@protontech/openpgp 5.9.1-1 → 5.11.0

package/dist/lightweight/openpgp.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v5.9.1-1 - 2023-09-06 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v5.11.0 - 2023-11-27 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
 const doneWritingPromise = Symbol('doneWritingPromise');
@@ -241,18 +241,17 @@ if (NodeReadableStream$1) {
             this.push(null);
             break;
           }
-          if (!this.push(value) || this._cancelling) {
-            this._reading = false;
+          if (!this.push(value)) {
             break;
           }
         }
-      } catch(e) {
-        this.emit('error', e);
+      } catch (e) {
+        this.destroy(e);
       }
     }
 
-    _destroy(reason) {
-      this._reader.cancel(reason);
+    async _destroy(error, callback) {
+      this._reader.cancel(error).then(callback, callback);
     }
   }
 
@@ -287,7 +286,7 @@ function Reader(input) {
     const reader = input.getReader();
     this._read = reader.read.bind(reader);
     this._releaseLock = () => {};
-    this._cancel = () => {};
+    this._cancel = async () => {};
     return;
   }
   let streamType = isStream(input);
@@ -1507,1211 +1506,1233 @@ async function getBigInteger() {
   }
 }
 
-// GPG4Browsers - An OpenPGP implementation in javascript
+/**
+ * @module enums
+ */
 
-const debugMode = (() => {
-  try {
-    return process.env.NODE_ENV === 'development'; // eslint-disable-line no-process-env
-  } catch (e) {}
-  return false;
-})();
+const byValue = Symbol('byValue');
 
-const util = {
-  isString: function(data) {
-    return typeof data === 'string' || data instanceof String;
-  },
+var enums = {
 
-  isArray: function(data) {
-    return data instanceof Array;
-  },
+  /** Maps curve names under various standards to one
+   * @see {@link https://wiki.gnupg.org/ECC|ECC - GnuPG wiki}
+   * @enum {String}
+   * @readonly
+   */
+  curve: {
+    /** NIST P-256 Curve */
+    'p256':                'p256',
+    'P-256':               'p256',
+    'secp256r1':           'p256',
+    'prime256v1':          'p256',
+    '1.2.840.10045.3.1.7': 'p256',
+    '2a8648ce3d030107':    'p256',
+    '2A8648CE3D030107':    'p256',
 
-  isUint8Array: isUint8Array,
+    /** NIST P-384 Curve */
+    'p384':         'p384',
+    'P-384':        'p384',
+    'secp384r1':    'p384',
+    '1.3.132.0.34': 'p384',
+    '2b81040022':   'p384',
+    '2B81040022':   'p384',
 
-  isStream: isStream,
+    /** NIST P-521 Curve */
+    'p521':         'p521',
+    'P-521':        'p521',
+    'secp521r1':    'p521',
+    '1.3.132.0.35': 'p521',
+    '2b81040023':   'p521',
+    '2B81040023':   'p521',
 
-  readNumber: function (bytes) {
-    let n = 0;
-    for (let i = 0; i < bytes.length; i++) {
-      n += (256 ** i) * bytes[bytes.length - 1 - i];
-    }
-    return n;
-  },
+    /** SECG SECP256k1 Curve */
+    'secp256k1':    'secp256k1',
+    '1.3.132.0.10': 'secp256k1',
+    '2b8104000a':   'secp256k1',
+    '2B8104000A':   'secp256k1',
 
-  writeNumber: function (n, bytes) {
-    const b = new Uint8Array(bytes);
-    for (let i = 0; i < bytes; i++) {
-      b[i] = (n >> (8 * (bytes - i - 1))) & 0xFF;
-    }
+    /** Ed25519 - deprecated by crypto-refresh (replaced by standaone Ed25519 algo) */
+    'ed25519Legacy':          'ed25519',
+    'ED25519':                'ed25519',
+    /** @deprecated use `ed25519Legacy` instead */
+    'ed25519':                'ed25519',
+    'Ed25519':                'ed25519',
+    '1.3.6.1.4.1.11591.15.1': 'ed25519',
+    '2b06010401da470f01':     'ed25519',
+    '2B06010401DA470F01':     'ed25519',
 
-    return b;
-  },
+    /** Curve25519 - deprecated by crypto-refresh (replaced by standaone X25519 algo) */
+    'curve25519Legacy':       'curve25519',
+    'X25519':                 'curve25519',
+    'cv25519':                'curve25519',
+    /** @deprecated use `curve25519Legacy` instead */
+    'curve25519':             'curve25519',
+    'Curve25519':             'curve25519',
+    '1.3.6.1.4.1.3029.1.5.1': 'curve25519',
+    '2b060104019755010501':   'curve25519',
+    '2B060104019755010501':   'curve25519',
 
-  readDate: function (bytes) {
-    const n = util.readNumber(bytes);
-    const d = new Date(n * 1000);
-    return d;
-  },
+    /** BrainpoolP256r1 Curve */
+    'brainpoolP256r1':       'brainpoolP256r1',
+    '1.3.36.3.3.2.8.1.1.7':  'brainpoolP256r1',
+    '2b2403030208010107':    'brainpoolP256r1',
+    '2B2403030208010107':    'brainpoolP256r1',
 
-  writeDate: function (time) {
-    const numeric = Math.floor(time.getTime() / 1000);
+    /** BrainpoolP384r1 Curve */
+    'brainpoolP384r1':       'brainpoolP384r1',
+    '1.3.36.3.3.2.8.1.1.11': 'brainpoolP384r1',
+    '2b240303020801010b':    'brainpoolP384r1',
+    '2B240303020801010B':    'brainpoolP384r1',
 
-    return util.writeNumber(numeric, 4);
+    /** BrainpoolP512r1 Curve */
+    'brainpoolP512r1':       'brainpoolP512r1',
+    '1.3.36.3.3.2.8.1.1.13': 'brainpoolP512r1',
+    '2b240303020801010d':    'brainpoolP512r1',
+    '2B240303020801010D':    'brainpoolP512r1'
   },
 
-  normalizeDate: function (time = Date.now()) {
-    return time === null || time === Infinity ? time : new Date(Math.floor(+time / 1000) * 1000);
+  /** KDF parameters flags
+   * Non-standard extensions (for now) to allow email forwarding
+   * @enum {Integer}
+   * @readonly
+   */
+  kdfFlags: {
+    /** Specify fingerprint to use instead of the recipient's */
+    replace_fingerprint: 0x01,
+    /** Specify custom parameters to use in the KDF digest computation */
+    replace_kdf_params: 0x02
   },
 
-  /**
-   * Read one MPI from bytes in input
-   * @param {Uint8Array} bytes - Input data to parse
-   * @returns {Uint8Array} Parsed MPI.
+  /** A string to key specifier type
+   * @enum {Integer}
+   * @readonly
    */
-  readMPI: function (bytes) {
-    const bits = (bytes[0] << 8) | bytes[1];
-    const bytelen = (bits + 7) >>> 3;
-    return bytes.subarray(2, 2 + bytelen);
+  s2k: {
+    simple: 0,
+    salted: 1,
+    iterated: 3,
+    argon2: 4,
+    gnu: 101
   },
 
-  /**
-   * Left-pad Uint8Array to length by adding 0x0 bytes
-   * @param {Uint8Array} bytes - Data to pad
-   * @param {Number} length - Padded length
-   * @returns {Uint8Array} Padded bytes.
+  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-crypto-refresh-08.html#section-9.1|crypto-refresh RFC, section 9.1}
+   * @enum {Integer}
+   * @readonly
    */
-  leftPad(bytes, length) {
-    const padded = new Uint8Array(length);
-    const offset = length - bytes.length;
-    padded.set(bytes, offset);
-    return padded;
+  publicKey: {
+    /** RSA (Encrypt or Sign) [HAC] */
+    rsaEncryptSign: 1,
+    /** RSA (Encrypt only) [HAC] */
+    rsaEncrypt: 2,
+    /** RSA (Sign only) [HAC] */
+    rsaSign: 3,
+    /** Elgamal (Encrypt only) [ELGAMAL] [HAC] */
+    elgamal: 16,
+    /** DSA (Sign only) [FIPS186] [HAC] */
+    dsa: 17,
+    /** ECDH (Encrypt only) [RFC6637] */
+    ecdh: 18,
+    /** ECDSA (Sign only) [RFC6637] */
+    ecdsa: 19,
+    /** EdDSA (Sign only) - deprecated by crypto-refresh (replaced by `ed25519` identifier below)
+     * [{@link https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-04|Draft RFC}] */
+    eddsaLegacy: 22, // NB: this is declared before `eddsa` to translate 22 to 'eddsa' for backwards compatibility
+    /** @deprecated use `eddsaLegacy` instead */
+    ed25519Legacy: 22,
+    /** @deprecated use `eddsaLegacy` instead */
+    eddsa: 22,
+    /** Reserved for AEDH */
+    aedh: 23,
+    /** Reserved for AEDSA */
+    aedsa: 24,
+    /** X25519 (Encrypt only) */
+    x25519: 25,
+    /** X448 (Encrypt only) */
+    x448: 26,
+    /** Ed25519 (Sign only) */
+    ed25519: 27,
+    /** Ed448 (Sign only) */
+    ed448: 28,
+    /** Symmetric authenticated encryption algorithms */
+    aead: 100,
+    /** Authentication using CMAC */
+    hmac: 101
   },
 
-  /**
-   * Convert a Uint8Array to an MPI-formatted Uint8Array.
-   * @param {Uint8Array} bin - An array of 8-bit integers to convert
-   * @returns {Uint8Array} MPI-formatted Uint8Array.
+  /** {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC4880, section 9.2}
+   * @enum {Integer}
+   * @readonly
    */
-  uint8ArrayToMPI: function (bin) {
-    const bitSize = util.uint8ArrayBitLength(bin);
-    if (bitSize === 0) {
-      throw new Error('Zero MPI');
-    }
-    const stripped = bin.subarray(bin.length - Math.ceil(bitSize / 8));
-    const prefix = new Uint8Array([(bitSize & 0xFF00) >> 8, bitSize & 0xFF]);
-    return util.concatUint8Array([prefix, stripped]);
+  symmetric: {
+    plaintext: 0,
+    /** Not implemented! */
+    idea: 1,
+    tripledes: 2,
+    cast5: 3,
+    blowfish: 4,
+    aes128: 7,
+    aes192: 8,
+    aes256: 9,
+    twofish: 10
   },
 
-  /**
-   * Return bit length of the input data
-   * @param {Uint8Array} bin input data (big endian)
-   * @returns bit length
+  /** {@link https://tools.ietf.org/html/rfc4880#section-9.3|RFC4880, section 9.3}
+   * @enum {Integer}
+   * @readonly
    */
-  uint8ArrayBitLength: function (bin) {
-    let i; // index of leading non-zero byte
-    for (i = 0; i < bin.length; i++) if (bin[i] !== 0) break;
-    if (i === bin.length) {
-      return 0;
-    }
-    const stripped = bin.subarray(i);
-    return (stripped.length - 1) * 8 + util.nbits(stripped[0]);
+  compression: {
+    uncompressed: 0,
+    /** RFC1951 */
+    zip: 1,
+    /** RFC1950 */
+    zlib: 2,
+    bzip2: 3
   },
 
-  /**
-   * Convert a hex string to an array of 8-bit integers
-   * @param {String} hex - A hex string to convert
-   * @returns {Uint8Array} An array of 8-bit integers.
+  /** {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC4880, section 9.4}
+   * @enum {Integer}
+   * @readonly
    */
-  hexToUint8Array: function (hex) {
-    const result = new Uint8Array(hex.length >> 1);
-    for (let k = 0; k < hex.length >> 1; k++) {
-      result[k] = parseInt(hex.substr(k << 1, 2), 16);
-    }
-    return result;
+  hash: {
+    md5: 1,
+    sha1: 2,
+    ripemd: 3,
+    sha256: 8,
+    sha384: 9,
+    sha512: 10,
+    sha224: 11
   },
 
-  /**
-   * Convert an array of 8-bit integers to a hex string
-   * @param {Uint8Array} bytes - Array of 8-bit integers to convert
-   * @returns {String} Hexadecimal representation of the array.
+  /** A list of hash names as accepted by webCrypto functions.
+   * {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest|Parameters, algo}
+   * @enum {String}
    */
-  uint8ArrayToHex: function (bytes) {
-    const r = [];
-    const e = bytes.length;
-    let c = 0;
-    let h;
-    while (c < e) {
-      h = bytes[c++].toString(16);
-      while (h.length < 2) {
-        h = '0' + h;
-      }
-      r.push('' + h);
-    }
-    return r.join('');
-  },
-
-  /**
-   * Convert a string to an array of 8-bit integers
-   * @param {String} str - String to convert
-   * @returns {Uint8Array} An array of 8-bit integers.
-   */
-  stringToUint8Array: function (str) {
-    return transform(str, str => {
-      if (!util.isString(str)) {
-        throw new Error('stringToUint8Array: Data must be in the form of a string');
-      }
-
-      const result = new Uint8Array(str.length);
-      for (let i = 0; i < str.length; i++) {
-        result[i] = str.charCodeAt(i);
-      }
-      return result;
-    });
-  },
-
-  /**
-   * Convert an array of 8-bit integers to a string
-   * @param {Uint8Array} bytes - An array of 8-bit integers to convert
-   * @returns {String} String representation of the array.
-   */
-  uint8ArrayToString: function (bytes) {
-    bytes = new Uint8Array(bytes);
-    const result = [];
-    const bs = 1 << 14;
-    const j = bytes.length;
-
-    for (let i = 0; i < j; i += bs) {
-      result.push(String.fromCharCode.apply(String, bytes.subarray(i, i + bs < j ? i + bs : j)));
-    }
-    return result.join('');
-  },
-
-  /**
-   * Convert a native javascript string to a Uint8Array of utf8 bytes
-   * @param {String|ReadableStream} str - The string to convert
-   * @returns {Uint8Array|ReadableStream} A valid squence of utf8 bytes.
-   */
-  encodeUTF8: function (str) {
-    const encoder = new TextEncoder('utf-8');
-    // eslint-disable-next-line no-inner-declarations
-    function process(value, lastChunk = false) {
-      return encoder.encode(value, { stream: !lastChunk });
-    }
-    return transform(str, process, () => process('', true));
-  },
-
-  /**
-   * Convert a Uint8Array of utf8 bytes to a native javascript string
-   * @param {Uint8Array|ReadableStream} utf8 - A valid squence of utf8 bytes
-   * @returns {String|ReadableStream} A native javascript string.
-   */
-  decodeUTF8: function (utf8) {
-    const decoder = new TextDecoder('utf-8');
-    // eslint-disable-next-line no-inner-declarations
-    function process(value, lastChunk = false) {
-      return decoder.decode(value, { stream: !lastChunk });
-    }
-    return transform(utf8, process, () => process(new Uint8Array(), true));
-  },
-
-  /**
-   * Concat a list of Uint8Arrays, Strings or Streams
-   * The caller must not mix Uint8Arrays with Strings, but may mix Streams with non-Streams.
-   * @param {Array<Uint8Array|String|ReadableStream>} Array - Of Uint8Arrays/Strings/Streams to concatenate
-   * @returns {Uint8Array|String|ReadableStream} Concatenated array.
-   */
-  concat: concat,
-
-  /**
-   * Concat Uint8Arrays
-   * @param {Array<Uint8Array>} Array - Of Uint8Arrays to concatenate
-   * @returns {Uint8Array} Concatenated array.
-   */
-  concatUint8Array: concatUint8Array,
-
-  /**
-   * Check Uint8Array equality
-   * @param {Uint8Array} array1 - First array
-   * @param {Uint8Array} array2 - Second array
-   * @returns {Boolean} Equality.
-   */
-  equalsUint8Array: function (array1, array2) {
-    if (!util.isUint8Array(array1) || !util.isUint8Array(array2)) {
-      throw new Error('Data must be in the form of a Uint8Array');
-    }
-
-    if (array1.length !== array2.length) {
-      return false;
-    }
-
-    for (let i = 0; i < array1.length; i++) {
-      if (array1[i] !== array2[i]) {
-        return false;
-      }
-    }
-    return true;
+  webHash: {
+    'SHA-1': 2,
+    'SHA-256': 8,
+    'SHA-384': 9,
+    'SHA-512': 10
   },
 
-  /**
-   * Calculates a 16bit sum of a Uint8Array by adding each character
-   * codes modulus 65535
-   * @param {Uint8Array} Uint8Array - To create a sum of
-   * @returns {Uint8Array} 2 bytes containing the sum of all charcodes % 65535.
+  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-9.6|RFC4880bis-04, section 9.6}
+   * @enum {Integer}
+   * @readonly
    */
-  writeChecksum: function (text) {
-    let s = 0;
-    for (let i = 0; i < text.length; i++) {
-      s = (s + text[i]) & 0xFFFF;
-    }
-    return util.writeNumber(s, 2);
+  aead: {
+    eax: 1,
+    ocb: 2,
+    experimentalGCM: 100 // Private algorithm
   },
 
-  /**
-   * Helper function to print a debug message. Debug
-   * messages are only printed if
-   * @param {String} str - String of the debug message
+  /** A list of packet types and numeric tags associated with them.
+   * @enum {Integer}
+   * @readonly
    */
-  printDebug: function (str) {
-    if (debugMode) {
-      console.log('[OpenPGP.js debug]', str);
-    }
+  packet: {
+    publicKeyEncryptedSessionKey: 1,
+    signature: 2,
+    symEncryptedSessionKey: 3,
+    onePassSignature: 4,
+    secretKey: 5,
+    publicKey: 6,
+    secretSubkey: 7,
+    compressedData: 8,
+    symmetricallyEncryptedData: 9,
+    marker: 10,
+    literalData: 11,
+    trust: 12,
+    userID: 13,
+    publicSubkey: 14,
+    userAttribute: 17,
+    symEncryptedIntegrityProtectedData: 18,
+    modificationDetectionCode: 19,
+    aeadEncryptedData: 20 // see IETF draft: https://tools.ietf.org/html/draft-ford-openpgp-format-00#section-2.1
   },
 
-  /**
-   * Helper function to print a debug error. Debug
-   * messages are only printed if
-   * @param {String} str - String of the debug message
+  /** Data types in the literal packet
+   * @enum {Integer}
+   * @readonly
    */
-  printDebugError: function (error) {
-    if (debugMode) {
-      console.error('[OpenPGP.js debug]', error);
-    }
+  literal: {
+    /** Binary data 'b' */
+    binary: 'b'.charCodeAt(),
+    /** Text data 't' */
+    text: 't'.charCodeAt(),
+    /** Utf8 data 'u' */
+    utf8: 'u'.charCodeAt(),
+    /** MIME message body part 'm' */
+    mime: 'm'.charCodeAt()
   },
 
-  // returns bit length of the integer x
-  nbits: function (x) {
-    let r = 1;
-    let t = x >>> 16;
-    if (t !== 0) {
-      x = t;
-      r += 16;
-    }
-    t = x >> 8;
-    if (t !== 0) {
-      x = t;
-      r += 8;
-    }
-    t = x >> 4;
-    if (t !== 0) {
-      x = t;
-      r += 4;
-    }
-    t = x >> 2;
-    if (t !== 0) {
-      x = t;
-      r += 2;
-    }
-    t = x >> 1;
-    if (t !== 0) {
-      x = t;
-      r += 1;
-    }
-    return r;
-  },
 
-  /**
-   * If S[1] == 0, then double(S) == (S[2..128] || 0);
-   * otherwise, double(S) == (S[2..128] || 0) xor
-   * (zeros(120) || 10000111).
-   *
-   * Both OCB and EAX (through CMAC) require this function to be constant-time.
-   *
-   * @param {Uint8Array} data
+  /** One pass signature packet type
+   * @enum {Integer}
+   * @readonly
    */
-  double: function(data) {
-    const doubleVar = new Uint8Array(data.length);
-    const last = data.length - 1;
-    for (let i = 0; i < last; i++) {
-      doubleVar[i] = (data[i] << 1) ^ (data[i + 1] >> 7);
-    }
-    doubleVar[last] = (data[last] << 1) ^ ((data[0] >> 7) * 0x87);
-    return doubleVar;
+  signature: {
+    /** 0x00: Signature of a binary document. */
+    binary: 0,
+    /** 0x01: Signature of a canonical text document.
+     *
+     * Canonicalyzing the document by converting line endings. */
+    text: 1,
+    /** 0x02: Standalone signature.
+     *
+     * This signature is a signature of only its own subpacket contents.
+     * It is calculated identically to a signature over a zero-lengh
+     * binary document.  Note that it doesn't make sense to have a V3
+     * standalone signature. */
+    standalone: 2,
+    /** 0x10: Generic certification of a User ID and Public-Key packet.
+     *
+     * The issuer of this certification does not make any particular
+     * assertion as to how well the certifier has checked that the owner
+     * of the key is in fact the person described by the User ID. */
+    certGeneric: 16,
+    /** 0x11: Persona certification of a User ID and Public-Key packet.
+     *
+     * The issuer of this certification has not done any verification of
+     * the claim that the owner of this key is the User ID specified. */
+    certPersona: 17,
+    /** 0x12: Casual certification of a User ID and Public-Key packet.
+     *
+     * The issuer of this certification has done some casual
+     * verification of the claim of identity. */
+    certCasual: 18,
+    /** 0x13: Positive certification of a User ID and Public-Key packet.
+     *
+     * The issuer of this certification has done substantial
+     * verification of the claim of identity.
+     *
+     * Most OpenPGP implementations make their "key signatures" as 0x10
+     * certifications.  Some implementations can issue 0x11-0x13
+     * certifications, but few differentiate between the types. */
+    certPositive: 19,
+    /** 0x30: Certification revocation signature
+     *
+     * This signature revokes an earlier User ID certification signature
+     * (signature class 0x10 through 0x13) or direct-key signature
+     * (0x1F).  It should be issued by the same key that issued the
+     * revoked signature or an authorized revocation key.  The signature
+     * is computed over the same data as the certificate that it
+     * revokes, and should have a later creation date than that
+     * certificate. */
+    certRevocation: 48,
+    /** 0x18: Subkey Binding Signature
+     *
+     * This signature is a statement by the top-level signing key that
+     * indicates that it owns the subkey.  This signature is calculated
+     * directly on the primary key and subkey, and not on any User ID or
+     * other packets.  A signature that binds a signing subkey MUST have
+     * an Embedded Signature subpacket in this binding signature that
+     * contains a 0x19 signature made by the signing subkey on the
+     * primary key and subkey. */
+    subkeyBinding: 24,
+    /** 0x19: Primary Key Binding Signature
+     *
+     * This signature is a statement by a signing subkey, indicating
+     * that it is owned by the primary key and subkey.  This signature
+     * is calculated the same way as a 0x18 signature: directly on the
+     * primary key and subkey, and not on any User ID or other packets.
+     *
+     * When a signature is made over a key, the hash data starts with the
+     * octet 0x99, followed by a two-octet length of the key, and then body
+     * of the key packet.  (Note that this is an old-style packet header for
+     * a key packet with two-octet length.)  A subkey binding signature
+     * (type 0x18) or primary key binding signature (type 0x19) then hashes
+     * the subkey using the same format as the main key (also using 0x99 as
+     * the first octet). */
+    keyBinding: 25,
+    /** 0x1F: Signature directly on a key
+     *
+     * This signature is calculated directly on a key.  It binds the
+     * information in the Signature subpackets to the key, and is
+     * appropriate to be used for subpackets that provide information
+     * about the key, such as the Revocation Key subpacket.  It is also
+     * appropriate for statements that non-self certifiers want to make
+     * about the key itself, rather than the binding between a key and a
+     * name. */
+    key: 31,
+    /** 0x20: Key revocation signature
+     *
+     * The signature is calculated directly on the key being revoked.  A
+     * revoked key is not to be used.  Only revocation signatures by the
+     * key being revoked, or by an authorized revocation key, should be
+     * considered valid revocation signatures.a */
+    keyRevocation: 32,
+    /** 0x28: Subkey revocation signature
+     *
+     * The signature is calculated directly on the subkey being revoked.
+     * A revoked subkey is not to be used.  Only revocation signatures
+     * by the top-level signature key that is bound to this subkey, or
+     * by an authorized revocation key, should be considered valid
+     * revocation signatures.
+     *
+     * Key revocation signatures (types 0x20 and 0x28)
+     * hash only the key being revoked. */
+    subkeyRevocation: 40,
+    /** 0x40: Timestamp signature.
+     * This signature is only meaningful for the timestamp contained in
+     * it. */
+    timestamp: 64,
+    /** 0x50: Third-Party Confirmation signature.
+     *
+     * This signature is a signature over some other OpenPGP Signature
+     * packet(s).  It is analogous to a notary seal on the signed data.
+     * A third-party signature SHOULD include Signature Target
+     * subpacket(s) to give easy identification.  Note that we really do
+     * mean SHOULD.  There are plausible uses for this (such as a blind
+     * party that only sees the signature, not the key or source
+     * document) that cannot include a target subpacket. */
+    thirdParty: 80
   },
 
-  /**
-   * Shift a Uint8Array to the right by n bits
-   * @param {Uint8Array} array - The array to shift
-   * @param {Integer} bits - Amount of bits to shift (MUST be smaller
-   * than 8)
-   * @returns {String} Resulting array.
+  /** Signature subpacket type
+   * @enum {Integer}
+   * @readonly
    */
-  shiftRight: function (array, bits) {
-    if (bits) {
-      for (let i = array.length - 1; i >= 0; i--) {
-        array[i] >>= bits;
-        if (i > 0) {
-          array[i] |= (array[i - 1] << (8 - bits));
-        }
-      }
-    }
-    return array;
+  signatureSubpacket: {
+    signatureCreationTime: 2,
+    signatureExpirationTime: 3,
+    exportableCertification: 4,
+    trustSignature: 5,
+    regularExpression: 6,
+    revocable: 7,
+    keyExpirationTime: 9,
+    placeholderBackwardsCompatibility: 10,
+    preferredSymmetricAlgorithms: 11,
+    revocationKey: 12,
+    issuer: 16,
+    notationData: 20,
+    preferredHashAlgorithms: 21,
+    preferredCompressionAlgorithms: 22,
+    keyServerPreferences: 23,
+    preferredKeyServer: 24,
+    primaryUserID: 25,
+    policyURI: 26,
+    keyFlags: 27,
+    signersUserID: 28,
+    reasonForRevocation: 29,
+    features: 30,
+    signatureTarget: 31,
+    embeddedSignature: 32,
+    issuerFingerprint: 33,
+    preferredAEADAlgorithms: 34
   },
 
-  /**
-   * Get native Web Cryptography api, only the current version of the spec.
-   * @returns {Object} The SubtleCrypto api or 'undefined'.
+  /** Key flags
+   * @enum {Integer}
+   * @readonly
    */
-  getWebCrypto: function() {
-    return typeof globalThis !== 'undefined' && globalThis.crypto && globalThis.crypto.subtle;
+  keyFlags: {
+    /** 0x01 - This key may be used to certify other keys. */
+    certifyKeys: 1,
+    /** 0x02 - This key may be used to sign data. */
+    signData: 2,
+    /** 0x04 - This key may be used to encrypt communications. */
+    encryptCommunication: 4,
+    /** 0x08 - This key may be used to encrypt storage. */
+    encryptStorage: 8,
+    /** 0x10 - The private component of this key may have been split
+     *        by a secret-sharing mechanism. */
+    splitPrivateKey: 16,
+    /** 0x20 - This key may be used for authentication. */
+    authentication: 32,
+    /** This key may be used for forwarded communications */
+    forwardedCommunication: 64,
+    /** 0x80 - The private component of this key may be in the
+     *        possession of more than one person. */
+    sharedPrivateKey: 128
   },
 
-  /**
-   * Get BigInteger class
-   * It wraps the native BigInt type if it's available
-   * Otherwise it relies on bn.js
-   * @returns {BigInteger}
-   * @async
+  /** Armor type
+   * @enum {Integer}
+   * @readonly
    */
-  getBigInteger,
+  armor: {
+    multipartSection: 0,
+    multipartLast: 1,
+    signed: 2,
+    message: 3,
+    publicKey: 4,
+    privateKey: 5,
+    signature: 6
+  },
 
-  /**
-   * Get native Node.js crypto api.
-   * @returns {Object} The crypto module or 'undefined'.
+  /** {@link https://tools.ietf.org/html/rfc4880#section-5.2.3.23|RFC4880, section 5.2.3.23}
+   * @enum {Integer}
+   * @readonly
    */
-  getNodeCrypto: function() {
-    return void('crypto');
+  reasonForRevocation: {
+    /** No reason specified (key revocations or cert revocations) */
+    noReason: 0,
+    /** Key is superseded (key revocations) */
+    keySuperseded: 1,
+    /** Key material has been compromised (key revocations) */
+    keyCompromised: 2,
+    /** Key is retired and no longer used (key revocations) */
+    keyRetired: 3,
+    /** User ID information is no longer valid (cert revocations) */
+    userIDInvalid: 32
   },
 
-  getNodeZlib: function() {
-    return void('zlib');
+  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.2.3.25|RFC4880bis-04, section 5.2.3.25}
+   * @enum {Integer}
+   * @readonly
+   */
+  features: {
+    /** 0x01 - Modification Detection (packets 18 and 19) */
+    modificationDetection: 1,
+    /** 0x02 - AEAD Encrypted Data Packet (packet 20) and version 5
+     *         Symmetric-Key Encrypted Session Key Packets (packet 3) */
+    aead: 2,
+    /** 0x04 - Version 5 Public-Key Packet format and corresponding new
+      *        fingerprint format */
+    v5Keys: 4
   },
 
   /**
-   * Get native Node.js Buffer constructor. This should be used since
-   * Buffer is not available under browserify.
-   * @returns {Function} The Buffer constructor or 'undefined'.
+   * Asserts validity of given value and converts from string/integer to integer.
+   * @param {Object} type target enum type
+   * @param {String|Integer} e value to check and/or convert
+   * @returns {Integer} enum value if it exists
+   * @throws {Error} if the value is invalid
    */
-  getNodeBuffer: function() {
-    return ({}).Buffer;
-  },
-
-  getHardwareConcurrency: function() {
-    if (typeof navigator !== 'undefined') {
-      return navigator.hardwareConcurrency || 1;
+  write: function(type, e) {
+    if (typeof e === 'number') {
+      e = this.read(type, e);
     }
 
-    const os = void('os'); // Assume we're on Node.js.
-    return os.cpus().length;
-  },
-
-  isEmailAddress: function(data) {
-    if (!util.isString(data)) {
-      return false;
+    if (type[e] !== undefined) {
+      return type[e];
     }
-    const re = /^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+([a-zA-Z]{2,}[0-9]*|xn--[a-zA-Z\-0-9]+)))$/;
-    return re.test(data);
+
+    throw new Error('Invalid enum value.');
   },
 
   /**
-   * Normalize line endings to <CR><LF>
-   * Support any encoding where CR=0x0D, LF=0x0A
+   * Converts enum integer value to the corresponding string, if it exists.
+   * @param {Object} type target enum type
+   * @param {Integer} e value to convert
+   * @returns {String} name of enum value if it exists
+   * @throws {Error} if the value is invalid
    */
-  canonicalizeEOL: function(data) {
-    const CR = 13;
-    const LF = 10;
-    let carryOverCR = false;
+  read: function(type, e) {
+    if (!type[byValue]) {
+      type[byValue] = [];
+      Object.entries(type).forEach(([key, value]) => {
+        type[byValue][value] = key;
+      });
+    }
 
-    return transform(data, bytes => {
-      if (carryOverCR) {
-        bytes = util.concatUint8Array([new Uint8Array([CR]), bytes]);
-      }
+    if (type[byValue][e] !== undefined) {
+      return type[byValue][e];
+    }
 
-      if (bytes[bytes.length - 1] === CR) {
-        carryOverCR = true;
-        bytes = bytes.subarray(0, -1);
-      } else {
-        carryOverCR = false;
-      }
+    throw new Error('Invalid enum value.');
+  }
+};
 
-      let index;
-      const indices = [];
-      for (let i = 0; ; i = index) {
-        index = bytes.indexOf(LF, i) + 1;
-        if (index) {
-          if (bytes[index - 2] !== CR) indices.push(index);
-        } else {
-          break;
-        }
-      }
-      if (!indices.length) {
-        return bytes;
-      }
+// GPG4Browsers - An OpenPGP implementation in javascript
 
-      const normalized = new Uint8Array(bytes.length + indices.length);
-      let j = 0;
-      for (let i = 0; i < indices.length; i++) {
-        const sub = bytes.subarray(indices[i - 1] || 0, indices[i]);
-        normalized.set(sub, j);
-        j += sub.length;
-        normalized[j - 1] = CR;
-        normalized[j] = LF;
-        j++;
-      }
-      normalized.set(bytes.subarray(indices[indices.length - 1] || 0), j);
-      return normalized;
-    }, () => (carryOverCR ? new Uint8Array([CR]) : undefined));
+const debugMode = (() => {
+  try {
+    return process.env.NODE_ENV === 'development'; // eslint-disable-line no-process-env
+  } catch (e) {}
+  return false;
+})();
+
+const util = {
+  isString: function(data) {
+    return typeof data === 'string' || data instanceof String;
   },
 
-  /**
-   * Convert line endings from canonicalized <CR><LF> to native <LF>
-   * Support any encoding where CR=0x0D, LF=0x0A
-   */
-  nativeEOL: function(data) {
-    const CR = 13;
-    const LF = 10;
-    let carryOverCR = false;
+  isArray: function(data) {
+    return data instanceof Array;
+  },
 
-    return transform(data, bytes => {
-      if (carryOverCR && bytes[0] !== LF) {
-        bytes = util.concatUint8Array([new Uint8Array([CR]), bytes]);
-      } else {
-        bytes = new Uint8Array(bytes); // Don't mutate passed bytes
-      }
+  isUint8Array: isUint8Array,
 
-      if (bytes[bytes.length - 1] === CR) {
-        carryOverCR = true;
-        bytes = bytes.subarray(0, -1);
-      } else {
-        carryOverCR = false;
-      }
+  isStream: isStream,
 
-      let index;
-      let j = 0;
-      for (let i = 0; i !== bytes.length; i = index) {
-        index = bytes.indexOf(CR, i) + 1;
-        if (!index) index = bytes.length;
-        const last = index - (bytes[index] === LF ? 1 : 0);
-        if (i) bytes.copyWithin(j, i, last);
-        j += last - i;
-      }
-      return bytes.subarray(0, j);
-    }, () => (carryOverCR ? new Uint8Array([CR]) : undefined));
+  readNumber: function (bytes) {
+    let n = 0;
+    for (let i = 0; i < bytes.length; i++) {
+      n += (256 ** i) * bytes[bytes.length - 1 - i];
+    }
+    return n;
   },
 
-  /**
-   * Remove trailing spaces, carriage returns and tabs from each line
-   */
-  removeTrailingSpaces: function(text) {
-    return text.split('\n').map(line => {
-      let i = line.length - 1;
-      for (; i >= 0 && (line[i] === ' ' || line[i] === '\t' || line[i] === '\r'); i--);
-      return line.substr(0, i + 1);
-    }).join('\n');
+  writeNumber: function (n, bytes) {
+    const b = new Uint8Array(bytes);
+    for (let i = 0; i < bytes; i++) {
+      b[i] = (n >> (8 * (bytes - i - 1))) & 0xFF;
+    }
+
+    return b;
   },
 
-  wrapError: function(message, error) {
-    if (!error) {
-      return new Error(message);
-    }
+  readDate: function (bytes) {
+    const n = util.readNumber(bytes);
+    const d = new Date(n * 1000);
+    return d;
+  },
+
+  writeDate: function (time) {
+    const numeric = Math.floor(time.getTime() / 1000);
 
-    // update error message
-    try {
-      error.message = message + ': ' + error.message;
-    } catch (e) {}
+    return util.writeNumber(numeric, 4);
+  },
 
-    return error;
+  normalizeDate: function (time = Date.now()) {
+    return time === null || time === Infinity ? time : new Date(Math.floor(+time / 1000) * 1000);
   },
 
   /**
-   * Map allowed packet tags to corresponding classes
-   * Meant to be used to format `allowedPacket` for Packetlist.read
-   * @param {Array<Object>} allowedClasses
-   * @returns {Object} map from enum.packet to corresponding *Packet class
+   * Read one MPI from bytes in input
+   * @param {Uint8Array} bytes - Input data to parse
+   * @returns {Uint8Array} Parsed MPI.
    */
-  constructAllowedPackets: function(allowedClasses) {
-    const map = {};
-    allowedClasses.forEach(PacketClass => {
-      if (!PacketClass.tag) {
-        throw new Error('Invalid input: expected a packet class');
-      }
-      map[PacketClass.tag] = PacketClass;
-    });
-    return map;
+  readMPI: function (bytes) {
+    const bits = (bytes[0] << 8) | bytes[1];
+    const bytelen = (bits + 7) >>> 3;
+    return bytes.subarray(2, 2 + bytelen);
   },
 
   /**
-   * Return a Promise that will resolve as soon as one of the promises in input resolves
-   * or will reject if all input promises all rejected
-   * (similar to Promise.any, but with slightly different error handling)
-   * @param {Array<Promise>} promises
-   * @return {Promise<Any>} Promise resolving to the result of the fastest fulfilled promise
-   *                          or rejected with the Error of the last resolved Promise (if all promises are rejected)
+   * Left-pad Uint8Array to length by adding 0x0 bytes
+   * @param {Uint8Array} bytes - Data to pad
+   * @param {Number} length - Padded length
+   * @returns {Uint8Array} Padded bytes.
    */
-  anyPromise: function(promises) {
-    // eslint-disable-next-line no-async-promise-executor
-    return new Promise(async (resolve, reject) => {
-      let exception;
-      await Promise.all(promises.map(async promise => {
-        try {
-          resolve(await promise);
-        } catch (e) {
-          exception = e;
-        }
-      }));
-      reject(exception);
-    });
+  leftPad(bytes, length) {
+    const padded = new Uint8Array(length);
+    const offset = length - bytes.length;
+    padded.set(bytes, offset);
+    return padded;
   },
 
   /**
-   * Return either `a` or `b` based on `cond`, in algorithmic constant time.
-   * @param {Boolean} cond
-   * @param {Uint8Array} a
-   * @param {Uint8Array} b
-   * @returns `a` if `cond` is true, `b` otherwise
+   * Convert a Uint8Array to an MPI-formatted Uint8Array.
+   * @param {Uint8Array} bin - An array of 8-bit integers to convert
+   * @returns {Uint8Array} MPI-formatted Uint8Array.
    */
-  selectUint8Array: function(cond, a, b) {
-    const length = Math.max(a.length, b.length);
-    const result = new Uint8Array(length);
-    let end = 0;
-    for (let i = 0; i < result.length; i++) {
-      result[i] = (a[i] & (256 - cond)) | (b[i] & (255 + cond));
-      end += (cond & i < a.length) | ((1 - cond) & i < b.length);
+  uint8ArrayToMPI: function (bin) {
+    const bitSize = util.uint8ArrayBitLength(bin);
+    if (bitSize === 0) {
+      throw new Error('Zero MPI');
     }
-    return result.subarray(0, end);
+    const stripped = bin.subarray(bin.length - Math.ceil(bitSize / 8));
+    const prefix = new Uint8Array([(bitSize & 0xFF00) >> 8, bitSize & 0xFF]);
+    return util.concatUint8Array([prefix, stripped]);
   },
+
   /**
-   * Return either `a` or `b` based on `cond`, in algorithmic constant time.
-   * NB: it only supports `a, b` with values between 0-255.
-   * @param {Boolean} cond
-   * @param {Uint8} a
-   * @param {Uint8} b
-   * @returns `a` if `cond` is true, `b` otherwise
+   * Return bit length of the input data
+   * @param {Uint8Array} bin input data (big endian)
+   * @returns bit length
    */
-  selectUint8: function(cond, a, b) {
-    return (a & (256 - cond)) | (b & (255 + cond));
-  }
-};
-
-/* OpenPGP radix-64/base64 string encoding/decoding
- * Copyright 2005 Herbert Hanewinkel, www.haneWIN.de
- * version 1.0, check www.haneWIN.de for the latest version
- *
- * This software is provided as-is, without express or implied warranty.
- * Permission to use, copy, modify, distribute or sell this software, with or
- * without fee, for any purpose and by any individual or organization, is hereby
- * granted, provided that the above copyright notice and this paragraph appear
- * in all copies. Distribution as a part of an application or binary must
- * include the above copyright notice in the documentation and/or other materials
- * provided with the application or distribution.
- */
-
-const Buffer = util.getNodeBuffer();
+  uint8ArrayBitLength: function (bin) {
+    let i; // index of leading non-zero byte
+    for (i = 0; i < bin.length; i++) if (bin[i] !== 0) break;
+    if (i === bin.length) {
+      return 0;
+    }
+    const stripped = bin.subarray(i);
+    return (stripped.length - 1) * 8 + util.nbits(stripped[0]);
+  },
 
-let encodeChunk;
-let decodeChunk;
-if (Buffer) {
-  encodeChunk = buf => Buffer.from(buf).toString('base64');
-  decodeChunk = str => {
-    const b = Buffer.from(str, 'base64');
-    return new Uint8Array(b.buffer, b.byteOffset, b.byteLength);
-  };
-} else {
-  encodeChunk = buf => btoa(util.uint8ArrayToString(buf));
-  decodeChunk = str => util.stringToUint8Array(atob(str));
-}
+  /**
+   * Convert a hex string to an array of 8-bit integers
+   * @param {String} hex - A hex string to convert
+   * @returns {Uint8Array} An array of 8-bit integers.
+   */
+  hexToUint8Array: function (hex) {
+    const result = new Uint8Array(hex.length >> 1);
+    for (let k = 0; k < hex.length >> 1; k++) {
+      result[k] = parseInt(hex.substr(k << 1, 2), 16);
+    }
+    return result;
+  },
 
-/**
- * Convert binary array to radix-64
- * @param {Uint8Array | ReadableStream<Uint8Array>} data - Uint8Array to convert
- * @returns {String | ReadableStream<String>} Radix-64 version of input string.
- * @static
- */
-function encode(data) {
-  let buf = new Uint8Array();
-  return transform(data, value => {
-    buf = util.concatUint8Array([buf, value]);
+  /**
+   * Convert an array of 8-bit integers to a hex string
+   * @param {Uint8Array} bytes - Array of 8-bit integers to convert
+   * @returns {String} Hexadecimal representation of the array.
+   */
+  uint8ArrayToHex: function (bytes) {
     const r = [];
-    const bytesPerLine = 45; // 60 chars per line * (3 bytes / 4 chars of base64).
-    const lines = Math.floor(buf.length / bytesPerLine);
-    const bytes = lines * bytesPerLine;
-    const encoded = encodeChunk(buf.subarray(0, bytes));
-    for (let i = 0; i < lines; i++) {
-      r.push(encoded.substr(i * 60, 60));
-      r.push('\n');
+    const e = bytes.length;
+    let c = 0;
+    let h;
+    while (c < e) {
+      h = bytes[c++].toString(16);
+      while (h.length < 2) {
+        h = '0' + h;
+      }
+      r.push('' + h);
     }
-    buf = buf.subarray(bytes);
     return r.join('');
-  }, () => (buf.length ? encodeChunk(buf) + '\n' : ''));
-}
-
-/**
- * Convert radix-64 to binary array
- * @param {String | ReadableStream<String>} data - Radix-64 string to convert
- * @returns {Uint8Array | ReadableStream<Uint8Array>} Binary array version of input string.
- * @static
- */
-function decode(data) {
-  let buf = '';
-  return transform(data, value => {
-    buf += value;
+  },
 
-    // Count how many whitespace characters there are in buf
-    let spaces = 0;
-    const spacechars = [' ', '\t', '\r', '\n'];
-    for (let i = 0; i < spacechars.length; i++) {
-      const spacechar = spacechars[i];
-      for (let pos = buf.indexOf(spacechar); pos !== -1; pos = buf.indexOf(spacechar, pos + 1)) {
-        spaces++;
+  /**
+   * Convert a string to an array of 8-bit integers
+   * @param {String} str - String to convert
+   * @returns {Uint8Array} An array of 8-bit integers.
+   */
+  stringToUint8Array: function (str) {
+    return transform(str, str => {
+      if (!util.isString(str)) {
+        throw new Error('stringToUint8Array: Data must be in the form of a string');
       }
-    }
-
-    // Backtrack until we have 4n non-whitespace characters
-    // that we can safely base64-decode
-    let length = buf.length;
-    for (; length > 0 && (length - spaces) % 4 !== 0; length--) {
-      if (spacechars.includes(buf[length])) spaces--;
-    }
-
-    const decoded = decodeChunk(buf.substr(0, length));
-    buf = buf.substr(length);
-    return decoded;
-  }, () => decodeChunk(buf));
-}
-
-/**
- * Convert a Base-64 encoded string an array of 8-bit integer
- *
- * Note: accepts both Radix-64 and URL-safe strings
- * @param {String} base64 - Base-64 encoded string to convert
- * @returns {Uint8Array} An array of 8-bit integers.
- */
-function b64ToUint8Array(base64) {
-  return decode(base64.replace(/-/g, '+').replace(/_/g, '/'));
-}
-
-/**
- * Convert an array of 8-bit integer to a Base-64 encoded string
- * @param {Uint8Array} bytes - An array of 8-bit integers to convert
- * @param {bool} url - If true, output is URL-safe
- * @returns {String} Base-64 encoded string.
- */
-function uint8ArrayToB64(bytes, url) {
-  let encoded = encode(bytes).replace(/[\r\n]/g, '');
-  if (url) {
-    encoded = encoded.replace(/[+]/g, '-').replace(/[/]/g, '_').replace(/[=]/g, '');
-  }
-  return encoded;
-}
-
-/**
- * @module enums
- */
 
-const byValue = Symbol('byValue');
-
-var enums = {
+      const result = new Uint8Array(str.length);
+      for (let i = 0; i < str.length; i++) {
+        result[i] = str.charCodeAt(i);
+      }
+      return result;
+    });
+  },
 
-  /** Maps curve names under various standards to one
-   * @see {@link https://wiki.gnupg.org/ECC|ECC - GnuPG wiki}
-   * @enum {String}
-   * @readonly
+  /**
+   * Convert an array of 8-bit integers to a string
+   * @param {Uint8Array} bytes - An array of 8-bit integers to convert
+   * @returns {String} String representation of the array.
    */
-  curve: {
-    /** NIST P-256 Curve */
-    'p256':                'p256',
-    'P-256':               'p256',
-    'secp256r1':           'p256',
-    'prime256v1':          'p256',
-    '1.2.840.10045.3.1.7': 'p256',
-    '2a8648ce3d030107':    'p256',
-    '2A8648CE3D030107':    'p256',
+  uint8ArrayToString: function (bytes) {
+    bytes = new Uint8Array(bytes);
+    const result = [];
+    const bs = 1 << 14;
+    const j = bytes.length;
 
-    /** NIST P-384 Curve */
-    'p384':         'p384',
-    'P-384':        'p384',
-    'secp384r1':    'p384',
-    '1.3.132.0.34': 'p384',
-    '2b81040022':   'p384',
-    '2B81040022':   'p384',
+    for (let i = 0; i < j; i += bs) {
+      result.push(String.fromCharCode.apply(String, bytes.subarray(i, i + bs < j ? i + bs : j)));
+    }
+    return result.join('');
+  },
 
-    /** NIST P-521 Curve */
-    'p521':         'p521',
-    'P-521':        'p521',
-    'secp521r1':    'p521',
-    '1.3.132.0.35': 'p521',
-    '2b81040023':   'p521',
-    '2B81040023':   'p521',
+  /**
+   * Convert a native javascript string to a Uint8Array of utf8 bytes
+   * @param {String|ReadableStream} str - The string to convert
+   * @returns {Uint8Array|ReadableStream} A valid squence of utf8 bytes.
+   */
+  encodeUTF8: function (str) {
+    const encoder = new TextEncoder('utf-8');
+    // eslint-disable-next-line no-inner-declarations
+    function process(value, lastChunk = false) {
+      return encoder.encode(value, { stream: !lastChunk });
+    }
+    return transform(str, process, () => process('', true));
+  },
 
-    /** SECG SECP256k1 Curve */
-    'secp256k1':    'secp256k1',
-    '1.3.132.0.10': 'secp256k1',
-    '2b8104000a':   'secp256k1',
-    '2B8104000A':   'secp256k1',
+  /**
+   * Convert a Uint8Array of utf8 bytes to a native javascript string
+   * @param {Uint8Array|ReadableStream} utf8 - A valid squence of utf8 bytes
+   * @returns {String|ReadableStream} A native javascript string.
+   */
+  decodeUTF8: function (utf8) {
+    const decoder = new TextDecoder('utf-8');
+    // eslint-disable-next-line no-inner-declarations
+    function process(value, lastChunk = false) {
+      return decoder.decode(value, { stream: !lastChunk });
+    }
+    return transform(utf8, process, () => process(new Uint8Array(), true));
+  },
 
-    /** Ed25519 */
-    'ED25519':                'ed25519',
-    'ed25519':                'ed25519',
-    'Ed25519':                'ed25519',
-    '1.3.6.1.4.1.11591.15.1': 'ed25519',
-    '2b06010401da470f01':     'ed25519',
-    '2B06010401DA470F01':     'ed25519',
+  /**
+   * Concat a list of Uint8Arrays, Strings or Streams
+   * The caller must not mix Uint8Arrays with Strings, but may mix Streams with non-Streams.
+   * @param {Array<Uint8Array|String|ReadableStream>} Array - Of Uint8Arrays/Strings/Streams to concatenate
+   * @returns {Uint8Array|String|ReadableStream} Concatenated array.
+   */
+  concat: concat,
 
-    /** Curve25519 */
-    'X25519':                 'curve25519',
-    'cv25519':                'curve25519',
-    'curve25519':             'curve25519',
-    'Curve25519':             'curve25519',
-    '1.3.6.1.4.1.3029.1.5.1': 'curve25519',
-    '2b060104019755010501':   'curve25519',
-    '2B060104019755010501':   'curve25519',
+  /**
+   * Concat Uint8Arrays
+   * @param {Array<Uint8Array>} Array - Of Uint8Arrays to concatenate
+   * @returns {Uint8Array} Concatenated array.
+   */
+  concatUint8Array: concatUint8Array,
 
-    /** BrainpoolP256r1 Curve */
-    'brainpoolP256r1':       'brainpoolP256r1',
-    '1.3.36.3.3.2.8.1.1.7':  'brainpoolP256r1',
-    '2b2403030208010107':    'brainpoolP256r1',
-    '2B2403030208010107':    'brainpoolP256r1',
+  /**
+   * Check Uint8Array equality
+   * @param {Uint8Array} array1 - First array
+   * @param {Uint8Array} array2 - Second array
+   * @returns {Boolean} Equality.
+   */
+  equalsUint8Array: function (array1, array2) {
+    if (!util.isUint8Array(array1) || !util.isUint8Array(array2)) {
+      throw new Error('Data must be in the form of a Uint8Array');
+    }
 
-    /** BrainpoolP384r1 Curve */
-    'brainpoolP384r1':       'brainpoolP384r1',
-    '1.3.36.3.3.2.8.1.1.11': 'brainpoolP384r1',
-    '2b240303020801010b':    'brainpoolP384r1',
-    '2B240303020801010B':    'brainpoolP384r1',
+    if (array1.length !== array2.length) {
+      return false;
+    }
 
-    /** BrainpoolP512r1 Curve */
-    'brainpoolP512r1':       'brainpoolP512r1',
-    '1.3.36.3.3.2.8.1.1.13': 'brainpoolP512r1',
-    '2b240303020801010d':    'brainpoolP512r1',
-    '2B240303020801010D':    'brainpoolP512r1'
+    for (let i = 0; i < array1.length; i++) {
+      if (array1[i] !== array2[i]) {
+        return false;
+      }
+    }
+    return true;
   },
 
-  /** KDF parameters flags
-   * Non-standard extensions (for now) to allow email forwarding
-   * @enum {Integer}
-   * @readonly
+  /**
+   * Calculates a 16bit sum of a Uint8Array by adding each character
+   * codes modulus 65535
+   * @param {Uint8Array} Uint8Array - To create a sum of
+   * @returns {Uint8Array} 2 bytes containing the sum of all charcodes % 65535.
    */
-  kdfFlags: {
-    /** Specify fingerprint to use instead of the recipient's */
-    replace_fingerprint: 0x01,
-    /** Specify custom parameters to use in the KDF digest computation */
-    replace_kdf_params: 0x02
+  writeChecksum: function (text) {
+    let s = 0;
+    for (let i = 0; i < text.length; i++) {
+      s = (s + text[i]) & 0xFFFF;
+    }
+    return util.writeNumber(s, 2);
   },
 
-  /** A string to key specifier type
-   * @enum {Integer}
-   * @readonly
+  /**
+   * Helper function to print a debug message. Debug
+   * messages are only printed if
+   * @param {String} str - String of the debug message
    */
-  s2k: {
-    simple: 0,
-    salted: 1,
-    iterated: 3,
-    argon2: 4,
-    gnu: 101
+  printDebug: function (str) {
+    if (debugMode) {
+      console.log('[OpenPGP.js debug]', str);
+    }
   },
 
-  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-9.1|RFC4880bis-04, section 9.1}
-   * @enum {Integer}
-   * @readonly
+  /**
+   * Helper function to print a debug error. Debug
+   * messages are only printed if
+   * @param {String} str - String of the debug message
    */
-  publicKey: {
-    /** RSA (Encrypt or Sign) [HAC] */
-    rsaEncryptSign: 1,
-    /** RSA (Encrypt only) [HAC] */
-    rsaEncrypt: 2,
-    /** RSA (Sign only) [HAC] */
-    rsaSign: 3,
-    /** Elgamal (Encrypt only) [ELGAMAL] [HAC] */
-    elgamal: 16,
-    /** DSA (Sign only) [FIPS186] [HAC] */
-    dsa: 17,
-    /** ECDH (Encrypt only) [RFC6637] */
-    ecdh: 18,
-    /** ECDSA (Sign only) [RFC6637] */
-    ecdsa: 19,
-    /** EdDSA (Sign only)
-     * [{@link https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-04|Draft RFC}] */
-    eddsa: 22,
-    /** Reserved for AEDH */
-    aedh: 23,
-    /** Reserved for AEDSA */
-    aedsa: 24,
-    /** Symmetric authenticated encryption algorithms */
-    aead: 100,
-    /** Authentication using CMAC */
-    hmac: 101
+  printDebugError: function (error) {
+    if (debugMode) {
+      console.error('[OpenPGP.js debug]', error);
+    }
   },
 
-  /** {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC4880, section 9.2}
-   * @enum {Integer}
-   * @readonly
-   */
-  symmetric: {
-    plaintext: 0,
-    /** Not implemented! */
-    idea: 1,
-    tripledes: 2,
-    cast5: 3,
-    blowfish: 4,
-    aes128: 7,
-    aes192: 8,
-    aes256: 9,
-    twofish: 10
+  // returns bit length of the integer x
+  nbits: function (x) {
+    let r = 1;
+    let t = x >>> 16;
+    if (t !== 0) {
+      x = t;
+      r += 16;
+    }
+    t = x >> 8;
+    if (t !== 0) {
+      x = t;
+      r += 8;
+    }
+    t = x >> 4;
+    if (t !== 0) {
+      x = t;
+      r += 4;
+    }
+    t = x >> 2;
+    if (t !== 0) {
+      x = t;
+      r += 2;
+    }
+    t = x >> 1;
+    if (t !== 0) {
+      x = t;
+      r += 1;
+    }
+    return r;
+  },
+
+  /**
+   * If S[1] == 0, then double(S) == (S[2..128] || 0);
+   * otherwise, double(S) == (S[2..128] || 0) xor
+   * (zeros(120) || 10000111).
+   *
+   * Both OCB and EAX (through CMAC) require this function to be constant-time.
+   *
+   * @param {Uint8Array} data
+   */
+  double: function(data) {
+    const doubleVar = new Uint8Array(data.length);
+    const last = data.length - 1;
+    for (let i = 0; i < last; i++) {
+      doubleVar[i] = (data[i] << 1) ^ (data[i + 1] >> 7);
+    }
+    doubleVar[last] = (data[last] << 1) ^ ((data[0] >> 7) * 0x87);
+    return doubleVar;
   },
 
-  /** {@link https://tools.ietf.org/html/rfc4880#section-9.3|RFC4880, section 9.3}
-   * @enum {Integer}
-   * @readonly
+  /**
+   * Shift a Uint8Array to the right by n bits
+   * @param {Uint8Array} array - The array to shift
+   * @param {Integer} bits - Amount of bits to shift (MUST be smaller
+   * than 8)
+   * @returns {String} Resulting array.
    */
-  compression: {
-    uncompressed: 0,
-    /** RFC1951 */
-    zip: 1,
-    /** RFC1950 */
-    zlib: 2,
-    bzip2: 3
+  shiftRight: function (array, bits) {
+    if (bits) {
+      for (let i = array.length - 1; i >= 0; i--) {
+        array[i] >>= bits;
+        if (i > 0) {
+          array[i] |= (array[i - 1] << (8 - bits));
+        }
+      }
+    }
+    return array;
   },
 
-  /** {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC4880, section 9.4}
-   * @enum {Integer}
-   * @readonly
+  /**
+   * Get native Web Cryptography api, only the current version of the spec.
+   * @returns {Object} The SubtleCrypto api or 'undefined'.
    */
-  hash: {
-    md5: 1,
-    sha1: 2,
-    ripemd: 3,
-    sha256: 8,
-    sha384: 9,
-    sha512: 10,
-    sha224: 11
+  getWebCrypto: function() {
+    return typeof globalThis !== 'undefined' && globalThis.crypto && globalThis.crypto.subtle;
   },
 
-  /** A list of hash names as accepted by webCrypto functions.
-   * {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest|Parameters, algo}
-   * @enum {String}
+  /**
+   * Get BigInteger class
+   * It wraps the native BigInt type if it's available
+   * Otherwise it relies on bn.js
+   * @returns {BigInteger}
+   * @async
    */
-  webHash: {
-    'SHA-1': 2,
-    'SHA-256': 8,
-    'SHA-384': 9,
-    'SHA-512': 10
-  },
+  getBigInteger,
 
-  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-9.6|RFC4880bis-04, section 9.6}
-   * @enum {Integer}
-   * @readonly
+  /**
+   * Get native Node.js crypto api.
+   * @returns {Object} The crypto module or 'undefined'.
    */
-  aead: {
-    eax: 1,
-    ocb: 2,
-    experimentalGCM: 100 // Private algorithm
+  getNodeCrypto: function() {
+    return void('crypto');
   },
 
-  /** A list of packet types and numeric tags associated with them.
-   * @enum {Integer}
-   * @readonly
-   */
-  packet: {
-    publicKeyEncryptedSessionKey: 1,
-    signature: 2,
-    symEncryptedSessionKey: 3,
-    onePassSignature: 4,
-    secretKey: 5,
-    publicKey: 6,
-    secretSubkey: 7,
-    compressedData: 8,
-    symmetricallyEncryptedData: 9,
-    marker: 10,
-    literalData: 11,
-    trust: 12,
-    userID: 13,
-    publicSubkey: 14,
-    userAttribute: 17,
-    symEncryptedIntegrityProtectedData: 18,
-    modificationDetectionCode: 19,
-    aeadEncryptedData: 20 // see IETF draft: https://tools.ietf.org/html/draft-ford-openpgp-format-00#section-2.1
+  getNodeZlib: function() {
+    return void('zlib');
   },
 
-  /** Data types in the literal packet
-   * @enum {Integer}
-   * @readonly
+  /**
+   * Get native Node.js Buffer constructor. This should be used since
+   * Buffer is not available under browserify.
+   * @returns {Function} The Buffer constructor or 'undefined'.
    */
-  literal: {
-    /** Binary data 'b' */
-    binary: 'b'.charCodeAt(),
-    /** Text data 't' */
-    text: 't'.charCodeAt(),
-    /** Utf8 data 'u' */
-    utf8: 'u'.charCodeAt(),
-    /** MIME message body part 'm' */
-    mime: 'm'.charCodeAt()
+  getNodeBuffer: function() {
+    return ({}).Buffer;
   },
 
+  getHardwareConcurrency: function() {
+    if (typeof navigator !== 'undefined') {
+      return navigator.hardwareConcurrency || 1;
+    }
+
+    const os = void('os'); // Assume we're on Node.js.
+    return os.cpus().length;
+  },
 
-  /** One pass signature packet type
-   * @enum {Integer}
-   * @readonly
-   */
-  signature: {
-    /** 0x00: Signature of a binary document. */
-    binary: 0,
-    /** 0x01: Signature of a canonical text document.
-     *
-     * Canonicalyzing the document by converting line endings. */
-    text: 1,
-    /** 0x02: Standalone signature.
-     *
-     * This signature is a signature of only its own subpacket contents.
-     * It is calculated identically to a signature over a zero-lengh
-     * binary document.  Note that it doesn't make sense to have a V3
-     * standalone signature. */
-    standalone: 2,
-    /** 0x10: Generic certification of a User ID and Public-Key packet.
-     *
-     * The issuer of this certification does not make any particular
-     * assertion as to how well the certifier has checked that the owner
-     * of the key is in fact the person described by the User ID. */
-    certGeneric: 16,
-    /** 0x11: Persona certification of a User ID and Public-Key packet.
-     *
-     * The issuer of this certification has not done any verification of
-     * the claim that the owner of this key is the User ID specified. */
-    certPersona: 17,
-    /** 0x12: Casual certification of a User ID and Public-Key packet.
-     *
-     * The issuer of this certification has done some casual
-     * verification of the claim of identity. */
-    certCasual: 18,
-    /** 0x13: Positive certification of a User ID and Public-Key packet.
-     *
-     * The issuer of this certification has done substantial
-     * verification of the claim of identity.
-     *
-     * Most OpenPGP implementations make their "key signatures" as 0x10
-     * certifications.  Some implementations can issue 0x11-0x13
-     * certifications, but few differentiate between the types. */
-    certPositive: 19,
-    /** 0x30: Certification revocation signature
-     *
-     * This signature revokes an earlier User ID certification signature
-     * (signature class 0x10 through 0x13) or direct-key signature
-     * (0x1F).  It should be issued by the same key that issued the
-     * revoked signature or an authorized revocation key.  The signature
-     * is computed over the same data as the certificate that it
-     * revokes, and should have a later creation date than that
-     * certificate. */
-    certRevocation: 48,
-    /** 0x18: Subkey Binding Signature
-     *
-     * This signature is a statement by the top-level signing key that
-     * indicates that it owns the subkey.  This signature is calculated
-     * directly on the primary key and subkey, and not on any User ID or
-     * other packets.  A signature that binds a signing subkey MUST have
-     * an Embedded Signature subpacket in this binding signature that
-     * contains a 0x19 signature made by the signing subkey on the
-     * primary key and subkey. */
-    subkeyBinding: 24,
-    /** 0x19: Primary Key Binding Signature
-     *
-     * This signature is a statement by a signing subkey, indicating
-     * that it is owned by the primary key and subkey.  This signature
-     * is calculated the same way as a 0x18 signature: directly on the
-     * primary key and subkey, and not on any User ID or other packets.
-     *
-     * When a signature is made over a key, the hash data starts with the
-     * octet 0x99, followed by a two-octet length of the key, and then body
-     * of the key packet.  (Note that this is an old-style packet header for
-     * a key packet with two-octet length.)  A subkey binding signature
-     * (type 0x18) or primary key binding signature (type 0x19) then hashes
-     * the subkey using the same format as the main key (also using 0x99 as
-     * the first octet). */
-    keyBinding: 25,
-    /** 0x1F: Signature directly on a key
-     *
-     * This signature is calculated directly on a key.  It binds the
-     * information in the Signature subpackets to the key, and is
-     * appropriate to be used for subpackets that provide information
-     * about the key, such as the Revocation Key subpacket.  It is also
-     * appropriate for statements that non-self certifiers want to make
-     * about the key itself, rather than the binding between a key and a
-     * name. */
-    key: 31,
-    /** 0x20: Key revocation signature
-     *
-     * The signature is calculated directly on the key being revoked.  A
-     * revoked key is not to be used.  Only revocation signatures by the
-     * key being revoked, or by an authorized revocation key, should be
-     * considered valid revocation signatures.a */
-    keyRevocation: 32,
-    /** 0x28: Subkey revocation signature
-     *
-     * The signature is calculated directly on the subkey being revoked.
-     * A revoked subkey is not to be used.  Only revocation signatures
-     * by the top-level signature key that is bound to this subkey, or
-     * by an authorized revocation key, should be considered valid
-     * revocation signatures.
-     *
-     * Key revocation signatures (types 0x20 and 0x28)
-     * hash only the key being revoked. */
-    subkeyRevocation: 40,
-    /** 0x40: Timestamp signature.
-     * This signature is only meaningful for the timestamp contained in
-     * it. */
-    timestamp: 64,
-    /** 0x50: Third-Party Confirmation signature.
-     *
-     * This signature is a signature over some other OpenPGP Signature
-     * packet(s).  It is analogous to a notary seal on the signed data.
-     * A third-party signature SHOULD include Signature Target
-     * subpacket(s) to give easy identification.  Note that we really do
-     * mean SHOULD.  There are plausible uses for this (such as a blind
-     * party that only sees the signature, not the key or source
-     * document) that cannot include a target subpacket. */
-    thirdParty: 80
+  isEmailAddress: function(data) {
+    if (!util.isString(data)) {
+      return false;
+    }
+    const re = /^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+([a-zA-Z]{2,}[0-9]*|xn--[a-zA-Z\-0-9]+)))$/;
+    return re.test(data);
   },
 
-  /** Signature subpacket type
-   * @enum {Integer}
-   * @readonly
+  /**
+   * Normalize line endings to <CR><LF>
+   * Support any encoding where CR=0x0D, LF=0x0A
    */
-  signatureSubpacket: {
-    signatureCreationTime: 2,
-    signatureExpirationTime: 3,
-    exportableCertification: 4,
-    trustSignature: 5,
-    regularExpression: 6,
-    revocable: 7,
-    keyExpirationTime: 9,
-    placeholderBackwardsCompatibility: 10,
-    preferredSymmetricAlgorithms: 11,
-    revocationKey: 12,
-    issuer: 16,
-    notationData: 20,
-    preferredHashAlgorithms: 21,
-    preferredCompressionAlgorithms: 22,
-    keyServerPreferences: 23,
-    preferredKeyServer: 24,
-    primaryUserID: 25,
-    policyURI: 26,
-    keyFlags: 27,
-    signersUserID: 28,
-    reasonForRevocation: 29,
-    features: 30,
-    signatureTarget: 31,
-    embeddedSignature: 32,
-    issuerFingerprint: 33,
-    preferredAEADAlgorithms: 34
+  canonicalizeEOL: function(data) {
+    const CR = 13;
+    const LF = 10;
+    let carryOverCR = false;
+
+    return transform(data, bytes => {
+      if (carryOverCR) {
+        bytes = util.concatUint8Array([new Uint8Array([CR]), bytes]);
+      }
+
+      if (bytes[bytes.length - 1] === CR) {
+        carryOverCR = true;
+        bytes = bytes.subarray(0, -1);
+      } else {
+        carryOverCR = false;
+      }
+
+      let index;
+      const indices = [];
+      for (let i = 0; ; i = index) {
+        index = bytes.indexOf(LF, i) + 1;
+        if (index) {
+          if (bytes[index - 2] !== CR) indices.push(index);
+        } else {
+          break;
+        }
+      }
+      if (!indices.length) {
+        return bytes;
+      }
+
+      const normalized = new Uint8Array(bytes.length + indices.length);
+      let j = 0;
+      for (let i = 0; i < indices.length; i++) {
+        const sub = bytes.subarray(indices[i - 1] || 0, indices[i]);
+        normalized.set(sub, j);
+        j += sub.length;
+        normalized[j - 1] = CR;
+        normalized[j] = LF;
+        j++;
+      }
+      normalized.set(bytes.subarray(indices[indices.length - 1] || 0), j);
+      return normalized;
+    }, () => (carryOverCR ? new Uint8Array([CR]) : undefined));
   },
 
-  /** Key flags
-   * @enum {Integer}
-   * @readonly
+  /**
+   * Convert line endings from canonicalized <CR><LF> to native <LF>
+   * Support any encoding where CR=0x0D, LF=0x0A
    */
-  keyFlags: {
-    /** 0x01 - This key may be used to certify other keys. */
-    certifyKeys: 1,
-    /** 0x02 - This key may be used to sign data. */
-    signData: 2,
-    /** 0x04 - This key may be used to encrypt communications. */
-    encryptCommunication: 4,
-    /** 0x08 - This key may be used to encrypt storage. */
-    encryptStorage: 8,
-    /** 0x10 - The private component of this key may have been split
-     *        by a secret-sharing mechanism. */
-    splitPrivateKey: 16,
-    /** 0x20 - This key may be used for authentication. */
-    authentication: 32,
-    /** This key may be used for forwarded communications */
-    forwardedCommunication: 64,
-    /** 0x80 - The private component of this key may be in the
-     *        possession of more than one person. */
-    sharedPrivateKey: 128
+  nativeEOL: function(data) {
+    const CR = 13;
+    const LF = 10;
+    let carryOverCR = false;
+
+    return transform(data, bytes => {
+      if (carryOverCR && bytes[0] !== LF) {
+        bytes = util.concatUint8Array([new Uint8Array([CR]), bytes]);
+      } else {
+        bytes = new Uint8Array(bytes); // Don't mutate passed bytes
+      }
+
+      if (bytes[bytes.length - 1] === CR) {
+        carryOverCR = true;
+        bytes = bytes.subarray(0, -1);
+      } else {
+        carryOverCR = false;
+      }
+
+      let index;
+      let j = 0;
+      for (let i = 0; i !== bytes.length; i = index) {
+        index = bytes.indexOf(CR, i) + 1;
+        if (!index) index = bytes.length;
+        const last = index - (bytes[index] === LF ? 1 : 0);
+        if (i) bytes.copyWithin(j, i, last);
+        j += last - i;
+      }
+      return bytes.subarray(0, j);
+    }, () => (carryOverCR ? new Uint8Array([CR]) : undefined));
   },
 
-  /** Armor type
-   * @enum {Integer}
-   * @readonly
+  /**
+   * Remove trailing spaces, carriage returns and tabs from each line
    */
-  armor: {
-    multipartSection: 0,
-    multipartLast: 1,
-    signed: 2,
-    message: 3,
-    publicKey: 4,
-    privateKey: 5,
-    signature: 6
+  removeTrailingSpaces: function(text) {
+    return text.split('\n').map(line => {
+      let i = line.length - 1;
+      for (; i >= 0 && (line[i] === ' ' || line[i] === '\t' || line[i] === '\r'); i--);
+      return line.substr(0, i + 1);
+    }).join('\n');
   },
 
-  /** {@link https://tools.ietf.org/html/rfc4880#section-5.2.3.23|RFC4880, section 5.2.3.23}
-   * @enum {Integer}
-   * @readonly
+  wrapError: function(message, error) {
+    if (!error) {
+      return new Error(message);
+    }
+
+    // update error message
+    try {
+      error.message = message + ': ' + error.message;
+    } catch (e) {}
+
+    return error;
+  },
+
+  /**
+   * Map allowed packet tags to corresponding classes
+   * Meant to be used to format `allowedPacket` for Packetlist.read
+   * @param {Array<Object>} allowedClasses
+   * @returns {Object} map from enum.packet to corresponding *Packet class
    */
-  reasonForRevocation: {
-    /** No reason specified (key revocations or cert revocations) */
-    noReason: 0,
-    /** Key is superseded (key revocations) */
-    keySuperseded: 1,
-    /** Key material has been compromised (key revocations) */
-    keyCompromised: 2,
-    /** Key is retired and no longer used (key revocations) */
-    keyRetired: 3,
-    /** User ID information is no longer valid (cert revocations) */
-    userIDInvalid: 32
+  constructAllowedPackets: function(allowedClasses) {
+    const map = {};
+    allowedClasses.forEach(PacketClass => {
+      if (!PacketClass.tag) {
+        throw new Error('Invalid input: expected a packet class');
+      }
+      map[PacketClass.tag] = PacketClass;
+    });
+    return map;
   },
 
-  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.2.3.25|RFC4880bis-04, section 5.2.3.25}
-   * @enum {Integer}
-   * @readonly
+  /**
+   * Return a Promise that will resolve as soon as one of the promises in input resolves
+   * or will reject if all input promises all rejected
+   * (similar to Promise.any, but with slightly different error handling)
+   * @param {Array<Promise>} promises
+   * @return {Promise<Any>} Promise resolving to the result of the fastest fulfilled promise
+   *                          or rejected with the Error of the last resolved Promise (if all promises are rejected)
    */
-  features: {
-    /** 0x01 - Modification Detection (packets 18 and 19) */
-    modificationDetection: 1,
-    /** 0x02 - AEAD Encrypted Data Packet (packet 20) and version 5
-     *         Symmetric-Key Encrypted Session Key Packets (packet 3) */
-    aead: 2,
-    /** 0x04 - Version 5 Public-Key Packet format and corresponding new
-      *        fingerprint format */
-    v5Keys: 4
+  anyPromise: function(promises) {
+    // eslint-disable-next-line no-async-promise-executor
+    return new Promise(async (resolve, reject) => {
+      let exception;
+      await Promise.all(promises.map(async promise => {
+        try {
+          resolve(await promise);
+        } catch (e) {
+          exception = e;
+        }
+      }));
+      reject(exception);
+    });
   },
 
   /**
-   * Asserts validity of given value and converts from string/integer to integer.
-   * @param {Object} type target enum type
-   * @param {String|Integer} e value to check and/or convert
-   * @returns {Integer} enum value if it exists
-   * @throws {Error} if the value is invalid
+   * Return either `a` or `b` based on `cond`, in algorithmic constant time.
+   * @param {Boolean} cond
+   * @param {Uint8Array} a
+   * @param {Uint8Array} b
+   * @returns `a` if `cond` is true, `b` otherwise
+   */
+  selectUint8Array: function(cond, a, b) {
+    const length = Math.max(a.length, b.length);
+    const result = new Uint8Array(length);
+    let end = 0;
+    for (let i = 0; i < result.length; i++) {
+      result[i] = (a[i] & (256 - cond)) | (b[i] & (255 + cond));
+      end += (cond & i < a.length) | ((1 - cond) & i < b.length);
+    }
+    return result.subarray(0, end);
+  },
+  /**
+   * Return either `a` or `b` based on `cond`, in algorithmic constant time.
+   * NB: it only supports `a, b` with values between 0-255.
+   * @param {Boolean} cond
+   * @param {Uint8} a
+   * @param {Uint8} b
+   * @returns `a` if `cond` is true, `b` otherwise
+   */
+  selectUint8: function(cond, a, b) {
+    return (a & (256 - cond)) | (b & (255 + cond));
+  },
+  /**
+   * @param {module:enums.symmetric} cipherAlgo
    */
-  write: function(type, e) {
-    if (typeof e === 'number') {
-      e = this.read(type, e);
-    }
+  isAES: function(cipherAlgo) {
+    return cipherAlgo === enums.symmetric.aes128 || cipherAlgo === enums.symmetric.aes192 || cipherAlgo === enums.symmetric.aes256;
+  }
+};
 
-    if (type[e] !== undefined) {
-      return type[e];
+/* OpenPGP radix-64/base64 string encoding/decoding
+ * Copyright 2005 Herbert Hanewinkel, www.haneWIN.de
+ * version 1.0, check www.haneWIN.de for the latest version
+ *
+ * This software is provided as-is, without express or implied warranty.
+ * Permission to use, copy, modify, distribute or sell this software, with or
+ * without fee, for any purpose and by any individual or organization, is hereby
+ * granted, provided that the above copyright notice and this paragraph appear
+ * in all copies. Distribution as a part of an application or binary must
+ * include the above copyright notice in the documentation and/or other materials
+ * provided with the application or distribution.
+ */
+
+const Buffer = util.getNodeBuffer();
+
+let encodeChunk;
+let decodeChunk;
+if (Buffer) {
+  encodeChunk = buf => Buffer.from(buf).toString('base64');
+  decodeChunk = str => {
+    const b = Buffer.from(str, 'base64');
+    return new Uint8Array(b.buffer, b.byteOffset, b.byteLength);
+  };
+} else {
+  encodeChunk = buf => btoa(util.uint8ArrayToString(buf));
+  decodeChunk = str => util.stringToUint8Array(atob(str));
+}
+
+/**
+ * Convert binary array to radix-64
+ * @param {Uint8Array | ReadableStream<Uint8Array>} data - Uint8Array to convert
+ * @returns {String | ReadableStream<String>} Radix-64 version of input string.
+ * @static
+ */
+function encode(data) {
+  let buf = new Uint8Array();
+  return transform(data, value => {
+    buf = util.concatUint8Array([buf, value]);
+    const r = [];
+    const bytesPerLine = 45; // 60 chars per line * (3 bytes / 4 chars of base64).
+    const lines = Math.floor(buf.length / bytesPerLine);
+    const bytes = lines * bytesPerLine;
+    const encoded = encodeChunk(buf.subarray(0, bytes));
+    for (let i = 0; i < lines; i++) {
+      r.push(encoded.substr(i * 60, 60));
+      r.push('\n');
     }
+    buf = buf.subarray(bytes);
+    return r.join('');
+  }, () => (buf.length ? encodeChunk(buf) + '\n' : ''));
+}
 
-    throw new Error('Invalid enum value.');
-  },
+/**
+ * Convert radix-64 to binary array
+ * @param {String | ReadableStream<String>} data - Radix-64 string to convert
+ * @returns {Uint8Array | ReadableStream<Uint8Array>} Binary array version of input string.
+ * @static
+ */
+function decode(data) {
+  let buf = '';
+  return transform(data, value => {
+    buf += value;
 
-  /**
-   * Converts enum integer value to the corresponding string, if it exists.
-   * @param {Object} type target enum type
-   * @param {Integer} e value to convert
-   * @returns {String} name of enum value if it exists
-   * @throws {Error} if the value is invalid
-   */
-  read: function(type, e) {
-    if (!type[byValue]) {
-      type[byValue] = [];
-      Object.entries(type).forEach(([key, value]) => {
-        type[byValue][value] = key;
-      });
+    // Count how many whitespace characters there are in buf
+    let spaces = 0;
+    const spacechars = [' ', '\t', '\r', '\n'];
+    for (let i = 0; i < spacechars.length; i++) {
+      const spacechar = spacechars[i];
+      for (let pos = buf.indexOf(spacechar); pos !== -1; pos = buf.indexOf(spacechar, pos + 1)) {
+        spaces++;
+      }
     }
 
-    if (type[byValue][e] !== undefined) {
-      return type[byValue][e];
+    // Backtrack until we have 4n non-whitespace characters
+    // that we can safely base64-decode
+    let length = buf.length;
+    for (; length > 0 && (length - spaces) % 4 !== 0; length--) {
+      if (spacechars.includes(buf[length])) spaces--;
     }
 
-    throw new Error('Invalid enum value.');
+    const decoded = decodeChunk(buf.substr(0, length));
+    buf = buf.substr(length);
+    return decoded;
+  }, () => decodeChunk(buf));
+}
+
+/**
+ * Convert a Base-64 encoded string an array of 8-bit integer
+ *
+ * Note: accepts both Radix-64 and URL-safe strings
+ * @param {String} base64 - Base-64 encoded string to convert
+ * @returns {Uint8Array} An array of 8-bit integers.
+ */
+function b64ToUint8Array(base64) {
+  return decode(base64.replace(/-/g, '+').replace(/_/g, '/'));
+}
+
+/**
+ * Convert an array of 8-bit integer to a Base-64 encoded string
+ * @param {Uint8Array} bytes - An array of 8-bit integers to convert
+ * @param {bool} url - If true, output is URL-safe
+ * @returns {String} Base-64 encoded string.
+ */
+function uint8ArrayToB64(bytes, url) {
+  let encoded = encode(bytes).replace(/[\r\n]/g, '');
+  if (url) {
+    encoded = encoded.replace(/[+]/g, '-').replace(/[/]/g, '_').replace(/[=]/g, '');
   }
-};
+  return encoded;
+}
 
 // GPG4Browsers - An OpenPGP implementation in javascript
 
@@ -2929,7 +2950,7 @@ var config = {
    * @memberof module:config
    * @property {String} versionString A version string to be included in armored messages
    */
-  versionString: 'OpenPGP.js 5.9.1-1',
+  versionString: 'OpenPGP.js 5.11.0',
   /**
    * @memberof module:config
    * @property {String} commentString A comment string to be included in armored messages
@@ -2980,7 +3001,14 @@ var config = {
    * @memberof module:config
    * @property {Set<String>} rejectCurves {@link module:enums.curve}
    */
-  rejectCurves: new Set([enums.curve.secp256k1])
+  rejectCurves: new Set([enums.curve.secp256k1]),
+  /**
+   * Whether to validate generated EdDSA signatures before returning them, to ensure they are not faulty signatures.
+   * This check will make signing 2-3 times slower.
+   * Faulty signatures may be generated (in principle) if random bitflips occur at specific points in the signature
+   * computation, and could be used to recover the signer's secret key given a second signature over the same data.
+   */
+  checkEdDSAFaultySignatures: true
 };
 
 // GPG4Browsers - An OpenPGP implementation in javascript
@@ -3415,6 +3443,7 @@ class KeyID {
    */
   read(bytes) {
     this.bytes = util.uint8ArrayToString(bytes.subarray(0, 8));
+    return this.bytes.length;
   }
 
   /**
@@ -9961,7 +9990,7 @@ async function encrypt(algo, key, plaintext, iv, config) {
   if (util.getNodeCrypto() && nodeAlgos[algoName]) { // Node crypto library.
     return nodeEncrypt(algo, key, plaintext, iv);
   }
-  if (algoName.substr(0, 3) === 'aes') {
+  if (util.isAES(algo)) {
     return aesEncrypt(algo, key, plaintext, iv, config);
   }
 
@@ -10004,7 +10033,7 @@ async function decrypt(algo, key, ciphertext, iv) {
   if (util.getNodeCrypto() && nodeAlgos[algoName]) { // Node crypto library.
     return nodeDecrypt(algo, key, ciphertext, iv);
   }
-  if (algoName.substr(0, 3) === 'aes') {
+  if (util.isAES(algo)) {
     return aesDecrypt(algo, key, ciphertext, iv);
   }
 
@@ -10023,7 +10052,7 @@ async function decrypt(algo, key, ciphertext, iv) {
     let j = 0;
     while (chunk ? ct.length >= block_size : ct.length) {
       const decblock = cipherfn.encrypt(blockp);
-      blockp = ct;
+      blockp = ct.subarray(0, block_size);
       for (i = 0; i < block_size; i++) {
         plaintext[j++] = blockp[i] ^ decblock[i];
       }
@@ -10949,42 +10978,42 @@ async function GCM(cipher, key) {
     throw new Error('GCM mode supports only AES cipher');
   }
 
-  if (util.getWebCrypto() && key.length !== 24) { // WebCrypto (no 192 bit support) see: https://www.chromium.org/blink/webcrypto#TOC-AES-support
-    const _key = await webCrypto$4.importKey('raw', key, { name: ALGO }, false, ['encrypt', 'decrypt']);
-
+  if (util.getNodeCrypto()) { // Node crypto library
     return {
       encrypt: async function(pt, iv, adata = new Uint8Array()) {
-        if (!pt.length) { // iOS does not support GCM-en/decrypting empty messages
-          return AES_GCM.encrypt(pt, key, iv, adata);
-        }
-        const ct = await webCrypto$4.encrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength$2 * 8 }, _key, pt);
+        const en = new nodeCrypto$4.createCipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
+        en.setAAD(adata);
+        const ct = Buffer$2.concat([en.update(pt), en.final(), en.getAuthTag()]); // append auth tag to ciphertext
         return new Uint8Array(ct);
       },
 
       decrypt: async function(ct, iv, adata = new Uint8Array()) {
-        if (ct.length === tagLength$2) { // iOS does not support GCM-en/decrypting empty messages
-          return AES_GCM.decrypt(ct, key, iv, adata);
-        }
-        const pt = await webCrypto$4.decrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength$2 * 8 }, _key, ct);
+        const de = new nodeCrypto$4.createDecipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
+        de.setAAD(adata);
+        de.setAuthTag(ct.slice(ct.length - tagLength$2, ct.length)); // read auth tag at end of ciphertext
+        const pt = Buffer$2.concat([de.update(ct.slice(0, ct.length - tagLength$2)), de.final()]);
         return new Uint8Array(pt);
       }
     };
   }
 
-  if (util.getNodeCrypto()) { // Node crypto library
+  if (util.getWebCrypto() && key.length !== 24) { // WebCrypto (no 192 bit support) see: https://www.chromium.org/blink/webcrypto#TOC-AES-support
+    const _key = await webCrypto$4.importKey('raw', key, { name: ALGO }, false, ['encrypt', 'decrypt']);
+
     return {
       encrypt: async function(pt, iv, adata = new Uint8Array()) {
-        const en = new nodeCrypto$4.createCipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
-        en.setAAD(adata);
-        const ct = Buffer$2.concat([en.update(pt), en.final(), en.getAuthTag()]); // append auth tag to ciphertext
+        if (!pt.length) { // iOS does not support GCM-en/decrypting empty messages
+          return AES_GCM.encrypt(pt, key, iv, adata);
+        }
+        const ct = await webCrypto$4.encrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength$2 * 8 }, _key, pt);
         return new Uint8Array(ct);
       },
 
       decrypt: async function(ct, iv, adata = new Uint8Array()) {
-        const de = new nodeCrypto$4.createDecipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
-        de.setAAD(adata);
-        de.setAuthTag(ct.slice(ct.length - tagLength$2, ct.length)); // read auth tag at end of ciphertext
-        const pt = Buffer$2.concat([de.update(ct.slice(0, ct.length - tagLength$2)), de.final()]);
+        if (ct.length === tagLength$2) { // iOS does not support GCM-en/decrypting empty messages
+          return AES_GCM.decrypt(ct, key, iv, adata);
+        }
+        const pt = await webCrypto$4.decrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength$2 * 8 }, _key, ct);
         return new Uint8Array(pt);
       }
     };
@@ -11987,11 +12016,11 @@ const nodeCrypto$5 = util.getNodeCrypto();
  */
 function getRandomBytes(length) {
   const buf = new Uint8Array(length);
-  if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
-    crypto.getRandomValues(buf);
-  } else if (nodeCrypto$5) {
+  if (nodeCrypto$5) {
     const bytes = nodeCrypto$5.randomBytes(buf.length);
     buf.set(bytes);
+  } else if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+    crypto.getRandomValues(buf);
   } else {
     throw new Error('No secure random number generator available.');
   }
@@ -13553,7 +13582,7 @@ const curves = {
   },
   ed25519: {
     oid: [0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01],
-    keyType: enums.publicKey.eddsa,
+    keyType: enums.publicKey.eddsaLegacy,
     hash: enums.hash.sha512,
     node: false, // nodeCurves.ed25519 TODO
     payloadSize: 32
@@ -13592,7 +13621,7 @@ const curves = {
   }
 };
 
-class Curve {
+class CurveWithOID {
   constructor(oidOrName, params) {
     try {
       if (util.isArray(oidOrName) ||
@@ -13669,7 +13698,7 @@ class Curve {
 async function generate$1(curve) {
   const BigInteger = await util.getBigInteger();
 
-  curve = new Curve(curve);
+  curve = new CurveWithOID(curve);
   const keyPair = await curve.genKeyPair();
   const Q = new BigInteger(keyPair.publicKey).toUint8Array();
   const secret = new BigInteger(keyPair.privateKey).toUint8Array('be', curve.payloadSize);
@@ -13860,7 +13889,7 @@ const nodeCrypto$8 = util.getNodeCrypto();
  * @async
  */
 async function sign$1(oid, hashAlgo, message, publicKey, privateKey, hashed) {
-  const curve = new Curve(oid);
+  const curve = new CurveWithOID(oid);
   if (message && !util.isStream(message)) {
     const keyPair = { publicKey, privateKey };
     switch (curve.type) {
@@ -13905,7 +13934,7 @@ async function sign$1(oid, hashAlgo, message, publicKey, privateKey, hashed) {
  * @async
  */
 async function verify$1(oid, hashAlgo, signature, message, publicKey, hashed) {
-  const curve = new Curve(oid);
+  const curve = new CurveWithOID(oid);
   if (message && !util.isStream(message)) {
     switch (curve.type) {
       case 'web':
@@ -13939,7 +13968,7 @@ async function verify$1(oid, hashAlgo, signature, message, publicKey, hashed) {
  * @async
  */
 async function validateParams$2(oid, Q, d) {
-  const curve = new Curve(oid);
+  const curve = new CurveWithOID(oid);
   // Reject curves x25519 and ed25519
   if (curve.keyType !== enums.publicKey.ecdsa) {
     return false;
@@ -14142,7 +14171,7 @@ var ecdsa = /*#__PURE__*/Object.freeze({
 naclFastLight.hash = bytes => new Uint8Array(_512().update(bytes).digest());
 
 /**
- * Sign a message using the provided key
+ * Sign a message using the provided legacy EdDSA key
  * @param {module:type/oid} oid - Elliptic curve object identifier
  * @param {module:enums.hash} hashAlgo - Hash algorithm used to sign (must be sha256 or stronger)
  * @param {Uint8Array} message - Message to sign
@@ -14158,10 +14187,24 @@ naclFastLight.hash = bytes => new Uint8Array(_512().update(bytes).digest());
 async function sign$2(oid, hashAlgo, message, publicKey, privateKey, hashed) {
   if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
     // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
-    throw new Error('Hash algorithm too weak: sha256 or stronger is required for EdDSA.');
+    throw new Error('Hash algorithm too weak for EdDSA.');
   }
   const secretKey = util.concatUint8Array([privateKey, publicKey.subarray(1)]);
   const signature = naclFastLight.sign.detached(hashed, secretKey);
+  if (config.checkEdDSAFaultySignatures && !naclFastLight.sign.detached.verify(hashed, signature, publicKey.subarray(1))) {
+    /**
+     * Detect faulty signatures caused by random bitflips during `crypto_sign` which could lead to private key extraction
+     * if two signatures over the same message are obtained.
+     * See https://github.com/jedisct1/libsodium/issues/170.
+     * If the input data is not deterministic, e.g. thanks to the random salt in v6 OpenPGP signatures (not yet implemented),
+     * then the generated signature is always safe, and the verification step is skipped.
+     * Otherwise, we need to verify the generated to ensure that no bitflip occured:
+     * - in M between the computation of `r` and `h`.
+     * - in the public key before computing `h`
+     * The verification step is almost 2-3 times as slow as signing, but it's faster than re-signing + re-deriving the public key for separate checks.
+     */
+    throw new Error('Transient signing failure');
+  }
   // EdDSA signature params are returned in little-endian format
   return {
     r: signature.subarray(0, 32),
@@ -14170,7 +14213,7 @@ async function sign$2(oid, hashAlgo, message, publicKey, privateKey, hashed) {
 }
 
 /**
- * Verifies if a signature is valid for a message
+ * Verifies if a legacy EdDSA signature is valid for a message
  * @param {module:type/oid} oid - Elliptic curve object identifier
  * @param {module:enums.hash} hashAlgo - Hash algorithm used in the signature
  * @param  {{r: Uint8Array,
@@ -14182,11 +14225,14 @@ async function sign$2(oid, hashAlgo, message, publicKey, privateKey, hashed) {
  * @async
  */
 async function verify$2(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
+  if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
+    throw new Error('Hash algorithm too weak for EdDSA.');
+  }
   const signature = util.concatUint8Array([r, s]);
   return naclFastLight.sign.detached.verify(hashed, signature, publicKey.subarray(1));
 }
 /**
- * Validate EdDSA parameters
+ * Validate legacy EdDSA parameters
  * @param {module:type/oid} oid - Elliptic curve object identifier
  * @param {Uint8Array} Q - EdDSA public point
  * @param {Uint8Array} k - EdDSA secret seed
@@ -14199,20 +14245,154 @@ async function validateParams$3(oid, Q, k) {
     return false;
   }
 
-  /**
-   * Derive public point Q' = dG from private key
-   * and expect Q == Q'
-   */
-  const { publicKey } = naclFastLight.sign.keyPair.fromSeed(k);
-  const dG = new Uint8Array([0x40, ...publicKey]); // Add public key prefix
-  return util.equalsUint8Array(Q, dG);
+  /**
+   * Derive public point Q' = dG from private key
+   * and expect Q == Q'
+   */
+  const { publicKey } = naclFastLight.sign.keyPair.fromSeed(k);
+  const dG = new Uint8Array([0x40, ...publicKey]); // Add public key prefix
+  return util.equalsUint8Array(Q, dG);
+
+}
+
+var eddsa_legacy = /*#__PURE__*/Object.freeze({
+  __proto__: null,
+  sign: sign$2,
+  verify: verify$2,
+  validateParams: validateParams$3
+});
+
+// OpenPGP.js - An OpenPGP implementation in javascript
+
+naclFastLight.hash = bytes => new Uint8Array(_512().update(bytes).digest());
+
+/**
+ * Generate (non-legacy) EdDSA key
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @returns {Promise<{ A: Uint8Array, seed: Uint8Array }>}
+ */
+async function generate$2(algo) {
+  switch (algo) {
+    case enums.publicKey.ed25519: {
+      const seed = getRandomBytes(32);
+      const { publicKey: A } = naclFastLight.sign.keyPair.fromSeed(seed);
+      return { A, seed };
+    }
+    default:
+      throw new Error('Unsupported EdDSA algorithm');
+  }
+}
+
+/**
+ * Sign a message using the provided key
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @param {module:enums.hash} hashAlgo - Hash algorithm used to sign (must be sha256 or stronger)
+ * @param {Uint8Array} message - Message to sign
+ * @param {Uint8Array} publicKey - Public key
+ * @param {Uint8Array} privateKey - Private key used to sign the message
+ * @param {Uint8Array} hashed - The hashed message
+ * @returns {Promise<{
+ *   RS: Uint8Array
+ * }>} Signature of the message
+ * @async
+ */
+async function sign$3(algo, hashAlgo, message, publicKey, privateKey, hashed) {
+  if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(getPreferredHashAlgo$1(algo))) {
+    throw new Error('Hash algorithm too weak for EdDSA.');
+  }
+  switch (algo) {
+    case enums.publicKey.ed25519: {
+      const secretKey = util.concatUint8Array([privateKey, publicKey]);
+      const signature = naclFastLight.sign.detached(hashed, secretKey);
+      if (config.checkEdDSAFaultySignatures && !naclFastLight.sign.detached.verify(hashed, signature, publicKey)) {
+        /**
+         * Detect faulty signatures caused by random bitflips during `crypto_sign` which could lead to private key extraction
+         * if two signatures over the same message are obtained.
+         * See https://github.com/jedisct1/libsodium/issues/170.
+         * If the input data is not deterministic, e.g. thanks to the random salt in v6 OpenPGP signatures (not yet implemented),
+         * then the generated signature is always safe, and the verification step is skipped.
+         * Otherwise, we need to verify the generated to ensure that no bitflip occured:
+         * - in M between the computation of `r` and `h`.
+         * - in the public key before computing `h`
+         * The verification step is almost 2-3 times as slow as signing, but it's faster than re-signing + re-deriving the public key for separate checks.
+         */
+        throw new Error('Transient signing failure');
+      }
+      return { RS: signature };
+    }
+    case enums.publicKey.ed448:
+    default:
+      throw new Error('Unsupported EdDSA algorithm');
+  }
+
+}
+
+/**
+ * Verifies if a signature is valid for a message
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @param {module:enums.hash} hashAlgo - Hash algorithm used in the signature
+ * @param  {{ RS: Uint8Array }} signature Signature to verify the message
+ * @param {Uint8Array} m - Message to verify
+ * @param {Uint8Array} publicKey - Public key used to verify the message
+ * @param {Uint8Array} hashed - The hashed message
+ * @returns {Boolean}
+ * @async
+ */
+async function verify$3(algo, hashAlgo, { RS }, m, publicKey, hashed) {
+  if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(getPreferredHashAlgo$1(algo))) {
+    throw new Error('Hash algorithm too weak for EdDSA.');
+  }
+  switch (algo) {
+    case enums.publicKey.ed25519: {
+      return naclFastLight.sign.detached.verify(hashed, RS, publicKey);
+    }
+    case enums.publicKey.ed448:
+    default:
+      throw new Error('Unsupported EdDSA algorithm');
+  }
+}
+/**
+ * Validate (non-legacy) EdDSA parameters
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @param {Uint8Array} A - EdDSA public point
+ * @param {Uint8Array} seed - EdDSA secret seed
+ * @param {Uint8Array} oid - (legacy only) EdDSA OID
+ * @returns {Promise<Boolean>} Whether params are valid.
+ * @async
+ */
+async function validateParams$4(algo, A, seed) {
+  switch (algo) {
+    case enums.publicKey.ed25519: {
+      /**
+       * Derive public point A' from private key
+       * and expect A == A'
+       */
+      const { publicKey } = naclFastLight.sign.keyPair.fromSeed(seed);
+      return util.equalsUint8Array(A, publicKey);
+    }
+
+    case enums.publicKey.ed448: // unsupported
+    default:
+      return false;
+  }
+}
+
+function getPreferredHashAlgo$1(algo) {
+  switch (algo) {
+    case enums.publicKey.ed25519:
+      return enums.hash.sha256;
+    default:
+      throw new Error('Unknown EdDSA algo');
+  }
 }
 
 var eddsa = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  sign: sign$2,
-  verify: verify$2,
-  validateParams: validateParams$3
+  generate: generate$2,
+  sign: sign$3,
+  verify: verify$3,
+  validateParams: validateParams$4,
+  getPreferredHashAlgo: getPreferredHashAlgo$1
 });
 
 // OpenPGP.js - An OpenPGP implementation in javascript
@@ -14404,7 +14584,7 @@ const nodeCrypto$9 = util.getNodeCrypto();
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$4(oid, Q, d) {
+async function validateParams$5(oid, Q, d) {
   return validateStandardParams(enums.publicKey.ecdh, oid, Q, d);
 }
 
@@ -14446,7 +14626,7 @@ async function kdf(hashAlgo, X, length, param, stripLeading = false, stripTraili
 /**
  * Generate ECDHE ephemeral key and secret from public key
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} Q - Recipient public key
  * @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
  * @async
@@ -14489,7 +14669,7 @@ async function genPublicEphemeralKey(curve, Q) {
 async function encrypt$3(oid, kdfParams, data, Q, fingerprint) {
   const m = encode$1(data);
 
-  const curve = new Curve(oid);
+  const curve = new CurveWithOID(oid);
   const { publicKey, sharedKey } = await genPublicEphemeralKey(curve, Q);
   const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
   const { keySize } = getCipher(kdfParams.cipher);
@@ -14501,7 +14681,7 @@ async function encrypt$3(oid, kdfParams, data, Q, fingerprint) {
 /**
  * Generate ECDHE secret from private key and public part of ephemeral key
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} V - Public part of ephemeral key
  * @param {Uint8Array} Q - Recipient public key
  * @param {Uint8Array} d - Recipient private key
@@ -14549,7 +14729,7 @@ async function genPrivateEphemeralKey(curve, V, Q, d) {
  * @async
  */
 async function decrypt$3(oid, kdfParams, V, C, Q, d, fingerprint) {
-  const curve = new Curve(oid);
+  const curve = new CurveWithOID(oid);
   const { sharedKey } = await genPrivateEphemeralKey(curve, V, Q, d);
   const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
   const { keySize } = getCipher(kdfParams.cipher);
@@ -14569,7 +14749,7 @@ async function decrypt$3(oid, kdfParams, V, C, Q, d, fingerprint) {
 /**
  * Generate ECDHE secret from private key and public part of ephemeral key using webCrypto
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} V - Public part of ephemeral key
  * @param {Uint8Array} Q - Recipient public key
  * @param {Uint8Array} d - Recipient private key
@@ -14622,7 +14802,7 @@ async function webPrivateEphemeralKey(curve, V, Q, d) {
 /**
  * Generate ECDHE ephemeral key and secret from public key using webCrypto
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} Q - Recipient public key
  * @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
  * @async
@@ -14670,7 +14850,7 @@ async function webPublicEphemeralKey(curve, Q) {
 /**
  * Generate ECDHE secret from private key and public part of ephemeral key using indutny/elliptic
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} V - Public part of ephemeral key
  * @param {Uint8Array} d - Recipient private key
  * @returns {Promise<{secretKey: Uint8Array, sharedKey: Uint8Array}>}
@@ -14690,7 +14870,7 @@ async function ellipticPrivateEphemeralKey(curve, V, d) {
 /**
  * Generate ECDHE ephemeral key and secret from public key using indutny/elliptic
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} Q - Recipient public key
  * @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
  * @async
@@ -14710,7 +14890,7 @@ async function ellipticPublicEphemeralKey(curve, Q) {
 /**
  * Generate ECDHE secret from private key and public part of ephemeral key using nodeCrypto
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} V - Public part of ephemeral key
  * @param {Uint8Array} d - Recipient private key
  * @returns {Promise<{secretKey: Uint8Array, sharedKey: Uint8Array}>}
@@ -14727,7 +14907,7 @@ async function nodePrivateEphemeralKey(curve, V, d) {
 /**
  * Generate ECDHE ephemeral key and secret from public key using nodeCrypto
  *
- * @param {Curve} curve - Elliptic curve object
+ * @param {CurveWithOID} curve - Elliptic curve object
  * @param {Uint8Array} Q - Recipient public key
  * @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}
  * @async
@@ -14742,18 +14922,202 @@ async function nodePublicEphemeralKey(curve, Q) {
 
 var ecdh = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  validateParams: validateParams$4,
+  validateParams: validateParams$5,
   encrypt: encrypt$3,
   decrypt: decrypt$3
 });
 
+/**
+ * @fileoverview This module implements HKDF using either the WebCrypto API or Node.js' crypto API.
+ * @module crypto/hkdf
+ * @private
+ */
+
+const webCrypto$9 = util.getWebCrypto();
+const nodeCrypto$a = util.getNodeCrypto();
+const nodeSubtleCrypto = nodeCrypto$a && nodeCrypto$a.webcrypto && nodeCrypto$a.webcrypto.subtle;
+
+async function HKDF(hashAlgo, inputKey, salt, info, outLen) {
+  const hash = enums.read(enums.webHash, hashAlgo);
+  if (!hash) throw new Error('Hash algo not supported with HKDF');
+
+  if (webCrypto$9 || nodeSubtleCrypto) {
+    const crypto = webCrypto$9 || nodeSubtleCrypto;
+    const importedKey = await crypto.importKey('raw', inputKey, 'HKDF', false, ['deriveBits']);
+    const bits = await crypto.deriveBits({ name: 'HKDF', hash, salt, info }, importedKey, outLen * 8);
+    return new Uint8Array(bits);
+  }
+
+  if (nodeCrypto$a) {
+    const hashAlgoName = enums.read(enums.hash, hashAlgo);
+    // Node-only HKDF implementation based on https://www.rfc-editor.org/rfc/rfc5869
+
+    const computeHMAC = (hmacKey, hmacMessage) => nodeCrypto$a.createHmac(hashAlgoName, hmacKey).update(hmacMessage).digest();
+    // Step 1: Extract
+    // PRK = HMAC-Hash(salt, IKM)
+    const pseudoRandomKey = computeHMAC(salt, inputKey);
+
+    const hashLen = pseudoRandomKey.length;
+
+    // Step 2: Expand
+    // HKDF-Expand(PRK, info, L) -> OKM
+    const n = Math.ceil(outLen / hashLen);
+    const outputKeyingMaterial = new Uint8Array(n * hashLen);
+
+    // HMAC input buffer updated at each iteration
+    const roundInput = new Uint8Array(hashLen + info.length + 1);
+    // T_i and last byte are updated at each iteration, but `info` remains constant
+    roundInput.set(info, hashLen);
+
+    for (let i = 0; i < n; i++) {
+      // T(0) = empty string (zero length)
+      // T(i) = HMAC-Hash(PRK, T(i-1) | info | i)
+      roundInput[roundInput.length - 1] = i + 1;
+      // t = T(i+1)
+      const t = computeHMAC(pseudoRandomKey, i > 0 ? roundInput : roundInput.subarray(hashLen));
+      roundInput.set(t, 0);
+
+      outputKeyingMaterial.set(t, i * hashLen);
+    }
+
+    return outputKeyingMaterial.subarray(0, outLen);
+  }
+
+  throw new Error('No HKDF implementation available');
+}
+
+/**
+ * @fileoverview Key encryption and decryption for RFC 6637 ECDH
+ * @module crypto/public_key/elliptic/ecdh
+ * @private
+ */
+
+const HKDF_INFO = {
+  x25519: util.encodeUTF8('OpenPGP X25519')
+};
+
+/**
+ * Generate ECDH key for Montgomery curves
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @returns {Promise<{ A: Uint8Array, k: Uint8Array }>}
+ */
+async function generate$3(algo) {
+  switch (algo) {
+    case enums.publicKey.x25519: {
+      // k stays in little-endian, unlike legacy ECDH over curve25519
+      const k = getRandomBytes(32);
+      const { publicKey: A } = naclFastLight.box.keyPair.fromSecretKey(k);
+      return { A, k };
+    }
+    default:
+      throw new Error('Unsupported ECDH algorithm');
+  }
+}
+
+/**
+* Validate ECDH parameters
+* @param {module:enums.publicKey} algo - Algorithm identifier
+* @param {Uint8Array} A - ECDH public point
+* @param {Uint8Array} k - ECDH secret scalar
+* @returns {Promise<Boolean>} Whether params are valid.
+* @async
+*/
+async function validateParams$6(algo, A, k) {
+  switch (algo) {
+    case enums.publicKey.x25519: {
+      /**
+       * Derive public point A' from private key
+       * and expect A == A'
+       */
+      const { publicKey } = naclFastLight.box.keyPair.fromSecretKey(k);
+      return util.equalsUint8Array(A, publicKey);
+    }
+
+    default:
+      return false;
+  }
+}
+
+/**
+ * Wrap and encrypt a session key
+ *
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @param {Uint8Array} data - session key data to be encrypted
+ * @param {Uint8Array} recipientA - Recipient public key (K_B)
+ * @returns {Promise<{
+ *  ephemeralPublicKey: Uint8Array,
+ * wrappedKey: Uint8Array
+ * }>} ephemeral public key (K_A) and encrypted key
+ * @async
+ */
+async function encrypt$4(algo, data, recipientA) {
+  switch (algo) {
+    case enums.publicKey.x25519: {
+      const ephemeralSecretKey = getRandomBytes(32);
+      const sharedSecret = naclFastLight.scalarMult(ephemeralSecretKey, recipientA);
+      const { publicKey: ephemeralPublicKey } = naclFastLight.box.keyPair.fromSecretKey(ephemeralSecretKey);
+      const hkdfInput = util.concatUint8Array([
+        ephemeralPublicKey,
+        recipientA,
+        sharedSecret
+      ]);
+      const { keySize } = getCipher(enums.symmetric.aes128);
+      const encryptionKey = await HKDF(enums.hash.sha256, hkdfInput, new Uint8Array(), HKDF_INFO.x25519, keySize);
+      const wrappedKey = wrap(encryptionKey, data);
+      return { ephemeralPublicKey, wrappedKey };
+    }
+
+    default:
+      throw new Error('Unsupported ECDH algorithm');
+  }
+}
+
+/**
+ * Decrypt and unwrap the session key
+ *
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @param {Uint8Array} ephemeralPublicKey - (K_A)
+ * @param {Uint8Array} wrappedKey,
+ * @param {Uint8Array} A - Recipient public key (K_b), needed for KDF
+ * @param {Uint8Array} k - Recipient secret key (b)
+ * @returns {Promise<Uint8Array>} decrypted session key data
+ * @async
+ */
+async function decrypt$4(algo, ephemeralPublicKey, wrappedKey, A, k) {
+  switch (algo) {
+    case enums.publicKey.x25519: {
+      const sharedSecret = naclFastLight.scalarMult(k, ephemeralPublicKey);
+      const hkdfInput = util.concatUint8Array([
+        ephemeralPublicKey,
+        A,
+        sharedSecret
+      ]);
+      const { keySize } = getCipher(enums.symmetric.aes128);
+      const encryptionKey = await HKDF(enums.hash.sha256, hkdfInput, new Uint8Array(), HKDF_INFO.x25519, keySize);
+      return unwrap(encryptionKey, wrappedKey);
+    }
+    default:
+      throw new Error('Unsupported ECDH algorithm');
+  }
+}
+
+var ecdh_x = /*#__PURE__*/Object.freeze({
+  __proto__: null,
+  generate: generate$3,
+  validateParams: validateParams$6,
+  encrypt: encrypt$4,
+  decrypt: decrypt$4
+});
+
 // OpenPGP.js - An OpenPGP implementation in javascript
 
 var elliptic = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  Curve: Curve,
+  CurveWithOID: CurveWithOID,
   ecdh: ecdh,
+  ecdhX: ecdh_x,
   ecdsa: ecdsa,
+  eddsaLegacy: eddsa_legacy,
   eddsa: eddsa,
   generate: generate$1,
   getPreferredHashAlgo: getPreferredHashAlgo
@@ -14778,7 +15142,7 @@ var elliptic = /*#__PURE__*/Object.freeze({
  * @returns {Promise<{ r: Uint8Array, s: Uint8Array }>}
  * @async
  */
-async function sign$3(hashAlgo, hashed, g, p, q, x) {
+async function sign$4(hashAlgo, hashed, g, p, q, x) {
   const BigInteger = await util.getBigInteger();
   const one = new BigInteger(1);
   p = new BigInteger(p);
@@ -14837,7 +15201,7 @@ async function sign$3(hashAlgo, hashed, g, p, q, x) {
  * @returns {boolean}
  * @async
  */
-async function verify$3(hashAlgo, r, s, hashed, g, p, q, y) {
+async function verify$4(hashAlgo, r, s, hashed, g, p, q, y) {
   const BigInteger = await util.getBigInteger();
   const zero = new BigInteger(0);
   r = new BigInteger(r);
@@ -14880,7 +15244,7 @@ async function verify$3(hashAlgo, r, s, hashed, g, p, q, y) {
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-async function validateParams$5(p, q, g, y, x) {
+async function validateParams$7(p, q, g, y, x) {
   const BigInteger = await util.getBigInteger();
   p = new BigInteger(p);
   q = new BigInteger(q);
@@ -14935,9 +15299,9 @@ async function validateParams$5(p, q, g, y, x) {
 
 var dsa = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  sign: sign$3,
-  verify: verify$3,
-  validateParams: validateParams$5
+  sign: sign$4,
+  verify: verify$4,
+  validateParams: validateParams$7
 });
 
 /**
@@ -15073,10 +15437,10 @@ function parseSignatureParams(algo, signature) {
       const s = util.readMPI(signature.subarray(read));
       return { r, s };
     }
-    // Algorithm-Specific Fields for EdDSA signatures:
+    // Algorithm-Specific Fields for legacy EdDSA signatures:
     // -  MPI of an EC point r.
     // -  EdDSA value s, in MPI, in the little endian representation
-    case enums.publicKey.eddsa: {
+    case enums.publicKey.eddsaLegacy: {
       // When parsing little-endian MPI data, we always need to left-pad it, as done with big-endian values:
       // https://www.ietf.org/archive/id/draft-ietf-openpgp-rfc4880bis-10.html#section-3.2-9
       let r = util.readMPI(signature.subarray(read)); read += r.length + 2;
@@ -15085,7 +15449,12 @@ function parseSignatureParams(algo, signature) {
       s = util.leftPad(s, 32);
       return { r, s };
     }
-
+    // Algorithm-Specific Fields for Ed25519 signatures:
+    // - 64 octets of the native signature
+    case enums.publicKey.ed25519: {
+      const RS = signature.subarray(read, read + 64); read += RS.length;
+      return { RS };
+    }
     case enums.publicKey.hmac: {
       const mac = new ShortByteString(); mac.read(signature.subarray(read));
       return { mac };
@@ -15110,7 +15479,7 @@ function parseSignatureParams(algo, signature) {
  * @returns {Promise<Boolean>} True if signature is valid.
  * @async
  */
-async function verify$4(algo, hashAlgo, signature, publicParams, privateParams, data, hashed) {
+async function verify$5(algo, hashAlgo, signature, publicParams, privateParams, data, hashed) {
   switch (algo) {
     case enums.publicKey.rsaEncryptSign:
     case enums.publicKey.rsaEncrypt:
@@ -15126,16 +15495,20 @@ async function verify$4(algo, hashAlgo, signature, publicParams, privateParams,
     }
     case enums.publicKey.ecdsa: {
       const { oid, Q } = publicParams;
-      const curveSize = new publicKey.elliptic.Curve(oid).payloadSize;
+      const curveSize = new publicKey.elliptic.CurveWithOID(oid).payloadSize;
       // padding needed for webcrypto
       const r = util.leftPad(signature.r, curveSize);
       const s = util.leftPad(signature.s, curveSize);
       return publicKey.elliptic.ecdsa.verify(oid, hashAlgo, { r, s }, data, Q, hashed);
     }
-    case enums.publicKey.eddsa: {
+    case enums.publicKey.eddsaLegacy: {
       const { oid, Q } = publicParams;
       // signature already padded on parsing
-      return publicKey.elliptic.eddsa.verify(oid, hashAlgo, signature, data, Q, hashed);
+      return publicKey.elliptic.eddsaLegacy.verify(oid, hashAlgo, signature, data, Q, hashed);
+    }
+    case enums.publicKey.ed25519: {
+      const { A } = publicParams;
+      return publicKey.elliptic.eddsa.verify(algo, hashAlgo, signature, data, A, hashed);
     }
     case enums.publicKey.hmac: {
       if (!privateParams) {
@@ -15165,7 +15538,7 @@ async function verify$4(algo, hashAlgo, signature, publicParams, privateParams,
  * @returns {Promise<Object>} Signature                      Object containing named signature parameters.
  * @async
  */
-async function sign$4(algo, hashAlgo, publicKeyParams, privateKeyParams, data, hashed) {
+async function sign$5(algo, hashAlgo, publicKeyParams, privateKeyParams, data, hashed) {
   if (!publicKeyParams || !privateKeyParams) {
     throw new Error('Missing key parameters');
   }
@@ -15191,10 +15564,15 @@ async function sign$4(algo, hashAlgo, publicKeyParams, privateKeyParams, data, h
       const { d } = privateKeyParams;
       return publicKey.elliptic.ecdsa.sign(oid, hashAlgo, data, Q, d, hashed);
     }
-    case enums.publicKey.eddsa: {
+    case enums.publicKey.eddsaLegacy: {
       const { oid, Q } = publicKeyParams;
       const { seed } = privateKeyParams;
-      return publicKey.elliptic.eddsa.sign(oid, hashAlgo, data, Q, seed, hashed);
+      return publicKey.elliptic.eddsaLegacy.sign(oid, hashAlgo, data, Q, seed, hashed);
+    }
+    case enums.publicKey.ed25519: {
+      const { A } = publicKeyParams;
+      const { seed } = privateKeyParams;
+      return publicKey.elliptic.eddsa.sign(algo, hashAlgo, data, A, seed, hashed);
     }
     case enums.publicKey.hmac: {
       const { cipher: algo } = publicKeyParams;
@@ -15210,34 +15588,31 @@ async function sign$4(algo, hashAlgo, publicKeyParams, privateKeyParams, data, h
 var signature = /*#__PURE__*/Object.freeze({
   __proto__: null,
   parseSignatureParams: parseSignatureParams,
-  verify: verify$4,
-  sign: sign$4
+  verify: verify$5,
+  sign: sign$5
 });
 
 // OpenPGP.js - An OpenPGP implementation in javascript
 
 class ECDHSymmetricKey {
   constructor(data) {
-    if (typeof data === 'undefined') {
-      data = new Uint8Array([]);
-    } else if (util.isString(data)) {
-      data = util.stringToUint8Array(data);
-    } else {
-      data = new Uint8Array(data);
+    if (data) {
+      this.data = data;
     }
-    this.data = data;
   }
 
   /**
-   * Read an ECDHSymmetricKey from an Uint8Array
-   * @param {Uint8Array} input - Where to read the encoded symmetric key from
+   * Read an ECDHSymmetricKey from an Uint8Array:
+   * - 1 octect for the length `l`
+   * - `l` octects of encoded session key data
+   * @param {Uint8Array} bytes
    * @returns {Number} Number of read bytes.
    */
-  read(input) {
-    if (input.length >= 1) {
-      const length = input[0];
-      if (input.length >= 1 + length) {
-        this.data = input.subarray(1, 1 + length);
+  read(bytes) {
+    if (bytes.length >= 1) {
+      const length = bytes[0];
+      if (bytes.length >= 1 + length) {
+        this.data = bytes.subarray(1, 1 + length);
         return 1 + this.data.length;
       }
     }
@@ -15246,7 +15621,7 @@ class ECDHSymmetricKey {
 
   /**
    * Write an ECDHSymmetricKey as an Uint8Array
-   * @returns  {Uint8Array}  An array containing the value
+   * @returns  {Uint8Array} Serialised data
    */
   write() {
     return util.concatUint8Array([new Uint8Array([this.data.length]), this.data]);
@@ -15286,6 +15661,9 @@ class KDFParams {
    * @returns {Number} Number of read bytes.
    */
   read(input) {
+    if (input.length < 4 || (input[1] !== 1 && input[1] !== VERSION_FORWARDING)) {
+      throw new UnsupportedError('Cannot read KDFParams');
+    }
     const totalBytes = input[0];
     this.version = input[1];
     this.hash = input[2];
@@ -15373,12 +15751,57 @@ const AEADEnum = type_enum(enums.aead);
 const SymAlgoEnum = type_enum(enums.symmetric);
 const HashEnum = type_enum(enums.hash);
 
+/**
+ * Encoded symmetric key for x25519 and x448
+ * The payload format varies for v3 and v6 PKESK:
+ * the former includes an algorithm byte preceeding the encrypted session key.
+ *
+ * @module type/x25519x448_symkey
+ */
+
+class ECDHXSymmetricKey {
+  static fromObject({ wrappedKey, algorithm }) {
+    const instance = new ECDHXSymmetricKey();
+    instance.wrappedKey = wrappedKey;
+    instance.algorithm = algorithm;
+    return instance;
+  }
+
+  /**
+   * - 1 octect for the length `l`
+   * - `l` octects of encoded session key data (with optional leading algorithm byte)
+   * @param {Uint8Array} bytes
+   * @returns {Number} Number of read bytes.
+   */
+  read(bytes) {
+    let read = 0;
+    let followLength = bytes[read++];
+    this.algorithm = followLength % 2 ? bytes[read++] : null; // session key size is always even
+    followLength -= followLength % 2;
+    this.wrappedKey = bytes.subarray(read, read + followLength); read += followLength;
+  }
+
+  /**
+   * Write an MontgomerySymmetricKey as an Uint8Array
+   * @returns  {Uint8Array} Serialised data
+   */
+  write() {
+    return util.concatUint8Array([
+      this.algorithm ?
+        new Uint8Array([this.wrappedKey.length + 1, this.algorithm]) :
+        new Uint8Array([this.wrappedKey.length]),
+      this.wrappedKey
+    ]);
+  }
+}
+
 // GPG4Browsers - An OpenPGP implementation in javascript
 
 /**
  * Encrypts data using specified algorithm and public key parameters.
  * See {@link https://tools.ietf.org/html/rfc4880#section-9.1|RFC 4880 9.1} for public key algorithms.
- * @param {module:enums.publicKey} algo - Public key algorithm
+ * @param {module:enums.publicKey} keyAlgo - Public key algorithm
+ * @param {module:enums.symmetric} symmetricAlgo - Cipher algorithm
  * @param {Object} publicParams - Algorithm-specific public key parameters
  * @param {Object} privateParams - Algorithm-specific private key parameters
  * @param {Uint8Array} data - Data to be encrypted
@@ -15386,8 +15809,8 @@ const HashEnum = type_enum(enums.hash);
  * @returns {Promise<Object>} Encrypted session key parameters.
  * @async
  */
-async function publicKeyEncrypt(algo, publicParams, privateParams, data, fingerprint) {
-  switch (algo) {
+async function publicKeyEncrypt(keyAlgo, symmetricAlgo, publicParams, privateParams, data, fingerprint) {
+  switch (keyAlgo) {
     case enums.publicKey.rsaEncrypt:
     case enums.publicKey.rsaEncryptSign: {
       const { n, e } = publicParams;
@@ -15404,6 +15827,17 @@ async function publicKeyEncrypt(algo, publicParams, privateParams, data, fingerp
         oid, kdfParams, data, Q, fingerprint);
       return { V, C: new ECDHSymmetricKey(C) };
     }
+    case enums.publicKey.x25519: {
+      if (!util.isAES(symmetricAlgo)) {
+        // see https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/276
+        throw new Error('X25519 keys can only encrypt AES session keys');
+      }
+      const { A } = publicParams;
+      const { ephemeralPublicKey, wrappedKey } = await publicKey.elliptic.ecdhX.encrypt(
+        keyAlgo, data, A);
+      const C = ECDHXSymmetricKey.fromObject({ algorithm: symmetricAlgo, wrappedKey });
+      return { ephemeralPublicKey, C };
+    }
     case enums.publicKey.aead: {
       if (!privateParams) {
         throw new Error('Cannot encrypt with symmetric key missing private parameters');
@@ -15460,6 +15894,16 @@ async function publicKeyDecrypt(algo, publicKeyParams, privateKeyParams, session
       return publicKey.elliptic.ecdh.decrypt(
         oid, kdfParams, V, C.data, Q, d, fingerprint);
     }
+    case enums.publicKey.x25519: {
+      const { A } = publicKeyParams;
+      const { k } = privateKeyParams;
+      const { ephemeralPublicKey, C } = sessionKeyParams;
+      if (!util.isAES(C.algorithm)) {
+        throw new Error('AES session key expected');
+      }
+      return publicKey.elliptic.ecdhX.decrypt(
+        algo, ephemeralPublicKey, C.wrappedKey, A, k);
+    }
     case enums.publicKey.aead: {
       const { cipher: algo } = publicKeyParams;
       const algoValue = algo.getValue();
@@ -15511,7 +15955,7 @@ function parsePublicKeyParams(algo, bytes) {
       const Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
       return { read: read, publicParams: { oid, Q } };
     }
-    case enums.publicKey.eddsa: {
+    case enums.publicKey.eddsaLegacy: {
       const oid = new OID(); read += oid.read(bytes);
       checkSupportedCurve(oid);
       let Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
@@ -15525,6 +15969,11 @@ function parsePublicKeyParams(algo, bytes) {
       const kdfParams = new KDFParams(); read += kdfParams.read(bytes.subarray(read));
       return { read: read, publicParams: { oid, Q, kdfParams } };
     }
+    case enums.publicKey.ed25519:
+    case enums.publicKey.x25519: {
+      const A = bytes.subarray(read, read + 32); read += A.length;
+      return { read, publicParams: { A } };
+    }
     case enums.publicKey.hmac:
     case enums.publicKey.aead: {
       const algo = new SymAlgoEnum(); read += algo.read(bytes);
@@ -15563,17 +16012,25 @@ function parsePrivateKeyParams(algo, bytes, publicParams) {
     }
     case enums.publicKey.ecdsa:
     case enums.publicKey.ecdh: {
-      const curve = new Curve(publicParams.oid);
+      const curve = new CurveWithOID(publicParams.oid);
       let d = util.readMPI(bytes.subarray(read)); read += d.length + 2;
       d = util.leftPad(d, curve.payloadSize);
       return { read, privateParams: { d } };
     }
-    case enums.publicKey.eddsa: {
-      const curve = new Curve(publicParams.oid);
+    case enums.publicKey.eddsaLegacy: {
+      const curve = new CurveWithOID(publicParams.oid);
       let seed = util.readMPI(bytes.subarray(read)); read += seed.length + 2;
       seed = util.leftPad(seed, curve.payloadSize);
       return { read, privateParams: { seed } };
     }
+    case enums.publicKey.ed25519: {
+      const seed = bytes.subarray(read, read + 32); read += seed.length;
+      return { read, privateParams: { seed } };
+    }
+    case enums.publicKey.x25519: {
+      const k = bytes.subarray(read, read + 32); read += k.length;
+      return { read, privateParams: { k } };
+    }
     case enums.publicKey.hmac: {
       const { cipher: algo } = publicParams;
       const keySize = hash.getHashByteLength(algo.getValue());
@@ -15625,6 +16082,16 @@ function parseEncSessionKeyParams(algo, bytes) {
       const C = new ECDHSymmetricKey(); C.read(bytes.subarray(read));
       return { V, C };
     }
+    //   Algorithm-Specific Fields for X25519 encrypted session keys:
+    //       - 32 octets representing an ephemeral X25519 public key.
+    //       - A one-octet size of the following fields.
+    //       - The one-octet algorithm identifier, if it was passed (in the case of a v3 PKESK packet).
+    //       - The encrypted session key.
+    case enums.publicKey.x25519: {
+      const ephemeralPublicKey = bytes.subarray(read, read + 32); read += ephemeralPublicKey.length;
+      const C = new ECDHXSymmetricKey(); C.read(bytes.subarray(read));
+      return { ephemeralPublicKey, C };
+    }
     //   Algorithm-Specific Fields for symmetric AEAD encryption:
     //       - AEAD algorithm
     //       - Starting initialization vector
@@ -15651,22 +16118,13 @@ function parseEncSessionKeyParams(algo, bytes) {
  * @returns {Uint8Array} The array containing the MPIs.
  */
 function serializeParams(algo, params) {
-  let orderedParams;
-  switch (algo) {
-    case enums.publicKey.hmac:
-    case enums.publicKey.aead: {
-      orderedParams = Object.keys(params).map(name => {
-        const param = params[name];
-        return util.isUint8Array(param) ? param : param.write();
-      });
-      break;
-    }
-    default:
-      orderedParams = Object.keys(params).map(name => {
-        const param = params[name];
-        return util.isUint8Array(param) ? util.uint8ArrayToMPI(param) : param.write();
-      });
-  }
+  // Some algorithms do not rely on MPIs to store the binary params
+  const algosWithNativeRepresentation = new Set([enums.publicKey.ed25519, enums.publicKey.x25519, enums.publicKey.aead, enums.publicKey.hmac]);
+  const orderedParams = Object.keys(params).map(name => {
+    const param = params[name];
+    if (!util.isUint8Array(param)) return param.write();
+    return algosWithNativeRepresentation.has(algo) ? param : util.uint8ArrayToMPI(param);
+  });
   return util.concatUint8Array(orderedParams);
 }
 
@@ -15694,7 +16152,7 @@ function generateParams(algo, bits, oid, symmetric) {
         privateParams: { d: secret },
         publicParams: { oid: new OID(oid), Q }
       }));
-    case enums.publicKey.eddsa:
+    case enums.publicKey.eddsaLegacy:
       return publicKey.elliptic.generate(oid).then(({ oid, Q, secret }) => ({
         privateParams: { seed: secret },
         publicParams: { oid: new OID(oid), Q }
@@ -15708,6 +16166,16 @@ function generateParams(algo, bits, oid, symmetric) {
           kdfParams: new KDFParams({ hash, cipher })
         }
       }));
+    case enums.publicKey.ed25519:
+      return publicKey.elliptic.eddsa.generate(algo).then(({ A, seed }) => ({
+        privateParams: { seed },
+        publicParams: { A }
+      }));
+    case enums.publicKey.x25519:
+      return publicKey.elliptic.ecdhX.generate(algo).then(({ A, k }) => ({
+        privateParams: { k },
+        publicParams: { A }
+      }));
     case enums.publicKey.hmac: {
       const symAlgo = enums.write(enums.hash, symmetric);
       const keyMaterial = getRandomBytes(hash.getHashByteLength(symAlgo));
@@ -15749,7 +16217,7 @@ async function createSymmetricParams(key, algo) {
  * @returns {Promise<Boolean>} Whether the parameters are valid.
  * @async
  */
-async function validateParams$6(algo, publicParams, privateParams) {
+async function validateParams$8(algo, publicParams, privateParams) {
   if (!publicParams || !privateParams) {
     throw new Error('Missing key parameters');
   }
@@ -15778,10 +16246,20 @@ async function validateParams$6(algo, publicParams, privateParams) {
       const { d } = privateParams;
       return algoModule.validateParams(oid, Q, d);
     }
-    case enums.publicKey.eddsa: {
-      const { oid, Q } = publicParams;
+    case enums.publicKey.eddsaLegacy: {
+      const { Q, oid } = publicParams;
+      const { seed } = privateParams;
+      return publicKey.elliptic.eddsaLegacy.validateParams(oid, Q, seed);
+    }
+    case enums.publicKey.ed25519: {
+      const { A } = publicParams;
       const { seed } = privateParams;
-      return publicKey.elliptic.eddsa.validateParams(oid, Q, seed);
+      return publicKey.elliptic.eddsa.validateParams(algo, A, seed);
+    }
+    case enums.publicKey.x25519: {
+      const { A } = publicParams;
+      const { k } = privateParams;
+      return publicKey.elliptic.ecdhX.validateParams(algo, A, k);
     }
     case enums.publicKey.hmac: {
       const { cipher: algo, digest } = publicParams;
@@ -15851,6 +16329,23 @@ function checkSupportedCurve(oid) {
   }
 }
 
+/**
+ * Get preferred hash algo for a given elliptic algo
+ * @param {module:enums.publicKey} algo - alrogithm identifier
+ * @param {module:type/oid} [oid] - curve OID if needed by algo
+ */
+function getPreferredCurveHashAlgo(algo, oid) {
+  switch (algo) {
+    case enums.publicKey.ecdsa:
+    case enums.publicKey.eddsaLegacy:
+      return publicKey.elliptic.getPreferredHashAlgo(oid);
+    case enums.publicKey.ed25519:
+      return publicKey.elliptic.eddsa.getPreferredHashAlgo(algo);
+    default:
+      throw new Error('Unknown elliptic signing algo');
+  }
+}
+
 var crypto$1 = /*#__PURE__*/Object.freeze({
   __proto__: null,
   publicKeyEncrypt: publicKeyEncrypt,
@@ -15860,11 +16355,12 @@ var crypto$1 = /*#__PURE__*/Object.freeze({
   parseEncSessionKeyParams: parseEncSessionKeyParams,
   serializeParams: serializeParams,
   generateParams: generateParams,
-  validateParams: validateParams$6,
+  validateParams: validateParams$8,
   getPrefixRandom: getPrefixRandom,
   generateSessionKey: generateSessionKey,
   getAEADMode: getAEADMode,
-  getCipher: getCipher
+  getCipher: getCipher,
+  getPreferredCurveHashAlgo: getPreferredCurveHashAlgo
 });
 
 /**
@@ -16107,15 +16603,15 @@ class GenericS2K {
             this.type = 'gnu-dummy';
             // GnuPG extension mode 1001 -- don't write secret key at all
           } else {
-            throw new Error('Unknown s2k gnu protection mode.');
+            throw new UnsupportedError('Unknown s2k gnu protection mode.');
           }
         } else {
-          throw new Error('Unknown s2k type.');
+          throw new UnsupportedError('Unknown s2k type.');
         }
         break;
 
       default:
-        throw new Error('Unknown s2k type.');
+        throw new UnsupportedError('Unknown s2k type.'); // unreachable
     }
 
     return i;
@@ -16219,7 +16715,7 @@ function newS2KFromType(type, config$1 = config) {
     case enums.s2k.simple:
       return new GenericS2K(type, config$1);
     default:
-      throw new Error(`Unsupported S2K type ${type}`);
+      throw new UnsupportedError(`Unsupported S2K type ${type}`);
   }
 }
 
@@ -24973,13 +25469,17 @@ class PublicKeyEncryptedSessionKeyPacket {
    * @param {Uint8Array} bytes - Payload of a tag 1 packet
    */
   read(bytes) {
-    this.version = bytes[0];
+    let i = 0;
+    this.version = bytes[i++];
     if (this.version !== VERSION$3) {
       throw new UnsupportedError(`Version ${this.version} of the PKESK packet is unsupported.`);
     }
-    this.publicKeyID.read(bytes.subarray(1, bytes.length));
-    this.publicKeyAlgorithm = bytes[9];
-    this.encrypted = mod.parseEncSessionKeyParams(this.publicKeyAlgorithm, bytes.subarray(10));
+    i += this.publicKeyID.read(bytes.subarray(i));
+    this.publicKeyAlgorithm = bytes[i++];
+    this.encrypted = mod.parseEncSessionKeyParams(this.publicKeyAlgorithm, bytes.subarray(i), this.version);
+    if (this.publicKeyAlgorithm === enums.publicKey.x25519) {
+      this.sessionKeyAlgorithm = enums.write(enums.symmetric, this.encrypted.C.algorithm);
+    }
   }
 
   /**
@@ -25005,15 +25505,11 @@ class PublicKeyEncryptedSessionKeyPacket {
    * @async
    */
   async encrypt(key) {
-    const data = util.concatUint8Array([
-      new Uint8Array([enums.write(enums.symmetric, this.sessionKeyAlgorithm)]),
-      this.sessionKey,
-      util.writeChecksum(this.sessionKey)
-    ]);
     const algo = enums.write(enums.publicKey, this.publicKeyAlgorithm);
+    const encoded = encodeSessionKey(this.version, algo, this.sessionKeyAlgorithm, this.sessionKey);
     const privateParams = algo === enums.publicKey.aead ? key.privateParams : null;
     this.encrypted = await mod.publicKeyEncrypt(
-      algo, key.publicParams, privateParams, data, key.getFingerprintBytes());
+      algo, this.sessionKeyAlgorithm, key.publicParams, privateParams, encoded, key.getFingerprintBytes());
   }
 
   /**
@@ -25030,34 +25526,86 @@ class PublicKeyEncryptedSessionKeyPacket {
       throw new Error('Decryption error');
     }
 
-    const randomPayload = randomSessionKey ? util.concatUint8Array([
-      new Uint8Array([randomSessionKey.sessionKeyAlgorithm]),
-      randomSessionKey.sessionKey,
-      util.writeChecksum(randomSessionKey.sessionKey)
-    ]) : null;
-    const decoded = await mod.publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, key.getFingerprintBytes(), randomPayload);
-    const symmetricAlgoByte = decoded[0];
-    const sessionKey = decoded.subarray(1, decoded.length - 2);
-    const checksum = decoded.subarray(decoded.length - 2);
-    const computedChecksum = util.writeChecksum(sessionKey);
-    const isValidChecksum = computedChecksum[0] === checksum[0] & computedChecksum[1] === checksum[1];
-
-    if (randomSessionKey) {
-      // We must not leak info about the validity of the decrypted checksum or cipher algo.
-      // The decrypted session key must be of the same algo and size as the random session key, otherwise we discard it and use the random data.
-      const isValidPayload = isValidChecksum & symmetricAlgoByte === randomSessionKey.sessionKeyAlgorithm & sessionKey.length === randomSessionKey.sessionKey.length;
-      this.sessionKeyAlgorithm = util.selectUint8(isValidPayload, symmetricAlgoByte, randomSessionKey.sessionKeyAlgorithm);
-      this.sessionKey = util.selectUint8Array(isValidPayload, sessionKey, randomSessionKey.sessionKey);
+    const randomPayload = randomSessionKey ?
+      encodeSessionKey(this.version, this.publicKeyAlgorithm, randomSessionKey.sessionKeyAlgorithm, randomSessionKey.sessionKey) :
+      null;
+    const decryptedData = await mod.publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, key.getFingerprintBytes(), randomPayload);
 
-    } else {
-      const isValidPayload = isValidChecksum && enums.read(enums.symmetric, symmetricAlgoByte);
-      if (isValidPayload) {
-        this.sessionKey = sessionKey;
-        this.sessionKeyAlgorithm = symmetricAlgoByte;
+    const { sessionKey, sessionKeyAlgorithm } = decodeSessionKey(this.version, this.publicKeyAlgorithm, decryptedData, randomSessionKey);
+
+    // v3 Montgomery curves have cleartext cipher algo
+    if (this.publicKeyAlgorithm !== enums.publicKey.x25519) {
+      this.sessionKeyAlgorithm = sessionKeyAlgorithm;
+    }
+    this.sessionKey = sessionKey;
+  }
+}
+
+
+function encodeSessionKey(version, keyAlgo, cipherAlgo, sessionKeyData) {
+  switch (keyAlgo) {
+    case enums.publicKey.rsaEncrypt:
+    case enums.publicKey.rsaEncryptSign:
+    case enums.publicKey.elgamal:
+    case enums.publicKey.ecdh:
+    case enums.publicKey.aead: {
+      // add checksum
+      return util.concatUint8Array([
+        new Uint8Array([cipherAlgo]),
+        sessionKeyData,
+        util.writeChecksum(sessionKeyData.subarray(sessionKeyData.length % 8))
+      ]);
+    }
+    case enums.publicKey.x25519:
+      return sessionKeyData;
+    default:
+      throw new Error('Unsupported public key algorithm');
+  }
+}
+
+
+function decodeSessionKey(version, keyAlgo, decryptedData, randomSessionKey) {
+  switch (keyAlgo) {
+    case enums.publicKey.rsaEncrypt:
+    case enums.publicKey.rsaEncryptSign:
+    case enums.publicKey.elgamal:
+    case enums.publicKey.ecdh:
+    case enums.publicKey.aead: {
+      // verify checksum in constant time
+      const result = decryptedData.subarray(0, decryptedData.length - 2);
+      const checksum = decryptedData.subarray(decryptedData.length - 2);
+      const computedChecksum = util.writeChecksum(result.subarray(result.length % 8));
+      const isValidChecksum = computedChecksum[0] === checksum[0] & computedChecksum[1] === checksum[1];
+      const decryptedSessionKey = { sessionKeyAlgorithm: result[0], sessionKey: result.subarray(1) };
+      if (randomSessionKey) {
+        // We must not leak info about the validity of the decrypted checksum or cipher algo.
+        // The decrypted session key must be of the same algo and size as the random session key, otherwise we discard it and use the random data.
+        const isValidPayload = isValidChecksum &
+          decryptedSessionKey.sessionKeyAlgorithm === randomSessionKey.sessionKeyAlgorithm &
+          decryptedSessionKey.sessionKey.length === randomSessionKey.sessionKey.length;
+        return {
+          sessionKey: util.selectUint8Array(isValidPayload, decryptedSessionKey.sessionKey, randomSessionKey.sessionKey),
+          sessionKeyAlgorithm: util.selectUint8(
+            isValidPayload,
+            decryptedSessionKey.sessionKeyAlgorithm,
+            randomSessionKey.sessionKeyAlgorithm
+          )
+        };
       } else {
-        throw new Error('Decryption error');
+        const isValidPayload = isValidChecksum && enums.read(enums.symmetric, decryptedSessionKey.sessionKeyAlgorithm);
+        if (isValidPayload) {
+          return decryptedSessionKey;
+        } else {
+          throw new Error('Decryption error');
+        }
       }
     }
+    case enums.publicKey.x25519:
+      return {
+        sessionKey: decryptedData
+      };
+    default:
+      throw new Error('Unsupported public key algorithm');
   }
 }
 
@@ -25488,7 +26036,7 @@ class PublicKeyPacket {
       result.bits = util.uint8ArrayBitLength(modulo);
     } else if (this.publicParams.oid) {
       result.curve = this.publicParams.oid.getName();
-    } else {
+    } else if (this.publicParams.cipher) {
       result.symmetric = this.publicParams.cipher.getName();
     }
     return result;
@@ -25820,6 +26368,7 @@ class SecretKeyPacket extends PublicKeyPacket {
   async read(bytes) {
     // - A Public-Key or Public-Subkey packet, as described above.
     let i = await this.readPublicKey(bytes);
+    const startOfSecretKeyData = i;
 
     // - One octet indicating string-to-key usage conventions.  Zero
     //   indicates that the secret-key data is not encrypted.  255 or 254
@@ -25833,41 +26382,48 @@ class SecretKeyPacket extends PublicKeyPacket {
       i++;
     }
 
-    // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
-    //   one-octet symmetric encryption algorithm.
-    if (this.s2kUsage === 255 || this.s2kUsage === 254 || this.s2kUsage === 253) {
-      this.symmetric = bytes[i++];
-
-      // - [Optional] If string-to-key usage octet was 253, a one-octet
-      //   AEAD algorithm.
-      if (this.s2kUsage === 253) {
-        this.aead = bytes[i++];
-      }
-
+    try {
       // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
-      //   string-to-key specifier.  The length of the string-to-key
-      //   specifier is implied by its type, as described above.
-      const s2kType = bytes[i++];
-      this.s2k = newS2KFromType(s2kType);
-      i += this.s2k.read(bytes.subarray(i, bytes.length));
+      //   one-octet symmetric encryption algorithm.
+      if (this.s2kUsage === 255 || this.s2kUsage === 254 || this.s2kUsage === 253) {
+        this.symmetric = bytes[i++];
+
+        // - [Optional] If string-to-key usage octet was 253, a one-octet
+        //   AEAD algorithm.
+        if (this.s2kUsage === 253) {
+          this.aead = bytes[i++];
+        }
 
-      if (this.s2k.type === 'gnu-dummy') {
-        return;
+        // - [Optional] If string-to-key usage octet was 255, 254, or 253, a
+        //   string-to-key specifier.  The length of the string-to-key
+        //   specifier is implied by its type, as described above.
+        const s2kType = bytes[i++];
+        this.s2k = newS2KFromType(s2kType);
+        i += this.s2k.read(bytes.subarray(i, bytes.length));
+
+        if (this.s2k.type === 'gnu-dummy') {
+          return;
+        }
+      } else if (this.s2kUsage) {
+        this.symmetric = this.s2kUsage;
       }
-    } else if (this.s2kUsage) {
-      this.symmetric = this.s2kUsage;
-    }
 
-    // - [Optional] If secret data is encrypted (string-to-key usage octet
-    //   not zero), an Initial Vector (IV) of the same length as the
-    //   cipher's block size.
-    if (this.s2kUsage) {
-      this.iv = bytes.subarray(
-        i,
-        i + mod.getCipher(this.symmetric).blockSize
-      );
+      // - [Optional] If secret data is encrypted (string-to-key usage octet
+      //   not zero), an Initial Vector (IV) of the same length as the
+      //   cipher's block size.
+      if (this.s2kUsage) {
+        this.iv = bytes.subarray(
+          i,
+          i + mod.getCipher(this.symmetric).blockSize
+        );
 
-      i += this.iv.length;
+        i += this.iv.length;
+      }
+    } catch (e) {
+      // if the s2k is unsupported, we still want to support encrypting and verifying with the given key
+      if (!this.s2kUsage) throw e; // always throw for decrypted keys
+      this.unparseableKeyMaterial = bytes.subarray(startOfSecretKeyData);
+      this.isEncrypted = true;
     }
 
     // - Only for a version 5 packet, a four-octet scalar octet count for
@@ -25903,8 +26459,15 @@ class SecretKeyPacket extends PublicKeyPacket {
    * @returns {Uint8Array} A string of bytes containing the secret key OpenPGP packet.
    */
   write() {
-    const arr = [this.writePublicKey()];
+    const serializedPublicKey = this.writePublicKey();
+    if (this.unparseableKeyMaterial) {
+      return util.concatUint8Array([
+        serializedPublicKey,
+        this.unparseableKeyMaterial
+      ]);
+    }
 
+    const arr = [serializedPublicKey];
     arr.push(new Uint8Array([this.s2kUsage]));
 
     const optionalFieldsArr = [];
@@ -25964,6 +26527,18 @@ class SecretKeyPacket extends PublicKeyPacket {
     return this.isEncrypted === false;
   }
 
+  /**
+   * Check whether the key includes secret key material.
+   * Some secret keys do not include it, and can thus only be used
+   * for public-key operations (encryption and verification).
+   * Such keys are:
+   * - GNU-dummy keys, where the secret material has been stripped away
+   * - encrypted keys with unsupported S2K or cipher
+   */
+  isMissingSecretKeyMaterial() {
+    return this.unparseableKeyMaterial !== undefined || this.isDummy();
+  }
+
   /**
    * Check whether this is a gnu-dummy key
    * @returns {Boolean}
@@ -25984,6 +26559,7 @@ class SecretKeyPacket extends PublicKeyPacket {
     if (this.isDecrypted()) {
       this.clearPrivateParams();
     }
+    delete this.unparseableKeyMaterial;
     this.isEncrypted = null;
     this.keyMaterial = null;
     this.s2k = newS2KFromType(enums.s2k.gnu, config$1);
@@ -26055,6 +26631,10 @@ class SecretKeyPacket extends PublicKeyPacket {
       return false;
     }
 
+    if (this.unparseableKeyMaterial) {
+      throw new Error('Key packet cannot be decrypted: unsupported S2K or cipher algo');
+    }
+
     if (this.isDecrypted()) {
       throw new Error('Key packet is already decrypted.');
     }
@@ -26139,7 +26719,7 @@ class SecretKeyPacket extends PublicKeyPacket {
    * Clear private key parameters
    */
   clearPrivateParams() {
-    if (this.isDummy()) {
+    if (this.isMissingSecretKeyMaterial()) {
       return;
     }
 
@@ -27538,25 +28118,22 @@ async function createBindingSignature(subkey, primaryKey, options, config) {
   const dataToSign = {};
   dataToSign.key = primaryKey;
   dataToSign.bind = subkey;
-  const subkeySignaturePacket = new SignaturePacket();
-  subkeySignaturePacket.signatureType = enums.signature.subkeyBinding;
-  subkeySignaturePacket.publicKeyAlgorithm = primaryKey.algorithm;
-  subkeySignaturePacket.hashAlgorithm = await getPreferredHashAlgo$1(null, subkey, undefined, undefined, config);
+  const signatureProperties = { signatureType: enums.signature.subkeyBinding };
   if (options.sign) {
-    subkeySignaturePacket.keyFlags = [enums.keyFlags.signData];
-    subkeySignaturePacket.embeddedSignature = await createSignaturePacket(dataToSign, null, subkey, {
+    signatureProperties.keyFlags = [enums.keyFlags.signData];
+    signatureProperties.embeddedSignature = await createSignaturePacket(dataToSign, null, subkey, {
       signatureType: enums.signature.keyBinding
     }, options.date, undefined, undefined, undefined, config);
   } else {
-    subkeySignaturePacket.keyFlags = options.forwarding ?
+    signatureProperties.keyFlags = options.forwarding ?
       [enums.keyFlags.forwardedCommunication] :
       [enums.keyFlags.encryptCommunication | enums.keyFlags.encryptStorage];
   }
   if (options.keyExpirationTime > 0) {
-    subkeySignaturePacket.keyExpirationTime = options.keyExpirationTime;
-    subkeySignaturePacket.keyNeverExpires = false;
+    signatureProperties.keyExpirationTime = options.keyExpirationTime;
+    signatureProperties.keyNeverExpires = false;
   }
-  await subkeySignaturePacket.sign(primaryKey, dataToSign, options.date);
+  const subkeySignaturePacket = await createSignaturePacket(dataToSign, null, primaryKey, signatureProperties, options.date, undefined, undefined, undefined, config);
   return subkeySignaturePacket;
 }
 
@@ -27570,7 +28147,7 @@ async function createBindingSignature(subkey, primaryKey, options, config) {
  * @returns {Promise<enums.hash>}
  * @async
  */
-async function getPreferredHashAlgo$1(key, keyPacket, date = new Date(), userID = {}, config) {
+async function getPreferredHashAlgo$2(key, keyPacket, date = new Date(), userID = {}, config) {
   let hashAlgo = config.preferredHashAlgorithm;
   let prefAlgo = hashAlgo;
   if (key) {
@@ -27581,17 +28158,11 @@ async function getPreferredHashAlgo$1(key, keyPacket, date = new Date(), userID
         prefAlgo : hashAlgo;
     }
   }
-  switch (Object.getPrototypeOf(keyPacket)) {
-    case SecretKeyPacket.prototype:
-    case PublicKeyPacket.prototype:
-    case SecretSubkeyPacket.prototype:
-    case PublicSubkeyPacket.prototype:
-      switch (keyPacket.algorithm) {
-        case enums.publicKey.ecdh:
-        case enums.publicKey.ecdsa:
-        case enums.publicKey.eddsa:
-          prefAlgo = mod.publicKey.elliptic.getPreferredHashAlgo(keyPacket.publicParams.oid);
-      }
+  switch (keyPacket.algorithm) {
+    case enums.publicKey.ecdsa:
+    case enums.publicKey.eddsaLegacy:
+    case enums.publicKey.ed25519:
+      prefAlgo = mod.getPreferredCurveHashAlgo(keyPacket.algorithm, keyPacket.publicParams.oid);
   }
   return mod.hash.getHashByteLength(hashAlgo) <= mod.hash.getHashByteLength(prefAlgo) ?
     prefAlgo : hashAlgo;
@@ -27659,7 +28230,7 @@ async function createSignaturePacket(dataToSign, privateKey, signingKeyPacket, s
   const signaturePacket = new SignaturePacket();
   Object.assign(signaturePacket, signatureProperties);
   signaturePacket.publicKeyAlgorithm = signingKeyPacket.algorithm;
-  signaturePacket.hashAlgorithm = await getPreferredHashAlgo$1(privateKey, signingKeyPacket, date, userID, config);
+  signaturePacket.hashAlgorithm = await getPreferredHashAlgo$2(privateKey, signingKeyPacket, date, userID, config);
   signaturePacket.rawNotations = notations;
   await signaturePacket.sign(signingKeyPacket, dataToSign, date, detached);
   return signaturePacket;
@@ -27800,11 +28371,11 @@ function sanitizeKeyOptions(options, subkeyDefaults = {}) {
       } catch (e) {
         throw new Error('Unknown curve');
       }
-      if (options.curve === enums.curve.ed25519 || options.curve === enums.curve.curve25519) {
-        options.curve = options.sign ? enums.curve.ed25519 : enums.curve.curve25519;
+      if (options.curve === enums.curve.ed25519Legacy || options.curve === enums.curve.curve25519Legacy) {
+        options.curve = options.sign ? enums.curve.ed25519Legacy : enums.curve.curve25519Legacy;
       }
       if (options.sign) {
-        options.algorithm = options.curve === enums.curve.ed25519 ? enums.publicKey.eddsa : enums.publicKey.ecdsa;
+        options.algorithm = options.curve === enums.curve.ed25519Legacy ? enums.publicKey.eddsaLegacy : enums.publicKey.ecdsa;
       } else {
         options.algorithm = enums.publicKey.ecdh;
       }
@@ -27832,6 +28403,7 @@ function isValidSigningKeyPacket(keyPacket, signature) {
   return keyAlgo !== enums.publicKey.rsaEncrypt &&
     keyAlgo !== enums.publicKey.elgamal &&
     keyAlgo !== enums.publicKey.ecdh &&
+    keyAlgo !== enums.publicKey.x25519 &&
     (!signature.keyFlags ||
       (signature.keyFlags[0] & enums.keyFlags.signData) !== 0);
 }
@@ -27841,7 +28413,8 @@ function isValidEncryptionKeyPacket(keyPacket, signature) {
   return keyAlgo !== enums.publicKey.dsa &&
     keyAlgo !== enums.publicKey.rsaSign &&
     keyAlgo !== enums.publicKey.ecdsa &&
-    keyAlgo !== enums.publicKey.eddsa &&
+    keyAlgo !== enums.publicKey.eddsaLegacy &&
+    keyAlgo !== enums.publicKey.ed25519 &&
     (!signature.keyFlags ||
       (signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 ||
       (signature.keyFlags[0] & enums.keyFlags.encryptStorage) !== 0);
@@ -27886,7 +28459,7 @@ function checkKeyRequirements(keyPacket, config) {
       }
       break;
     case enums.publicKey.ecdsa:
-    case enums.publicKey.eddsa:
+    case enums.publicKey.eddsaLegacy:
     case enums.publicKey.ecdh:
       if (config.rejectCurves.has(algoInfo.curve)) {
         throw new Error(`Support for ${algoInfo.algorithm} keys using curve ${algoInfo.curve} is disabled.`);
@@ -29396,7 +29969,7 @@ function createKey(packetlist) {
  * @static
  * @private
  */
-async function generate$2(options, config) {
+async function generate$4(options, config) {
   options.sign = true; // primary key is always a signing key
   options = sanitizeKeyOptions(options);
   options.subkeys = options.subkeys.map((subkey, index) => sanitizeKeyOptions(options.subkeys[index], options));
@@ -29513,50 +30086,50 @@ async function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, conf
     const dataToSign = {};
     dataToSign.userID = userIDPacket;
     dataToSign.key = secretKeyPacket;
-    const signaturePacket = new SignaturePacket();
-    signaturePacket.signatureType = enums.signature.certGeneric;
-    signaturePacket.publicKeyAlgorithm = secretKeyPacket.algorithm;
-    signaturePacket.hashAlgorithm = await getPreferredHashAlgo$1(null, secretKeyPacket, undefined, undefined, config);
-    signaturePacket.keyFlags = [enums.keyFlags.certifyKeys | enums.keyFlags.signData];
-    signaturePacket.preferredSymmetricAlgorithms = createPreferredAlgos([
+
+    const signatureProperties = {};
+    signatureProperties.signatureType = enums.signature.certGeneric;
+    signatureProperties.keyFlags = [enums.keyFlags.certifyKeys | enums.keyFlags.signData];
+    signatureProperties.preferredSymmetricAlgorithms = createPreferredAlgos([
       // prefer aes256, aes128, then aes192 (no WebCrypto support: https://www.chromium.org/blink/webcrypto#TOC-AES-support)
       enums.symmetric.aes256,
       enums.symmetric.aes128,
       enums.symmetric.aes192
     ], config.preferredSymmetricAlgorithm);
     if (config.aeadProtect) {
-      signaturePacket.preferredAEADAlgorithms = createPreferredAlgos([
+      signatureProperties.preferredAEADAlgorithms = createPreferredAlgos([
         enums.aead.eax,
         enums.aead.ocb
       ], config.preferredAEADAlgorithm);
     }
-    signaturePacket.preferredHashAlgorithms = createPreferredAlgos([
+    signatureProperties.preferredHashAlgorithms = createPreferredAlgos([
       // prefer fast asm.js implementations (SHA-256)
       enums.hash.sha256,
       enums.hash.sha512
     ], config.preferredHashAlgorithm);
-    signaturePacket.preferredCompressionAlgorithms = createPreferredAlgos([
+    signatureProperties.preferredCompressionAlgorithms = createPreferredAlgos([
       enums.compression.zlib,
       enums.compression.zip,
       enums.compression.uncompressed
     ], config.preferredCompressionAlgorithm);
     if (index === 0) {
-      signaturePacket.isPrimaryUserID = true;
+      signatureProperties.isPrimaryUserID = true;
     }
     // integrity protection always enabled
-    signaturePacket.features = [0];
-    signaturePacket.features[0] |= enums.features.modificationDetection;
+    signatureProperties.features = [0];
+    signatureProperties.features[0] |= enums.features.modificationDetection;
     if (config.aeadProtect) {
-      signaturePacket.features[0] |= enums.features.aead;
+      signatureProperties.features[0] |= enums.features.aead;
     }
     if (config.v5Keys) {
-      signaturePacket.features[0] |= enums.features.v5Keys;
+      signatureProperties.features[0] |= enums.features.v5Keys;
     }
     if (options.keyExpirationTime > 0) {
-      signaturePacket.keyExpirationTime = options.keyExpirationTime;
-      signaturePacket.keyNeverExpires = false;
+      signatureProperties.keyExpirationTime = options.keyExpirationTime;
+      signatureProperties.keyNeverExpires = false;
     }
-    await signaturePacket.sign(secretKeyPacket, dataToSign, options.date);
+
+    const signaturePacket = await createSignaturePacket(dataToSign, null, secretKeyPacket, signatureProperties, options.date, undefined, undefined, undefined, config);
 
     return { userIDPacket, signaturePacket };
   })).then(list => {
@@ -30075,6 +30648,15 @@ class Message {
       enums.read(enums.aead, await getPreferredAlgo('aead', encryptionKeys, date, userIDs, config$1)) :
       undefined;
 
+    await Promise.all(encryptionKeys.map(key => key.getEncryptionKey()
+      .catch(() => null) // ignore key strength requirements
+      .then(maybeKey => {
+        if (maybeKey && (maybeKey.keyPacket.algorithm === enums.publicKey.x25519) && !util.isAES(algo)) {
+          throw new Error('Could not generate a session key compatible with the given `encryptionKeys`: X22519 keys can only be used to encrypt AES session keys; change `config.preferredSymmetricAlgorithm` accordingly.');
+        }
+      })
+    ));
+
     const sessionKeyData = mod.generateSessionKey(algo);
     return { data: sessionKeyData, algorithm: algorithmName, aeadAlgorithm: aeadAlgorithmName };
   }
@@ -30249,7 +30831,7 @@ class Message {
       const signingKey = await primaryKey.getSigningKey(signingKeyID, date, userIDs, config$1);
       const onePassSig = new OnePassSignaturePacket();
       onePassSig.signatureType = signatureType;
-      onePassSig.hashAlgorithm = await getPreferredHashAlgo$1(primaryKey, signingKey.keyPacket, date, userIDs, config$1);
+      onePassSig.hashAlgorithm = await getPreferredHashAlgo$2(primaryKey, signingKey.keyPacket, date, userIDs, config$1);
       onePassSig.publicKeyAlgorithm = signingKey.keyPacket.algorithm;
       onePassSig.issuerKeyID = signingKey.getKeyID();
       if (i === signingKeys.length - 1) {
@@ -30382,7 +30964,7 @@ class Message {
     if (literalDataList.length !== 1) {
       throw new Error('Can only verify message with one literal data packet.');
     }
-    const signatureList = signature.packets;
+    const signatureList = signature.packets.filterByTag(enums.packet.signature); // drop UnparsablePackets
     return createVerificationObjects(signatureList, literalDataList, verificationKeys, date, true, config$1);
   }
 
@@ -30729,7 +31311,7 @@ class CleartextMessage {
    * @async
    */
   verify(keys, date = new Date(), config$1 = config) {
-    const signatureList = this.signature.packets;
+    const signatureList = this.signature.packets.filterByTag(enums.packet.signature); // drop UnparsablePackets
     const literalDataPacket = new LiteralDataPacket();
     // we assume that cleartext signature is generated based on UTF8 cleartext
     literalDataPacket.setText(this.text);
@@ -30814,7 +31396,7 @@ function verifyHeaders$1(headers, packetlist) {
   let oneHeader = null;
   let hashAlgos = [];
   headers.forEach(function(header) {
-    oneHeader = header.match(/Hash: (.+)/); // get header value
+    oneHeader = header.match(/^Hash: (.+)$/); // get header value
     if (oneHeader) {
       oneHeader = oneHeader[1].replace(/\s/g, ''); // remove whitespace
       oneHeader = oneHeader.split(',');
@@ -30906,7 +31488,7 @@ async function generateKey({ userIDs = [], passphrase, type = 'ecc', rsaBits = 4
   const options = { userIDs, passphrase, type, rsaBits, curve, keyExpirationTime, date, subkeys, symmetricHash, symmetricCipher };
 
   try {
-    const { key, revocationCertificate } = await generate$2(options, config$1);
+    const { key, revocationCertificate } = await generate$4(options, config$1);
     key.getKeys().forEach(({ keyPacket }) => checkKeyRequirements(keyPacket, config$1));
 
     return {
@@ -31100,7 +31682,7 @@ async function encryptKey({ privateKey, passphrase, config: config$1, ...rest })
  * @async
  * @static
  */
-async function encrypt$4({ message, encryptionKeys, signingKeys, passwords, sessionKey, format = 'armored', signature = null, wildcard = false, signingKeyIDs = [], encryptionKeyIDs = [], date = new Date(), signingUserIDs = [], encryptionUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
+async function encrypt$5({ message, encryptionKeys, signingKeys, passwords, sessionKey, format = 'armored', signature = null, wildcard = false, signingKeyIDs = [], encryptionKeyIDs = [], date = new Date(), signingUserIDs = [], encryptionUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
   config$1 = { ...config, ...config$1 }; checkConfig(config$1);
   checkMessage(message); checkOutputMessageFormat(format);
   encryptionKeys = toArray$1(encryptionKeys); signingKeys = toArray$1(signingKeys); passwords = toArray$1(passwords);
@@ -31169,7 +31751,7 @@ async function encrypt$4({ message, encryptionKeys, signingKeys, passwords, sess
  * @async
  * @static
  */
-async function decrypt$4({ message, decryptionKeys, passwords, sessionKeys, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config: config$1, ...rest }) {
+async function decrypt$5({ message, decryptionKeys, passwords, sessionKeys, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config: config$1, ...rest }) {
   config$1 = { ...config, ...config$1 }; checkConfig(config$1);
   checkMessage(message); verificationKeys = toArray$1(verificationKeys); decryptionKeys = toArray$1(decryptionKeys); passwords = toArray$1(passwords); sessionKeys = toArray$1(sessionKeys);
   if (rest.privateKeys) throw new Error('The `privateKeys` option has been removed from openpgp.decrypt, pass `decryptionKeys` instead');
@@ -31232,7 +31814,7 @@ async function decrypt$4({ message, decryptionKeys, passwords, sessionKeys, veri
  * @async
  * @static
  */
-async function sign$5({ message, signingKeys, format = 'armored', detached = false, signingKeyIDs = [], date = new Date(), signingUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
+async function sign$6({ message, signingKeys, format = 'armored', detached = false, signingKeyIDs = [], date = new Date(), signingUserIDs = [], signatureNotations = [], config: config$1, ...rest }) {
   config$1 = { ...config, ...config$1 }; checkConfig(config$1);
   checkCleartextOrMessage(message); checkOutputMessageFormat(format);
   signingKeys = toArray$1(signingKeys); signingKeyIDs = toArray$1(signingKeyIDs); signingUserIDs = toArray$1(signingUserIDs); signatureNotations = toArray$1(signatureNotations);
@@ -31301,7 +31883,7 @@ async function sign$5({ message, signingKeys, format = 'armored', detached = fal
  * @async
  * @static
  */
-async function verify$5({ message, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config: config$1, ...rest }) {
+async function verify$6({ message, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config: config$1, ...rest }) {
   config$1 = { ...config, ...config$1 }; checkConfig(config$1);
   checkCleartextOrMessage(message); verificationKeys = toArray$1(verificationKeys);
   if (rest.publicKeys) throw new Error('The `publicKeys` option has been removed from openpgp.verify, pass `verificationKeys` instead');
@@ -31567,4 +32149,4 @@ function formatObject(object, format, config) {
   }
 }
 
-export { AEADEncryptedDataPacket, CleartextMessage, CompressedDataPacket, KDFParams, LiteralDataPacket, MarkerPacket, Message, OnePassSignaturePacket, PacketList, PrivateKey, PublicKey, PublicKeyEncryptedSessionKeyPacket, PublicKeyPacket, PublicSubkeyPacket, SecretKeyPacket, SecretSubkeyPacket, Signature, SignaturePacket, Subkey, SymEncryptedIntegrityProtectedDataPacket, SymEncryptedSessionKeyPacket, SymmetricallyEncryptedDataPacket, TrustPacket, UnparseablePacket, UserAttributePacket, UserIDPacket, _224 as _, commonjsGlobal as a, armor, common$1 as b, createCommonjsModule as c, config, createCleartextMessage, createMessage, common as d, decrypt$4 as decrypt, decryptKey, decryptSessionKeys, _256 as e, encrypt$4 as encrypt, encryptKey, encryptSessionKey, enums, _384 as f, _512 as g, generateKey, generateSessionKey$1 as generateSessionKey, inherits_browser as i, minimalisticAssert as m, ripemd as r, readCleartextMessage, readKey, readKeys, readMessage, readPrivateKey, readPrivateKeys, readSignature, reformatKey, revokeKey, sign$5 as sign, utils as u, unarmor, verify$5 as verify };
+export { AEADEncryptedDataPacket, CleartextMessage, CompressedDataPacket, KDFParams, LiteralDataPacket, MarkerPacket, Message, OnePassSignaturePacket, PacketList, PrivateKey, PublicKey, PublicKeyEncryptedSessionKeyPacket, PublicKeyPacket, PublicSubkeyPacket, SecretKeyPacket, SecretSubkeyPacket, Signature, SignaturePacket, Subkey, SymEncryptedIntegrityProtectedDataPacket, SymEncryptedSessionKeyPacket, SymmetricallyEncryptedDataPacket, TrustPacket, UnparseablePacket, UserAttributePacket, UserIDPacket, _224 as _, commonjsGlobal as a, armor, common$1 as b, createCommonjsModule as c, config, createCleartextMessage, createMessage, common as d, decrypt$5 as decrypt, decryptKey, decryptSessionKeys, _256 as e, encrypt$5 as encrypt, encryptKey, encryptSessionKey, enums, _384 as f, _512 as g, generateKey, generateSessionKey$1 as generateSessionKey, inherits_browser as i, minimalisticAssert as m, ripemd as r, readCleartextMessage, readKey, readKeys, readMessage, readPrivateKey, readPrivateKeys, readSignature, reformatKey, revokeKey, sign$6 as sign, utils as u, unarmor, verify$6 as verify };