@protontech/openpgp 6.0.0-alpha.1.patch.1 → 6.0.0-beta.0.patch.0

package/dist/lightweight/openpgp.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v6.0.0-alpha.1.patch.1 - 2024-03-11 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.0.0-beta.0.patch.0 - 2024-04-19 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
 const doneWritingPromise = Symbol('doneWritingPromise');
@@ -1465,6 +1465,14 @@ var config = {
    * @property {Boolean} aeadProtect
    */
   aeadProtect: false,
+  /**
+   * Whether to disable encrypton using SEIPDv2 even if the encryption keys include the SEIPDv2 feature flag.
+   * If true, SEIPDv1 (i.e. no AEAD) packets are always used instead.
+   * SEIPDv2 is a more secure and faster choice, but it is not necessarily compatible with other libs and our mobile apps.
+   * @memberof module:config
+   * @property {Boolean} ignoreSEIPDv2FeatureFlag
+   */
+  ignoreSEIPDv2FeatureFlag: false,
   /**
    * When reading OpenPGP v4 private keys (e.g. those generated in OpenPGP.js when not setting `config.v5Keys = true`)
    * which were encrypted by OpenPGP.js v5 (or older) using `config.aeadProtect = true`,
@@ -1577,11 +1585,6 @@ var config = {
    * @property {Boolean} passwordCollisionCheck
    */
   passwordCollisionCheck: false,
-  /**
-   * @memberof module:config
-   * @property {Boolean} revocationsExpire If true, expired revocation signatures are ignored
-   */
-  revocationsExpire: false,
   /**
    * Allow decryption using RSA keys without `encrypt` flag.
    * This setting is potentially insecure, but it is needed to get around an old openpgpjs bug
@@ -1657,7 +1660,7 @@ var config = {
    * @memberof module:config
    * @property {String} versionString A version string to be included in armored messages
    */
-  versionString: 'OpenPGP.js 6.0.0-alpha.1.patch.1',
+  versionString: 'OpenPGP.js 6.0.0-beta.0.patch.0',
   /**
    * @memberof module:config
    * @property {String} commentString A comment string to be included in armored messages
@@ -1677,6 +1680,14 @@ var config = {
    * @property {Array} knownNotations
    */
   knownNotations: [],
+  /**
+   * If true, a salt notation is used to randomize signatures generated by v4 and v5 keys (v6 signatures are always non-deterministic, by design).
+   * This protects EdDSA signatures from potentially leaking the secret key in case of faults (i.e. bitflips) which, in principle, could occur
+   * during the signing computation. It is added to signatures of any algo for simplicity, and as it may also serve as protection in case of
+   * weaknesses in the hash algo, potentially hindering e.g. some chosen-prefix attacks.
+   * NOTE: the notation is interoperable, but will reveal that the signature has been generated using OpenPGP.js, which may not be desirable in some cases.
+   */
+  nonDeterministicSignaturesViaNotation: true,
   /**
    * Whether to use the the noble-curves library for curves (other than Curve25519) that are not supported by the available native crypto API.
    * When false, certain standard curves will not be supported (depending on the platform).
@@ -1707,14 +1718,7 @@ var config = {
    * @memberof module:config
    * @property {Set<String>} rejectCurves {@link module:enums.curve}
    */
-  rejectCurves: new Set([enums.curve.secp256k1]),
-  /**
-   * Whether to validate generated EdDSA signatures before returning them, to ensure they are not faulty signatures.
-   * This check will make signing 2-3 times slower.
-   * Faulty signatures may be generated (in principle) if random bitflips occur at specific points in the signature
-   * computation, and could be used to recover the signer's secret key given a second signature over the same data.
-   */
-  checkEdDSAFaultySignatures: true
+  rejectCurves: new Set([enums.curve.secp256k1])
 };
 
 /**
@@ -2194,16 +2198,19 @@ const util = {
   },
 
   /**
-   * Test email format based on W3C HTML5 specification.
-   * This check is not exaustive, and does not match RFC 5322 exactly
-   * (see https://html.spec.whatwg.org/multipage/input.html#email-state-(type=email)),
-   * but is commonly used for email address validation.
+   * Test email format to ensure basic compliance:
+   * - must include a single @
+   * - no control or space unicode chars allowed
+   * - no backslash and square brackets (as the latter can mess with the userID parsing)
+   * - cannot end with a punctuation char
+   * These checks are not meant to be exhaustive; applications are strongly encouraged to implement stricter validation,
+   * e.g. based on the W3C HTML spec (https://html.spec.whatwg.org/multipage/input.html#email-state-(type=email)).
    */
   isEmailAddress: function(data) {
     if (!util.isString(data)) {
       return false;
     }
-    const re = /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;
+    const re = /^[^\p{C}\p{Z}@<>\\]+@[^\p{C}\p{Z}@<>\\]+[^\p{C}\p{Z}\p{P}]$/u;
     return re.test(data);
   },
 
@@ -2609,6 +2616,78 @@ function addheader(customComment, config) {
   return result;
 }
 
+/**
+ * Calculates a checksum over the given data and returns it base64 encoded
+ * @param {String | ReadableStream<String>} data - Data to create a CRC-24 checksum for
+ * @returns {String | ReadableStream<String>} Base64 encoded checksum.
+ * @private
+ */
+function getCheckSum(data) {
+  const crc = createcrc24(data);
+  return encode$1(crc);
+}
+
+// https://create.stephan-brumme.com/crc32/#slicing-by-8-overview
+
+const crc_table = [
+  new Array(0xFF),
+  new Array(0xFF),
+  new Array(0xFF),
+  new Array(0xFF)
+];
+
+for (let i = 0; i <= 0xFF; i++) {
+  let crc = i << 16;
+  for (let j = 0; j < 8; j++) {
+    crc = (crc << 1) ^ ((crc & 0x800000) !== 0 ? 0x864CFB : 0);
+  }
+  crc_table[0][i] =
+    ((crc & 0xFF0000) >> 16) |
+    (crc & 0x00FF00) |
+    ((crc & 0x0000FF) << 16);
+}
+for (let i = 0; i <= 0xFF; i++) {
+  crc_table[1][i] = (crc_table[0][i] >> 8) ^ crc_table[0][crc_table[0][i] & 0xFF];
+}
+for (let i = 0; i <= 0xFF; i++) {
+  crc_table[2][i] = (crc_table[1][i] >> 8) ^ crc_table[0][crc_table[1][i] & 0xFF];
+}
+for (let i = 0; i <= 0xFF; i++) {
+  crc_table[3][i] = (crc_table[2][i] >> 8) ^ crc_table[0][crc_table[2][i] & 0xFF];
+}
+
+// https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/DataView#Endianness
+const isLittleEndian = (function() {
+  const buffer = new ArrayBuffer(2);
+  new DataView(buffer).setInt16(0, 0xFF, true /* littleEndian */);
+  // Int16Array uses the platform's endianness.
+  return new Int16Array(buffer)[0] === 0xFF;
+}());
+
+/**
+ * Internal function to calculate a CRC-24 checksum over a given string (data)
+ * @param {String | ReadableStream<String>} input - Data to create a CRC-24 checksum for
+ * @returns {Uint8Array | ReadableStream<Uint8Array>} The CRC-24 checksum.
+ * @private
+ */
+function createcrc24(input) {
+  let crc = 0xCE04B7;
+  return transform(input, value => {
+    const len32 = isLittleEndian ? Math.floor(value.length / 4) : 0;
+    const arr32 = new Uint32Array(value.buffer, value.byteOffset, len32);
+    for (let i = 0; i < len32; i++) {
+      crc ^= arr32[i];
+      crc =
+        crc_table[0][(crc >> 24) & 0xFF] ^
+        crc_table[1][(crc >> 16) & 0xFF] ^
+        crc_table[2][(crc >> 8) & 0xFF] ^
+        crc_table[3][(crc >> 0) & 0xFF];
+    }
+    for (let i = len32 * 4; i < value.length; i++) {
+      crc = (crc >> 8) ^ crc_table[0][(crc & 0xFF) ^ value[i]];
+    }
+  }, () => new Uint8Array([crc, crc >> 8, crc >> 16]));
+}
 
 /**
  * Verify armored headers. crypto-refresh-06, section 6.2:
@@ -2764,10 +2843,13 @@ function unarmor(input) {
  * @param {Integer} [partIndex]
  * @param {Integer} [partTotal]
  * @param {String} [customComment] - Additional comment to add to the armored string
+ * @param {Boolean} [emitChecksum] - Whether to compute and include the CRC checksum
+ *  (NB: some types of data must not include it, but compliance is left as responsibility of the caller: this function does not carry out any checks)
+ * @param {Object} [config] - Full configuration, defaults to openpgp.config
  * @returns {String | ReadableStream<String>} Armored text.
  * @static
  */
-function armor(messageType, body, partIndex, partTotal, customComment, config$1 = config) {
+function armor(messageType, body, partIndex, partTotal, customComment, emitChecksum = false, config$1 = config) {
   let text;
   let hash;
   if (messageType === enums.armor.signed) {
@@ -2775,18 +2857,24 @@ function armor(messageType, body, partIndex, partTotal, customComment, config$1
     hash = body.hash;
     body = body.data;
   }
+  // unless explicitly forbidden by the spec, we need to include the checksum to work around a GnuPG bug
+  // where data fails to be decoded if the base64 ends with no padding chars (=) (see https://dev.gnupg.org/T7071)
+  const maybeBodyClone = emitChecksum && passiveClone(body);
+
   const result = [];
   switch (messageType) {
     case enums.armor.multipartSection:
       result.push('-----BEGIN PGP MESSAGE, PART ' + partIndex + '/' + partTotal + '-----\n');
       result.push(addheader(customComment, config$1));
       result.push(encode$1(body));
+      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
       result.push('-----END PGP MESSAGE, PART ' + partIndex + '/' + partTotal + '-----\n');
       break;
     case enums.armor.multipartLast:
       result.push('-----BEGIN PGP MESSAGE, PART ' + partIndex + '-----\n');
       result.push(addheader(customComment, config$1));
       result.push(encode$1(body));
+      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
       result.push('-----END PGP MESSAGE, PART ' + partIndex + '-----\n');
       break;
     case enums.armor.signed:
@@ -2796,30 +2884,35 @@ function armor(messageType, body, partIndex, partTotal, customComment, config$1
       result.push('\n-----BEGIN PGP SIGNATURE-----\n');
       result.push(addheader(customComment, config$1));
       result.push(encode$1(body));
+      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
       result.push('-----END PGP SIGNATURE-----\n');
       break;
     case enums.armor.message:
       result.push('-----BEGIN PGP MESSAGE-----\n');
       result.push(addheader(customComment, config$1));
       result.push(encode$1(body));
+      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
       result.push('-----END PGP MESSAGE-----\n');
       break;
     case enums.armor.publicKey:
       result.push('-----BEGIN PGP PUBLIC KEY BLOCK-----\n');
       result.push(addheader(customComment, config$1));
       result.push(encode$1(body));
+      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
       result.push('-----END PGP PUBLIC KEY BLOCK-----\n');
       break;
     case enums.armor.privateKey:
       result.push('-----BEGIN PGP PRIVATE KEY BLOCK-----\n');
       result.push(addheader(customComment, config$1));
       result.push(encode$1(body));
+      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
       result.push('-----END PGP PRIVATE KEY BLOCK-----\n');
       break;
     case enums.armor.signature:
       result.push('-----BEGIN PGP SIGNATURE-----\n');
       result.push(addheader(customComment, config$1));
       result.push(encode$1(body));
+      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));
       result.push('-----END PGP SIGNATURE-----\n');
       break;
   }
@@ -9346,20 +9439,6 @@ async function sign$5(oid, hashAlgo, message, publicKey, privateKey, hashed) {
   }
   const secretKey = util.concatUint8Array([privateKey, publicKey.subarray(1)]);
   const signature = nacl.sign.detached(hashed, secretKey);
-  if (config.checkEdDSAFaultySignatures && !nacl.sign.detached.verify(hashed, signature, publicKey.subarray(1))) {
-    /**
-     * Detect faulty signatures caused by random bitflips during `crypto_sign` which could lead to private key extraction
-     * if two signatures over the same message are obtained.
-     * See https://github.com/jedisct1/libsodium/issues/170.
-     * If the input data is not deterministic, e.g. thanks to the random salt in v6 OpenPGP signatures (not yet implemented),
-     * then the generated signature is always safe, and the verification step is skipped.
-     * Otherwise, we need to verify the generated to ensure that no bitflip occured:
-     * - in M between the computation of `r` and `h`.
-     * - in the public key before computing `h`
-     * The verification step is almost 2-3 times as slow as signing, but it's faster than re-signing + re-deriving the public key for separate checks.
-     */
-    throw new Error('Transient signing failure');
-  }
   // EdDSA signature params are returned in little-endian format
   return {
     r: signature.subarray(0, 32),
@@ -9480,20 +9559,6 @@ async function sign$4(algo, hashAlgo, message, publicKey, privateKey, hashed) {
     case enums.publicKey.ed25519: {
       const secretKey = util.concatUint8Array([privateKey, publicKey]);
       const signature = nacl.sign.detached(hashed, secretKey);
-      if (config.checkEdDSAFaultySignatures && !nacl.sign.detached.verify(hashed, signature, publicKey)) {
-        /**
-         * Detect faulty signatures caused by random bitflips during `crypto_sign` which could lead to private key extraction
-         * if two signatures over the same message are obtained.
-         * See https://github.com/jedisct1/libsodium/issues/170.
-         * If the input data is not deterministic, e.g. thanks to the random salt in v6 OpenPGP signatures (not yet implemented),
-         * then the generated signature is always safe, and the verification step is skipped.
-         * Otherwise, we need to verify the generated to ensure that no bitflip occured:
-         * - in M between the computation of `r` and `h`.
-         * - in the public key before computing `h`
-         * The verification step is almost 2-3 times as slow as signing, but it's faster than re-signing + re-deriving the public key for separate checks.
-         */
-        throw new Error('Transient signing failure');
-      }
       return { RS: signature };
     }
     case enums.publicKey.ed448: {
@@ -11226,7 +11291,7 @@ class ECDHXSymmetricKey {
  * Encrypts data using specified algorithm and public key parameters.
  * See {@link https://tools.ietf.org/html/rfc4880#section-9.1|RFC 4880 9.1} for public key algorithms.
  * @param {module:enums.publicKey} keyAlgo - Public key algorithm
- * @param {module:enums.symmetric} symmetricAlgo - Cipher algorithm
+ * @param {module:enums.symmetric|null} symmetricAlgo - Cipher algorithm (v3 only)
  * @param {Object} publicParams - Algorithm-specific public key parameters
  * @param {Object} privateParams - Algorithm-specific private key parameters
  * @param {Uint8Array} data - Data to be encrypted
@@ -11254,7 +11319,7 @@ async function publicKeyEncrypt(keyAlgo, symmetricAlgo, publicParams, privatePar
     }
     case enums.publicKey.x25519:
     case enums.publicKey.x448: {
-      if (!util.isAES(symmetricAlgo)) {
+      if (symmetricAlgo && !util.isAES(symmetricAlgo)) {
         // see https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/276
         throw new Error('X25519 and X448 keys can only encrypt AES session keys');
       }
@@ -11886,9 +11951,26 @@ class Argon2OutOfMemoryError extends Error {
 let loadArgonWasmModule;
 let argon2Promise;
 // reload wasm module above this treshold, to deallocated used memory
-const ARGON2_WASM_MEMORY_THRESHOLD_RELOAD = 2 << 19;
+// (cannot be declared as a simple `static` field as its not supported by Safari 14)
+let ARGON2_WASM_MEMORY_THRESHOLD_RELOAD = 2 << 19;
 
 class Argon2S2K {
+  static get ARGON2_WASM_MEMORY_THRESHOLD_RELOAD() {
+    return ARGON2_WASM_MEMORY_THRESHOLD_RELOAD;
+  }
+
+  static set ARGON2_WASM_MEMORY_THRESHOLD_RELOAD(memoryThreshold) {
+    ARGON2_WASM_MEMORY_THRESHOLD_RELOAD = memoryThreshold;
+  }
+
+  static reloadWasmModule() {
+    if (!loadArgonWasmModule) return;
+
+    // it will be awaited if needed at the next `produceKey` invocation
+    argon2Promise = loadArgonWasmModule();
+    argon2Promise.catch(() => {});
+  }
+
   /**
   * @param {Object} [config] - Full configuration, defaults to openpgp.config
   */
@@ -11976,10 +12058,8 @@ class Argon2S2K {
       });
 
       // a lot of memory was used, reload to deallocate
-      if (decodedM > ARGON2_WASM_MEMORY_THRESHOLD_RELOAD) {
-        // it will be awaited if needed at the next `produceKey` invocation
-        argon2Promise = loadArgonWasmModule();
-        argon2Promise.catch(() => {});
+      if (decodedM > Argon2S2K.ARGON2_WASM_MEMORY_THRESHOLD_RELOAD) {
+        Argon2S2K.reloadWasmModule();
       }
       return hash;
     } catch (e) {
@@ -14222,6 +14302,14 @@ class KeyID {
 // Symbol to store cryptographic validity of the signature, to avoid recomputing multiple times on verification.
 const verified = Symbol('verified');
 
+// A salt notation is used to randomize signatures.
+// This is to protect EdDSA signatures in particular, which are known to be vulnerable to fault attacks
+// leading to secret key extraction if two signatures over the same data can be collected (see https://github.com/jedisct1/libsodium/issues/170).
+// For simplicity, we add the salt to all algos, as it may also serve as protection in case of weaknesses in the hash algo, potentially hindering e.g.
+// some chosen-prefix attacks.
+// v6 signatures do not need to rely on this notation, as they already include a separate, built-in salt.
+const SALT_NOTATION_NAME = 'salt@notations.openpgpjs.org';
+
 // GPG puts the Issuer and Signature subpackets in the unhashed area.
 // Tampering with those invalidates the signature, so we still trust them and parse them.
 // All other unhashed subpackets are ignored.
@@ -14391,7 +14479,7 @@ class SignaturePacket {
    * @throws {Error} if signing failed
    * @async
    */
-  async sign(key, data, date = new Date(), detached = false) {
+  async sign(key, data, date = new Date(), detached = false, config) {
     this.version = key.version;
 
     this.created = util.normalizeDate(date);
@@ -14401,6 +14489,31 @@ class SignaturePacket {
 
     const arr = [new Uint8Array([this.version, this.signatureType, this.publicKeyAlgorithm, this.hashAlgorithm])];
 
+    // add randomness to the signature
+    if (this.version === 6) {
+      const saltLength = saltLengthForHash(this.hashAlgorithm);
+      if (this.salt === null) {
+        this.salt = mod.random.getRandomBytes(saltLength);
+      } else if (saltLength !== this.salt.length) {
+        throw new Error('Provided salt does not have the required length');
+      }
+    } else if (config.nonDeterministicSignaturesViaNotation) {
+      const saltNotations = this.rawNotations.filter(({ name }) => (name === SALT_NOTATION_NAME));
+      // since re-signing the same object is not supported, it's not expected to have multiple salt notations,
+      // but we guard against it as a sanity check
+      if (saltNotations.length === 0) {
+        const saltValue = mod.random.getRandomBytes(saltLengthForHash(this.hashAlgorithm));
+        this.rawNotations.push({
+          name: SALT_NOTATION_NAME,
+          value: saltValue,
+          humanReadable: false,
+          critical: false
+        });
+      } else {
+        throw new Error('Unexpected existing salt notation');
+      }
+    }
+
     // Add hashed subpackets
     arr.push(this.writeHashedSubPackets());
 
@@ -14411,14 +14524,6 @@ class SignaturePacket {
 
     this.signatureData = util.concat(arr);
 
-    if (this.version === 6) {
-      const saltLength = saltLengthForHash(this.hashAlgorithm);
-      if (this.salt === null) {
-        this.salt = mod.random.getRandomBytes(saltLength);
-      } else if (saltLength !== this.salt.length) {
-        throw new Error('Provided salt does not have the required length');
-      }
-    }
     const toHash = this.toHash(this.signatureType, data, detached);
     const hash = await this.hash(this.signatureType, data, toHash, detached);
 
@@ -16220,9 +16325,12 @@ class PublicKeyEncryptedSessionKeyPacket {
     }
     this.publicKeyAlgorithm = bytes[offset++];
     this.encrypted = mod.parseEncSessionKeyParams(this.publicKeyAlgorithm, bytes.subarray(offset));
-    if (this.version === 3 && (
-      this.publicKeyAlgorithm === enums.publicKey.x25519 || this.publicKeyAlgorithm === enums.publicKey.x448)) {
-      this.sessionKeyAlgorithm = enums.write(enums.symmetric, this.encrypted.C.algorithm);
+    if (this.publicKeyAlgorithm === enums.publicKey.x25519 || this.publicKeyAlgorithm === enums.publicKey.x448) {
+      if (this.version === 3) {
+        this.sessionKeyAlgorithm = enums.write(enums.symmetric, this.encrypted.C.algorithm);
+      } else if (this.encrypted.C.algorithm !== null) {
+        throw new Error('Unexpected cleartext symmetric algorithm');
+      }
     }
   }
 
@@ -16266,10 +16374,13 @@ class PublicKeyEncryptedSessionKeyPacket {
    */
   async encrypt(key) {
     const algo = enums.write(enums.publicKey, this.publicKeyAlgorithm);
-    const encoded = encodeSessionKey(this.version, algo, this.sessionKeyAlgorithm, this.sessionKey);
+    // No symmetric encryption algorithm identifier is passed to the public-key algorithm for a
+    // v6 PKESK packet, as it is included in the v2 SEIPD packet.
+    const sessionKeyAlgorithm = this.version === 3 ? this.sessionKeyAlgorithm : null;
+    const encoded = encodeSessionKey(this.version, algo, sessionKeyAlgorithm, this.sessionKey);
     const privateParams = algo === enums.publicKey.aead ? key.privateParams : null;
     this.encrypted = await mod.publicKeyEncrypt(
-      algo, this.sessionKeyAlgorithm, key.publicParams, privateParams, encoded, key.getFingerprintBytes());
+      algo, sessionKeyAlgorithm, key.publicParams, privateParams, encoded, key.getFingerprintBytes());
   }
 
   /**
@@ -16368,6 +16479,7 @@ function decodeSessionKey(version, keyAlgo, decryptedData, randomSessionKey) {
     case enums.publicKey.x25519:
     case enums.publicKey.x448:
       return {
+        sessionKeyAlgorithm: null,
         sessionKey: decryptedData
       };
     default:
@@ -18055,7 +18167,9 @@ class Signature {
    * @returns {ReadableStream<String>} ASCII armor.
    */
   armor(config$1 = config) {
-    return armor(enums.armor.signature, this.write(), undefined, undefined, undefined, config$1);
+    // An ASCII-armored sequence of Signature packets that only includes v6 Signature packets MUST NOT contain a CRC24 footer.
+    const emitChecksum = this.packets.some(packet => packet.constructor.tag === SignaturePacket.tag && packet.version !== 6);
+    return armor(enums.armor.signature, this.write(), undefined, undefined, undefined, emitChecksum, config$1);
   }
 
   /**
@@ -18268,7 +18382,7 @@ async function getPreferredCompressionAlgo(keys = [], date = new Date(), userIDs
 async function getPreferredCipherSuite(keys = [], date = new Date(), userIDs = [], config$1 = config) {
   const selfSigs = await Promise.all(keys.map((key, i) => key.getPrimarySelfSignature(date, userIDs[i], config$1)));
   const withAEAD = keys.length ?
-    selfSigs.every(selfSig => selfSig.features[0] & enums.features.seipdv2) :
+    !config$1.ignoreSEIPDv2FeatureFlag && selfSigs.every(selfSig => selfSig.features && (selfSig.features[0] & enums.features.seipdv2)) :
     config$1.aeadProtect;
 
   if (withAEAD) {
@@ -18315,8 +18429,8 @@ async function createSignaturePacket(dataToSign, privateKey, signingKeyPacket, s
   Object.assign(signaturePacket, signatureProperties);
   signaturePacket.publicKeyAlgorithm = signingKeyPacket.algorithm;
   signaturePacket.hashAlgorithm = await getPreferredHashAlgo(privateKey, signingKeyPacket, date, userID, config);
-  signaturePacket.rawNotations = notations;
-  await signaturePacket.sign(signingKeyPacket, dataToSign, date, detached);
+  signaturePacket.rawNotations = [...notations];
+  await signaturePacket.sign(signingKeyPacket, dataToSign, date, detached, config);
   return signaturePacket;
 }
 
@@ -18379,7 +18493,7 @@ async function isDataRevoked(primaryKey, signatureType, dataToVerify, revocation
         !signature || revocationSignature.issuerKeyID.equals(signature.issuerKeyID)
       ) {
         await revocationSignature.verify(
-          key, signatureType, dataToVerify, config.revocationsExpire ? date : null, false, config
+          key, signatureType, dataToVerify, date, false, config
         );
 
         // TODO get an identifier of the revoked object instead
@@ -19649,7 +19763,9 @@ class Key {
     const revocationSignature = await getLatestValidSignature(this.revocationSignatures, this.keyPacket, enums.signature.keyRevocation, dataToVerify, date, config$1);
     const packetlist = new PacketList();
     packetlist.push(revocationSignature);
-    return armor(enums.armor.publicKey, packetlist.write(), null, null, 'This is a revocation certificate');
+    // An ASCII-armored Transferable Public Key packet sequence of a v6 key MUST NOT contain a CRC24 footer.
+    const emitChecksum = this.keyPacket.version !== 6;
+    return armor(enums.armor.publicKey, packetlist.write(), null, null, 'This is a revocation certificate', emitChecksum, config$1);
   }
 
   /**
@@ -19839,7 +19955,9 @@ class PublicKey extends Key {
    * @returns {ReadableStream<String>} ASCII armor.
    */
   armor(config$1 = config) {
-    return armor(enums.armor.publicKey, this.toPacketList().write(), undefined, undefined, undefined, config$1);
+    // An ASCII-armored Transferable Public Key packet sequence of a v6 key MUST NOT contain a CRC24 footer.
+    const emitChecksum = this.keyPacket.version !== 6;
+    return armor(enums.armor.publicKey, this.toPacketList().write(), undefined, undefined, undefined, emitChecksum, config$1);
   }
 }
 
@@ -19912,7 +20030,9 @@ class PrivateKey extends PublicKey {
    * @returns {ReadableStream<String>} ASCII armor.
    */
   armor(config$1 = config) {
-    return armor(enums.armor.privateKey, this.toPacketList().write(), undefined, undefined, undefined, config$1);
+    // An ASCII-armored Transferable Public Key packet sequence of a v6 key MUST NOT contain a CRC24 footer.
+    const emitChecksum = this.keyPacket.version !== 6;
+    return armor(enums.armor.privateKey, this.toPacketList().write(), undefined, undefined, undefined, emitChecksum, config$1);
   }
 
   /**
@@ -21231,7 +21351,13 @@ class Message {
    * @returns {ReadableStream<String>} ASCII armor.
    */
   armor(config$1 = config) {
-    return armor(enums.armor.message, this.write(), null, null, null, config$1);
+    const trailingPacket = this.packets[this.packets.length - 1];
+    // An ASCII-armored Encrypted Message packet sequence that ends in an v2 SEIPD packet MUST NOT contain a CRC24 footer.
+    // An ASCII-armored sequence of Signature packets that only includes v6 Signature packets MUST NOT contain a CRC24 footer.
+    const emitChecksum = trailingPacket.constructor.tag === SymEncryptedIntegrityProtectedDataPacket.tag ?
+      trailingPacket.version !== 2 :
+      this.packets.some(packet => packet.constructor.tag === SignaturePacket.tag && packet.version !== 6);
+    return armor(enums.armor.message, this.write(), null, null, null, emitChecksum, config$1);
   }
 }
 
@@ -21566,9 +21692,9 @@ class CleartextMessage {
    * @returns {String | ReadableStream<String>} ASCII armor.
    */
   armor(config$1 = config) {
-    // emit header if one of the signatures has a version not 6
-    const emitHeader = this.signature.packets.some(packet => packet.version !== 6);
-    const hash = emitHeader ?
+    // emit header and checksum if one of the signatures has a version not 6
+    const emitHeaderAndChecksum = this.signature.packets.some(packet => packet.version !== 6);
+    const hash = emitHeaderAndChecksum ?
       Array.from(new Set(this.signature.packets.map(
         packet => enums.read(enums.hash, packet.hashAlgorithm).toUpperCase()
       ))).join() :
@@ -21579,7 +21705,9 @@ class CleartextMessage {
       text: this.text,
       data: this.signature.packets.write()
     };
-    return armor(enums.armor.signed, body, undefined, undefined, undefined, config$1);
+
+    // An ASCII-armored sequence of Signature packets that only includes v6 Signature packets MUST NOT contain a CRC24 footer.
+    return armor(enums.armor.signed, body, undefined, undefined, undefined, emitHeaderAndChecksum, config$1);
   }
 }
 

package/dist/lightweight/sha3.min.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v6.0.0-alpha.1.patch.1 - 2024-03-11 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.0.0-beta.0.patch.0 - 2024-04-19 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const t="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};import{B as e}from"./interface.min.mjs";import s from"./native.interface.min.mjs";import i from"./bn.interface.min.mjs";function r(t){if(!Number.isSafeInteger(t)||t<0)throw Error("Wrong positive integer: "+t)}function n(t,...e){if(!((s=t)instanceof Uint8Array||null!=s&&"object"==typeof s&&"Uint8Array"===s.constructor.name))throw Error("Expected Uint8Array");var s;if(e.length>0&&!e.includes(t.length))throw Error(`Expected Uint8Array of length ${e}, not of length=${t.length}`)}function h(t){if("function"!=typeof t||"function"!=typeof t.create)throw Error("Hash should be wrapped by utils.wrapConstructor");r(t.outputLen),r(t.blockLen)}function o(t,e=!0){if(t.destroyed)throw Error("Hash instance has been destroyed");if(e&&t.finished)throw Error("Hash#digest() has already been called")}function f(t,e){n(t);const s=e.outputLen;if(t.length<s)throw Error("digestInto() expects output buffer of length at least "+s)}const c="object"==typeof t&&"crypto"in t?t.crypto:void 0;
-/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */function a(t){return t instanceof Uint8Array||null!=t&&"object"==typeof t&&"Uint8Array"===t.constructor.name}const d=t=>new DataView(t.buffer,t.byteOffset,t.byteLength),l=(t,e)=>t<<32-e|t>>>e;if(!(68===new Uint8Array(new Uint32Array([287454020]).buffer)[0]))throw Error("Non little-endian hardware is not supported");function b(t){if("string"!=typeof t)throw Error("utf8ToBytes expected string, got "+typeof t);return new Uint8Array((new TextEncoder).encode(t))}function u(t){if("string"==typeof t&&(t=b(t)),!a(t))throw Error("expected Uint8Array, got "+typeof t);return t}function p(...t){let e=0;for(let s=0;s<t.length;s++){const i=t[s];if(!a(i))throw Error("Uint8Array expected");e+=i.length}const s=new Uint8Array(e);for(let e=0,i=0;e<t.length;e++){const r=t[e];s.set(r,i),i+=r.length}return s}class x{clone(){return this._cloneInto()}}function w(t){const e=e=>t().update(u(e)).digest(),s=t();return e.outputLen=s.outputLen,e.blockLen=s.blockLen,e.create=()=>t(),e}function g(t=32){if(c&&"function"==typeof c.getRandomValues)return c.getRandomValues(new Uint8Array(t));throw Error("crypto.getRandomValues must be defined")}e.setImplementation("undefined"!=typeof BigInt?s:i);class y extends x{constructor(t,e,s,i){super(),this.blockLen=t,this.outputLen=e,this.padOffset=s,this.isLE=i,this.finished=!1,this.length=0,this.pos=0,this.destroyed=!1,this.buffer=new Uint8Array(t),this.view=d(this.buffer)}update(t){o(this);const{view:e,buffer:s,blockLen:i}=this,r=(t=u(t)).length;for(let n=0;n<r;){const h=Math.min(i-this.pos,r-n);if(h!==i)s.set(t.subarray(n,n+h),this.pos),this.pos+=h,n+=h,this.pos===i&&(this.process(e,0),this.pos=0);else{const e=d(t);for(;i<=r-n;n+=i)this.process(e,n)}}return this.length+=t.length,this.roundClean(),this}digestInto(t){o(this),f(t,this),this.finished=!0;const{buffer:s,view:i,blockLen:r,isLE:n}=this;let{pos:h}=this;s[h++]=128,this.buffer.subarray(h).fill(0),this.padOffset>r-h&&(this.process(i,0),h=0);for(let t=h;t<r;t++)s[t]=0;!function(t,s,i,r){if("function"==typeof t.setBigUint64)return t.setBigUint64(s,BigInt(i.toString()),r);const n=Object.freeze(e.new(32)),h=Object.freeze(e.new(4294967295)),o=i.rightShift(n).bitwiseAnd(h).toNumber(),f=i.bitwiseAnd(h).toNumber(),c=r?4:0,a=r?0:4;t.setUint32(s+c,o,r),t.setUint32(s+a,f,r)}(i,r-8,e.new(8*this.length),n),this.process(i,0);const c=d(t),a=this.outputLen;if(a%4)throw Error("_sha2: outputLen should be aligned to 32bit");const l=a/4,b=this.get();if(l>b.length)throw Error("_sha2: outputLen bigger than state");for(let t=0;t<l;t++)c.setUint32(4*t,b[t],n)}digest(){const{buffer:t,outputLen:e}=this;this.digestInto(t);const s=t.slice(0,e);return this.destroy(),s}_cloneInto(t){t||(t=new this.constructor),t.set(...this.get());const{blockLen:e,buffer:s,length:i,finished:r,destroyed:n,pos:h}=this;return t.length=i,t.pos=h,t.finished=r,t.destroyed=n,i%e&&t.buffer.set(s),t}}const L=(t,e,s)=>t&e^t&s^e&s,A=/* @__PURE__ */new Uint32Array([1116352408,1899447441,3049323471,3921009573,961987163,1508970993,2453635748,2870763221,3624381080,310598401,607225278,1426881987,1925078388,2162078206,2614888103,3248222580,3835390401,4022224774,264347078,604807628,770255983,1249150122,1555081692,1996064986,2554220882,2821834349,2952996808,3210313671,3336571891,3584528711,113926993,338241895,666307205,773529912,1294757372,1396182291,1695183700,1986661051,2177026350,2456956037,2730485921,2820302411,3259730800,3345764771,3516065817,3600352804,4094571909,275423344,430227734,506948616,659060556,883997877,958139571,1322822218,1537002063,1747873779,1955562222,2024104815,2227730452,2361852424,2428436474,2756734187,3204031479,3329325298]),H=/* @__PURE__ */new Uint32Array([1779033703,3144134277,1013904242,2773480762,1359893119,2600822924,528734635,1541459225]),E=/* @__PURE__ */new Uint32Array(64);class B extends y{constructor(){super(64,32,8,!1),this.A=0|H[0],this.B=0|H[1],this.C=0|H[2],this.D=0|H[3],this.E=0|H[4],this.F=0|H[5],this.G=0|H[6],this.H=0|H[7]}get(){const{A:t,B:e,C:s,D:i,E:r,F:n,G:h,H:o}=this;return[t,e,s,i,r,n,h,o]}set(t,e,s,i,r,n,h,o){this.A=0|t,this.B=0|e,this.C=0|s,this.D=0|i,this.E=0|r,this.F=0|n,this.G=0|h,this.H=0|o}process(t,e){for(let s=0;s<16;s++,e+=4)E[s]=t.getUint32(e,!1);for(let t=16;t<64;t++){const e=E[t-15],s=E[t-2],i=l(e,7)^l(e,18)^e>>>3,r=l(s,17)^l(s,19)^s>>>10;E[t]=r+E[t-7]+i+E[t-16]|0}let{A:s,B:i,C:r,D:n,E:h,F:o,G:f,H:c}=this;for(let t=0;t<64;t++){const e=c+(l(h,6)^l(h,11)^l(h,25))+((a=h)&o^~a&f)+A[t]+E[t]|0,d=(l(s,2)^l(s,13)^l(s,22))+L(s,i,r)|0;c=f,f=o,o=h,h=n+e|0,n=r,r=i,i=s,s=e+d|0}var a;s=s+this.A|0,i=i+this.B|0,r=r+this.C|0,n=n+this.D|0,h=h+this.E|0,o=o+this.F|0,f=f+this.G|0,c=c+this.H|0,this.set(s,i,r,n,h,o,f,c)}roundClean(){E.fill(0)}destroy(){this.set(0,0,0,0,0,0,0,0),this.buffer.fill(0)}}class m extends B{constructor(){super(),this.A=-1056596264,this.B=914150663,this.C=812702999,this.D=-150054599,this.E=-4191439,this.F=1750603025,this.G=1694076839,this.H=-1090891868,this.outputLen=28}}const S=/* @__PURE__ */w((()=>new B)),U=/* @__PURE__ */w((()=>new m)),k=Object.freeze(e.new(2**32-1)),O=Object.freeze(e.new(32));function F(t,e=!1){return e?{h:t.bitwiseAnd(k).toNumber(),l:t.rightShift(O).bitwiseAnd(k).toNumber()}:{h:0|t.rightShift(O).bitwiseAnd(k).toNumber(),l:0|t.bitwiseAnd(k).toNumber()}}function C(t,e=!1){let s=new Uint32Array(t.length),i=new Uint32Array(t.length);for(let r=0;r<t.length;r++){const{h:n,l:h}=F(t[r],e);[s[r],i[r]]=[n,h]}return[s,i]}const D=(t,e,s)=>t<<s|e>>>32-s,G=(t,e,s)=>e<<s|t>>>32-s,j=(t,e,s)=>e<<s-32|t>>>64-s,I=(t,e,s)=>t<<s-32|e>>>64-s;const v={fromBig:F,split:C,toBig:(t,s)=>e.new(t>>>0).ileftShift(O).ibitwiseOr(e.new(s>>>0)),shrSH:(t,e,s)=>t>>>s,shrSL:(t,e,s)=>t<<32-s|e>>>s,rotrSH:(t,e,s)=>t>>>s|e<<32-s,rotrSL:(t,e,s)=>t<<32-s|e>>>s,rotrBH:(t,e,s)=>t<<64-s|e>>>s-32,rotrBL:(t,e,s)=>t>>>s-32|e<<64-s,rotr32H:(t,e)=>e,rotr32L:(t,e)=>t,rotlSH:D,rotlSL:G,rotlBH:j,rotlBL:I,add:function(t,e,s,i){const r=(e>>>0)+(i>>>0);return{h:t+s+(r/2**32|0)|0,l:0|r}},add3L:(t,e,s)=>(t>>>0)+(e>>>0)+(s>>>0),add3H:(t,e,s,i)=>e+s+i+(t/2**32|0)|0,add4L:(t,e,s,i)=>(t>>>0)+(e>>>0)+(s>>>0)+(i>>>0),add4H:(t,e,s,i,r)=>e+s+i+r+(t/2**32|0)|0,add5H:(t,e,s,i,r,n)=>e+s+i+r+n+(t/2**32|0)|0,add5L:(t,e,s,i,r)=>(t>>>0)+(e>>>0)+(s>>>0)+(i>>>0)+(r>>>0)},[z,N]=/* @__PURE__ */(()=>v.split(["0x428a2f98d728ae22","0x7137449123ef65cd","0xb5c0fbcfec4d3b2f","0xe9b5dba58189dbbc","0x3956c25bf348b538","0x59f111f1b605d019","0x923f82a4af194f9b","0xab1c5ed5da6d8118","0xd807aa98a3030242","0x12835b0145706fbe","0x243185be4ee4b28c","0x550c7dc3d5ffb4e2","0x72be5d74f27b896f","0x80deb1fe3b1696b1","0x9bdc06a725c71235","0xc19bf174cf692694","0xe49b69c19ef14ad2","0xefbe4786384f25e3","0x0fc19dc68b8cd5b5","0x240ca1cc77ac9c65","0x2de92c6f592b0275","0x4a7484aa6ea6e483","0x5cb0a9dcbd41fbd4","0x76f988da831153b5","0x983e5152ee66dfab","0xa831c66d2db43210","0xb00327c898fb213f","0xbf597fc7beef0ee4","0xc6e00bf33da88fc2","0xd5a79147930aa725","0x06ca6351e003826f","0x142929670a0e6e70","0x27b70a8546d22ffc","0x2e1b21385c26c926","0x4d2c6dfc5ac42aed","0x53380d139d95b3df","0x650a73548baf63de","0x766a0abb3c77b2a8","0x81c2c92e47edaee6","0x92722c851482353b","0xa2bfe8a14cf10364","0xa81a664bbc423001","0xc24b8b70d0f89791","0xc76c51a30654be30","0xd192e819d6ef5218","0xd69906245565a910","0xf40e35855771202a","0x106aa07032bbd1b8","0x19a4c116b8d2d0c8","0x1e376c085141ab53","0x2748774cdf8eeb99","0x34b0bcb5e19b48a8","0x391c0cb3c5c95a63","0x4ed8aa4ae3418acb","0x5b9cca4f7763e373","0x682e6ff3d6b2b8a3","0x748f82ee5defb2fc","0x78a5636f43172f60","0x84c87814a1f0ab72","0x8cc702081a6439ec","0x90befffa23631e28","0xa4506cebde82bde9","0xbef9a3f7b2c67915","0xc67178f2e372532b","0xca273eceea26619c","0xd186b8c721c0c207","0xeada7dd6cde0eb1e","0xf57d4f7fee6ed178","0x06f067aa72176fba","0x0a637dc5a2c898a6","0x113f9804bef90dae","0x1b710b35131c471b","0x28db77f523047d84","0x32caab7b40c72493","0x3c9ebe0a15c9bebc","0x431d67c49c100d4c","0x4cc5d4becb3e42b6","0x597f299cfc657e2a","0x5fcb6fab3ad6faec","0x6c44198c4a475817"].map((t=>e.new(t)))))(),X=/* @__PURE__ */new Uint32Array(80),_=/* @__PURE__ */new Uint32Array(80);class M extends y{constructor(){super(128,64,16,!1),this.Ah=1779033703,this.Al=-205731576,this.Bh=-1150833019,this.Bl=-2067093701,this.Ch=1013904242,this.Cl=-23791573,this.Dh=-1521486534,this.Dl=1595750129,this.Eh=1359893119,this.El=-1377402159,this.Fh=-1694144372,this.Fl=725511199,this.Gh=528734635,this.Gl=-79577749,this.Hh=1541459225,this.Hl=327033209}get(){const{Ah:t,Al:e,Bh:s,Bl:i,Ch:r,Cl:n,Dh:h,Dl:o,Eh:f,El:c,Fh:a,Fl:d,Gh:l,Gl:b,Hh:u,Hl:p}=this;return[t,e,s,i,r,n,h,o,f,c,a,d,l,b,u,p]}set(t,e,s,i,r,n,h,o,f,c,a,d,l,b,u,p){this.Ah=0|t,this.Al=0|e,this.Bh=0|s,this.Bl=0|i,this.Ch=0|r,this.Cl=0|n,this.Dh=0|h,this.Dl=0|o,this.Eh=0|f,this.El=0|c,this.Fh=0|a,this.Fl=0|d,this.Gh=0|l,this.Gl=0|b,this.Hh=0|u,this.Hl=0|p}process(t,e){for(let s=0;s<16;s++,e+=4)X[s]=t.getUint32(e),_[s]=t.getUint32(e+=4);for(let t=16;t<80;t++){const e=0|X[t-15],s=0|_[t-15],i=v.rotrSH(e,s,1)^v.rotrSH(e,s,8)^v.shrSH(e,s,7),r=v.rotrSL(e,s,1)^v.rotrSL(e,s,8)^v.shrSL(e,s,7),n=0|X[t-2],h=0|_[t-2],o=v.rotrSH(n,h,19)^v.rotrBH(n,h,61)^v.shrSH(n,h,6),f=v.rotrSL(n,h,19)^v.rotrBL(n,h,61)^v.shrSL(n,h,6),c=v.add4L(r,f,_[t-7],_[t-16]),a=v.add4H(c,i,o,X[t-7],X[t-16]);X[t]=0|a,_[t]=0|c}let{Ah:s,Al:i,Bh:r,Bl:n,Ch:h,Cl:o,Dh:f,Dl:c,Eh:a,El:d,Fh:l,Fl:b,Gh:u,Gl:p,Hh:x,Hl:w}=this;for(let t=0;t<80;t++){const e=v.rotrSH(a,d,14)^v.rotrSH(a,d,18)^v.rotrBH(a,d,41),g=v.rotrSL(a,d,14)^v.rotrSL(a,d,18)^v.rotrBL(a,d,41),y=a&l^~a&u,L=d&b^~d&p,A=v.add5L(w,g,L,N[t],_[t]),H=v.add5H(A,x,e,y,z[t],X[t]),E=0|A,B=v.rotrSH(s,i,28)^v.rotrBH(s,i,34)^v.rotrBH(s,i,39),m=v.rotrSL(s,i,28)^v.rotrBL(s,i,34)^v.rotrBL(s,i,39),S=s&r^s&h^r&h,U=i&n^i&o^n&o;x=0|u,w=0|p,u=0|l,p=0|b,l=0|a,b=0|d,({h:a,l:d}=v.add(0|f,0|c,0|H,0|E)),f=0|h,c=0|o,h=0|r,o=0|n,r=0|s,n=0|i;const k=v.add3L(E,m,U);s=v.add3H(k,H,B,S),i=0|k}({h:s,l:i}=v.add(0|this.Ah,0|this.Al,0|s,0|i)),({h:r,l:n}=v.add(0|this.Bh,0|this.Bl,0|r,0|n)),({h,l:o}=v.add(0|this.Ch,0|this.Cl,0|h,0|o)),({h:f,l:c}=v.add(0|this.Dh,0|this.Dl,0|f,0|c)),({h:a,l:d}=v.add(0|this.Eh,0|this.El,0|a,0|d)),({h:l,l:b}=v.add(0|this.Fh,0|this.Fl,0|l,0|b)),({h:u,l:p}=v.add(0|this.Gh,0|this.Gl,0|u,0|p)),({h:x,l:w}=v.add(0|this.Hh,0|this.Hl,0|x,0|w)),this.set(s,i,r,n,h,o,f,c,a,d,l,b,u,p,x,w)}roundClean(){X.fill(0),_.fill(0)}destroy(){this.buffer.fill(0),this.set(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)}}class V extends M{constructor(){super(),this.Ah=-876896931,this.Al=-1056596264,this.Bh=1654270250,this.Bl=914150663,this.Ch=-1856437926,this.Cl=812702999,this.Dh=355462360,this.Dl=-150054599,this.Eh=1731405415,this.El=-4191439,this.Fh=-1900787065,this.Fl=1750603025,this.Gh=-619958771,this.Gl=1694076839,this.Hh=1203062813,this.Hl=-1090891868,this.outputLen=48}}const R=/* @__PURE__ */w((()=>new M)),T=/* @__PURE__ */w((()=>new V)),[$,W,Z]=[[],[],[]],q=/* @__PURE__ */Object.freeze(e.new(0)),J=/* @__PURE__ */Object.freeze(e.new(1)),K=/* @__PURE__ */Object.freeze(e.new(2)),P=/* @__PURE__ */Object.freeze(e.new(7)),Q=/* @__PURE__ */Object.freeze(e.new(256)),Y=/* @__PURE__ */Object.freeze(e.new(113));for(let t=0,s=J,i=1,r=0;t<24;t++){[i,r]=[r,(2*i+3*r)%5],$.push(2*(5*r+i)),W.push((t+1)*(t+2)/2%64);const n=q.clone();for(let t=0;t<7;t++)s=s.leftShift(J).ixor(s.rightShift(P).imul(Y)).imod(Q),s.bitwiseAnd(K).isZero()||n.ixor(J.leftShift(J.leftShift(/* @__PURE__ */e.new(t)).idec()));Z.push(n)}const[tt,et]=/* @__PURE__ */C(Z,!0),st=(t,e,s)=>s>32?j(t,e,s):D(t,e,s),it=(t,e,s)=>s>32?I(t,e,s):G(t,e,s);class rt extends x{constructor(t,e,s,i=!1,n=24){if(super(),this.blockLen=t,this.suffix=e,this.outputLen=s,this.enableXOF=i,this.rounds=n,this.pos=0,this.posOut=0,this.finished=!1,this.destroyed=!1,r(s),0>=this.blockLen||this.blockLen>=200)throw Error("Sha3 supports only keccak-f1600 function");var h;this.state=new Uint8Array(200),this.state32=(h=this.state,new Uint32Array(h.buffer,h.byteOffset,Math.floor(h.byteLength/4)))}keccak(){!function(t,e=24){const s=new Uint32Array(10);for(let i=24-e;i<24;i++){for(let e=0;e<10;e++)s[e]=t[e]^t[e+10]^t[e+20]^t[e+30]^t[e+40];for(let e=0;e<10;e+=2){const i=(e+8)%10,r=(e+2)%10,n=s[r],h=s[r+1],o=st(n,h,1)^s[i],f=it(n,h,1)^s[i+1];for(let s=0;s<50;s+=10)t[e+s]^=o,t[e+s+1]^=f}let e=t[2],r=t[3];for(let s=0;s<24;s++){const i=W[s],n=st(e,r,i),h=it(e,r,i),o=$[s];e=t[o],r=t[o+1],t[o]=n,t[o+1]=h}for(let e=0;e<50;e+=10){for(let i=0;i<10;i++)s[i]=t[e+i];for(let i=0;i<10;i++)t[e+i]^=~s[(i+2)%10]&s[(i+4)%10]}t[0]^=tt[i],t[1]^=et[i]}s.fill(0)}(this.state32,this.rounds),this.posOut=0,this.pos=0}update(t){o(this);const{blockLen:e,state:s}=this,i=(t=u(t)).length;for(let r=0;r<i;){const n=Math.min(e-this.pos,i-r);for(let e=0;e<n;e++)s[this.pos++]^=t[r++];this.pos===e&&this.keccak()}return this}finish(){if(this.finished)return;this.finished=!0;const{state:t,suffix:e,pos:s,blockLen:i}=this;t[s]^=e,0!=(128&e)&&s===i-1&&this.keccak(),t[i-1]^=128,this.keccak()}writeInto(t){o(this,!1),n(t),this.finish();const e=this.state,{blockLen:s}=this;for(let i=0,r=t.length;i<r;){this.posOut>=s&&this.keccak();const n=Math.min(s-this.posOut,r-i);t.set(e.subarray(this.posOut,this.posOut+n),i),this.posOut+=n,i+=n}return t}xofInto(t){if(!this.enableXOF)throw Error("XOF is not possible for this instance");return this.writeInto(t)}xof(t){return r(t),this.xofInto(new Uint8Array(t))}digestInto(t){if(f(t,this),this.finished)throw Error("digest() was already called");return this.writeInto(t),this.destroy(),t}digest(){return this.digestInto(new Uint8Array(this.outputLen))}destroy(){this.destroyed=!0,this.state.fill(0)}_cloneInto(t){const{blockLen:e,suffix:s,outputLen:i,rounds:r,enableXOF:n}=this;return t||(t=new rt(e,s,i,n,r)),t.state32.set(this.state32),t.pos=this.pos,t.posOut=this.posOut,t.finished=this.finished,t.rounds=r,t.suffix=s,t.outputLen=i,t.enableXOF=n,t.destroyed=this.destroyed,t}}const nt=(t,e,s)=>w((()=>new rt(e,t,s))),ht=/* @__PURE__ */nt(6,136,32),ot=/* @__PURE__ */nt(6,72,64),ft=/* @__PURE__ */((t,e,s)=>function(t){const e=(e,s)=>t(s).update(u(e)).digest(),s=t({});return e.outputLen=s.outputLen,e.blockLen=s.blockLen,e.create=e=>t(e),e}(((i={})=>new rt(e,t,void 0===i.dkLen?s:i.dkLen,!0))))(31,136,32);export{x as H,y as S,T as a,n as b,p as c,R as d,o as e,ft as f,U as g,h,ht as i,ot as j,g as r,S as s,u as t,b as u,w};
+/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */function a(t){return t instanceof Uint8Array||null!=t&&"object"==typeof t&&"Uint8Array"===t.constructor.name}const d=t=>new DataView(t.buffer,t.byteOffset,t.byteLength),l=(t,e)=>t<<32-e|t>>>e;if(!(68===new Uint8Array(new Uint32Array([287454020]).buffer)[0]))throw Error("Non little-endian hardware is not supported");function b(t){if("string"!=typeof t)throw Error("utf8ToBytes expected string, got "+typeof t);return new Uint8Array((new TextEncoder).encode(t))}function u(t){if("string"==typeof t&&(t=b(t)),!a(t))throw Error("expected Uint8Array, got "+typeof t);return t}function p(...t){let e=0;for(let s=0;s<t.length;s++){const i=t[s];if(!a(i))throw Error("Uint8Array expected");e+=i.length}const s=new Uint8Array(e);for(let e=0,i=0;e<t.length;e++){const r=t[e];s.set(r,i),i+=r.length}return s}class x{clone(){return this._cloneInto()}}function w(t){const e=e=>t().update(u(e)).digest(),s=t();return e.outputLen=s.outputLen,e.blockLen=s.blockLen,e.create=()=>t(),e}function g(t=32){if(c&&"function"==typeof c.getRandomValues)return c.getRandomValues(new Uint8Array(t));throw Error("crypto.getRandomValues must be defined")}e.setImplementation("undefined"!=typeof BigInt?s:i);class y extends x{constructor(t,e,s,i){super(),this.blockLen=t,this.outputLen=e,this.padOffset=s,this.isLE=i,this.finished=!1,this.length=0,this.pos=0,this.destroyed=!1,this.buffer=new Uint8Array(t),this.view=d(this.buffer)}update(t){o(this);const{view:e,buffer:s,blockLen:i}=this,r=(t=u(t)).length;for(let n=0;n<r;){const h=Math.min(i-this.pos,r-n);if(h!==i)s.set(t.subarray(n,n+h),this.pos),this.pos+=h,n+=h,this.pos===i&&(this.process(e,0),this.pos=0);else{const e=d(t);for(;i<=r-n;n+=i)this.process(e,n)}}return this.length+=t.length,this.roundClean(),this}digestInto(t){o(this),f(t,this),this.finished=!0;const{buffer:s,view:i,blockLen:r,isLE:n}=this;let{pos:h}=this;s[h++]=128,this.buffer.subarray(h).fill(0),this.padOffset>r-h&&(this.process(i,0),h=0);for(let t=h;t<r;t++)s[t]=0;!function(t,s,i,r){if("function"==typeof t.setBigUint64)return t.setBigUint64(s,BigInt(i.toString()),r);const n=Object.freeze(e.new(32)),h=Object.freeze(e.new(4294967295)),o=i.rightShift(n).bitwiseAnd(h).toNumber(),f=i.bitwiseAnd(h).toNumber(),c=r?4:0,a=r?0:4;t.setUint32(s+c,o,r),t.setUint32(s+a,f,r)}(i,r-8,e.new(8*this.length),n),this.process(i,0);const c=d(t),a=this.outputLen;if(a%4)throw Error("_sha2: outputLen should be aligned to 32bit");const l=a/4,b=this.get();if(l>b.length)throw Error("_sha2: outputLen bigger than state");for(let t=0;t<l;t++)c.setUint32(4*t,b[t],n)}digest(){const{buffer:t,outputLen:e}=this;this.digestInto(t);const s=t.slice(0,e);return this.destroy(),s}_cloneInto(t){t||(t=new this.constructor),t.set(...this.get());const{blockLen:e,buffer:s,length:i,finished:r,destroyed:n,pos:h}=this;return t.length=i,t.pos=h,t.finished=r,t.destroyed=n,i%e&&t.buffer.set(s),t}}const L=(t,e,s)=>t&e^t&s^e&s,A=/* @__PURE__ */new Uint32Array([1116352408,1899447441,3049323471,3921009573,961987163,1508970993,2453635748,2870763221,3624381080,310598401,607225278,1426881987,1925078388,2162078206,2614888103,3248222580,3835390401,4022224774,264347078,604807628,770255983,1249150122,1555081692,1996064986,2554220882,2821834349,2952996808,3210313671,3336571891,3584528711,113926993,338241895,666307205,773529912,1294757372,1396182291,1695183700,1986661051,2177026350,2456956037,2730485921,2820302411,3259730800,3345764771,3516065817,3600352804,4094571909,275423344,430227734,506948616,659060556,883997877,958139571,1322822218,1537002063,1747873779,1955562222,2024104815,2227730452,2361852424,2428436474,2756734187,3204031479,3329325298]),H=/* @__PURE__ */new Uint32Array([1779033703,3144134277,1013904242,2773480762,1359893119,2600822924,528734635,1541459225]),E=/* @__PURE__ */new Uint32Array(64);class B extends y{constructor(){super(64,32,8,!1),this.A=0|H[0],this.B=0|H[1],this.C=0|H[2],this.D=0|H[3],this.E=0|H[4],this.F=0|H[5],this.G=0|H[6],this.H=0|H[7]}get(){const{A:t,B:e,C:s,D:i,E:r,F:n,G:h,H:o}=this;return[t,e,s,i,r,n,h,o]}set(t,e,s,i,r,n,h,o){this.A=0|t,this.B=0|e,this.C=0|s,this.D=0|i,this.E=0|r,this.F=0|n,this.G=0|h,this.H=0|o}process(t,e){for(let s=0;s<16;s++,e+=4)E[s]=t.getUint32(e,!1);for(let t=16;t<64;t++){const e=E[t-15],s=E[t-2],i=l(e,7)^l(e,18)^e>>>3,r=l(s,17)^l(s,19)^s>>>10;E[t]=r+E[t-7]+i+E[t-16]|0}let{A:s,B:i,C:r,D:n,E:h,F:o,G:f,H:c}=this;for(let t=0;t<64;t++){const e=c+(l(h,6)^l(h,11)^l(h,25))+((a=h)&o^~a&f)+A[t]+E[t]|0,d=(l(s,2)^l(s,13)^l(s,22))+L(s,i,r)|0;c=f,f=o,o=h,h=n+e|0,n=r,r=i,i=s,s=e+d|0}var a;s=s+this.A|0,i=i+this.B|0,r=r+this.C|0,n=n+this.D|0,h=h+this.E|0,o=o+this.F|0,f=f+this.G|0,c=c+this.H|0,this.set(s,i,r,n,h,o,f,c)}roundClean(){E.fill(0)}destroy(){this.set(0,0,0,0,0,0,0,0),this.buffer.fill(0)}}class m extends B{constructor(){super(),this.A=-1056596264,this.B=914150663,this.C=812702999,this.D=-150054599,this.E=-4191439,this.F=1750603025,this.G=1694076839,this.H=-1090891868,this.outputLen=28}}const S=/* @__PURE__ */w((()=>new B)),U=/* @__PURE__ */w((()=>new m)),k=Object.freeze(e.new(2**32-1)),O=Object.freeze(e.new(32));function F(t,e=!1){return e?{h:t.bitwiseAnd(k).toNumber(),l:t.rightShift(O).bitwiseAnd(k).toNumber()}:{h:0|t.rightShift(O).bitwiseAnd(k).toNumber(),l:0|t.bitwiseAnd(k).toNumber()}}function C(t,e=!1){let s=new Uint32Array(t.length),i=new Uint32Array(t.length);for(let r=0;r<t.length;r++){const{h:n,l:h}=F(t[r],e);[s[r],i[r]]=[n,h]}return[s,i]}const D=(t,e,s)=>t<<s|e>>>32-s,G=(t,e,s)=>e<<s|t>>>32-s,j=(t,e,s)=>e<<s-32|t>>>64-s,I=(t,e,s)=>t<<s-32|e>>>64-s;const v={fromBig:F,split:C,toBig:(t,s)=>e.new(t>>>0).ileftShift(O).ibitwiseOr(e.new(s>>>0)),shrSH:(t,e,s)=>t>>>s,shrSL:(t,e,s)=>t<<32-s|e>>>s,rotrSH:(t,e,s)=>t>>>s|e<<32-s,rotrSL:(t,e,s)=>t<<32-s|e>>>s,rotrBH:(t,e,s)=>t<<64-s|e>>>s-32,rotrBL:(t,e,s)=>t>>>s-32|e<<64-s,rotr32H:(t,e)=>e,rotr32L:(t,e)=>t,rotlSH:D,rotlSL:G,rotlBH:j,rotlBL:I,add:function(t,e,s,i){const r=(e>>>0)+(i>>>0);return{h:t+s+(r/2**32|0)|0,l:0|r}},add3L:(t,e,s)=>(t>>>0)+(e>>>0)+(s>>>0),add3H:(t,e,s,i)=>e+s+i+(t/2**32|0)|0,add4L:(t,e,s,i)=>(t>>>0)+(e>>>0)+(s>>>0)+(i>>>0),add4H:(t,e,s,i,r)=>e+s+i+r+(t/2**32|0)|0,add5H:(t,e,s,i,r,n)=>e+s+i+r+n+(t/2**32|0)|0,add5L:(t,e,s,i,r)=>(t>>>0)+(e>>>0)+(s>>>0)+(i>>>0)+(r>>>0)},[z,N]=/* @__PURE__ */(()=>v.split(["0x428a2f98d728ae22","0x7137449123ef65cd","0xb5c0fbcfec4d3b2f","0xe9b5dba58189dbbc","0x3956c25bf348b538","0x59f111f1b605d019","0x923f82a4af194f9b","0xab1c5ed5da6d8118","0xd807aa98a3030242","0x12835b0145706fbe","0x243185be4ee4b28c","0x550c7dc3d5ffb4e2","0x72be5d74f27b896f","0x80deb1fe3b1696b1","0x9bdc06a725c71235","0xc19bf174cf692694","0xe49b69c19ef14ad2","0xefbe4786384f25e3","0x0fc19dc68b8cd5b5","0x240ca1cc77ac9c65","0x2de92c6f592b0275","0x4a7484aa6ea6e483","0x5cb0a9dcbd41fbd4","0x76f988da831153b5","0x983e5152ee66dfab","0xa831c66d2db43210","0xb00327c898fb213f","0xbf597fc7beef0ee4","0xc6e00bf33da88fc2","0xd5a79147930aa725","0x06ca6351e003826f","0x142929670a0e6e70","0x27b70a8546d22ffc","0x2e1b21385c26c926","0x4d2c6dfc5ac42aed","0x53380d139d95b3df","0x650a73548baf63de","0x766a0abb3c77b2a8","0x81c2c92e47edaee6","0x92722c851482353b","0xa2bfe8a14cf10364","0xa81a664bbc423001","0xc24b8b70d0f89791","0xc76c51a30654be30","0xd192e819d6ef5218","0xd69906245565a910","0xf40e35855771202a","0x106aa07032bbd1b8","0x19a4c116b8d2d0c8","0x1e376c085141ab53","0x2748774cdf8eeb99","0x34b0bcb5e19b48a8","0x391c0cb3c5c95a63","0x4ed8aa4ae3418acb","0x5b9cca4f7763e373","0x682e6ff3d6b2b8a3","0x748f82ee5defb2fc","0x78a5636f43172f60","0x84c87814a1f0ab72","0x8cc702081a6439ec","0x90befffa23631e28","0xa4506cebde82bde9","0xbef9a3f7b2c67915","0xc67178f2e372532b","0xca273eceea26619c","0xd186b8c721c0c207","0xeada7dd6cde0eb1e","0xf57d4f7fee6ed178","0x06f067aa72176fba","0x0a637dc5a2c898a6","0x113f9804bef90dae","0x1b710b35131c471b","0x28db77f523047d84","0x32caab7b40c72493","0x3c9ebe0a15c9bebc","0x431d67c49c100d4c","0x4cc5d4becb3e42b6","0x597f299cfc657e2a","0x5fcb6fab3ad6faec","0x6c44198c4a475817"].map((t=>e.new(t)))))(),X=/* @__PURE__ */new Uint32Array(80),_=/* @__PURE__ */new Uint32Array(80);class M extends y{constructor(){super(128,64,16,!1),this.Ah=1779033703,this.Al=-205731576,this.Bh=-1150833019,this.Bl=-2067093701,this.Ch=1013904242,this.Cl=-23791573,this.Dh=-1521486534,this.Dl=1595750129,this.Eh=1359893119,this.El=-1377402159,this.Fh=-1694144372,this.Fl=725511199,this.Gh=528734635,this.Gl=-79577749,this.Hh=1541459225,this.Hl=327033209}get(){const{Ah:t,Al:e,Bh:s,Bl:i,Ch:r,Cl:n,Dh:h,Dl:o,Eh:f,El:c,Fh:a,Fl:d,Gh:l,Gl:b,Hh:u,Hl:p}=this;return[t,e,s,i,r,n,h,o,f,c,a,d,l,b,u,p]}set(t,e,s,i,r,n,h,o,f,c,a,d,l,b,u,p){this.Ah=0|t,this.Al=0|e,this.Bh=0|s,this.Bl=0|i,this.Ch=0|r,this.Cl=0|n,this.Dh=0|h,this.Dl=0|o,this.Eh=0|f,this.El=0|c,this.Fh=0|a,this.Fl=0|d,this.Gh=0|l,this.Gl=0|b,this.Hh=0|u,this.Hl=0|p}process(t,e){for(let s=0;s<16;s++,e+=4)X[s]=t.getUint32(e),_[s]=t.getUint32(e+=4);for(let t=16;t<80;t++){const e=0|X[t-15],s=0|_[t-15],i=v.rotrSH(e,s,1)^v.rotrSH(e,s,8)^v.shrSH(e,s,7),r=v.rotrSL(e,s,1)^v.rotrSL(e,s,8)^v.shrSL(e,s,7),n=0|X[t-2],h=0|_[t-2],o=v.rotrSH(n,h,19)^v.rotrBH(n,h,61)^v.shrSH(n,h,6),f=v.rotrSL(n,h,19)^v.rotrBL(n,h,61)^v.shrSL(n,h,6),c=v.add4L(r,f,_[t-7],_[t-16]),a=v.add4H(c,i,o,X[t-7],X[t-16]);X[t]=0|a,_[t]=0|c}let{Ah:s,Al:i,Bh:r,Bl:n,Ch:h,Cl:o,Dh:f,Dl:c,Eh:a,El:d,Fh:l,Fl:b,Gh:u,Gl:p,Hh:x,Hl:w}=this;for(let t=0;t<80;t++){const e=v.rotrSH(a,d,14)^v.rotrSH(a,d,18)^v.rotrBH(a,d,41),g=v.rotrSL(a,d,14)^v.rotrSL(a,d,18)^v.rotrBL(a,d,41),y=a&l^~a&u,L=d&b^~d&p,A=v.add5L(w,g,L,N[t],_[t]),H=v.add5H(A,x,e,y,z[t],X[t]),E=0|A,B=v.rotrSH(s,i,28)^v.rotrBH(s,i,34)^v.rotrBH(s,i,39),m=v.rotrSL(s,i,28)^v.rotrBL(s,i,34)^v.rotrBL(s,i,39),S=s&r^s&h^r&h,U=i&n^i&o^n&o;x=0|u,w=0|p,u=0|l,p=0|b,l=0|a,b=0|d,({h:a,l:d}=v.add(0|f,0|c,0|H,0|E)),f=0|h,c=0|o,h=0|r,o=0|n,r=0|s,n=0|i;const k=v.add3L(E,m,U);s=v.add3H(k,H,B,S),i=0|k}({h:s,l:i}=v.add(0|this.Ah,0|this.Al,0|s,0|i)),({h:r,l:n}=v.add(0|this.Bh,0|this.Bl,0|r,0|n)),({h,l:o}=v.add(0|this.Ch,0|this.Cl,0|h,0|o)),({h:f,l:c}=v.add(0|this.Dh,0|this.Dl,0|f,0|c)),({h:a,l:d}=v.add(0|this.Eh,0|this.El,0|a,0|d)),({h:l,l:b}=v.add(0|this.Fh,0|this.Fl,0|l,0|b)),({h:u,l:p}=v.add(0|this.Gh,0|this.Gl,0|u,0|p)),({h:x,l:w}=v.add(0|this.Hh,0|this.Hl,0|x,0|w)),this.set(s,i,r,n,h,o,f,c,a,d,l,b,u,p,x,w)}roundClean(){X.fill(0),_.fill(0)}destroy(){this.buffer.fill(0),this.set(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)}}class V extends M{constructor(){super(),this.Ah=-876896931,this.Al=-1056596264,this.Bh=1654270250,this.Bl=914150663,this.Ch=-1856437926,this.Cl=812702999,this.Dh=355462360,this.Dl=-150054599,this.Eh=1731405415,this.El=-4191439,this.Fh=-1900787065,this.Fl=1750603025,this.Gh=-619958771,this.Gl=1694076839,this.Hh=1203062813,this.Hl=-1090891868,this.outputLen=48}}const R=/* @__PURE__ */w((()=>new M)),T=/* @__PURE__ */w((()=>new V)),[$,W,Z]=[[],[],[]],q=/* @__PURE__ */Object.freeze(e.new(0)),J=/* @__PURE__ */Object.freeze(e.new(1)),K=/* @__PURE__ */Object.freeze(e.new(2)),P=/* @__PURE__ */Object.freeze(e.new(7)),Q=/* @__PURE__ */Object.freeze(e.new(256)),Y=/* @__PURE__ */Object.freeze(e.new(113));for(let t=0,s=J,i=1,r=0;t<24;t++){[i,r]=[r,(2*i+3*r)%5],$.push(2*(5*r+i)),W.push((t+1)*(t+2)/2%64);const n=q.clone();for(let t=0;t<7;t++)s=s.leftShift(J).ixor(s.rightShift(P).imul(Y)).imod(Q),s.bitwiseAnd(K).isZero()||n.ixor(J.leftShift(J.leftShift(/* @__PURE__ */e.new(t)).idec()));Z.push(n)}const[tt,et]=/* @__PURE__ */C(Z,!0),st=(t,e,s)=>s>32?j(t,e,s):D(t,e,s),it=(t,e,s)=>s>32?I(t,e,s):G(t,e,s);class rt extends x{constructor(t,e,s,i=!1,n=24){if(super(),this.blockLen=t,this.suffix=e,this.outputLen=s,this.enableXOF=i,this.rounds=n,this.pos=0,this.posOut=0,this.finished=!1,this.destroyed=!1,r(s),0>=this.blockLen||this.blockLen>=200)throw Error("Sha3 supports only keccak-f1600 function");var h;this.state=new Uint8Array(200),this.state32=(h=this.state,new Uint32Array(h.buffer,h.byteOffset,Math.floor(h.byteLength/4)))}keccak(){!function(t,e=24){const s=new Uint32Array(10);for(let i=24-e;i<24;i++){for(let e=0;e<10;e++)s[e]=t[e]^t[e+10]^t[e+20]^t[e+30]^t[e+40];for(let e=0;e<10;e+=2){const i=(e+8)%10,r=(e+2)%10,n=s[r],h=s[r+1],o=st(n,h,1)^s[i],f=it(n,h,1)^s[i+1];for(let s=0;s<50;s+=10)t[e+s]^=o,t[e+s+1]^=f}let e=t[2],r=t[3];for(let s=0;s<24;s++){const i=W[s],n=st(e,r,i),h=it(e,r,i),o=$[s];e=t[o],r=t[o+1],t[o]=n,t[o+1]=h}for(let e=0;e<50;e+=10){for(let i=0;i<10;i++)s[i]=t[e+i];for(let i=0;i<10;i++)t[e+i]^=~s[(i+2)%10]&s[(i+4)%10]}t[0]^=tt[i],t[1]^=et[i]}s.fill(0)}(this.state32,this.rounds),this.posOut=0,this.pos=0}update(t){o(this);const{blockLen:e,state:s}=this,i=(t=u(t)).length;for(let r=0;r<i;){const n=Math.min(e-this.pos,i-r);for(let e=0;e<n;e++)s[this.pos++]^=t[r++];this.pos===e&&this.keccak()}return this}finish(){if(this.finished)return;this.finished=!0;const{state:t,suffix:e,pos:s,blockLen:i}=this;t[s]^=e,128&e&&s===i-1&&this.keccak(),t[i-1]^=128,this.keccak()}writeInto(t){o(this,!1),n(t),this.finish();const e=this.state,{blockLen:s}=this;for(let i=0,r=t.length;i<r;){this.posOut>=s&&this.keccak();const n=Math.min(s-this.posOut,r-i);t.set(e.subarray(this.posOut,this.posOut+n),i),this.posOut+=n,i+=n}return t}xofInto(t){if(!this.enableXOF)throw Error("XOF is not possible for this instance");return this.writeInto(t)}xof(t){return r(t),this.xofInto(new Uint8Array(t))}digestInto(t){if(f(t,this),this.finished)throw Error("digest() was already called");return this.writeInto(t),this.destroy(),t}digest(){return this.digestInto(new Uint8Array(this.outputLen))}destroy(){this.destroyed=!0,this.state.fill(0)}_cloneInto(t){const{blockLen:e,suffix:s,outputLen:i,rounds:r,enableXOF:n}=this;return t||(t=new rt(e,s,i,n,r)),t.state32.set(this.state32),t.pos=this.pos,t.posOut=this.posOut,t.finished=this.finished,t.rounds=r,t.suffix=s,t.outputLen=i,t.enableXOF=n,t.destroyed=this.destroyed,t}}const nt=(t,e,s)=>w((()=>new rt(e,t,s))),ht=/* @__PURE__ */nt(6,136,32),ot=/* @__PURE__ */nt(6,72,64),ft=/* @__PURE__ */((t,e,s)=>function(t){const e=(e,s)=>t(s).update(u(e)).digest(),s=t({});return e.outputLen=s.outputLen,e.blockLen=s.blockLen,e.create=e=>t(e),e}(((i={})=>new rt(e,t,void 0===i.dkLen?s:i.dkLen,!0))))(31,136,32);export{x as H,y as S,T as a,n as b,p as c,R as d,o as e,ft as f,U as g,h,ht as i,ot as j,g as r,S as s,u as t,b as u,w};
 //# sourceMappingURL=sha3.min.mjs.map