npm - @protontech/openpgp - Versions diffs - 6.0.0-beta.1 → 6.0.0-beta.2 - Mend

@protontech/openpgp 6.0.0-beta.1 → 6.0.0-beta.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/README.md +2 -2
package/dist/lightweight/argon2id.min.mjs +1 -1
package/dist/lightweight/argon2id.mjs +1 -1
package/dist/lightweight/legacy_ciphers.min.mjs +1 -1
package/dist/lightweight/legacy_ciphers.mjs +1 -1
package/dist/lightweight/noble_curves.min.mjs +1 -1
package/dist/lightweight/noble_curves.mjs +1 -1
package/dist/lightweight/noble_hashes.min.mjs +1 -1
package/dist/lightweight/noble_hashes.mjs +1 -1
package/dist/lightweight/openpgp.min.mjs +3 -2
package/dist/lightweight/openpgp.min.mjs.map +1 -1
package/dist/lightweight/openpgp.mjs +1011 -168
package/dist/lightweight/sha3.min.mjs +1 -1
package/dist/lightweight/sha3.mjs +1 -1
package/dist/node/openpgp.cjs +985 -134
package/dist/node/openpgp.min.cjs +12 -11
package/dist/node/openpgp.min.cjs.map +1 -1
package/dist/node/openpgp.min.mjs +12 -11
package/dist/node/openpgp.min.mjs.map +1 -1
package/dist/node/openpgp.mjs +984 -134
package/dist/openpgp.js +1011 -168
package/dist/openpgp.min.js +12 -11
package/dist/openpgp.min.js.map +1 -1
package/dist/openpgp.min.mjs +12 -11
package/dist/openpgp.min.mjs.map +1 -1
package/dist/openpgp.mjs +1011 -168
package/openpgp.d.ts +8 -1
package/package.json +6 -5

package/dist/node/openpgp.mjs CHANGED Viewed

@@ -1,8 +1,9 @@
-/*! OpenPGP.js v6.0.0-beta.1 - 2024-05-17 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.0.0-beta.2 - 2024-07-05 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 import { createRequire } from 'module';
 import * as nc from 'node:crypto';
+import * as nodeCrypto$b from 'crypto';
 const doneWritingPromise = Symbol('doneWritingPromise');
 const doneWritingResolve = Symbol('doneWritingResolve');
@@ -546,9 +547,10 @@ function transformRaw(input, options) {
  * @param {Function} cancel
  * @returns {TransformStream}
  */
-function transformWithCancel(cancel) {
+function transformWithCancel(customCancel) {
   let pulled = false;
-  let backpressureChangePromiseResolve;
+  let cancelled = false;
+  let backpressureChangePromiseResolve, backpressureChangePromiseReject;
   let outputController;
   return {
     readable: new ReadableStream({
@@ -562,16 +564,29 @@ function transformWithCancel(cancel) {
           pulled = true;
         }
       },
-      cancel
+      async cancel(reason) {
+        cancelled = true;
+        if (customCancel) {
+          await customCancel(reason);
+        }
+        if (backpressureChangePromiseReject) {
+          backpressureChangePromiseReject(reason);
+        }
+      }
     }, {highWaterMark: 0}),
     writable: new WritableStream({
       write: async function(chunk) {
+        if (cancelled) {
+          throw new Error('Stream is cancelled');
+        }
         outputController.enqueue(chunk);
         if (!pulled) {
-          await new Promise(resolve => {
+          await new Promise((resolve, reject) => {
             backpressureChangePromiseResolve = resolve;
+            backpressureChangePromiseReject = reject;
           });
           backpressureChangePromiseResolve = null;
+          backpressureChangePromiseReject = null;
         } else {
           pulled = false;
         }
@@ -1507,6 +1522,14 @@ var config = {
    * @property {Boolean} v6Keys
    */
   v6Keys: false,
+  /**
+   * Enable parsing v5 keys and v5 signatures (which is different from the AEAD-encrypted SEIPDv2 packet).
+   * These are non-standard entities, which in the crypto-refresh have been superseded
+   * by v6 keys and v6 signatures, respectively.
+   * However, generation of v5 entities was supported behind config flag in OpenPGP.js v5, and some other libraries,
+   * hence parsing them might be necessary in some cases.
+   */
+  enableParsingV5Entities: false,
   /**
    * S2K (String to Key) type, used for key derivation in the context of secret key encryption
    * and password-encrypted data. Weaker s2k options are not allowed.
@@ -1663,7 +1686,7 @@ var config = {
    * @memberof module:config
    * @property {String} versionString A version string to be included in armored messages
    */
-  versionString: 'OpenPGP.js 6.0.0-beta.1',
+  versionString: 'OpenPGP.js 6.0.0-beta.2',
   /**
    * @memberof module:config
    * @property {String} commentString A comment string to be included in armored messages
@@ -5836,8 +5859,8 @@ var mode = {
 };
 // Operations are not constant time, but we try and limit timing leakage where we can
-const _0n$8 = BigInt(0);
-const _1n$d = BigInt(1);
+const _0n$9 = BigInt(0);
+const _1n$e = BigInt(1);
 function uint8ArrayToBigInt(bytes) {
     const hexAlphabet = '0123456789ABCDEF';
     let s = '';
@@ -5846,9 +5869,9 @@ function uint8ArrayToBigInt(bytes) {
     });
     return BigInt('0x0' + s);
 }
-function mod$2(a, m) {
+function mod$3(a, m) {
     const reduced = a % m;
-    return reduced < _0n$8 ? reduced + m : reduced;
+    return reduced < _0n$9 ? reduced + m : reduced;
 }
 /**
  * Compute modular exponentiation using square and multiply
@@ -5858,19 +5881,19 @@ function mod$2(a, m) {
  * @returns {BigInt} b ** e mod n.
  */
 function modExp(b, e, n) {
-    if (n === _0n$8)
+    if (n === _0n$9)
         throw Error('Modulo cannot be zero');
-    if (n === _1n$d)
+    if (n === _1n$e)
         return BigInt(0);
-    if (e < _0n$8)
+    if (e < _0n$9)
         throw Error('Unsopported negative exponent');
     let exp = e;
     let x = b;
     x %= n;
     let r = BigInt(1);
-    while (exp > _0n$8) {
-        const lsb = exp & _1n$d;
-        exp >>= _1n$d; // e / 2
+    while (exp > _0n$9) {
+        const lsb = exp & _1n$e;
+        exp >>= _1n$e; // e / 2
         // Always compute multiplication step, to reduce timing leakage
         const rx = (r * x) % n;
         // Update r only if lsb is 1 (odd exponent)
@@ -5880,7 +5903,7 @@ function modExp(b, e, n) {
     return r;
 }
 function abs(x) {
-    return x >= _0n$8 ? x : -x;
+    return x >= _0n$9 ? x : -x;
 }
 /**
  * Extended Eucleadian algorithm (http://anh.cs.luc.edu/331/notes/xgcd.pdf)
@@ -5900,9 +5923,9 @@ function _egcd(aInput, bInput) {
     // See https://math.stackexchange.com/questions/37806/extended-euclidean-algorithm-with-negative-numbers
     let a = abs(aInput);
     let b = abs(bInput);
-    const aNegated = aInput < _0n$8;
-    const bNegated = bInput < _0n$8;
-    while (b !== _0n$8) {
+    const aNegated = aInput < _0n$9;
+    const bNegated = bInput < _0n$9;
+    while (b !== _0n$9) {
         const q = a / b;
         let tmp = x;
         x = xPrev - q * x;
@@ -5930,10 +5953,10 @@ function _egcd(aInput, bInput) {
  */
 function modInv(a, n) {
     const { gcd, x } = _egcd(a, n);
-    if (gcd !== _1n$d) {
+    if (gcd !== _1n$e) {
         throw new Error('Inverse does not exist');
     }
-    return mod$2(x + n, n);
+    return mod$3(x + n, n);
 }
 /**
  * Compute greatest common divisor between this and n
@@ -5944,7 +5967,7 @@ function modInv(a, n) {
 function gcd(aInput, bInput) {
     let a = aInput;
     let b = bInput;
-    while (b !== _0n$8) {
+    while (b !== _0n$9) {
         const tmp = b;
         b = a % b;
         a = tmp;
@@ -5971,8 +5994,8 @@ function bigIntToNumber(x) {
  * @returns {Number} Bit value.
  */
 function getBit(x, i) {
-    const bit = (x >> BigInt(i)) & _1n$d;
-    return bit === _0n$8 ? 0 : 1;
+    const bit = (x >> BigInt(i)) & _1n$e;
+    return bit === _0n$9 ? 0 : 1;
 }
 /**
  * Compute bit length
@@ -5980,11 +6003,11 @@ function getBit(x, i) {
 function bitLength(x) {
     // -1n >> -1n is -1n
     // 1n >> 1n is 0n
-    const target = x < _0n$8 ? BigInt(-1) : _0n$8;
+    const target = x < _0n$9 ? BigInt(-1) : _0n$9;
     let bitlen = 1;
     let tmp = x;
     // eslint-disable-next-line no-cond-assign
-    while ((tmp >>= _1n$d) !== target) {
+    while ((tmp >>= _1n$e) !== target) {
         bitlen++;
     }
     return bitlen;
@@ -5993,7 +6016,7 @@ function bitLength(x) {
  * Compute byte length
  */
 function byteLength(x) {
-    const target = x < _0n$8 ? BigInt(-1) : _0n$8;
+    const target = x < _0n$9 ? BigInt(-1) : _0n$9;
     const _8n = BigInt(8);
     let len = 1;
     let tmp = x;
@@ -6088,7 +6111,7 @@ function getRandomBigInteger(min, max) {
   // However, we request 64 extra random bits so that the bias is negligible.
   // Section B.1.1 here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
   const r = uint8ArrayToBigInt(getRandomBytes(bytes + 8));
-  return mod$2(r, modulus) + min;
+  return mod$3(r, modulus) + min;
 }
 var random = /*#__PURE__*/Object.freeze({
@@ -6117,7 +6140,7 @@ var random = /*#__PURE__*/Object.freeze({
  * @fileoverview Algorithms for probabilistic random prime generation
  * @module crypto/public_key/prime
  */
-const _1n$c = BigInt(1);
+const _1n$d = BigInt(1);
 /**
  * Generate a probably prime random number
  * @param bits - Bit length of the prime
@@ -6126,7 +6149,7 @@ const _1n$c = BigInt(1);
  */
 function randomProbablePrime(bits, e, k) {
     const _30n = BigInt(30);
-    const min = _1n$c << BigInt(bits - 1);
+    const min = _1n$d << BigInt(bits - 1);
     /*
      * We can avoid any multiples of 3 and 5 by looking at n mod 30
      * n mod 30 = 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
@@ -6134,16 +6157,16 @@ function randomProbablePrime(bits, e, k) {
      *            1  7  7  7  7  7  7 11 11 11 11 13 13 17 17 17 17 19 19 23 23 23 23 29 29 29 29 29 29 1
      */
     const adds = [1, 6, 5, 4, 3, 2, 1, 4, 3, 2, 1, 2, 1, 4, 3, 2, 1, 2, 1, 4, 3, 2, 1, 6, 5, 4, 3, 2, 1, 2];
-    let n = getRandomBigInteger(min, min << _1n$c);
-    let i = bigIntToNumber(mod$2(n, _30n));
+    let n = getRandomBigInteger(min, min << _1n$d);
+    let i = bigIntToNumber(mod$3(n, _30n));
     do {
         n += BigInt(adds[i]);
         i = (i + adds[i]) % adds.length;
         // If reached the maximum, go back to the minimum.
         if (bitLength(n) > bits) {
-            n = mod$2(n, min << _1n$c);
+            n = mod$3(n, min << _1n$d);
             n += min;
-            i = bigIntToNumber(mod$2(n, _30n));
+            i = bigIntToNumber(mod$3(n, _30n));
         }
     } while (!isProbablePrime(n, e, k));
     return n;
@@ -6155,7 +6178,7 @@ function randomProbablePrime(bits, e, k) {
  * @param k - Optional number of iterations of Miller-Rabin test
  */
 function isProbablePrime(n, e, k) {
-    if (e && gcd(n - _1n$c, e) !== _1n$c) {
+    if (e && gcd(n - _1n$d, e) !== _1n$d) {
         return false;
     }
     if (!divisionTest(n)) {
@@ -6178,11 +6201,11 @@ function isProbablePrime(n, e, k) {
  * @param b - Optional Fermat test base
  */
 function fermat(n, b = BigInt(2)) {
-    return modExp(b, n - _1n$c, n) === _1n$c;
+    return modExp(b, n - _1n$d, n) === _1n$d;
 }
 function divisionTest(n) {
     const _0n = BigInt(0);
-    return smallPrimes.every(m => mod$2(n, m) !== _0n);
+    return smallPrimes.every(m => mod$3(n, m) !== _0n);
 }
 // https://github.com/gpg/libgcrypt/blob/master/cipher/primegen.c
 const smallPrimes = [
@@ -6306,7 +6329,7 @@ function millerRabin(n, k, rand) {
     if (!k) {
         k = Math.max(1, (len / 48) | 0);
     }
-    const n1 = n - _1n$c; // n - 1
+    const n1 = n - _1n$d; // n - 1
     // Find d and s, (n - 1) = (2 ^ s) * d;
     let s = 0;
     while (!getBit(n1, s)) {
@@ -6316,13 +6339,13 @@ function millerRabin(n, k, rand) {
     for (; k > 0; k--) {
         const a = getRandomBigInteger(BigInt(2), n1);
         let x = modExp(a, d, n);
-        if (x === _1n$c || x === n1) {
+        if (x === _1n$d || x === n1) {
             continue;
         }
         let i;
         for (i = 1; i < s; i++) {
-            x = mod$2(x * x, n);
-            if (x === _1n$c) {
+            x = mod$3(x * x, n);
+            if (x === _1n$d) {
                 return false;
             }
             if (x === n1) {
@@ -6516,7 +6539,7 @@ var pkcs1 = /*#__PURE__*/Object.freeze({
 const webCrypto$6 = util.getWebCrypto();
 const nodeCrypto$4 = util.getNodeCrypto();
-const _1n$b = BigInt(1);
+const _1n$c = BigInt(1);
 /** Create signature
  * @param {module:enums.hash} hashAlgo - Hash algorithm
@@ -6557,7 +6580,7 @@ async function sign$7(hashAlgo, data, n, e, d, p, q, u, hashed) {
  * @returns {Boolean}
  * @async
  */
-async function verify$7(hashAlgo, data, s, n, e, hashed) {
+async function verify$8(hashAlgo, data, s, n, e, hashed) {
   if (data && !util.isStream(data)) {
     if (util.getWebCrypto()) {
       try {
@@ -6680,7 +6703,7 @@ async function generate$5(bits, e) {
     n = p * q;
   } while (bitLength(n) !== bits);
-  const phi = (p - _1n$b) * (q - _1n$b);
+  const phi = (p - _1n$c) * (q - _1n$c);
   if (q < p) {
     [p, q] = [q, p];
@@ -6722,7 +6745,7 @@ async function validateParams$9(n, e, d, p, q, u) {
   const _2n = BigInt(2);
   // expect p*u = 1 mod q
   u = uint8ArrayToBigInt(u);
-  if (mod$2(p * u, q) !== BigInt(1)) {
+  if (mod$3(p * u, q) !== BigInt(1)) {
     return false;
   }
@@ -6739,7 +6762,7 @@ async function validateParams$9(n, e, d, p, q, u) {
   const r = getRandomBigInteger(_2n, _2n << nSizeOver3); // r in [ 2, 2^{|n|/3} ) < p and q
   const rde = r * d * e;
-  const areInverses = mod$2(rde, p - _1n$b) === r && mod$2(rde, q - _1n$b) === r;
+  const areInverses = mod$3(rde, p - _1n$c) === r && mod$3(rde, q - _1n$c) === r;
   if (!areInverses) {
     return false;
   }
@@ -6858,20 +6881,20 @@ async function bnDecrypt(data, n, e, d, p, q, u, randomPayload) {
   if (data >= n) {
     throw new Error('Data too large.');
   }
-  const dq = mod$2(d, q - _1n$b); // d mod (q-1)
-  const dp = mod$2(d, p - _1n$b); // d mod (p-1)
+  const dq = mod$3(d, q - _1n$c); // d mod (q-1)
+  const dp = mod$3(d, p - _1n$c); // d mod (p-1)
   const unblinder = getRandomBigInteger(BigInt(2), n);
   const blinder = modExp(modInv(unblinder, n), e, n);
-  data = mod$2(data * blinder, n);
+  data = mod$3(data * blinder, n);
   const mp = modExp(data, dp, p); // data**{d mod (q-1)} mod p
   const mq = modExp(data, dq, q); // data**{d mod (p-1)} mod q
-  const h = mod$2(u * (mq - mp), q); // u * (mq-mp) mod q (operands already < q)
+  const h = mod$3(u * (mq - mp), q); // u * (mq-mp) mod q (operands already < q)
   let result = h * p + mp; // result < n due to relations above
-  result = mod$2(result * unblinder, n);
+  result = mod$3(result * unblinder, n);
   return emeDecode(bigIntToUint8Array(result, 'be', byteLength(n)), randomPayload);
 }
@@ -6891,8 +6914,8 @@ async function privateToJWK$1(n, e, d, p, q, u) {
   const qNum = uint8ArrayToBigInt(q);
   const dNum = uint8ArrayToBigInt(d);
-  let dq = mod$2(dNum, qNum - _1n$b); // d mod (q-1)
-  let dp = mod$2(dNum, pNum - _1n$b); // d mod (p-1)
+  let dq = mod$3(dNum, qNum - _1n$c); // d mod (q-1)
+  let dp = mod$3(dNum, pNum - _1n$c); // d mod (p-1)
   dp = bigIntToUint8Array(dp);
   dq = bigIntToUint8Array(dq);
   return {
@@ -6947,7 +6970,7 @@ var rsa = /*#__PURE__*/Object.freeze({
   generate: generate$5,
   sign: sign$7,
   validateParams: validateParams$9,
-  verify: verify$7
+  verify: verify$8
 });
 // GPG4Browsers - An OpenPGP implementation in javascript
@@ -6968,7 +6991,7 @@ var rsa = /*#__PURE__*/Object.freeze({
 // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-const _1n$a = BigInt(1);
+const _1n$b = BigInt(1);
 /**
  * ElGamal Encryption function
@@ -6990,10 +7013,10 @@ async function encrypt$3(data, p, g, y) {
   // OpenPGP uses a "special" version of ElGamal where g is generator of the full group Z/pZ*
   // hence g has order p-1, and to avoid that k = 0 mod p-1, we need to pick k in [1, p-2]
-  const k = getRandomBigInteger(_1n$a, p - _1n$a);
+  const k = getRandomBigInteger(_1n$b, p - _1n$b);
   return {
     c1: bigIntToUint8Array(modExp(g, k, p)),
-    c2: bigIntToUint8Array(mod$2(modExp(y, k, p) * m, p))
+    c2: bigIntToUint8Array(mod$3(modExp(y, k, p) * m, p))
   };
 }
@@ -7015,7 +7038,7 @@ async function decrypt$3(c1, c2, p, x, randomPayload) {
   p = uint8ArrayToBigInt(p);
   x = uint8ArrayToBigInt(x);
-  const padded = mod$2(modInv(modExp(c1, x, p), p) * c2, p);
+  const padded = mod$3(modInv(modExp(c1, x, p), p) * c2, p);
   return emeDecode(bigIntToUint8Array(padded, 'be', byteLength(p)), randomPayload);
 }
@@ -7034,7 +7057,7 @@ async function validateParams$8(p, g, y, x) {
   y = uint8ArrayToBigInt(y);
   // Check that 1 < g < p
-  if (g <= _1n$a || g >= p) {
+  if (g <= _1n$b || g >= p) {
     return false;
   }
@@ -7049,7 +7072,7 @@ async function validateParams$8(p, g, y, x) {
    * g should have order p-1
    * Check that g ** (p-1) = 1 mod p
    */
-  if (modExp(g, p - _1n$a, p) !== _1n$a) {
+  if (modExp(g, p - _1n$b, p) !== _1n$b) {
     return false;
   }
@@ -7064,8 +7087,8 @@ async function validateParams$8(p, g, y, x) {
   const _2n = BigInt(2);
   const threshold = _2n << BigInt(17); // we want order > threshold
   while (i < threshold) {
-    res = mod$2(res * g, p);
-    if (res === _1n$a) {
+    res = mod$3(res * g, p);
+    if (res === _1n$b) {
       return false;
     }
     i++;
@@ -7078,8 +7101,8 @@ async function validateParams$8(p, g, y, x) {
    * Blinded exponentiation computes g**{r(p-1) + x} to compare to y
    */
   x = uint8ArrayToBigInt(x);
-  const r = getRandomBigInteger(_2n << (pSize - _1n$a), _2n << pSize); // draw r of same size as p-1
-  const rqx = (p - _1n$a) * r + x;
+  const r = getRandomBigInteger(_2n << (pSize - _1n$b), _2n << pSize); // draw r of same size as p-1
+  const rqx = (p - _1n$b) * r + x;
   if (y !== modExp(g, rqx, p)) {
     return false;
   }
@@ -7096,7 +7119,7 @@ var elgamal = /*#__PURE__*/Object.freeze({
 // We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+.
 // See utils.ts for details.
-const crypto$3 =
+const crypto$4 =
   nc && typeof nc === 'object' && 'webcrypto' in nc ? nc.webcrypto : undefined;
 const nacl = {};
@@ -8459,13 +8482,13 @@ nacl.setPRNG = function(fn) {
 (function() {
   // Initialize PRNG if environment provides CSPRNG.
   // If not, methods calling randombytes will throw.
-  if (crypto$3 && crypto$3.getRandomValues) {
+  if (crypto$4 && crypto$4.getRandomValues) {
     // Browsers and Node v16+
     var QUOTA = 65536;
     nacl.setPRNG(function(x, n) {
       var i, v = new Uint8Array(n);
       for (i = 0; i < n; i += QUOTA) {
-        crypto$3.getRandomValues(v.subarray(i, i + Math.min(n - i, QUOTA)));
+        crypto$4.getRandomValues(v.subarray(i, i + Math.min(n - i, QUOTA)));
       }
       for (i = 0; i < n; i++) x[i] = v[i];
       cleanup(v);
@@ -8943,7 +8966,8 @@ const curves = {
     node: nodeCurves[enums.curve.nistP256],
     web: webCurves[enums.curve.nistP256],
     payloadSize: 32,
-    sharedSize: 256
+    sharedSize: 256,
+    wireFormatLeadingByte: 0x04
   },
   [enums.curve.nistP384]: {
     oid: [0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22],
@@ -8953,7 +8977,8 @@ const curves = {
     node: nodeCurves[enums.curve.nistP384],
     web: webCurves[enums.curve.nistP384],
     payloadSize: 48,
-    sharedSize: 384
+    sharedSize: 384,
+    wireFormatLeadingByte: 0x04
   },
   [enums.curve.nistP521]: {
     oid: [0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x23],
@@ -8963,7 +8988,8 @@ const curves = {
     node: nodeCurves[enums.curve.nistP521],
     web: webCurves[enums.curve.nistP521],
     payloadSize: 66,
-    sharedSize: 528
+    sharedSize: 528,
+    wireFormatLeadingByte: 0x04
   },
   [enums.curve.secp256k1]: {
     oid: [0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x0A],
@@ -8971,14 +8997,16 @@ const curves = {
     hash: enums.hash.sha256,
     cipher: enums.symmetric.aes128,
     node: nodeCurves[enums.curve.secp256k1],
-    payloadSize: 32
+    payloadSize: 32,
+    wireFormatLeadingByte: 0x04
   },
   [enums.curve.ed25519Legacy]: {
     oid: [0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01],
     keyType: enums.publicKey.eddsaLegacy,
     hash: enums.hash.sha512,
     node: false, // nodeCurves.ed25519 TODO
-    payloadSize: 32
+    payloadSize: 32,
+    wireFormatLeadingByte: 0x40
   },
   [enums.curve.curve25519Legacy]: {
     oid: [0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55, 0x01, 0x05, 0x01],
@@ -8986,7 +9014,8 @@ const curves = {
     hash: enums.hash.sha256,
     cipher: enums.symmetric.aes128,
     node: false, // nodeCurves.curve25519 TODO
-    payloadSize: 32
+    payloadSize: 32,
+    wireFormatLeadingByte: 0x40
   },
   [enums.curve.brainpoolP256r1]: {
     oid: [0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x07],
@@ -8994,7 +9023,8 @@ const curves = {
     hash: enums.hash.sha256,
     cipher: enums.symmetric.aes128,
     node: nodeCurves[enums.curve.brainpoolP256r1],
-    payloadSize: 32
+    payloadSize: 32,
+    wireFormatLeadingByte: 0x04
   },
   [enums.curve.brainpoolP384r1]: {
     oid: [0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0B],
@@ -9002,7 +9032,8 @@ const curves = {
     hash: enums.hash.sha384,
     cipher: enums.symmetric.aes192,
     node: nodeCurves[enums.curve.brainpoolP384r1],
-    payloadSize: 48
+    payloadSize: 48,
+    wireFormatLeadingByte: 0x04
   },
   [enums.curve.brainpoolP512r1]: {
     oid: [0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0D],
@@ -9010,7 +9041,8 @@ const curves = {
     hash: enums.hash.sha512,
     cipher: enums.symmetric.aes256,
     node: nodeCurves[enums.curve.brainpoolP512r1],
-    payloadSize: 64
+    payloadSize: 64,
+    wireFormatLeadingByte: 0x04
   }
 };
@@ -9034,6 +9066,7 @@ class CurveWithOID {
     this.web = params.web;
     this.payloadSize = params.payloadSize;
     this.sharedSize = params.sharedSize;
+    this.wireFormatLeadingByte = params.wireFormatLeadingByte;
     if (this.web && util.getWebCrypto()) {
       this.type = 'web';
     } else if (this.node && util.getNodeCrypto()) {
@@ -9049,7 +9082,7 @@ class CurveWithOID {
     switch (this.type) {
       case 'web':
         try {
-          return await webGenKeyPair(this.name);
+          return await webGenKeyPair(this.name, this.wireFormatLeadingByte);
         } catch (err) {
           util.printDebugError('Browser did not support generating ec key ' + err.message);
           return jsGenKeyPair(this.name);
@@ -9062,13 +9095,13 @@ class CurveWithOID {
         privateKey[31] &= 248;
         const secretKey = privateKey.slice().reverse();
         const { publicKey: rawPublicKey } = nacl.box.keyPair.fromSecretKey(secretKey);
-        const publicKey = util.concatUint8Array([new Uint8Array([0x40]), rawPublicKey]);
+        const publicKey = util.concatUint8Array([new Uint8Array([this.wireFormatLeadingByte]), rawPublicKey]);
         return { publicKey, privateKey };
       }
       case 'ed25519Legacy': {
         const privateKey = getRandomBytes(32);
         const keyPair = nacl.sign.keyPair.fromSeed(privateKey);
-        const publicKey = util.concatUint8Array([new Uint8Array([0x40]), keyPair.publicKey]);
+        const publicKey = util.concatUint8Array([new Uint8Array([this.wireFormatLeadingByte]), keyPair.publicKey]);
         return { publicKey, privateKey };
       }
       default:
@@ -9154,6 +9187,20 @@ async function validateStandardParams(algo, oid, Q, d) {
   return true;
 }
+/**
+ * Check whether the public point has a valid encoding.
+ * NB: this function does not check e.g. whether the point belongs to the curve.
+ */
+function checkPublicPointEnconding(curve, V) {
+  const { payloadSize, wireFormatLeadingByte, name: curveName } = curve;
+  const pointSize = (curveName === enums.curve.curve25519Legacy || curveName === enums.curve.ed25519Legacy) ? payloadSize : payloadSize * 2;
+  if (V[0] !== wireFormatLeadingByte || V.length !== pointSize + 1) {
+    throw new Error('Invalid point encoding');
+  }
+}
 //////////////////////////
 //                      //
 //   Helper functions   //
@@ -9166,7 +9213,7 @@ async function jsGenKeyPair(name) {
   return { publicKey, privateKey };
 }
-async function webGenKeyPair(name) {
+async function webGenKeyPair(name, wireFormatLeadingByte) {
   // Note: keys generated with ECDSA and ECDH are structurally equivalent
   const webCryptoKey = await webCrypto$5.generateKey({ name: 'ECDSA', namedCurve: webCurves[name] }, true, ['sign', 'verify']);
@@ -9174,7 +9221,7 @@ async function webGenKeyPair(name) {
   const publicKey = await webCrypto$5.exportKey('jwk', webCryptoKey.publicKey);
   return {
-    publicKey: jwkToRawPublic(publicKey),
+    publicKey: jwkToRawPublic(publicKey, wireFormatLeadingByte),
     privateKey: b64ToUint8Array(privateKey.d)
   };
 }
@@ -9200,11 +9247,11 @@ async function nodeGenKeyPair(name) {
  *
  * @returns {Uint8Array} Raw public key.
  */
-function jwkToRawPublic(jwk) {
+function jwkToRawPublic(jwk, wireFormatLeadingByte) {
   const bufX = b64ToUint8Array(jwk.x);
   const bufY = b64ToUint8Array(jwk.y);
   const publicKey = new Uint8Array(bufX.length + bufY.length + 1);
-  publicKey[0] = 0x04;
+  publicKey[0] = wireFormatLeadingByte;
   publicKey.set(bufX, 1);
   publicKey.set(bufY, bufX.length + 1);
   return publicKey;
@@ -9283,6 +9330,7 @@ const nodeCrypto$2 = util.getNodeCrypto();
  */
 async function sign$6(oid, hashAlgo, message, publicKey, privateKey, hashed) {
   const curve = new CurveWithOID(oid);
+  checkPublicPointEnconding(curve, publicKey);
   if (message && !util.isStream(message)) {
     const keyPair = { publicKey, privateKey };
     switch (curve.type) {
@@ -9327,8 +9375,9 @@ async function sign$6(oid, hashAlgo, message, publicKey, privateKey, hashed) {
  * @returns {Boolean}
  * @async
  */
-async function verify$6(oid, hashAlgo, signature, message, publicKey, hashed) {
+async function verify$7(oid, hashAlgo, signature, message, publicKey, hashed) {
   const curve = new CurveWithOID(oid);
+  checkPublicPointEnconding(curve, publicKey);
   // See https://github.com/openpgpjs/openpgpjs/pull/948.
   // NB: the impact was more likely limited to Brainpool curves, since thanks
   // to WebCrypto availability, NIST curve should not have been affected.
@@ -9395,7 +9444,7 @@ async function validateParams$7(oid, Q, d) {
       try {
         const signature = await sign$6(oid, hashAlgo, message, Q, d, hashed);
         // eslint-disable-next-line @typescript-eslint/return-await
-        return await verify$6(oid, hashAlgo, signature, message, Q, hashed);
+        return await verify$7(oid, hashAlgo, signature, message, Q, hashed);
       } catch (err) {
         return false;
       }
@@ -9528,7 +9577,766 @@ var ecdsa = /*#__PURE__*/Object.freeze({
   __proto__: null,
   sign: sign$6,
   validateParams: validateParams$7,
-  verify: verify$6
+  verify: verify$7
+});
+/*! noble-ed25519 - MIT License (c) 2019 Paul Miller (paulmillr.com) */
+const _0n$8 = BigInt(0);
+const _1n$a = BigInt(1);
+const _2n$6 = BigInt(2);
+const _8n$2 = BigInt(8);
+const CU_O = BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989');
+const CURVE$1 = Object.freeze({
+    a: BigInt(-1),
+    d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
+    P: BigInt('57896044618658097711785492504343953926634992332820282019728792003956564819949'),
+    l: CU_O,
+    n: CU_O,
+    h: BigInt(8),
+    Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
+    Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
+});
+const POW_2_256 = BigInt('0x10000000000000000000000000000000000000000000000000000000000000000');
+const SQRT_M1 = BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
+BigInt('6853475219497561581579357271197624642482790079785650197046958215289687604742');
+const SQRT_AD_MINUS_ONE = BigInt('25063068953384623474111414158702152701244531502492656460079210482610430750235');
+const INVSQRT_A_MINUS_D = BigInt('54469307008909316920995813868745141605393597292927456921205312896311721017578');
+const ONE_MINUS_D_SQ = BigInt('1159843021668779879193775521855586647937357759715417654439879720876111806838');
+const D_MINUS_ONE_SQ = BigInt('40440834346308536858101042469323190826248399146238708352240133220865137265952');
+class ExtendedPoint {
+    constructor(x, y, z, t) {
+        this.x = x;
+        this.y = y;
+        this.z = z;
+        this.t = t;
+    }
+    static fromAffine(p) {
+        if (!(p instanceof Point)) {
+            throw new TypeError('ExtendedPoint#fromAffine: expected Point');
+        }
+        if (p.equals(Point.ZERO))
+            return ExtendedPoint.ZERO;
+        return new ExtendedPoint(p.x, p.y, _1n$a, mod$2(p.x * p.y));
+    }
+    static toAffineBatch(points) {
+        const toInv = invertBatch(points.map((p) => p.z));
+        return points.map((p, i) => p.toAffine(toInv[i]));
+    }
+    static normalizeZ(points) {
+        return this.toAffineBatch(points).map(this.fromAffine);
+    }
+    equals(other) {
+        assertExtPoint(other);
+        const { x: X1, y: Y1, z: Z1 } = this;
+        const { x: X2, y: Y2, z: Z2 } = other;
+        const X1Z2 = mod$2(X1 * Z2);
+        const X2Z1 = mod$2(X2 * Z1);
+        const Y1Z2 = mod$2(Y1 * Z2);
+        const Y2Z1 = mod$2(Y2 * Z1);
+        return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
+    }
+    negate() {
+        return new ExtendedPoint(mod$2(-this.x), this.y, this.z, mod$2(-this.t));
+    }
+    double() {
+        const { x: X1, y: Y1, z: Z1 } = this;
+        const { a } = CURVE$1;
+        const A = mod$2(X1 * X1);
+        const B = mod$2(Y1 * Y1);
+        const C = mod$2(_2n$6 * mod$2(Z1 * Z1));
+        const D = mod$2(a * A);
+        const x1y1 = X1 + Y1;
+        const E = mod$2(mod$2(x1y1 * x1y1) - A - B);
+        const G = D + B;
+        const F = G - C;
+        const H = D - B;
+        const X3 = mod$2(E * F);
+        const Y3 = mod$2(G * H);
+        const T3 = mod$2(E * H);
+        const Z3 = mod$2(F * G);
+        return new ExtendedPoint(X3, Y3, Z3, T3);
+    }
+    add(other) {
+        assertExtPoint(other);
+        const { x: X1, y: Y1, z: Z1, t: T1 } = this;
+        const { x: X2, y: Y2, z: Z2, t: T2 } = other;
+        const A = mod$2((Y1 - X1) * (Y2 + X2));
+        const B = mod$2((Y1 + X1) * (Y2 - X2));
+        const F = mod$2(B - A);
+        if (F === _0n$8)
+            return this.double();
+        const C = mod$2(Z1 * _2n$6 * T2);
+        const D = mod$2(T1 * _2n$6 * Z2);
+        const E = D + C;
+        const G = B + A;
+        const H = D - C;
+        const X3 = mod$2(E * F);
+        const Y3 = mod$2(G * H);
+        const T3 = mod$2(E * H);
+        const Z3 = mod$2(F * G);
+        return new ExtendedPoint(X3, Y3, Z3, T3);
+    }
+    subtract(other) {
+        return this.add(other.negate());
+    }
+    precomputeWindow(W) {
+        const windows = 1 + 256 / W;
+        const points = [];
+        let p = this;
+        let base = p;
+        for (let window = 0; window < windows; window++) {
+            base = p;
+            points.push(base);
+            for (let i = 1; i < 2 ** (W - 1); i++) {
+                base = base.add(p);
+                points.push(base);
+            }
+            p = base.double();
+        }
+        return points;
+    }
+    wNAF(n, affinePoint) {
+        if (!affinePoint && this.equals(ExtendedPoint.BASE))
+            affinePoint = Point.BASE;
+        const W = (affinePoint && affinePoint._WINDOW_SIZE) || 1;
+        if (256 % W) {
+            throw new Error('Point#wNAF: Invalid precomputation window, must be power of 2');
+        }
+        let precomputes = affinePoint && pointPrecomputes.get(affinePoint);
+        if (!precomputes) {
+            precomputes = this.precomputeWindow(W);
+            if (affinePoint && W !== 1) {
+                precomputes = ExtendedPoint.normalizeZ(precomputes);
+                pointPrecomputes.set(affinePoint, precomputes);
+            }
+        }
+        let p = ExtendedPoint.ZERO;
+        let f = ExtendedPoint.BASE;
+        const windows = 1 + 256 / W;
+        const windowSize = 2 ** (W - 1);
+        const mask = BigInt(2 ** W - 1);
+        const maxNumber = 2 ** W;
+        const shiftBy = BigInt(W);
+        for (let window = 0; window < windows; window++) {
+            const offset = window * windowSize;
+            let wbits = Number(n & mask);
+            n >>= shiftBy;
+            if (wbits > windowSize) {
+                wbits -= maxNumber;
+                n += _1n$a;
+            }
+            const offset1 = offset;
+            const offset2 = offset + Math.abs(wbits) - 1;
+            const cond1 = window % 2 !== 0;
+            const cond2 = wbits < 0;
+            if (wbits === 0) {
+                f = f.add(constTimeNegate(cond1, precomputes[offset1]));
+            }
+            else {
+                p = p.add(constTimeNegate(cond2, precomputes[offset2]));
+            }
+        }
+        return ExtendedPoint.normalizeZ([p, f])[0];
+    }
+    multiply(scalar, affinePoint) {
+        return this.wNAF(normalizeScalar(scalar, CURVE$1.l), affinePoint);
+    }
+    multiplyUnsafe(scalar) {
+        let n = normalizeScalar(scalar, CURVE$1.l, false);
+        const G = ExtendedPoint.BASE;
+        const P0 = ExtendedPoint.ZERO;
+        if (n === _0n$8)
+            return P0;
+        if (this.equals(P0) || n === _1n$a)
+            return this;
+        if (this.equals(G))
+            return this.wNAF(n);
+        let p = P0;
+        let d = this;
+        while (n > _0n$8) {
+            if (n & _1n$a)
+                p = p.add(d);
+            d = d.double();
+            n >>= _1n$a;
+        }
+        return p;
+    }
+    isSmallOrder() {
+        return this.multiplyUnsafe(CURVE$1.h).equals(ExtendedPoint.ZERO);
+    }
+    isTorsionFree() {
+        let p = this.multiplyUnsafe(CURVE$1.l / _2n$6).double();
+        if (CURVE$1.l % _2n$6)
+            p = p.add(this);
+        return p.equals(ExtendedPoint.ZERO);
+    }
+    toAffine(invZ) {
+        const { x, y, z } = this;
+        const is0 = this.equals(ExtendedPoint.ZERO);
+        if (invZ == null)
+            invZ = is0 ? _8n$2 : invert$1(z);
+        const ax = mod$2(x * invZ);
+        const ay = mod$2(y * invZ);
+        const zz = mod$2(z * invZ);
+        if (is0)
+            return Point.ZERO;
+        if (zz !== _1n$a)
+            throw new Error('invZ was invalid');
+        return new Point(ax, ay);
+    }
+    fromRistrettoBytes() {
+        legacyRist();
+    }
+    toRistrettoBytes() {
+        legacyRist();
+    }
+    fromRistrettoHash() {
+        legacyRist();
+    }
+}
+ExtendedPoint.BASE = new ExtendedPoint(CURVE$1.Gx, CURVE$1.Gy, _1n$a, mod$2(CURVE$1.Gx * CURVE$1.Gy));
+ExtendedPoint.ZERO = new ExtendedPoint(_0n$8, _1n$a, _1n$a, _0n$8);
+function constTimeNegate(condition, item) {
+    const neg = item.negate();
+    return condition ? neg : item;
+}
+function assertExtPoint(other) {
+    if (!(other instanceof ExtendedPoint))
+        throw new TypeError('ExtendedPoint expected');
+}
+function assertRstPoint(other) {
+    if (!(other instanceof RistrettoPoint))
+        throw new TypeError('RistrettoPoint expected');
+}
+function legacyRist() {
+    throw new Error('Legacy method: switch to RistrettoPoint');
+}
+class RistrettoPoint {
+    constructor(ep) {
+        this.ep = ep;
+    }
+    static calcElligatorRistrettoMap(r0) {
+        const { d } = CURVE$1;
+        const r = mod$2(SQRT_M1 * r0 * r0);
+        const Ns = mod$2((r + _1n$a) * ONE_MINUS_D_SQ);
+        let c = BigInt(-1);
+        const D = mod$2((c - d * r) * mod$2(r + d));
+        let { isValid: Ns_D_is_sq, value: s } = uvRatio$1(Ns, D);
+        let s_ = mod$2(s * r0);
+        if (!edIsNegative(s_))
+            s_ = mod$2(-s_);
+        if (!Ns_D_is_sq)
+            s = s_;
+        if (!Ns_D_is_sq)
+            c = r;
+        const Nt = mod$2(c * (r - _1n$a) * D_MINUS_ONE_SQ - D);
+        const s2 = s * s;
+        const W0 = mod$2((s + s) * D);
+        const W1 = mod$2(Nt * SQRT_AD_MINUS_ONE);
+        const W2 = mod$2(_1n$a - s2);
+        const W3 = mod$2(_1n$a + s2);
+        return new ExtendedPoint(mod$2(W0 * W3), mod$2(W2 * W1), mod$2(W1 * W3), mod$2(W0 * W2));
+    }
+    static hashToCurve(hex) {
+        hex = ensureBytes$1(hex, 64);
+        const r1 = bytes255ToNumberLE(hex.slice(0, 32));
+        const R1 = this.calcElligatorRistrettoMap(r1);
+        const r2 = bytes255ToNumberLE(hex.slice(32, 64));
+        const R2 = this.calcElligatorRistrettoMap(r2);
+        return new RistrettoPoint(R1.add(R2));
+    }
+    static fromHex(hex) {
+        hex = ensureBytes$1(hex, 32);
+        const { a, d } = CURVE$1;
+        const emsg = 'RistrettoPoint.fromHex: the hex is not valid encoding of RistrettoPoint';
+        const s = bytes255ToNumberLE(hex);
+        if (!equalBytes$1(numberTo32BytesLE(s), hex) || edIsNegative(s))
+            throw new Error(emsg);
+        const s2 = mod$2(s * s);
+        const u1 = mod$2(_1n$a + a * s2);
+        const u2 = mod$2(_1n$a - a * s2);
+        const u1_2 = mod$2(u1 * u1);
+        const u2_2 = mod$2(u2 * u2);
+        const v = mod$2(a * d * u1_2 - u2_2);
+        const { isValid, value: I } = invertSqrt(mod$2(v * u2_2));
+        const Dx = mod$2(I * u2);
+        const Dy = mod$2(I * Dx * v);
+        let x = mod$2((s + s) * Dx);
+        if (edIsNegative(x))
+            x = mod$2(-x);
+        const y = mod$2(u1 * Dy);
+        const t = mod$2(x * y);
+        if (!isValid || edIsNegative(t) || y === _0n$8)
+            throw new Error(emsg);
+        return new RistrettoPoint(new ExtendedPoint(x, y, _1n$a, t));
+    }
+    toRawBytes() {
+        let { x, y, z, t } = this.ep;
+        const u1 = mod$2(mod$2(z + y) * mod$2(z - y));
+        const u2 = mod$2(x * y);
+        const u2sq = mod$2(u2 * u2);
+        const { value: invsqrt } = invertSqrt(mod$2(u1 * u2sq));
+        const D1 = mod$2(invsqrt * u1);
+        const D2 = mod$2(invsqrt * u2);
+        const zInv = mod$2(D1 * D2 * t);
+        let D;
+        if (edIsNegative(t * zInv)) {
+            let _x = mod$2(y * SQRT_M1);
+            let _y = mod$2(x * SQRT_M1);
+            x = _x;
+            y = _y;
+            D = mod$2(D1 * INVSQRT_A_MINUS_D);
+        }
+        else {
+            D = D2;
+        }
+        if (edIsNegative(x * zInv))
+            y = mod$2(-y);
+        let s = mod$2((z - y) * D);
+        if (edIsNegative(s))
+            s = mod$2(-s);
+        return numberTo32BytesLE(s);
+    }
+    toHex() {
+        return bytesToHex$1(this.toRawBytes());
+    }
+    toString() {
+        return this.toHex();
+    }
+    equals(other) {
+        assertRstPoint(other);
+        const a = this.ep;
+        const b = other.ep;
+        const one = mod$2(a.x * b.y) === mod$2(a.y * b.x);
+        const two = mod$2(a.y * b.y) === mod$2(a.x * b.x);
+        return one || two;
+    }
+    add(other) {
+        assertRstPoint(other);
+        return new RistrettoPoint(this.ep.add(other.ep));
+    }
+    subtract(other) {
+        assertRstPoint(other);
+        return new RistrettoPoint(this.ep.subtract(other.ep));
+    }
+    multiply(scalar) {
+        return new RistrettoPoint(this.ep.multiply(scalar));
+    }
+    multiplyUnsafe(scalar) {
+        return new RistrettoPoint(this.ep.multiplyUnsafe(scalar));
+    }
+}
+RistrettoPoint.BASE = new RistrettoPoint(ExtendedPoint.BASE);
+RistrettoPoint.ZERO = new RistrettoPoint(ExtendedPoint.ZERO);
+const pointPrecomputes = new WeakMap();
+class Point {
+    constructor(x, y) {
+        this.x = x;
+        this.y = y;
+    }
+    _setWindowSize(windowSize) {
+        this._WINDOW_SIZE = windowSize;
+        pointPrecomputes.delete(this);
+    }
+    static fromHex(hex, strict = true) {
+        const { d, P } = CURVE$1;
+        hex = ensureBytes$1(hex, 32);
+        const normed = hex.slice();
+        normed[31] = hex[31] & ~0x80;
+        const y = bytesToNumberLE$1(normed);
+        if (strict && y >= P)
+            throw new Error('Expected 0 < hex < P');
+        if (!strict && y >= POW_2_256)
+            throw new Error('Expected 0 < hex < 2**256');
+        const y2 = mod$2(y * y);
+        const u = mod$2(y2 - _1n$a);
+        const v = mod$2(d * y2 + _1n$a);
+        let { isValid, value: x } = uvRatio$1(u, v);
+        if (!isValid)
+            throw new Error('Point.fromHex: invalid y coordinate');
+        const isXOdd = (x & _1n$a) === _1n$a;
+        const isLastByteOdd = (hex[31] & 0x80) !== 0;
+        if (isLastByteOdd !== isXOdd) {
+            x = mod$2(-x);
+        }
+        return new Point(x, y);
+    }
+    static async fromPrivateKey(privateKey) {
+        return (await getExtendedPublicKey(privateKey)).point;
+    }
+    toRawBytes() {
+        const bytes = numberTo32BytesLE(this.y);
+        bytes[31] |= this.x & _1n$a ? 0x80 : 0;
+        return bytes;
+    }
+    toHex() {
+        return bytesToHex$1(this.toRawBytes());
+    }
+    toX25519() {
+        const { y } = this;
+        const u = mod$2((_1n$a + y) * invert$1(_1n$a - y));
+        return numberTo32BytesLE(u);
+    }
+    isTorsionFree() {
+        return ExtendedPoint.fromAffine(this).isTorsionFree();
+    }
+    equals(other) {
+        return this.x === other.x && this.y === other.y;
+    }
+    negate() {
+        return new Point(mod$2(-this.x), this.y);
+    }
+    add(other) {
+        return ExtendedPoint.fromAffine(this).add(ExtendedPoint.fromAffine(other)).toAffine();
+    }
+    subtract(other) {
+        return this.add(other.negate());
+    }
+    multiply(scalar) {
+        return ExtendedPoint.fromAffine(this).multiply(scalar, this).toAffine();
+    }
+}
+Point.BASE = new Point(CURVE$1.Gx, CURVE$1.Gy);
+Point.ZERO = new Point(_0n$8, _1n$a);
+let Signature$1 = class Signature {
+    constructor(r, s) {
+        this.r = r;
+        this.s = s;
+        this.assertValidity();
+    }
+    static fromHex(hex) {
+        const bytes = ensureBytes$1(hex, 64);
+        const r = Point.fromHex(bytes.slice(0, 32), false);
+        const s = bytesToNumberLE$1(bytes.slice(32, 64));
+        return new Signature(r, s);
+    }
+    assertValidity() {
+        const { r, s } = this;
+        if (!(r instanceof Point))
+            throw new Error('Expected Point instance');
+        normalizeScalar(s, CURVE$1.l, false);
+        return this;
+    }
+    toRawBytes() {
+        const u8 = new Uint8Array(64);
+        u8.set(this.r.toRawBytes());
+        u8.set(numberTo32BytesLE(this.s), 32);
+        return u8;
+    }
+    toHex() {
+        return bytesToHex$1(this.toRawBytes());
+    }
+};
+function concatBytes$2(...arrays) {
+    if (!arrays.every((a) => a instanceof Uint8Array))
+        throw new Error('Expected Uint8Array list');
+    if (arrays.length === 1)
+        return arrays[0];
+    const length = arrays.reduce((a, arr) => a + arr.length, 0);
+    const result = new Uint8Array(length);
+    for (let i = 0, pad = 0; i < arrays.length; i++) {
+        const arr = arrays[i];
+        result.set(arr, pad);
+        pad += arr.length;
+    }
+    return result;
+}
+const hexes$1 = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, '0'));
+function bytesToHex$1(uint8a) {
+    if (!(uint8a instanceof Uint8Array))
+        throw new Error('Uint8Array expected');
+    let hex = '';
+    for (let i = 0; i < uint8a.length; i++) {
+        hex += hexes$1[uint8a[i]];
+    }
+    return hex;
+}
+function hexToBytes$1(hex) {
+    if (typeof hex !== 'string') {
+        throw new TypeError('hexToBytes: expected string, got ' + typeof hex);
+    }
+    if (hex.length % 2)
+        throw new Error('hexToBytes: received invalid unpadded hex');
+    const array = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < array.length; i++) {
+        const j = i * 2;
+        const hexByte = hex.slice(j, j + 2);
+        const byte = Number.parseInt(hexByte, 16);
+        if (Number.isNaN(byte) || byte < 0)
+            throw new Error('Invalid byte sequence');
+        array[i] = byte;
+    }
+    return array;
+}
+function numberTo32BytesBE(num) {
+    const length = 32;
+    const hex = num.toString(16).padStart(length * 2, '0');
+    return hexToBytes$1(hex);
+}
+function numberTo32BytesLE(num) {
+    return numberTo32BytesBE(num).reverse();
+}
+function edIsNegative(num) {
+    return (mod$2(num) & _1n$a) === _1n$a;
+}
+function bytesToNumberLE$1(uint8a) {
+    if (!(uint8a instanceof Uint8Array))
+        throw new Error('Expected Uint8Array');
+    return BigInt('0x' + bytesToHex$1(Uint8Array.from(uint8a).reverse()));
+}
+const MAX_255B = BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
+function bytes255ToNumberLE(bytes) {
+    return mod$2(bytesToNumberLE$1(bytes) & MAX_255B);
+}
+function mod$2(a, b = CURVE$1.P) {
+    const res = a % b;
+    return res >= _0n$8 ? res : b + res;
+}
+function invert$1(number, modulo = CURVE$1.P) {
+    if (number === _0n$8 || modulo <= _0n$8) {
+        throw new Error(`invert: expected positive integers, got n=${number} mod=${modulo}`);
+    }
+    let a = mod$2(number, modulo);
+    let b = modulo;
+    let x = _0n$8, u = _1n$a;
+    while (a !== _0n$8) {
+        const q = b / a;
+        const r = b % a;
+        const m = x - u * q;
+        b = a, a = r, x = u, u = m;
+    }
+    const gcd = b;
+    if (gcd !== _1n$a)
+        throw new Error('invert: does not exist');
+    return mod$2(x, modulo);
+}
+function invertBatch(nums, p = CURVE$1.P) {
+    const tmp = new Array(nums.length);
+    const lastMultiplied = nums.reduce((acc, num, i) => {
+        if (num === _0n$8)
+            return acc;
+        tmp[i] = acc;
+        return mod$2(acc * num, p);
+    }, _1n$a);
+    const inverted = invert$1(lastMultiplied, p);
+    nums.reduceRight((acc, num, i) => {
+        if (num === _0n$8)
+            return acc;
+        tmp[i] = mod$2(acc * tmp[i], p);
+        return mod$2(acc * num, p);
+    }, inverted);
+    return tmp;
+}
+function pow2$1(x, power) {
+    const { P } = CURVE$1;
+    let res = x;
+    while (power-- > _0n$8) {
+        res *= res;
+        res %= P;
+    }
+    return res;
+}
+function pow_2_252_3(x) {
+    const { P } = CURVE$1;
+    const _5n = BigInt(5);
+    const _10n = BigInt(10);
+    const _20n = BigInt(20);
+    const _40n = BigInt(40);
+    const _80n = BigInt(80);
+    const x2 = (x * x) % P;
+    const b2 = (x2 * x) % P;
+    const b4 = (pow2$1(b2, _2n$6) * b2) % P;
+    const b5 = (pow2$1(b4, _1n$a) * x) % P;
+    const b10 = (pow2$1(b5, _5n) * b5) % P;
+    const b20 = (pow2$1(b10, _10n) * b10) % P;
+    const b40 = (pow2$1(b20, _20n) * b20) % P;
+    const b80 = (pow2$1(b40, _40n) * b40) % P;
+    const b160 = (pow2$1(b80, _80n) * b80) % P;
+    const b240 = (pow2$1(b160, _80n) * b80) % P;
+    const b250 = (pow2$1(b240, _10n) * b10) % P;
+    const pow_p_5_8 = (pow2$1(b250, _2n$6) * x) % P;
+    return { pow_p_5_8, b2 };
+}
+function uvRatio$1(u, v) {
+    const v3 = mod$2(v * v * v);
+    const v7 = mod$2(v3 * v3 * v);
+    const pow = pow_2_252_3(u * v7).pow_p_5_8;
+    let x = mod$2(u * v3 * pow);
+    const vx2 = mod$2(v * x * x);
+    const root1 = x;
+    const root2 = mod$2(x * SQRT_M1);
+    const useRoot1 = vx2 === u;
+    const useRoot2 = vx2 === mod$2(-u);
+    const noRoot = vx2 === mod$2(-u * SQRT_M1);
+    if (useRoot1)
+        x = root1;
+    if (useRoot2 || noRoot)
+        x = root2;
+    if (edIsNegative(x))
+        x = mod$2(-x);
+    return { isValid: useRoot1 || useRoot2, value: x };
+}
+function invertSqrt(number) {
+    return uvRatio$1(_1n$a, number);
+}
+function modlLE(hash) {
+    return mod$2(bytesToNumberLE$1(hash), CURVE$1.l);
+}
+function equalBytes$1(b1, b2) {
+    if (b1.length !== b2.length) {
+        return false;
+    }
+    for (let i = 0; i < b1.length; i++) {
+        if (b1[i] !== b2[i]) {
+            return false;
+        }
+    }
+    return true;
+}
+function ensureBytes$1(hex, expectedLength) {
+    const bytes = hex instanceof Uint8Array ? Uint8Array.from(hex) : hexToBytes$1(hex);
+    if (typeof expectedLength === 'number' && bytes.length !== expectedLength)
+        throw new Error(`Expected ${expectedLength} bytes`);
+    return bytes;
+}
+function normalizeScalar(num, max, strict = true) {
+    if (!max)
+        throw new TypeError('Specify max value');
+    if (typeof num === 'number' && Number.isSafeInteger(num))
+        num = BigInt(num);
+    if (typeof num === 'bigint' && num < max) {
+        if (strict) {
+            if (_0n$8 < num)
+                return num;
+        }
+        else {
+            if (_0n$8 <= num)
+                return num;
+        }
+    }
+    throw new TypeError('Expected valid scalar: 0 < scalar < max');
+}
+function adjustBytes25519(bytes) {
+    bytes[0] &= 248;
+    bytes[31] &= 127;
+    bytes[31] |= 64;
+    return bytes;
+}
+function checkPrivateKey(key) {
+    key =
+        typeof key === 'bigint' || typeof key === 'number'
+            ? numberTo32BytesBE(normalizeScalar(key, POW_2_256))
+            : ensureBytes$1(key);
+    if (key.length !== 32)
+        throw new Error(`Expected 32 bytes`);
+    return key;
+}
+function getKeyFromHash(hashed) {
+    const head = adjustBytes25519(hashed.slice(0, 32));
+    const prefix = hashed.slice(32, 64);
+    const scalar = modlLE(head);
+    const point = Point.BASE.multiply(scalar);
+    const pointBytes = point.toRawBytes();
+    return { head, prefix, scalar, point, pointBytes };
+}
+let _sha512Sync;
+async function getExtendedPublicKey(key) {
+    return getKeyFromHash(await utils.sha512(checkPrivateKey(key)));
+}
+function prepareVerification(sig, message, publicKey) {
+    message = ensureBytes$1(message);
+    if (!(publicKey instanceof Point))
+        publicKey = Point.fromHex(publicKey, false);
+    const { r, s } = sig instanceof Signature$1 ? sig.assertValidity() : Signature$1.fromHex(sig);
+    const SB = ExtendedPoint.BASE.multiplyUnsafe(s);
+    return { r, s, SB, pub: publicKey, msg: message };
+}
+function finishVerification(publicKey, r, SB, hashed) {
+    const k = modlLE(hashed);
+    const kA = ExtendedPoint.fromAffine(publicKey).multiplyUnsafe(k);
+    const RkA = ExtendedPoint.fromAffine(r).add(kA);
+    return RkA.subtract(SB).multiplyUnsafe(CURVE$1.h).equals(ExtendedPoint.ZERO);
+}
+async function verify$6(sig, message, publicKey) {
+    const { r, SB, msg, pub } = prepareVerification(sig, message, publicKey);
+    const hashed = await utils.sha512(r.toRawBytes(), pub.toRawBytes(), msg);
+    return finishVerification(pub, r, SB, hashed);
+}
+Point.BASE._setWindowSize(8);
+const crypto$3 = {
+    node: nodeCrypto$b,
+    web: typeof self === 'object' && 'crypto' in self ? self.crypto : undefined,
+};
+const utils = {
+    bytesToHex: bytesToHex$1,
+    hexToBytes: hexToBytes$1,
+    concatBytes: concatBytes$2,
+    getExtendedPublicKey,
+    mod: mod$2,
+    invert: invert$1,
+    TORSION_SUBGROUP: [
+        '0100000000000000000000000000000000000000000000000000000000000000',
+        'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a',
+        '0000000000000000000000000000000000000000000000000000000000000080',
+        '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05',
+        'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
+        '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85',
+        '0000000000000000000000000000000000000000000000000000000000000000',
+        'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
+    ],
+    hashToPrivateScalar: (hash) => {
+        hash = ensureBytes$1(hash);
+        if (hash.length < 40 || hash.length > 1024)
+            throw new Error('Expected 40-1024 bytes of private key as per FIPS 186');
+        return mod$2(bytesToNumberLE$1(hash), CURVE$1.l - _1n$a) + _1n$a;
+    },
+    randomBytes: (bytesLength = 32) => {
+        if (crypto$3.web) {
+            return crypto$3.web.getRandomValues(new Uint8Array(bytesLength));
+        }
+        else if (crypto$3.node) {
+            const { randomBytes } = crypto$3.node;
+            return new Uint8Array(randomBytes(bytesLength).buffer);
+        }
+        else {
+            throw new Error("The environment doesn't have randomBytes function");
+        }
+    },
+    randomPrivateKey: () => {
+        return utils.randomBytes(32);
+    },
+    sha512: async (...messages) => {
+        const message = concatBytes$2(...messages);
+        if (crypto$3.web) {
+            const buffer = await crypto$3.web.subtle.digest('SHA-512', message.buffer);
+            return new Uint8Array(buffer);
+        }
+        else if (crypto$3.node) {
+            return Uint8Array.from(crypto$3.node.createHash('sha512').update(message).digest());
+        }
+        else {
+            throw new Error("The environment doesn't have sha512 function");
+        }
+    },
+    precompute(windowSize = 8, point = Point.BASE) {
+        const cached = point.equals(Point.BASE) ? point : new Point(point.x, point.y);
+        cached._setWindowSize(windowSize);
+        cached.multiply(_2n$6);
+        return cached;
+    },
+    sha512Sync: undefined,
+};
+Object.defineProperties(utils, {
+    sha512Sync: {
+        configurable: false,
+        get() {
+            return _sha512Sync;
+        },
+        set(val) {
+            if (!_sha512Sync)
+                _sha512Sync = val;
+        },
+    },
 });
 // OpenPGP.js - An OpenPGP implementation in javascript
@@ -9564,6 +10372,8 @@ var ecdsa = /*#__PURE__*/Object.freeze({
  * @async
  */
 async function sign$5(oid, hashAlgo, message, publicKey, privateKey, hashed) {
+  const curve = new CurveWithOID(oid);
+  checkPublicPointEnconding(curve, publicKey);
   if (hash$1.getHashByteLength(hashAlgo) < hash$1.getHashByteLength(enums.hash.sha256)) {
     // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
     throw new Error('Hash algorithm too weak for EdDSA.');
@@ -9590,11 +10400,13 @@ async function sign$5(oid, hashAlgo, message, publicKey, privateKey, hashed) {
  * @async
  */
 async function verify$5(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
+  const curve = new CurveWithOID(oid);
+  checkPublicPointEnconding(curve, publicKey);
   if (hash$1.getHashByteLength(hashAlgo) < hash$1.getHashByteLength(enums.hash.sha256)) {
     throw new Error('Hash algorithm too weak for EdDSA.');
   }
   const signature = util.concatUint8Array([r, s]);
-  return nacl.sign.detached.verify(hashed, signature, publicKey.subarray(1));
+  return verify$6(signature, hashed, publicKey.subarray(1));
 }
 /**
  * Validate legacy EdDSA parameters
@@ -9720,7 +10532,7 @@ async function verify$4(algo, hashAlgo, { RS }, m, publicKey, hashed) {
   }
   switch (algo) {
     case enums.publicKey.ed25519:
-      return nacl.sign.detached.verify(hashed, RS, publicKey);
+      return verify$6(RS, hashed, publicKey);
     case enums.publicKey.ed448: {
       const ed448 = await util.getNobleCurve(enums.publicKey.ed448);
       return ed448.verify(RS, hashed, publicKey);
@@ -10084,7 +10896,7 @@ function buildEcdhParam(public_algo, oid, kdfParams, fingerprint) {
     new Uint8Array([public_algo]),
     kdfParams.write(true),
     util.stringToUint8Array('Anonymous Sender    '),
-    kdfParams.replacementFingerprint || fingerprint.subarray(0, 20)
+    kdfParams.replacementFingerprint || fingerprint
   ]);
 }
@@ -10126,7 +10938,7 @@ async function genPublicEphemeralKey(curve, Q) {
       const d = getRandomBytes(32);
       const { secretKey, sharedKey } = await genPrivateEphemeralKey(curve, Q, null, d);
       let { publicKey } = nacl.box.keyPair.fromSecretKey(secretKey);
-      publicKey = util.concatUint8Array([new Uint8Array([0x40]), publicKey]);
+      publicKey = util.concatUint8Array([new Uint8Array([curve.wireFormatLeadingByte]), publicKey]);
       return { publicKey, sharedKey }; // Note: sharedKey is little-endian here, unlike below
     }
     case 'web':
@@ -10154,7 +10966,7 @@ async function genPublicEphemeralKey(curve, Q) {
  * @param {module:type/kdf_params} kdfParams - KDF params including cipher and algorithm to use
  * @param {Uint8Array} data - Unpadded session key data
  * @param {Uint8Array} Q - Recipient public key
- * @param {Uint8Array} fingerprint - Recipient fingerprint
+ * @param {Uint8Array} fingerprint - Recipient fingerprint, already truncated depending on the key version
  * @returns {Promise<{publicKey: Uint8Array, wrappedKey: Uint8Array}>}
  * @async
  */
@@ -10162,6 +10974,7 @@ async function encrypt$2(oid, kdfParams, data, Q, fingerprint) {
   const m = encode(data);
   const curve = new CurveWithOID(oid);
+  checkPublicPointEnconding(curve, Q);
   const { publicKey, sharedKey } = await genPublicEphemeralKey(curve, Q);
   const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
   const { keySize } = getCipherParams(kdfParams.cipher);
@@ -10218,12 +11031,14 @@ async function genPrivateEphemeralKey(curve, V, Q, d) {
  * @param {Uint8Array} C - Encrypted and wrapped value derived from session key
  * @param {Uint8Array} Q - Recipient public key
  * @param {Uint8Array} d - Recipient private key
- * @param {Uint8Array} fingerprint - Recipient fingerprint
+ * @param {Uint8Array} fingerprint - Recipient fingerprint, already truncated depending on the key version
  * @returns {Promise<Uint8Array>} Value derived from session key.
  * @async
  */
 async function decrypt$2(oid, kdfParams, V, C, Q, d, fingerprint) {
   const curve = new CurveWithOID(oid);
+  checkPublicPointEnconding(curve, Q);
+  checkPublicPointEnconding(curve, V);
   const { sharedKey } = await genPrivateEphemeralKey(curve, V, Q, d);
   const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
   const { keySize } = getCipherParams(kdfParams.cipher);
@@ -10355,7 +11170,7 @@ async function webPublicEphemeralKey(curve, Q) {
   );
   [s, p] = await Promise.all([s, p]);
   const sharedKey = new Uint8Array(s);
-  const publicKey = new Uint8Array(jwkToRawPublic(p));
+  const publicKey = new Uint8Array(jwkToRawPublic(p, curve.wireFormatLeadingByte));
   return { publicKey, sharedKey };
 }
@@ -10678,14 +11493,14 @@ async function sign$3(hashAlgo, hashed, g, p, q, x) {
   let r;
   let s;
   let t;
-  g = mod$2(g, p);
-  x = mod$2(x, q);
+  g = mod$3(g, p);
+  x = mod$3(x, q);
   // If the output size of the chosen hash is larger than the number of
   // bits of q, the hash result is truncated to fit by taking the number
   // of leftmost bits equal to the number of bits of q.  This (possibly
   // truncated) hash function result is treated as a number and used
   // directly in the DSA signature algorithm.
-  const h = mod$2(uint8ArrayToBigInt(hashed.subarray(0, byteLength(q))), q);
+  const h = mod$3(uint8ArrayToBigInt(hashed.subarray(0, byteLength(q))), q);
   // FIPS-186-4, section 4.6:
   // The values of r and s shall be checked to determine if r = 0 or s = 0.
   // If either r = 0 or s = 0, a new value of k shall be generated, and the
@@ -10694,13 +11509,13 @@ async function sign$3(hashAlgo, hashed, g, p, q, x) {
   while (true) {
     // See Appendix B here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
     k = getRandomBigInteger(_1n$9, q); // returns in [1, q-1]
-    r = mod$2(modExp(g, k, p), q); // (g**k mod p) mod q
+    r = mod$3(modExp(g, k, p), q); // (g**k mod p) mod q
     if (r === _0n) {
       continue;
     }
-    const xr = mod$2(x * r, q);
-    t = mod$2(h + xr, q); // H(m) + x*r mod q
-    s = mod$2(modInv(k, q) * t, q); // k**-1 * (H(m) + x*r) mod q
+    const xr = mod$3(x * r, q);
+    t = mod$3(h + xr, q); // H(m) + x*r mod q
+    s = mod$3(modInv(k, q) * t, q); // k**-1 * (H(m) + x*r) mod q
     if (s === _0n) {
       continue;
     }
@@ -10739,20 +11554,20 @@ async function verify$3(hashAlgo, r, s, hashed, g, p, q, y) {
     util.printDebug('invalid DSA Signature');
     return false;
   }
-  const h = mod$2(uint8ArrayToBigInt(hashed.subarray(0, byteLength(q))), q);
+  const h = mod$3(uint8ArrayToBigInt(hashed.subarray(0, byteLength(q))), q);
   const w = modInv(s, q); // s**-1 mod q
   if (w === _0n$7) {
     util.printDebug('invalid DSA Signature');
     return false;
   }
-  g = mod$2(g, p);
-  y = mod$2(y, p);
-  const u1 = mod$2(h * w, q); // H(m) * w mod q
-  const u2 = mod$2(r * w, q); // r * w mod q
+  g = mod$3(g, p);
+  y = mod$3(y, p);
+  const u1 = mod$3(h * w, q); // H(m) * w mod q
+  const u2 = mod$3(r * w, q); // r * w mod q
   const t1 = modExp(g, u1, p); // g**u1 mod p
   const t2 = modExp(y, u2, p); // y**u2 mod p
-  const v = mod$2(mod$2(t1 * t2, p), q); // (g**u1 * y**u2 mod p) mod q
+  const v = mod$3(mod$3(t1 * t2, p), q); // (g**u1 * y**u2 mod p) mod q
   return v === r;
 }
@@ -10779,7 +11594,7 @@ async function validateParams$2(p, q, g, y, x) {
   /**
    * Check that subgroup order q divides p-1
    */
-  if (mod$2(p - _1n$9, q) !== _0n$7) {
+  if (mod$3(p - _1n$9, q) !== _0n$7) {
     return false;
   }
@@ -11576,6 +12391,9 @@ function parsePublicKeyParams(algo, bytes) {
     case enums.publicKey.eddsaLegacy: {
       const oid = new OID(); read += oid.read(bytes);
       checkSupportedCurve(oid);
+      if (oid.getName() !== enums.curve.ed25519Legacy) {
+        throw new Error('Unexpected OID for eddsaLegacy');
+      }
       let Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
       Q = util.leftPad(Q, 33);
       return { read: read, publicParams: { oid, Q } };
@@ -11639,6 +12457,9 @@ function parsePrivateKeyParams(algo, bytes, publicParams) {
     }
     case enums.publicKey.eddsaLegacy: {
       const payloadSize = getCurvePayloadSize(algo, publicParams.oid);
+      if (publicParams.oid.getName() !== enums.curve.ed25519Legacy) {
+        throw new Error('Unexpected OID for eddsaLegacy');
+      }
       let seed = util.readMPI(bytes.subarray(read)); read += seed.length + 2;
       seed = util.leftPad(seed, payloadSize);
       return { read, privateParams: { seed } };
@@ -14477,6 +15298,7 @@ class SignaturePacket {
     this.signatureData = null;
     this.unhashedSubpackets = [];
+    this.unknownSubpackets = [];
     this.signedHashValue = null;
     this.salt = null;
@@ -14526,9 +15348,12 @@ class SignaturePacket {
    * @param {String} bytes - Payload of a tag 2 packet
    * @returns {SignaturePacket} Object representation.
    */
-  read(bytes) {
+  read(bytes, config$1 = config) {
     let i = 0;
     this.version = bytes[i++];
+    if (this.version === 5 && !config$1.enableParsingV5Entities) {
+      throw new UnsupportedError('Support for v5 entities is disabled; turn on `config.enableParsingV5Entities` if needed');
+    }
     if (this.version !== 4 && this.version !== 5 && this.version !== 6) {
       throw new UnsupportedError(`Version ${this.version} of the signature packet is unsupported.`);
@@ -14805,10 +15630,8 @@ class SignaturePacket {
    * @returns {Uint8Array} Subpacket data.
    */
   writeUnhashedSubPackets() {
-    const arr = [];
-    this.unhashedSubpackets.forEach(data => {
-      arr.push(writeSimpleLength(data.length));
-      arr.push(data);
+    const arr = this.unhashedSubpackets.map(({ type, critical, body }) => {
+      return writeSubPacket(type, critical, body);
     });
     const result = util.concat(arr);
@@ -14817,7 +15640,7 @@ class SignaturePacket {
     return util.concat([length, result]);
   }
-  // V4 signature sub packets
+  // Signature subpackets
   readSubPacket(bytes, hashed = true) {
     let mypos = 0;
@@ -14825,15 +15648,19 @@ class SignaturePacket {
     const critical = !!(bytes[mypos] & 0x80);
     const type = bytes[mypos] & 0x7F;
+    mypos++;
     if (!hashed) {
-      this.unhashedSubpackets.push(bytes.subarray(mypos, bytes.length));
+      this.unhashedSubpackets.push({
+        type,
+        critical,
+        body: bytes.subarray(mypos, bytes.length)
+      });
       if (!allowedUnhashedSubpackets.has(type)) {
         return;
       }
     }
-    mypos++;
     // subpacket type
     switch (type) {
       case enums.signatureSubpacket.signatureCreationTime:
@@ -15005,14 +15832,13 @@ class SignaturePacket {
           this.preferredCipherSuites.push([bytes[i], bytes[i + 1]]);
         }
         break;
-      default: {
-        const err = new Error(`Unknown signature subpacket type ${type}`);
-        if (critical) {
-          throw err;
-        } else {
-          util.printDebug(err);
-        }
-      }
+      default:
+        this.unknownSubpackets.push({
+          type,
+          critical,
+          body: bytes.subarray(mypos, bytes.length)
+        });
+        break;
     }
   }
@@ -15212,6 +16038,11 @@ class SignaturePacket {
       [enums.signature.binary, enums.signature.text].includes(this.signatureType)) {
       throw new Error('Insecure message hash algorithm: ' + enums.read(enums.hash, this.hashAlgorithm).toUpperCase());
     }
+    this.unknownSubpackets.forEach(({ type, critical }) => {
+      if (critical) {
+        throw new Error(`Unknown critical signature subpacket type ${type}`);
+      }
+    });
     this.rawNotations.forEach(({ name, critical }) => {
       if (critical && (config$1.knownNotations.indexOf(name) < 0)) {
         throw new Error(`Unknown critical notation: ${name}`);
@@ -16511,10 +17342,11 @@ class PublicKeyEncryptedSessionKeyPacket {
     // No symmetric encryption algorithm identifier is passed to the public-key algorithm for a
     // v6 PKESK packet, as it is included in the v2 SEIPD packet.
     const sessionKeyAlgorithm = this.version === 3 ? this.sessionKeyAlgorithm : null;
+    const fingerprint = key.version === 5 ? key.getFingerprintBytes().subarray(0, 20) : key.getFingerprintBytes();
     const encoded = encodeSessionKey(this.version, algo, sessionKeyAlgorithm, this.sessionKey);
     const privateParams = algo === enums.publicKey.aead ? key.privateParams : null;
     this.encrypted = await mod$1.publicKeyEncrypt(
-      algo, sessionKeyAlgorithm, key.publicParams, privateParams, encoded, key.getFingerprintBytes());
+      algo, sessionKeyAlgorithm, key.publicParams, privateParams, encoded, fingerprint);
   }
   /**
@@ -16534,7 +17366,8 @@ class PublicKeyEncryptedSessionKeyPacket {
     const randomPayload = randomSessionKey ?
       encodeSessionKey(this.version, this.publicKeyAlgorithm, randomSessionKey.sessionKeyAlgorithm, randomSessionKey.sessionKey) :
       null;
-    const decryptedData = await mod$1.publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, key.getFingerprintBytes(), randomPayload);
+    const fingerprint = key.version === 5 ? key.getFingerprintBytes().subarray(0, 20) : key.getFingerprintBytes();
+    const decryptedData = await mod$1.publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, fingerprint, randomPayload);
     const { sessionKey, sessionKeyAlgorithm } = decodeSessionKey(this.version, this.publicKeyAlgorithm, decryptedData, randomSessionKey);
@@ -16939,10 +17772,13 @@ class PublicKeyPacket {
    * @returns {Object} This object with attributes set by the parser
    * @async
    */
-  async read(bytes) {
+  async read(bytes, config$1 = config) {
     let pos = 0;
     // A one-octet version number (4, 5 or 6).
     this.version = bytes[pos++];
+    if (this.version === 5 && !config$1.enableParsingV5Entities) {
+      throw new UnsupportedError('Support for parsing v5 entities is disabled; turn on `config.enableParsingV5Entities` if needed');
+    }
     if (this.version === 4 || this.version === 5 || this.version === 6) {
       // - A four-octet number denoting the time that the key was created.
@@ -17534,7 +18370,7 @@ class SecretKeyPacket extends PublicKeyPacket {
    */
   async read(bytes, config$1 = config) {
     // - A Public-Key or Public-Subkey packet, as described above.
-    let i = await this.readPublicKey(bytes);
+    let i = await this.readPublicKey(bytes, config$1);
     const startOfSecretKeyData = i;
     // - One octet indicating string-to-key usage conventions.  Zero
@@ -17824,13 +18660,13 @@ class SecretKeyPacket extends PublicKeyPacket {
     if (config$1.aeadProtect) {
       this.s2kUsage = 253;
-      this.aead = enums.aead.eax;
+      this.aead = config$1.preferredAEADAlgorithm;
       const mode = mod$1.getAEADMode(this.aead);
       this.isLegacyAEAD = this.version === 5; // v4 is always re-encrypted with standard format instead.
       this.usedModernAEAD = !this.isLegacyAEAD; // legacy AEAD does not guarantee integrity of public key material
       const serializedPacketTag = writeTag(this.constructor.tag);
-      const key = await produceEncryptionKey(this.version, this.s2k, passphrase, this.symmetric, this.aead, serializedPacketTag);
+      const key = await produceEncryptionKey(this.version, this.s2k, passphrase, this.symmetric, this.aead, serializedPacketTag, this.isLegacyAEAD);
       const modeInstance = await mode(this.symmetric, key);
       this.iv = this.isLegacyAEAD ? mod$1.random.getRandomBytes(blockSize) : mod$1.random.getRandomBytes(mode.ivLength);
@@ -18000,6 +18836,12 @@ class SecretKeyPacket extends PublicKeyPacket {
  * @returns encryption key
  */
 async function produceEncryptionKey(keyVersion, s2k, passphrase, cipherAlgo, aeadMode, serializedPacketTag, isLegacyAEAD) {
+  if (s2k.type === 'argon2' && !aeadMode) {
+    throw new Error('Using Argon2 S2K without AEAD is not allowed');
+  }
+  if (s2k.type === 'simple' && keyVersion === 6) {
+    throw new Error('Using Simple S2K with version 6 keys is not allowed');
+  }
   const { keySize } = mod$1.getCipherParams(cipherAlgo);
   const derivedKey = await s2k.produceKey(passphrase, keySize);
   if (!aeadMode || keyVersion === 5 || isLegacyAEAD) {
@@ -18378,6 +19220,8 @@ async function generateSecretKey(options, config) {
  * Returns the valid and non-expired signature that has the latest creation date, while ignoring signatures created in the future.
  * @param {Array<SignaturePacket>} signatures - List of signatures
  * @param {PublicKeyPacket|PublicSubkeyPacket} publicKey - Public key packet to verify the signature
+ * @param {module:enums.signature} signatureType - Signature type to determine how to hash the data (NB: for userID signatures,
+ *                          `enums.signatures.certGeneric` should be given regardless of the actual trust level)
  * @param {Date} date - Use the given date instead of the current time
  * @param {Object} config - full configuration
  * @returns {Promise<SignaturePacket>} The latest valid signature.
@@ -18626,8 +19470,14 @@ async function isDataRevoked(primaryKey, signatureType, dataToVerify, revocation
         // `verifyAllCertifications`.)
         !signature || revocationSignature.issuerKeyID.equals(signature.issuerKeyID)
       ) {
+        const isHardRevocation = ![
+          enums.reasonForRevocation.keyRetired,
+          enums.reasonForRevocation.keySuperseded,
+          enums.reasonForRevocation.userIDInvalid
+        ].includes(revocationSignature.reasonForRevocationFlag);
         await revocationSignature.verify(
-          key, signatureType, dataToVerify, date, false, config
+          key, signatureType, dataToVerify, isHardRevocation ? null : date, false, config
         );
         // TODO get an identifier of the revoked object instead
@@ -20614,7 +21464,7 @@ async function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, conf
       key: secretKeyPacket
     };
     const signatureProperties = secretKeyPacket.version !== 6 ? getKeySignatureProperties() : {};
-    signatureProperties.signatureType = enums.signature.certGeneric;
+    signatureProperties.signatureType = enums.signature.certPositive;
     if (index === 0) {
       signatureProperties.isPrimaryUserID = true;
     }
@@ -22439,7 +23289,7 @@ async function verify({ message, verificationKeys, expectSigned = false, format
       result.signatures = await message.verify(verificationKeys, date, config$1);
     }
     result.data = format === 'binary' ? message.getLiteralData() : message.getText();
-    if (message.fromStream) linkStreams(result, message);
+    if (message.fromStream && !signature) linkStreams(result, message);
     if (expectSigned) {
       if (result.signatures.length === 0) {
         throw new Error('Message is not signed');