@protontech/openpgp 6.0.0-beta.0.patch.0 → 6.0.0-beta.2

package/dist/lightweight/openpgp.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v6.0.0-beta.0.patch.0 - 2024-04-19 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.0.0-beta.2 - 2024-07-05 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
 const doneWritingPromise = Symbol('doneWritingPromise');
@@ -543,9 +543,10 @@ function transformRaw(input, options) {
  * @param {Function} cancel
  * @returns {TransformStream}
  */
-function transformWithCancel(cancel) {
+function transformWithCancel(customCancel) {
   let pulled = false;
-  let backpressureChangePromiseResolve;
+  let cancelled = false;
+  let backpressureChangePromiseResolve, backpressureChangePromiseReject;
   let outputController;
   return {
     readable: new ReadableStream({
@@ -559,16 +560,29 @@ function transformWithCancel(cancel) {
           pulled = true;
         }
       },
-      cancel
+      async cancel(reason) {
+        cancelled = true;
+        if (customCancel) {
+          await customCancel(reason);
+        }
+        if (backpressureChangePromiseReject) {
+          backpressureChangePromiseReject(reason);
+        }
+      }
     }, {highWaterMark: 0}),
     writable: new WritableStream({
       write: async function(chunk) {
+        if (cancelled) {
+          throw new Error('Stream is cancelled');
+        }
         outputController.enqueue(chunk);
         if (!pulled) {
-          await new Promise(resolve => {
+          await new Promise((resolve, reject) => {
             backpressureChangePromiseResolve = resolve;
+            backpressureChangePromiseReject = reject;
           });
           backpressureChangePromiseResolve = null;
+          backpressureChangePromiseReject = null;
         } else {
           pulled = false;
         }
@@ -1504,6 +1518,14 @@ var config = {
    * @property {Boolean} v6Keys
    */
   v6Keys: false,
+  /**
+   * Enable parsing v5 keys and v5 signatures (which is different from the AEAD-encrypted SEIPDv2 packet).
+   * These are non-standard entities, which in the crypto-refresh have been superseded
+   * by v6 keys and v6 signatures, respectively.
+   * However, generation of v5 entities was supported behind config flag in OpenPGP.js v5, and some other libraries,
+   * hence parsing them might be necessary in some cases.
+   */
+  enableParsingV5Entities: false,
   /**
    * S2K (String to Key) type, used for key derivation in the context of secret key encryption
    * and password-encrypted data. Weaker s2k options are not allowed.
@@ -1660,7 +1682,7 @@ var config = {
    * @memberof module:config
    * @property {String} versionString A version string to be included in armored messages
    */
-  versionString: 'OpenPGP.js 6.0.0-beta.0.patch.0',
+  versionString: 'OpenPGP.js 6.0.0-beta.2',
   /**
    * @memberof module:config
    * @property {String} commentString A comment string to be included in armored messages
@@ -1721,27 +1743,6 @@ var config = {
   rejectCurves: new Set([enums.curve.secp256k1])
 };
 
-/**
- * We don't use the BigIntegerInterface wrapper from noble-hashes because:
- * - importing the instance results in it being shared with noble-hashes, which separately calls `setImplementation()`
- *  on load, causing it to throw due to duplicate initialization.
- * - even duplicating the interface code here to keep a separate instance requires handing a race-conditions the first time
- * `getBigInteger` is called, when the code needs to check if the implementation is set, and initialize it if not.
- * Ultimately, the interface provides no advantages and it's only needed because of TS.
- */
-const detectBigInt = () => typeof BigInt !== 'undefined';
-async function getBigInteger() {
-  if (detectBigInt()) {
-    // NativeBigInteger is small, so it's imported in isolation (it could also be imported at the top level)
-    const { default: NativeBigInteger } = await import('./native.interface.mjs');
-    return NativeBigInteger;
-  } else {
-    // FallbackBigInteger relies on large BN.js lib, which is also used by noble-hashes and noble-curves
-    const { default: FallbackBigInteger } = await import('./bn.interface.mjs');
-    return FallbackBigInteger;
-  }
-}
-
 // GPG4Browsers - An OpenPGP implementation in javascript
 // Copyright (C) 2011 Recurity Labs GmbH
 //
@@ -1783,8 +1784,6 @@ const util = {
 
   isStream: isStream,
 
-  getBigInteger,
-
   /**
    * Load noble-curves lib on demand and return the requested curve function
    * @param {enums.publicKey} publicKeyAlgo
@@ -2506,7 +2505,7 @@ function b64ToUint8Array(base64) {
  */
 function uint8ArrayToB64(bytes, url) {
   let encoded = encode$1(bytes).replace(/[\r\n]/g, '');
-  if (url) {
+  {
     encoded = encoded.replace(/[+]/g, '-').replace(/[/]/g, '_').replace(/[=]/g, '');
   }
   return encoded;
@@ -3205,15 +3204,15 @@ function add32(a, b) {
 
 
 const webCrypto$b = util.getWebCrypto();
-const nodeCrypto$a = util.getNodeCrypto();
-const nodeCryptoHashes = nodeCrypto$a && nodeCrypto$a.getHashes();
+const nodeCrypto$b = util.getNodeCrypto();
+const nodeCryptoHashes = nodeCrypto$b && nodeCrypto$b.getHashes();
 
 function nodeHash(type) {
-  if (!nodeCrypto$a || !nodeCryptoHashes.includes(type)) {
+  if (!nodeCrypto$b || !nodeCryptoHashes.includes(type)) {
     return;
   }
   return async function (data) {
-    const shasum = nodeCrypto$a.createHash(type);
+    const shasum = nodeCrypto$b.createHash(type);
     return transform(data, value => {
       shasum.update(value);
     }, () => new Uint8Array(shasum.digest()));
@@ -4293,7 +4292,7 @@ function is_bytes(a) {
     return a instanceof Uint8Array;
 }
 function _heap_init(heap, heapSize) {
-    const size = heap ? heap.byteLength : heapSize || 65536;
+    const size = heap ? heap.byteLength : 65536;
     if (size & 0xfff || size <= 0)
         throw new Error('heap size must be a positive integer and a multiple of 4096');
     heap = heap || new Uint8Array(new ArrayBuffer(size));
@@ -4560,9 +4559,9 @@ class AES_CFB {
 
 
 const webCrypto$a = util.getWebCrypto();
-const nodeCrypto$9 = util.getNodeCrypto();
+const nodeCrypto$a = util.getNodeCrypto();
 
-const knownAlgos = nodeCrypto$9 ? nodeCrypto$9.getCiphers() : [];
+const knownAlgos = nodeCrypto$a ? nodeCrypto$a.getCiphers() : [];
 const nodeAlgos = {
   idea: knownAlgos.includes('idea-cfb') ? 'idea-cfb' : undefined, /* Unused, not implemented */
   tripledes: knownAlgos.includes('des-ede3-cfb') ? 'des-ede3-cfb' : undefined,
@@ -4628,7 +4627,7 @@ async function encrypt$5(algo, key, plaintext, iv, config) {
  */
 async function decrypt$5(algo, key, ciphertext, iv) {
   const algoName = enums.read(enums.symmetric, algo);
-  if (nodeCrypto$9 && nodeAlgos[algoName]) { // Node crypto library.
+  if (nodeCrypto$a && nodeAlgos[algoName]) { // Node crypto library.
     return nodeDecrypt$1(algo, key, ciphertext, iv);
   }
   if (util.isAES(algo)) {
@@ -4796,13 +4795,13 @@ function xorMut$1(a, b) {
 
 function nodeEncrypt$1(algo, key, pt, iv) {
   const algoName = enums.read(enums.symmetric, algo);
-  const cipherObj = new nodeCrypto$9.createCipheriv(nodeAlgos[algoName], key, iv);
+  const cipherObj = new nodeCrypto$a.createCipheriv(nodeAlgos[algoName], key, iv);
   return transform(pt, value => new Uint8Array(cipherObj.update(value)));
 }
 
 function nodeDecrypt$1(algo, key, ct, iv) {
   const algoName = enums.read(enums.symmetric, algo);
-  const decipherObj = new nodeCrypto$9.createDecipheriv(nodeAlgos[algoName], key, iv);
+  const decipherObj = new nodeCrypto$a.createDecipheriv(nodeAlgos[algoName], key, iv);
   return transform(ct, value => new Uint8Array(decipherObj.update(value)));
 }
 
@@ -4895,7 +4894,7 @@ class AES_CBC {
 
 
 const webCrypto$9 = util.getWebCrypto();
-const nodeCrypto$8 = util.getNodeCrypto();
+const nodeCrypto$9 = util.getNodeCrypto();
 
 
 /**
@@ -4961,7 +4960,7 @@ async function CMAC(key) {
 async function CBC(key) {
   if (util.getNodeCrypto()) { // Node crypto library
     return async function(pt) {
-      const en = new nodeCrypto$8.createCipheriv('aes-' + (key.length * 8) + '-cbc', key, zeroBlock$1);
+      const en = new nodeCrypto$9.createCipheriv('aes-' + (key.length * 8) + '-cbc', key, zeroBlock$1);
       const ct = en.update(pt);
       return new Uint8Array(ct);
     };
@@ -5009,7 +5008,7 @@ async function CBC(key) {
 
 
 const webCrypto$8 = util.getWebCrypto();
-const nodeCrypto$7 = util.getNodeCrypto();
+const nodeCrypto$8 = util.getNodeCrypto();
 const Buffer$1 = util.getNodeBuffer();
 
 
@@ -5031,7 +5030,7 @@ async function OMAC(key) {
 async function CTR(key) {
   if (util.getNodeCrypto()) { // Node crypto library
     return async function(pt, iv) {
-      const en = new nodeCrypto$7.createCipheriv('aes-' + (key.length * 8) + '-ctr', key, iv);
+      const en = new nodeCrypto$8.createCipheriv('aes-' + (key.length * 8) + '-ctr', key, iv);
       const ct = Buffer$1.concat([en.update(pt), en.final()]);
       return new Uint8Array(ct);
     };
@@ -5722,7 +5721,7 @@ class AES_GCM {
 
 
 const webCrypto$7 = util.getWebCrypto();
-const nodeCrypto$6 = util.getNodeCrypto();
+const nodeCrypto$7 = util.getNodeCrypto();
 const Buffer = util.getNodeBuffer();
 
 const blockLength = 16;
@@ -5745,14 +5744,14 @@ async function GCM(cipher, key) {
   if (util.getNodeCrypto()) { // Node crypto library
     return {
       encrypt: async function(pt, iv, adata = new Uint8Array()) {
-        const en = new nodeCrypto$6.createCipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
+        const en = new nodeCrypto$7.createCipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
         en.setAAD(adata);
         const ct = Buffer.concat([en.update(pt), en.final(), en.getAuthTag()]); // append auth tag to ciphertext
         return new Uint8Array(ct);
       },
 
       decrypt: async function(ct, iv, adata = new Uint8Array()) {
-        const de = new nodeCrypto$6.createDecipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
+        const de = new nodeCrypto$7.createDecipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
         de.setAAD(adata);
         de.setAuthTag(ct.slice(ct.length - tagLength, ct.length)); // read auth tag at end of ciphertext
         const pt = Buffer.concat([de.update(ct.slice(0, ct.length - tagLength)), de.final()]);
@@ -5850,6 +5849,202 @@ var mode = {
   ocb: OCB
 };
 
+// Operations are not constant time, but we try and limit timing leakage where we can
+const _0n$2 = BigInt(0);
+const _1n$5 = BigInt(1);
+function uint8ArrayToBigInt(bytes) {
+    const hexAlphabet = '0123456789ABCDEF';
+    let s = '';
+    bytes.forEach(v => {
+        s += hexAlphabet[v >> 4] + hexAlphabet[v & 15];
+    });
+    return BigInt('0x0' + s);
+}
+function mod$2(a, m) {
+    const reduced = a % m;
+    return reduced < _0n$2 ? reduced + m : reduced;
+}
+/**
+ * Compute modular exponentiation using square and multiply
+ * @param {BigInt} a - Base
+ * @param {BigInt} e - Exponent
+ * @param {BigInt} n - Modulo
+ * @returns {BigInt} b ** e mod n.
+ */
+function modExp(b, e, n) {
+    if (n === _0n$2)
+        throw Error('Modulo cannot be zero');
+    if (n === _1n$5)
+        return BigInt(0);
+    if (e < _0n$2)
+        throw Error('Unsopported negative exponent');
+    let exp = e;
+    let x = b;
+    x %= n;
+    let r = BigInt(1);
+    while (exp > _0n$2) {
+        const lsb = exp & _1n$5;
+        exp >>= _1n$5; // e / 2
+        // Always compute multiplication step, to reduce timing leakage
+        const rx = (r * x) % n;
+        // Update r only if lsb is 1 (odd exponent)
+        r = lsb ? rx : r;
+        x = (x * x) % n; // Square
+    }
+    return r;
+}
+function abs(x) {
+    return x >= _0n$2 ? x : -x;
+}
+/**
+ * Extended Eucleadian algorithm (http://anh.cs.luc.edu/331/notes/xgcd.pdf)
+ * Given a and b, compute (x, y) such that ax + by = gdc(a, b).
+ * Negative numbers are also supported.
+ * @param {BigInt} a - First operand
+ * @param {BigInt} b - Second operand
+ * @returns {{ gcd, x, y: bigint }}
+ */
+function _egcd(aInput, bInput) {
+    let x = BigInt(0);
+    let y = BigInt(1);
+    let xPrev = BigInt(1);
+    let yPrev = BigInt(0);
+    // Deal with negative numbers: run algo over absolute values,
+    // and "move" the sign to the returned x and/or y.
+    // See https://math.stackexchange.com/questions/37806/extended-euclidean-algorithm-with-negative-numbers
+    let a = abs(aInput);
+    let b = abs(bInput);
+    const aNegated = aInput < _0n$2;
+    const bNegated = bInput < _0n$2;
+    while (b !== _0n$2) {
+        const q = a / b;
+        let tmp = x;
+        x = xPrev - q * x;
+        xPrev = tmp;
+        tmp = y;
+        y = yPrev - q * y;
+        yPrev = tmp;
+        tmp = b;
+        b = a % b;
+        a = tmp;
+    }
+    return {
+        x: aNegated ? -xPrev : xPrev,
+        y: bNegated ? -yPrev : yPrev,
+        gcd: a
+    };
+}
+/**
+ * Compute the inverse of `a` modulo `n`
+ * Note: `a` and and `n` must be relatively prime
+ * @param {BigInt} a
+ * @param {BigInt} n - Modulo
+ * @returns {BigInt} x such that a*x = 1 mod n
+ * @throws {Error} if the inverse does not exist
+ */
+function modInv(a, n) {
+    const { gcd, x } = _egcd(a, n);
+    if (gcd !== _1n$5) {
+        throw new Error('Inverse does not exist');
+    }
+    return mod$2(x + n, n);
+}
+/**
+ * Compute greatest common divisor between this and n
+ * @param {BigInt} aInput - Operand
+ * @param {BigInt} bInput - Operand
+ * @returns {BigInt} gcd
+ */
+function gcd(aInput, bInput) {
+    let a = aInput;
+    let b = bInput;
+    while (b !== _0n$2) {
+        const tmp = b;
+        b = a % b;
+        a = tmp;
+    }
+    return a;
+}
+/**
+ * Get this value as an exact Number (max 53 bits)
+ * Fails if this value is too large
+ * @returns {Number}
+ */
+function bigIntToNumber(x) {
+    const number = Number(x);
+    if (number > Number.MAX_SAFE_INTEGER) {
+        // We throw and error to conform with the bn.js implementation
+        throw new Error('Number can only safely store up to 53 bits');
+    }
+    return number;
+}
+/**
+ * Get value of i-th bit
+ * @param {BigInt} x
+ * @param {Number} i - Bit index
+ * @returns {Number} Bit value.
+ */
+function getBit(x, i) {
+    const bit = (x >> BigInt(i)) & _1n$5;
+    return bit === _0n$2 ? 0 : 1;
+}
+/**
+ * Compute bit length
+ */
+function bitLength(x) {
+    // -1n >> -1n is -1n
+    // 1n >> 1n is 0n
+    const target = x < _0n$2 ? BigInt(-1) : _0n$2;
+    let bitlen = 1;
+    let tmp = x;
+    // eslint-disable-next-line no-cond-assign
+    while ((tmp >>= _1n$5) !== target) {
+        bitlen++;
+    }
+    return bitlen;
+}
+/**
+ * Compute byte length
+ */
+function byteLength(x) {
+    const target = x < _0n$2 ? BigInt(-1) : _0n$2;
+    const _8n = BigInt(8);
+    let len = 1;
+    let tmp = x;
+    // eslint-disable-next-line no-cond-assign
+    while ((tmp >>= _8n) !== target) {
+        len++;
+    }
+    return len;
+}
+/**
+ * Get Uint8Array representation of this number
+ * @param {String} endian - Endianess of output array (defaults to 'be')
+ * @param {Number} length - Of output array
+ * @returns {Uint8Array}
+ */
+function bigIntToUint8Array(x, endian = 'be', length) {
+    // we get and parse the hex string (https://coolaj86.com/articles/convert-js-bigints-to-typedarrays/)
+    // this is faster than shift+mod iterations
+    let hex = x.toString(16);
+    if (hex.length % 2 === 1) {
+        hex = '0' + hex;
+    }
+    const rawLength = hex.length / 2;
+    const bytes = new Uint8Array(length || rawLength);
+    // parse hex
+    const offset = length ? length - rawLength : 0;
+    let i = 0;
+    while (i < rawLength) {
+        bytes[i + offset] = parseInt(hex.slice(2 * i, 2 * i + 2), 16);
+        i++;
+    }
+    if (endian !== 'be') {
+        bytes.reverse();
+    }
+    return bytes;
+}
+
 // GPG4Browsers - An OpenPGP implementation in javascript
 // Copyright (C) 2011 Recurity Labs GmbH
 //
@@ -5868,7 +6063,7 @@ var mode = {
 // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 
 
-const nodeCrypto$5 = util.getNodeCrypto();
+const nodeCrypto$6 = util.getNodeCrypto();
 
 /**
  * Retrieve secure random byte array of the specified length
@@ -5877,8 +6072,8 @@ const nodeCrypto$5 = util.getNodeCrypto();
  */
 function getRandomBytes(length) {
   const buf = new Uint8Array(length);
-  if (nodeCrypto$5) {
-    const bytes = nodeCrypto$5.randomBytes(buf.length);
+  if (nodeCrypto$6) {
+    const bytes = nodeCrypto$6.randomBytes(buf.length);
     buf.set(bytes);
   } else if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
     crypto.getRandomValues(buf);
@@ -5889,27 +6084,25 @@ function getRandomBytes(length) {
 }
 
 /**
- * Create a secure random BigInteger that is greater than or equal to min and less than max.
- * @param {module:BigInteger} min - Lower bound, included
- * @param {module:BigInteger} max - Upper bound, excluded
- * @returns {Promise<module:BigInteger>} Random BigInteger.
+ * Create a secure random BigInt that is greater than or equal to min and less than max.
+ * @param {bigint} min - Lower bound, included
+ * @param {bigint} max - Upper bound, excluded
+ * @returns {bigint} Random BigInt.
  * @async
  */
-async function getRandomBigInteger(min, max) {
-  const BigInteger = await util.getBigInteger();
-
-  if (max.lt(min)) {
+function getRandomBigInteger(min, max) {
+  if (max < min) {
     throw new Error('Illegal parameter value: max <= min');
   }
 
-  const modulus = max.sub(min);
-  const bytes = modulus.byteLength();
+  const modulus = max - min;
+  const bytes = byteLength(modulus);
 
   // Using a while loop is necessary to avoid bias introduced by the mod operation.
   // However, we request 64 extra random bits so that the bias is negligible.
   // Section B.1.1 here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
-  const r = new BigInteger(getRandomBytes(bytes + 8));
-  return r.mod(modulus).add(min);
+  const r = uint8ArrayToBigInt(getRandomBytes(bytes + 8));
+  return mod$2(r, modulus) + min;
 }
 
 var random = /*#__PURE__*/Object.freeze({
@@ -5934,177 +6127,159 @@ var random = /*#__PURE__*/Object.freeze({
 // You should have received a copy of the GNU Lesser General Public
 // License along with this library; if not, write to the Free Software
 // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-
-
+/**
+ * @fileoverview Algorithms for probabilistic random prime generation
+ * @module crypto/public_key/prime
+ */
+const _1n$4 = BigInt(1);
 /**
  * Generate a probably prime random number
- * @param {Integer} bits - Bit length of the prime
- * @param {BigInteger} e - Optional RSA exponent to check against the prime
- * @param {Integer} k - Optional number of iterations of Miller-Rabin test
- * @returns BigInteger
- * @async
+ * @param bits - Bit length of the prime
+ * @param e - Optional RSA exponent to check against the prime
+ * @param k - Optional number of iterations of Miller-Rabin test
  */
-async function randomProbablePrime(bits, e, k) {
-  const BigInteger = await util.getBigInteger();
-
-  const one = new BigInteger(1);
-  const min = one.leftShift(new BigInteger(bits - 1));
-  const thirty = new BigInteger(30);
-  /*
-   * We can avoid any multiples of 3 and 5 by looking at n mod 30
-   * n mod 30 = 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
-   * the next possible prime is mod 30:
-   *            1  7  7  7  7  7  7 11 11 11 11 13 13 17 17 17 17 19 19 23 23 23 23 29 29 29 29 29 29 1
-   */
-  const adds = [1, 6, 5, 4, 3, 2, 1, 4, 3, 2, 1, 2, 1, 4, 3, 2, 1, 2, 1, 4, 3, 2, 1, 6, 5, 4, 3, 2, 1, 2];
-
-  const n = await getRandomBigInteger(min, min.leftShift(one));
-  let i = n.mod(thirty).toNumber();
-
-  do {
-    n.iadd(new BigInteger(adds[i]));
-    i = (i + adds[i]) % adds.length;
-    // If reached the maximum, go back to the minimum.
-    if (n.bitLength() > bits) {
-      n.imod(min.leftShift(one)).iadd(min);
-      i = n.mod(thirty).toNumber();
-    }
-  } while (!await isProbablePrime(n, e, k));
-  return n;
+function randomProbablePrime(bits, e, k) {
+    const _30n = BigInt(30);
+    const min = _1n$4 << BigInt(bits - 1);
+    /*
+     * We can avoid any multiples of 3 and 5 by looking at n mod 30
+     * n mod 30 = 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
+     * the next possible prime is mod 30:
+     *            1  7  7  7  7  7  7 11 11 11 11 13 13 17 17 17 17 19 19 23 23 23 23 29 29 29 29 29 29 1
+     */
+    const adds = [1, 6, 5, 4, 3, 2, 1, 4, 3, 2, 1, 2, 1, 4, 3, 2, 1, 2, 1, 4, 3, 2, 1, 6, 5, 4, 3, 2, 1, 2];
+    let n = getRandomBigInteger(min, min << _1n$4);
+    let i = bigIntToNumber(mod$2(n, _30n));
+    do {
+        n += BigInt(adds[i]);
+        i = (i + adds[i]) % adds.length;
+        // If reached the maximum, go back to the minimum.
+        if (bitLength(n) > bits) {
+            n = mod$2(n, min << _1n$4);
+            n += min;
+            i = bigIntToNumber(mod$2(n, _30n));
+        }
+    } while (!isProbablePrime(n, e, k));
+    return n;
 }
-
 /**
  * Probabilistic primality testing
- * @param {BigInteger} n - Number to test
- * @param {BigInteger} e - Optional RSA exponent to check against the prime
- * @param {Integer} k - Optional number of iterations of Miller-Rabin test
- * @returns {boolean}
- * @async
+ * @param n - Number to test
+ * @param e - Optional RSA exponent to check against the prime
+ * @param k - Optional number of iterations of Miller-Rabin test
  */
-async function isProbablePrime(n, e, k) {
-  if (e && !n.dec().gcd(e).isOne()) {
-    return false;
-  }
-  if (!await divisionTest(n)) {
-    return false;
-  }
-  if (!await fermat(n)) {
-    return false;
-  }
-  if (!await millerRabin(n, k)) {
-    return false;
-  }
-  // TODO implement the Lucas test
-  // See Section C.3.3 here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
-  return true;
+function isProbablePrime(n, e, k) {
+    if (e && gcd(n - _1n$4, e) !== _1n$4) {
+        return false;
+    }
+    if (!divisionTest(n)) {
+        return false;
+    }
+    if (!fermat(n)) {
+        return false;
+    }
+    if (!millerRabin(n, k)) {
+        return false;
+    }
+    // TODO implement the Lucas test
+    // See Section C.3.3 here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
+    return true;
 }
-
 /**
  * Tests whether n is probably prime or not using Fermat's test with b = 2.
  * Fails if b^(n-1) mod n != 1.
- * @param {BigInteger} n - Number to test
- * @param {BigInteger} b - Optional Fermat test base
- * @returns {boolean}
+ * @param n - Number to test
+ * @param b - Optional Fermat test base
  */
-async function fermat(n, b) {
-  const BigInteger = await util.getBigInteger();
-
-  b = b || new BigInteger(2);
-  return b.modExp(n.dec(), n).isOne();
+function fermat(n, b = BigInt(2)) {
+    return modExp(b, n - _1n$4, n) === _1n$4;
 }
-
-async function divisionTest(n) {
-  const BigInteger = await util.getBigInteger();
-
-  return smallPrimes.every(m => {
-    return n.mod(new BigInteger(m)) !== 0;
-  });
+function divisionTest(n) {
+    const _0n = BigInt(0);
+    return smallPrimes.every(m => mod$2(n, m) !== _0n);
 }
-
 // https://github.com/gpg/libgcrypt/blob/master/cipher/primegen.c
 const smallPrimes = [
-  7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43,
-  47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101,
-  103, 107, 109, 113, 127, 131, 137, 139, 149, 151,
-  157, 163, 167, 173, 179, 181, 191, 193, 197, 199,
-  211, 223, 227, 229, 233, 239, 241, 251, 257, 263,
-  269, 271, 277, 281, 283, 293, 307, 311, 313, 317,
-  331, 337, 347, 349, 353, 359, 367, 373, 379, 383,
-  389, 397, 401, 409, 419, 421, 431, 433, 439, 443,
-  449, 457, 461, 463, 467, 479, 487, 491, 499, 503,
-  509, 521, 523, 541, 547, 557, 563, 569, 571, 577,
-  587, 593, 599, 601, 607, 613, 617, 619, 631, 641,
-  643, 647, 653, 659, 661, 673, 677, 683, 691, 701,
-  709, 719, 727, 733, 739, 743, 751, 757, 761, 769,
-  773, 787, 797, 809, 811, 821, 823, 827, 829, 839,
-  853, 857, 859, 863, 877, 881, 883, 887, 907, 911,
-  919, 929, 937, 941, 947, 953, 967, 971, 977, 983,
-  991, 997, 1009, 1013, 1019, 1021, 1031, 1033,
-  1039, 1049, 1051, 1061, 1063, 1069, 1087, 1091,
-  1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151,
-  1153, 1163, 1171, 1181, 1187, 1193, 1201, 1213,
-  1217, 1223, 1229, 1231, 1237, 1249, 1259, 1277,
-  1279, 1283, 1289, 1291, 1297, 1301, 1303, 1307,
-  1319, 1321, 1327, 1361, 1367, 1373, 1381, 1399,
-  1409, 1423, 1427, 1429, 1433, 1439, 1447, 1451,
-  1453, 1459, 1471, 1481, 1483, 1487, 1489, 1493,
-  1499, 1511, 1523, 1531, 1543, 1549, 1553, 1559,
-  1567, 1571, 1579, 1583, 1597, 1601, 1607, 1609,
-  1613, 1619, 1621, 1627, 1637, 1657, 1663, 1667,
-  1669, 1693, 1697, 1699, 1709, 1721, 1723, 1733,
-  1741, 1747, 1753, 1759, 1777, 1783, 1787, 1789,
-  1801, 1811, 1823, 1831, 1847, 1861, 1867, 1871,
-  1873, 1877, 1879, 1889, 1901, 1907, 1913, 1931,
-  1933, 1949, 1951, 1973, 1979, 1987, 1993, 1997,
-  1999, 2003, 2011, 2017, 2027, 2029, 2039, 2053,
-  2063, 2069, 2081, 2083, 2087, 2089, 2099, 2111,
-  2113, 2129, 2131, 2137, 2141, 2143, 2153, 2161,
-  2179, 2203, 2207, 2213, 2221, 2237, 2239, 2243,
-  2251, 2267, 2269, 2273, 2281, 2287, 2293, 2297,
-  2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357,
-  2371, 2377, 2381, 2383, 2389, 2393, 2399, 2411,
-  2417, 2423, 2437, 2441, 2447, 2459, 2467, 2473,
-  2477, 2503, 2521, 2531, 2539, 2543, 2549, 2551,
-  2557, 2579, 2591, 2593, 2609, 2617, 2621, 2633,
-  2647, 2657, 2659, 2663, 2671, 2677, 2683, 2687,
-  2689, 2693, 2699, 2707, 2711, 2713, 2719, 2729,
-  2731, 2741, 2749, 2753, 2767, 2777, 2789, 2791,
-  2797, 2801, 2803, 2819, 2833, 2837, 2843, 2851,
-  2857, 2861, 2879, 2887, 2897, 2903, 2909, 2917,
-  2927, 2939, 2953, 2957, 2963, 2969, 2971, 2999,
-  3001, 3011, 3019, 3023, 3037, 3041, 3049, 3061,
-  3067, 3079, 3083, 3089, 3109, 3119, 3121, 3137,
-  3163, 3167, 3169, 3181, 3187, 3191, 3203, 3209,
-  3217, 3221, 3229, 3251, 3253, 3257, 3259, 3271,
-  3299, 3301, 3307, 3313, 3319, 3323, 3329, 3331,
-  3343, 3347, 3359, 3361, 3371, 3373, 3389, 3391,
-  3407, 3413, 3433, 3449, 3457, 3461, 3463, 3467,
-  3469, 3491, 3499, 3511, 3517, 3527, 3529, 3533,
-  3539, 3541, 3547, 3557, 3559, 3571, 3581, 3583,
-  3593, 3607, 3613, 3617, 3623, 3631, 3637, 3643,
-  3659, 3671, 3673, 3677, 3691, 3697, 3701, 3709,
-  3719, 3727, 3733, 3739, 3761, 3767, 3769, 3779,
-  3793, 3797, 3803, 3821, 3823, 3833, 3847, 3851,
-  3853, 3863, 3877, 3881, 3889, 3907, 3911, 3917,
-  3919, 3923, 3929, 3931, 3943, 3947, 3967, 3989,
-  4001, 4003, 4007, 4013, 4019, 4021, 4027, 4049,
-  4051, 4057, 4073, 4079, 4091, 4093, 4099, 4111,
-  4127, 4129, 4133, 4139, 4153, 4157, 4159, 4177,
-  4201, 4211, 4217, 4219, 4229, 4231, 4241, 4243,
-  4253, 4259, 4261, 4271, 4273, 4283, 4289, 4297,
-  4327, 4337, 4339, 4349, 4357, 4363, 4373, 4391,
-  4397, 4409, 4421, 4423, 4441, 4447, 4451, 4457,
-  4463, 4481, 4483, 4493, 4507, 4513, 4517, 4519,
-  4523, 4547, 4549, 4561, 4567, 4583, 4591, 4597,
-  4603, 4621, 4637, 4639, 4643, 4649, 4651, 4657,
-  4663, 4673, 4679, 4691, 4703, 4721, 4723, 4729,
-  4733, 4751, 4759, 4783, 4787, 4789, 4793, 4799,
-  4801, 4813, 4817, 4831, 4861, 4871, 4877, 4889,
-  4903, 4909, 4919, 4931, 4933, 4937, 4943, 4951,
-  4957, 4967, 4969, 4973, 4987, 4993, 4999
-];
-
-
+    7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43,
+    47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101,
+    103, 107, 109, 113, 127, 131, 137, 139, 149, 151,
+    157, 163, 167, 173, 179, 181, 191, 193, 197, 199,
+    211, 223, 227, 229, 233, 239, 241, 251, 257, 263,
+    269, 271, 277, 281, 283, 293, 307, 311, 313, 317,
+    331, 337, 347, 349, 353, 359, 367, 373, 379, 383,
+    389, 397, 401, 409, 419, 421, 431, 433, 439, 443,
+    449, 457, 461, 463, 467, 479, 487, 491, 499, 503,
+    509, 521, 523, 541, 547, 557, 563, 569, 571, 577,
+    587, 593, 599, 601, 607, 613, 617, 619, 631, 641,
+    643, 647, 653, 659, 661, 673, 677, 683, 691, 701,
+    709, 719, 727, 733, 739, 743, 751, 757, 761, 769,
+    773, 787, 797, 809, 811, 821, 823, 827, 829, 839,
+    853, 857, 859, 863, 877, 881, 883, 887, 907, 911,
+    919, 929, 937, 941, 947, 953, 967, 971, 977, 983,
+    991, 997, 1009, 1013, 1019, 1021, 1031, 1033,
+    1039, 1049, 1051, 1061, 1063, 1069, 1087, 1091,
+    1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151,
+    1153, 1163, 1171, 1181, 1187, 1193, 1201, 1213,
+    1217, 1223, 1229, 1231, 1237, 1249, 1259, 1277,
+    1279, 1283, 1289, 1291, 1297, 1301, 1303, 1307,
+    1319, 1321, 1327, 1361, 1367, 1373, 1381, 1399,
+    1409, 1423, 1427, 1429, 1433, 1439, 1447, 1451,
+    1453, 1459, 1471, 1481, 1483, 1487, 1489, 1493,
+    1499, 1511, 1523, 1531, 1543, 1549, 1553, 1559,
+    1567, 1571, 1579, 1583, 1597, 1601, 1607, 1609,
+    1613, 1619, 1621, 1627, 1637, 1657, 1663, 1667,
+    1669, 1693, 1697, 1699, 1709, 1721, 1723, 1733,
+    1741, 1747, 1753, 1759, 1777, 1783, 1787, 1789,
+    1801, 1811, 1823, 1831, 1847, 1861, 1867, 1871,
+    1873, 1877, 1879, 1889, 1901, 1907, 1913, 1931,
+    1933, 1949, 1951, 1973, 1979, 1987, 1993, 1997,
+    1999, 2003, 2011, 2017, 2027, 2029, 2039, 2053,
+    2063, 2069, 2081, 2083, 2087, 2089, 2099, 2111,
+    2113, 2129, 2131, 2137, 2141, 2143, 2153, 2161,
+    2179, 2203, 2207, 2213, 2221, 2237, 2239, 2243,
+    2251, 2267, 2269, 2273, 2281, 2287, 2293, 2297,
+    2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357,
+    2371, 2377, 2381, 2383, 2389, 2393, 2399, 2411,
+    2417, 2423, 2437, 2441, 2447, 2459, 2467, 2473,
+    2477, 2503, 2521, 2531, 2539, 2543, 2549, 2551,
+    2557, 2579, 2591, 2593, 2609, 2617, 2621, 2633,
+    2647, 2657, 2659, 2663, 2671, 2677, 2683, 2687,
+    2689, 2693, 2699, 2707, 2711, 2713, 2719, 2729,
+    2731, 2741, 2749, 2753, 2767, 2777, 2789, 2791,
+    2797, 2801, 2803, 2819, 2833, 2837, 2843, 2851,
+    2857, 2861, 2879, 2887, 2897, 2903, 2909, 2917,
+    2927, 2939, 2953, 2957, 2963, 2969, 2971, 2999,
+    3001, 3011, 3019, 3023, 3037, 3041, 3049, 3061,
+    3067, 3079, 3083, 3089, 3109, 3119, 3121, 3137,
+    3163, 3167, 3169, 3181, 3187, 3191, 3203, 3209,
+    3217, 3221, 3229, 3251, 3253, 3257, 3259, 3271,
+    3299, 3301, 3307, 3313, 3319, 3323, 3329, 3331,
+    3343, 3347, 3359, 3361, 3371, 3373, 3389, 3391,
+    3407, 3413, 3433, 3449, 3457, 3461, 3463, 3467,
+    3469, 3491, 3499, 3511, 3517, 3527, 3529, 3533,
+    3539, 3541, 3547, 3557, 3559, 3571, 3581, 3583,
+    3593, 3607, 3613, 3617, 3623, 3631, 3637, 3643,
+    3659, 3671, 3673, 3677, 3691, 3697, 3701, 3709,
+    3719, 3727, 3733, 3739, 3761, 3767, 3769, 3779,
+    3793, 3797, 3803, 3821, 3823, 3833, 3847, 3851,
+    3853, 3863, 3877, 3881, 3889, 3907, 3911, 3917,
+    3919, 3923, 3929, 3931, 3943, 3947, 3967, 3989,
+    4001, 4003, 4007, 4013, 4019, 4021, 4027, 4049,
+    4051, 4057, 4073, 4079, 4091, 4093, 4099, 4111,
+    4127, 4129, 4133, 4139, 4153, 4157, 4159, 4177,
+    4201, 4211, 4217, 4219, 4229, 4231, 4241, 4243,
+    4253, 4259, 4261, 4271, 4273, 4283, 4289, 4297,
+    4327, 4337, 4339, 4349, 4357, 4363, 4373, 4391,
+    4397, 4409, 4421, 4423, 4441, 4447, 4451, 4457,
+    4463, 4481, 4483, 4493, 4507, 4513, 4517, 4519,
+    4523, 4547, 4549, 4561, 4567, 4583, 4591, 4597,
+    4603, 4621, 4637, 4639, 4643, 4649, 4651, 4657,
+    4663, 4673, 4679, 4691, 4703, 4721, 4723, 4729,
+    4733, 4751, 4759, 4783, 4787, 4789, 4793, 4799,
+    4801, 4813, 4817, 4831, 4861, 4871, 4877, 4889,
+    4903, 4909, 4919, 4931, 4933, 4937, 4943, 4951,
+    4957, 4967, 4969, 4973, 4987, 4993, 4999
+].map(n => BigInt(n));
 // Miller-Rabin - Miller Rabin algorithm for primality test
 // Copyright Fedor Indutny, 2014.
 //
@@ -6128,63 +6303,51 @@ const smallPrimes = [
 // DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
 // OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 // USE OR OTHER DEALINGS IN THE SOFTWARE.
-
 // Adapted on Jan 2018 from version 4.0.1 at https://github.com/indutny/miller-rabin
-
 // Sample syntax for Fixed-Base Miller-Rabin:
 // millerRabin(n, k, () => new BN(small_primes[Math.random() * small_primes.length | 0]))
-
 /**
  * Tests whether n is probably prime or not using the Miller-Rabin test.
  * See HAC Remark 4.28.
- * @param {BigInteger} n - Number to test
- * @param {Integer} k - Optional number of iterations of Miller-Rabin test
- * @param {Function} rand - Optional function to generate potential witnesses
+ * @param n - Number to test
+ * @param k - Optional number of iterations of Miller-Rabin test
+ * @param rand - Optional function to generate potential witnesses
  * @returns {boolean}
  * @async
  */
-async function millerRabin(n, k, rand) {
-  const BigInteger = await util.getBigInteger();
-
-  const len = n.bitLength();
-
-  if (!k) {
-    k = Math.max(1, (len / 48) | 0);
-  }
-
-  const n1 = n.dec(); // n - 1
-
-  // Find d and s, (n - 1) = (2 ^ s) * d;
-  let s = 0;
-  while (!n1.getBit(s)) { s++; }
-  const d = n.rightShift(new BigInteger(s));
-
-  for (; k > 0; k--) {
-    const a = rand ? rand() : await getRandomBigInteger(new BigInteger(2), n1);
-
-    let x = a.modExp(d, n);
-    if (x.isOne() || x.equal(n1)) {
-      continue;
+function millerRabin(n, k, rand) {
+    const len = bitLength(n);
+    if (!k) {
+        k = Math.max(1, (len / 48) | 0);
     }
-
-    let i;
-    for (i = 1; i < s; i++) {
-      x = x.mul(x).mod(n);
-
-      if (x.isOne()) {
-        return false;
-      }
-      if (x.equal(n1)) {
-        break;
-      }
-    }
-
-    if (i === s) {
-      return false;
+    const n1 = n - _1n$4; // n - 1
+    // Find d and s, (n - 1) = (2 ^ s) * d;
+    let s = 0;
+    while (!getBit(n1, s)) {
+        s++;
+    }
+    const d = n >> BigInt(s);
+    for (; k > 0; k--) {
+        const a = getRandomBigInteger(BigInt(2), n1);
+        let x = modExp(a, d, n);
+        if (x === _1n$4 || x === n1) {
+            continue;
+        }
+        let i;
+        for (i = 1; i < s; i++) {
+            x = mod$2(x * x, n);
+            if (x === _1n$4) {
+                return false;
+            }
+            if (x === n1) {
+                break;
+            }
+        }
+        if (i === s) {
+            return false;
+        }
     }
-  }
-
-  return true;
+    return true;
 }
 
 // GPG4Browsers - An OpenPGP implementation in javascript
@@ -6310,7 +6473,7 @@ function emeDecode(encoded, randomPayload) {
  * @param {Integer} emLen - Intended length in octets of the encoded message
  * @returns {Uint8Array} Encoded message.
  */
-async function emsaEncode(algo, hashed, emLen) {
+function emsaEncode(algo, hashed, emLen) {
   let i;
   if (hashed.length !== hash.getHashByteLength(algo)) {
     throw new Error('Invalid hash length');
@@ -6366,7 +6529,8 @@ var pkcs1 = /*#__PURE__*/Object.freeze({
 
 
 const webCrypto$6 = util.getWebCrypto();
-const nodeCrypto$4 = util.getNodeCrypto();
+const nodeCrypto$5 = util.getNodeCrypto();
+const _1n$3 = BigInt(1);
 
 /** Create signature
  * @param {module:enums.hash} hashAlgo - Hash algorithm
@@ -6407,7 +6571,7 @@ async function sign$7(hashAlgo, data, n, e, d, p, q, u, hashed) {
  * @returns {Boolean}
  * @async
  */
-async function verify$7(hashAlgo, data, s, n, e, hashed) {
+async function verify$8(hashAlgo, data, s, n, e, hashed) {
   if (data && !util.isStream(data)) {
     if (util.getWebCrypto()) {
       try {
@@ -6480,16 +6644,14 @@ async function decrypt$4(data, n, e, d, p, q, u, randomPayload) {
  * @async
  */
 async function generate$5(bits, e) {
-  const BigInteger = await util.getBigInteger();
-
-  e = new BigInteger(e);
+  e = BigInt(e);
 
   // Native RSA keygen using Web Crypto
   if (util.getWebCrypto()) {
     const keyGenOpt = {
       name: 'RSASSA-PKCS1-v1_5',
       modulusLength: bits, // the specified keysize in bits
-      publicExponent: e.toUint8Array(), // take three bytes (max 65537) for exponent
+      publicExponent: bigIntToUint8Array(e), // take three bytes (max 65537) for exponent
       hash: {
         name: 'SHA-1' // not required for actual RSA keys, but for crypto api 'sign' and 'verify'
       }
@@ -6504,12 +6666,12 @@ async function generate$5(bits, e) {
   } else if (util.getNodeCrypto()) {
     const opts = {
       modulusLength: bits,
-      publicExponent: e.toNumber(),
+      publicExponent: bigIntToNumber(e),
       publicKeyEncoding: { type: 'pkcs1', format: 'jwk' },
       privateKeyEncoding: { type: 'pkcs1', format: 'jwk' }
     };
     const jwk = await new Promise((resolve, reject) => {
-      nodeCrypto$4.generateKeyPair('rsa', opts, (err, _, jwkPrivateKey) => {
+      nodeCrypto$5.generateKeyPair('rsa', opts, (err, _, jwkPrivateKey) => {
         if (err) {
           reject(err);
         } else {
@@ -6527,26 +6689,26 @@ async function generate$5(bits, e) {
   let q;
   let n;
   do {
-    q = await randomProbablePrime(bits - (bits >> 1), e, 40);
-    p = await randomProbablePrime(bits >> 1, e, 40);
-    n = p.mul(q);
-  } while (n.bitLength() !== bits);
+    q = randomProbablePrime(bits - (bits >> 1), e, 40);
+    p = randomProbablePrime(bits >> 1, e, 40);
+    n = p * q;
+  } while (bitLength(n) !== bits);
 
-  const phi = p.dec().imul(q.dec());
+  const phi = (p - _1n$3) * (q - _1n$3);
 
-  if (q.lt(p)) {
+  if (q < p) {
     [p, q] = [q, p];
   }
 
   return {
-    n: n.toUint8Array(),
-    e: e.toUint8Array(),
-    d: e.modInv(phi).toUint8Array(),
-    p: p.toUint8Array(),
-    q: q.toUint8Array(),
+    n: bigIntToUint8Array(n),
+    e: bigIntToUint8Array(e),
+    d: bigIntToUint8Array(modInv(e, phi)),
+    p: bigIntToUint8Array(p),
+    q: bigIntToUint8Array(q),
     // dp: d.mod(p.subn(1)),
     // dq: d.mod(q.subn(1)),
-    u: p.modInv(q).toUint8Array()
+    u: bigIntToUint8Array(modInv(p, q))
   };
 }
 
@@ -6562,26 +6724,24 @@ async function generate$5(bits, e) {
  * @async
  */
 async function validateParams$8(n, e, d, p, q, u) {
-  const BigInteger = await util.getBigInteger();
-
-  n = new BigInteger(n);
-  p = new BigInteger(p);
-  q = new BigInteger(q);
+  n = uint8ArrayToBigInt(n);
+  p = uint8ArrayToBigInt(p);
+  q = uint8ArrayToBigInt(q);
 
   // expect pq = n
-  if (!p.mul(q).equal(n)) {
+  if ((p * q) !== n) {
     return false;
   }
 
-  const two = new BigInteger(2);
+  const _2n = BigInt(2);
   // expect p*u = 1 mod q
-  u = new BigInteger(u);
-  if (!p.mul(u).mod(q).isOne()) {
+  u = uint8ArrayToBigInt(u);
+  if (mod$2(p * u, q) !== BigInt(1)) {
     return false;
   }
 
-  e = new BigInteger(e);
-  d = new BigInteger(d);
+  e = uint8ArrayToBigInt(e);
+  d = uint8ArrayToBigInt(d);
   /**
    * In RSA pkcs#1 the exponents (d, e) are inverses modulo lcm(p-1, q-1)
    * We check that [de = 1 mod (p-1)] and [de = 1 mod (q-1)]
@@ -6589,11 +6749,11 @@ async function validateParams$8(n, e, d, p, q, u) {
    *
    * We blind the multiplication with r, and check that rde = r mod lcm(p-1, q-1)
    */
-  const nSizeOver3 = new BigInteger(Math.floor(n.bitLength() / 3));
-  const r = await getRandomBigInteger(two, two.leftShift(nSizeOver3)); // r in [ 2, 2^{|n|/3} ) < p and q
-  const rde = r.mul(d).mul(e);
+  const nSizeOver3 = BigInt(Math.floor(bitLength(n) / 3));
+  const r = getRandomBigInteger(_2n, _2n << nSizeOver3); // r in [ 2, 2^{|n|/3} ) < p and q
+  const rde = r * d * e;
 
-  const areInverses = rde.mod(p.dec()).equal(r) && rde.mod(q.dec()).equal(r);
+  const areInverses = mod$2(rde, p - _1n$3) === r && mod$2(rde, q - _1n$3) === r;
   if (!areInverses) {
     return false;
   }
@@ -6602,15 +6762,13 @@ async function validateParams$8(n, e, d, p, q, u) {
 }
 
 async function bnSign(hashAlgo, n, d, hashed) {
-  const BigInteger = await util.getBigInteger();
-
-  n = new BigInteger(n);
-  const m = new BigInteger(await emsaEncode(hashAlgo, hashed, n.byteLength()));
-  d = new BigInteger(d);
-  if (m.gte(n)) {
+  n = uint8ArrayToBigInt(n);
+  const m = uint8ArrayToBigInt(emsaEncode(hashAlgo, hashed, byteLength(n)));
+  d = uint8ArrayToBigInt(d);
+  if (m >= n) {
     throw new Error('Message size cannot exceed modulus size');
   }
-  return m.modExp(d, n).toUint8Array('be', n.byteLength());
+  return bigIntToUint8Array(modExp(m, d, n), 'be', byteLength(n));
 }
 
 async function webSign$1(hashName, data, n, e, d, p, q, u) {
@@ -6631,7 +6789,7 @@ async function webSign$1(hashName, data, n, e, d, p, q, u) {
 }
 
 async function nodeSign$1(hashAlgo, data, n, e, d, p, q, u) {
-  const sign = nodeCrypto$4.createSign(enums.read(enums.hash, hashAlgo));
+  const sign = nodeCrypto$5.createSign(enums.read(enums.hash, hashAlgo));
   sign.write(data);
   sign.end();
 
@@ -6640,16 +6798,14 @@ async function nodeSign$1(hashAlgo, data, n, e, d, p, q, u) {
 }
 
 async function bnVerify(hashAlgo, s, n, e, hashed) {
-  const BigInteger = await util.getBigInteger();
-
-  n = new BigInteger(n);
-  s = new BigInteger(s);
-  e = new BigInteger(e);
-  if (s.gte(n)) {
+  n = uint8ArrayToBigInt(n);
+  s = uint8ArrayToBigInt(s);
+  e = uint8ArrayToBigInt(e);
+  if (s >= n) {
     throw new Error('Signature size cannot exceed modulus size');
   }
-  const EM1 = s.modExp(e, n).toUint8Array('be', n.byteLength());
-  const EM2 = await emsaEncode(hashAlgo, hashed, n.byteLength());
+  const EM1 = bigIntToUint8Array(modExp(s, e, n), 'be', byteLength(n));
+  const EM2 = emsaEncode(hashAlgo, hashed, byteLength(n));
   return util.equalsUint8Array(EM1, EM2);
 }
 
@@ -6666,12 +6822,12 @@ async function nodeVerify$1(hashAlgo, data, s, n, e) {
   const jwk = publicToJWK(n, e);
   const key = { key: jwk, format: 'jwk', type: 'pkcs1' };
 
-  const verify = nodeCrypto$4.createVerify(enums.read(enums.hash, hashAlgo));
+  const verify = nodeCrypto$5.createVerify(enums.read(enums.hash, hashAlgo));
   verify.write(data);
   verify.end();
 
   try {
-    return await verify.verify(key, s);
+    return verify.verify(key, s);
   } catch (err) {
     return false;
   }
@@ -6679,65 +6835,59 @@ async function nodeVerify$1(hashAlgo, data, s, n, e) {
 
 async function nodeEncrypt(data, n, e) {
   const jwk = publicToJWK(n, e);
-  const key = { key: jwk, format: 'jwk', type: 'pkcs1', padding: nodeCrypto$4.constants.RSA_PKCS1_PADDING };
+  const key = { key: jwk, format: 'jwk', type: 'pkcs1', padding: nodeCrypto$5.constants.RSA_PKCS1_PADDING };
 
-  return new Uint8Array(nodeCrypto$4.publicEncrypt(key, data));
+  return new Uint8Array(nodeCrypto$5.publicEncrypt(key, data));
 }
 
 async function bnEncrypt(data, n, e) {
-  const BigInteger = await util.getBigInteger();
-
-  n = new BigInteger(n);
-  data = new BigInteger(emeEncode(data, n.byteLength()));
-  e = new BigInteger(e);
-  if (data.gte(n)) {
+  n = uint8ArrayToBigInt(n);
+  data = uint8ArrayToBigInt(emeEncode(data, byteLength(n)));
+  e = uint8ArrayToBigInt(e);
+  if (data >= n) {
     throw new Error('Message size cannot exceed modulus size');
   }
-  return data.modExp(e, n).toUint8Array('be', n.byteLength());
+  return bigIntToUint8Array(modExp(data, e, n), 'be', byteLength(n));
 }
 
 async function nodeDecrypt(data, n, e, d, p, q, u) {
   const jwk = await privateToJWK$1(n, e, d, p, q, u);
-  const key = { key: jwk, format: 'jwk' , type: 'pkcs1', padding: nodeCrypto$4.constants.RSA_PKCS1_PADDING };
+  const key = { key: jwk, format: 'jwk' , type: 'pkcs1', padding: nodeCrypto$5.constants.RSA_PKCS1_PADDING };
 
   try {
-    return new Uint8Array(nodeCrypto$4.privateDecrypt(key, data));
+    return new Uint8Array(nodeCrypto$5.privateDecrypt(key, data));
   } catch (err) {
     throw new Error('Decryption error');
   }
 }
 
 async function bnDecrypt(data, n, e, d, p, q, u, randomPayload) {
-  const BigInteger = await util.getBigInteger();
-
-  data = new BigInteger(data);
-  n = new BigInteger(n);
-  e = new BigInteger(e);
-  d = new BigInteger(d);
-  p = new BigInteger(p);
-  q = new BigInteger(q);
-  u = new BigInteger(u);
-  if (data.gte(n)) {
+  data = uint8ArrayToBigInt(data);
+  n = uint8ArrayToBigInt(n);
+  e = uint8ArrayToBigInt(e);
+  d = uint8ArrayToBigInt(d);
+  p = uint8ArrayToBigInt(p);
+  q = uint8ArrayToBigInt(q);
+  u = uint8ArrayToBigInt(u);
+  if (data >= n) {
     throw new Error('Data too large.');
   }
-  const dq = d.mod(q.dec()); // d mod (q-1)
-  const dp = d.mod(p.dec()); // d mod (p-1)
-
-  const unblinder = (await getRandomBigInteger(new BigInteger(2), n)).mod(n);
-  const blinder = unblinder.modInv(n).modExp(e, n);
-  data = data.mul(blinder).mod(n);
-
+  const dq = mod$2(d, q - _1n$3); // d mod (q-1)
+  const dp = mod$2(d, p - _1n$3); // d mod (p-1)
 
-  const mp = data.modExp(dp, p); // data**{d mod (q-1)} mod p
-  const mq = data.modExp(dq, q); // data**{d mod (p-1)} mod q
-  const h = u.mul(mq.sub(mp)).mod(q); // u * (mq-mp) mod q (operands already < q)
+  const unblinder = getRandomBigInteger(BigInt(2), n);
+  const blinder = modExp(modInv(unblinder, n), e, n);
+  data = mod$2(data * blinder, n);
 
-  let result = h.mul(p).add(mp); // result < n due to relations above
+  const mp = modExp(data, dp, p); // data**{d mod (q-1)} mod p
+  const mq = modExp(data, dq, q); // data**{d mod (p-1)} mod q
+  const h = mod$2(u * (mq - mp), q); // u * (mq-mp) mod q (operands already < q)
 
-  result = result.mul(unblinder).mod(n);
+  let result = h * p + mp; // result < n due to relations above
 
+  result = mod$2(result * unblinder, n);
 
-  return emeDecode(result.toUint8Array('be', n.byteLength()), randomPayload);
+  return emeDecode(bigIntToUint8Array(result, 'be', byteLength(n)), randomPayload);
 }
 
 /** Convert Openpgp private key params to jwk key according to
@@ -6751,28 +6901,26 @@ async function bnDecrypt(data, n, e, d, p, q, u, randomPayload) {
  * @param {Uint8Array} u
  */
 async function privateToJWK$1(n, e, d, p, q, u) {
-  const BigInteger = await util.getBigInteger();
-
-  const pNum = new BigInteger(p);
-  const qNum = new BigInteger(q);
-  const dNum = new BigInteger(d);
-
-  let dq = dNum.mod(qNum.dec()); // d mod (q-1)
-  let dp = dNum.mod(pNum.dec()); // d mod (p-1)
-  dp = dp.toUint8Array();
-  dq = dq.toUint8Array();
+  const pNum = uint8ArrayToBigInt(p);
+  const qNum = uint8ArrayToBigInt(q);
+  const dNum = uint8ArrayToBigInt(d);
+
+  let dq = mod$2(dNum, qNum - _1n$3); // d mod (q-1)
+  let dp = mod$2(dNum, pNum - _1n$3); // d mod (p-1)
+  dp = bigIntToUint8Array(dp);
+  dq = bigIntToUint8Array(dq);
   return {
     kty: 'RSA',
-    n: uint8ArrayToB64(n, true),
-    e: uint8ArrayToB64(e, true),
-    d: uint8ArrayToB64(d, true),
+    n: uint8ArrayToB64(n),
+    e: uint8ArrayToB64(e),
+    d: uint8ArrayToB64(d),
     // switch p and q
-    p: uint8ArrayToB64(q, true),
-    q: uint8ArrayToB64(p, true),
+    p: uint8ArrayToB64(q),
+    q: uint8ArrayToB64(p),
     // switch dp and dq
-    dp: uint8ArrayToB64(dq, true),
-    dq: uint8ArrayToB64(dp, true),
-    qi: uint8ArrayToB64(u, true),
+    dp: uint8ArrayToB64(dq),
+    dq: uint8ArrayToB64(dp),
+    qi: uint8ArrayToB64(u),
     ext: true
   };
 }
@@ -6786,8 +6934,8 @@ async function privateToJWK$1(n, e, d, p, q, u) {
 function publicToJWK(n, e) {
   return {
     kty: 'RSA',
-    n: uint8ArrayToB64(n, true),
-    e: uint8ArrayToB64(e, true),
+    n: uint8ArrayToB64(n),
+    e: uint8ArrayToB64(e),
     ext: true
   };
 }
@@ -6796,7 +6944,7 @@ function publicToJWK(n, e) {
 function jwkToPrivate(jwk, e) {
   return {
     n: b64ToUint8Array(jwk.n),
-    e: e.toUint8Array(),
+    e: bigIntToUint8Array(e),
     d: b64ToUint8Array(jwk.d),
     // switch p and q
     p: b64ToUint8Array(jwk.q),
@@ -6813,7 +6961,7 @@ var rsa = /*#__PURE__*/Object.freeze({
   generate: generate$5,
   sign: sign$7,
   validateParams: validateParams$8,
-  verify: verify$7
+  verify: verify$8
 });
 
 // GPG4Browsers - An OpenPGP implementation in javascript
@@ -6834,6 +6982,8 @@ var rsa = /*#__PURE__*/Object.freeze({
 // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 
 
+const _1n$2 = BigInt(1);
+
 /**
  * ElGamal Encryption function
  * Note that in OpenPGP, the message needs to be padded with PKCS#1 (same as RSA)
@@ -6845,21 +6995,19 @@ var rsa = /*#__PURE__*/Object.freeze({
  * @async
  */
 async function encrypt$3(data, p, g, y) {
-  const BigInteger = await util.getBigInteger();
-
-  p = new BigInteger(p);
-  g = new BigInteger(g);
-  y = new BigInteger(y);
+  p = uint8ArrayToBigInt(p);
+  g = uint8ArrayToBigInt(g);
+  y = uint8ArrayToBigInt(y);
 
-  const padded = emeEncode(data, p.byteLength());
-  const m = new BigInteger(padded);
+  const padded = emeEncode(data, byteLength(p));
+  const m = uint8ArrayToBigInt(padded);
 
   // OpenPGP uses a "special" version of ElGamal where g is generator of the full group Z/pZ*
   // hence g has order p-1, and to avoid that k = 0 mod p-1, we need to pick k in [1, p-2]
-  const k = await getRandomBigInteger(new BigInteger(1), p.dec());
+  const k = getRandomBigInteger(_1n$2, p - _1n$2);
   return {
-    c1: g.modExp(k, p).toUint8Array(),
-    c2: y.modExp(k, p).imul(m).imod(p).toUint8Array()
+    c1: bigIntToUint8Array(modExp(g, k, p)),
+    c2: bigIntToUint8Array(mod$2(modExp(y, k, p) * m, p))
   };
 }
 
@@ -6876,15 +7024,13 @@ async function encrypt$3(data, p, g, y) {
  * @async
  */
 async function decrypt$3(c1, c2, p, x, randomPayload) {
-  const BigInteger = await util.getBigInteger();
+  c1 = uint8ArrayToBigInt(c1);
+  c2 = uint8ArrayToBigInt(c2);
+  p = uint8ArrayToBigInt(p);
+  x = uint8ArrayToBigInt(x);
 
-  c1 = new BigInteger(c1);
-  c2 = new BigInteger(c2);
-  p = new BigInteger(p);
-  x = new BigInteger(x);
-
-  const padded = c1.modExp(x, p).modInv(p).imul(c2).imod(p);
-  return emeDecode(padded.toUint8Array('be', p.byteLength()), randomPayload);
+  const padded = mod$2(modInv(modExp(c1, x, p), p) * c2, p);
+  return emeDecode(bigIntToUint8Array(padded, 'be', byteLength(p)), randomPayload);
 }
 
 /**
@@ -6897,22 +7043,19 @@ async function decrypt$3(c1, c2, p, x, randomPayload) {
  * @async
  */
 async function validateParams$7(p, g, y, x) {
-  const BigInteger = await util.getBigInteger();
-
-  p = new BigInteger(p);
-  g = new BigInteger(g);
-  y = new BigInteger(y);
+  p = uint8ArrayToBigInt(p);
+  g = uint8ArrayToBigInt(g);
+  y = uint8ArrayToBigInt(y);
 
-  const one = new BigInteger(1);
   // Check that 1 < g < p
-  if (g.lte(one) || g.gte(p)) {
+  if (g <= _1n$2 || g >= p) {
     return false;
   }
 
   // Expect p-1 to be large
-  const pSize = new BigInteger(p.bitLength());
-  const n1023 = new BigInteger(1023);
-  if (pSize.lt(n1023)) {
+  const pSize = BigInt(bitLength(p));
+  const _1023n = BigInt(1023);
+  if (pSize < _1023n) {
     return false;
   }
 
@@ -6920,7 +7063,7 @@ async function validateParams$7(p, g, y, x) {
    * g should have order p-1
    * Check that g ** (p-1) = 1 mod p
    */
-  if (!g.modExp(p.dec(), p).isOne()) {
+  if (modExp(g, p - _1n$2, p) !== _1n$2) {
     return false;
   }
 
@@ -6931,14 +7074,15 @@ async function validateParams$7(p, g, y, x) {
    * We just check g**i != 1 for all i up to a threshold
    */
   let res = g;
-  const i = new BigInteger(1);
-  const threshold = new BigInteger(2).leftShift(new BigInteger(17)); // we want order > threshold
-  while (i.lt(threshold)) {
-    res = res.mul(g).imod(p);
-    if (res.isOne()) {
+  let i = BigInt(1);
+  const _2n = BigInt(2);
+  const threshold = _2n << BigInt(17); // we want order > threshold
+  while (i < threshold) {
+    res = mod$2(res * g, p);
+    if (res === _1n$2) {
       return false;
     }
-    i.iinc();
+    i++;
   }
 
   /**
@@ -6947,11 +7091,10 @@ async function validateParams$7(p, g, y, x) {
    *
    * Blinded exponentiation computes g**{r(p-1) + x} to compare to y
    */
-  x = new BigInteger(x);
-  const two = new BigInteger(2);
-  const r = await getRandomBigInteger(two.leftShift(pSize.dec()), two.leftShift(pSize)); // draw r of same size as p-1
-  const rqx = p.dec().imul(r).iadd(x);
-  if (!y.equal(g.modExp(rqx, p))) {
+  x = uint8ArrayToBigInt(x);
+  const r = getRandomBigInteger(_2n << (pSize - _1n$2), _2n << pSize); // draw r of same size as p-1
+  const rqx = (p - _1n$2) * r + x;
+  if (y !== modExp(g, rqx, p)) {
     return false;
   }
 
@@ -6966,7 +7109,7 @@ var elgamal = /*#__PURE__*/Object.freeze({
 });
 
 // declare const globalThis: Record<string, any> | undefined;
-const crypto$2 =
+const crypto$3 =
   typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined;
 
 const nacl = {};
@@ -8329,13 +8472,13 @@ nacl.setPRNG = function(fn) {
 (function() {
   // Initialize PRNG if environment provides CSPRNG.
   // If not, methods calling randombytes will throw.
-  if (crypto$2 && crypto$2.getRandomValues) {
+  if (crypto$3 && crypto$3.getRandomValues) {
     // Browsers and Node v16+
     var QUOTA = 65536;
     nacl.setPRNG(function(x, n) {
       var i, v = new Uint8Array(n);
       for (i = 0; i < n; i += QUOTA) {
-        crypto$2.getRandomValues(v.subarray(i, i + Math.min(n - i, QUOTA)));
+        crypto$3.getRandomValues(v.subarray(i, i + Math.min(n - i, QUOTA)));
       }
       for (i = 0; i < n; i++) x[i] = v[i];
       cleanup(v);
@@ -8784,15 +8927,15 @@ class UnparseablePacket {
 
 
 const webCrypto$5 = util.getWebCrypto();
-const nodeCrypto$3 = util.getNodeCrypto();
+const nodeCrypto$4 = util.getNodeCrypto();
 
 const webCurves = {
   [enums.curve.nistP256]: 'P-256',
   [enums.curve.nistP384]: 'P-384',
   [enums.curve.nistP521]: 'P-521'
 };
-const knownCurves = nodeCrypto$3 ? nodeCrypto$3.getCurves() : [];
-const nodeCurves = nodeCrypto$3 ? {
+const knownCurves = nodeCrypto$4 ? nodeCrypto$4.getCurves() : [];
+const nodeCurves = nodeCrypto$4 ? {
   [enums.curve.secp256k1]: knownCurves.includes('secp256k1') ? 'secp256k1' : undefined,
   [enums.curve.nistP256]: knownCurves.includes('prime256v1') ? 'prime256v1' : undefined,
   [enums.curve.nistP384]: knownCurves.includes('secp384r1') ? 'secp384r1' : undefined,
@@ -8813,7 +8956,8 @@ const curves = {
     node: nodeCurves[enums.curve.nistP256],
     web: webCurves[enums.curve.nistP256],
     payloadSize: 32,
-    sharedSize: 256
+    sharedSize: 256,
+    wireFormatLeadingByte: 0x04
   },
   [enums.curve.nistP384]: {
     oid: [0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22],
@@ -8823,7 +8967,8 @@ const curves = {
     node: nodeCurves[enums.curve.nistP384],
     web: webCurves[enums.curve.nistP384],
     payloadSize: 48,
-    sharedSize: 384
+    sharedSize: 384,
+    wireFormatLeadingByte: 0x04
   },
   [enums.curve.nistP521]: {
     oid: [0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x23],
@@ -8833,7 +8978,8 @@ const curves = {
     node: nodeCurves[enums.curve.nistP521],
     web: webCurves[enums.curve.nistP521],
     payloadSize: 66,
-    sharedSize: 528
+    sharedSize: 528,
+    wireFormatLeadingByte: 0x04
   },
   [enums.curve.secp256k1]: {
     oid: [0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x0A],
@@ -8841,14 +8987,16 @@ const curves = {
     hash: enums.hash.sha256,
     cipher: enums.symmetric.aes128,
     node: nodeCurves[enums.curve.secp256k1],
-    payloadSize: 32
+    payloadSize: 32,
+    wireFormatLeadingByte: 0x04
   },
   [enums.curve.ed25519Legacy]: {
     oid: [0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01],
     keyType: enums.publicKey.eddsaLegacy,
     hash: enums.hash.sha512,
     node: false, // nodeCurves.ed25519 TODO
-    payloadSize: 32
+    payloadSize: 32,
+    wireFormatLeadingByte: 0x40
   },
   [enums.curve.curve25519Legacy]: {
     oid: [0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55, 0x01, 0x05, 0x01],
@@ -8856,7 +9004,8 @@ const curves = {
     hash: enums.hash.sha256,
     cipher: enums.symmetric.aes128,
     node: false, // nodeCurves.curve25519 TODO
-    payloadSize: 32
+    payloadSize: 32,
+    wireFormatLeadingByte: 0x40
   },
   [enums.curve.brainpoolP256r1]: {
     oid: [0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x07],
@@ -8864,7 +9013,8 @@ const curves = {
     hash: enums.hash.sha256,
     cipher: enums.symmetric.aes128,
     node: nodeCurves[enums.curve.brainpoolP256r1],
-    payloadSize: 32
+    payloadSize: 32,
+    wireFormatLeadingByte: 0x04
   },
   [enums.curve.brainpoolP384r1]: {
     oid: [0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0B],
@@ -8872,7 +9022,8 @@ const curves = {
     hash: enums.hash.sha384,
     cipher: enums.symmetric.aes192,
     node: nodeCurves[enums.curve.brainpoolP384r1],
-    payloadSize: 48
+    payloadSize: 48,
+    wireFormatLeadingByte: 0x04
   },
   [enums.curve.brainpoolP512r1]: {
     oid: [0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0D],
@@ -8880,7 +9031,8 @@ const curves = {
     hash: enums.hash.sha512,
     cipher: enums.symmetric.aes256,
     node: nodeCurves[enums.curve.brainpoolP512r1],
-    payloadSize: 64
+    payloadSize: 64,
+    wireFormatLeadingByte: 0x04
   }
 };
 
@@ -8904,6 +9056,7 @@ class CurveWithOID {
     this.web = params.web;
     this.payloadSize = params.payloadSize;
     this.sharedSize = params.sharedSize;
+    this.wireFormatLeadingByte = params.wireFormatLeadingByte;
     if (this.web && util.getWebCrypto()) {
       this.type = 'web';
     } else if (this.node && util.getNodeCrypto()) {
@@ -8919,7 +9072,7 @@ class CurveWithOID {
     switch (this.type) {
       case 'web':
         try {
-          return await webGenKeyPair(this.name);
+          return await webGenKeyPair(this.name, this.wireFormatLeadingByte);
         } catch (err) {
           util.printDebugError('Browser did not support generating ec key ' + err.message);
           return jsGenKeyPair(this.name);
@@ -8932,13 +9085,13 @@ class CurveWithOID {
         privateKey[31] &= 248;
         const secretKey = privateKey.slice().reverse();
         const { publicKey: rawPublicKey } = nacl.box.keyPair.fromSecretKey(secretKey);
-        const publicKey = util.concatUint8Array([new Uint8Array([0x40]), rawPublicKey]);
+        const publicKey = util.concatUint8Array([new Uint8Array([this.wireFormatLeadingByte]), rawPublicKey]);
         return { publicKey, privateKey };
       }
       case 'ed25519Legacy': {
         const privateKey = getRandomBytes(32);
         const keyPair = nacl.sign.keyPair.fromSeed(privateKey);
-        const publicKey = util.concatUint8Array([new Uint8Array([0x40]), keyPair.publicKey]);
+        const publicKey = util.concatUint8Array([new Uint8Array([this.wireFormatLeadingByte]), keyPair.publicKey]);
         return { publicKey, privateKey };
       }
       default:
@@ -9024,6 +9177,20 @@ async function validateStandardParams(algo, oid, Q, d) {
   return true;
 }
 
+/**
+ * Check whether the public point has a valid encoding.
+ * NB: this function does not check e.g. whether the point belongs to the curve.
+ */
+function checkPublicPointEnconding(curve, V) {
+  const { payloadSize, wireFormatLeadingByte, name: curveName } = curve;
+
+  const pointSize = (curveName === enums.curve.curve25519Legacy || curveName === enums.curve.ed25519Legacy) ? payloadSize : payloadSize * 2;
+
+  if (V[0] !== wireFormatLeadingByte || V.length !== pointSize + 1) {
+    throw new Error('Invalid point encoding');
+  }
+}
+
 //////////////////////////
 //                      //
 //   Helper functions   //
@@ -9036,7 +9203,7 @@ async function jsGenKeyPair(name) {
   return { publicKey, privateKey };
 }
 
-async function webGenKeyPair(name) {
+async function webGenKeyPair(name, wireFormatLeadingByte) {
   // Note: keys generated with ECDSA and ECDH are structurally equivalent
   const webCryptoKey = await webCrypto$5.generateKey({ name: 'ECDSA', namedCurve: webCurves[name] }, true, ['sign', 'verify']);
 
@@ -9044,14 +9211,14 @@ async function webGenKeyPair(name) {
   const publicKey = await webCrypto$5.exportKey('jwk', webCryptoKey.publicKey);
 
   return {
-    publicKey: jwkToRawPublic(publicKey),
+    publicKey: jwkToRawPublic(publicKey, wireFormatLeadingByte),
     privateKey: b64ToUint8Array(privateKey.d)
   };
 }
 
 async function nodeGenKeyPair(name) {
   // Note: ECDSA and ECDH key generation is structurally equivalent
-  const ecdh = nodeCrypto$3.createECDH(nodeCurves[name]);
+  const ecdh = nodeCrypto$4.createECDH(nodeCurves[name]);
   await ecdh.generateKeys();
   return {
     publicKey: new Uint8Array(ecdh.getPublicKey()),
@@ -9070,11 +9237,11 @@ async function nodeGenKeyPair(name) {
  *
  * @returns {Uint8Array} Raw public key.
  */
-function jwkToRawPublic(jwk) {
+function jwkToRawPublic(jwk, wireFormatLeadingByte) {
   const bufX = b64ToUint8Array(jwk.x);
   const bufY = b64ToUint8Array(jwk.y);
   const publicKey = new Uint8Array(bufX.length + bufY.length + 1);
-  publicKey[0] = 0x04;
+  publicKey[0] = wireFormatLeadingByte;
   publicKey.set(bufX, 1);
   publicKey.set(bufY, bufX.length + 1);
   return publicKey;
@@ -9095,8 +9262,8 @@ function rawPublicToJWK(payloadSize, name, publicKey) {
   const jwk = {
     kty: 'EC',
     crv: name,
-    x: uint8ArrayToB64(bufX, true),
-    y: uint8ArrayToB64(bufY, true),
+    x: uint8ArrayToB64(bufX),
+    y: uint8ArrayToB64(bufY),
     ext: true
   };
   return jwk;
@@ -9112,7 +9279,7 @@ function rawPublicToJWK(payloadSize, name, publicKey) {
  */
 function privateToJWK(payloadSize, name, publicKey, privateKey) {
   const jwk = rawPublicToJWK(payloadSize, name, publicKey);
-  jwk.d = uint8ArrayToB64(privateKey, true);
+  jwk.d = uint8ArrayToB64(privateKey);
   return jwk;
 }
 
@@ -9135,7 +9302,7 @@ function privateToJWK(payloadSize, name, publicKey, privateKey) {
 
 
 const webCrypto$4 = util.getWebCrypto();
-const nodeCrypto$2 = util.getNodeCrypto();
+const nodeCrypto$3 = util.getNodeCrypto();
 
 /**
  * Sign a message using the provided key
@@ -9153,6 +9320,7 @@ const nodeCrypto$2 = util.getNodeCrypto();
  */
 async function sign$6(oid, hashAlgo, message, publicKey, privateKey, hashed) {
   const curve = new CurveWithOID(oid);
+  checkPublicPointEnconding(curve, publicKey);
   if (message && !util.isStream(message)) {
     const keyPair = { publicKey, privateKey };
     switch (curve.type) {
@@ -9180,8 +9348,8 @@ async function sign$6(oid, hashAlgo, message, publicKey, privateKey, hashed) {
   // lowS: non-canonical sig: https://stackoverflow.com/questions/74338846/ecdsa-signature-verification-mismatch
   const signature = nobleCurve.sign(hashed, privateKey, { lowS: false });
   return {
-    r: signature.r.toUint8Array('be', curve.payloadSize),
-    s: signature.s.toUint8Array('be', curve.payloadSize)
+    r: bigIntToUint8Array(signature.r, 'be', curve.payloadSize),
+    s: bigIntToUint8Array(signature.s, 'be', curve.payloadSize)
   };
 }
 
@@ -9197,8 +9365,9 @@ async function sign$6(oid, hashAlgo, message, publicKey, privateKey, hashed) {
  * @returns {Boolean}
  * @async
  */
-async function verify$6(oid, hashAlgo, signature, message, publicKey, hashed) {
+async function verify$7(oid, hashAlgo, signature, message, publicKey, hashed) {
   const curve = new CurveWithOID(oid);
+  checkPublicPointEnconding(curve, publicKey);
   // See https://github.com/openpgpjs/openpgpjs/pull/948.
   // NB: the impact was more likely limited to Brainpool curves, since thanks
   // to WebCrypto availability, NIST curve should not have been affected.
@@ -9264,7 +9433,8 @@ async function validateParams$6(oid, Q, d) {
       const hashed = await hash.digest(hashAlgo, message);
       try {
         const signature = await sign$6(oid, hashAlgo, message, Q, d, hashed);
-        return await verify$6(oid, hashAlgo, signature, message, Q, hashed);
+        // eslint-disable-next-line @typescript-eslint/return-await
+        return await verify$7(oid, hashAlgo, signature, message, Q, hashed);
       } catch (err) {
         return false;
       }
@@ -9359,7 +9529,7 @@ async function nodeSign(curve, hashAlgo, message, privateKey) {
     privateKey: nodeBuffer.from(privateKey)
   });
 
-  const sign = nodeCrypto$2.createSign(enums.read(enums.hash, hashAlgo));
+  const sign = nodeCrypto$3.createSign(enums.read(enums.hash, hashAlgo));
   sign.write(message);
   sign.end();
 
@@ -9380,7 +9550,7 @@ async function nodeVerify(curve, hashAlgo, { r, s }, message, publicKey) {
     publicKey: nodeBuffer.from(publicKey)
   });
 
-  const verify = nodeCrypto$2.createVerify(enums.read(enums.hash, hashAlgo));
+  const verify = nodeCrypto$3.createVerify(enums.read(enums.hash, hashAlgo));
   verify.write(message);
   verify.end();
 
@@ -9397,7 +9567,760 @@ var ecdsa = /*#__PURE__*/Object.freeze({
   __proto__: null,
   sign: sign$6,
   validateParams: validateParams$6,
-  verify: verify$6
+  verify: verify$7
+});
+
+/*! noble-ed25519 - MIT License (c) 2019 Paul Miller (paulmillr.com) */
+const nodeCrypto$2 = null;
+const _0n$1 = BigInt(0);
+const _1n$1 = BigInt(1);
+const _2n = BigInt(2);
+const _8n = BigInt(8);
+const CU_O = BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989');
+const CURVE = Object.freeze({
+    a: BigInt(-1),
+    d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
+    P: BigInt('57896044618658097711785492504343953926634992332820282019728792003956564819949'),
+    l: CU_O,
+    n: CU_O,
+    h: BigInt(8),
+    Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
+    Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
+});
+const POW_2_256 = BigInt('0x10000000000000000000000000000000000000000000000000000000000000000');
+const SQRT_M1 = BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
+BigInt('6853475219497561581579357271197624642482790079785650197046958215289687604742');
+const SQRT_AD_MINUS_ONE = BigInt('25063068953384623474111414158702152701244531502492656460079210482610430750235');
+const INVSQRT_A_MINUS_D = BigInt('54469307008909316920995813868745141605393597292927456921205312896311721017578');
+const ONE_MINUS_D_SQ = BigInt('1159843021668779879193775521855586647937357759715417654439879720876111806838');
+const D_MINUS_ONE_SQ = BigInt('40440834346308536858101042469323190826248399146238708352240133220865137265952');
+class ExtendedPoint {
+    constructor(x, y, z, t) {
+        this.x = x;
+        this.y = y;
+        this.z = z;
+        this.t = t;
+    }
+    static fromAffine(p) {
+        if (!(p instanceof Point)) {
+            throw new TypeError('ExtendedPoint#fromAffine: expected Point');
+        }
+        if (p.equals(Point.ZERO))
+            return ExtendedPoint.ZERO;
+        return new ExtendedPoint(p.x, p.y, _1n$1, mod$1(p.x * p.y));
+    }
+    static toAffineBatch(points) {
+        const toInv = invertBatch(points.map((p) => p.z));
+        return points.map((p, i) => p.toAffine(toInv[i]));
+    }
+    static normalizeZ(points) {
+        return this.toAffineBatch(points).map(this.fromAffine);
+    }
+    equals(other) {
+        assertExtPoint(other);
+        const { x: X1, y: Y1, z: Z1 } = this;
+        const { x: X2, y: Y2, z: Z2 } = other;
+        const X1Z2 = mod$1(X1 * Z2);
+        const X2Z1 = mod$1(X2 * Z1);
+        const Y1Z2 = mod$1(Y1 * Z2);
+        const Y2Z1 = mod$1(Y2 * Z1);
+        return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
+    }
+    negate() {
+        return new ExtendedPoint(mod$1(-this.x), this.y, this.z, mod$1(-this.t));
+    }
+    double() {
+        const { x: X1, y: Y1, z: Z1 } = this;
+        const { a } = CURVE;
+        const A = mod$1(X1 * X1);
+        const B = mod$1(Y1 * Y1);
+        const C = mod$1(_2n * mod$1(Z1 * Z1));
+        const D = mod$1(a * A);
+        const x1y1 = X1 + Y1;
+        const E = mod$1(mod$1(x1y1 * x1y1) - A - B);
+        const G = D + B;
+        const F = G - C;
+        const H = D - B;
+        const X3 = mod$1(E * F);
+        const Y3 = mod$1(G * H);
+        const T3 = mod$1(E * H);
+        const Z3 = mod$1(F * G);
+        return new ExtendedPoint(X3, Y3, Z3, T3);
+    }
+    add(other) {
+        assertExtPoint(other);
+        const { x: X1, y: Y1, z: Z1, t: T1 } = this;
+        const { x: X2, y: Y2, z: Z2, t: T2 } = other;
+        const A = mod$1((Y1 - X1) * (Y2 + X2));
+        const B = mod$1((Y1 + X1) * (Y2 - X2));
+        const F = mod$1(B - A);
+        if (F === _0n$1)
+            return this.double();
+        const C = mod$1(Z1 * _2n * T2);
+        const D = mod$1(T1 * _2n * Z2);
+        const E = D + C;
+        const G = B + A;
+        const H = D - C;
+        const X3 = mod$1(E * F);
+        const Y3 = mod$1(G * H);
+        const T3 = mod$1(E * H);
+        const Z3 = mod$1(F * G);
+        return new ExtendedPoint(X3, Y3, Z3, T3);
+    }
+    subtract(other) {
+        return this.add(other.negate());
+    }
+    precomputeWindow(W) {
+        const windows = 1 + 256 / W;
+        const points = [];
+        let p = this;
+        let base = p;
+        for (let window = 0; window < windows; window++) {
+            base = p;
+            points.push(base);
+            for (let i = 1; i < 2 ** (W - 1); i++) {
+                base = base.add(p);
+                points.push(base);
+            }
+            p = base.double();
+        }
+        return points;
+    }
+    wNAF(n, affinePoint) {
+        if (!affinePoint && this.equals(ExtendedPoint.BASE))
+            affinePoint = Point.BASE;
+        const W = (affinePoint && affinePoint._WINDOW_SIZE) || 1;
+        if (256 % W) {
+            throw new Error('Point#wNAF: Invalid precomputation window, must be power of 2');
+        }
+        let precomputes = affinePoint && pointPrecomputes.get(affinePoint);
+        if (!precomputes) {
+            precomputes = this.precomputeWindow(W);
+            if (affinePoint && W !== 1) {
+                precomputes = ExtendedPoint.normalizeZ(precomputes);
+                pointPrecomputes.set(affinePoint, precomputes);
+            }
+        }
+        let p = ExtendedPoint.ZERO;
+        let f = ExtendedPoint.BASE;
+        const windows = 1 + 256 / W;
+        const windowSize = 2 ** (W - 1);
+        const mask = BigInt(2 ** W - 1);
+        const maxNumber = 2 ** W;
+        const shiftBy = BigInt(W);
+        for (let window = 0; window < windows; window++) {
+            const offset = window * windowSize;
+            let wbits = Number(n & mask);
+            n >>= shiftBy;
+            if (wbits > windowSize) {
+                wbits -= maxNumber;
+                n += _1n$1;
+            }
+            const offset1 = offset;
+            const offset2 = offset + Math.abs(wbits) - 1;
+            const cond1 = window % 2 !== 0;
+            const cond2 = wbits < 0;
+            if (wbits === 0) {
+                f = f.add(constTimeNegate(cond1, precomputes[offset1]));
+            }
+            else {
+                p = p.add(constTimeNegate(cond2, precomputes[offset2]));
+            }
+        }
+        return ExtendedPoint.normalizeZ([p, f])[0];
+    }
+    multiply(scalar, affinePoint) {
+        return this.wNAF(normalizeScalar(scalar, CURVE.l), affinePoint);
+    }
+    multiplyUnsafe(scalar) {
+        let n = normalizeScalar(scalar, CURVE.l, false);
+        const G = ExtendedPoint.BASE;
+        const P0 = ExtendedPoint.ZERO;
+        if (n === _0n$1)
+            return P0;
+        if (this.equals(P0) || n === _1n$1)
+            return this;
+        if (this.equals(G))
+            return this.wNAF(n);
+        let p = P0;
+        let d = this;
+        while (n > _0n$1) {
+            if (n & _1n$1)
+                p = p.add(d);
+            d = d.double();
+            n >>= _1n$1;
+        }
+        return p;
+    }
+    isSmallOrder() {
+        return this.multiplyUnsafe(CURVE.h).equals(ExtendedPoint.ZERO);
+    }
+    isTorsionFree() {
+        let p = this.multiplyUnsafe(CURVE.l / _2n).double();
+        if (CURVE.l % _2n)
+            p = p.add(this);
+        return p.equals(ExtendedPoint.ZERO);
+    }
+    toAffine(invZ) {
+        const { x, y, z } = this;
+        const is0 = this.equals(ExtendedPoint.ZERO);
+        if (invZ == null)
+            invZ = is0 ? _8n : invert(z);
+        const ax = mod$1(x * invZ);
+        const ay = mod$1(y * invZ);
+        const zz = mod$1(z * invZ);
+        if (is0)
+            return Point.ZERO;
+        if (zz !== _1n$1)
+            throw new Error('invZ was invalid');
+        return new Point(ax, ay);
+    }
+    fromRistrettoBytes() {
+        legacyRist();
+    }
+    toRistrettoBytes() {
+        legacyRist();
+    }
+    fromRistrettoHash() {
+        legacyRist();
+    }
+}
+ExtendedPoint.BASE = new ExtendedPoint(CURVE.Gx, CURVE.Gy, _1n$1, mod$1(CURVE.Gx * CURVE.Gy));
+ExtendedPoint.ZERO = new ExtendedPoint(_0n$1, _1n$1, _1n$1, _0n$1);
+function constTimeNegate(condition, item) {
+    const neg = item.negate();
+    return condition ? neg : item;
+}
+function assertExtPoint(other) {
+    if (!(other instanceof ExtendedPoint))
+        throw new TypeError('ExtendedPoint expected');
+}
+function assertRstPoint(other) {
+    if (!(other instanceof RistrettoPoint))
+        throw new TypeError('RistrettoPoint expected');
+}
+function legacyRist() {
+    throw new Error('Legacy method: switch to RistrettoPoint');
+}
+class RistrettoPoint {
+    constructor(ep) {
+        this.ep = ep;
+    }
+    static calcElligatorRistrettoMap(r0) {
+        const { d } = CURVE;
+        const r = mod$1(SQRT_M1 * r0 * r0);
+        const Ns = mod$1((r + _1n$1) * ONE_MINUS_D_SQ);
+        let c = BigInt(-1);
+        const D = mod$1((c - d * r) * mod$1(r + d));
+        let { isValid: Ns_D_is_sq, value: s } = uvRatio(Ns, D);
+        let s_ = mod$1(s * r0);
+        if (!edIsNegative(s_))
+            s_ = mod$1(-s_);
+        if (!Ns_D_is_sq)
+            s = s_;
+        if (!Ns_D_is_sq)
+            c = r;
+        const Nt = mod$1(c * (r - _1n$1) * D_MINUS_ONE_SQ - D);
+        const s2 = s * s;
+        const W0 = mod$1((s + s) * D);
+        const W1 = mod$1(Nt * SQRT_AD_MINUS_ONE);
+        const W2 = mod$1(_1n$1 - s2);
+        const W3 = mod$1(_1n$1 + s2);
+        return new ExtendedPoint(mod$1(W0 * W3), mod$1(W2 * W1), mod$1(W1 * W3), mod$1(W0 * W2));
+    }
+    static hashToCurve(hex) {
+        hex = ensureBytes(hex, 64);
+        const r1 = bytes255ToNumberLE(hex.slice(0, 32));
+        const R1 = this.calcElligatorRistrettoMap(r1);
+        const r2 = bytes255ToNumberLE(hex.slice(32, 64));
+        const R2 = this.calcElligatorRistrettoMap(r2);
+        return new RistrettoPoint(R1.add(R2));
+    }
+    static fromHex(hex) {
+        hex = ensureBytes(hex, 32);
+        const { a, d } = CURVE;
+        const emsg = 'RistrettoPoint.fromHex: the hex is not valid encoding of RistrettoPoint';
+        const s = bytes255ToNumberLE(hex);
+        if (!equalBytes(numberTo32BytesLE(s), hex) || edIsNegative(s))
+            throw new Error(emsg);
+        const s2 = mod$1(s * s);
+        const u1 = mod$1(_1n$1 + a * s2);
+        const u2 = mod$1(_1n$1 - a * s2);
+        const u1_2 = mod$1(u1 * u1);
+        const u2_2 = mod$1(u2 * u2);
+        const v = mod$1(a * d * u1_2 - u2_2);
+        const { isValid, value: I } = invertSqrt(mod$1(v * u2_2));
+        const Dx = mod$1(I * u2);
+        const Dy = mod$1(I * Dx * v);
+        let x = mod$1((s + s) * Dx);
+        if (edIsNegative(x))
+            x = mod$1(-x);
+        const y = mod$1(u1 * Dy);
+        const t = mod$1(x * y);
+        if (!isValid || edIsNegative(t) || y === _0n$1)
+            throw new Error(emsg);
+        return new RistrettoPoint(new ExtendedPoint(x, y, _1n$1, t));
+    }
+    toRawBytes() {
+        let { x, y, z, t } = this.ep;
+        const u1 = mod$1(mod$1(z + y) * mod$1(z - y));
+        const u2 = mod$1(x * y);
+        const u2sq = mod$1(u2 * u2);
+        const { value: invsqrt } = invertSqrt(mod$1(u1 * u2sq));
+        const D1 = mod$1(invsqrt * u1);
+        const D2 = mod$1(invsqrt * u2);
+        const zInv = mod$1(D1 * D2 * t);
+        let D;
+        if (edIsNegative(t * zInv)) {
+            let _x = mod$1(y * SQRT_M1);
+            let _y = mod$1(x * SQRT_M1);
+            x = _x;
+            y = _y;
+            D = mod$1(D1 * INVSQRT_A_MINUS_D);
+        }
+        else {
+            D = D2;
+        }
+        if (edIsNegative(x * zInv))
+            y = mod$1(-y);
+        let s = mod$1((z - y) * D);
+        if (edIsNegative(s))
+            s = mod$1(-s);
+        return numberTo32BytesLE(s);
+    }
+    toHex() {
+        return bytesToHex(this.toRawBytes());
+    }
+    toString() {
+        return this.toHex();
+    }
+    equals(other) {
+        assertRstPoint(other);
+        const a = this.ep;
+        const b = other.ep;
+        const one = mod$1(a.x * b.y) === mod$1(a.y * b.x);
+        const two = mod$1(a.y * b.y) === mod$1(a.x * b.x);
+        return one || two;
+    }
+    add(other) {
+        assertRstPoint(other);
+        return new RistrettoPoint(this.ep.add(other.ep));
+    }
+    subtract(other) {
+        assertRstPoint(other);
+        return new RistrettoPoint(this.ep.subtract(other.ep));
+    }
+    multiply(scalar) {
+        return new RistrettoPoint(this.ep.multiply(scalar));
+    }
+    multiplyUnsafe(scalar) {
+        return new RistrettoPoint(this.ep.multiplyUnsafe(scalar));
+    }
+}
+RistrettoPoint.BASE = new RistrettoPoint(ExtendedPoint.BASE);
+RistrettoPoint.ZERO = new RistrettoPoint(ExtendedPoint.ZERO);
+const pointPrecomputes = new WeakMap();
+class Point {
+    constructor(x, y) {
+        this.x = x;
+        this.y = y;
+    }
+    _setWindowSize(windowSize) {
+        this._WINDOW_SIZE = windowSize;
+        pointPrecomputes.delete(this);
+    }
+    static fromHex(hex, strict = true) {
+        const { d, P } = CURVE;
+        hex = ensureBytes(hex, 32);
+        const normed = hex.slice();
+        normed[31] = hex[31] & ~0x80;
+        const y = bytesToNumberLE(normed);
+        if (strict && y >= P)
+            throw new Error('Expected 0 < hex < P');
+        if (!strict && y >= POW_2_256)
+            throw new Error('Expected 0 < hex < 2**256');
+        const y2 = mod$1(y * y);
+        const u = mod$1(y2 - _1n$1);
+        const v = mod$1(d * y2 + _1n$1);
+        let { isValid, value: x } = uvRatio(u, v);
+        if (!isValid)
+            throw new Error('Point.fromHex: invalid y coordinate');
+        const isXOdd = (x & _1n$1) === _1n$1;
+        const isLastByteOdd = (hex[31] & 0x80) !== 0;
+        if (isLastByteOdd !== isXOdd) {
+            x = mod$1(-x);
+        }
+        return new Point(x, y);
+    }
+    static async fromPrivateKey(privateKey) {
+        return (await getExtendedPublicKey(privateKey)).point;
+    }
+    toRawBytes() {
+        const bytes = numberTo32BytesLE(this.y);
+        bytes[31] |= this.x & _1n$1 ? 0x80 : 0;
+        return bytes;
+    }
+    toHex() {
+        return bytesToHex(this.toRawBytes());
+    }
+    toX25519() {
+        const { y } = this;
+        const u = mod$1((_1n$1 + y) * invert(_1n$1 - y));
+        return numberTo32BytesLE(u);
+    }
+    isTorsionFree() {
+        return ExtendedPoint.fromAffine(this).isTorsionFree();
+    }
+    equals(other) {
+        return this.x === other.x && this.y === other.y;
+    }
+    negate() {
+        return new Point(mod$1(-this.x), this.y);
+    }
+    add(other) {
+        return ExtendedPoint.fromAffine(this).add(ExtendedPoint.fromAffine(other)).toAffine();
+    }
+    subtract(other) {
+        return this.add(other.negate());
+    }
+    multiply(scalar) {
+        return ExtendedPoint.fromAffine(this).multiply(scalar, this).toAffine();
+    }
+}
+Point.BASE = new Point(CURVE.Gx, CURVE.Gy);
+Point.ZERO = new Point(_0n$1, _1n$1);
+let Signature$1 = class Signature {
+    constructor(r, s) {
+        this.r = r;
+        this.s = s;
+        this.assertValidity();
+    }
+    static fromHex(hex) {
+        const bytes = ensureBytes(hex, 64);
+        const r = Point.fromHex(bytes.slice(0, 32), false);
+        const s = bytesToNumberLE(bytes.slice(32, 64));
+        return new Signature(r, s);
+    }
+    assertValidity() {
+        const { r, s } = this;
+        if (!(r instanceof Point))
+            throw new Error('Expected Point instance');
+        normalizeScalar(s, CURVE.l, false);
+        return this;
+    }
+    toRawBytes() {
+        const u8 = new Uint8Array(64);
+        u8.set(this.r.toRawBytes());
+        u8.set(numberTo32BytesLE(this.s), 32);
+        return u8;
+    }
+    toHex() {
+        return bytesToHex(this.toRawBytes());
+    }
+};
+function concatBytes(...arrays) {
+    if (!arrays.every((a) => a instanceof Uint8Array))
+        throw new Error('Expected Uint8Array list');
+    if (arrays.length === 1)
+        return arrays[0];
+    const length = arrays.reduce((a, arr) => a + arr.length, 0);
+    const result = new Uint8Array(length);
+    for (let i = 0, pad = 0; i < arrays.length; i++) {
+        const arr = arrays[i];
+        result.set(arr, pad);
+        pad += arr.length;
+    }
+    return result;
+}
+const hexes = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, '0'));
+function bytesToHex(uint8a) {
+    if (!(uint8a instanceof Uint8Array))
+        throw new Error('Uint8Array expected');
+    let hex = '';
+    for (let i = 0; i < uint8a.length; i++) {
+        hex += hexes[uint8a[i]];
+    }
+    return hex;
+}
+function hexToBytes(hex) {
+    if (typeof hex !== 'string') {
+        throw new TypeError('hexToBytes: expected string, got ' + typeof hex);
+    }
+    if (hex.length % 2)
+        throw new Error('hexToBytes: received invalid unpadded hex');
+    const array = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < array.length; i++) {
+        const j = i * 2;
+        const hexByte = hex.slice(j, j + 2);
+        const byte = Number.parseInt(hexByte, 16);
+        if (Number.isNaN(byte) || byte < 0)
+            throw new Error('Invalid byte sequence');
+        array[i] = byte;
+    }
+    return array;
+}
+function numberTo32BytesBE(num) {
+    const length = 32;
+    const hex = num.toString(16).padStart(length * 2, '0');
+    return hexToBytes(hex);
+}
+function numberTo32BytesLE(num) {
+    return numberTo32BytesBE(num).reverse();
+}
+function edIsNegative(num) {
+    return (mod$1(num) & _1n$1) === _1n$1;
+}
+function bytesToNumberLE(uint8a) {
+    if (!(uint8a instanceof Uint8Array))
+        throw new Error('Expected Uint8Array');
+    return BigInt('0x' + bytesToHex(Uint8Array.from(uint8a).reverse()));
+}
+const MAX_255B = BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
+function bytes255ToNumberLE(bytes) {
+    return mod$1(bytesToNumberLE(bytes) & MAX_255B);
+}
+function mod$1(a, b = CURVE.P) {
+    const res = a % b;
+    return res >= _0n$1 ? res : b + res;
+}
+function invert(number, modulo = CURVE.P) {
+    if (number === _0n$1 || modulo <= _0n$1) {
+        throw new Error(`invert: expected positive integers, got n=${number} mod=${modulo}`);
+    }
+    let a = mod$1(number, modulo);
+    let b = modulo;
+    let x = _0n$1, u = _1n$1;
+    while (a !== _0n$1) {
+        const q = b / a;
+        const r = b % a;
+        const m = x - u * q;
+        b = a, a = r, x = u, u = m;
+    }
+    const gcd = b;
+    if (gcd !== _1n$1)
+        throw new Error('invert: does not exist');
+    return mod$1(x, modulo);
+}
+function invertBatch(nums, p = CURVE.P) {
+    const tmp = new Array(nums.length);
+    const lastMultiplied = nums.reduce((acc, num, i) => {
+        if (num === _0n$1)
+            return acc;
+        tmp[i] = acc;
+        return mod$1(acc * num, p);
+    }, _1n$1);
+    const inverted = invert(lastMultiplied, p);
+    nums.reduceRight((acc, num, i) => {
+        if (num === _0n$1)
+            return acc;
+        tmp[i] = mod$1(acc * tmp[i], p);
+        return mod$1(acc * num, p);
+    }, inverted);
+    return tmp;
+}
+function pow2(x, power) {
+    const { P } = CURVE;
+    let res = x;
+    while (power-- > _0n$1) {
+        res *= res;
+        res %= P;
+    }
+    return res;
+}
+function pow_2_252_3(x) {
+    const { P } = CURVE;
+    const _5n = BigInt(5);
+    const _10n = BigInt(10);
+    const _20n = BigInt(20);
+    const _40n = BigInt(40);
+    const _80n = BigInt(80);
+    const x2 = (x * x) % P;
+    const b2 = (x2 * x) % P;
+    const b4 = (pow2(b2, _2n) * b2) % P;
+    const b5 = (pow2(b4, _1n$1) * x) % P;
+    const b10 = (pow2(b5, _5n) * b5) % P;
+    const b20 = (pow2(b10, _10n) * b10) % P;
+    const b40 = (pow2(b20, _20n) * b20) % P;
+    const b80 = (pow2(b40, _40n) * b40) % P;
+    const b160 = (pow2(b80, _80n) * b80) % P;
+    const b240 = (pow2(b160, _80n) * b80) % P;
+    const b250 = (pow2(b240, _10n) * b10) % P;
+    const pow_p_5_8 = (pow2(b250, _2n) * x) % P;
+    return { pow_p_5_8, b2 };
+}
+function uvRatio(u, v) {
+    const v3 = mod$1(v * v * v);
+    const v7 = mod$1(v3 * v3 * v);
+    const pow = pow_2_252_3(u * v7).pow_p_5_8;
+    let x = mod$1(u * v3 * pow);
+    const vx2 = mod$1(v * x * x);
+    const root1 = x;
+    const root2 = mod$1(x * SQRT_M1);
+    const useRoot1 = vx2 === u;
+    const useRoot2 = vx2 === mod$1(-u);
+    const noRoot = vx2 === mod$1(-u * SQRT_M1);
+    if (useRoot1)
+        x = root1;
+    if (useRoot2 || noRoot)
+        x = root2;
+    if (edIsNegative(x))
+        x = mod$1(-x);
+    return { isValid: useRoot1 || useRoot2, value: x };
+}
+function invertSqrt(number) {
+    return uvRatio(_1n$1, number);
+}
+function modlLE(hash) {
+    return mod$1(bytesToNumberLE(hash), CURVE.l);
+}
+function equalBytes(b1, b2) {
+    if (b1.length !== b2.length) {
+        return false;
+    }
+    for (let i = 0; i < b1.length; i++) {
+        if (b1[i] !== b2[i]) {
+            return false;
+        }
+    }
+    return true;
+}
+function ensureBytes(hex, expectedLength) {
+    const bytes = hex instanceof Uint8Array ? Uint8Array.from(hex) : hexToBytes(hex);
+    if (typeof expectedLength === 'number' && bytes.length !== expectedLength)
+        throw new Error(`Expected ${expectedLength} bytes`);
+    return bytes;
+}
+function normalizeScalar(num, max, strict = true) {
+    if (!max)
+        throw new TypeError('Specify max value');
+    if (typeof num === 'number' && Number.isSafeInteger(num))
+        num = BigInt(num);
+    if (typeof num === 'bigint' && num < max) {
+        if (strict) {
+            if (_0n$1 < num)
+                return num;
+        }
+        else {
+            if (_0n$1 <= num)
+                return num;
+        }
+    }
+    throw new TypeError('Expected valid scalar: 0 < scalar < max');
+}
+function adjustBytes25519(bytes) {
+    bytes[0] &= 248;
+    bytes[31] &= 127;
+    bytes[31] |= 64;
+    return bytes;
+}
+function checkPrivateKey(key) {
+    key =
+        typeof key === 'bigint' || typeof key === 'number'
+            ? numberTo32BytesBE(normalizeScalar(key, POW_2_256))
+            : ensureBytes(key);
+    if (key.length !== 32)
+        throw new Error(`Expected 32 bytes`);
+    return key;
+}
+function getKeyFromHash(hashed) {
+    const head = adjustBytes25519(hashed.slice(0, 32));
+    const prefix = hashed.slice(32, 64);
+    const scalar = modlLE(head);
+    const point = Point.BASE.multiply(scalar);
+    const pointBytes = point.toRawBytes();
+    return { head, prefix, scalar, point, pointBytes };
+}
+let _sha512Sync;
+async function getExtendedPublicKey(key) {
+    return getKeyFromHash(await utils.sha512(checkPrivateKey(key)));
+}
+function prepareVerification(sig, message, publicKey) {
+    message = ensureBytes(message);
+    if (!(publicKey instanceof Point))
+        publicKey = Point.fromHex(publicKey, false);
+    const { r, s } = sig instanceof Signature$1 ? sig.assertValidity() : Signature$1.fromHex(sig);
+    const SB = ExtendedPoint.BASE.multiplyUnsafe(s);
+    return { r, s, SB, pub: publicKey, msg: message };
+}
+function finishVerification(publicKey, r, SB, hashed) {
+    const k = modlLE(hashed);
+    const kA = ExtendedPoint.fromAffine(publicKey).multiplyUnsafe(k);
+    const RkA = ExtendedPoint.fromAffine(r).add(kA);
+    return RkA.subtract(SB).multiplyUnsafe(CURVE.h).equals(ExtendedPoint.ZERO);
+}
+async function verify$6(sig, message, publicKey) {
+    const { r, SB, msg, pub } = prepareVerification(sig, message, publicKey);
+    const hashed = await utils.sha512(r.toRawBytes(), pub.toRawBytes(), msg);
+    return finishVerification(pub, r, SB, hashed);
+}
+Point.BASE._setWindowSize(8);
+const crypto$2 = {
+    node: nodeCrypto$2,
+    web: typeof self === 'object' && 'crypto' in self ? self.crypto : undefined,
+};
+const utils = {
+    bytesToHex,
+    hexToBytes,
+    concatBytes,
+    getExtendedPublicKey,
+    mod: mod$1,
+    invert,
+    TORSION_SUBGROUP: [
+        '0100000000000000000000000000000000000000000000000000000000000000',
+        'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a',
+        '0000000000000000000000000000000000000000000000000000000000000080',
+        '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05',
+        'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
+        '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85',
+        '0000000000000000000000000000000000000000000000000000000000000000',
+        'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
+    ],
+    hashToPrivateScalar: (hash) => {
+        hash = ensureBytes(hash);
+        if (hash.length < 40 || hash.length > 1024)
+            throw new Error('Expected 40-1024 bytes of private key as per FIPS 186');
+        return mod$1(bytesToNumberLE(hash), CURVE.l - _1n$1) + _1n$1;
+    },
+    randomBytes: (bytesLength = 32) => {
+        if (crypto$2.web) {
+            return crypto$2.web.getRandomValues(new Uint8Array(bytesLength));
+        }
+        else {
+            throw new Error("The environment doesn't have randomBytes function");
+        }
+    },
+    randomPrivateKey: () => {
+        return utils.randomBytes(32);
+    },
+    sha512: async (...messages) => {
+        const message = concatBytes(...messages);
+        if (crypto$2.web) {
+            const buffer = await crypto$2.web.subtle.digest('SHA-512', message.buffer);
+            return new Uint8Array(buffer);
+        }
+        else {
+            throw new Error("The environment doesn't have sha512 function");
+        }
+    },
+    precompute(windowSize = 8, point = Point.BASE) {
+        const cached = point.equals(Point.BASE) ? point : new Point(point.x, point.y);
+        cached._setWindowSize(windowSize);
+        cached.multiply(_2n);
+        return cached;
+    },
+    sha512Sync: undefined,
+};
+Object.defineProperties(utils, {
+    sha512Sync: {
+        configurable: false,
+        get() {
+            return _sha512Sync;
+        },
+        set(val) {
+            if (!_sha512Sync)
+                _sha512Sync = val;
+        },
+    },
 });
 
 // OpenPGP.js - An OpenPGP implementation in javascript
@@ -9433,6 +10356,8 @@ var ecdsa = /*#__PURE__*/Object.freeze({
  * @async
  */
 async function sign$5(oid, hashAlgo, message, publicKey, privateKey, hashed) {
+  const curve = new CurveWithOID(oid);
+  checkPublicPointEnconding(curve, publicKey);
   if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
     // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
     throw new Error('Hash algorithm too weak for EdDSA.');
@@ -9459,11 +10384,13 @@ async function sign$5(oid, hashAlgo, message, publicKey, privateKey, hashed) {
  * @async
  */
 async function verify$5(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
+  const curve = new CurveWithOID(oid);
+  checkPublicPointEnconding(curve, publicKey);
   if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
     throw new Error('Hash algorithm too weak for EdDSA.');
   }
   const signature = util.concatUint8Array([r, s]);
-  return nacl.sign.detached.verify(hashed, signature, publicKey.subarray(1));
+  return verify$6(signature, hashed, publicKey.subarray(1));
 }
 /**
  * Validate legacy EdDSA parameters
@@ -9589,7 +10516,7 @@ async function verify$4(algo, hashAlgo, { RS }, m, publicKey, hashed) {
   }
   switch (algo) {
     case enums.publicKey.ed25519:
-      return nacl.sign.detached.verify(hashed, RS, publicKey);
+      return verify$6(RS, hashed, publicKey);
     case enums.publicKey.ed448: {
       const ed448 = await util.getNobleCurve(enums.publicKey.ed448);
       return ed448.verify(RS, hashed, publicKey);
@@ -9953,7 +10880,7 @@ function buildEcdhParam(public_algo, oid, kdfParams, fingerprint) {
     new Uint8Array([public_algo]),
     kdfParams.write(true),
     util.stringToUint8Array('Anonymous Sender    '),
-    kdfParams.replacementFingerprint || fingerprint.subarray(0, 20)
+    kdfParams.replacementFingerprint || fingerprint
   ]);
 }
 
@@ -9995,7 +10922,7 @@ async function genPublicEphemeralKey(curve, Q) {
       const d = getRandomBytes(32);
       const { secretKey, sharedKey } = await genPrivateEphemeralKey(curve, Q, null, d);
       let { publicKey } = nacl.box.keyPair.fromSecretKey(secretKey);
-      publicKey = util.concatUint8Array([new Uint8Array([0x40]), publicKey]);
+      publicKey = util.concatUint8Array([new Uint8Array([curve.wireFormatLeadingByte]), publicKey]);
       return { publicKey, sharedKey }; // Note: sharedKey is little-endian here, unlike below
     }
     case 'web':
@@ -10023,7 +10950,7 @@ async function genPublicEphemeralKey(curve, Q) {
  * @param {module:type/kdf_params} kdfParams - KDF params including cipher and algorithm to use
  * @param {Uint8Array} data - Unpadded session key data
  * @param {Uint8Array} Q - Recipient public key
- * @param {Uint8Array} fingerprint - Recipient fingerprint
+ * @param {Uint8Array} fingerprint - Recipient fingerprint, already truncated depending on the key version
  * @returns {Promise<{publicKey: Uint8Array, wrappedKey: Uint8Array}>}
  * @async
  */
@@ -10031,6 +10958,7 @@ async function encrypt$2(oid, kdfParams, data, Q, fingerprint) {
   const m = encode(data);
 
   const curve = new CurveWithOID(oid);
+  checkPublicPointEnconding(curve, Q);
   const { publicKey, sharedKey } = await genPublicEphemeralKey(curve, Q);
   const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
   const { keySize } = getCipherParams(kdfParams.cipher);
@@ -10087,12 +11015,14 @@ async function genPrivateEphemeralKey(curve, V, Q, d) {
  * @param {Uint8Array} C - Encrypted and wrapped value derived from session key
  * @param {Uint8Array} Q - Recipient public key
  * @param {Uint8Array} d - Recipient private key
- * @param {Uint8Array} fingerprint - Recipient fingerprint
+ * @param {Uint8Array} fingerprint - Recipient fingerprint, already truncated depending on the key version
  * @returns {Promise<Uint8Array>} Value derived from session key.
  * @async
  */
 async function decrypt$2(oid, kdfParams, V, C, Q, d, fingerprint) {
   const curve = new CurveWithOID(oid);
+  checkPublicPointEnconding(curve, Q);
+  checkPublicPointEnconding(curve, V);
   const { sharedKey } = await genPrivateEphemeralKey(curve, V, Q, d);
   const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
   const { keySize } = getCipherParams(kdfParams.cipher);
@@ -10224,7 +11154,7 @@ async function webPublicEphemeralKey(curve, Q) {
   );
   [s, p] = await Promise.all([s, p]);
   const sharedKey = new Uint8Array(s);
-  const publicKey = new Uint8Array(jwkToRawPublic(p));
+  const publicKey = new Uint8Array(jwkToRawPublic(p, curve.wireFormatLeadingByte));
   return { publicKey, sharedKey };
 }
 
@@ -10522,6 +11452,9 @@ var elliptic = /*#__PURE__*/Object.freeze({
    https://tools.ietf.org/html/rfc4880#section-14
 */
 
+const _0n = BigInt(0);
+const _1n = BigInt(1);
+
 /**
  * DSA Sign function
  * @param {Integer} hashAlgo
@@ -10534,26 +11467,24 @@ var elliptic = /*#__PURE__*/Object.freeze({
  * @async
  */
 async function sign$3(hashAlgo, hashed, g, p, q, x) {
-  const BigInteger = await util.getBigInteger();
-
-  const one = new BigInteger(1);
-  p = new BigInteger(p);
-  q = new BigInteger(q);
-  g = new BigInteger(g);
-  x = new BigInteger(x);
+  const _0n = BigInt(0);
+  p = uint8ArrayToBigInt(p);
+  q = uint8ArrayToBigInt(q);
+  g = uint8ArrayToBigInt(g);
+  x = uint8ArrayToBigInt(x);
 
   let k;
   let r;
   let s;
   let t;
-  g = g.mod(p);
-  x = x.mod(q);
+  g = mod$2(g, p);
+  x = mod$2(x, q);
   // If the output size of the chosen hash is larger than the number of
   // bits of q, the hash result is truncated to fit by taking the number
   // of leftmost bits equal to the number of bits of q.  This (possibly
   // truncated) hash function result is treated as a number and used
   // directly in the DSA signature algorithm.
-  const h = new BigInteger(hashed.subarray(0, q.byteLength())).mod(q);
+  const h = mod$2(uint8ArrayToBigInt(hashed.subarray(0, byteLength(q))), q);
   // FIPS-186-4, section 4.6:
   // The values of r and s shall be checked to determine if r = 0 or s = 0.
   // If either r = 0 or s = 0, a new value of k shall be generated, and the
@@ -10561,22 +11492,22 @@ async function sign$3(hashAlgo, hashed, g, p, q, x) {
   // or s = 0 if signatures are generated properly.
   while (true) {
     // See Appendix B here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
-    k = await getRandomBigInteger(one, q); // returns in [1, q-1]
-    r = g.modExp(k, p).imod(q); // (g**k mod p) mod q
-    if (r.isZero()) {
+    k = getRandomBigInteger(_1n, q); // returns in [1, q-1]
+    r = mod$2(modExp(g, k, p), q); // (g**k mod p) mod q
+    if (r === _0n) {
       continue;
     }
-    const xr = x.mul(r).imod(q);
-    t = h.add(xr).imod(q); // H(m) + x*r mod q
-    s = k.modInv(q).imul(t).imod(q); // k**-1 * (H(m) + x*r) mod q
-    if (s.isZero()) {
+    const xr = mod$2(x * r, q);
+    t = mod$2(h + xr, q); // H(m) + x*r mod q
+    s = mod$2(modInv(k, q) * t, q); // k**-1 * (H(m) + x*r) mod q
+    if (s === _0n) {
       continue;
     }
     break;
   }
   return {
-    r: r.toUint8Array('be', q.byteLength()),
-    s: s.toUint8Array('be', q.byteLength())
+    r: bigIntToUint8Array(r, 'be', byteLength(p)),
+    s: bigIntToUint8Array(s, 'be', byteLength(p))
   };
 }
 
@@ -10594,37 +11525,34 @@ async function sign$3(hashAlgo, hashed, g, p, q, x) {
  * @async
  */
 async function verify$3(hashAlgo, r, s, hashed, g, p, q, y) {
-  const BigInteger = await util.getBigInteger();
+  r = uint8ArrayToBigInt(r);
+  s = uint8ArrayToBigInt(s);
 
-  const zero = new BigInteger(0);
-  r = new BigInteger(r);
-  s = new BigInteger(s);
+  p = uint8ArrayToBigInt(p);
+  q = uint8ArrayToBigInt(q);
+  g = uint8ArrayToBigInt(g);
+  y = uint8ArrayToBigInt(y);
 
-  p = new BigInteger(p);
-  q = new BigInteger(q);
-  g = new BigInteger(g);
-  y = new BigInteger(y);
-
-  if (r.lte(zero) || r.gte(q) ||
-      s.lte(zero) || s.gte(q)) {
+  if (r <= _0n || r >= q ||
+      s <= _0n || s >= q) {
     util.printDebug('invalid DSA Signature');
     return false;
   }
-  const h = new BigInteger(hashed.subarray(0, q.byteLength())).imod(q);
-  const w = s.modInv(q); // s**-1 mod q
-  if (w.isZero()) {
+  const h = mod$2(uint8ArrayToBigInt(hashed.subarray(0, byteLength(q))), q);
+  const w = modInv(s, q); // s**-1 mod q
+  if (w === _0n) {
     util.printDebug('invalid DSA Signature');
     return false;
   }
 
-  g = g.mod(p);
-  y = y.mod(p);
-  const u1 = h.mul(w).imod(q); // H(m) * w mod q
-  const u2 = r.mul(w).imod(q); // r * w mod q
-  const t1 = g.modExp(u1, p); // g**u1 mod p
-  const t2 = y.modExp(u2, p); // y**u2 mod p
-  const v = t1.mul(t2).imod(p).imod(q); // (g**u1 * y**u2 mod p) mod q
-  return v.equal(r);
+  g = mod$2(g, p);
+  y = mod$2(y, p);
+  const u1 = mod$2(h * w, q); // H(m) * w mod q
+  const u2 = mod$2(r * w, q); // r * w mod q
+  const t1 = modExp(g, u1, p); // g**u1 mod p
+  const t2 = modExp(y, u2, p); // y**u2 mod p
+  const v = mod$2(mod$2(t1 * t2, p), q); // (g**u1 * y**u2 mod p) mod q
+  return v === r;
 }
 
 /**
@@ -10638,22 +11566,19 @@ async function verify$3(hashAlgo, r, s, hashed, g, p, q, y) {
  * @async
  */
 async function validateParams$1(p, q, g, y, x) {
-  const BigInteger = await util.getBigInteger();
-
-  p = new BigInteger(p);
-  q = new BigInteger(q);
-  g = new BigInteger(g);
-  y = new BigInteger(y);
-  const one = new BigInteger(1);
+  p = uint8ArrayToBigInt(p);
+  q = uint8ArrayToBigInt(q);
+  g = uint8ArrayToBigInt(g);
+  y = uint8ArrayToBigInt(y);
   // Check that 1 < g < p
-  if (g.lte(one) || g.gte(p)) {
+  if (g <= _1n || g >= p) {
     return false;
   }
 
   /**
    * Check that subgroup order q divides p-1
    */
-  if (!p.dec().mod(q).isZero()) {
+  if (mod$2(p - _1n, q) !== _0n) {
     return false;
   }
 
@@ -10661,16 +11586,16 @@ async function validateParams$1(p, q, g, y, x) {
    * g has order q
    * Check that g ** q = 1 mod p
    */
-  if (!g.modExp(q, p).isOne()) {
+  if (modExp(g, q, p) !== _1n) {
     return false;
   }
 
   /**
    * Check q is large and probably prime (we mainly want to avoid small factors)
    */
-  const qSize = new BigInteger(q.bitLength());
-  const n150 = new BigInteger(150);
-  if (qSize.lt(n150) || !(await isProbablePrime(q, null, 32))) {
+  const qSize = BigInt(bitLength(q));
+  const _150n = BigInt(150);
+  if (qSize < _150n || !isProbablePrime(q, null, 32)) {
     return false;
   }
 
@@ -10680,11 +11605,11 @@ async function validateParams$1(p, q, g, y, x) {
    *
    * Blinded exponentiation computes g**{rq + x} to compare to y
    */
-  x = new BigInteger(x);
-  const two = new BigInteger(2);
-  const r = await getRandomBigInteger(two.leftShift(qSize.dec()), two.leftShift(qSize)); // draw r of same size as q
-  const rqx = q.mul(r).add(x);
-  if (!y.equal(g.modExp(rqx, p))) {
+  x = uint8ArrayToBigInt(x);
+  const _2n = BigInt(2);
+  const r = getRandomBigInteger(_2n << (qSize - _1n), _2n << qSize); // draw r of same size as q
+  const rqx = q * r + x;
+  if (y !== modExp(g, rqx, p)) {
     return false;
   }
 
@@ -11450,6 +12375,9 @@ function parsePublicKeyParams(algo, bytes) {
     case enums.publicKey.eddsaLegacy: {
       const oid = new OID(); read += oid.read(bytes);
       checkSupportedCurve(oid);
+      if (oid.getName() !== enums.curve.ed25519Legacy) {
+        throw new Error('Unexpected OID for eddsaLegacy');
+      }
       let Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
       Q = util.leftPad(Q, 33);
       return { read: read, publicParams: { oid, Q } };
@@ -11513,6 +12441,9 @@ function parsePrivateKeyParams(algo, bytes, publicParams) {
     }
     case enums.publicKey.eddsaLegacy: {
       const payloadSize = getCurvePayloadSize(algo, publicParams.oid);
+      if (publicParams.oid.getName() !== enums.curve.ed25519Legacy) {
+        throw new Error('Unexpected OID for eddsaLegacy');
+      }
       let seed = util.readMPI(bytes.subarray(read)); read += seed.length + 2;
       seed = util.leftPad(seed, payloadSize);
       return { read, privateParams: { seed } };
@@ -14343,6 +15274,7 @@ class SignaturePacket {
 
     this.signatureData = null;
     this.unhashedSubpackets = [];
+    this.unknownSubpackets = [];
     this.signedHashValue = null;
     this.salt = null;
 
@@ -14392,9 +15324,12 @@ class SignaturePacket {
    * @param {String} bytes - Payload of a tag 2 packet
    * @returns {SignaturePacket} Object representation.
    */
-  read(bytes) {
+  read(bytes, config$1 = config) {
     let i = 0;
     this.version = bytes[i++];
+    if (this.version === 5 && !config$1.enableParsingV5Entities) {
+      throw new UnsupportedError('Support for v5 entities is disabled; turn on `config.enableParsingV5Entities` if needed');
+    }
 
     if (this.version !== 4 && this.version !== 5 && this.version !== 6) {
       throw new UnsupportedError(`Version ${this.version} of the signature packet is unsupported.`);
@@ -14671,10 +15606,8 @@ class SignaturePacket {
    * @returns {Uint8Array} Subpacket data.
    */
   writeUnhashedSubPackets() {
-    const arr = [];
-    this.unhashedSubpackets.forEach(data => {
-      arr.push(writeSimpleLength(data.length));
-      arr.push(data);
+    const arr = this.unhashedSubpackets.map(({ type, critical, body }) => {
+      return writeSubPacket(type, critical, body);
     });
 
     const result = util.concat(arr);
@@ -14683,7 +15616,7 @@ class SignaturePacket {
     return util.concat([length, result]);
   }
 
-  // V4 signature sub packets
+  // Signature subpackets
   readSubPacket(bytes, hashed = true) {
     let mypos = 0;
 
@@ -14691,15 +15624,19 @@ class SignaturePacket {
     const critical = !!(bytes[mypos] & 0x80);
     const type = bytes[mypos] & 0x7F;
 
+    mypos++;
+
     if (!hashed) {
-      this.unhashedSubpackets.push(bytes.subarray(mypos, bytes.length));
+      this.unhashedSubpackets.push({
+        type,
+        critical,
+        body: bytes.subarray(mypos, bytes.length)
+      });
       if (!allowedUnhashedSubpackets.has(type)) {
         return;
       }
     }
 
-    mypos++;
-
     // subpacket type
     switch (type) {
       case enums.signatureSubpacket.signatureCreationTime:
@@ -14871,14 +15808,13 @@ class SignaturePacket {
           this.preferredCipherSuites.push([bytes[i], bytes[i + 1]]);
         }
         break;
-      default: {
-        const err = new Error(`Unknown signature subpacket type ${type}`);
-        if (critical) {
-          throw err;
-        } else {
-          util.printDebug(err);
-        }
-      }
+      default:
+        this.unknownSubpackets.push({
+          type,
+          critical,
+          body: bytes.subarray(mypos, bytes.length)
+        });
+        break;
     }
   }
 
@@ -15078,6 +16014,11 @@ class SignaturePacket {
       [enums.signature.binary, enums.signature.text].includes(this.signatureType)) {
       throw new Error('Insecure message hash algorithm: ' + enums.read(enums.hash, this.hashAlgorithm).toUpperCase());
     }
+    this.unknownSubpackets.forEach(({ type, critical }) => {
+      if (critical) {
+        throw new Error(`Unknown critical signature subpacket type ${type}`);
+      }
+    });
     this.rawNotations.forEach(({ name, critical }) => {
       if (critical && (config$1.knownNotations.indexOf(name) < 0)) {
         throw new Error(`Unknown critical notation: ${name}`);
@@ -16057,7 +16998,7 @@ async function runAEAD(packet, fn, key, data) {
           done = true;
         }
         cryptedBytes += chunk.length - tagLengthIfDecrypting;
-        // eslint-disable-next-line no-loop-func
+        // eslint-disable-next-line @typescript-eslint/no-loop-func
         latestPromise = latestPromise.then(() => cryptedPromise).then(async crypted => {
           await writer.ready;
           await writer.write(crypted);
@@ -16377,10 +17318,11 @@ class PublicKeyEncryptedSessionKeyPacket {
     // No symmetric encryption algorithm identifier is passed to the public-key algorithm for a
     // v6 PKESK packet, as it is included in the v2 SEIPD packet.
     const sessionKeyAlgorithm = this.version === 3 ? this.sessionKeyAlgorithm : null;
+    const fingerprint = key.version === 5 ? key.getFingerprintBytes().subarray(0, 20) : key.getFingerprintBytes();
     const encoded = encodeSessionKey(this.version, algo, sessionKeyAlgorithm, this.sessionKey);
     const privateParams = algo === enums.publicKey.aead ? key.privateParams : null;
     this.encrypted = await mod.publicKeyEncrypt(
-      algo, sessionKeyAlgorithm, key.publicParams, privateParams, encoded, key.getFingerprintBytes());
+      algo, sessionKeyAlgorithm, key.publicParams, privateParams, encoded, fingerprint);
   }
 
   /**
@@ -16400,7 +17342,8 @@ class PublicKeyEncryptedSessionKeyPacket {
     const randomPayload = randomSessionKey ?
       encodeSessionKey(this.version, this.publicKeyAlgorithm, randomSessionKey.sessionKeyAlgorithm, randomSessionKey.sessionKey) :
       null;
-    const decryptedData = await mod.publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, key.getFingerprintBytes(), randomPayload);
+    const fingerprint = key.version === 5 ? key.getFingerprintBytes().subarray(0, 20) : key.getFingerprintBytes();
+    const decryptedData = await mod.publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, fingerprint, randomPayload);
 
     const { sessionKey, sessionKeyAlgorithm } = decodeSessionKey(this.version, this.publicKeyAlgorithm, decryptedData, randomSessionKey);
 
@@ -16805,10 +17748,13 @@ class PublicKeyPacket {
    * @returns {Object} This object with attributes set by the parser
    * @async
    */
-  async read(bytes) {
+  async read(bytes, config$1 = config) {
     let pos = 0;
     // A one-octet version number (4, 5 or 6).
     this.version = bytes[pos++];
+    if (this.version === 5 && !config$1.enableParsingV5Entities) {
+      throw new UnsupportedError('Support for parsing v5 entities is disabled; turn on `config.enableParsingV5Entities` if needed');
+    }
 
     if (this.version === 4 || this.version === 5 || this.version === 6) {
       // - A four-octet number denoting the time that the key was created.
@@ -17193,7 +18139,7 @@ class PublicSubkeyPacket extends PublicKeyPacket {
    * @param {Date} [date] - Creation date
    * @param {Object} [config] - Full configuration, defaults to openpgp.config
    */
-  // eslint-disable-next-line no-useless-constructor
+  // eslint-disable-next-line @typescript-eslint/no-useless-constructor
   constructor(date, config) {
     super(date, config);
   }
@@ -17400,7 +18346,7 @@ class SecretKeyPacket extends PublicKeyPacket {
    */
   async read(bytes, config$1 = config) {
     // - A Public-Key or Public-Subkey packet, as described above.
-    let i = await this.readPublicKey(bytes);
+    let i = await this.readPublicKey(bytes, config$1);
     const startOfSecretKeyData = i;
 
     // - One octet indicating string-to-key usage conventions.  Zero
@@ -17690,13 +18636,13 @@ class SecretKeyPacket extends PublicKeyPacket {
 
     if (config$1.aeadProtect) {
       this.s2kUsage = 253;
-      this.aead = enums.aead.eax;
+      this.aead = config$1.preferredAEADAlgorithm;
       const mode = mod.getAEADMode(this.aead);
       this.isLegacyAEAD = this.version === 5; // v4 is always re-encrypted with standard format instead.
       this.usedModernAEAD = !this.isLegacyAEAD; // legacy AEAD does not guarantee integrity of public key material
 
       const serializedPacketTag = writeTag(this.constructor.tag);
-      const key = await produceEncryptionKey(this.version, this.s2k, passphrase, this.symmetric, this.aead, serializedPacketTag);
+      const key = await produceEncryptionKey(this.version, this.s2k, passphrase, this.symmetric, this.aead, serializedPacketTag, this.isLegacyAEAD);
 
       const modeInstance = await mode(this.symmetric, key);
       this.iv = this.isLegacyAEAD ? mod.random.getRandomBytes(blockSize) : mod.random.getRandomBytes(mode.ivLength);
@@ -17866,6 +18812,12 @@ class SecretKeyPacket extends PublicKeyPacket {
  * @returns encryption key
  */
 async function produceEncryptionKey(keyVersion, s2k, passphrase, cipherAlgo, aeadMode, serializedPacketTag, isLegacyAEAD) {
+  if (s2k.type === 'argon2' && !aeadMode) {
+    throw new Error('Using Argon2 S2K without AEAD is not allowed');
+  }
+  if (s2k.type === 'simple' && keyVersion === 6) {
+    throw new Error('Using Simple S2K with version 6 keys is not allowed');
+  }
   const { keySize } = mod.getCipherParams(cipherAlgo);
   const derivedKey = await s2k.produceKey(passphrase, keySize);
   if (!aeadMode || keyVersion === 5 || isLegacyAEAD) {
@@ -18098,7 +19050,7 @@ class PaddingPacket {
    * Read a padding packet
    * @param {Uint8Array | ReadableStream<Uint8Array>} bytes
    */
-  read(bytes) { // eslint-disable-line no-unused-vars
+  read(bytes) { // eslint-disable-line @typescript-eslint/no-unused-vars
     // Padding packets are ignored, so this function is never called.
   }
 
@@ -18244,6 +19196,8 @@ async function generateSecretKey(options, config) {
  * Returns the valid and non-expired signature that has the latest creation date, while ignoring signatures created in the future.
  * @param {Array<SignaturePacket>} signatures - List of signatures
  * @param {PublicKeyPacket|PublicSubkeyPacket} publicKey - Public key packet to verify the signature
+ * @param {module:enums.signature} signatureType - Signature type to determine how to hash the data (NB: for userID signatures,
+ *                          `enums.signatures.certGeneric` should be given regardless of the actual trust level)
  * @param {Date} date - Use the given date instead of the current time
  * @param {Object} config - full configuration
  * @returns {Promise<SignaturePacket>} The latest valid signature.
@@ -18492,8 +19446,14 @@ async function isDataRevoked(primaryKey, signatureType, dataToVerify, revocation
         // `verifyAllCertifications`.)
         !signature || revocationSignature.issuerKeyID.equals(signature.issuerKeyID)
       ) {
+        const isHardRevocation = ![
+          enums.reasonForRevocation.keyRetired,
+          enums.reasonForRevocation.keySuperseded,
+          enums.reasonForRevocation.userIDInvalid
+        ].includes(revocationSignature.reasonForRevocationFlag);
+
         await revocationSignature.verify(
-          key, signatureType, dataToVerify, date, false, config
+          key, signatureType, dataToVerify, isHardRevocation ? null : date, false, config
         );
 
         // TODO get an identifier of the revoked object instead
@@ -19652,6 +20612,7 @@ class Key {
       }
     }
     if (!users.length) {
+      // eslint-disable-next-line @typescript-eslint/no-throw-literal
       throw exception || new Error('Could not find primary user');
     }
     await Promise.all(users.map(async function (a) {
@@ -20479,7 +21440,7 @@ async function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, conf
       key: secretKeyPacket
     };
     const signatureProperties = secretKeyPacket.version !== 6 ? getKeySignatureProperties() : {};
-    signatureProperties.signatureType = enums.signature.certGeneric;
+    signatureProperties.signatureType = enums.signature.certPositive;
     if (index === 0) {
       signatureProperties.isPrimaryUserID = true;
     }
@@ -20562,7 +21523,12 @@ async function readKey({ armoredKey, binaryKey, config: config$1, ...rest }) {
     input = binaryKey;
   }
   const packetlist = await PacketList.fromBinary(input, allowedKeyPackets, config$1);
-  return createKey(packetlist);
+  const keyIndex = packetlist.indexOfTag(enums.packet.publicKey, enums.packet.secretKey);
+  if (keyIndex.length === 0) {
+    throw new Error('No key packet found');
+  }
+  const firstKeyPacketList = packetlist.slice(keyIndex[0], keyIndex[1]);
+  return createKey(firstKeyPacketList);
 }
 
 /**
@@ -20599,7 +21565,15 @@ async function readPrivateKey({ armoredKey, binaryKey, config: config$1, ...rest
     input = binaryKey;
   }
   const packetlist = await PacketList.fromBinary(input, allowedKeyPackets, config$1);
-  return new PrivateKey(packetlist);
+  const keyIndex = packetlist.indexOfTag(enums.packet.publicKey, enums.packet.secretKey);
+  for (let i = 0; i < keyIndex.length; i++) {
+    if (packetlist[keyIndex[i]].constructor.tag === enums.packet.publicKey) {
+      continue;
+    }
+    const firstPrivateKeyList = packetlist.slice(keyIndex[i], keyIndex[i + 1]);
+    return new PrivateKey(firstPrivateKeyList);
+  }
+  throw new Error('No secret key packet found');
 }
 
 /**
@@ -20678,15 +21652,18 @@ async function readPrivateKeys({ armoredKeys, binaryKeys, config: config$1 }) {
   }
   const keys = [];
   const packetlist = await PacketList.fromBinary(input, allowedKeyPackets, config$1);
-  const keyIndex = packetlist.indexOfTag(enums.packet.secretKey);
-  if (keyIndex.length === 0) {
-    throw new Error('No secret key packet found');
-  }
+  const keyIndex = packetlist.indexOfTag(enums.packet.publicKey, enums.packet.secretKey);
   for (let i = 0; i < keyIndex.length; i++) {
+    if (packetlist[keyIndex[i]].constructor.tag === enums.packet.publicKey) {
+      continue;
+    }
     const oneKeyList = packetlist.slice(keyIndex[i], keyIndex[i + 1]);
     const newKey = new PrivateKey(oneKeyList);
     keys.push(newKey);
   }
+  if (keys.length === 0) {
+    throw new Error('No secret key packet found');
+  }
   return keys;
 }
 
@@ -22100,7 +23077,7 @@ async function encrypt({ message, encryptionKeys, signingKeys, passwords, sessio
     // serialize data
     const armor = format === 'armored';
     const data = armor ? message.armor(config$1) : message.write();
-    return convertStream(data);
+    return await convertStream(data);
   } catch (err) {
     throw util.wrapError('Error encrypting message', err);
   }
@@ -22237,7 +23214,7 @@ async function sign({ message, signingKeys, format = 'armored', detached = false
         ]);
       });
     }
-    return convertStream(signature);
+    return await convertStream(signature);
   } catch (err) {
     throw util.wrapError('Error signing message', err);
   }
@@ -22288,7 +23265,7 @@ async function verify({ message, verificationKeys, expectSigned = false, format
       result.signatures = await message.verify(verificationKeys, date, config$1);
     }
     result.data = format === 'binary' ? message.getLiteralData() : message.getText();
-    if (message.fromStream) linkStreams(result, message);
+    if (message.fromStream && !signature) linkStreams(result, message);
     if (expectSigned) {
       if (result.signatures.length === 0) {
         throw new Error('Message is not signed');
@@ -22420,12 +23397,12 @@ async function decryptSessionKeys({ message, decryptionKeys, passwords, date = n
  */
 function checkString(data, name) {
   if (!util.isString(data)) {
-    throw new Error('Parameter [' + (name || 'data') + '] must be of type String');
+    throw new Error('Parameter [' + (name ) + '] must be of type String');
   }
 }
 function checkBinary(data, name) {
   if (!util.isUint8Array(data)) {
-    throw new Error('Parameter [' + (name || 'data') + '] must be of type Uint8Array');
+    throw new Error('Parameter [' + ('data') + '] must be of type Uint8Array');
   }
 }
 function checkMessage(message) {