@protontech/openpgp 6.0.0-beta.1 → 6.0.0-beta.2

package/dist/openpgp.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v6.0.0-beta.1 - 2024-05-17 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.0.0-beta.2 - 2024-07-05 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
 const doneWritingPromise = Symbol('doneWritingPromise');
@@ -543,9 +543,10 @@ function transformRaw(input, options) {
  * @param {Function} cancel
  * @returns {TransformStream}
  */
-function transformWithCancel(cancel) {
+function transformWithCancel(customCancel) {
   let pulled = false;
-  let backpressureChangePromiseResolve;
+  let cancelled = false;
+  let backpressureChangePromiseResolve, backpressureChangePromiseReject;
   let outputController;
   return {
     readable: new ReadableStream({
@@ -559,16 +560,29 @@ function transformWithCancel(cancel) {
           pulled = true;
         }
       },
-      cancel
+      async cancel(reason) {
+        cancelled = true;
+        if (customCancel) {
+          await customCancel(reason);
+        }
+        if (backpressureChangePromiseReject) {
+          backpressureChangePromiseReject(reason);
+        }
+      }
     }, {highWaterMark: 0}),
     writable: new WritableStream({
       write: async function(chunk) {
+        if (cancelled) {
+          throw new Error('Stream is cancelled');
+        }
         outputController.enqueue(chunk);
         if (!pulled) {
-          await new Promise(resolve => {
+          await new Promise((resolve, reject) => {
             backpressureChangePromiseResolve = resolve;
+            backpressureChangePromiseReject = reject;
           });
           backpressureChangePromiseResolve = null;
+          backpressureChangePromiseReject = null;
         } else {
           pulled = false;
         }
@@ -1504,6 +1518,14 @@ var config = {
    * @property {Boolean} v6Keys
    */
   v6Keys: false,
+  /**
+   * Enable parsing v5 keys and v5 signatures (which is different from the AEAD-encrypted SEIPDv2 packet).
+   * These are non-standard entities, which in the crypto-refresh have been superseded
+   * by v6 keys and v6 signatures, respectively.
+   * However, generation of v5 entities was supported behind config flag in OpenPGP.js v5, and some other libraries,
+   * hence parsing them might be necessary in some cases.
+   */
+  enableParsingV5Entities: false,
   /**
    * S2K (String to Key) type, used for key derivation in the context of secret key encryption
    * and password-encrypted data. Weaker s2k options are not allowed.
@@ -1660,7 +1682,7 @@ var config = {
    * @memberof module:config
    * @property {String} versionString A version string to be included in armored messages
    */
-  versionString: 'OpenPGP.js 6.0.0-beta.1',
+  versionString: 'OpenPGP.js 6.0.0-beta.2',
   /**
    * @memberof module:config
    * @property {String} commentString A comment string to be included in armored messages
@@ -3188,15 +3210,15 @@ function add32(a, b) {
 
 
 const webCrypto$b = util.getWebCrypto();
-const nodeCrypto$a = util.getNodeCrypto();
-const nodeCryptoHashes = nodeCrypto$a && nodeCrypto$a.getHashes();
+const nodeCrypto$b = util.getNodeCrypto();
+const nodeCryptoHashes = nodeCrypto$b && nodeCrypto$b.getHashes();
 
 function nodeHash(type) {
-  if (!nodeCrypto$a || !nodeCryptoHashes.includes(type)) {
+  if (!nodeCrypto$b || !nodeCryptoHashes.includes(type)) {
     return;
   }
   return async function (data) {
-    const shasum = nodeCrypto$a.createHash(type);
+    const shasum = nodeCrypto$b.createHash(type);
     return transform(data, value => {
       shasum.update(value);
     }, () => new Uint8Array(shasum.digest()));
@@ -4543,9 +4565,9 @@ class AES_CFB {
 
 
 const webCrypto$a = util.getWebCrypto();
-const nodeCrypto$9 = util.getNodeCrypto();
+const nodeCrypto$a = util.getNodeCrypto();
 
-const knownAlgos = nodeCrypto$9 ? nodeCrypto$9.getCiphers() : [];
+const knownAlgos = nodeCrypto$a ? nodeCrypto$a.getCiphers() : [];
 const nodeAlgos = {
   idea: knownAlgos.includes('idea-cfb') ? 'idea-cfb' : undefined, /* Unused, not implemented */
   tripledes: knownAlgos.includes('des-ede3-cfb') ? 'des-ede3-cfb' : undefined,
@@ -4611,7 +4633,7 @@ async function encrypt$5(algo, key, plaintext, iv, config) {
  */
 async function decrypt$5(algo, key, ciphertext, iv) {
   const algoName = enums.read(enums.symmetric, algo);
-  if (nodeCrypto$9 && nodeAlgos[algoName]) { // Node crypto library.
+  if (nodeCrypto$a && nodeAlgos[algoName]) { // Node crypto library.
     return nodeDecrypt$1(algo, key, ciphertext, iv);
   }
   if (util.isAES(algo)) {
@@ -4779,13 +4801,13 @@ function xorMut$1(a, b) {
 
 function nodeEncrypt$1(algo, key, pt, iv) {
   const algoName = enums.read(enums.symmetric, algo);
-  const cipherObj = new nodeCrypto$9.createCipheriv(nodeAlgos[algoName], key, iv);
+  const cipherObj = new nodeCrypto$a.createCipheriv(nodeAlgos[algoName], key, iv);
   return transform(pt, value => new Uint8Array(cipherObj.update(value)));
 }
 
 function nodeDecrypt$1(algo, key, ct, iv) {
   const algoName = enums.read(enums.symmetric, algo);
-  const decipherObj = new nodeCrypto$9.createDecipheriv(nodeAlgos[algoName], key, iv);
+  const decipherObj = new nodeCrypto$a.createDecipheriv(nodeAlgos[algoName], key, iv);
   return transform(ct, value => new Uint8Array(decipherObj.update(value)));
 }
 
@@ -4878,7 +4900,7 @@ class AES_CBC {
 
 
 const webCrypto$9 = util.getWebCrypto();
-const nodeCrypto$8 = util.getNodeCrypto();
+const nodeCrypto$9 = util.getNodeCrypto();
 
 
 /**
@@ -4944,7 +4966,7 @@ async function CMAC(key) {
 async function CBC(key) {
   if (util.getNodeCrypto()) { // Node crypto library
     return async function(pt) {
-      const en = new nodeCrypto$8.createCipheriv('aes-' + (key.length * 8) + '-cbc', key, zeroBlock$1);
+      const en = new nodeCrypto$9.createCipheriv('aes-' + (key.length * 8) + '-cbc', key, zeroBlock$1);
       const ct = en.update(pt);
       return new Uint8Array(ct);
     };
@@ -4992,7 +5014,7 @@ async function CBC(key) {
 
 
 const webCrypto$8 = util.getWebCrypto();
-const nodeCrypto$7 = util.getNodeCrypto();
+const nodeCrypto$8 = util.getNodeCrypto();
 const Buffer$1 = util.getNodeBuffer();
 
 
@@ -5014,7 +5036,7 @@ async function OMAC(key) {
 async function CTR(key) {
   if (util.getNodeCrypto()) { // Node crypto library
     return async function(pt, iv) {
-      const en = new nodeCrypto$7.createCipheriv('aes-' + (key.length * 8) + '-ctr', key, iv);
+      const en = new nodeCrypto$8.createCipheriv('aes-' + (key.length * 8) + '-ctr', key, iv);
       const ct = Buffer$1.concat([en.update(pt), en.final()]);
       return new Uint8Array(ct);
     };
@@ -5705,7 +5727,7 @@ class AES_GCM {
 
 
 const webCrypto$7 = util.getWebCrypto();
-const nodeCrypto$6 = util.getNodeCrypto();
+const nodeCrypto$7 = util.getNodeCrypto();
 const Buffer = util.getNodeBuffer();
 
 const blockLength = 16;
@@ -5728,14 +5750,14 @@ async function GCM(cipher, key) {
   if (util.getNodeCrypto()) { // Node crypto library
     return {
       encrypt: async function(pt, iv, adata = new Uint8Array()) {
-        const en = new nodeCrypto$6.createCipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
+        const en = new nodeCrypto$7.createCipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
         en.setAAD(adata);
         const ct = Buffer.concat([en.update(pt), en.final(), en.getAuthTag()]); // append auth tag to ciphertext
         return new Uint8Array(ct);
       },
 
       decrypt: async function(ct, iv, adata = new Uint8Array()) {
-        const de = new nodeCrypto$6.createDecipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
+        const de = new nodeCrypto$7.createDecipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);
         de.setAAD(adata);
         de.setAuthTag(ct.slice(ct.length - tagLength, ct.length)); // read auth tag at end of ciphertext
         const pt = Buffer.concat([de.update(ct.slice(0, ct.length - tagLength)), de.final()]);
@@ -5834,8 +5856,8 @@ var mode = {
 };
 
 // Operations are not constant time, but we try and limit timing leakage where we can
-const _0n$8 = BigInt(0);
-const _1n$d = BigInt(1);
+const _0n$9 = BigInt(0);
+const _1n$e = BigInt(1);
 function uint8ArrayToBigInt(bytes) {
     const hexAlphabet = '0123456789ABCDEF';
     let s = '';
@@ -5844,9 +5866,9 @@ function uint8ArrayToBigInt(bytes) {
     });
     return BigInt('0x0' + s);
 }
-function mod$2(a, m) {
+function mod$3(a, m) {
     const reduced = a % m;
-    return reduced < _0n$8 ? reduced + m : reduced;
+    return reduced < _0n$9 ? reduced + m : reduced;
 }
 /**
  * Compute modular exponentiation using square and multiply
@@ -5856,19 +5878,19 @@ function mod$2(a, m) {
  * @returns {BigInt} b ** e mod n.
  */
 function modExp(b, e, n) {
-    if (n === _0n$8)
+    if (n === _0n$9)
         throw Error('Modulo cannot be zero');
-    if (n === _1n$d)
+    if (n === _1n$e)
         return BigInt(0);
-    if (e < _0n$8)
+    if (e < _0n$9)
         throw Error('Unsopported negative exponent');
     let exp = e;
     let x = b;
     x %= n;
     let r = BigInt(1);
-    while (exp > _0n$8) {
-        const lsb = exp & _1n$d;
-        exp >>= _1n$d; // e / 2
+    while (exp > _0n$9) {
+        const lsb = exp & _1n$e;
+        exp >>= _1n$e; // e / 2
         // Always compute multiplication step, to reduce timing leakage
         const rx = (r * x) % n;
         // Update r only if lsb is 1 (odd exponent)
@@ -5878,7 +5900,7 @@ function modExp(b, e, n) {
     return r;
 }
 function abs(x) {
-    return x >= _0n$8 ? x : -x;
+    return x >= _0n$9 ? x : -x;
 }
 /**
  * Extended Eucleadian algorithm (http://anh.cs.luc.edu/331/notes/xgcd.pdf)
@@ -5898,9 +5920,9 @@ function _egcd(aInput, bInput) {
     // See https://math.stackexchange.com/questions/37806/extended-euclidean-algorithm-with-negative-numbers
     let a = abs(aInput);
     let b = abs(bInput);
-    const aNegated = aInput < _0n$8;
-    const bNegated = bInput < _0n$8;
-    while (b !== _0n$8) {
+    const aNegated = aInput < _0n$9;
+    const bNegated = bInput < _0n$9;
+    while (b !== _0n$9) {
         const q = a / b;
         let tmp = x;
         x = xPrev - q * x;
@@ -5928,10 +5950,10 @@ function _egcd(aInput, bInput) {
  */
 function modInv(a, n) {
     const { gcd, x } = _egcd(a, n);
-    if (gcd !== _1n$d) {
+    if (gcd !== _1n$e) {
         throw new Error('Inverse does not exist');
     }
-    return mod$2(x + n, n);
+    return mod$3(x + n, n);
 }
 /**
  * Compute greatest common divisor between this and n
@@ -5942,7 +5964,7 @@ function modInv(a, n) {
 function gcd(aInput, bInput) {
     let a = aInput;
     let b = bInput;
-    while (b !== _0n$8) {
+    while (b !== _0n$9) {
         const tmp = b;
         b = a % b;
         a = tmp;
@@ -5969,8 +5991,8 @@ function bigIntToNumber(x) {
  * @returns {Number} Bit value.
  */
 function getBit(x, i) {
-    const bit = (x >> BigInt(i)) & _1n$d;
-    return bit === _0n$8 ? 0 : 1;
+    const bit = (x >> BigInt(i)) & _1n$e;
+    return bit === _0n$9 ? 0 : 1;
 }
 /**
  * Compute bit length
@@ -5978,11 +6000,11 @@ function getBit(x, i) {
 function bitLength(x) {
     // -1n >> -1n is -1n
     // 1n >> 1n is 0n
-    const target = x < _0n$8 ? BigInt(-1) : _0n$8;
+    const target = x < _0n$9 ? BigInt(-1) : _0n$9;
     let bitlen = 1;
     let tmp = x;
     // eslint-disable-next-line no-cond-assign
-    while ((tmp >>= _1n$d) !== target) {
+    while ((tmp >>= _1n$e) !== target) {
         bitlen++;
     }
     return bitlen;
@@ -5991,7 +6013,7 @@ function bitLength(x) {
  * Compute byte length
  */
 function byteLength(x) {
-    const target = x < _0n$8 ? BigInt(-1) : _0n$8;
+    const target = x < _0n$9 ? BigInt(-1) : _0n$9;
     const _8n = BigInt(8);
     let len = 1;
     let tmp = x;
@@ -6047,7 +6069,7 @@ function bigIntToUint8Array(x, endian = 'be', length) {
 // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 
 
-const nodeCrypto$5 = util.getNodeCrypto();
+const nodeCrypto$6 = util.getNodeCrypto();
 
 /**
  * Retrieve secure random byte array of the specified length
@@ -6056,8 +6078,8 @@ const nodeCrypto$5 = util.getNodeCrypto();
  */
 function getRandomBytes(length) {
   const buf = new Uint8Array(length);
-  if (nodeCrypto$5) {
-    const bytes = nodeCrypto$5.randomBytes(buf.length);
+  if (nodeCrypto$6) {
+    const bytes = nodeCrypto$6.randomBytes(buf.length);
     buf.set(bytes);
   } else if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
     crypto.getRandomValues(buf);
@@ -6086,7 +6108,7 @@ function getRandomBigInteger(min, max) {
   // However, we request 64 extra random bits so that the bias is negligible.
   // Section B.1.1 here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
   const r = uint8ArrayToBigInt(getRandomBytes(bytes + 8));
-  return mod$2(r, modulus) + min;
+  return mod$3(r, modulus) + min;
 }
 
 var random = /*#__PURE__*/Object.freeze({
@@ -6115,7 +6137,7 @@ var random = /*#__PURE__*/Object.freeze({
  * @fileoverview Algorithms for probabilistic random prime generation
  * @module crypto/public_key/prime
  */
-const _1n$c = BigInt(1);
+const _1n$d = BigInt(1);
 /**
  * Generate a probably prime random number
  * @param bits - Bit length of the prime
@@ -6124,7 +6146,7 @@ const _1n$c = BigInt(1);
  */
 function randomProbablePrime(bits, e, k) {
     const _30n = BigInt(30);
-    const min = _1n$c << BigInt(bits - 1);
+    const min = _1n$d << BigInt(bits - 1);
     /*
      * We can avoid any multiples of 3 and 5 by looking at n mod 30
      * n mod 30 = 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
@@ -6132,16 +6154,16 @@ function randomProbablePrime(bits, e, k) {
      *            1  7  7  7  7  7  7 11 11 11 11 13 13 17 17 17 17 19 19 23 23 23 23 29 29 29 29 29 29 1
      */
     const adds = [1, 6, 5, 4, 3, 2, 1, 4, 3, 2, 1, 2, 1, 4, 3, 2, 1, 2, 1, 4, 3, 2, 1, 6, 5, 4, 3, 2, 1, 2];
-    let n = getRandomBigInteger(min, min << _1n$c);
-    let i = bigIntToNumber(mod$2(n, _30n));
+    let n = getRandomBigInteger(min, min << _1n$d);
+    let i = bigIntToNumber(mod$3(n, _30n));
     do {
         n += BigInt(adds[i]);
         i = (i + adds[i]) % adds.length;
         // If reached the maximum, go back to the minimum.
         if (bitLength(n) > bits) {
-            n = mod$2(n, min << _1n$c);
+            n = mod$3(n, min << _1n$d);
             n += min;
-            i = bigIntToNumber(mod$2(n, _30n));
+            i = bigIntToNumber(mod$3(n, _30n));
         }
     } while (!isProbablePrime(n, e, k));
     return n;
@@ -6153,7 +6175,7 @@ function randomProbablePrime(bits, e, k) {
  * @param k - Optional number of iterations of Miller-Rabin test
  */
 function isProbablePrime(n, e, k) {
-    if (e && gcd(n - _1n$c, e) !== _1n$c) {
+    if (e && gcd(n - _1n$d, e) !== _1n$d) {
         return false;
     }
     if (!divisionTest(n)) {
@@ -6176,11 +6198,11 @@ function isProbablePrime(n, e, k) {
  * @param b - Optional Fermat test base
  */
 function fermat(n, b = BigInt(2)) {
-    return modExp(b, n - _1n$c, n) === _1n$c;
+    return modExp(b, n - _1n$d, n) === _1n$d;
 }
 function divisionTest(n) {
     const _0n = BigInt(0);
-    return smallPrimes.every(m => mod$2(n, m) !== _0n);
+    return smallPrimes.every(m => mod$3(n, m) !== _0n);
 }
 // https://github.com/gpg/libgcrypt/blob/master/cipher/primegen.c
 const smallPrimes = [
@@ -6304,7 +6326,7 @@ function millerRabin(n, k, rand) {
     if (!k) {
         k = Math.max(1, (len / 48) | 0);
     }
-    const n1 = n - _1n$c; // n - 1
+    const n1 = n - _1n$d; // n - 1
     // Find d and s, (n - 1) = (2 ^ s) * d;
     let s = 0;
     while (!getBit(n1, s)) {
@@ -6314,13 +6336,13 @@ function millerRabin(n, k, rand) {
     for (; k > 0; k--) {
         const a = getRandomBigInteger(BigInt(2), n1);
         let x = modExp(a, d, n);
-        if (x === _1n$c || x === n1) {
+        if (x === _1n$d || x === n1) {
             continue;
         }
         let i;
         for (i = 1; i < s; i++) {
-            x = mod$2(x * x, n);
-            if (x === _1n$c) {
+            x = mod$3(x * x, n);
+            if (x === _1n$d) {
                 return false;
             }
             if (x === n1) {
@@ -6513,8 +6535,8 @@ var pkcs1 = /*#__PURE__*/Object.freeze({
 
 
 const webCrypto$6 = util.getWebCrypto();
-const nodeCrypto$4 = util.getNodeCrypto();
-const _1n$b = BigInt(1);
+const nodeCrypto$5 = util.getNodeCrypto();
+const _1n$c = BigInt(1);
 
 /** Create signature
  * @param {module:enums.hash} hashAlgo - Hash algorithm
@@ -6555,7 +6577,7 @@ async function sign$7(hashAlgo, data, n, e, d, p, q, u, hashed) {
  * @returns {Boolean}
  * @async
  */
-async function verify$7(hashAlgo, data, s, n, e, hashed) {
+async function verify$8(hashAlgo, data, s, n, e, hashed) {
   if (data && !util.isStream(data)) {
     if (util.getWebCrypto()) {
       try {
@@ -6655,7 +6677,7 @@ async function generate$5(bits, e) {
       privateKeyEncoding: { type: 'pkcs1', format: 'jwk' }
     };
     const jwk = await new Promise((resolve, reject) => {
-      nodeCrypto$4.generateKeyPair('rsa', opts, (err, _, jwkPrivateKey) => {
+      nodeCrypto$5.generateKeyPair('rsa', opts, (err, _, jwkPrivateKey) => {
         if (err) {
           reject(err);
         } else {
@@ -6678,7 +6700,7 @@ async function generate$5(bits, e) {
     n = p * q;
   } while (bitLength(n) !== bits);
 
-  const phi = (p - _1n$b) * (q - _1n$b);
+  const phi = (p - _1n$c) * (q - _1n$c);
 
   if (q < p) {
     [p, q] = [q, p];
@@ -6720,7 +6742,7 @@ async function validateParams$9(n, e, d, p, q, u) {
   const _2n = BigInt(2);
   // expect p*u = 1 mod q
   u = uint8ArrayToBigInt(u);
-  if (mod$2(p * u, q) !== BigInt(1)) {
+  if (mod$3(p * u, q) !== BigInt(1)) {
     return false;
   }
 
@@ -6737,7 +6759,7 @@ async function validateParams$9(n, e, d, p, q, u) {
   const r = getRandomBigInteger(_2n, _2n << nSizeOver3); // r in [ 2, 2^{|n|/3} ) < p and q
   const rde = r * d * e;
 
-  const areInverses = mod$2(rde, p - _1n$b) === r && mod$2(rde, q - _1n$b) === r;
+  const areInverses = mod$3(rde, p - _1n$c) === r && mod$3(rde, q - _1n$c) === r;
   if (!areInverses) {
     return false;
   }
@@ -6773,7 +6795,7 @@ async function webSign$1(hashName, data, n, e, d, p, q, u) {
 }
 
 async function nodeSign$1(hashAlgo, data, n, e, d, p, q, u) {
-  const sign = nodeCrypto$4.createSign(enums.read(enums.hash, hashAlgo));
+  const sign = nodeCrypto$5.createSign(enums.read(enums.hash, hashAlgo));
   sign.write(data);
   sign.end();
 
@@ -6806,7 +6828,7 @@ async function nodeVerify$1(hashAlgo, data, s, n, e) {
   const jwk = publicToJWK(n, e);
   const key = { key: jwk, format: 'jwk', type: 'pkcs1' };
 
-  const verify = nodeCrypto$4.createVerify(enums.read(enums.hash, hashAlgo));
+  const verify = nodeCrypto$5.createVerify(enums.read(enums.hash, hashAlgo));
   verify.write(data);
   verify.end();
 
@@ -6819,9 +6841,9 @@ async function nodeVerify$1(hashAlgo, data, s, n, e) {
 
 async function nodeEncrypt(data, n, e) {
   const jwk = publicToJWK(n, e);
-  const key = { key: jwk, format: 'jwk', type: 'pkcs1', padding: nodeCrypto$4.constants.RSA_PKCS1_PADDING };
+  const key = { key: jwk, format: 'jwk', type: 'pkcs1', padding: nodeCrypto$5.constants.RSA_PKCS1_PADDING };
 
-  return new Uint8Array(nodeCrypto$4.publicEncrypt(key, data));
+  return new Uint8Array(nodeCrypto$5.publicEncrypt(key, data));
 }
 
 async function bnEncrypt(data, n, e) {
@@ -6836,10 +6858,10 @@ async function bnEncrypt(data, n, e) {
 
 async function nodeDecrypt(data, n, e, d, p, q, u) {
   const jwk = await privateToJWK$1(n, e, d, p, q, u);
-  const key = { key: jwk, format: 'jwk' , type: 'pkcs1', padding: nodeCrypto$4.constants.RSA_PKCS1_PADDING };
+  const key = { key: jwk, format: 'jwk' , type: 'pkcs1', padding: nodeCrypto$5.constants.RSA_PKCS1_PADDING };
 
   try {
-    return new Uint8Array(nodeCrypto$4.privateDecrypt(key, data));
+    return new Uint8Array(nodeCrypto$5.privateDecrypt(key, data));
   } catch (err) {
     throw new Error('Decryption error');
   }
@@ -6856,20 +6878,20 @@ async function bnDecrypt(data, n, e, d, p, q, u, randomPayload) {
   if (data >= n) {
     throw new Error('Data too large.');
   }
-  const dq = mod$2(d, q - _1n$b); // d mod (q-1)
-  const dp = mod$2(d, p - _1n$b); // d mod (p-1)
+  const dq = mod$3(d, q - _1n$c); // d mod (q-1)
+  const dp = mod$3(d, p - _1n$c); // d mod (p-1)
 
   const unblinder = getRandomBigInteger(BigInt(2), n);
   const blinder = modExp(modInv(unblinder, n), e, n);
-  data = mod$2(data * blinder, n);
+  data = mod$3(data * blinder, n);
 
   const mp = modExp(data, dp, p); // data**{d mod (q-1)} mod p
   const mq = modExp(data, dq, q); // data**{d mod (p-1)} mod q
-  const h = mod$2(u * (mq - mp), q); // u * (mq-mp) mod q (operands already < q)
+  const h = mod$3(u * (mq - mp), q); // u * (mq-mp) mod q (operands already < q)
 
   let result = h * p + mp; // result < n due to relations above
 
-  result = mod$2(result * unblinder, n);
+  result = mod$3(result * unblinder, n);
 
   return emeDecode(bigIntToUint8Array(result, 'be', byteLength(n)), randomPayload);
 }
@@ -6889,8 +6911,8 @@ async function privateToJWK$1(n, e, d, p, q, u) {
   const qNum = uint8ArrayToBigInt(q);
   const dNum = uint8ArrayToBigInt(d);
 
-  let dq = mod$2(dNum, qNum - _1n$b); // d mod (q-1)
-  let dp = mod$2(dNum, pNum - _1n$b); // d mod (p-1)
+  let dq = mod$3(dNum, qNum - _1n$c); // d mod (q-1)
+  let dp = mod$3(dNum, pNum - _1n$c); // d mod (p-1)
   dp = bigIntToUint8Array(dp);
   dq = bigIntToUint8Array(dq);
   return {
@@ -6945,7 +6967,7 @@ var rsa = /*#__PURE__*/Object.freeze({
   generate: generate$5,
   sign: sign$7,
   validateParams: validateParams$9,
-  verify: verify$7
+  verify: verify$8
 });
 
 // GPG4Browsers - An OpenPGP implementation in javascript
@@ -6966,7 +6988,7 @@ var rsa = /*#__PURE__*/Object.freeze({
 // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 
 
-const _1n$a = BigInt(1);
+const _1n$b = BigInt(1);
 
 /**
  * ElGamal Encryption function
@@ -6988,10 +7010,10 @@ async function encrypt$3(data, p, g, y) {
 
   // OpenPGP uses a "special" version of ElGamal where g is generator of the full group Z/pZ*
   // hence g has order p-1, and to avoid that k = 0 mod p-1, we need to pick k in [1, p-2]
-  const k = getRandomBigInteger(_1n$a, p - _1n$a);
+  const k = getRandomBigInteger(_1n$b, p - _1n$b);
   return {
     c1: bigIntToUint8Array(modExp(g, k, p)),
-    c2: bigIntToUint8Array(mod$2(modExp(y, k, p) * m, p))
+    c2: bigIntToUint8Array(mod$3(modExp(y, k, p) * m, p))
   };
 }
 
@@ -7013,7 +7035,7 @@ async function decrypt$3(c1, c2, p, x, randomPayload) {
   p = uint8ArrayToBigInt(p);
   x = uint8ArrayToBigInt(x);
 
-  const padded = mod$2(modInv(modExp(c1, x, p), p) * c2, p);
+  const padded = mod$3(modInv(modExp(c1, x, p), p) * c2, p);
   return emeDecode(bigIntToUint8Array(padded, 'be', byteLength(p)), randomPayload);
 }
 
@@ -7032,7 +7054,7 @@ async function validateParams$8(p, g, y, x) {
   y = uint8ArrayToBigInt(y);
 
   // Check that 1 < g < p
-  if (g <= _1n$a || g >= p) {
+  if (g <= _1n$b || g >= p) {
     return false;
   }
 
@@ -7047,7 +7069,7 @@ async function validateParams$8(p, g, y, x) {
    * g should have order p-1
    * Check that g ** (p-1) = 1 mod p
    */
-  if (modExp(g, p - _1n$a, p) !== _1n$a) {
+  if (modExp(g, p - _1n$b, p) !== _1n$b) {
     return false;
   }
 
@@ -7062,8 +7084,8 @@ async function validateParams$8(p, g, y, x) {
   const _2n = BigInt(2);
   const threshold = _2n << BigInt(17); // we want order > threshold
   while (i < threshold) {
-    res = mod$2(res * g, p);
-    if (res === _1n$a) {
+    res = mod$3(res * g, p);
+    if (res === _1n$b) {
       return false;
     }
     i++;
@@ -7076,8 +7098,8 @@ async function validateParams$8(p, g, y, x) {
    * Blinded exponentiation computes g**{r(p-1) + x} to compare to y
    */
   x = uint8ArrayToBigInt(x);
-  const r = getRandomBigInteger(_2n << (pSize - _1n$a), _2n << pSize); // draw r of same size as p-1
-  const rqx = (p - _1n$a) * r + x;
+  const r = getRandomBigInteger(_2n << (pSize - _1n$b), _2n << pSize); // draw r of same size as p-1
+  const rqx = (p - _1n$b) * r + x;
   if (y !== modExp(g, rqx, p)) {
     return false;
   }
@@ -7093,7 +7115,7 @@ var elgamal = /*#__PURE__*/Object.freeze({
 });
 
 // declare const globalThis: Record<string, any> | undefined;
-const crypto$3 =
+const crypto$4 =
   typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined;
 
 const nacl = {};
@@ -8456,13 +8478,13 @@ nacl.setPRNG = function(fn) {
 (function() {
   // Initialize PRNG if environment provides CSPRNG.
   // If not, methods calling randombytes will throw.
-  if (crypto$3 && crypto$3.getRandomValues) {
+  if (crypto$4 && crypto$4.getRandomValues) {
     // Browsers and Node v16+
     var QUOTA = 65536;
     nacl.setPRNG(function(x, n) {
       var i, v = new Uint8Array(n);
       for (i = 0; i < n; i += QUOTA) {
-        crypto$3.getRandomValues(v.subarray(i, i + Math.min(n - i, QUOTA)));
+        crypto$4.getRandomValues(v.subarray(i, i + Math.min(n - i, QUOTA)));
       }
       for (i = 0; i < n; i++) x[i] = v[i];
       cleanup(v);
@@ -8911,15 +8933,15 @@ class UnparseablePacket {
 
 
 const webCrypto$5 = util.getWebCrypto();
-const nodeCrypto$3 = util.getNodeCrypto();
+const nodeCrypto$4 = util.getNodeCrypto();
 
 const webCurves = {
   [enums.curve.nistP256]: 'P-256',
   [enums.curve.nistP384]: 'P-384',
   [enums.curve.nistP521]: 'P-521'
 };
-const knownCurves = nodeCrypto$3 ? nodeCrypto$3.getCurves() : [];
-const nodeCurves = nodeCrypto$3 ? {
+const knownCurves = nodeCrypto$4 ? nodeCrypto$4.getCurves() : [];
+const nodeCurves = nodeCrypto$4 ? {
   [enums.curve.secp256k1]: knownCurves.includes('secp256k1') ? 'secp256k1' : undefined,
   [enums.curve.nistP256]: knownCurves.includes('prime256v1') ? 'prime256v1' : undefined,
   [enums.curve.nistP384]: knownCurves.includes('secp384r1') ? 'secp384r1' : undefined,
@@ -8940,7 +8962,8 @@ const curves = {
     node: nodeCurves[enums.curve.nistP256],
     web: webCurves[enums.curve.nistP256],
     payloadSize: 32,
-    sharedSize: 256
+    sharedSize: 256,
+    wireFormatLeadingByte: 0x04
   },
   [enums.curve.nistP384]: {
     oid: [0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22],
@@ -8950,7 +8973,8 @@ const curves = {
     node: nodeCurves[enums.curve.nistP384],
     web: webCurves[enums.curve.nistP384],
     payloadSize: 48,
-    sharedSize: 384
+    sharedSize: 384,
+    wireFormatLeadingByte: 0x04
   },
   [enums.curve.nistP521]: {
     oid: [0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x23],
@@ -8960,7 +8984,8 @@ const curves = {
     node: nodeCurves[enums.curve.nistP521],
     web: webCurves[enums.curve.nistP521],
     payloadSize: 66,
-    sharedSize: 528
+    sharedSize: 528,
+    wireFormatLeadingByte: 0x04
   },
   [enums.curve.secp256k1]: {
     oid: [0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x0A],
@@ -8968,14 +8993,16 @@ const curves = {
     hash: enums.hash.sha256,
     cipher: enums.symmetric.aes128,
     node: nodeCurves[enums.curve.secp256k1],
-    payloadSize: 32
+    payloadSize: 32,
+    wireFormatLeadingByte: 0x04
   },
   [enums.curve.ed25519Legacy]: {
     oid: [0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01],
     keyType: enums.publicKey.eddsaLegacy,
     hash: enums.hash.sha512,
     node: false, // nodeCurves.ed25519 TODO
-    payloadSize: 32
+    payloadSize: 32,
+    wireFormatLeadingByte: 0x40
   },
   [enums.curve.curve25519Legacy]: {
     oid: [0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55, 0x01, 0x05, 0x01],
@@ -8983,7 +9010,8 @@ const curves = {
     hash: enums.hash.sha256,
     cipher: enums.symmetric.aes128,
     node: false, // nodeCurves.curve25519 TODO
-    payloadSize: 32
+    payloadSize: 32,
+    wireFormatLeadingByte: 0x40
   },
   [enums.curve.brainpoolP256r1]: {
     oid: [0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x07],
@@ -8991,7 +9019,8 @@ const curves = {
     hash: enums.hash.sha256,
     cipher: enums.symmetric.aes128,
     node: nodeCurves[enums.curve.brainpoolP256r1],
-    payloadSize: 32
+    payloadSize: 32,
+    wireFormatLeadingByte: 0x04
   },
   [enums.curve.brainpoolP384r1]: {
     oid: [0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0B],
@@ -8999,7 +9028,8 @@ const curves = {
     hash: enums.hash.sha384,
     cipher: enums.symmetric.aes192,
     node: nodeCurves[enums.curve.brainpoolP384r1],
-    payloadSize: 48
+    payloadSize: 48,
+    wireFormatLeadingByte: 0x04
   },
   [enums.curve.brainpoolP512r1]: {
     oid: [0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0D],
@@ -9007,7 +9037,8 @@ const curves = {
     hash: enums.hash.sha512,
     cipher: enums.symmetric.aes256,
     node: nodeCurves[enums.curve.brainpoolP512r1],
-    payloadSize: 64
+    payloadSize: 64,
+    wireFormatLeadingByte: 0x04
   }
 };
 
@@ -9031,6 +9062,7 @@ class CurveWithOID {
     this.web = params.web;
     this.payloadSize = params.payloadSize;
     this.sharedSize = params.sharedSize;
+    this.wireFormatLeadingByte = params.wireFormatLeadingByte;
     if (this.web && util.getWebCrypto()) {
       this.type = 'web';
     } else if (this.node && util.getNodeCrypto()) {
@@ -9046,7 +9078,7 @@ class CurveWithOID {
     switch (this.type) {
       case 'web':
         try {
-          return await webGenKeyPair(this.name);
+          return await webGenKeyPair(this.name, this.wireFormatLeadingByte);
         } catch (err) {
           util.printDebugError('Browser did not support generating ec key ' + err.message);
           return jsGenKeyPair(this.name);
@@ -9059,13 +9091,13 @@ class CurveWithOID {
         privateKey[31] &= 248;
         const secretKey = privateKey.slice().reverse();
         const { publicKey: rawPublicKey } = nacl.box.keyPair.fromSecretKey(secretKey);
-        const publicKey = util.concatUint8Array([new Uint8Array([0x40]), rawPublicKey]);
+        const publicKey = util.concatUint8Array([new Uint8Array([this.wireFormatLeadingByte]), rawPublicKey]);
         return { publicKey, privateKey };
       }
       case 'ed25519Legacy': {
         const privateKey = getRandomBytes(32);
         const keyPair = nacl.sign.keyPair.fromSeed(privateKey);
-        const publicKey = util.concatUint8Array([new Uint8Array([0x40]), keyPair.publicKey]);
+        const publicKey = util.concatUint8Array([new Uint8Array([this.wireFormatLeadingByte]), keyPair.publicKey]);
         return { publicKey, privateKey };
       }
       default:
@@ -9151,6 +9183,20 @@ async function validateStandardParams(algo, oid, Q, d) {
   return true;
 }
 
+/**
+ * Check whether the public point has a valid encoding.
+ * NB: this function does not check e.g. whether the point belongs to the curve.
+ */
+function checkPublicPointEnconding(curve, V) {
+  const { payloadSize, wireFormatLeadingByte, name: curveName } = curve;
+
+  const pointSize = (curveName === enums.curve.curve25519Legacy || curveName === enums.curve.ed25519Legacy) ? payloadSize : payloadSize * 2;
+
+  if (V[0] !== wireFormatLeadingByte || V.length !== pointSize + 1) {
+    throw new Error('Invalid point encoding');
+  }
+}
+
 //////////////////////////
 //                      //
 //   Helper functions   //
@@ -9163,7 +9209,7 @@ async function jsGenKeyPair(name) {
   return { publicKey, privateKey };
 }
 
-async function webGenKeyPair(name) {
+async function webGenKeyPair(name, wireFormatLeadingByte) {
   // Note: keys generated with ECDSA and ECDH are structurally equivalent
   const webCryptoKey = await webCrypto$5.generateKey({ name: 'ECDSA', namedCurve: webCurves[name] }, true, ['sign', 'verify']);
 
@@ -9171,14 +9217,14 @@ async function webGenKeyPair(name) {
   const publicKey = await webCrypto$5.exportKey('jwk', webCryptoKey.publicKey);
 
   return {
-    publicKey: jwkToRawPublic(publicKey),
+    publicKey: jwkToRawPublic(publicKey, wireFormatLeadingByte),
     privateKey: b64ToUint8Array(privateKey.d)
   };
 }
 
 async function nodeGenKeyPair(name) {
   // Note: ECDSA and ECDH key generation is structurally equivalent
-  const ecdh = nodeCrypto$3.createECDH(nodeCurves[name]);
+  const ecdh = nodeCrypto$4.createECDH(nodeCurves[name]);
   await ecdh.generateKeys();
   return {
     publicKey: new Uint8Array(ecdh.getPublicKey()),
@@ -9197,11 +9243,11 @@ async function nodeGenKeyPair(name) {
  *
  * @returns {Uint8Array} Raw public key.
  */
-function jwkToRawPublic(jwk) {
+function jwkToRawPublic(jwk, wireFormatLeadingByte) {
   const bufX = b64ToUint8Array(jwk.x);
   const bufY = b64ToUint8Array(jwk.y);
   const publicKey = new Uint8Array(bufX.length + bufY.length + 1);
-  publicKey[0] = 0x04;
+  publicKey[0] = wireFormatLeadingByte;
   publicKey.set(bufX, 1);
   publicKey.set(bufY, bufX.length + 1);
   return publicKey;
@@ -9262,7 +9308,7 @@ function privateToJWK(payloadSize, name, publicKey, privateKey) {
 
 
 const webCrypto$4 = util.getWebCrypto();
-const nodeCrypto$2 = util.getNodeCrypto();
+const nodeCrypto$3 = util.getNodeCrypto();
 
 /**
  * Sign a message using the provided key
@@ -9280,6 +9326,7 @@ const nodeCrypto$2 = util.getNodeCrypto();
  */
 async function sign$6(oid, hashAlgo, message, publicKey, privateKey, hashed) {
   const curve = new CurveWithOID(oid);
+  checkPublicPointEnconding(curve, publicKey);
   if (message && !util.isStream(message)) {
     const keyPair = { publicKey, privateKey };
     switch (curve.type) {
@@ -9324,8 +9371,9 @@ async function sign$6(oid, hashAlgo, message, publicKey, privateKey, hashed) {
  * @returns {Boolean}
  * @async
  */
-async function verify$6(oid, hashAlgo, signature, message, publicKey, hashed) {
+async function verify$7(oid, hashAlgo, signature, message, publicKey, hashed) {
   const curve = new CurveWithOID(oid);
+  checkPublicPointEnconding(curve, publicKey);
   // See https://github.com/openpgpjs/openpgpjs/pull/948.
   // NB: the impact was more likely limited to Brainpool curves, since thanks
   // to WebCrypto availability, NIST curve should not have been affected.
@@ -9392,7 +9440,7 @@ async function validateParams$7(oid, Q, d) {
       try {
         const signature = await sign$6(oid, hashAlgo, message, Q, d, hashed);
         // eslint-disable-next-line @typescript-eslint/return-await
-        return await verify$6(oid, hashAlgo, signature, message, Q, hashed);
+        return await verify$7(oid, hashAlgo, signature, message, Q, hashed);
       } catch (err) {
         return false;
       }
@@ -9487,7 +9535,7 @@ async function nodeSign(curve, hashAlgo, message, privateKey) {
     privateKey: nodeBuffer.from(privateKey)
   });
 
-  const sign = nodeCrypto$2.createSign(enums.read(enums.hash, hashAlgo));
+  const sign = nodeCrypto$3.createSign(enums.read(enums.hash, hashAlgo));
   sign.write(message);
   sign.end();
 
@@ -9508,7 +9556,7 @@ async function nodeVerify(curve, hashAlgo, { r, s }, message, publicKey) {
     publicKey: nodeBuffer.from(publicKey)
   });
 
-  const verify = nodeCrypto$2.createVerify(enums.read(enums.hash, hashAlgo));
+  const verify = nodeCrypto$3.createVerify(enums.read(enums.hash, hashAlgo));
   verify.write(message);
   verify.end();
 
@@ -9525,7 +9573,760 @@ var ecdsa = /*#__PURE__*/Object.freeze({
   __proto__: null,
   sign: sign$6,
   validateParams: validateParams$7,
-  verify: verify$6
+  verify: verify$7
+});
+
+/*! noble-ed25519 - MIT License (c) 2019 Paul Miller (paulmillr.com) */
+const nodeCrypto$2 = null;
+const _0n$8 = BigInt(0);
+const _1n$a = BigInt(1);
+const _2n$6 = BigInt(2);
+const _8n$2 = BigInt(8);
+const CU_O = BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989');
+const CURVE$1 = Object.freeze({
+    a: BigInt(-1),
+    d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
+    P: BigInt('57896044618658097711785492504343953926634992332820282019728792003956564819949'),
+    l: CU_O,
+    n: CU_O,
+    h: BigInt(8),
+    Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
+    Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
+});
+const POW_2_256 = BigInt('0x10000000000000000000000000000000000000000000000000000000000000000');
+const SQRT_M1 = BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
+BigInt('6853475219497561581579357271197624642482790079785650197046958215289687604742');
+const SQRT_AD_MINUS_ONE = BigInt('25063068953384623474111414158702152701244531502492656460079210482610430750235');
+const INVSQRT_A_MINUS_D = BigInt('54469307008909316920995813868745141605393597292927456921205312896311721017578');
+const ONE_MINUS_D_SQ = BigInt('1159843021668779879193775521855586647937357759715417654439879720876111806838');
+const D_MINUS_ONE_SQ = BigInt('40440834346308536858101042469323190826248399146238708352240133220865137265952');
+class ExtendedPoint {
+    constructor(x, y, z, t) {
+        this.x = x;
+        this.y = y;
+        this.z = z;
+        this.t = t;
+    }
+    static fromAffine(p) {
+        if (!(p instanceof Point)) {
+            throw new TypeError('ExtendedPoint#fromAffine: expected Point');
+        }
+        if (p.equals(Point.ZERO))
+            return ExtendedPoint.ZERO;
+        return new ExtendedPoint(p.x, p.y, _1n$a, mod$2(p.x * p.y));
+    }
+    static toAffineBatch(points) {
+        const toInv = invertBatch(points.map((p) => p.z));
+        return points.map((p, i) => p.toAffine(toInv[i]));
+    }
+    static normalizeZ(points) {
+        return this.toAffineBatch(points).map(this.fromAffine);
+    }
+    equals(other) {
+        assertExtPoint(other);
+        const { x: X1, y: Y1, z: Z1 } = this;
+        const { x: X2, y: Y2, z: Z2 } = other;
+        const X1Z2 = mod$2(X1 * Z2);
+        const X2Z1 = mod$2(X2 * Z1);
+        const Y1Z2 = mod$2(Y1 * Z2);
+        const Y2Z1 = mod$2(Y2 * Z1);
+        return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
+    }
+    negate() {
+        return new ExtendedPoint(mod$2(-this.x), this.y, this.z, mod$2(-this.t));
+    }
+    double() {
+        const { x: X1, y: Y1, z: Z1 } = this;
+        const { a } = CURVE$1;
+        const A = mod$2(X1 * X1);
+        const B = mod$2(Y1 * Y1);
+        const C = mod$2(_2n$6 * mod$2(Z1 * Z1));
+        const D = mod$2(a * A);
+        const x1y1 = X1 + Y1;
+        const E = mod$2(mod$2(x1y1 * x1y1) - A - B);
+        const G = D + B;
+        const F = G - C;
+        const H = D - B;
+        const X3 = mod$2(E * F);
+        const Y3 = mod$2(G * H);
+        const T3 = mod$2(E * H);
+        const Z3 = mod$2(F * G);
+        return new ExtendedPoint(X3, Y3, Z3, T3);
+    }
+    add(other) {
+        assertExtPoint(other);
+        const { x: X1, y: Y1, z: Z1, t: T1 } = this;
+        const { x: X2, y: Y2, z: Z2, t: T2 } = other;
+        const A = mod$2((Y1 - X1) * (Y2 + X2));
+        const B = mod$2((Y1 + X1) * (Y2 - X2));
+        const F = mod$2(B - A);
+        if (F === _0n$8)
+            return this.double();
+        const C = mod$2(Z1 * _2n$6 * T2);
+        const D = mod$2(T1 * _2n$6 * Z2);
+        const E = D + C;
+        const G = B + A;
+        const H = D - C;
+        const X3 = mod$2(E * F);
+        const Y3 = mod$2(G * H);
+        const T3 = mod$2(E * H);
+        const Z3 = mod$2(F * G);
+        return new ExtendedPoint(X3, Y3, Z3, T3);
+    }
+    subtract(other) {
+        return this.add(other.negate());
+    }
+    precomputeWindow(W) {
+        const windows = 1 + 256 / W;
+        const points = [];
+        let p = this;
+        let base = p;
+        for (let window = 0; window < windows; window++) {
+            base = p;
+            points.push(base);
+            for (let i = 1; i < 2 ** (W - 1); i++) {
+                base = base.add(p);
+                points.push(base);
+            }
+            p = base.double();
+        }
+        return points;
+    }
+    wNAF(n, affinePoint) {
+        if (!affinePoint && this.equals(ExtendedPoint.BASE))
+            affinePoint = Point.BASE;
+        const W = (affinePoint && affinePoint._WINDOW_SIZE) || 1;
+        if (256 % W) {
+            throw new Error('Point#wNAF: Invalid precomputation window, must be power of 2');
+        }
+        let precomputes = affinePoint && pointPrecomputes.get(affinePoint);
+        if (!precomputes) {
+            precomputes = this.precomputeWindow(W);
+            if (affinePoint && W !== 1) {
+                precomputes = ExtendedPoint.normalizeZ(precomputes);
+                pointPrecomputes.set(affinePoint, precomputes);
+            }
+        }
+        let p = ExtendedPoint.ZERO;
+        let f = ExtendedPoint.BASE;
+        const windows = 1 + 256 / W;
+        const windowSize = 2 ** (W - 1);
+        const mask = BigInt(2 ** W - 1);
+        const maxNumber = 2 ** W;
+        const shiftBy = BigInt(W);
+        for (let window = 0; window < windows; window++) {
+            const offset = window * windowSize;
+            let wbits = Number(n & mask);
+            n >>= shiftBy;
+            if (wbits > windowSize) {
+                wbits -= maxNumber;
+                n += _1n$a;
+            }
+            const offset1 = offset;
+            const offset2 = offset + Math.abs(wbits) - 1;
+            const cond1 = window % 2 !== 0;
+            const cond2 = wbits < 0;
+            if (wbits === 0) {
+                f = f.add(constTimeNegate(cond1, precomputes[offset1]));
+            }
+            else {
+                p = p.add(constTimeNegate(cond2, precomputes[offset2]));
+            }
+        }
+        return ExtendedPoint.normalizeZ([p, f])[0];
+    }
+    multiply(scalar, affinePoint) {
+        return this.wNAF(normalizeScalar(scalar, CURVE$1.l), affinePoint);
+    }
+    multiplyUnsafe(scalar) {
+        let n = normalizeScalar(scalar, CURVE$1.l, false);
+        const G = ExtendedPoint.BASE;
+        const P0 = ExtendedPoint.ZERO;
+        if (n === _0n$8)
+            return P0;
+        if (this.equals(P0) || n === _1n$a)
+            return this;
+        if (this.equals(G))
+            return this.wNAF(n);
+        let p = P0;
+        let d = this;
+        while (n > _0n$8) {
+            if (n & _1n$a)
+                p = p.add(d);
+            d = d.double();
+            n >>= _1n$a;
+        }
+        return p;
+    }
+    isSmallOrder() {
+        return this.multiplyUnsafe(CURVE$1.h).equals(ExtendedPoint.ZERO);
+    }
+    isTorsionFree() {
+        let p = this.multiplyUnsafe(CURVE$1.l / _2n$6).double();
+        if (CURVE$1.l % _2n$6)
+            p = p.add(this);
+        return p.equals(ExtendedPoint.ZERO);
+    }
+    toAffine(invZ) {
+        const { x, y, z } = this;
+        const is0 = this.equals(ExtendedPoint.ZERO);
+        if (invZ == null)
+            invZ = is0 ? _8n$2 : invert$1(z);
+        const ax = mod$2(x * invZ);
+        const ay = mod$2(y * invZ);
+        const zz = mod$2(z * invZ);
+        if (is0)
+            return Point.ZERO;
+        if (zz !== _1n$a)
+            throw new Error('invZ was invalid');
+        return new Point(ax, ay);
+    }
+    fromRistrettoBytes() {
+        legacyRist();
+    }
+    toRistrettoBytes() {
+        legacyRist();
+    }
+    fromRistrettoHash() {
+        legacyRist();
+    }
+}
+ExtendedPoint.BASE = new ExtendedPoint(CURVE$1.Gx, CURVE$1.Gy, _1n$a, mod$2(CURVE$1.Gx * CURVE$1.Gy));
+ExtendedPoint.ZERO = new ExtendedPoint(_0n$8, _1n$a, _1n$a, _0n$8);
+function constTimeNegate(condition, item) {
+    const neg = item.negate();
+    return condition ? neg : item;
+}
+function assertExtPoint(other) {
+    if (!(other instanceof ExtendedPoint))
+        throw new TypeError('ExtendedPoint expected');
+}
+function assertRstPoint(other) {
+    if (!(other instanceof RistrettoPoint))
+        throw new TypeError('RistrettoPoint expected');
+}
+function legacyRist() {
+    throw new Error('Legacy method: switch to RistrettoPoint');
+}
+class RistrettoPoint {
+    constructor(ep) {
+        this.ep = ep;
+    }
+    static calcElligatorRistrettoMap(r0) {
+        const { d } = CURVE$1;
+        const r = mod$2(SQRT_M1 * r0 * r0);
+        const Ns = mod$2((r + _1n$a) * ONE_MINUS_D_SQ);
+        let c = BigInt(-1);
+        const D = mod$2((c - d * r) * mod$2(r + d));
+        let { isValid: Ns_D_is_sq, value: s } = uvRatio$1(Ns, D);
+        let s_ = mod$2(s * r0);
+        if (!edIsNegative(s_))
+            s_ = mod$2(-s_);
+        if (!Ns_D_is_sq)
+            s = s_;
+        if (!Ns_D_is_sq)
+            c = r;
+        const Nt = mod$2(c * (r - _1n$a) * D_MINUS_ONE_SQ - D);
+        const s2 = s * s;
+        const W0 = mod$2((s + s) * D);
+        const W1 = mod$2(Nt * SQRT_AD_MINUS_ONE);
+        const W2 = mod$2(_1n$a - s2);
+        const W3 = mod$2(_1n$a + s2);
+        return new ExtendedPoint(mod$2(W0 * W3), mod$2(W2 * W1), mod$2(W1 * W3), mod$2(W0 * W2));
+    }
+    static hashToCurve(hex) {
+        hex = ensureBytes$1(hex, 64);
+        const r1 = bytes255ToNumberLE(hex.slice(0, 32));
+        const R1 = this.calcElligatorRistrettoMap(r1);
+        const r2 = bytes255ToNumberLE(hex.slice(32, 64));
+        const R2 = this.calcElligatorRistrettoMap(r2);
+        return new RistrettoPoint(R1.add(R2));
+    }
+    static fromHex(hex) {
+        hex = ensureBytes$1(hex, 32);
+        const { a, d } = CURVE$1;
+        const emsg = 'RistrettoPoint.fromHex: the hex is not valid encoding of RistrettoPoint';
+        const s = bytes255ToNumberLE(hex);
+        if (!equalBytes$1(numberTo32BytesLE(s), hex) || edIsNegative(s))
+            throw new Error(emsg);
+        const s2 = mod$2(s * s);
+        const u1 = mod$2(_1n$a + a * s2);
+        const u2 = mod$2(_1n$a - a * s2);
+        const u1_2 = mod$2(u1 * u1);
+        const u2_2 = mod$2(u2 * u2);
+        const v = mod$2(a * d * u1_2 - u2_2);
+        const { isValid, value: I } = invertSqrt(mod$2(v * u2_2));
+        const Dx = mod$2(I * u2);
+        const Dy = mod$2(I * Dx * v);
+        let x = mod$2((s + s) * Dx);
+        if (edIsNegative(x))
+            x = mod$2(-x);
+        const y = mod$2(u1 * Dy);
+        const t = mod$2(x * y);
+        if (!isValid || edIsNegative(t) || y === _0n$8)
+            throw new Error(emsg);
+        return new RistrettoPoint(new ExtendedPoint(x, y, _1n$a, t));
+    }
+    toRawBytes() {
+        let { x, y, z, t } = this.ep;
+        const u1 = mod$2(mod$2(z + y) * mod$2(z - y));
+        const u2 = mod$2(x * y);
+        const u2sq = mod$2(u2 * u2);
+        const { value: invsqrt } = invertSqrt(mod$2(u1 * u2sq));
+        const D1 = mod$2(invsqrt * u1);
+        const D2 = mod$2(invsqrt * u2);
+        const zInv = mod$2(D1 * D2 * t);
+        let D;
+        if (edIsNegative(t * zInv)) {
+            let _x = mod$2(y * SQRT_M1);
+            let _y = mod$2(x * SQRT_M1);
+            x = _x;
+            y = _y;
+            D = mod$2(D1 * INVSQRT_A_MINUS_D);
+        }
+        else {
+            D = D2;
+        }
+        if (edIsNegative(x * zInv))
+            y = mod$2(-y);
+        let s = mod$2((z - y) * D);
+        if (edIsNegative(s))
+            s = mod$2(-s);
+        return numberTo32BytesLE(s);
+    }
+    toHex() {
+        return bytesToHex$1(this.toRawBytes());
+    }
+    toString() {
+        return this.toHex();
+    }
+    equals(other) {
+        assertRstPoint(other);
+        const a = this.ep;
+        const b = other.ep;
+        const one = mod$2(a.x * b.y) === mod$2(a.y * b.x);
+        const two = mod$2(a.y * b.y) === mod$2(a.x * b.x);
+        return one || two;
+    }
+    add(other) {
+        assertRstPoint(other);
+        return new RistrettoPoint(this.ep.add(other.ep));
+    }
+    subtract(other) {
+        assertRstPoint(other);
+        return new RistrettoPoint(this.ep.subtract(other.ep));
+    }
+    multiply(scalar) {
+        return new RistrettoPoint(this.ep.multiply(scalar));
+    }
+    multiplyUnsafe(scalar) {
+        return new RistrettoPoint(this.ep.multiplyUnsafe(scalar));
+    }
+}
+RistrettoPoint.BASE = new RistrettoPoint(ExtendedPoint.BASE);
+RistrettoPoint.ZERO = new RistrettoPoint(ExtendedPoint.ZERO);
+const pointPrecomputes = new WeakMap();
+class Point {
+    constructor(x, y) {
+        this.x = x;
+        this.y = y;
+    }
+    _setWindowSize(windowSize) {
+        this._WINDOW_SIZE = windowSize;
+        pointPrecomputes.delete(this);
+    }
+    static fromHex(hex, strict = true) {
+        const { d, P } = CURVE$1;
+        hex = ensureBytes$1(hex, 32);
+        const normed = hex.slice();
+        normed[31] = hex[31] & ~0x80;
+        const y = bytesToNumberLE$1(normed);
+        if (strict && y >= P)
+            throw new Error('Expected 0 < hex < P');
+        if (!strict && y >= POW_2_256)
+            throw new Error('Expected 0 < hex < 2**256');
+        const y2 = mod$2(y * y);
+        const u = mod$2(y2 - _1n$a);
+        const v = mod$2(d * y2 + _1n$a);
+        let { isValid, value: x } = uvRatio$1(u, v);
+        if (!isValid)
+            throw new Error('Point.fromHex: invalid y coordinate');
+        const isXOdd = (x & _1n$a) === _1n$a;
+        const isLastByteOdd = (hex[31] & 0x80) !== 0;
+        if (isLastByteOdd !== isXOdd) {
+            x = mod$2(-x);
+        }
+        return new Point(x, y);
+    }
+    static async fromPrivateKey(privateKey) {
+        return (await getExtendedPublicKey(privateKey)).point;
+    }
+    toRawBytes() {
+        const bytes = numberTo32BytesLE(this.y);
+        bytes[31] |= this.x & _1n$a ? 0x80 : 0;
+        return bytes;
+    }
+    toHex() {
+        return bytesToHex$1(this.toRawBytes());
+    }
+    toX25519() {
+        const { y } = this;
+        const u = mod$2((_1n$a + y) * invert$1(_1n$a - y));
+        return numberTo32BytesLE(u);
+    }
+    isTorsionFree() {
+        return ExtendedPoint.fromAffine(this).isTorsionFree();
+    }
+    equals(other) {
+        return this.x === other.x && this.y === other.y;
+    }
+    negate() {
+        return new Point(mod$2(-this.x), this.y);
+    }
+    add(other) {
+        return ExtendedPoint.fromAffine(this).add(ExtendedPoint.fromAffine(other)).toAffine();
+    }
+    subtract(other) {
+        return this.add(other.negate());
+    }
+    multiply(scalar) {
+        return ExtendedPoint.fromAffine(this).multiply(scalar, this).toAffine();
+    }
+}
+Point.BASE = new Point(CURVE$1.Gx, CURVE$1.Gy);
+Point.ZERO = new Point(_0n$8, _1n$a);
+let Signature$1 = class Signature {
+    constructor(r, s) {
+        this.r = r;
+        this.s = s;
+        this.assertValidity();
+    }
+    static fromHex(hex) {
+        const bytes = ensureBytes$1(hex, 64);
+        const r = Point.fromHex(bytes.slice(0, 32), false);
+        const s = bytesToNumberLE$1(bytes.slice(32, 64));
+        return new Signature(r, s);
+    }
+    assertValidity() {
+        const { r, s } = this;
+        if (!(r instanceof Point))
+            throw new Error('Expected Point instance');
+        normalizeScalar(s, CURVE$1.l, false);
+        return this;
+    }
+    toRawBytes() {
+        const u8 = new Uint8Array(64);
+        u8.set(this.r.toRawBytes());
+        u8.set(numberTo32BytesLE(this.s), 32);
+        return u8;
+    }
+    toHex() {
+        return bytesToHex$1(this.toRawBytes());
+    }
+};
+function concatBytes$2(...arrays) {
+    if (!arrays.every((a) => a instanceof Uint8Array))
+        throw new Error('Expected Uint8Array list');
+    if (arrays.length === 1)
+        return arrays[0];
+    const length = arrays.reduce((a, arr) => a + arr.length, 0);
+    const result = new Uint8Array(length);
+    for (let i = 0, pad = 0; i < arrays.length; i++) {
+        const arr = arrays[i];
+        result.set(arr, pad);
+        pad += arr.length;
+    }
+    return result;
+}
+const hexes$1 = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, '0'));
+function bytesToHex$1(uint8a) {
+    if (!(uint8a instanceof Uint8Array))
+        throw new Error('Uint8Array expected');
+    let hex = '';
+    for (let i = 0; i < uint8a.length; i++) {
+        hex += hexes$1[uint8a[i]];
+    }
+    return hex;
+}
+function hexToBytes$1(hex) {
+    if (typeof hex !== 'string') {
+        throw new TypeError('hexToBytes: expected string, got ' + typeof hex);
+    }
+    if (hex.length % 2)
+        throw new Error('hexToBytes: received invalid unpadded hex');
+    const array = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < array.length; i++) {
+        const j = i * 2;
+        const hexByte = hex.slice(j, j + 2);
+        const byte = Number.parseInt(hexByte, 16);
+        if (Number.isNaN(byte) || byte < 0)
+            throw new Error('Invalid byte sequence');
+        array[i] = byte;
+    }
+    return array;
+}
+function numberTo32BytesBE(num) {
+    const length = 32;
+    const hex = num.toString(16).padStart(length * 2, '0');
+    return hexToBytes$1(hex);
+}
+function numberTo32BytesLE(num) {
+    return numberTo32BytesBE(num).reverse();
+}
+function edIsNegative(num) {
+    return (mod$2(num) & _1n$a) === _1n$a;
+}
+function bytesToNumberLE$1(uint8a) {
+    if (!(uint8a instanceof Uint8Array))
+        throw new Error('Expected Uint8Array');
+    return BigInt('0x' + bytesToHex$1(Uint8Array.from(uint8a).reverse()));
+}
+const MAX_255B = BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
+function bytes255ToNumberLE(bytes) {
+    return mod$2(bytesToNumberLE$1(bytes) & MAX_255B);
+}
+function mod$2(a, b = CURVE$1.P) {
+    const res = a % b;
+    return res >= _0n$8 ? res : b + res;
+}
+function invert$1(number, modulo = CURVE$1.P) {
+    if (number === _0n$8 || modulo <= _0n$8) {
+        throw new Error(`invert: expected positive integers, got n=${number} mod=${modulo}`);
+    }
+    let a = mod$2(number, modulo);
+    let b = modulo;
+    let x = _0n$8, u = _1n$a;
+    while (a !== _0n$8) {
+        const q = b / a;
+        const r = b % a;
+        const m = x - u * q;
+        b = a, a = r, x = u, u = m;
+    }
+    const gcd = b;
+    if (gcd !== _1n$a)
+        throw new Error('invert: does not exist');
+    return mod$2(x, modulo);
+}
+function invertBatch(nums, p = CURVE$1.P) {
+    const tmp = new Array(nums.length);
+    const lastMultiplied = nums.reduce((acc, num, i) => {
+        if (num === _0n$8)
+            return acc;
+        tmp[i] = acc;
+        return mod$2(acc * num, p);
+    }, _1n$a);
+    const inverted = invert$1(lastMultiplied, p);
+    nums.reduceRight((acc, num, i) => {
+        if (num === _0n$8)
+            return acc;
+        tmp[i] = mod$2(acc * tmp[i], p);
+        return mod$2(acc * num, p);
+    }, inverted);
+    return tmp;
+}
+function pow2$1(x, power) {
+    const { P } = CURVE$1;
+    let res = x;
+    while (power-- > _0n$8) {
+        res *= res;
+        res %= P;
+    }
+    return res;
+}
+function pow_2_252_3(x) {
+    const { P } = CURVE$1;
+    const _5n = BigInt(5);
+    const _10n = BigInt(10);
+    const _20n = BigInt(20);
+    const _40n = BigInt(40);
+    const _80n = BigInt(80);
+    const x2 = (x * x) % P;
+    const b2 = (x2 * x) % P;
+    const b4 = (pow2$1(b2, _2n$6) * b2) % P;
+    const b5 = (pow2$1(b4, _1n$a) * x) % P;
+    const b10 = (pow2$1(b5, _5n) * b5) % P;
+    const b20 = (pow2$1(b10, _10n) * b10) % P;
+    const b40 = (pow2$1(b20, _20n) * b20) % P;
+    const b80 = (pow2$1(b40, _40n) * b40) % P;
+    const b160 = (pow2$1(b80, _80n) * b80) % P;
+    const b240 = (pow2$1(b160, _80n) * b80) % P;
+    const b250 = (pow2$1(b240, _10n) * b10) % P;
+    const pow_p_5_8 = (pow2$1(b250, _2n$6) * x) % P;
+    return { pow_p_5_8, b2 };
+}
+function uvRatio$1(u, v) {
+    const v3 = mod$2(v * v * v);
+    const v7 = mod$2(v3 * v3 * v);
+    const pow = pow_2_252_3(u * v7).pow_p_5_8;
+    let x = mod$2(u * v3 * pow);
+    const vx2 = mod$2(v * x * x);
+    const root1 = x;
+    const root2 = mod$2(x * SQRT_M1);
+    const useRoot1 = vx2 === u;
+    const useRoot2 = vx2 === mod$2(-u);
+    const noRoot = vx2 === mod$2(-u * SQRT_M1);
+    if (useRoot1)
+        x = root1;
+    if (useRoot2 || noRoot)
+        x = root2;
+    if (edIsNegative(x))
+        x = mod$2(-x);
+    return { isValid: useRoot1 || useRoot2, value: x };
+}
+function invertSqrt(number) {
+    return uvRatio$1(_1n$a, number);
+}
+function modlLE(hash) {
+    return mod$2(bytesToNumberLE$1(hash), CURVE$1.l);
+}
+function equalBytes$1(b1, b2) {
+    if (b1.length !== b2.length) {
+        return false;
+    }
+    for (let i = 0; i < b1.length; i++) {
+        if (b1[i] !== b2[i]) {
+            return false;
+        }
+    }
+    return true;
+}
+function ensureBytes$1(hex, expectedLength) {
+    const bytes = hex instanceof Uint8Array ? Uint8Array.from(hex) : hexToBytes$1(hex);
+    if (typeof expectedLength === 'number' && bytes.length !== expectedLength)
+        throw new Error(`Expected ${expectedLength} bytes`);
+    return bytes;
+}
+function normalizeScalar(num, max, strict = true) {
+    if (!max)
+        throw new TypeError('Specify max value');
+    if (typeof num === 'number' && Number.isSafeInteger(num))
+        num = BigInt(num);
+    if (typeof num === 'bigint' && num < max) {
+        if (strict) {
+            if (_0n$8 < num)
+                return num;
+        }
+        else {
+            if (_0n$8 <= num)
+                return num;
+        }
+    }
+    throw new TypeError('Expected valid scalar: 0 < scalar < max');
+}
+function adjustBytes25519(bytes) {
+    bytes[0] &= 248;
+    bytes[31] &= 127;
+    bytes[31] |= 64;
+    return bytes;
+}
+function checkPrivateKey(key) {
+    key =
+        typeof key === 'bigint' || typeof key === 'number'
+            ? numberTo32BytesBE(normalizeScalar(key, POW_2_256))
+            : ensureBytes$1(key);
+    if (key.length !== 32)
+        throw new Error(`Expected 32 bytes`);
+    return key;
+}
+function getKeyFromHash(hashed) {
+    const head = adjustBytes25519(hashed.slice(0, 32));
+    const prefix = hashed.slice(32, 64);
+    const scalar = modlLE(head);
+    const point = Point.BASE.multiply(scalar);
+    const pointBytes = point.toRawBytes();
+    return { head, prefix, scalar, point, pointBytes };
+}
+let _sha512Sync;
+async function getExtendedPublicKey(key) {
+    return getKeyFromHash(await utils.sha512(checkPrivateKey(key)));
+}
+function prepareVerification(sig, message, publicKey) {
+    message = ensureBytes$1(message);
+    if (!(publicKey instanceof Point))
+        publicKey = Point.fromHex(publicKey, false);
+    const { r, s } = sig instanceof Signature$1 ? sig.assertValidity() : Signature$1.fromHex(sig);
+    const SB = ExtendedPoint.BASE.multiplyUnsafe(s);
+    return { r, s, SB, pub: publicKey, msg: message };
+}
+function finishVerification(publicKey, r, SB, hashed) {
+    const k = modlLE(hashed);
+    const kA = ExtendedPoint.fromAffine(publicKey).multiplyUnsafe(k);
+    const RkA = ExtendedPoint.fromAffine(r).add(kA);
+    return RkA.subtract(SB).multiplyUnsafe(CURVE$1.h).equals(ExtendedPoint.ZERO);
+}
+async function verify$6(sig, message, publicKey) {
+    const { r, SB, msg, pub } = prepareVerification(sig, message, publicKey);
+    const hashed = await utils.sha512(r.toRawBytes(), pub.toRawBytes(), msg);
+    return finishVerification(pub, r, SB, hashed);
+}
+Point.BASE._setWindowSize(8);
+const crypto$3 = {
+    node: nodeCrypto$2,
+    web: typeof self === 'object' && 'crypto' in self ? self.crypto : undefined,
+};
+const utils = {
+    bytesToHex: bytesToHex$1,
+    hexToBytes: hexToBytes$1,
+    concatBytes: concatBytes$2,
+    getExtendedPublicKey,
+    mod: mod$2,
+    invert: invert$1,
+    TORSION_SUBGROUP: [
+        '0100000000000000000000000000000000000000000000000000000000000000',
+        'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a',
+        '0000000000000000000000000000000000000000000000000000000000000080',
+        '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05',
+        'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
+        '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85',
+        '0000000000000000000000000000000000000000000000000000000000000000',
+        'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
+    ],
+    hashToPrivateScalar: (hash) => {
+        hash = ensureBytes$1(hash);
+        if (hash.length < 40 || hash.length > 1024)
+            throw new Error('Expected 40-1024 bytes of private key as per FIPS 186');
+        return mod$2(bytesToNumberLE$1(hash), CURVE$1.l - _1n$a) + _1n$a;
+    },
+    randomBytes: (bytesLength = 32) => {
+        if (crypto$3.web) {
+            return crypto$3.web.getRandomValues(new Uint8Array(bytesLength));
+        }
+        else {
+            throw new Error("The environment doesn't have randomBytes function");
+        }
+    },
+    randomPrivateKey: () => {
+        return utils.randomBytes(32);
+    },
+    sha512: async (...messages) => {
+        const message = concatBytes$2(...messages);
+        if (crypto$3.web) {
+            const buffer = await crypto$3.web.subtle.digest('SHA-512', message.buffer);
+            return new Uint8Array(buffer);
+        }
+        else {
+            throw new Error("The environment doesn't have sha512 function");
+        }
+    },
+    precompute(windowSize = 8, point = Point.BASE) {
+        const cached = point.equals(Point.BASE) ? point : new Point(point.x, point.y);
+        cached._setWindowSize(windowSize);
+        cached.multiply(_2n$6);
+        return cached;
+    },
+    sha512Sync: undefined,
+};
+Object.defineProperties(utils, {
+    sha512Sync: {
+        configurable: false,
+        get() {
+            return _sha512Sync;
+        },
+        set(val) {
+            if (!_sha512Sync)
+                _sha512Sync = val;
+        },
+    },
 });
 
 // OpenPGP.js - An OpenPGP implementation in javascript
@@ -9561,6 +10362,8 @@ var ecdsa = /*#__PURE__*/Object.freeze({
  * @async
  */
 async function sign$5(oid, hashAlgo, message, publicKey, privateKey, hashed) {
+  const curve = new CurveWithOID(oid);
+  checkPublicPointEnconding(curve, publicKey);
   if (hash$1.getHashByteLength(hashAlgo) < hash$1.getHashByteLength(enums.hash.sha256)) {
     // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
     throw new Error('Hash algorithm too weak for EdDSA.');
@@ -9587,11 +10390,13 @@ async function sign$5(oid, hashAlgo, message, publicKey, privateKey, hashed) {
  * @async
  */
 async function verify$5(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
+  const curve = new CurveWithOID(oid);
+  checkPublicPointEnconding(curve, publicKey);
   if (hash$1.getHashByteLength(hashAlgo) < hash$1.getHashByteLength(enums.hash.sha256)) {
     throw new Error('Hash algorithm too weak for EdDSA.');
   }
   const signature = util.concatUint8Array([r, s]);
-  return nacl.sign.detached.verify(hashed, signature, publicKey.subarray(1));
+  return verify$6(signature, hashed, publicKey.subarray(1));
 }
 /**
  * Validate legacy EdDSA parameters
@@ -9717,7 +10522,7 @@ async function verify$4(algo, hashAlgo, { RS }, m, publicKey, hashed) {
   }
   switch (algo) {
     case enums.publicKey.ed25519:
-      return nacl.sign.detached.verify(hashed, RS, publicKey);
+      return verify$6(RS, hashed, publicKey);
     case enums.publicKey.ed448: {
       const ed448 = await util.getNobleCurve(enums.publicKey.ed448);
       return ed448.verify(RS, hashed, publicKey);
@@ -10081,7 +10886,7 @@ function buildEcdhParam(public_algo, oid, kdfParams, fingerprint) {
     new Uint8Array([public_algo]),
     kdfParams.write(true),
     util.stringToUint8Array('Anonymous Sender    '),
-    kdfParams.replacementFingerprint || fingerprint.subarray(0, 20)
+    kdfParams.replacementFingerprint || fingerprint
   ]);
 }
 
@@ -10123,7 +10928,7 @@ async function genPublicEphemeralKey(curve, Q) {
       const d = getRandomBytes(32);
       const { secretKey, sharedKey } = await genPrivateEphemeralKey(curve, Q, null, d);
       let { publicKey } = nacl.box.keyPair.fromSecretKey(secretKey);
-      publicKey = util.concatUint8Array([new Uint8Array([0x40]), publicKey]);
+      publicKey = util.concatUint8Array([new Uint8Array([curve.wireFormatLeadingByte]), publicKey]);
       return { publicKey, sharedKey }; // Note: sharedKey is little-endian here, unlike below
     }
     case 'web':
@@ -10151,7 +10956,7 @@ async function genPublicEphemeralKey(curve, Q) {
  * @param {module:type/kdf_params} kdfParams - KDF params including cipher and algorithm to use
  * @param {Uint8Array} data - Unpadded session key data
  * @param {Uint8Array} Q - Recipient public key
- * @param {Uint8Array} fingerprint - Recipient fingerprint
+ * @param {Uint8Array} fingerprint - Recipient fingerprint, already truncated depending on the key version
  * @returns {Promise<{publicKey: Uint8Array, wrappedKey: Uint8Array}>}
  * @async
  */
@@ -10159,6 +10964,7 @@ async function encrypt$2(oid, kdfParams, data, Q, fingerprint) {
   const m = encode(data);
 
   const curve = new CurveWithOID(oid);
+  checkPublicPointEnconding(curve, Q);
   const { publicKey, sharedKey } = await genPublicEphemeralKey(curve, Q);
   const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
   const { keySize } = getCipherParams(kdfParams.cipher);
@@ -10215,12 +11021,14 @@ async function genPrivateEphemeralKey(curve, V, Q, d) {
  * @param {Uint8Array} C - Encrypted and wrapped value derived from session key
  * @param {Uint8Array} Q - Recipient public key
  * @param {Uint8Array} d - Recipient private key
- * @param {Uint8Array} fingerprint - Recipient fingerprint
+ * @param {Uint8Array} fingerprint - Recipient fingerprint, already truncated depending on the key version
  * @returns {Promise<Uint8Array>} Value derived from session key.
  * @async
  */
 async function decrypt$2(oid, kdfParams, V, C, Q, d, fingerprint) {
   const curve = new CurveWithOID(oid);
+  checkPublicPointEnconding(curve, Q);
+  checkPublicPointEnconding(curve, V);
   const { sharedKey } = await genPrivateEphemeralKey(curve, V, Q, d);
   const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);
   const { keySize } = getCipherParams(kdfParams.cipher);
@@ -10352,7 +11160,7 @@ async function webPublicEphemeralKey(curve, Q) {
   );
   [s, p] = await Promise.all([s, p]);
   const sharedKey = new Uint8Array(s);
-  const publicKey = new Uint8Array(jwkToRawPublic(p));
+  const publicKey = new Uint8Array(jwkToRawPublic(p, curve.wireFormatLeadingByte));
   return { publicKey, sharedKey };
 }
 
@@ -10675,14 +11483,14 @@ async function sign$3(hashAlgo, hashed, g, p, q, x) {
   let r;
   let s;
   let t;
-  g = mod$2(g, p);
-  x = mod$2(x, q);
+  g = mod$3(g, p);
+  x = mod$3(x, q);
   // If the output size of the chosen hash is larger than the number of
   // bits of q, the hash result is truncated to fit by taking the number
   // of leftmost bits equal to the number of bits of q.  This (possibly
   // truncated) hash function result is treated as a number and used
   // directly in the DSA signature algorithm.
-  const h = mod$2(uint8ArrayToBigInt(hashed.subarray(0, byteLength(q))), q);
+  const h = mod$3(uint8ArrayToBigInt(hashed.subarray(0, byteLength(q))), q);
   // FIPS-186-4, section 4.6:
   // The values of r and s shall be checked to determine if r = 0 or s = 0.
   // If either r = 0 or s = 0, a new value of k shall be generated, and the
@@ -10691,13 +11499,13 @@ async function sign$3(hashAlgo, hashed, g, p, q, x) {
   while (true) {
     // See Appendix B here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
     k = getRandomBigInteger(_1n$9, q); // returns in [1, q-1]
-    r = mod$2(modExp(g, k, p), q); // (g**k mod p) mod q
+    r = mod$3(modExp(g, k, p), q); // (g**k mod p) mod q
     if (r === _0n) {
       continue;
     }
-    const xr = mod$2(x * r, q);
-    t = mod$2(h + xr, q); // H(m) + x*r mod q
-    s = mod$2(modInv(k, q) * t, q); // k**-1 * (H(m) + x*r) mod q
+    const xr = mod$3(x * r, q);
+    t = mod$3(h + xr, q); // H(m) + x*r mod q
+    s = mod$3(modInv(k, q) * t, q); // k**-1 * (H(m) + x*r) mod q
     if (s === _0n) {
       continue;
     }
@@ -10736,20 +11544,20 @@ async function verify$3(hashAlgo, r, s, hashed, g, p, q, y) {
     util.printDebug('invalid DSA Signature');
     return false;
   }
-  const h = mod$2(uint8ArrayToBigInt(hashed.subarray(0, byteLength(q))), q);
+  const h = mod$3(uint8ArrayToBigInt(hashed.subarray(0, byteLength(q))), q);
   const w = modInv(s, q); // s**-1 mod q
   if (w === _0n$7) {
     util.printDebug('invalid DSA Signature');
     return false;
   }
 
-  g = mod$2(g, p);
-  y = mod$2(y, p);
-  const u1 = mod$2(h * w, q); // H(m) * w mod q
-  const u2 = mod$2(r * w, q); // r * w mod q
+  g = mod$3(g, p);
+  y = mod$3(y, p);
+  const u1 = mod$3(h * w, q); // H(m) * w mod q
+  const u2 = mod$3(r * w, q); // r * w mod q
   const t1 = modExp(g, u1, p); // g**u1 mod p
   const t2 = modExp(y, u2, p); // y**u2 mod p
-  const v = mod$2(mod$2(t1 * t2, p), q); // (g**u1 * y**u2 mod p) mod q
+  const v = mod$3(mod$3(t1 * t2, p), q); // (g**u1 * y**u2 mod p) mod q
   return v === r;
 }
 
@@ -10776,7 +11584,7 @@ async function validateParams$2(p, q, g, y, x) {
   /**
    * Check that subgroup order q divides p-1
    */
-  if (mod$2(p - _1n$9, q) !== _0n$7) {
+  if (mod$3(p - _1n$9, q) !== _0n$7) {
     return false;
   }
 
@@ -11573,6 +12381,9 @@ function parsePublicKeyParams(algo, bytes) {
     case enums.publicKey.eddsaLegacy: {
       const oid = new OID(); read += oid.read(bytes);
       checkSupportedCurve(oid);
+      if (oid.getName() !== enums.curve.ed25519Legacy) {
+        throw new Error('Unexpected OID for eddsaLegacy');
+      }
       let Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
       Q = util.leftPad(Q, 33);
       return { read: read, publicParams: { oid, Q } };
@@ -11636,6 +12447,9 @@ function parsePrivateKeyParams(algo, bytes, publicParams) {
     }
     case enums.publicKey.eddsaLegacy: {
       const payloadSize = getCurvePayloadSize(algo, publicParams.oid);
+      if (publicParams.oid.getName() !== enums.curve.ed25519Legacy) {
+        throw new Error('Unexpected OID for eddsaLegacy');
+      }
       let seed = util.readMPI(bytes.subarray(read)); read += seed.length + 2;
       seed = util.leftPad(seed, payloadSize);
       return { read, privateParams: { seed } };
@@ -14466,6 +15280,7 @@ class SignaturePacket {
 
     this.signatureData = null;
     this.unhashedSubpackets = [];
+    this.unknownSubpackets = [];
     this.signedHashValue = null;
     this.salt = null;
 
@@ -14515,9 +15330,12 @@ class SignaturePacket {
    * @param {String} bytes - Payload of a tag 2 packet
    * @returns {SignaturePacket} Object representation.
    */
-  read(bytes) {
+  read(bytes, config$1 = config) {
     let i = 0;
     this.version = bytes[i++];
+    if (this.version === 5 && !config$1.enableParsingV5Entities) {
+      throw new UnsupportedError('Support for v5 entities is disabled; turn on `config.enableParsingV5Entities` if needed');
+    }
 
     if (this.version !== 4 && this.version !== 5 && this.version !== 6) {
       throw new UnsupportedError(`Version ${this.version} of the signature packet is unsupported.`);
@@ -14794,10 +15612,8 @@ class SignaturePacket {
    * @returns {Uint8Array} Subpacket data.
    */
   writeUnhashedSubPackets() {
-    const arr = [];
-    this.unhashedSubpackets.forEach(data => {
-      arr.push(writeSimpleLength(data.length));
-      arr.push(data);
+    const arr = this.unhashedSubpackets.map(({ type, critical, body }) => {
+      return writeSubPacket(type, critical, body);
     });
 
     const result = util.concat(arr);
@@ -14806,7 +15622,7 @@ class SignaturePacket {
     return util.concat([length, result]);
   }
 
-  // V4 signature sub packets
+  // Signature subpackets
   readSubPacket(bytes, hashed = true) {
     let mypos = 0;
 
@@ -14814,15 +15630,19 @@ class SignaturePacket {
     const critical = !!(bytes[mypos] & 0x80);
     const type = bytes[mypos] & 0x7F;
 
+    mypos++;
+
     if (!hashed) {
-      this.unhashedSubpackets.push(bytes.subarray(mypos, bytes.length));
+      this.unhashedSubpackets.push({
+        type,
+        critical,
+        body: bytes.subarray(mypos, bytes.length)
+      });
       if (!allowedUnhashedSubpackets.has(type)) {
         return;
       }
     }
 
-    mypos++;
-
     // subpacket type
     switch (type) {
       case enums.signatureSubpacket.signatureCreationTime:
@@ -14994,14 +15814,13 @@ class SignaturePacket {
           this.preferredCipherSuites.push([bytes[i], bytes[i + 1]]);
         }
         break;
-      default: {
-        const err = new Error(`Unknown signature subpacket type ${type}`);
-        if (critical) {
-          throw err;
-        } else {
-          util.printDebug(err);
-        }
-      }
+      default:
+        this.unknownSubpackets.push({
+          type,
+          critical,
+          body: bytes.subarray(mypos, bytes.length)
+        });
+        break;
     }
   }
 
@@ -15201,6 +16020,11 @@ class SignaturePacket {
       [enums.signature.binary, enums.signature.text].includes(this.signatureType)) {
       throw new Error('Insecure message hash algorithm: ' + enums.read(enums.hash, this.hashAlgorithm).toUpperCase());
     }
+    this.unknownSubpackets.forEach(({ type, critical }) => {
+      if (critical) {
+        throw new Error(`Unknown critical signature subpacket type ${type}`);
+      }
+    });
     this.rawNotations.forEach(({ name, critical }) => {
       if (critical && (config$1.knownNotations.indexOf(name) < 0)) {
         throw new Error(`Unknown critical notation: ${name}`);
@@ -16500,10 +17324,11 @@ class PublicKeyEncryptedSessionKeyPacket {
     // No symmetric encryption algorithm identifier is passed to the public-key algorithm for a
     // v6 PKESK packet, as it is included in the v2 SEIPD packet.
     const sessionKeyAlgorithm = this.version === 3 ? this.sessionKeyAlgorithm : null;
+    const fingerprint = key.version === 5 ? key.getFingerprintBytes().subarray(0, 20) : key.getFingerprintBytes();
     const encoded = encodeSessionKey(this.version, algo, sessionKeyAlgorithm, this.sessionKey);
     const privateParams = algo === enums.publicKey.aead ? key.privateParams : null;
     this.encrypted = await mod$1.publicKeyEncrypt(
-      algo, sessionKeyAlgorithm, key.publicParams, privateParams, encoded, key.getFingerprintBytes());
+      algo, sessionKeyAlgorithm, key.publicParams, privateParams, encoded, fingerprint);
   }
 
   /**
@@ -16523,7 +17348,8 @@ class PublicKeyEncryptedSessionKeyPacket {
     const randomPayload = randomSessionKey ?
       encodeSessionKey(this.version, this.publicKeyAlgorithm, randomSessionKey.sessionKeyAlgorithm, randomSessionKey.sessionKey) :
       null;
-    const decryptedData = await mod$1.publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, key.getFingerprintBytes(), randomPayload);
+    const fingerprint = key.version === 5 ? key.getFingerprintBytes().subarray(0, 20) : key.getFingerprintBytes();
+    const decryptedData = await mod$1.publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, fingerprint, randomPayload);
 
     const { sessionKey, sessionKeyAlgorithm } = decodeSessionKey(this.version, this.publicKeyAlgorithm, decryptedData, randomSessionKey);
 
@@ -16928,10 +17754,13 @@ class PublicKeyPacket {
    * @returns {Object} This object with attributes set by the parser
    * @async
    */
-  async read(bytes) {
+  async read(bytes, config$1 = config) {
     let pos = 0;
     // A one-octet version number (4, 5 or 6).
     this.version = bytes[pos++];
+    if (this.version === 5 && !config$1.enableParsingV5Entities) {
+      throw new UnsupportedError('Support for parsing v5 entities is disabled; turn on `config.enableParsingV5Entities` if needed');
+    }
 
     if (this.version === 4 || this.version === 5 || this.version === 6) {
       // - A four-octet number denoting the time that the key was created.
@@ -17523,7 +18352,7 @@ class SecretKeyPacket extends PublicKeyPacket {
    */
   async read(bytes, config$1 = config) {
     // - A Public-Key or Public-Subkey packet, as described above.
-    let i = await this.readPublicKey(bytes);
+    let i = await this.readPublicKey(bytes, config$1);
     const startOfSecretKeyData = i;
 
     // - One octet indicating string-to-key usage conventions.  Zero
@@ -17813,13 +18642,13 @@ class SecretKeyPacket extends PublicKeyPacket {
 
     if (config$1.aeadProtect) {
       this.s2kUsage = 253;
-      this.aead = enums.aead.eax;
+      this.aead = config$1.preferredAEADAlgorithm;
       const mode = mod$1.getAEADMode(this.aead);
       this.isLegacyAEAD = this.version === 5; // v4 is always re-encrypted with standard format instead.
       this.usedModernAEAD = !this.isLegacyAEAD; // legacy AEAD does not guarantee integrity of public key material
 
       const serializedPacketTag = writeTag(this.constructor.tag);
-      const key = await produceEncryptionKey(this.version, this.s2k, passphrase, this.symmetric, this.aead, serializedPacketTag);
+      const key = await produceEncryptionKey(this.version, this.s2k, passphrase, this.symmetric, this.aead, serializedPacketTag, this.isLegacyAEAD);
 
       const modeInstance = await mode(this.symmetric, key);
       this.iv = this.isLegacyAEAD ? mod$1.random.getRandomBytes(blockSize) : mod$1.random.getRandomBytes(mode.ivLength);
@@ -17989,6 +18818,12 @@ class SecretKeyPacket extends PublicKeyPacket {
  * @returns encryption key
  */
 async function produceEncryptionKey(keyVersion, s2k, passphrase, cipherAlgo, aeadMode, serializedPacketTag, isLegacyAEAD) {
+  if (s2k.type === 'argon2' && !aeadMode) {
+    throw new Error('Using Argon2 S2K without AEAD is not allowed');
+  }
+  if (s2k.type === 'simple' && keyVersion === 6) {
+    throw new Error('Using Simple S2K with version 6 keys is not allowed');
+  }
   const { keySize } = mod$1.getCipherParams(cipherAlgo);
   const derivedKey = await s2k.produceKey(passphrase, keySize);
   if (!aeadMode || keyVersion === 5 || isLegacyAEAD) {
@@ -18367,6 +19202,8 @@ async function generateSecretKey(options, config) {
  * Returns the valid and non-expired signature that has the latest creation date, while ignoring signatures created in the future.
  * @param {Array<SignaturePacket>} signatures - List of signatures
  * @param {PublicKeyPacket|PublicSubkeyPacket} publicKey - Public key packet to verify the signature
+ * @param {module:enums.signature} signatureType - Signature type to determine how to hash the data (NB: for userID signatures,
+ *                          `enums.signatures.certGeneric` should be given regardless of the actual trust level)
  * @param {Date} date - Use the given date instead of the current time
  * @param {Object} config - full configuration
  * @returns {Promise<SignaturePacket>} The latest valid signature.
@@ -18615,8 +19452,14 @@ async function isDataRevoked(primaryKey, signatureType, dataToVerify, revocation
         // `verifyAllCertifications`.)
         !signature || revocationSignature.issuerKeyID.equals(signature.issuerKeyID)
       ) {
+        const isHardRevocation = ![
+          enums.reasonForRevocation.keyRetired,
+          enums.reasonForRevocation.keySuperseded,
+          enums.reasonForRevocation.userIDInvalid
+        ].includes(revocationSignature.reasonForRevocationFlag);
+
         await revocationSignature.verify(
-          key, signatureType, dataToVerify, date, false, config
+          key, signatureType, dataToVerify, isHardRevocation ? null : date, false, config
         );
 
         // TODO get an identifier of the revoked object instead
@@ -20603,7 +21446,7 @@ async function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, conf
       key: secretKeyPacket
     };
     const signatureProperties = secretKeyPacket.version !== 6 ? getKeySignatureProperties() : {};
-    signatureProperties.signatureType = enums.signature.certGeneric;
+    signatureProperties.signatureType = enums.signature.certPositive;
     if (index === 0) {
       signatureProperties.isPrimaryUserID = true;
     }
@@ -22428,7 +23271,7 @@ async function verify({ message, verificationKeys, expectSigned = false, format
       result.signatures = await message.verify(verificationKeys, date, config$1);
     }
     result.data = format === 'binary' ? message.getLiteralData() : message.getText();
-    if (message.fromStream) linkStreams(result, message);
+    if (message.fromStream && !signature) linkStreams(result, message);
     if (expectSigned) {
       if (result.signatures.length === 0) {
         throw new Error('Message is not signed');