@protontech/openpgp 6.1.1-patch.2 → 6.1.1-patch.4

package/dist/node/openpgp.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v6.1.1-patch.2 - 2025-05-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.1.1-patch.4 - 2025-07-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
 import { createRequire } from 'module';
@@ -1066,11 +1066,10 @@ var enums = {
     ed25519: 27,
     /** Ed448 (Sign only) */
     ed448: 28,
-    /** Post-quantum ML-KEM-768 + X25519 (Encrypt only) */
-    pqc_mlkem_x25519: 105,
     /** Post-quantum ML-DSA-64 + Ed25519 (Sign only) */
-    pqc_mldsa_ed25519: 107,
-
+    pqc_mldsa_ed25519: 30,
+    /** Post-quantum ML-KEM-768 + X25519 (Encrypt only) */
+    pqc_mlkem_x25519: 35,
     /** Persistent symmetric keys: encryption algorithm */
     aead: 100,
     /** Persistent symmetric keys: authentication algorithm */
@@ -1721,7 +1720,7 @@ var config = {
    * @memberof module:config
    * @property {String} versionString A version string to be included in armored messages
    */
-  versionString: 'OpenPGP.js 6.1.1-patch.2',
+  versionString: 'OpenPGP.js 6.1.1-patch.4',
   /**
    * @memberof module:config
    * @property {String} commentString A comment string to be included in armored messages
@@ -6924,7 +6923,15 @@ async function generate$a(algo) {
     case enums.publicKey.ed25519:
       try {
         const webCrypto = util.getWebCrypto();
-        const webCryptoKey = await webCrypto.generateKey('Ed25519', true, ['sign', 'verify']);
+        const webCryptoKey = await webCrypto.generateKey('Ed25519', true, ['sign', 'verify'])
+          .catch(err => {
+            if (err.name === 'OperationError') { // Temporary (hopefully) fix for WebKit on Linux
+              const newErr = new Error('Unexpected key generation issue');
+              newErr.name = 'NotSupportedError';
+              throw newErr;
+            }
+            throw err;
+          });
 
         const privateKey = await webCrypto.exportKey('jwk', webCryptoKey.privateKey);
         const publicKey = await webCrypto.exportKey('jwk', webCryptoKey.publicKey);
@@ -6934,7 +6941,7 @@ async function generate$a(algo) {
           seed: b64ToUint8Array(privateKey.d, true)
         };
       } catch (err) {
-        if (err.name !== 'NotSupportedError' && err.name !== 'OperationError') { // Temporary (hopefully) fix for WebKit on Linux
+        if (err.name !== 'NotSupportedError') {
           throw err;
         }
         const seed = getRandomBytes(getPayloadSize$1(algo));
@@ -6967,17 +6974,11 @@ async function generate$a(algo) {
  * @async
  */
 async function sign$9(algo, hashAlgo, message, publicKey, privateKey, hashed) {
-  if (getHashByteLength(hashAlgo) < getHashByteLength(getPreferredHashAlgo$2(algo))) {
-    // Enforce digest sizes:
-    // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
-    // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4
-    throw new Error('Hash algorithm too weak for EdDSA.');
-  }
   switch (algo) {
     case enums.publicKey.ed25519:
       try {
         const webCrypto = util.getWebCrypto();
-        const jwk = privateKeyToJWK(algo, publicKey, privateKey);
+        const jwk = privateKeyToJWK$1(algo, publicKey, privateKey);
         const key = await webCrypto.importKey('jwk', jwk, 'Ed25519', false, ['sign']);
 
         const signature = new Uint8Array(
@@ -7017,17 +7018,11 @@ async function sign$9(algo, hashAlgo, message, publicKey, privateKey, hashed) {
  * @async
  */
 async function verify$9(algo, hashAlgo, { RS }, m, publicKey, hashed) {
-  if (getHashByteLength(hashAlgo) < getHashByteLength(getPreferredHashAlgo$2(algo))) {
-    // Enforce digest sizes:
-    // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
-    // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4
-    throw new Error('Hash algorithm too weak for EdDSA.');
-  }
   switch (algo) {
     case enums.publicKey.ed25519:
       try {
         const webCrypto = util.getWebCrypto();
-        const jwk = publicKeyToJWK(algo, publicKey);
+        const jwk = publicKeyToJWK$1(algo, publicKey);
         const key = await webCrypto.importKey('jwk', jwk, 'Ed25519', false, ['verify']);
         const verified = await webCrypto.verify('Ed25519', key, RS, hashed);
         return verified;
@@ -7102,7 +7097,7 @@ function getPreferredHashAlgo$2(algo) {
   }
 }
 
-const publicKeyToJWK = (algo, publicKey) => {
+const publicKeyToJWK$1 = (algo, publicKey) => {
   switch (algo) {
     case enums.publicKey.ed25519: {
       const jwk = {
@@ -7118,10 +7113,10 @@ const publicKeyToJWK = (algo, publicKey) => {
   }
 };
 
-const privateKeyToJWK = (algo, publicKey, privateKey) => {
+const privateKeyToJWK$1 = (algo, publicKey, privateKey) => {
   switch (algo) {
     case enums.publicKey.ed25519: {
-      const jwk = publicKeyToJWK(algo, publicKey);
+      const jwk = publicKeyToJWK$1(algo, publicKey);
       jwk.d = uint8ArrayToB64(privateKey);
       return jwk;
     }
@@ -8361,12 +8356,41 @@ const HKDF_INFO = {
  */
 async function generate$9(algo) {
   switch (algo) {
-    case enums.publicKey.x25519: {
-      // k stays in little-endian, unlike legacy ECDH over curve25519
-      const k = getRandomBytes(32);
-      const { publicKey: A } = nacl.box.keyPair.fromSecretKey(k);
-      return { A, k };
-    }
+    case enums.publicKey.x25519:
+      try {
+        const webCrypto = util.getWebCrypto();
+        const webCryptoKey = await webCrypto.generateKey('X25519', true, ['deriveKey', 'deriveBits'])
+          .catch(err => {
+            if (err.name === 'OperationError') { // Temporary (hopefully) fix for WebKit on Linux
+              const newErr = new Error('Unexpected key generation issue');
+              newErr.name = 'NotSupportedError';
+              throw newErr;
+            }
+            throw err;
+          });
+
+        const privateKey = await webCrypto.exportKey('jwk', webCryptoKey.privateKey);
+        const publicKey = await webCrypto.exportKey('jwk', webCryptoKey.publicKey);
+
+        if (privateKey.x !== publicKey.x) { // Weird issue with Webkit on Linux: https://bugs.webkit.org/show_bug.cgi?id=289693
+          const err = new Error('Unexpected mismatching public point');
+          err.name = 'NotSupportedError';
+          throw err;
+        }
+
+        return {
+          A: new Uint8Array(b64ToUint8Array(publicKey.x)),
+          k: b64ToUint8Array(privateKey.d)
+        };
+      } catch (err) {
+        if (err.name !== 'NotSupportedError') {
+          throw err;
+        }
+        // k stays in little-endian, unlike legacy ECDH over curve25519
+        const k = getRandomBytes(32);
+        const { publicKey: A } = nacl.box.keyPair.fromSecretKey(k);
+        return { A, k };
+      }
 
     case enums.publicKey.x448: {
       const x448 = await util.getNobleCurve(enums.publicKey.x448);
@@ -8508,13 +8532,46 @@ function getPayloadSize(algo) {
  */
 async function generateEphemeralEncryptionMaterial(algo, recipientA) {
   switch (algo) {
-    case enums.publicKey.x25519: {
-      const ephemeralSecretKey = getRandomBytes(getPayloadSize(algo));
-      const sharedSecret = nacl.scalarMult(ephemeralSecretKey, recipientA);
-      assertNonZeroArray(sharedSecret);
-      const { publicKey: ephemeralPublicKey } = nacl.box.keyPair.fromSecretKey(ephemeralSecretKey);
-      return { ephemeralPublicKey, sharedSecret };
-    }
+    case enums.publicKey.x25519:
+      try {
+        const webCrypto = util.getWebCrypto();
+        const ephemeralKeyPair = await webCrypto.generateKey('X25519', true, ['deriveKey', 'deriveBits'])
+          .catch(err => {
+            if (err.name === 'OperationError') { // Temporary (hopefully) fix for WebKit on Linux
+              const newErr = new Error('Unexpected key generation issue');
+              newErr.name = 'NotSupportedError';
+              throw newErr;
+            }
+            throw err;
+          });
+        const ephemeralPublicKeyJwt = await webCrypto.exportKey('jwk', ephemeralKeyPair.publicKey);
+        const ephemeralPrivateKeyJwt = await webCrypto.exportKey('jwk', ephemeralKeyPair.privateKey);
+        if (ephemeralPrivateKeyJwt.x !== ephemeralPublicKeyJwt.x) { // Weird issue with Webkit on Linux: https://bugs.webkit.org/show_bug.cgi?id=289693
+          const err = new Error('Unexpected mismatching public point');
+          err.name = 'NotSupportedError';
+          throw err;
+        }
+        const jwk = publicKeyToJWK(algo, recipientA);
+        const recipientPublicKey = await webCrypto.importKey('jwk', jwk, 'X25519', false, []);
+        const sharedSecretBuffer = await webCrypto.deriveBits(
+          { name: 'X25519', public: recipientPublicKey },
+          ephemeralKeyPair.privateKey,
+          getPayloadSize(algo) * 8 // in bits
+        );
+        return {
+          sharedSecret: new Uint8Array(sharedSecretBuffer),
+          ephemeralPublicKey: new Uint8Array(b64ToUint8Array(ephemeralPublicKeyJwt.x))
+        };
+      } catch (err) {
+        if (err.name !== 'NotSupportedError') {
+          throw err;
+        }
+        const ephemeralSecretKey = getRandomBytes(getPayloadSize(algo));
+        const sharedSecret = nacl.scalarMult(ephemeralSecretKey, recipientA);
+        assertNonZeroArray(sharedSecret);
+        const { publicKey: ephemeralPublicKey } = nacl.box.keyPair.fromSecretKey(ephemeralSecretKey);
+        return { ephemeralPublicKey, sharedSecret };
+      }
     case enums.publicKey.x448: {
       const x448 = await util.getNobleCurve(enums.publicKey.x448);
       const ephemeralSecretKey = x448.utils.randomPrivateKey();
@@ -8530,11 +8587,27 @@ async function generateEphemeralEncryptionMaterial(algo, recipientA) {
 
 async function recomputeSharedSecret(algo, ephemeralPublicKey, A, k) {
   switch (algo) {
-    case enums.publicKey.x25519: {
-      const sharedSecret = nacl.scalarMult(k, ephemeralPublicKey);
-      assertNonZeroArray(sharedSecret);
-      return sharedSecret;
-    }
+    case enums.publicKey.x25519:
+      try {
+        const webCrypto = util.getWebCrypto();
+        const privateKeyJWK = privateKeyToJWK(algo, A, k);
+        const ephemeralPublicKeyJWK = publicKeyToJWK(algo, ephemeralPublicKey);
+        const privateKey = await webCrypto.importKey('jwk', privateKeyJWK, 'X25519', false, ['deriveKey', 'deriveBits']);
+        const ephemeralPublicKeyReference = await webCrypto.importKey('jwk', ephemeralPublicKeyJWK, 'X25519', false, []);
+        const sharedSecretBuffer = await webCrypto.deriveBits(
+          { name: 'X25519', public: ephemeralPublicKeyReference },
+          privateKey,
+          getPayloadSize(algo) * 8 // in bits
+        );
+        return new Uint8Array(sharedSecretBuffer);
+      } catch (err) {
+        if (err.name !== 'NotSupportedError') {
+          throw err;
+        }
+        const sharedSecret = nacl.scalarMult(k, ephemeralPublicKey);
+        assertNonZeroArray(sharedSecret);
+        return sharedSecret;
+      }
     case enums.publicKey.x448: {
       const x448 = await util.getNobleCurve(enums.publicKey.x448);
       const sharedSecret = x448.getSharedSecret(k, ephemeralPublicKey);
@@ -8562,6 +8635,35 @@ function assertNonZeroArray(sharedSecret) {
   }
 }
 
+
+function publicKeyToJWK(algo, publicKey) {
+  switch (algo) {
+    case enums.publicKey.x25519: {
+      const jwk = {
+        kty: 'OKP',
+        crv: 'X25519',
+        x: uint8ArrayToB64(publicKey),
+        ext: true
+      };
+      return jwk;
+    }
+    default:
+      throw new Error('Unsupported ECDH algorithm');
+  }
+}
+
+function privateKeyToJWK(algo, publicKey, privateKey) {
+  switch (algo) {
+    case enums.publicKey.x25519: {
+      const jwk = publicKeyToJWK(algo, publicKey);
+      jwk.d = uint8ArrayToB64(privateKey);
+      return jwk;
+    }
+    default:
+      throw new Error('Unsupported ECDH algorithm');
+  }
+}
+
 var ecdh_x = /*#__PURE__*/Object.freeze({
   __proto__: null,
   decrypt: decrypt$4,
@@ -9269,12 +9371,6 @@ var ecdsa = /*#__PURE__*/Object.freeze({
 async function sign$7(oid, hashAlgo, message, publicKey, privateKey, hashed) {
   const curve = new CurveWithOID(oid);
   checkPublicPointEnconding(curve, publicKey);
-  if (getHashByteLength(hashAlgo) < getHashByteLength(enums.hash.sha256)) {
-    // Enforce digest sizes, since the constraint was already present in RFC4880bis:
-    // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
-    // and https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3
-    throw new Error('Hash algorithm too weak for EdDSA.');
-  }
   const { RS: signature } = await sign$9(enums.publicKey.ed25519, hashAlgo, message, publicKey.subarray(1), privateKey, hashed);
   // EdDSA signature params are returned in little-endian format
   return {
@@ -9298,12 +9394,6 @@ async function sign$7(oid, hashAlgo, message, publicKey, privateKey, hashed) {
 async function verify$7(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
   const curve = new CurveWithOID(oid);
   checkPublicPointEnconding(curve, publicKey);
-  if (getHashByteLength(hashAlgo) < getHashByteLength(enums.hash.sha256)) {
-    // Enforce digest sizes, since the constraint was already present in RFC4880bis:
-    // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
-    // and https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3
-    throw new Error('Hash algorithm too weak for EdDSA.');
-  }
   const RS = util.concatUint8Array([r, s]);
   return verify$9(enums.publicKey.ed25519, hashAlgo, { RS }, m, publicKey.subarray(1), hashed);
 }
@@ -10161,7 +10251,7 @@ async function generate$4(algo) {
 async function encrypt$2(algo, eccPublicKey, mlkemPublicKey, sessioneKeyData) {
   const { eccKeyShare, eccCipherText } = await encaps$1(algo, eccPublicKey);
   const { mlkemKeyShare, mlkemCipherText } = await encaps(algo, mlkemPublicKey);
-  const kek = await multiKeyCombine(algo, eccKeyShare, eccCipherText, eccPublicKey, mlkemKeyShare, mlkemCipherText, mlkemPublicKey);
+  const kek = await multiKeyCombine(algo, mlkemKeyShare, eccKeyShare, eccCipherText, eccPublicKey);
   const wrappedKey = await wrap(enums.symmetric.aes256, kek, sessioneKeyData); // C
   return { eccCipherText, mlkemCipherText, wrappedKey };
 }
@@ -10169,25 +10259,24 @@ async function encrypt$2(algo, eccPublicKey, mlkemPublicKey, sessioneKeyData) {
 async function decrypt$2(algo, eccCipherText, mlkemCipherText, eccSecretKey, eccPublicKey, mlkemSecretKey, mlkemPublicKey, encryptedSessionKeyData) {
   const eccKeyShare = await decaps$1(algo, eccCipherText, eccSecretKey, eccPublicKey);
   const mlkemKeyShare = await decaps(algo, mlkemCipherText, mlkemSecretKey);
-  const kek = await multiKeyCombine(algo, eccKeyShare, eccCipherText, eccPublicKey, mlkemKeyShare, mlkemCipherText, mlkemPublicKey);
+  const kek = await multiKeyCombine(algo, mlkemKeyShare, eccKeyShare, eccCipherText, eccPublicKey);
   const sessionKey = await unwrap(enums.symmetric.aes256, kek, encryptedSessionKeyData);
   return sessionKey;
 }
 
-async function multiKeyCombine(algo, ecdhKeyShare, ecdhCipherText, ecdhPublicKey, mlkemKeyShare, mlkemCipherText, mlkemPublicKey) {
-  // LAMPS-aligned and NIST compatible combiner, proposed in: https://mailarchive.ietf.org/arch/msg/openpgp/NMTCy707LICtxIhP3Xt1U5C8MF0/
-  // 2a. KDF(mlkemSS || tradSS || tradCT || tradPK || Domain)
-  //     where Domain is "Domain" for LAMPS, and "mlkemCT || mlkemPK || algId || const" for OpenPGP
+/**
+ * KEM key combiner
+ */
+async function multiKeyCombine(algo, mlkemKeyShare, ecdhKeyShare, ecdhCipherText, ecdhPublicKey) {
+  const domSep = util.encodeUTF8('OpenPGPCompositeKDFv1');
   const encData = util.concatUint8Array([
     mlkemKeyShare,
     ecdhKeyShare,
     ecdhCipherText,
     ecdhPublicKey,
-    // domSep
-    mlkemCipherText,
-    mlkemPublicKey,
     new Uint8Array([algo]),
-    util.encodeUTF8('OpenPGPCompositeKDFv1')
+    domSep,
+    new Uint8Array([domSep.length])
   ]);
 
   const kek = await computeDigest(enums.hash.sha3_256, encData);
@@ -10324,12 +10413,6 @@ async function generate$1(algo) {
 }
 
 async function sign$2(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey, mldsaSecretKey, dataDigest) {
-  if (hashAlgo !== getRequiredHashAlgo(signatureAlgo)) {
-    // The signature hash algo MUST be set to the specified algorithm, see
-    // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
-    throw new Error('Unexpected hash algorithm for PQC signature');
-  }
-
   switch (signatureAlgo) {
     case enums.publicKey.pqc_mldsa_ed25519: {
       const { eccSignature } = await sign$3(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey, dataDigest);
@@ -10343,12 +10426,6 @@ async function sign$2(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey, mldsa
 }
 
 async function verify$2(signatureAlgo, hashAlgo, eccPublicKey, mldsaPublicKey, dataDigest, { eccSignature, mldsaSignature }) {
-  if (hashAlgo !== getRequiredHashAlgo(signatureAlgo)) {
-    // The signature hash algo MUST be set to the specified algorithm, see
-    // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
-    throw new Error('Unexpected hash algorithm for PQC signature');
-  }
-
   switch (signatureAlgo) {
     case enums.publicKey.pqc_mldsa_ed25519: {
       const eccVerifiedPromise = verify$3(signatureAlgo, hashAlgo, eccPublicKey, dataDigest, eccSignature);
@@ -10361,11 +10438,12 @@ async function verify$2(signatureAlgo, hashAlgo, eccPublicKey, mldsaPublicKey, d
   }
 }
 
-function getRequiredHashAlgo(signatureAlgo) {
-  // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
+function isCompatibleHashAlgo(signatureAlgo, hashAlgo) {
+  // The signature hash algo MUST have digest larger than 256 bits
+  // https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-10.html#section-9.4
   switch (signatureAlgo) {
     case enums.publicKey.pqc_mldsa_ed25519:
-      return enums.hash.sha3_256;
+      return getHashByteLength(hashAlgo) >= 32;
     default:
       throw new Error('Unsupported signature algorithm');
   }
@@ -12488,6 +12566,12 @@ async function verify$1(algo, hashAlgo, signature, publicParams, privateParams,
       return verify$8(oid, hashAlgo, { r, s }, data, Q, hashed);
     }
     case enums.publicKey.eddsaLegacy: {
+      if (getHashByteLength(hashAlgo) < getHashByteLength(enums.hash.sha256)) {
+        // Enforce digest sizes, since the constraint was already present in RFC4880bis:
+        // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
+        // and https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3
+        throw new Error('Hash algorithm too weak for EdDSALegacy.');
+      }
       const { oid, Q } = publicParams;
       const curveSize = new CurveWithOID(oid).payloadSize;
       // When dealing little-endian MPI data, we always need to left-pad it, as done with big-endian values:
@@ -12498,6 +12582,13 @@ async function verify$1(algo, hashAlgo, signature, publicParams, privateParams,
     }
     case enums.publicKey.ed25519:
     case enums.publicKey.ed448: {
+      if (getHashByteLength(hashAlgo) < getHashByteLength(getPreferredHashAlgo$2(algo))) {
+        // Enforce digest sizes:
+        // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
+        // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4
+        throw new Error('Hash algorithm too weak for EdDSA.');
+      }
+
       const { A } = publicParams;
       return verify$9(algo, hashAlgo, signature, data, A, hashed);
     }
@@ -12510,6 +12601,11 @@ async function verify$1(algo, hashAlgo, signature, publicParams, privateParams,
       return verify$5(algo.getValue(), keyMaterial, signature.mac.data, hashed);
     }
     case enums.publicKey.pqc_mldsa_ed25519: {
+      if (!isCompatibleHashAlgo(algo, hashAlgo)) {
+        // The signature hash algo MUST have digest larger than 256 bits
+        // https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-10.html#section-9.4
+        throw new Error('Unexpected hash algorithm for PQC signature: digest size too short');
+      }
       const { eccPublicKey, mldsaPublicKey } = publicParams;
       return verify$2(algo, hashAlgo, eccPublicKey, mldsaPublicKey, hashed, signature);
     }
@@ -12558,12 +12654,24 @@ async function sign$1(algo, hashAlgo, publicKeyParams, privateKeyParams, data, h
       return sign$8(oid, hashAlgo, data, Q, d, hashed);
     }
     case enums.publicKey.eddsaLegacy: {
+      if (getHashByteLength(hashAlgo) < getHashByteLength(enums.hash.sha256)) {
+        // Enforce digest sizes, since the constraint was already present in RFC4880bis:
+        // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
+        // and https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3
+        throw new Error('Hash algorithm too weak for EdDSALegacy.');
+      }
       const { oid, Q } = publicKeyParams;
       const { seed } = privateKeyParams;
       return sign$7(oid, hashAlgo, data, Q, seed, hashed);
     }
     case enums.publicKey.ed25519:
     case enums.publicKey.ed448: {
+      if (getHashByteLength(hashAlgo) < getHashByteLength(getPreferredHashAlgo$2(algo))) {
+        // Enforce digest sizes:
+        // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
+        // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4
+        throw new Error('Hash algorithm too weak for EdDSA.');
+      }
       const { A } = publicKeyParams;
       const { seed } = privateKeyParams;
       return sign$9(algo, hashAlgo, data, A, seed, hashed);
@@ -12575,6 +12683,11 @@ async function sign$1(algo, hashAlgo, publicKeyParams, privateKeyParams, data, h
       return { mac: new ShortByteString(mac) };
     }
     case enums.publicKey.pqc_mldsa_ed25519: {
+      if (!isCompatibleHashAlgo(algo, hashAlgo)) {
+        // The signature hash algo MUST have digest larger than 256 bits
+        // https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-10.html#section-9.4
+        throw new Error('Unexpected hash algorithm for PQC signature: digest size too short');
+      }
       const { eccPublicKey } = publicKeyParams;
       const { eccSecretKey, mldsaSecretKey } = privateKeyParams;
       return sign$2(algo, hashAlgo, eccSecretKey, eccPublicKey, mldsaSecretKey, hashed);
@@ -16851,12 +16964,8 @@ class PublicKeyPacket {
         throw new Error('Legacy curve25519 cannot be used with v6 keys');
       }
       // The composite ML-DSA + EdDSA schemes MUST be used only with v6 keys.
-      // The composite ML-KEM + ECDH schemes MUST be used only with v6 keys.
-      if (this.version !== 6 && (
-        this.algorithm === enums.publicKey.pqc_mldsa_ed25519 ||
-        this.algorithm === enums.publicKey.pqc_mlkem_x25519
-      )) {
-        throw new Error('Unexpected key version: ML-DSA and ML-KEM algorithms can only be used with v6 keys');
+      if (this.version !== 6 && this.algorithm === enums.publicKey.pqc_mldsa_ed25519) {
+        throw new Error('Unexpected key version: ML-DSA algorithms can only be used with v6 keys');
       }
       this.publicParams = publicParams;
       pos += read;
@@ -17856,11 +17965,8 @@ class SecretKeyPacket extends PublicKeyPacket {
     )) {
       throw new Error(`Cannot generate v6 keys of type 'ecc' with curve ${curve}. Generate a key of type 'curve25519' instead`);
     }
-    if (this.version !== 6 && (
-      this.algorithm === enums.publicKey.pqc_mldsa_ed25519 ||
-      this.algorithm === enums.publicKey.pqc_mlkem_x25519
-    )) {
-      throw new Error(`Cannot generate v${this.version} keys of type 'pqc'. Generate a v6 key instead`);
+    if (this.version !== 6 && this.algorithm === enums.publicKey.pqc_mldsa_ed25519) {
+      throw new Error(`Cannot generate v${this.version} signing keys of type 'pqc'. Generate a v6 key instead`);
     }
     const { privateParams, publicParams } = await generateParams(this.algorithm, bits, curve, symmetric);
     this.privateParams = privateParams;
@@ -18364,12 +18470,6 @@ async function createBindingSignature(subkey, primaryKey, options, config) {
  * @async
  */
 async function getPreferredHashAlgo(targetKeys, signingKeyPacket, date = new Date(), targetUserIDs = [], config) {
-  if (signingKeyPacket.algorithm === enums.publicKey.pqc_mldsa_ed25519) {
-    // For PQC, the returned hash algo MUST be set to the specified algorithm, see
-    // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
-    return getRequiredHashAlgo(signingKeyPacket.algorithm);
-  }
-
   /**
    * If `preferredSenderAlgo` appears in the prefs of all recipients, we pick it; otherwise, we use the
    * strongest supported algo (`defaultAlgo` is always implicitly supported by all keys).
@@ -18417,6 +18517,10 @@ async function getPreferredHashAlgo(targetKeys, signingKeyPacket, date = new Dat
     enums.publicKey.ed448
   ]);
 
+  const pqcAlgos = new Set([
+    enums.publicKey.pqc_mldsa_ed25519
+  ]);
+
   if (eccAlgos.has(signingKeyPacket.algorithm)) {
     // For ECC, the returned hash algo MUST be at least as strong as `preferredCurveHashAlgo`, see:
     // - ECDSA: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.2-5
@@ -18439,6 +18543,21 @@ async function getPreferredHashAlgo(targetKeys, signingKeyPacket, date = new Dat
         strongestSupportedAlgo :
         preferredCurveAlgo;
     }
+  } else if (pqcAlgos.has(signingKeyPacket.algorithm)) {
+    // For PQC, the returned hash algo MUST be at least 256 bit long, see:
+    // https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-10.html#section-9.4 .
+    // Hence, we return the `preferredHashAlgo` as long as it's supported and long enough;
+    // Otherwise, we look at the strongest supported algo, and ultimately fallback the default algo (SHA-256).
+    const preferredSenderAlgoIsSupported = isSupportedHashAlgo(preferredSenderAlgo) && isCompatibleHashAlgo(signingKeyPacket.algorithm, preferredSenderAlgo);
+
+    if (preferredSenderAlgoIsSupported) {
+      return preferredSenderAlgo;
+    } else {
+      const strongestSupportedAlgo = getStrongestSupportedHashAlgo();
+      return isCompatibleHashAlgo(signingKeyPacket.algorithm, strongestSupportedAlgo) ?
+        strongestSupportedAlgo :
+        defaultAlgo;
+    }
   }
 
   // `preferredSenderAlgo` may be weaker than the default, but we do not guard against this,