@protontech/openpgp 6.0.0-beta.1 → 6.0.0-beta.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (28) hide show
  1. package/README.md +2 -2
  2. package/dist/lightweight/argon2id.min.mjs +1 -1
  3. package/dist/lightweight/argon2id.mjs +1 -1
  4. package/dist/lightweight/legacy_ciphers.min.mjs +1 -1
  5. package/dist/lightweight/legacy_ciphers.mjs +1 -1
  6. package/dist/lightweight/noble_curves.min.mjs +1 -1
  7. package/dist/lightweight/noble_curves.mjs +1 -1
  8. package/dist/lightweight/noble_hashes.min.mjs +1 -1
  9. package/dist/lightweight/noble_hashes.mjs +1 -1
  10. package/dist/lightweight/openpgp.min.mjs +3 -2
  11. package/dist/lightweight/openpgp.min.mjs.map +1 -1
  12. package/dist/lightweight/openpgp.mjs +1011 -168
  13. package/dist/lightweight/sha3.min.mjs +1 -1
  14. package/dist/lightweight/sha3.mjs +1 -1
  15. package/dist/node/openpgp.cjs +985 -134
  16. package/dist/node/openpgp.min.cjs +12 -11
  17. package/dist/node/openpgp.min.cjs.map +1 -1
  18. package/dist/node/openpgp.min.mjs +12 -11
  19. package/dist/node/openpgp.min.mjs.map +1 -1
  20. package/dist/node/openpgp.mjs +984 -134
  21. package/dist/openpgp.js +1011 -168
  22. package/dist/openpgp.min.js +12 -11
  23. package/dist/openpgp.min.js.map +1 -1
  24. package/dist/openpgp.min.mjs +12 -11
  25. package/dist/openpgp.min.mjs.map +1 -1
  26. package/dist/openpgp.mjs +1011 -168
  27. package/openpgp.d.ts +8 -1
  28. package/package.json +6 -5
package/dist/openpgp.js CHANGED
@@ -1,4 +1,4 @@
1
- /*! OpenPGP.js v6.0.0-beta.1 - 2024-05-17 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
1
+ /*! OpenPGP.js v6.0.0-beta.2 - 2024-07-05 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
2
2
  var openpgp = (function (exports) {
3
3
  'use strict';
4
4
 
@@ -546,9 +546,10 @@ var openpgp = (function (exports) {
546
546
  * @param {Function} cancel
547
547
  * @returns {TransformStream}
548
548
  */
549
- function transformWithCancel(cancel) {
549
+ function transformWithCancel(customCancel) {
550
550
  let pulled = false;
551
- let backpressureChangePromiseResolve;
551
+ let cancelled = false;
552
+ let backpressureChangePromiseResolve, backpressureChangePromiseReject;
552
553
  let outputController;
553
554
  return {
554
555
  readable: new ReadableStream({
@@ -562,16 +563,29 @@ var openpgp = (function (exports) {
562
563
  pulled = true;
563
564
  }
564
565
  },
565
- cancel
566
+ async cancel(reason) {
567
+ cancelled = true;
568
+ if (customCancel) {
569
+ await customCancel(reason);
570
+ }
571
+ if (backpressureChangePromiseReject) {
572
+ backpressureChangePromiseReject(reason);
573
+ }
574
+ }
566
575
  }, {highWaterMark: 0}),
567
576
  writable: new WritableStream({
568
577
  write: async function(chunk) {
578
+ if (cancelled) {
579
+ throw new Error('Stream is cancelled');
580
+ }
569
581
  outputController.enqueue(chunk);
570
582
  if (!pulled) {
571
- await new Promise(resolve => {
583
+ await new Promise((resolve, reject) => {
572
584
  backpressureChangePromiseResolve = resolve;
585
+ backpressureChangePromiseReject = reject;
573
586
  });
574
587
  backpressureChangePromiseResolve = null;
588
+ backpressureChangePromiseReject = null;
575
589
  } else {
576
590
  pulled = false;
577
591
  }
@@ -1507,6 +1521,14 @@ var openpgp = (function (exports) {
1507
1521
  * @property {Boolean} v6Keys
1508
1522
  */
1509
1523
  v6Keys: false,
1524
+ /**
1525
+ * Enable parsing v5 keys and v5 signatures (which is different from the AEAD-encrypted SEIPDv2 packet).
1526
+ * These are non-standard entities, which in the crypto-refresh have been superseded
1527
+ * by v6 keys and v6 signatures, respectively.
1528
+ * However, generation of v5 entities was supported behind config flag in OpenPGP.js v5, and some other libraries,
1529
+ * hence parsing them might be necessary in some cases.
1530
+ */
1531
+ enableParsingV5Entities: false,
1510
1532
  /**
1511
1533
  * S2K (String to Key) type, used for key derivation in the context of secret key encryption
1512
1534
  * and password-encrypted data. Weaker s2k options are not allowed.
@@ -1663,7 +1685,7 @@ var openpgp = (function (exports) {
1663
1685
  * @memberof module:config
1664
1686
  * @property {String} versionString A version string to be included in armored messages
1665
1687
  */
1666
- versionString: 'OpenPGP.js 6.0.0-beta.1',
1688
+ versionString: 'OpenPGP.js 6.0.0-beta.2',
1667
1689
  /**
1668
1690
  * @memberof module:config
1669
1691
  * @property {String} commentString A comment string to be included in armored messages
@@ -3191,15 +3213,15 @@ var openpgp = (function (exports) {
3191
3213
 
3192
3214
 
3193
3215
  const webCrypto$b = util.getWebCrypto();
3194
- const nodeCrypto$a = util.getNodeCrypto();
3195
- const nodeCryptoHashes = nodeCrypto$a && nodeCrypto$a.getHashes();
3216
+ const nodeCrypto$b = util.getNodeCrypto();
3217
+ const nodeCryptoHashes = nodeCrypto$b && nodeCrypto$b.getHashes();
3196
3218
 
3197
3219
  function nodeHash(type) {
3198
- if (!nodeCrypto$a || !nodeCryptoHashes.includes(type)) {
3220
+ if (!nodeCrypto$b || !nodeCryptoHashes.includes(type)) {
3199
3221
  return;
3200
3222
  }
3201
3223
  return async function (data) {
3202
- const shasum = nodeCrypto$a.createHash(type);
3224
+ const shasum = nodeCrypto$b.createHash(type);
3203
3225
  return transform(data, value => {
3204
3226
  shasum.update(value);
3205
3227
  }, () => new Uint8Array(shasum.digest()));
@@ -4546,9 +4568,9 @@ var openpgp = (function (exports) {
4546
4568
 
4547
4569
 
4548
4570
  const webCrypto$a = util.getWebCrypto();
4549
- const nodeCrypto$9 = util.getNodeCrypto();
4571
+ const nodeCrypto$a = util.getNodeCrypto();
4550
4572
 
4551
- const knownAlgos = nodeCrypto$9 ? nodeCrypto$9.getCiphers() : [];
4573
+ const knownAlgos = nodeCrypto$a ? nodeCrypto$a.getCiphers() : [];
4552
4574
  const nodeAlgos = {
4553
4575
  idea: knownAlgos.includes('idea-cfb') ? 'idea-cfb' : undefined, /* Unused, not implemented */
4554
4576
  tripledes: knownAlgos.includes('des-ede3-cfb') ? 'des-ede3-cfb' : undefined,
@@ -4614,7 +4636,7 @@ var openpgp = (function (exports) {
4614
4636
  */
4615
4637
  async function decrypt$5(algo, key, ciphertext, iv) {
4616
4638
  const algoName = enums.read(enums.symmetric, algo);
4617
- if (nodeCrypto$9 && nodeAlgos[algoName]) { // Node crypto library.
4639
+ if (nodeCrypto$a && nodeAlgos[algoName]) { // Node crypto library.
4618
4640
  return nodeDecrypt$1(algo, key, ciphertext, iv);
4619
4641
  }
4620
4642
  if (util.isAES(algo)) {
@@ -4782,13 +4804,13 @@ var openpgp = (function (exports) {
4782
4804
 
4783
4805
  function nodeEncrypt$1(algo, key, pt, iv) {
4784
4806
  const algoName = enums.read(enums.symmetric, algo);
4785
- const cipherObj = new nodeCrypto$9.createCipheriv(nodeAlgos[algoName], key, iv);
4807
+ const cipherObj = new nodeCrypto$a.createCipheriv(nodeAlgos[algoName], key, iv);
4786
4808
  return transform(pt, value => new Uint8Array(cipherObj.update(value)));
4787
4809
  }
4788
4810
 
4789
4811
  function nodeDecrypt$1(algo, key, ct, iv) {
4790
4812
  const algoName = enums.read(enums.symmetric, algo);
4791
- const decipherObj = new nodeCrypto$9.createDecipheriv(nodeAlgos[algoName], key, iv);
4813
+ const decipherObj = new nodeCrypto$a.createDecipheriv(nodeAlgos[algoName], key, iv);
4792
4814
  return transform(ct, value => new Uint8Array(decipherObj.update(value)));
4793
4815
  }
4794
4816
 
@@ -4881,7 +4903,7 @@ var openpgp = (function (exports) {
4881
4903
 
4882
4904
 
4883
4905
  const webCrypto$9 = util.getWebCrypto();
4884
- const nodeCrypto$8 = util.getNodeCrypto();
4906
+ const nodeCrypto$9 = util.getNodeCrypto();
4885
4907
 
4886
4908
 
4887
4909
  /**
@@ -4947,7 +4969,7 @@ var openpgp = (function (exports) {
4947
4969
  async function CBC(key) {
4948
4970
  if (util.getNodeCrypto()) { // Node crypto library
4949
4971
  return async function(pt) {
4950
- const en = new nodeCrypto$8.createCipheriv('aes-' + (key.length * 8) + '-cbc', key, zeroBlock$1);
4972
+ const en = new nodeCrypto$9.createCipheriv('aes-' + (key.length * 8) + '-cbc', key, zeroBlock$1);
4951
4973
  const ct = en.update(pt);
4952
4974
  return new Uint8Array(ct);
4953
4975
  };
@@ -4995,7 +5017,7 @@ var openpgp = (function (exports) {
4995
5017
 
4996
5018
 
4997
5019
  const webCrypto$8 = util.getWebCrypto();
4998
- const nodeCrypto$7 = util.getNodeCrypto();
5020
+ const nodeCrypto$8 = util.getNodeCrypto();
4999
5021
  const Buffer$1 = util.getNodeBuffer();
5000
5022
 
5001
5023
 
@@ -5017,7 +5039,7 @@ var openpgp = (function (exports) {
5017
5039
  async function CTR(key) {
5018
5040
  if (util.getNodeCrypto()) { // Node crypto library
5019
5041
  return async function(pt, iv) {
5020
- const en = new nodeCrypto$7.createCipheriv('aes-' + (key.length * 8) + '-ctr', key, iv);
5042
+ const en = new nodeCrypto$8.createCipheriv('aes-' + (key.length * 8) + '-ctr', key, iv);
5021
5043
  const ct = Buffer$1.concat([en.update(pt), en.final()]);
5022
5044
  return new Uint8Array(ct);
5023
5045
  };
@@ -5708,7 +5730,7 @@ var openpgp = (function (exports) {
5708
5730
 
5709
5731
 
5710
5732
  const webCrypto$7 = util.getWebCrypto();
5711
- const nodeCrypto$6 = util.getNodeCrypto();
5733
+ const nodeCrypto$7 = util.getNodeCrypto();
5712
5734
  const Buffer = util.getNodeBuffer();
5713
5735
 
5714
5736
  const blockLength = 16;
@@ -5731,14 +5753,14 @@ var openpgp = (function (exports) {
5731
5753
  if (util.getNodeCrypto()) { // Node crypto library
5732
5754
  return {
5733
5755
  encrypt: async function(pt, iv, adata = new Uint8Array()) {
5734
- const en = new nodeCrypto$6.createCipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
5756
+ const en = new nodeCrypto$7.createCipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
5735
5757
  en.setAAD(adata);
5736
5758
  const ct = Buffer.concat([en.update(pt), en.final(), en.getAuthTag()]); // append auth tag to ciphertext
5737
5759
  return new Uint8Array(ct);
5738
5760
  },
5739
5761
 
5740
5762
  decrypt: async function(ct, iv, adata = new Uint8Array()) {
5741
- const de = new nodeCrypto$6.createDecipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
5763
+ const de = new nodeCrypto$7.createDecipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
5742
5764
  de.setAAD(adata);
5743
5765
  de.setAuthTag(ct.slice(ct.length - tagLength, ct.length)); // read auth tag at end of ciphertext
5744
5766
  const pt = Buffer.concat([de.update(ct.slice(0, ct.length - tagLength)), de.final()]);
@@ -5837,8 +5859,8 @@ var openpgp = (function (exports) {
5837
5859
  };
5838
5860
 
5839
5861
  // Operations are not constant time, but we try and limit timing leakage where we can
5840
- const _0n$8 = BigInt(0);
5841
- const _1n$d = BigInt(1);
5862
+ const _0n$9 = BigInt(0);
5863
+ const _1n$e = BigInt(1);
5842
5864
  function uint8ArrayToBigInt(bytes) {
5843
5865
  const hexAlphabet = '0123456789ABCDEF';
5844
5866
  let s = '';
@@ -5847,9 +5869,9 @@ var openpgp = (function (exports) {
5847
5869
  });
5848
5870
  return BigInt('0x0' + s);
5849
5871
  }
5850
- function mod$2(a, m) {
5872
+ function mod$3(a, m) {
5851
5873
  const reduced = a % m;
5852
- return reduced < _0n$8 ? reduced + m : reduced;
5874
+ return reduced < _0n$9 ? reduced + m : reduced;
5853
5875
  }
5854
5876
  /**
5855
5877
  * Compute modular exponentiation using square and multiply
@@ -5859,19 +5881,19 @@ var openpgp = (function (exports) {
5859
5881
  * @returns {BigInt} b ** e mod n.
5860
5882
  */
5861
5883
  function modExp(b, e, n) {
5862
- if (n === _0n$8)
5884
+ if (n === _0n$9)
5863
5885
  throw Error('Modulo cannot be zero');
5864
- if (n === _1n$d)
5886
+ if (n === _1n$e)
5865
5887
  return BigInt(0);
5866
- if (e < _0n$8)
5888
+ if (e < _0n$9)
5867
5889
  throw Error('Unsopported negative exponent');
5868
5890
  let exp = e;
5869
5891
  let x = b;
5870
5892
  x %= n;
5871
5893
  let r = BigInt(1);
5872
- while (exp > _0n$8) {
5873
- const lsb = exp & _1n$d;
5874
- exp >>= _1n$d; // e / 2
5894
+ while (exp > _0n$9) {
5895
+ const lsb = exp & _1n$e;
5896
+ exp >>= _1n$e; // e / 2
5875
5897
  // Always compute multiplication step, to reduce timing leakage
5876
5898
  const rx = (r * x) % n;
5877
5899
  // Update r only if lsb is 1 (odd exponent)
@@ -5881,7 +5903,7 @@ var openpgp = (function (exports) {
5881
5903
  return r;
5882
5904
  }
5883
5905
  function abs(x) {
5884
- return x >= _0n$8 ? x : -x;
5906
+ return x >= _0n$9 ? x : -x;
5885
5907
  }
5886
5908
  /**
5887
5909
  * Extended Eucleadian algorithm (http://anh.cs.luc.edu/331/notes/xgcd.pdf)
@@ -5901,9 +5923,9 @@ var openpgp = (function (exports) {
5901
5923
  // See https://math.stackexchange.com/questions/37806/extended-euclidean-algorithm-with-negative-numbers
5902
5924
  let a = abs(aInput);
5903
5925
  let b = abs(bInput);
5904
- const aNegated = aInput < _0n$8;
5905
- const bNegated = bInput < _0n$8;
5906
- while (b !== _0n$8) {
5926
+ const aNegated = aInput < _0n$9;
5927
+ const bNegated = bInput < _0n$9;
5928
+ while (b !== _0n$9) {
5907
5929
  const q = a / b;
5908
5930
  let tmp = x;
5909
5931
  x = xPrev - q * x;
@@ -5931,10 +5953,10 @@ var openpgp = (function (exports) {
5931
5953
  */
5932
5954
  function modInv(a, n) {
5933
5955
  const { gcd, x } = _egcd(a, n);
5934
- if (gcd !== _1n$d) {
5956
+ if (gcd !== _1n$e) {
5935
5957
  throw new Error('Inverse does not exist');
5936
5958
  }
5937
- return mod$2(x + n, n);
5959
+ return mod$3(x + n, n);
5938
5960
  }
5939
5961
  /**
5940
5962
  * Compute greatest common divisor between this and n
@@ -5945,7 +5967,7 @@ var openpgp = (function (exports) {
5945
5967
  function gcd(aInput, bInput) {
5946
5968
  let a = aInput;
5947
5969
  let b = bInput;
5948
- while (b !== _0n$8) {
5970
+ while (b !== _0n$9) {
5949
5971
  const tmp = b;
5950
5972
  b = a % b;
5951
5973
  a = tmp;
@@ -5972,8 +5994,8 @@ var openpgp = (function (exports) {
5972
5994
  * @returns {Number} Bit value.
5973
5995
  */
5974
5996
  function getBit(x, i) {
5975
- const bit = (x >> BigInt(i)) & _1n$d;
5976
- return bit === _0n$8 ? 0 : 1;
5997
+ const bit = (x >> BigInt(i)) & _1n$e;
5998
+ return bit === _0n$9 ? 0 : 1;
5977
5999
  }
5978
6000
  /**
5979
6001
  * Compute bit length
@@ -5981,11 +6003,11 @@ var openpgp = (function (exports) {
5981
6003
  function bitLength(x) {
5982
6004
  // -1n >> -1n is -1n
5983
6005
  // 1n >> 1n is 0n
5984
- const target = x < _0n$8 ? BigInt(-1) : _0n$8;
6006
+ const target = x < _0n$9 ? BigInt(-1) : _0n$9;
5985
6007
  let bitlen = 1;
5986
6008
  let tmp = x;
5987
6009
  // eslint-disable-next-line no-cond-assign
5988
- while ((tmp >>= _1n$d) !== target) {
6010
+ while ((tmp >>= _1n$e) !== target) {
5989
6011
  bitlen++;
5990
6012
  }
5991
6013
  return bitlen;
@@ -5994,7 +6016,7 @@ var openpgp = (function (exports) {
5994
6016
  * Compute byte length
5995
6017
  */
5996
6018
  function byteLength(x) {
5997
- const target = x < _0n$8 ? BigInt(-1) : _0n$8;
6019
+ const target = x < _0n$9 ? BigInt(-1) : _0n$9;
5998
6020
  const _8n = BigInt(8);
5999
6021
  let len = 1;
6000
6022
  let tmp = x;
@@ -6050,7 +6072,7 @@ var openpgp = (function (exports) {
6050
6072
  // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
6051
6073
 
6052
6074
 
6053
- const nodeCrypto$5 = util.getNodeCrypto();
6075
+ const nodeCrypto$6 = util.getNodeCrypto();
6054
6076
 
6055
6077
  /**
6056
6078
  * Retrieve secure random byte array of the specified length
@@ -6059,8 +6081,8 @@ var openpgp = (function (exports) {
6059
6081
  */
6060
6082
  function getRandomBytes(length) {
6061
6083
  const buf = new Uint8Array(length);
6062
- if (nodeCrypto$5) {
6063
- const bytes = nodeCrypto$5.randomBytes(buf.length);
6084
+ if (nodeCrypto$6) {
6085
+ const bytes = nodeCrypto$6.randomBytes(buf.length);
6064
6086
  buf.set(bytes);
6065
6087
  } else if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
6066
6088
  crypto.getRandomValues(buf);
@@ -6089,7 +6111,7 @@ var openpgp = (function (exports) {
6089
6111
  // However, we request 64 extra random bits so that the bias is negligible.
6090
6112
  // Section B.1.1 here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
6091
6113
  const r = uint8ArrayToBigInt(getRandomBytes(bytes + 8));
6092
- return mod$2(r, modulus) + min;
6114
+ return mod$3(r, modulus) + min;
6093
6115
  }
6094
6116
 
6095
6117
  var random = /*#__PURE__*/Object.freeze({
@@ -6118,7 +6140,7 @@ var openpgp = (function (exports) {
6118
6140
  * @fileoverview Algorithms for probabilistic random prime generation
6119
6141
  * @module crypto/public_key/prime
6120
6142
  */
6121
- const _1n$c = BigInt(1);
6143
+ const _1n$d = BigInt(1);
6122
6144
  /**
6123
6145
  * Generate a probably prime random number
6124
6146
  * @param bits - Bit length of the prime
@@ -6127,7 +6149,7 @@ var openpgp = (function (exports) {
6127
6149
  */
6128
6150
  function randomProbablePrime(bits, e, k) {
6129
6151
  const _30n = BigInt(30);
6130
- const min = _1n$c << BigInt(bits - 1);
6152
+ const min = _1n$d << BigInt(bits - 1);
6131
6153
  /*
6132
6154
  * We can avoid any multiples of 3 and 5 by looking at n mod 30
6133
6155
  * n mod 30 = 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
@@ -6135,16 +6157,16 @@ var openpgp = (function (exports) {
6135
6157
  * 1 7 7 7 7 7 7 11 11 11 11 13 13 17 17 17 17 19 19 23 23 23 23 29 29 29 29 29 29 1
6136
6158
  */
6137
6159
  const adds = [1, 6, 5, 4, 3, 2, 1, 4, 3, 2, 1, 2, 1, 4, 3, 2, 1, 2, 1, 4, 3, 2, 1, 6, 5, 4, 3, 2, 1, 2];
6138
- let n = getRandomBigInteger(min, min << _1n$c);
6139
- let i = bigIntToNumber(mod$2(n, _30n));
6160
+ let n = getRandomBigInteger(min, min << _1n$d);
6161
+ let i = bigIntToNumber(mod$3(n, _30n));
6140
6162
  do {
6141
6163
  n += BigInt(adds[i]);
6142
6164
  i = (i + adds[i]) % adds.length;
6143
6165
  // If reached the maximum, go back to the minimum.
6144
6166
  if (bitLength(n) > bits) {
6145
- n = mod$2(n, min << _1n$c);
6167
+ n = mod$3(n, min << _1n$d);
6146
6168
  n += min;
6147
- i = bigIntToNumber(mod$2(n, _30n));
6169
+ i = bigIntToNumber(mod$3(n, _30n));
6148
6170
  }
6149
6171
  } while (!isProbablePrime(n, e, k));
6150
6172
  return n;
@@ -6156,7 +6178,7 @@ var openpgp = (function (exports) {
6156
6178
  * @param k - Optional number of iterations of Miller-Rabin test
6157
6179
  */
6158
6180
  function isProbablePrime(n, e, k) {
6159
- if (e && gcd(n - _1n$c, e) !== _1n$c) {
6181
+ if (e && gcd(n - _1n$d, e) !== _1n$d) {
6160
6182
  return false;
6161
6183
  }
6162
6184
  if (!divisionTest(n)) {
@@ -6179,11 +6201,11 @@ var openpgp = (function (exports) {
6179
6201
  * @param b - Optional Fermat test base
6180
6202
  */
6181
6203
  function fermat(n, b = BigInt(2)) {
6182
- return modExp(b, n - _1n$c, n) === _1n$c;
6204
+ return modExp(b, n - _1n$d, n) === _1n$d;
6183
6205
  }
6184
6206
  function divisionTest(n) {
6185
6207
  const _0n = BigInt(0);
6186
- return smallPrimes.every(m => mod$2(n, m) !== _0n);
6208
+ return smallPrimes.every(m => mod$3(n, m) !== _0n);
6187
6209
  }
6188
6210
  // https://github.com/gpg/libgcrypt/blob/master/cipher/primegen.c
6189
6211
  const smallPrimes = [
@@ -6307,7 +6329,7 @@ var openpgp = (function (exports) {
6307
6329
  if (!k) {
6308
6330
  k = Math.max(1, (len / 48) | 0);
6309
6331
  }
6310
- const n1 = n - _1n$c; // n - 1
6332
+ const n1 = n - _1n$d; // n - 1
6311
6333
  // Find d and s, (n - 1) = (2 ^ s) * d;
6312
6334
  let s = 0;
6313
6335
  while (!getBit(n1, s)) {
@@ -6317,13 +6339,13 @@ var openpgp = (function (exports) {
6317
6339
  for (; k > 0; k--) {
6318
6340
  const a = getRandomBigInteger(BigInt(2), n1);
6319
6341
  let x = modExp(a, d, n);
6320
- if (x === _1n$c || x === n1) {
6342
+ if (x === _1n$d || x === n1) {
6321
6343
  continue;
6322
6344
  }
6323
6345
  let i;
6324
6346
  for (i = 1; i < s; i++) {
6325
- x = mod$2(x * x, n);
6326
- if (x === _1n$c) {
6347
+ x = mod$3(x * x, n);
6348
+ if (x === _1n$d) {
6327
6349
  return false;
6328
6350
  }
6329
6351
  if (x === n1) {
@@ -6516,8 +6538,8 @@ var openpgp = (function (exports) {
6516
6538
 
6517
6539
 
6518
6540
  const webCrypto$6 = util.getWebCrypto();
6519
- const nodeCrypto$4 = util.getNodeCrypto();
6520
- const _1n$b = BigInt(1);
6541
+ const nodeCrypto$5 = util.getNodeCrypto();
6542
+ const _1n$c = BigInt(1);
6521
6543
 
6522
6544
  /** Create signature
6523
6545
  * @param {module:enums.hash} hashAlgo - Hash algorithm
@@ -6558,7 +6580,7 @@ var openpgp = (function (exports) {
6558
6580
  * @returns {Boolean}
6559
6581
  * @async
6560
6582
  */
6561
- async function verify$7(hashAlgo, data, s, n, e, hashed) {
6583
+ async function verify$8(hashAlgo, data, s, n, e, hashed) {
6562
6584
  if (data && !util.isStream(data)) {
6563
6585
  if (util.getWebCrypto()) {
6564
6586
  try {
@@ -6658,7 +6680,7 @@ var openpgp = (function (exports) {
6658
6680
  privateKeyEncoding: { type: 'pkcs1', format: 'jwk' }
6659
6681
  };
6660
6682
  const jwk = await new Promise((resolve, reject) => {
6661
- nodeCrypto$4.generateKeyPair('rsa', opts, (err, _, jwkPrivateKey) => {
6683
+ nodeCrypto$5.generateKeyPair('rsa', opts, (err, _, jwkPrivateKey) => {
6662
6684
  if (err) {
6663
6685
  reject(err);
6664
6686
  } else {
@@ -6681,7 +6703,7 @@ var openpgp = (function (exports) {
6681
6703
  n = p * q;
6682
6704
  } while (bitLength(n) !== bits);
6683
6705
 
6684
- const phi = (p - _1n$b) * (q - _1n$b);
6706
+ const phi = (p - _1n$c) * (q - _1n$c);
6685
6707
 
6686
6708
  if (q < p) {
6687
6709
  [p, q] = [q, p];
@@ -6723,7 +6745,7 @@ var openpgp = (function (exports) {
6723
6745
  const _2n = BigInt(2);
6724
6746
  // expect p*u = 1 mod q
6725
6747
  u = uint8ArrayToBigInt(u);
6726
- if (mod$2(p * u, q) !== BigInt(1)) {
6748
+ if (mod$3(p * u, q) !== BigInt(1)) {
6727
6749
  return false;
6728
6750
  }
6729
6751
 
@@ -6740,7 +6762,7 @@ var openpgp = (function (exports) {
6740
6762
  const r = getRandomBigInteger(_2n, _2n << nSizeOver3); // r in [ 2, 2^{|n|/3} ) < p and q
6741
6763
  const rde = r * d * e;
6742
6764
 
6743
- const areInverses = mod$2(rde, p - _1n$b) === r && mod$2(rde, q - _1n$b) === r;
6765
+ const areInverses = mod$3(rde, p - _1n$c) === r && mod$3(rde, q - _1n$c) === r;
6744
6766
  if (!areInverses) {
6745
6767
  return false;
6746
6768
  }
@@ -6776,7 +6798,7 @@ var openpgp = (function (exports) {
6776
6798
  }
6777
6799
 
6778
6800
  async function nodeSign$1(hashAlgo, data, n, e, d, p, q, u) {
6779
- const sign = nodeCrypto$4.createSign(enums.read(enums.hash, hashAlgo));
6801
+ const sign = nodeCrypto$5.createSign(enums.read(enums.hash, hashAlgo));
6780
6802
  sign.write(data);
6781
6803
  sign.end();
6782
6804
 
@@ -6809,7 +6831,7 @@ var openpgp = (function (exports) {
6809
6831
  const jwk = publicToJWK(n, e);
6810
6832
  const key = { key: jwk, format: 'jwk', type: 'pkcs1' };
6811
6833
 
6812
- const verify = nodeCrypto$4.createVerify(enums.read(enums.hash, hashAlgo));
6834
+ const verify = nodeCrypto$5.createVerify(enums.read(enums.hash, hashAlgo));
6813
6835
  verify.write(data);
6814
6836
  verify.end();
6815
6837
 
@@ -6822,9 +6844,9 @@ var openpgp = (function (exports) {
6822
6844
 
6823
6845
  async function nodeEncrypt(data, n, e) {
6824
6846
  const jwk = publicToJWK(n, e);
6825
- const key = { key: jwk, format: 'jwk', type: 'pkcs1', padding: nodeCrypto$4.constants.RSA_PKCS1_PADDING };
6847
+ const key = { key: jwk, format: 'jwk', type: 'pkcs1', padding: nodeCrypto$5.constants.RSA_PKCS1_PADDING };
6826
6848
 
6827
- return new Uint8Array(nodeCrypto$4.publicEncrypt(key, data));
6849
+ return new Uint8Array(nodeCrypto$5.publicEncrypt(key, data));
6828
6850
  }
6829
6851
 
6830
6852
  async function bnEncrypt(data, n, e) {
@@ -6839,10 +6861,10 @@ var openpgp = (function (exports) {
6839
6861
 
6840
6862
  async function nodeDecrypt(data, n, e, d, p, q, u) {
6841
6863
  const jwk = await privateToJWK$1(n, e, d, p, q, u);
6842
- const key = { key: jwk, format: 'jwk' , type: 'pkcs1', padding: nodeCrypto$4.constants.RSA_PKCS1_PADDING };
6864
+ const key = { key: jwk, format: 'jwk' , type: 'pkcs1', padding: nodeCrypto$5.constants.RSA_PKCS1_PADDING };
6843
6865
 
6844
6866
  try {
6845
- return new Uint8Array(nodeCrypto$4.privateDecrypt(key, data));
6867
+ return new Uint8Array(nodeCrypto$5.privateDecrypt(key, data));
6846
6868
  } catch (err) {
6847
6869
  throw new Error('Decryption error');
6848
6870
  }
@@ -6859,20 +6881,20 @@ var openpgp = (function (exports) {
6859
6881
  if (data >= n) {
6860
6882
  throw new Error('Data too large.');
6861
6883
  }
6862
- const dq = mod$2(d, q - _1n$b); // d mod (q-1)
6863
- const dp = mod$2(d, p - _1n$b); // d mod (p-1)
6884
+ const dq = mod$3(d, q - _1n$c); // d mod (q-1)
6885
+ const dp = mod$3(d, p - _1n$c); // d mod (p-1)
6864
6886
 
6865
6887
  const unblinder = getRandomBigInteger(BigInt(2), n);
6866
6888
  const blinder = modExp(modInv(unblinder, n), e, n);
6867
- data = mod$2(data * blinder, n);
6889
+ data = mod$3(data * blinder, n);
6868
6890
 
6869
6891
  const mp = modExp(data, dp, p); // data**{d mod (q-1)} mod p
6870
6892
  const mq = modExp(data, dq, q); // data**{d mod (p-1)} mod q
6871
- const h = mod$2(u * (mq - mp), q); // u * (mq-mp) mod q (operands already < q)
6893
+ const h = mod$3(u * (mq - mp), q); // u * (mq-mp) mod q (operands already < q)
6872
6894
 
6873
6895
  let result = h * p + mp; // result < n due to relations above
6874
6896
 
6875
- result = mod$2(result * unblinder, n);
6897
+ result = mod$3(result * unblinder, n);
6876
6898
 
6877
6899
  return emeDecode(bigIntToUint8Array(result, 'be', byteLength(n)), randomPayload);
6878
6900
  }
@@ -6892,8 +6914,8 @@ var openpgp = (function (exports) {
6892
6914
  const qNum = uint8ArrayToBigInt(q);
6893
6915
  const dNum = uint8ArrayToBigInt(d);
6894
6916
 
6895
- let dq = mod$2(dNum, qNum - _1n$b); // d mod (q-1)
6896
- let dp = mod$2(dNum, pNum - _1n$b); // d mod (p-1)
6917
+ let dq = mod$3(dNum, qNum - _1n$c); // d mod (q-1)
6918
+ let dp = mod$3(dNum, pNum - _1n$c); // d mod (p-1)
6897
6919
  dp = bigIntToUint8Array(dp);
6898
6920
  dq = bigIntToUint8Array(dq);
6899
6921
  return {
@@ -6948,7 +6970,7 @@ var openpgp = (function (exports) {
6948
6970
  generate: generate$5,
6949
6971
  sign: sign$7,
6950
6972
  validateParams: validateParams$9,
6951
- verify: verify$7
6973
+ verify: verify$8
6952
6974
  });
6953
6975
 
6954
6976
  // GPG4Browsers - An OpenPGP implementation in javascript
@@ -6969,7 +6991,7 @@ var openpgp = (function (exports) {
6969
6991
  // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
6970
6992
 
6971
6993
 
6972
- const _1n$a = BigInt(1);
6994
+ const _1n$b = BigInt(1);
6973
6995
 
6974
6996
  /**
6975
6997
  * ElGamal Encryption function
@@ -6991,10 +7013,10 @@ var openpgp = (function (exports) {
6991
7013
 
6992
7014
  // OpenPGP uses a "special" version of ElGamal where g is generator of the full group Z/pZ*
6993
7015
  // hence g has order p-1, and to avoid that k = 0 mod p-1, we need to pick k in [1, p-2]
6994
- const k = getRandomBigInteger(_1n$a, p - _1n$a);
7016
+ const k = getRandomBigInteger(_1n$b, p - _1n$b);
6995
7017
  return {
6996
7018
  c1: bigIntToUint8Array(modExp(g, k, p)),
6997
- c2: bigIntToUint8Array(mod$2(modExp(y, k, p) * m, p))
7019
+ c2: bigIntToUint8Array(mod$3(modExp(y, k, p) * m, p))
6998
7020
  };
6999
7021
  }
7000
7022
 
@@ -7016,7 +7038,7 @@ var openpgp = (function (exports) {
7016
7038
  p = uint8ArrayToBigInt(p);
7017
7039
  x = uint8ArrayToBigInt(x);
7018
7040
 
7019
- const padded = mod$2(modInv(modExp(c1, x, p), p) * c2, p);
7041
+ const padded = mod$3(modInv(modExp(c1, x, p), p) * c2, p);
7020
7042
  return emeDecode(bigIntToUint8Array(padded, 'be', byteLength(p)), randomPayload);
7021
7043
  }
7022
7044
 
@@ -7035,7 +7057,7 @@ var openpgp = (function (exports) {
7035
7057
  y = uint8ArrayToBigInt(y);
7036
7058
 
7037
7059
  // Check that 1 < g < p
7038
- if (g <= _1n$a || g >= p) {
7060
+ if (g <= _1n$b || g >= p) {
7039
7061
  return false;
7040
7062
  }
7041
7063
 
@@ -7050,7 +7072,7 @@ var openpgp = (function (exports) {
7050
7072
  * g should have order p-1
7051
7073
  * Check that g ** (p-1) = 1 mod p
7052
7074
  */
7053
- if (modExp(g, p - _1n$a, p) !== _1n$a) {
7075
+ if (modExp(g, p - _1n$b, p) !== _1n$b) {
7054
7076
  return false;
7055
7077
  }
7056
7078
 
@@ -7065,8 +7087,8 @@ var openpgp = (function (exports) {
7065
7087
  const _2n = BigInt(2);
7066
7088
  const threshold = _2n << BigInt(17); // we want order > threshold
7067
7089
  while (i < threshold) {
7068
- res = mod$2(res * g, p);
7069
- if (res === _1n$a) {
7090
+ res = mod$3(res * g, p);
7091
+ if (res === _1n$b) {
7070
7092
  return false;
7071
7093
  }
7072
7094
  i++;
@@ -7079,8 +7101,8 @@ var openpgp = (function (exports) {
7079
7101
  * Blinded exponentiation computes g**{r(p-1) + x} to compare to y
7080
7102
  */
7081
7103
  x = uint8ArrayToBigInt(x);
7082
- const r = getRandomBigInteger(_2n << (pSize - _1n$a), _2n << pSize); // draw r of same size as p-1
7083
- const rqx = (p - _1n$a) * r + x;
7104
+ const r = getRandomBigInteger(_2n << (pSize - _1n$b), _2n << pSize); // draw r of same size as p-1
7105
+ const rqx = (p - _1n$b) * r + x;
7084
7106
  if (y !== modExp(g, rqx, p)) {
7085
7107
  return false;
7086
7108
  }
@@ -7096,7 +7118,7 @@ var openpgp = (function (exports) {
7096
7118
  });
7097
7119
 
7098
7120
  // declare const globalThis: Record<string, any> | undefined;
7099
- const crypto$3 =
7121
+ const crypto$4 =
7100
7122
  typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined;
7101
7123
 
7102
7124
  const nacl = {};
@@ -8459,13 +8481,13 @@ var openpgp = (function (exports) {
8459
8481
  (function() {
8460
8482
  // Initialize PRNG if environment provides CSPRNG.
8461
8483
  // If not, methods calling randombytes will throw.
8462
- if (crypto$3 && crypto$3.getRandomValues) {
8484
+ if (crypto$4 && crypto$4.getRandomValues) {
8463
8485
  // Browsers and Node v16+
8464
8486
  var QUOTA = 65536;
8465
8487
  nacl.setPRNG(function(x, n) {
8466
8488
  var i, v = new Uint8Array(n);
8467
8489
  for (i = 0; i < n; i += QUOTA) {
8468
- crypto$3.getRandomValues(v.subarray(i, i + Math.min(n - i, QUOTA)));
8490
+ crypto$4.getRandomValues(v.subarray(i, i + Math.min(n - i, QUOTA)));
8469
8491
  }
8470
8492
  for (i = 0; i < n; i++) x[i] = v[i];
8471
8493
  cleanup(v);
@@ -8914,15 +8936,15 @@ var openpgp = (function (exports) {
8914
8936
 
8915
8937
 
8916
8938
  const webCrypto$5 = util.getWebCrypto();
8917
- const nodeCrypto$3 = util.getNodeCrypto();
8939
+ const nodeCrypto$4 = util.getNodeCrypto();
8918
8940
 
8919
8941
  const webCurves = {
8920
8942
  [enums.curve.nistP256]: 'P-256',
8921
8943
  [enums.curve.nistP384]: 'P-384',
8922
8944
  [enums.curve.nistP521]: 'P-521'
8923
8945
  };
8924
- const knownCurves = nodeCrypto$3 ? nodeCrypto$3.getCurves() : [];
8925
- const nodeCurves = nodeCrypto$3 ? {
8946
+ const knownCurves = nodeCrypto$4 ? nodeCrypto$4.getCurves() : [];
8947
+ const nodeCurves = nodeCrypto$4 ? {
8926
8948
  [enums.curve.secp256k1]: knownCurves.includes('secp256k1') ? 'secp256k1' : undefined,
8927
8949
  [enums.curve.nistP256]: knownCurves.includes('prime256v1') ? 'prime256v1' : undefined,
8928
8950
  [enums.curve.nistP384]: knownCurves.includes('secp384r1') ? 'secp384r1' : undefined,
@@ -8943,7 +8965,8 @@ var openpgp = (function (exports) {
8943
8965
  node: nodeCurves[enums.curve.nistP256],
8944
8966
  web: webCurves[enums.curve.nistP256],
8945
8967
  payloadSize: 32,
8946
- sharedSize: 256
8968
+ sharedSize: 256,
8969
+ wireFormatLeadingByte: 0x04
8947
8970
  },
8948
8971
  [enums.curve.nistP384]: {
8949
8972
  oid: [0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22],
@@ -8953,7 +8976,8 @@ var openpgp = (function (exports) {
8953
8976
  node: nodeCurves[enums.curve.nistP384],
8954
8977
  web: webCurves[enums.curve.nistP384],
8955
8978
  payloadSize: 48,
8956
- sharedSize: 384
8979
+ sharedSize: 384,
8980
+ wireFormatLeadingByte: 0x04
8957
8981
  },
8958
8982
  [enums.curve.nistP521]: {
8959
8983
  oid: [0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x23],
@@ -8963,7 +8987,8 @@ var openpgp = (function (exports) {
8963
8987
  node: nodeCurves[enums.curve.nistP521],
8964
8988
  web: webCurves[enums.curve.nistP521],
8965
8989
  payloadSize: 66,
8966
- sharedSize: 528
8990
+ sharedSize: 528,
8991
+ wireFormatLeadingByte: 0x04
8967
8992
  },
8968
8993
  [enums.curve.secp256k1]: {
8969
8994
  oid: [0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x0A],
@@ -8971,14 +8996,16 @@ var openpgp = (function (exports) {
8971
8996
  hash: enums.hash.sha256,
8972
8997
  cipher: enums.symmetric.aes128,
8973
8998
  node: nodeCurves[enums.curve.secp256k1],
8974
- payloadSize: 32
8999
+ payloadSize: 32,
9000
+ wireFormatLeadingByte: 0x04
8975
9001
  },
8976
9002
  [enums.curve.ed25519Legacy]: {
8977
9003
  oid: [0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01],
8978
9004
  keyType: enums.publicKey.eddsaLegacy,
8979
9005
  hash: enums.hash.sha512,
8980
9006
  node: false, // nodeCurves.ed25519 TODO
8981
- payloadSize: 32
9007
+ payloadSize: 32,
9008
+ wireFormatLeadingByte: 0x40
8982
9009
  },
8983
9010
  [enums.curve.curve25519Legacy]: {
8984
9011
  oid: [0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55, 0x01, 0x05, 0x01],
@@ -8986,7 +9013,8 @@ var openpgp = (function (exports) {
8986
9013
  hash: enums.hash.sha256,
8987
9014
  cipher: enums.symmetric.aes128,
8988
9015
  node: false, // nodeCurves.curve25519 TODO
8989
- payloadSize: 32
9016
+ payloadSize: 32,
9017
+ wireFormatLeadingByte: 0x40
8990
9018
  },
8991
9019
  [enums.curve.brainpoolP256r1]: {
8992
9020
  oid: [0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x07],
@@ -8994,7 +9022,8 @@ var openpgp = (function (exports) {
8994
9022
  hash: enums.hash.sha256,
8995
9023
  cipher: enums.symmetric.aes128,
8996
9024
  node: nodeCurves[enums.curve.brainpoolP256r1],
8997
- payloadSize: 32
9025
+ payloadSize: 32,
9026
+ wireFormatLeadingByte: 0x04
8998
9027
  },
8999
9028
  [enums.curve.brainpoolP384r1]: {
9000
9029
  oid: [0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0B],
@@ -9002,7 +9031,8 @@ var openpgp = (function (exports) {
9002
9031
  hash: enums.hash.sha384,
9003
9032
  cipher: enums.symmetric.aes192,
9004
9033
  node: nodeCurves[enums.curve.brainpoolP384r1],
9005
- payloadSize: 48
9034
+ payloadSize: 48,
9035
+ wireFormatLeadingByte: 0x04
9006
9036
  },
9007
9037
  [enums.curve.brainpoolP512r1]: {
9008
9038
  oid: [0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0D],
@@ -9010,7 +9040,8 @@ var openpgp = (function (exports) {
9010
9040
  hash: enums.hash.sha512,
9011
9041
  cipher: enums.symmetric.aes256,
9012
9042
  node: nodeCurves[enums.curve.brainpoolP512r1],
9013
- payloadSize: 64
9043
+ payloadSize: 64,
9044
+ wireFormatLeadingByte: 0x04
9014
9045
  }
9015
9046
  };
9016
9047
 
@@ -9034,6 +9065,7 @@ var openpgp = (function (exports) {
9034
9065
  this.web = params.web;
9035
9066
  this.payloadSize = params.payloadSize;
9036
9067
  this.sharedSize = params.sharedSize;
9068
+ this.wireFormatLeadingByte = params.wireFormatLeadingByte;
9037
9069
  if (this.web && util.getWebCrypto()) {
9038
9070
  this.type = 'web';
9039
9071
  } else if (this.node && util.getNodeCrypto()) {
@@ -9049,7 +9081,7 @@ var openpgp = (function (exports) {
9049
9081
  switch (this.type) {
9050
9082
  case 'web':
9051
9083
  try {
9052
- return await webGenKeyPair(this.name);
9084
+ return await webGenKeyPair(this.name, this.wireFormatLeadingByte);
9053
9085
  } catch (err) {
9054
9086
  util.printDebugError('Browser did not support generating ec key ' + err.message);
9055
9087
  return jsGenKeyPair(this.name);
@@ -9062,13 +9094,13 @@ var openpgp = (function (exports) {
9062
9094
  privateKey[31] &= 248;
9063
9095
  const secretKey = privateKey.slice().reverse();
9064
9096
  const { publicKey: rawPublicKey } = nacl.box.keyPair.fromSecretKey(secretKey);
9065
- const publicKey = util.concatUint8Array([new Uint8Array([0x40]), rawPublicKey]);
9097
+ const publicKey = util.concatUint8Array([new Uint8Array([this.wireFormatLeadingByte]), rawPublicKey]);
9066
9098
  return { publicKey, privateKey };
9067
9099
  }
9068
9100
  case 'ed25519Legacy': {
9069
9101
  const privateKey = getRandomBytes(32);
9070
9102
  const keyPair = nacl.sign.keyPair.fromSeed(privateKey);
9071
- const publicKey = util.concatUint8Array([new Uint8Array([0x40]), keyPair.publicKey]);
9103
+ const publicKey = util.concatUint8Array([new Uint8Array([this.wireFormatLeadingByte]), keyPair.publicKey]);
9072
9104
  return { publicKey, privateKey };
9073
9105
  }
9074
9106
  default:
@@ -9154,6 +9186,20 @@ var openpgp = (function (exports) {
9154
9186
  return true;
9155
9187
  }
9156
9188
 
9189
+ /**
9190
+ * Check whether the public point has a valid encoding.
9191
+ * NB: this function does not check e.g. whether the point belongs to the curve.
9192
+ */
9193
+ function checkPublicPointEnconding(curve, V) {
9194
+ const { payloadSize, wireFormatLeadingByte, name: curveName } = curve;
9195
+
9196
+ const pointSize = (curveName === enums.curve.curve25519Legacy || curveName === enums.curve.ed25519Legacy) ? payloadSize : payloadSize * 2;
9197
+
9198
+ if (V[0] !== wireFormatLeadingByte || V.length !== pointSize + 1) {
9199
+ throw new Error('Invalid point encoding');
9200
+ }
9201
+ }
9202
+
9157
9203
  //////////////////////////
9158
9204
  // //
9159
9205
  // Helper functions //
@@ -9166,7 +9212,7 @@ var openpgp = (function (exports) {
9166
9212
  return { publicKey, privateKey };
9167
9213
  }
9168
9214
 
9169
- async function webGenKeyPair(name) {
9215
+ async function webGenKeyPair(name, wireFormatLeadingByte) {
9170
9216
  // Note: keys generated with ECDSA and ECDH are structurally equivalent
9171
9217
  const webCryptoKey = await webCrypto$5.generateKey({ name: 'ECDSA', namedCurve: webCurves[name] }, true, ['sign', 'verify']);
9172
9218
 
@@ -9174,14 +9220,14 @@ var openpgp = (function (exports) {
9174
9220
  const publicKey = await webCrypto$5.exportKey('jwk', webCryptoKey.publicKey);
9175
9221
 
9176
9222
  return {
9177
- publicKey: jwkToRawPublic(publicKey),
9223
+ publicKey: jwkToRawPublic(publicKey, wireFormatLeadingByte),
9178
9224
  privateKey: b64ToUint8Array(privateKey.d)
9179
9225
  };
9180
9226
  }
9181
9227
 
9182
9228
  async function nodeGenKeyPair(name) {
9183
9229
  // Note: ECDSA and ECDH key generation is structurally equivalent
9184
- const ecdh = nodeCrypto$3.createECDH(nodeCurves[name]);
9230
+ const ecdh = nodeCrypto$4.createECDH(nodeCurves[name]);
9185
9231
  await ecdh.generateKeys();
9186
9232
  return {
9187
9233
  publicKey: new Uint8Array(ecdh.getPublicKey()),
@@ -9200,11 +9246,11 @@ var openpgp = (function (exports) {
9200
9246
  *
9201
9247
  * @returns {Uint8Array} Raw public key.
9202
9248
  */
9203
- function jwkToRawPublic(jwk) {
9249
+ function jwkToRawPublic(jwk, wireFormatLeadingByte) {
9204
9250
  const bufX = b64ToUint8Array(jwk.x);
9205
9251
  const bufY = b64ToUint8Array(jwk.y);
9206
9252
  const publicKey = new Uint8Array(bufX.length + bufY.length + 1);
9207
- publicKey[0] = 0x04;
9253
+ publicKey[0] = wireFormatLeadingByte;
9208
9254
  publicKey.set(bufX, 1);
9209
9255
  publicKey.set(bufY, bufX.length + 1);
9210
9256
  return publicKey;
@@ -9265,7 +9311,7 @@ var openpgp = (function (exports) {
9265
9311
 
9266
9312
 
9267
9313
  const webCrypto$4 = util.getWebCrypto();
9268
- const nodeCrypto$2 = util.getNodeCrypto();
9314
+ const nodeCrypto$3 = util.getNodeCrypto();
9269
9315
 
9270
9316
  /**
9271
9317
  * Sign a message using the provided key
@@ -9283,6 +9329,7 @@ var openpgp = (function (exports) {
9283
9329
  */
9284
9330
  async function sign$6(oid, hashAlgo, message, publicKey, privateKey, hashed) {
9285
9331
  const curve = new CurveWithOID(oid);
9332
+ checkPublicPointEnconding(curve, publicKey);
9286
9333
  if (message && !util.isStream(message)) {
9287
9334
  const keyPair = { publicKey, privateKey };
9288
9335
  switch (curve.type) {
@@ -9327,8 +9374,9 @@ var openpgp = (function (exports) {
9327
9374
  * @returns {Boolean}
9328
9375
  * @async
9329
9376
  */
9330
- async function verify$6(oid, hashAlgo, signature, message, publicKey, hashed) {
9377
+ async function verify$7(oid, hashAlgo, signature, message, publicKey, hashed) {
9331
9378
  const curve = new CurveWithOID(oid);
9379
+ checkPublicPointEnconding(curve, publicKey);
9332
9380
  // See https://github.com/openpgpjs/openpgpjs/pull/948.
9333
9381
  // NB: the impact was more likely limited to Brainpool curves, since thanks
9334
9382
  // to WebCrypto availability, NIST curve should not have been affected.
@@ -9395,7 +9443,7 @@ var openpgp = (function (exports) {
9395
9443
  try {
9396
9444
  const signature = await sign$6(oid, hashAlgo, message, Q, d, hashed);
9397
9445
  // eslint-disable-next-line @typescript-eslint/return-await
9398
- return await verify$6(oid, hashAlgo, signature, message, Q, hashed);
9446
+ return await verify$7(oid, hashAlgo, signature, message, Q, hashed);
9399
9447
  } catch (err) {
9400
9448
  return false;
9401
9449
  }
@@ -9490,7 +9538,7 @@ var openpgp = (function (exports) {
9490
9538
  privateKey: nodeBuffer.from(privateKey)
9491
9539
  });
9492
9540
 
9493
- const sign = nodeCrypto$2.createSign(enums.read(enums.hash, hashAlgo));
9541
+ const sign = nodeCrypto$3.createSign(enums.read(enums.hash, hashAlgo));
9494
9542
  sign.write(message);
9495
9543
  sign.end();
9496
9544
 
@@ -9511,7 +9559,7 @@ var openpgp = (function (exports) {
9511
9559
  publicKey: nodeBuffer.from(publicKey)
9512
9560
  });
9513
9561
 
9514
- const verify = nodeCrypto$2.createVerify(enums.read(enums.hash, hashAlgo));
9562
+ const verify = nodeCrypto$3.createVerify(enums.read(enums.hash, hashAlgo));
9515
9563
  verify.write(message);
9516
9564
  verify.end();
9517
9565
 
@@ -9528,7 +9576,760 @@ var openpgp = (function (exports) {
9528
9576
  __proto__: null,
9529
9577
  sign: sign$6,
9530
9578
  validateParams: validateParams$7,
9531
- verify: verify$6
9579
+ verify: verify$7
9580
+ });
9581
+
9582
+ /*! noble-ed25519 - MIT License (c) 2019 Paul Miller (paulmillr.com) */
9583
+ const nodeCrypto$2 = null;
9584
+ const _0n$8 = BigInt(0);
9585
+ const _1n$a = BigInt(1);
9586
+ const _2n$6 = BigInt(2);
9587
+ const _8n$2 = BigInt(8);
9588
+ const CU_O = BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989');
9589
+ const CURVE$1 = Object.freeze({
9590
+ a: BigInt(-1),
9591
+ d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
9592
+ P: BigInt('57896044618658097711785492504343953926634992332820282019728792003956564819949'),
9593
+ l: CU_O,
9594
+ n: CU_O,
9595
+ h: BigInt(8),
9596
+ Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
9597
+ Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
9598
+ });
9599
+ const POW_2_256 = BigInt('0x10000000000000000000000000000000000000000000000000000000000000000');
9600
+ const SQRT_M1 = BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
9601
+ BigInt('6853475219497561581579357271197624642482790079785650197046958215289687604742');
9602
+ const SQRT_AD_MINUS_ONE = BigInt('25063068953384623474111414158702152701244531502492656460079210482610430750235');
9603
+ const INVSQRT_A_MINUS_D = BigInt('54469307008909316920995813868745141605393597292927456921205312896311721017578');
9604
+ const ONE_MINUS_D_SQ = BigInt('1159843021668779879193775521855586647937357759715417654439879720876111806838');
9605
+ const D_MINUS_ONE_SQ = BigInt('40440834346308536858101042469323190826248399146238708352240133220865137265952');
9606
+ class ExtendedPoint {
9607
+ constructor(x, y, z, t) {
9608
+ this.x = x;
9609
+ this.y = y;
9610
+ this.z = z;
9611
+ this.t = t;
9612
+ }
9613
+ static fromAffine(p) {
9614
+ if (!(p instanceof Point)) {
9615
+ throw new TypeError('ExtendedPoint#fromAffine: expected Point');
9616
+ }
9617
+ if (p.equals(Point.ZERO))
9618
+ return ExtendedPoint.ZERO;
9619
+ return new ExtendedPoint(p.x, p.y, _1n$a, mod$2(p.x * p.y));
9620
+ }
9621
+ static toAffineBatch(points) {
9622
+ const toInv = invertBatch(points.map((p) => p.z));
9623
+ return points.map((p, i) => p.toAffine(toInv[i]));
9624
+ }
9625
+ static normalizeZ(points) {
9626
+ return this.toAffineBatch(points).map(this.fromAffine);
9627
+ }
9628
+ equals(other) {
9629
+ assertExtPoint(other);
9630
+ const { x: X1, y: Y1, z: Z1 } = this;
9631
+ const { x: X2, y: Y2, z: Z2 } = other;
9632
+ const X1Z2 = mod$2(X1 * Z2);
9633
+ const X2Z1 = mod$2(X2 * Z1);
9634
+ const Y1Z2 = mod$2(Y1 * Z2);
9635
+ const Y2Z1 = mod$2(Y2 * Z1);
9636
+ return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
9637
+ }
9638
+ negate() {
9639
+ return new ExtendedPoint(mod$2(-this.x), this.y, this.z, mod$2(-this.t));
9640
+ }
9641
+ double() {
9642
+ const { x: X1, y: Y1, z: Z1 } = this;
9643
+ const { a } = CURVE$1;
9644
+ const A = mod$2(X1 * X1);
9645
+ const B = mod$2(Y1 * Y1);
9646
+ const C = mod$2(_2n$6 * mod$2(Z1 * Z1));
9647
+ const D = mod$2(a * A);
9648
+ const x1y1 = X1 + Y1;
9649
+ const E = mod$2(mod$2(x1y1 * x1y1) - A - B);
9650
+ const G = D + B;
9651
+ const F = G - C;
9652
+ const H = D - B;
9653
+ const X3 = mod$2(E * F);
9654
+ const Y3 = mod$2(G * H);
9655
+ const T3 = mod$2(E * H);
9656
+ const Z3 = mod$2(F * G);
9657
+ return new ExtendedPoint(X3, Y3, Z3, T3);
9658
+ }
9659
+ add(other) {
9660
+ assertExtPoint(other);
9661
+ const { x: X1, y: Y1, z: Z1, t: T1 } = this;
9662
+ const { x: X2, y: Y2, z: Z2, t: T2 } = other;
9663
+ const A = mod$2((Y1 - X1) * (Y2 + X2));
9664
+ const B = mod$2((Y1 + X1) * (Y2 - X2));
9665
+ const F = mod$2(B - A);
9666
+ if (F === _0n$8)
9667
+ return this.double();
9668
+ const C = mod$2(Z1 * _2n$6 * T2);
9669
+ const D = mod$2(T1 * _2n$6 * Z2);
9670
+ const E = D + C;
9671
+ const G = B + A;
9672
+ const H = D - C;
9673
+ const X3 = mod$2(E * F);
9674
+ const Y3 = mod$2(G * H);
9675
+ const T3 = mod$2(E * H);
9676
+ const Z3 = mod$2(F * G);
9677
+ return new ExtendedPoint(X3, Y3, Z3, T3);
9678
+ }
9679
+ subtract(other) {
9680
+ return this.add(other.negate());
9681
+ }
9682
+ precomputeWindow(W) {
9683
+ const windows = 1 + 256 / W;
9684
+ const points = [];
9685
+ let p = this;
9686
+ let base = p;
9687
+ for (let window = 0; window < windows; window++) {
9688
+ base = p;
9689
+ points.push(base);
9690
+ for (let i = 1; i < 2 ** (W - 1); i++) {
9691
+ base = base.add(p);
9692
+ points.push(base);
9693
+ }
9694
+ p = base.double();
9695
+ }
9696
+ return points;
9697
+ }
9698
+ wNAF(n, affinePoint) {
9699
+ if (!affinePoint && this.equals(ExtendedPoint.BASE))
9700
+ affinePoint = Point.BASE;
9701
+ const W = (affinePoint && affinePoint._WINDOW_SIZE) || 1;
9702
+ if (256 % W) {
9703
+ throw new Error('Point#wNAF: Invalid precomputation window, must be power of 2');
9704
+ }
9705
+ let precomputes = affinePoint && pointPrecomputes.get(affinePoint);
9706
+ if (!precomputes) {
9707
+ precomputes = this.precomputeWindow(W);
9708
+ if (affinePoint && W !== 1) {
9709
+ precomputes = ExtendedPoint.normalizeZ(precomputes);
9710
+ pointPrecomputes.set(affinePoint, precomputes);
9711
+ }
9712
+ }
9713
+ let p = ExtendedPoint.ZERO;
9714
+ let f = ExtendedPoint.BASE;
9715
+ const windows = 1 + 256 / W;
9716
+ const windowSize = 2 ** (W - 1);
9717
+ const mask = BigInt(2 ** W - 1);
9718
+ const maxNumber = 2 ** W;
9719
+ const shiftBy = BigInt(W);
9720
+ for (let window = 0; window < windows; window++) {
9721
+ const offset = window * windowSize;
9722
+ let wbits = Number(n & mask);
9723
+ n >>= shiftBy;
9724
+ if (wbits > windowSize) {
9725
+ wbits -= maxNumber;
9726
+ n += _1n$a;
9727
+ }
9728
+ const offset1 = offset;
9729
+ const offset2 = offset + Math.abs(wbits) - 1;
9730
+ const cond1 = window % 2 !== 0;
9731
+ const cond2 = wbits < 0;
9732
+ if (wbits === 0) {
9733
+ f = f.add(constTimeNegate(cond1, precomputes[offset1]));
9734
+ }
9735
+ else {
9736
+ p = p.add(constTimeNegate(cond2, precomputes[offset2]));
9737
+ }
9738
+ }
9739
+ return ExtendedPoint.normalizeZ([p, f])[0];
9740
+ }
9741
+ multiply(scalar, affinePoint) {
9742
+ return this.wNAF(normalizeScalar(scalar, CURVE$1.l), affinePoint);
9743
+ }
9744
+ multiplyUnsafe(scalar) {
9745
+ let n = normalizeScalar(scalar, CURVE$1.l, false);
9746
+ const G = ExtendedPoint.BASE;
9747
+ const P0 = ExtendedPoint.ZERO;
9748
+ if (n === _0n$8)
9749
+ return P0;
9750
+ if (this.equals(P0) || n === _1n$a)
9751
+ return this;
9752
+ if (this.equals(G))
9753
+ return this.wNAF(n);
9754
+ let p = P0;
9755
+ let d = this;
9756
+ while (n > _0n$8) {
9757
+ if (n & _1n$a)
9758
+ p = p.add(d);
9759
+ d = d.double();
9760
+ n >>= _1n$a;
9761
+ }
9762
+ return p;
9763
+ }
9764
+ isSmallOrder() {
9765
+ return this.multiplyUnsafe(CURVE$1.h).equals(ExtendedPoint.ZERO);
9766
+ }
9767
+ isTorsionFree() {
9768
+ let p = this.multiplyUnsafe(CURVE$1.l / _2n$6).double();
9769
+ if (CURVE$1.l % _2n$6)
9770
+ p = p.add(this);
9771
+ return p.equals(ExtendedPoint.ZERO);
9772
+ }
9773
+ toAffine(invZ) {
9774
+ const { x, y, z } = this;
9775
+ const is0 = this.equals(ExtendedPoint.ZERO);
9776
+ if (invZ == null)
9777
+ invZ = is0 ? _8n$2 : invert$1(z);
9778
+ const ax = mod$2(x * invZ);
9779
+ const ay = mod$2(y * invZ);
9780
+ const zz = mod$2(z * invZ);
9781
+ if (is0)
9782
+ return Point.ZERO;
9783
+ if (zz !== _1n$a)
9784
+ throw new Error('invZ was invalid');
9785
+ return new Point(ax, ay);
9786
+ }
9787
+ fromRistrettoBytes() {
9788
+ legacyRist();
9789
+ }
9790
+ toRistrettoBytes() {
9791
+ legacyRist();
9792
+ }
9793
+ fromRistrettoHash() {
9794
+ legacyRist();
9795
+ }
9796
+ }
9797
+ ExtendedPoint.BASE = new ExtendedPoint(CURVE$1.Gx, CURVE$1.Gy, _1n$a, mod$2(CURVE$1.Gx * CURVE$1.Gy));
9798
+ ExtendedPoint.ZERO = new ExtendedPoint(_0n$8, _1n$a, _1n$a, _0n$8);
9799
+ function constTimeNegate(condition, item) {
9800
+ const neg = item.negate();
9801
+ return condition ? neg : item;
9802
+ }
9803
+ function assertExtPoint(other) {
9804
+ if (!(other instanceof ExtendedPoint))
9805
+ throw new TypeError('ExtendedPoint expected');
9806
+ }
9807
+ function assertRstPoint(other) {
9808
+ if (!(other instanceof RistrettoPoint))
9809
+ throw new TypeError('RistrettoPoint expected');
9810
+ }
9811
+ function legacyRist() {
9812
+ throw new Error('Legacy method: switch to RistrettoPoint');
9813
+ }
9814
+ class RistrettoPoint {
9815
+ constructor(ep) {
9816
+ this.ep = ep;
9817
+ }
9818
+ static calcElligatorRistrettoMap(r0) {
9819
+ const { d } = CURVE$1;
9820
+ const r = mod$2(SQRT_M1 * r0 * r0);
9821
+ const Ns = mod$2((r + _1n$a) * ONE_MINUS_D_SQ);
9822
+ let c = BigInt(-1);
9823
+ const D = mod$2((c - d * r) * mod$2(r + d));
9824
+ let { isValid: Ns_D_is_sq, value: s } = uvRatio$1(Ns, D);
9825
+ let s_ = mod$2(s * r0);
9826
+ if (!edIsNegative(s_))
9827
+ s_ = mod$2(-s_);
9828
+ if (!Ns_D_is_sq)
9829
+ s = s_;
9830
+ if (!Ns_D_is_sq)
9831
+ c = r;
9832
+ const Nt = mod$2(c * (r - _1n$a) * D_MINUS_ONE_SQ - D);
9833
+ const s2 = s * s;
9834
+ const W0 = mod$2((s + s) * D);
9835
+ const W1 = mod$2(Nt * SQRT_AD_MINUS_ONE);
9836
+ const W2 = mod$2(_1n$a - s2);
9837
+ const W3 = mod$2(_1n$a + s2);
9838
+ return new ExtendedPoint(mod$2(W0 * W3), mod$2(W2 * W1), mod$2(W1 * W3), mod$2(W0 * W2));
9839
+ }
9840
+ static hashToCurve(hex) {
9841
+ hex = ensureBytes$1(hex, 64);
9842
+ const r1 = bytes255ToNumberLE(hex.slice(0, 32));
9843
+ const R1 = this.calcElligatorRistrettoMap(r1);
9844
+ const r2 = bytes255ToNumberLE(hex.slice(32, 64));
9845
+ const R2 = this.calcElligatorRistrettoMap(r2);
9846
+ return new RistrettoPoint(R1.add(R2));
9847
+ }
9848
+ static fromHex(hex) {
9849
+ hex = ensureBytes$1(hex, 32);
9850
+ const { a, d } = CURVE$1;
9851
+ const emsg = 'RistrettoPoint.fromHex: the hex is not valid encoding of RistrettoPoint';
9852
+ const s = bytes255ToNumberLE(hex);
9853
+ if (!equalBytes$1(numberTo32BytesLE(s), hex) || edIsNegative(s))
9854
+ throw new Error(emsg);
9855
+ const s2 = mod$2(s * s);
9856
+ const u1 = mod$2(_1n$a + a * s2);
9857
+ const u2 = mod$2(_1n$a - a * s2);
9858
+ const u1_2 = mod$2(u1 * u1);
9859
+ const u2_2 = mod$2(u2 * u2);
9860
+ const v = mod$2(a * d * u1_2 - u2_2);
9861
+ const { isValid, value: I } = invertSqrt(mod$2(v * u2_2));
9862
+ const Dx = mod$2(I * u2);
9863
+ const Dy = mod$2(I * Dx * v);
9864
+ let x = mod$2((s + s) * Dx);
9865
+ if (edIsNegative(x))
9866
+ x = mod$2(-x);
9867
+ const y = mod$2(u1 * Dy);
9868
+ const t = mod$2(x * y);
9869
+ if (!isValid || edIsNegative(t) || y === _0n$8)
9870
+ throw new Error(emsg);
9871
+ return new RistrettoPoint(new ExtendedPoint(x, y, _1n$a, t));
9872
+ }
9873
+ toRawBytes() {
9874
+ let { x, y, z, t } = this.ep;
9875
+ const u1 = mod$2(mod$2(z + y) * mod$2(z - y));
9876
+ const u2 = mod$2(x * y);
9877
+ const u2sq = mod$2(u2 * u2);
9878
+ const { value: invsqrt } = invertSqrt(mod$2(u1 * u2sq));
9879
+ const D1 = mod$2(invsqrt * u1);
9880
+ const D2 = mod$2(invsqrt * u2);
9881
+ const zInv = mod$2(D1 * D2 * t);
9882
+ let D;
9883
+ if (edIsNegative(t * zInv)) {
9884
+ let _x = mod$2(y * SQRT_M1);
9885
+ let _y = mod$2(x * SQRT_M1);
9886
+ x = _x;
9887
+ y = _y;
9888
+ D = mod$2(D1 * INVSQRT_A_MINUS_D);
9889
+ }
9890
+ else {
9891
+ D = D2;
9892
+ }
9893
+ if (edIsNegative(x * zInv))
9894
+ y = mod$2(-y);
9895
+ let s = mod$2((z - y) * D);
9896
+ if (edIsNegative(s))
9897
+ s = mod$2(-s);
9898
+ return numberTo32BytesLE(s);
9899
+ }
9900
+ toHex() {
9901
+ return bytesToHex$1(this.toRawBytes());
9902
+ }
9903
+ toString() {
9904
+ return this.toHex();
9905
+ }
9906
+ equals(other) {
9907
+ assertRstPoint(other);
9908
+ const a = this.ep;
9909
+ const b = other.ep;
9910
+ const one = mod$2(a.x * b.y) === mod$2(a.y * b.x);
9911
+ const two = mod$2(a.y * b.y) === mod$2(a.x * b.x);
9912
+ return one || two;
9913
+ }
9914
+ add(other) {
9915
+ assertRstPoint(other);
9916
+ return new RistrettoPoint(this.ep.add(other.ep));
9917
+ }
9918
+ subtract(other) {
9919
+ assertRstPoint(other);
9920
+ return new RistrettoPoint(this.ep.subtract(other.ep));
9921
+ }
9922
+ multiply(scalar) {
9923
+ return new RistrettoPoint(this.ep.multiply(scalar));
9924
+ }
9925
+ multiplyUnsafe(scalar) {
9926
+ return new RistrettoPoint(this.ep.multiplyUnsafe(scalar));
9927
+ }
9928
+ }
9929
+ RistrettoPoint.BASE = new RistrettoPoint(ExtendedPoint.BASE);
9930
+ RistrettoPoint.ZERO = new RistrettoPoint(ExtendedPoint.ZERO);
9931
+ const pointPrecomputes = new WeakMap();
9932
+ class Point {
9933
+ constructor(x, y) {
9934
+ this.x = x;
9935
+ this.y = y;
9936
+ }
9937
+ _setWindowSize(windowSize) {
9938
+ this._WINDOW_SIZE = windowSize;
9939
+ pointPrecomputes.delete(this);
9940
+ }
9941
+ static fromHex(hex, strict = true) {
9942
+ const { d, P } = CURVE$1;
9943
+ hex = ensureBytes$1(hex, 32);
9944
+ const normed = hex.slice();
9945
+ normed[31] = hex[31] & ~0x80;
9946
+ const y = bytesToNumberLE$1(normed);
9947
+ if (strict && y >= P)
9948
+ throw new Error('Expected 0 < hex < P');
9949
+ if (!strict && y >= POW_2_256)
9950
+ throw new Error('Expected 0 < hex < 2**256');
9951
+ const y2 = mod$2(y * y);
9952
+ const u = mod$2(y2 - _1n$a);
9953
+ const v = mod$2(d * y2 + _1n$a);
9954
+ let { isValid, value: x } = uvRatio$1(u, v);
9955
+ if (!isValid)
9956
+ throw new Error('Point.fromHex: invalid y coordinate');
9957
+ const isXOdd = (x & _1n$a) === _1n$a;
9958
+ const isLastByteOdd = (hex[31] & 0x80) !== 0;
9959
+ if (isLastByteOdd !== isXOdd) {
9960
+ x = mod$2(-x);
9961
+ }
9962
+ return new Point(x, y);
9963
+ }
9964
+ static async fromPrivateKey(privateKey) {
9965
+ return (await getExtendedPublicKey(privateKey)).point;
9966
+ }
9967
+ toRawBytes() {
9968
+ const bytes = numberTo32BytesLE(this.y);
9969
+ bytes[31] |= this.x & _1n$a ? 0x80 : 0;
9970
+ return bytes;
9971
+ }
9972
+ toHex() {
9973
+ return bytesToHex$1(this.toRawBytes());
9974
+ }
9975
+ toX25519() {
9976
+ const { y } = this;
9977
+ const u = mod$2((_1n$a + y) * invert$1(_1n$a - y));
9978
+ return numberTo32BytesLE(u);
9979
+ }
9980
+ isTorsionFree() {
9981
+ return ExtendedPoint.fromAffine(this).isTorsionFree();
9982
+ }
9983
+ equals(other) {
9984
+ return this.x === other.x && this.y === other.y;
9985
+ }
9986
+ negate() {
9987
+ return new Point(mod$2(-this.x), this.y);
9988
+ }
9989
+ add(other) {
9990
+ return ExtendedPoint.fromAffine(this).add(ExtendedPoint.fromAffine(other)).toAffine();
9991
+ }
9992
+ subtract(other) {
9993
+ return this.add(other.negate());
9994
+ }
9995
+ multiply(scalar) {
9996
+ return ExtendedPoint.fromAffine(this).multiply(scalar, this).toAffine();
9997
+ }
9998
+ }
9999
+ Point.BASE = new Point(CURVE$1.Gx, CURVE$1.Gy);
10000
+ Point.ZERO = new Point(_0n$8, _1n$a);
10001
+ let Signature$1 = class Signature {
10002
+ constructor(r, s) {
10003
+ this.r = r;
10004
+ this.s = s;
10005
+ this.assertValidity();
10006
+ }
10007
+ static fromHex(hex) {
10008
+ const bytes = ensureBytes$1(hex, 64);
10009
+ const r = Point.fromHex(bytes.slice(0, 32), false);
10010
+ const s = bytesToNumberLE$1(bytes.slice(32, 64));
10011
+ return new Signature(r, s);
10012
+ }
10013
+ assertValidity() {
10014
+ const { r, s } = this;
10015
+ if (!(r instanceof Point))
10016
+ throw new Error('Expected Point instance');
10017
+ normalizeScalar(s, CURVE$1.l, false);
10018
+ return this;
10019
+ }
10020
+ toRawBytes() {
10021
+ const u8 = new Uint8Array(64);
10022
+ u8.set(this.r.toRawBytes());
10023
+ u8.set(numberTo32BytesLE(this.s), 32);
10024
+ return u8;
10025
+ }
10026
+ toHex() {
10027
+ return bytesToHex$1(this.toRawBytes());
10028
+ }
10029
+ };
10030
+ function concatBytes$2(...arrays) {
10031
+ if (!arrays.every((a) => a instanceof Uint8Array))
10032
+ throw new Error('Expected Uint8Array list');
10033
+ if (arrays.length === 1)
10034
+ return arrays[0];
10035
+ const length = arrays.reduce((a, arr) => a + arr.length, 0);
10036
+ const result = new Uint8Array(length);
10037
+ for (let i = 0, pad = 0; i < arrays.length; i++) {
10038
+ const arr = arrays[i];
10039
+ result.set(arr, pad);
10040
+ pad += arr.length;
10041
+ }
10042
+ return result;
10043
+ }
10044
+ const hexes$1 = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, '0'));
10045
+ function bytesToHex$1(uint8a) {
10046
+ if (!(uint8a instanceof Uint8Array))
10047
+ throw new Error('Uint8Array expected');
10048
+ let hex = '';
10049
+ for (let i = 0; i < uint8a.length; i++) {
10050
+ hex += hexes$1[uint8a[i]];
10051
+ }
10052
+ return hex;
10053
+ }
10054
+ function hexToBytes$1(hex) {
10055
+ if (typeof hex !== 'string') {
10056
+ throw new TypeError('hexToBytes: expected string, got ' + typeof hex);
10057
+ }
10058
+ if (hex.length % 2)
10059
+ throw new Error('hexToBytes: received invalid unpadded hex');
10060
+ const array = new Uint8Array(hex.length / 2);
10061
+ for (let i = 0; i < array.length; i++) {
10062
+ const j = i * 2;
10063
+ const hexByte = hex.slice(j, j + 2);
10064
+ const byte = Number.parseInt(hexByte, 16);
10065
+ if (Number.isNaN(byte) || byte < 0)
10066
+ throw new Error('Invalid byte sequence');
10067
+ array[i] = byte;
10068
+ }
10069
+ return array;
10070
+ }
10071
+ function numberTo32BytesBE(num) {
10072
+ const length = 32;
10073
+ const hex = num.toString(16).padStart(length * 2, '0');
10074
+ return hexToBytes$1(hex);
10075
+ }
10076
+ function numberTo32BytesLE(num) {
10077
+ return numberTo32BytesBE(num).reverse();
10078
+ }
10079
+ function edIsNegative(num) {
10080
+ return (mod$2(num) & _1n$a) === _1n$a;
10081
+ }
10082
+ function bytesToNumberLE$1(uint8a) {
10083
+ if (!(uint8a instanceof Uint8Array))
10084
+ throw new Error('Expected Uint8Array');
10085
+ return BigInt('0x' + bytesToHex$1(Uint8Array.from(uint8a).reverse()));
10086
+ }
10087
+ const MAX_255B = BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
10088
+ function bytes255ToNumberLE(bytes) {
10089
+ return mod$2(bytesToNumberLE$1(bytes) & MAX_255B);
10090
+ }
10091
+ function mod$2(a, b = CURVE$1.P) {
10092
+ const res = a % b;
10093
+ return res >= _0n$8 ? res : b + res;
10094
+ }
10095
+ function invert$1(number, modulo = CURVE$1.P) {
10096
+ if (number === _0n$8 || modulo <= _0n$8) {
10097
+ throw new Error(`invert: expected positive integers, got n=${number} mod=${modulo}`);
10098
+ }
10099
+ let a = mod$2(number, modulo);
10100
+ let b = modulo;
10101
+ let x = _0n$8, u = _1n$a;
10102
+ while (a !== _0n$8) {
10103
+ const q = b / a;
10104
+ const r = b % a;
10105
+ const m = x - u * q;
10106
+ b = a, a = r, x = u, u = m;
10107
+ }
10108
+ const gcd = b;
10109
+ if (gcd !== _1n$a)
10110
+ throw new Error('invert: does not exist');
10111
+ return mod$2(x, modulo);
10112
+ }
10113
+ function invertBatch(nums, p = CURVE$1.P) {
10114
+ const tmp = new Array(nums.length);
10115
+ const lastMultiplied = nums.reduce((acc, num, i) => {
10116
+ if (num === _0n$8)
10117
+ return acc;
10118
+ tmp[i] = acc;
10119
+ return mod$2(acc * num, p);
10120
+ }, _1n$a);
10121
+ const inverted = invert$1(lastMultiplied, p);
10122
+ nums.reduceRight((acc, num, i) => {
10123
+ if (num === _0n$8)
10124
+ return acc;
10125
+ tmp[i] = mod$2(acc * tmp[i], p);
10126
+ return mod$2(acc * num, p);
10127
+ }, inverted);
10128
+ return tmp;
10129
+ }
10130
+ function pow2$1(x, power) {
10131
+ const { P } = CURVE$1;
10132
+ let res = x;
10133
+ while (power-- > _0n$8) {
10134
+ res *= res;
10135
+ res %= P;
10136
+ }
10137
+ return res;
10138
+ }
10139
+ function pow_2_252_3(x) {
10140
+ const { P } = CURVE$1;
10141
+ const _5n = BigInt(5);
10142
+ const _10n = BigInt(10);
10143
+ const _20n = BigInt(20);
10144
+ const _40n = BigInt(40);
10145
+ const _80n = BigInt(80);
10146
+ const x2 = (x * x) % P;
10147
+ const b2 = (x2 * x) % P;
10148
+ const b4 = (pow2$1(b2, _2n$6) * b2) % P;
10149
+ const b5 = (pow2$1(b4, _1n$a) * x) % P;
10150
+ const b10 = (pow2$1(b5, _5n) * b5) % P;
10151
+ const b20 = (pow2$1(b10, _10n) * b10) % P;
10152
+ const b40 = (pow2$1(b20, _20n) * b20) % P;
10153
+ const b80 = (pow2$1(b40, _40n) * b40) % P;
10154
+ const b160 = (pow2$1(b80, _80n) * b80) % P;
10155
+ const b240 = (pow2$1(b160, _80n) * b80) % P;
10156
+ const b250 = (pow2$1(b240, _10n) * b10) % P;
10157
+ const pow_p_5_8 = (pow2$1(b250, _2n$6) * x) % P;
10158
+ return { pow_p_5_8, b2 };
10159
+ }
10160
+ function uvRatio$1(u, v) {
10161
+ const v3 = mod$2(v * v * v);
10162
+ const v7 = mod$2(v3 * v3 * v);
10163
+ const pow = pow_2_252_3(u * v7).pow_p_5_8;
10164
+ let x = mod$2(u * v3 * pow);
10165
+ const vx2 = mod$2(v * x * x);
10166
+ const root1 = x;
10167
+ const root2 = mod$2(x * SQRT_M1);
10168
+ const useRoot1 = vx2 === u;
10169
+ const useRoot2 = vx2 === mod$2(-u);
10170
+ const noRoot = vx2 === mod$2(-u * SQRT_M1);
10171
+ if (useRoot1)
10172
+ x = root1;
10173
+ if (useRoot2 || noRoot)
10174
+ x = root2;
10175
+ if (edIsNegative(x))
10176
+ x = mod$2(-x);
10177
+ return { isValid: useRoot1 || useRoot2, value: x };
10178
+ }
10179
+ function invertSqrt(number) {
10180
+ return uvRatio$1(_1n$a, number);
10181
+ }
10182
+ function modlLE(hash) {
10183
+ return mod$2(bytesToNumberLE$1(hash), CURVE$1.l);
10184
+ }
10185
+ function equalBytes$1(b1, b2) {
10186
+ if (b1.length !== b2.length) {
10187
+ return false;
10188
+ }
10189
+ for (let i = 0; i < b1.length; i++) {
10190
+ if (b1[i] !== b2[i]) {
10191
+ return false;
10192
+ }
10193
+ }
10194
+ return true;
10195
+ }
10196
+ function ensureBytes$1(hex, expectedLength) {
10197
+ const bytes = hex instanceof Uint8Array ? Uint8Array.from(hex) : hexToBytes$1(hex);
10198
+ if (typeof expectedLength === 'number' && bytes.length !== expectedLength)
10199
+ throw new Error(`Expected ${expectedLength} bytes`);
10200
+ return bytes;
10201
+ }
10202
+ function normalizeScalar(num, max, strict = true) {
10203
+ if (!max)
10204
+ throw new TypeError('Specify max value');
10205
+ if (typeof num === 'number' && Number.isSafeInteger(num))
10206
+ num = BigInt(num);
10207
+ if (typeof num === 'bigint' && num < max) {
10208
+ if (strict) {
10209
+ if (_0n$8 < num)
10210
+ return num;
10211
+ }
10212
+ else {
10213
+ if (_0n$8 <= num)
10214
+ return num;
10215
+ }
10216
+ }
10217
+ throw new TypeError('Expected valid scalar: 0 < scalar < max');
10218
+ }
10219
+ function adjustBytes25519(bytes) {
10220
+ bytes[0] &= 248;
10221
+ bytes[31] &= 127;
10222
+ bytes[31] |= 64;
10223
+ return bytes;
10224
+ }
10225
+ function checkPrivateKey(key) {
10226
+ key =
10227
+ typeof key === 'bigint' || typeof key === 'number'
10228
+ ? numberTo32BytesBE(normalizeScalar(key, POW_2_256))
10229
+ : ensureBytes$1(key);
10230
+ if (key.length !== 32)
10231
+ throw new Error(`Expected 32 bytes`);
10232
+ return key;
10233
+ }
10234
+ function getKeyFromHash(hashed) {
10235
+ const head = adjustBytes25519(hashed.slice(0, 32));
10236
+ const prefix = hashed.slice(32, 64);
10237
+ const scalar = modlLE(head);
10238
+ const point = Point.BASE.multiply(scalar);
10239
+ const pointBytes = point.toRawBytes();
10240
+ return { head, prefix, scalar, point, pointBytes };
10241
+ }
10242
+ let _sha512Sync;
10243
+ async function getExtendedPublicKey(key) {
10244
+ return getKeyFromHash(await utils.sha512(checkPrivateKey(key)));
10245
+ }
10246
+ function prepareVerification(sig, message, publicKey) {
10247
+ message = ensureBytes$1(message);
10248
+ if (!(publicKey instanceof Point))
10249
+ publicKey = Point.fromHex(publicKey, false);
10250
+ const { r, s } = sig instanceof Signature$1 ? sig.assertValidity() : Signature$1.fromHex(sig);
10251
+ const SB = ExtendedPoint.BASE.multiplyUnsafe(s);
10252
+ return { r, s, SB, pub: publicKey, msg: message };
10253
+ }
10254
+ function finishVerification(publicKey, r, SB, hashed) {
10255
+ const k = modlLE(hashed);
10256
+ const kA = ExtendedPoint.fromAffine(publicKey).multiplyUnsafe(k);
10257
+ const RkA = ExtendedPoint.fromAffine(r).add(kA);
10258
+ return RkA.subtract(SB).multiplyUnsafe(CURVE$1.h).equals(ExtendedPoint.ZERO);
10259
+ }
10260
+ async function verify$6(sig, message, publicKey) {
10261
+ const { r, SB, msg, pub } = prepareVerification(sig, message, publicKey);
10262
+ const hashed = await utils.sha512(r.toRawBytes(), pub.toRawBytes(), msg);
10263
+ return finishVerification(pub, r, SB, hashed);
10264
+ }
10265
+ Point.BASE._setWindowSize(8);
10266
+ const crypto$3 = {
10267
+ node: nodeCrypto$2,
10268
+ web: typeof self === 'object' && 'crypto' in self ? self.crypto : undefined,
10269
+ };
10270
+ const utils = {
10271
+ bytesToHex: bytesToHex$1,
10272
+ hexToBytes: hexToBytes$1,
10273
+ concatBytes: concatBytes$2,
10274
+ getExtendedPublicKey,
10275
+ mod: mod$2,
10276
+ invert: invert$1,
10277
+ TORSION_SUBGROUP: [
10278
+ '0100000000000000000000000000000000000000000000000000000000000000',
10279
+ 'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a',
10280
+ '0000000000000000000000000000000000000000000000000000000000000080',
10281
+ '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05',
10282
+ 'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
10283
+ '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85',
10284
+ '0000000000000000000000000000000000000000000000000000000000000000',
10285
+ 'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
10286
+ ],
10287
+ hashToPrivateScalar: (hash) => {
10288
+ hash = ensureBytes$1(hash);
10289
+ if (hash.length < 40 || hash.length > 1024)
10290
+ throw new Error('Expected 40-1024 bytes of private key as per FIPS 186');
10291
+ return mod$2(bytesToNumberLE$1(hash), CURVE$1.l - _1n$a) + _1n$a;
10292
+ },
10293
+ randomBytes: (bytesLength = 32) => {
10294
+ if (crypto$3.web) {
10295
+ return crypto$3.web.getRandomValues(new Uint8Array(bytesLength));
10296
+ }
10297
+ else {
10298
+ throw new Error("The environment doesn't have randomBytes function");
10299
+ }
10300
+ },
10301
+ randomPrivateKey: () => {
10302
+ return utils.randomBytes(32);
10303
+ },
10304
+ sha512: async (...messages) => {
10305
+ const message = concatBytes$2(...messages);
10306
+ if (crypto$3.web) {
10307
+ const buffer = await crypto$3.web.subtle.digest('SHA-512', message.buffer);
10308
+ return new Uint8Array(buffer);
10309
+ }
10310
+ else {
10311
+ throw new Error("The environment doesn't have sha512 function");
10312
+ }
10313
+ },
10314
+ precompute(windowSize = 8, point = Point.BASE) {
10315
+ const cached = point.equals(Point.BASE) ? point : new Point(point.x, point.y);
10316
+ cached._setWindowSize(windowSize);
10317
+ cached.multiply(_2n$6);
10318
+ return cached;
10319
+ },
10320
+ sha512Sync: undefined,
10321
+ };
10322
+ Object.defineProperties(utils, {
10323
+ sha512Sync: {
10324
+ configurable: false,
10325
+ get() {
10326
+ return _sha512Sync;
10327
+ },
10328
+ set(val) {
10329
+ if (!_sha512Sync)
10330
+ _sha512Sync = val;
10331
+ },
10332
+ },
9532
10333
  });
9533
10334
 
9534
10335
  // OpenPGP.js - An OpenPGP implementation in javascript
@@ -9564,6 +10365,8 @@ var openpgp = (function (exports) {
9564
10365
  * @async
9565
10366
  */
9566
10367
  async function sign$5(oid, hashAlgo, message, publicKey, privateKey, hashed) {
10368
+ const curve = new CurveWithOID(oid);
10369
+ checkPublicPointEnconding(curve, publicKey);
9567
10370
  if (hash$1.getHashByteLength(hashAlgo) < hash$1.getHashByteLength(enums.hash.sha256)) {
9568
10371
  // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
9569
10372
  throw new Error('Hash algorithm too weak for EdDSA.');
@@ -9590,11 +10393,13 @@ var openpgp = (function (exports) {
9590
10393
  * @async
9591
10394
  */
9592
10395
  async function verify$5(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
10396
+ const curve = new CurveWithOID(oid);
10397
+ checkPublicPointEnconding(curve, publicKey);
9593
10398
  if (hash$1.getHashByteLength(hashAlgo) < hash$1.getHashByteLength(enums.hash.sha256)) {
9594
10399
  throw new Error('Hash algorithm too weak for EdDSA.');
9595
10400
  }
9596
10401
  const signature = util.concatUint8Array([r, s]);
9597
- return nacl.sign.detached.verify(hashed, signature, publicKey.subarray(1));
10402
+ return verify$6(signature, hashed, publicKey.subarray(1));
9598
10403
  }
9599
10404
  /**
9600
10405
  * Validate legacy EdDSA parameters
@@ -9720,7 +10525,7 @@ var openpgp = (function (exports) {
9720
10525
  }
9721
10526
  switch (algo) {
9722
10527
  case enums.publicKey.ed25519:
9723
- return nacl.sign.detached.verify(hashed, RS, publicKey);
10528
+ return verify$6(RS, hashed, publicKey);
9724
10529
  case enums.publicKey.ed448: {
9725
10530
  const ed448 = await util.getNobleCurve(enums.publicKey.ed448);
9726
10531
  return ed448.verify(RS, hashed, publicKey);
@@ -10084,7 +10889,7 @@ var openpgp = (function (exports) {
10084
10889
  new Uint8Array([public_algo]),
10085
10890
  kdfParams.write(true),
10086
10891
  util.stringToUint8Array('Anonymous Sender '),
10087
- kdfParams.replacementFingerprint || fingerprint.subarray(0, 20)
10892
+ kdfParams.replacementFingerprint || fingerprint
10088
10893
  ]);
10089
10894
  }
10090
10895
 
@@ -10126,7 +10931,7 @@ var openpgp = (function (exports) {
10126
10931
  const d = getRandomBytes(32);
10127
10932
  const { secretKey, sharedKey } = await genPrivateEphemeralKey(curve, Q, null, d);
10128
10933
  let { publicKey } = nacl.box.keyPair.fromSecretKey(secretKey);
10129
- publicKey = util.concatUint8Array([new Uint8Array([0x40]), publicKey]);
10934
+ publicKey = util.concatUint8Array([new Uint8Array([curve.wireFormatLeadingByte]), publicKey]);
10130
10935
  return { publicKey, sharedKey }; // Note: sharedKey is little-endian here, unlike below
10131
10936
  }
10132
10937
  case 'web':
@@ -10154,7 +10959,7 @@ var openpgp = (function (exports) {
10154
10959
  * @param {module:type/kdf_params} kdfParams - KDF params including cipher and algorithm to use
10155
10960
  * @param {Uint8Array} data - Unpadded session key data
10156
10961
  * @param {Uint8Array} Q - Recipient public key
10157
- * @param {Uint8Array} fingerprint - Recipient fingerprint
10962
+ * @param {Uint8Array} fingerprint - Recipient fingerprint, already truncated depending on the key version
10158
10963
  * @returns {Promise<{publicKey: Uint8Array, wrappedKey: Uint8Array}>}
10159
10964
  * @async
10160
10965
  */
@@ -10162,6 +10967,7 @@ var openpgp = (function (exports) {
10162
10967
  const m = encode(data);
10163
10968
 
10164
10969
  const curve = new CurveWithOID(oid);
10970
+ checkPublicPointEnconding(curve, Q);
10165
10971
  const { publicKey, sharedKey } = await genPublicEphemeralKey(curve, Q);
10166
10972
  const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
10167
10973
  const { keySize } = getCipherParams(kdfParams.cipher);
@@ -10218,12 +11024,14 @@ var openpgp = (function (exports) {
10218
11024
  * @param {Uint8Array} C - Encrypted and wrapped value derived from session key
10219
11025
  * @param {Uint8Array} Q - Recipient public key
10220
11026
  * @param {Uint8Array} d - Recipient private key
10221
- * @param {Uint8Array} fingerprint - Recipient fingerprint
11027
+ * @param {Uint8Array} fingerprint - Recipient fingerprint, already truncated depending on the key version
10222
11028
  * @returns {Promise<Uint8Array>} Value derived from session key.
10223
11029
  * @async
10224
11030
  */
10225
11031
  async function decrypt$2(oid, kdfParams, V, C, Q, d, fingerprint) {
10226
11032
  const curve = new CurveWithOID(oid);
11033
+ checkPublicPointEnconding(curve, Q);
11034
+ checkPublicPointEnconding(curve, V);
10227
11035
  const { sharedKey } = await genPrivateEphemeralKey(curve, V, Q, d);
10228
11036
  const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
10229
11037
  const { keySize } = getCipherParams(kdfParams.cipher);
@@ -10355,7 +11163,7 @@ var openpgp = (function (exports) {
10355
11163
  );
10356
11164
  [s, p] = await Promise.all([s, p]);
10357
11165
  const sharedKey = new Uint8Array(s);
10358
- const publicKey = new Uint8Array(jwkToRawPublic(p));
11166
+ const publicKey = new Uint8Array(jwkToRawPublic(p, curve.wireFormatLeadingByte));
10359
11167
  return { publicKey, sharedKey };
10360
11168
  }
10361
11169
 
@@ -10678,14 +11486,14 @@ var openpgp = (function (exports) {
10678
11486
  let r;
10679
11487
  let s;
10680
11488
  let t;
10681
- g = mod$2(g, p);
10682
- x = mod$2(x, q);
11489
+ g = mod$3(g, p);
11490
+ x = mod$3(x, q);
10683
11491
  // If the output size of the chosen hash is larger than the number of
10684
11492
  // bits of q, the hash result is truncated to fit by taking the number
10685
11493
  // of leftmost bits equal to the number of bits of q. This (possibly
10686
11494
  // truncated) hash function result is treated as a number and used
10687
11495
  // directly in the DSA signature algorithm.
10688
- const h = mod$2(uint8ArrayToBigInt(hashed.subarray(0, byteLength(q))), q);
11496
+ const h = mod$3(uint8ArrayToBigInt(hashed.subarray(0, byteLength(q))), q);
10689
11497
  // FIPS-186-4, section 4.6:
10690
11498
  // The values of r and s shall be checked to determine if r = 0 or s = 0.
10691
11499
  // If either r = 0 or s = 0, a new value of k shall be generated, and the
@@ -10694,13 +11502,13 @@ var openpgp = (function (exports) {
10694
11502
  while (true) {
10695
11503
  // See Appendix B here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
10696
11504
  k = getRandomBigInteger(_1n$9, q); // returns in [1, q-1]
10697
- r = mod$2(modExp(g, k, p), q); // (g**k mod p) mod q
11505
+ r = mod$3(modExp(g, k, p), q); // (g**k mod p) mod q
10698
11506
  if (r === _0n) {
10699
11507
  continue;
10700
11508
  }
10701
- const xr = mod$2(x * r, q);
10702
- t = mod$2(h + xr, q); // H(m) + x*r mod q
10703
- s = mod$2(modInv(k, q) * t, q); // k**-1 * (H(m) + x*r) mod q
11509
+ const xr = mod$3(x * r, q);
11510
+ t = mod$3(h + xr, q); // H(m) + x*r mod q
11511
+ s = mod$3(modInv(k, q) * t, q); // k**-1 * (H(m) + x*r) mod q
10704
11512
  if (s === _0n) {
10705
11513
  continue;
10706
11514
  }
@@ -10739,20 +11547,20 @@ var openpgp = (function (exports) {
10739
11547
  util.printDebug('invalid DSA Signature');
10740
11548
  return false;
10741
11549
  }
10742
- const h = mod$2(uint8ArrayToBigInt(hashed.subarray(0, byteLength(q))), q);
11550
+ const h = mod$3(uint8ArrayToBigInt(hashed.subarray(0, byteLength(q))), q);
10743
11551
  const w = modInv(s, q); // s**-1 mod q
10744
11552
  if (w === _0n$7) {
10745
11553
  util.printDebug('invalid DSA Signature');
10746
11554
  return false;
10747
11555
  }
10748
11556
 
10749
- g = mod$2(g, p);
10750
- y = mod$2(y, p);
10751
- const u1 = mod$2(h * w, q); // H(m) * w mod q
10752
- const u2 = mod$2(r * w, q); // r * w mod q
11557
+ g = mod$3(g, p);
11558
+ y = mod$3(y, p);
11559
+ const u1 = mod$3(h * w, q); // H(m) * w mod q
11560
+ const u2 = mod$3(r * w, q); // r * w mod q
10753
11561
  const t1 = modExp(g, u1, p); // g**u1 mod p
10754
11562
  const t2 = modExp(y, u2, p); // y**u2 mod p
10755
- const v = mod$2(mod$2(t1 * t2, p), q); // (g**u1 * y**u2 mod p) mod q
11563
+ const v = mod$3(mod$3(t1 * t2, p), q); // (g**u1 * y**u2 mod p) mod q
10756
11564
  return v === r;
10757
11565
  }
10758
11566
 
@@ -10779,7 +11587,7 @@ var openpgp = (function (exports) {
10779
11587
  /**
10780
11588
  * Check that subgroup order q divides p-1
10781
11589
  */
10782
- if (mod$2(p - _1n$9, q) !== _0n$7) {
11590
+ if (mod$3(p - _1n$9, q) !== _0n$7) {
10783
11591
  return false;
10784
11592
  }
10785
11593
 
@@ -11576,6 +12384,9 @@ var openpgp = (function (exports) {
11576
12384
  case enums.publicKey.eddsaLegacy: {
11577
12385
  const oid = new OID(); read += oid.read(bytes);
11578
12386
  checkSupportedCurve(oid);
12387
+ if (oid.getName() !== enums.curve.ed25519Legacy) {
12388
+ throw new Error('Unexpected OID for eddsaLegacy');
12389
+ }
11579
12390
  let Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
11580
12391
  Q = util.leftPad(Q, 33);
11581
12392
  return { read: read, publicParams: { oid, Q } };
@@ -11639,6 +12450,9 @@ var openpgp = (function (exports) {
11639
12450
  }
11640
12451
  case enums.publicKey.eddsaLegacy: {
11641
12452
  const payloadSize = getCurvePayloadSize(algo, publicParams.oid);
12453
+ if (publicParams.oid.getName() !== enums.curve.ed25519Legacy) {
12454
+ throw new Error('Unexpected OID for eddsaLegacy');
12455
+ }
11642
12456
  let seed = util.readMPI(bytes.subarray(read)); read += seed.length + 2;
11643
12457
  seed = util.leftPad(seed, payloadSize);
11644
12458
  return { read, privateParams: { seed } };
@@ -14469,6 +15283,7 @@ var openpgp = (function (exports) {
14469
15283
 
14470
15284
  this.signatureData = null;
14471
15285
  this.unhashedSubpackets = [];
15286
+ this.unknownSubpackets = [];
14472
15287
  this.signedHashValue = null;
14473
15288
  this.salt = null;
14474
15289
 
@@ -14518,9 +15333,12 @@ var openpgp = (function (exports) {
14518
15333
  * @param {String} bytes - Payload of a tag 2 packet
14519
15334
  * @returns {SignaturePacket} Object representation.
14520
15335
  */
14521
- read(bytes) {
15336
+ read(bytes, config$1 = config) {
14522
15337
  let i = 0;
14523
15338
  this.version = bytes[i++];
15339
+ if (this.version === 5 && !config$1.enableParsingV5Entities) {
15340
+ throw new UnsupportedError('Support for v5 entities is disabled; turn on `config.enableParsingV5Entities` if needed');
15341
+ }
14524
15342
 
14525
15343
  if (this.version !== 4 && this.version !== 5 && this.version !== 6) {
14526
15344
  throw new UnsupportedError(`Version ${this.version} of the signature packet is unsupported.`);
@@ -14797,10 +15615,8 @@ var openpgp = (function (exports) {
14797
15615
  * @returns {Uint8Array} Subpacket data.
14798
15616
  */
14799
15617
  writeUnhashedSubPackets() {
14800
- const arr = [];
14801
- this.unhashedSubpackets.forEach(data => {
14802
- arr.push(writeSimpleLength(data.length));
14803
- arr.push(data);
15618
+ const arr = this.unhashedSubpackets.map(({ type, critical, body }) => {
15619
+ return writeSubPacket(type, critical, body);
14804
15620
  });
14805
15621
 
14806
15622
  const result = util.concat(arr);
@@ -14809,7 +15625,7 @@ var openpgp = (function (exports) {
14809
15625
  return util.concat([length, result]);
14810
15626
  }
14811
15627
 
14812
- // V4 signature sub packets
15628
+ // Signature subpackets
14813
15629
  readSubPacket(bytes, hashed = true) {
14814
15630
  let mypos = 0;
14815
15631
 
@@ -14817,15 +15633,19 @@ var openpgp = (function (exports) {
14817
15633
  const critical = !!(bytes[mypos] & 0x80);
14818
15634
  const type = bytes[mypos] & 0x7F;
14819
15635
 
15636
+ mypos++;
15637
+
14820
15638
  if (!hashed) {
14821
- this.unhashedSubpackets.push(bytes.subarray(mypos, bytes.length));
15639
+ this.unhashedSubpackets.push({
15640
+ type,
15641
+ critical,
15642
+ body: bytes.subarray(mypos, bytes.length)
15643
+ });
14822
15644
  if (!allowedUnhashedSubpackets.has(type)) {
14823
15645
  return;
14824
15646
  }
14825
15647
  }
14826
15648
 
14827
- mypos++;
14828
-
14829
15649
  // subpacket type
14830
15650
  switch (type) {
14831
15651
  case enums.signatureSubpacket.signatureCreationTime:
@@ -14997,14 +15817,13 @@ var openpgp = (function (exports) {
14997
15817
  this.preferredCipherSuites.push([bytes[i], bytes[i + 1]]);
14998
15818
  }
14999
15819
  break;
15000
- default: {
15001
- const err = new Error(`Unknown signature subpacket type ${type}`);
15002
- if (critical) {
15003
- throw err;
15004
- } else {
15005
- util.printDebug(err);
15006
- }
15007
- }
15820
+ default:
15821
+ this.unknownSubpackets.push({
15822
+ type,
15823
+ critical,
15824
+ body: bytes.subarray(mypos, bytes.length)
15825
+ });
15826
+ break;
15008
15827
  }
15009
15828
  }
15010
15829
 
@@ -15204,6 +16023,11 @@ var openpgp = (function (exports) {
15204
16023
  [enums.signature.binary, enums.signature.text].includes(this.signatureType)) {
15205
16024
  throw new Error('Insecure message hash algorithm: ' + enums.read(enums.hash, this.hashAlgorithm).toUpperCase());
15206
16025
  }
16026
+ this.unknownSubpackets.forEach(({ type, critical }) => {
16027
+ if (critical) {
16028
+ throw new Error(`Unknown critical signature subpacket type ${type}`);
16029
+ }
16030
+ });
15207
16031
  this.rawNotations.forEach(({ name, critical }) => {
15208
16032
  if (critical && (config$1.knownNotations.indexOf(name) < 0)) {
15209
16033
  throw new Error(`Unknown critical notation: ${name}`);
@@ -16503,10 +17327,11 @@ var openpgp = (function (exports) {
16503
17327
  // No symmetric encryption algorithm identifier is passed to the public-key algorithm for a
16504
17328
  // v6 PKESK packet, as it is included in the v2 SEIPD packet.
16505
17329
  const sessionKeyAlgorithm = this.version === 3 ? this.sessionKeyAlgorithm : null;
17330
+ const fingerprint = key.version === 5 ? key.getFingerprintBytes().subarray(0, 20) : key.getFingerprintBytes();
16506
17331
  const encoded = encodeSessionKey(this.version, algo, sessionKeyAlgorithm, this.sessionKey);
16507
17332
  const privateParams = algo === enums.publicKey.aead ? key.privateParams : null;
16508
17333
  this.encrypted = await mod$1.publicKeyEncrypt(
16509
- algo, sessionKeyAlgorithm, key.publicParams, privateParams, encoded, key.getFingerprintBytes());
17334
+ algo, sessionKeyAlgorithm, key.publicParams, privateParams, encoded, fingerprint);
16510
17335
  }
16511
17336
 
16512
17337
  /**
@@ -16526,7 +17351,8 @@ var openpgp = (function (exports) {
16526
17351
  const randomPayload = randomSessionKey ?
16527
17352
  encodeSessionKey(this.version, this.publicKeyAlgorithm, randomSessionKey.sessionKeyAlgorithm, randomSessionKey.sessionKey) :
16528
17353
  null;
16529
- const decryptedData = await mod$1.publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, key.getFingerprintBytes(), randomPayload);
17354
+ const fingerprint = key.version === 5 ? key.getFingerprintBytes().subarray(0, 20) : key.getFingerprintBytes();
17355
+ const decryptedData = await mod$1.publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, fingerprint, randomPayload);
16530
17356
 
16531
17357
  const { sessionKey, sessionKeyAlgorithm } = decodeSessionKey(this.version, this.publicKeyAlgorithm, decryptedData, randomSessionKey);
16532
17358
 
@@ -16931,10 +17757,13 @@ var openpgp = (function (exports) {
16931
17757
  * @returns {Object} This object with attributes set by the parser
16932
17758
  * @async
16933
17759
  */
16934
- async read(bytes) {
17760
+ async read(bytes, config$1 = config) {
16935
17761
  let pos = 0;
16936
17762
  // A one-octet version number (4, 5 or 6).
16937
17763
  this.version = bytes[pos++];
17764
+ if (this.version === 5 && !config$1.enableParsingV5Entities) {
17765
+ throw new UnsupportedError('Support for parsing v5 entities is disabled; turn on `config.enableParsingV5Entities` if needed');
17766
+ }
16938
17767
 
16939
17768
  if (this.version === 4 || this.version === 5 || this.version === 6) {
16940
17769
  // - A four-octet number denoting the time that the key was created.
@@ -17526,7 +18355,7 @@ var openpgp = (function (exports) {
17526
18355
  */
17527
18356
  async read(bytes, config$1 = config) {
17528
18357
  // - A Public-Key or Public-Subkey packet, as described above.
17529
- let i = await this.readPublicKey(bytes);
18358
+ let i = await this.readPublicKey(bytes, config$1);
17530
18359
  const startOfSecretKeyData = i;
17531
18360
 
17532
18361
  // - One octet indicating string-to-key usage conventions. Zero
@@ -17816,13 +18645,13 @@ var openpgp = (function (exports) {
17816
18645
 
17817
18646
  if (config$1.aeadProtect) {
17818
18647
  this.s2kUsage = 253;
17819
- this.aead = enums.aead.eax;
18648
+ this.aead = config$1.preferredAEADAlgorithm;
17820
18649
  const mode = mod$1.getAEADMode(this.aead);
17821
18650
  this.isLegacyAEAD = this.version === 5; // v4 is always re-encrypted with standard format instead.
17822
18651
  this.usedModernAEAD = !this.isLegacyAEAD; // legacy AEAD does not guarantee integrity of public key material
17823
18652
 
17824
18653
  const serializedPacketTag = writeTag(this.constructor.tag);
17825
- const key = await produceEncryptionKey(this.version, this.s2k, passphrase, this.symmetric, this.aead, serializedPacketTag);
18654
+ const key = await produceEncryptionKey(this.version, this.s2k, passphrase, this.symmetric, this.aead, serializedPacketTag, this.isLegacyAEAD);
17826
18655
 
17827
18656
  const modeInstance = await mode(this.symmetric, key);
17828
18657
  this.iv = this.isLegacyAEAD ? mod$1.random.getRandomBytes(blockSize) : mod$1.random.getRandomBytes(mode.ivLength);
@@ -17992,6 +18821,12 @@ var openpgp = (function (exports) {
17992
18821
  * @returns encryption key
17993
18822
  */
17994
18823
  async function produceEncryptionKey(keyVersion, s2k, passphrase, cipherAlgo, aeadMode, serializedPacketTag, isLegacyAEAD) {
18824
+ if (s2k.type === 'argon2' && !aeadMode) {
18825
+ throw new Error('Using Argon2 S2K without AEAD is not allowed');
18826
+ }
18827
+ if (s2k.type === 'simple' && keyVersion === 6) {
18828
+ throw new Error('Using Simple S2K with version 6 keys is not allowed');
18829
+ }
17995
18830
  const { keySize } = mod$1.getCipherParams(cipherAlgo);
17996
18831
  const derivedKey = await s2k.produceKey(passphrase, keySize);
17997
18832
  if (!aeadMode || keyVersion === 5 || isLegacyAEAD) {
@@ -18370,6 +19205,8 @@ var openpgp = (function (exports) {
18370
19205
  * Returns the valid and non-expired signature that has the latest creation date, while ignoring signatures created in the future.
18371
19206
  * @param {Array<SignaturePacket>} signatures - List of signatures
18372
19207
  * @param {PublicKeyPacket|PublicSubkeyPacket} publicKey - Public key packet to verify the signature
19208
+ * @param {module:enums.signature} signatureType - Signature type to determine how to hash the data (NB: for userID signatures,
19209
+ * `enums.signatures.certGeneric` should be given regardless of the actual trust level)
18373
19210
  * @param {Date} date - Use the given date instead of the current time
18374
19211
  * @param {Object} config - full configuration
18375
19212
  * @returns {Promise<SignaturePacket>} The latest valid signature.
@@ -18618,8 +19455,14 @@ var openpgp = (function (exports) {
18618
19455
  // `verifyAllCertifications`.)
18619
19456
  !signature || revocationSignature.issuerKeyID.equals(signature.issuerKeyID)
18620
19457
  ) {
19458
+ const isHardRevocation = ![
19459
+ enums.reasonForRevocation.keyRetired,
19460
+ enums.reasonForRevocation.keySuperseded,
19461
+ enums.reasonForRevocation.userIDInvalid
19462
+ ].includes(revocationSignature.reasonForRevocationFlag);
19463
+
18621
19464
  await revocationSignature.verify(
18622
- key, signatureType, dataToVerify, date, false, config
19465
+ key, signatureType, dataToVerify, isHardRevocation ? null : date, false, config
18623
19466
  );
18624
19467
 
18625
19468
  // TODO get an identifier of the revoked object instead
@@ -20606,7 +21449,7 @@ var openpgp = (function (exports) {
20606
21449
  key: secretKeyPacket
20607
21450
  };
20608
21451
  const signatureProperties = secretKeyPacket.version !== 6 ? getKeySignatureProperties() : {};
20609
- signatureProperties.signatureType = enums.signature.certGeneric;
21452
+ signatureProperties.signatureType = enums.signature.certPositive;
20610
21453
  if (index === 0) {
20611
21454
  signatureProperties.isPrimaryUserID = true;
20612
21455
  }
@@ -22431,7 +23274,7 @@ var openpgp = (function (exports) {
22431
23274
  result.signatures = await message.verify(verificationKeys, date, config$1);
22432
23275
  }
22433
23276
  result.data = format === 'binary' ? message.getLiteralData() : message.getText();
22434
- if (message.fromStream) linkStreams(result, message);
23277
+ if (message.fromStream && !signature) linkStreams(result, message);
22435
23278
  if (expectSigned) {
22436
23279
  if (result.signatures.length === 0) {
22437
23280
  throw new Error('Message is not signed');