@protontech/openpgp 6.1.1-patch.2 → 6.1.1-patch.4

package/dist/openpgp.js

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v6.1.1-patch.2 - 2025-05-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.1.1-patch.4 - 2025-07-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 var openpgp = (function (exports) {
   'use strict';
 
@@ -1065,11 +1065,10 @@ var openpgp = (function (exports) {
       ed25519: 27,
       /** Ed448 (Sign only) */
       ed448: 28,
-      /** Post-quantum ML-KEM-768 + X25519 (Encrypt only) */
-      pqc_mlkem_x25519: 105,
       /** Post-quantum ML-DSA-64 + Ed25519 (Sign only) */
-      pqc_mldsa_ed25519: 107,
-
+      pqc_mldsa_ed25519: 30,
+      /** Post-quantum ML-KEM-768 + X25519 (Encrypt only) */
+      pqc_mlkem_x25519: 35,
       /** Persistent symmetric keys: encryption algorithm */
       aead: 100,
       /** Persistent symmetric keys: authentication algorithm */
@@ -1720,7 +1719,7 @@ var openpgp = (function (exports) {
      * @memberof module:config
      * @property {String} versionString A version string to be included in armored messages
      */
-    versionString: 'OpenPGP.js 6.1.1-patch.2',
+    versionString: 'OpenPGP.js 6.1.1-patch.4',
     /**
      * @memberof module:config
      * @property {String} commentString A comment string to be included in armored messages
@@ -6917,7 +6916,15 @@ var openpgp = (function (exports) {
       case enums.publicKey.ed25519:
         try {
           const webCrypto = util.getWebCrypto();
-          const webCryptoKey = await webCrypto.generateKey('Ed25519', true, ['sign', 'verify']);
+          const webCryptoKey = await webCrypto.generateKey('Ed25519', true, ['sign', 'verify'])
+            .catch(err => {
+              if (err.name === 'OperationError') { // Temporary (hopefully) fix for WebKit on Linux
+                const newErr = new Error('Unexpected key generation issue');
+                newErr.name = 'NotSupportedError';
+                throw newErr;
+              }
+              throw err;
+            });
 
           const privateKey = await webCrypto.exportKey('jwk', webCryptoKey.privateKey);
           const publicKey = await webCrypto.exportKey('jwk', webCryptoKey.publicKey);
@@ -6927,7 +6934,7 @@ var openpgp = (function (exports) {
             seed: b64ToUint8Array(privateKey.d, true)
           };
         } catch (err) {
-          if (err.name !== 'NotSupportedError' && err.name !== 'OperationError') { // Temporary (hopefully) fix for WebKit on Linux
+          if (err.name !== 'NotSupportedError') {
             throw err;
           }
           const seed = getRandomBytes(getPayloadSize$1(algo));
@@ -6960,17 +6967,11 @@ var openpgp = (function (exports) {
    * @async
    */
   async function sign$9(algo, hashAlgo, message, publicKey, privateKey, hashed) {
-    if (getHashByteLength(hashAlgo) < getHashByteLength(getPreferredHashAlgo$2(algo))) {
-      // Enforce digest sizes:
-      // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
-      // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4
-      throw new Error('Hash algorithm too weak for EdDSA.');
-    }
     switch (algo) {
       case enums.publicKey.ed25519:
         try {
           const webCrypto = util.getWebCrypto();
-          const jwk = privateKeyToJWK(algo, publicKey, privateKey);
+          const jwk = privateKeyToJWK$1(algo, publicKey, privateKey);
           const key = await webCrypto.importKey('jwk', jwk, 'Ed25519', false, ['sign']);
 
           const signature = new Uint8Array(
@@ -7010,17 +7011,11 @@ var openpgp = (function (exports) {
    * @async
    */
   async function verify$9(algo, hashAlgo, { RS }, m, publicKey, hashed) {
-    if (getHashByteLength(hashAlgo) < getHashByteLength(getPreferredHashAlgo$2(algo))) {
-      // Enforce digest sizes:
-      // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
-      // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4
-      throw new Error('Hash algorithm too weak for EdDSA.');
-    }
     switch (algo) {
       case enums.publicKey.ed25519:
         try {
           const webCrypto = util.getWebCrypto();
-          const jwk = publicKeyToJWK(algo, publicKey);
+          const jwk = publicKeyToJWK$1(algo, publicKey);
           const key = await webCrypto.importKey('jwk', jwk, 'Ed25519', false, ['verify']);
           const verified = await webCrypto.verify('Ed25519', key, RS, hashed);
           return verified;
@@ -7095,7 +7090,7 @@ var openpgp = (function (exports) {
     }
   }
 
-  const publicKeyToJWK = (algo, publicKey) => {
+  const publicKeyToJWK$1 = (algo, publicKey) => {
     switch (algo) {
       case enums.publicKey.ed25519: {
         const jwk = {
@@ -7111,10 +7106,10 @@ var openpgp = (function (exports) {
     }
   };
 
-  const privateKeyToJWK = (algo, publicKey, privateKey) => {
+  const privateKeyToJWK$1 = (algo, publicKey, privateKey) => {
     switch (algo) {
       case enums.publicKey.ed25519: {
-        const jwk = publicKeyToJWK(algo, publicKey);
+        const jwk = publicKeyToJWK$1(algo, publicKey);
         jwk.d = uint8ArrayToB64(privateKey);
         return jwk;
       }
@@ -8354,12 +8349,41 @@ var openpgp = (function (exports) {
    */
   async function generate$9(algo) {
     switch (algo) {
-      case enums.publicKey.x25519: {
-        // k stays in little-endian, unlike legacy ECDH over curve25519
-        const k = getRandomBytes(32);
-        const { publicKey: A } = nacl.box.keyPair.fromSecretKey(k);
-        return { A, k };
-      }
+      case enums.publicKey.x25519:
+        try {
+          const webCrypto = util.getWebCrypto();
+          const webCryptoKey = await webCrypto.generateKey('X25519', true, ['deriveKey', 'deriveBits'])
+            .catch(err => {
+              if (err.name === 'OperationError') { // Temporary (hopefully) fix for WebKit on Linux
+                const newErr = new Error('Unexpected key generation issue');
+                newErr.name = 'NotSupportedError';
+                throw newErr;
+              }
+              throw err;
+            });
+
+          const privateKey = await webCrypto.exportKey('jwk', webCryptoKey.privateKey);
+          const publicKey = await webCrypto.exportKey('jwk', webCryptoKey.publicKey);
+
+          if (privateKey.x !== publicKey.x) { // Weird issue with Webkit on Linux: https://bugs.webkit.org/show_bug.cgi?id=289693
+            const err = new Error('Unexpected mismatching public point');
+            err.name = 'NotSupportedError';
+            throw err;
+          }
+
+          return {
+            A: new Uint8Array(b64ToUint8Array(publicKey.x)),
+            k: b64ToUint8Array(privateKey.d)
+          };
+        } catch (err) {
+          if (err.name !== 'NotSupportedError') {
+            throw err;
+          }
+          // k stays in little-endian, unlike legacy ECDH over curve25519
+          const k = getRandomBytes(32);
+          const { publicKey: A } = nacl.box.keyPair.fromSecretKey(k);
+          return { A, k };
+        }
 
       case enums.publicKey.x448: {
         const x448 = await util.getNobleCurve(enums.publicKey.x448);
@@ -8501,13 +8525,46 @@ var openpgp = (function (exports) {
    */
   async function generateEphemeralEncryptionMaterial(algo, recipientA) {
     switch (algo) {
-      case enums.publicKey.x25519: {
-        const ephemeralSecretKey = getRandomBytes(getPayloadSize(algo));
-        const sharedSecret = nacl.scalarMult(ephemeralSecretKey, recipientA);
-        assertNonZeroArray(sharedSecret);
-        const { publicKey: ephemeralPublicKey } = nacl.box.keyPair.fromSecretKey(ephemeralSecretKey);
-        return { ephemeralPublicKey, sharedSecret };
-      }
+      case enums.publicKey.x25519:
+        try {
+          const webCrypto = util.getWebCrypto();
+          const ephemeralKeyPair = await webCrypto.generateKey('X25519', true, ['deriveKey', 'deriveBits'])
+            .catch(err => {
+              if (err.name === 'OperationError') { // Temporary (hopefully) fix for WebKit on Linux
+                const newErr = new Error('Unexpected key generation issue');
+                newErr.name = 'NotSupportedError';
+                throw newErr;
+              }
+              throw err;
+            });
+          const ephemeralPublicKeyJwt = await webCrypto.exportKey('jwk', ephemeralKeyPair.publicKey);
+          const ephemeralPrivateKeyJwt = await webCrypto.exportKey('jwk', ephemeralKeyPair.privateKey);
+          if (ephemeralPrivateKeyJwt.x !== ephemeralPublicKeyJwt.x) { // Weird issue with Webkit on Linux: https://bugs.webkit.org/show_bug.cgi?id=289693
+            const err = new Error('Unexpected mismatching public point');
+            err.name = 'NotSupportedError';
+            throw err;
+          }
+          const jwk = publicKeyToJWK(algo, recipientA);
+          const recipientPublicKey = await webCrypto.importKey('jwk', jwk, 'X25519', false, []);
+          const sharedSecretBuffer = await webCrypto.deriveBits(
+            { name: 'X25519', public: recipientPublicKey },
+            ephemeralKeyPair.privateKey,
+            getPayloadSize(algo) * 8 // in bits
+          );
+          return {
+            sharedSecret: new Uint8Array(sharedSecretBuffer),
+            ephemeralPublicKey: new Uint8Array(b64ToUint8Array(ephemeralPublicKeyJwt.x))
+          };
+        } catch (err) {
+          if (err.name !== 'NotSupportedError') {
+            throw err;
+          }
+          const ephemeralSecretKey = getRandomBytes(getPayloadSize(algo));
+          const sharedSecret = nacl.scalarMult(ephemeralSecretKey, recipientA);
+          assertNonZeroArray(sharedSecret);
+          const { publicKey: ephemeralPublicKey } = nacl.box.keyPair.fromSecretKey(ephemeralSecretKey);
+          return { ephemeralPublicKey, sharedSecret };
+        }
       case enums.publicKey.x448: {
         const x448 = await util.getNobleCurve(enums.publicKey.x448);
         const ephemeralSecretKey = x448.utils.randomPrivateKey();
@@ -8523,11 +8580,27 @@ var openpgp = (function (exports) {
 
   async function recomputeSharedSecret(algo, ephemeralPublicKey, A, k) {
     switch (algo) {
-      case enums.publicKey.x25519: {
-        const sharedSecret = nacl.scalarMult(k, ephemeralPublicKey);
-        assertNonZeroArray(sharedSecret);
-        return sharedSecret;
-      }
+      case enums.publicKey.x25519:
+        try {
+          const webCrypto = util.getWebCrypto();
+          const privateKeyJWK = privateKeyToJWK(algo, A, k);
+          const ephemeralPublicKeyJWK = publicKeyToJWK(algo, ephemeralPublicKey);
+          const privateKey = await webCrypto.importKey('jwk', privateKeyJWK, 'X25519', false, ['deriveKey', 'deriveBits']);
+          const ephemeralPublicKeyReference = await webCrypto.importKey('jwk', ephemeralPublicKeyJWK, 'X25519', false, []);
+          const sharedSecretBuffer = await webCrypto.deriveBits(
+            { name: 'X25519', public: ephemeralPublicKeyReference },
+            privateKey,
+            getPayloadSize(algo) * 8 // in bits
+          );
+          return new Uint8Array(sharedSecretBuffer);
+        } catch (err) {
+          if (err.name !== 'NotSupportedError') {
+            throw err;
+          }
+          const sharedSecret = nacl.scalarMult(k, ephemeralPublicKey);
+          assertNonZeroArray(sharedSecret);
+          return sharedSecret;
+        }
       case enums.publicKey.x448: {
         const x448 = await util.getNobleCurve(enums.publicKey.x448);
         const sharedSecret = x448.getSharedSecret(k, ephemeralPublicKey);
@@ -8555,6 +8628,35 @@ var openpgp = (function (exports) {
     }
   }
 
+
+  function publicKeyToJWK(algo, publicKey) {
+    switch (algo) {
+      case enums.publicKey.x25519: {
+        const jwk = {
+          kty: 'OKP',
+          crv: 'X25519',
+          x: uint8ArrayToB64(publicKey),
+          ext: true
+        };
+        return jwk;
+      }
+      default:
+        throw new Error('Unsupported ECDH algorithm');
+    }
+  }
+
+  function privateKeyToJWK(algo, publicKey, privateKey) {
+    switch (algo) {
+      case enums.publicKey.x25519: {
+        const jwk = publicKeyToJWK(algo, publicKey);
+        jwk.d = uint8ArrayToB64(privateKey);
+        return jwk;
+      }
+      default:
+        throw new Error('Unsupported ECDH algorithm');
+    }
+  }
+
   var ecdh_x = /*#__PURE__*/Object.freeze({
     __proto__: null,
     decrypt: decrypt$4,
@@ -9262,12 +9364,6 @@ var openpgp = (function (exports) {
   async function sign$7(oid, hashAlgo, message, publicKey, privateKey, hashed) {
     const curve = new CurveWithOID(oid);
     checkPublicPointEnconding(curve, publicKey);
-    if (getHashByteLength(hashAlgo) < getHashByteLength(enums.hash.sha256)) {
-      // Enforce digest sizes, since the constraint was already present in RFC4880bis:
-      // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
-      // and https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3
-      throw new Error('Hash algorithm too weak for EdDSA.');
-    }
     const { RS: signature } = await sign$9(enums.publicKey.ed25519, hashAlgo, message, publicKey.subarray(1), privateKey, hashed);
     // EdDSA signature params are returned in little-endian format
     return {
@@ -9291,12 +9387,6 @@ var openpgp = (function (exports) {
   async function verify$7(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
     const curve = new CurveWithOID(oid);
     checkPublicPointEnconding(curve, publicKey);
-    if (getHashByteLength(hashAlgo) < getHashByteLength(enums.hash.sha256)) {
-      // Enforce digest sizes, since the constraint was already present in RFC4880bis:
-      // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
-      // and https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3
-      throw new Error('Hash algorithm too weak for EdDSA.');
-    }
     const RS = util.concatUint8Array([r, s]);
     return verify$9(enums.publicKey.ed25519, hashAlgo, { RS }, m, publicKey.subarray(1), hashed);
   }
@@ -10154,7 +10244,7 @@ var openpgp = (function (exports) {
   async function encrypt$2(algo, eccPublicKey, mlkemPublicKey, sessioneKeyData) {
     const { eccKeyShare, eccCipherText } = await encaps$1(algo, eccPublicKey);
     const { mlkemKeyShare, mlkemCipherText } = await encaps(algo, mlkemPublicKey);
-    const kek = await multiKeyCombine(algo, eccKeyShare, eccCipherText, eccPublicKey, mlkemKeyShare, mlkemCipherText, mlkemPublicKey);
+    const kek = await multiKeyCombine(algo, mlkemKeyShare, eccKeyShare, eccCipherText, eccPublicKey);
     const wrappedKey = await wrap(enums.symmetric.aes256, kek, sessioneKeyData); // C
     return { eccCipherText, mlkemCipherText, wrappedKey };
   }
@@ -10162,25 +10252,24 @@ var openpgp = (function (exports) {
   async function decrypt$2(algo, eccCipherText, mlkemCipherText, eccSecretKey, eccPublicKey, mlkemSecretKey, mlkemPublicKey, encryptedSessionKeyData) {
     const eccKeyShare = await decaps$1(algo, eccCipherText, eccSecretKey, eccPublicKey);
     const mlkemKeyShare = await decaps(algo, mlkemCipherText, mlkemSecretKey);
-    const kek = await multiKeyCombine(algo, eccKeyShare, eccCipherText, eccPublicKey, mlkemKeyShare, mlkemCipherText, mlkemPublicKey);
+    const kek = await multiKeyCombine(algo, mlkemKeyShare, eccKeyShare, eccCipherText, eccPublicKey);
     const sessionKey = await unwrap(enums.symmetric.aes256, kek, encryptedSessionKeyData);
     return sessionKey;
   }
 
-  async function multiKeyCombine(algo, ecdhKeyShare, ecdhCipherText, ecdhPublicKey, mlkemKeyShare, mlkemCipherText, mlkemPublicKey) {
-    // LAMPS-aligned and NIST compatible combiner, proposed in: https://mailarchive.ietf.org/arch/msg/openpgp/NMTCy707LICtxIhP3Xt1U5C8MF0/
-    // 2a. KDF(mlkemSS || tradSS || tradCT || tradPK || Domain)
-    //     where Domain is "Domain" for LAMPS, and "mlkemCT || mlkemPK || algId || const" for OpenPGP
+  /**
+   * KEM key combiner
+   */
+  async function multiKeyCombine(algo, mlkemKeyShare, ecdhKeyShare, ecdhCipherText, ecdhPublicKey) {
+    const domSep = util.encodeUTF8('OpenPGPCompositeKDFv1');
     const encData = util.concatUint8Array([
       mlkemKeyShare,
       ecdhKeyShare,
       ecdhCipherText,
       ecdhPublicKey,
-      // domSep
-      mlkemCipherText,
-      mlkemPublicKey,
       new Uint8Array([algo]),
-      util.encodeUTF8('OpenPGPCompositeKDFv1')
+      domSep,
+      new Uint8Array([domSep.length])
     ]);
 
     const kek = await computeDigest(enums.hash.sha3_256, encData);
@@ -10317,12 +10406,6 @@ var openpgp = (function (exports) {
   }
 
   async function sign$2(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey, mldsaSecretKey, dataDigest) {
-    if (hashAlgo !== getRequiredHashAlgo(signatureAlgo)) {
-      // The signature hash algo MUST be set to the specified algorithm, see
-      // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
-      throw new Error('Unexpected hash algorithm for PQC signature');
-    }
-
     switch (signatureAlgo) {
       case enums.publicKey.pqc_mldsa_ed25519: {
         const { eccSignature } = await sign$3(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey, dataDigest);
@@ -10336,12 +10419,6 @@ var openpgp = (function (exports) {
   }
 
   async function verify$2(signatureAlgo, hashAlgo, eccPublicKey, mldsaPublicKey, dataDigest, { eccSignature, mldsaSignature }) {
-    if (hashAlgo !== getRequiredHashAlgo(signatureAlgo)) {
-      // The signature hash algo MUST be set to the specified algorithm, see
-      // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
-      throw new Error('Unexpected hash algorithm for PQC signature');
-    }
-
     switch (signatureAlgo) {
       case enums.publicKey.pqc_mldsa_ed25519: {
         const eccVerifiedPromise = verify$3(signatureAlgo, hashAlgo, eccPublicKey, dataDigest, eccSignature);
@@ -10354,11 +10431,12 @@ var openpgp = (function (exports) {
     }
   }
 
-  function getRequiredHashAlgo(signatureAlgo) {
-    // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
+  function isCompatibleHashAlgo(signatureAlgo, hashAlgo) {
+    // The signature hash algo MUST have digest larger than 256 bits
+    // https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-10.html#section-9.4
     switch (signatureAlgo) {
       case enums.publicKey.pqc_mldsa_ed25519:
-        return enums.hash.sha3_256;
+        return getHashByteLength(hashAlgo) >= 32;
       default:
         throw new Error('Unsupported signature algorithm');
     }
@@ -12481,6 +12559,12 @@ var openpgp = (function (exports) {
         return verify$8(oid, hashAlgo, { r, s }, data, Q, hashed);
       }
       case enums.publicKey.eddsaLegacy: {
+        if (getHashByteLength(hashAlgo) < getHashByteLength(enums.hash.sha256)) {
+          // Enforce digest sizes, since the constraint was already present in RFC4880bis:
+          // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
+          // and https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3
+          throw new Error('Hash algorithm too weak for EdDSALegacy.');
+        }
         const { oid, Q } = publicParams;
         const curveSize = new CurveWithOID(oid).payloadSize;
         // When dealing little-endian MPI data, we always need to left-pad it, as done with big-endian values:
@@ -12491,6 +12575,13 @@ var openpgp = (function (exports) {
       }
       case enums.publicKey.ed25519:
       case enums.publicKey.ed448: {
+        if (getHashByteLength(hashAlgo) < getHashByteLength(getPreferredHashAlgo$2(algo))) {
+          // Enforce digest sizes:
+          // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
+          // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4
+          throw new Error('Hash algorithm too weak for EdDSA.');
+        }
+
         const { A } = publicParams;
         return verify$9(algo, hashAlgo, signature, data, A, hashed);
       }
@@ -12503,6 +12594,11 @@ var openpgp = (function (exports) {
         return verify$5(algo.getValue(), keyMaterial, signature.mac.data, hashed);
       }
       case enums.publicKey.pqc_mldsa_ed25519: {
+        if (!isCompatibleHashAlgo(algo, hashAlgo)) {
+          // The signature hash algo MUST have digest larger than 256 bits
+          // https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-10.html#section-9.4
+          throw new Error('Unexpected hash algorithm for PQC signature: digest size too short');
+        }
         const { eccPublicKey, mldsaPublicKey } = publicParams;
         return verify$2(algo, hashAlgo, eccPublicKey, mldsaPublicKey, hashed, signature);
       }
@@ -12551,12 +12647,24 @@ var openpgp = (function (exports) {
         return sign$8(oid, hashAlgo, data, Q, d, hashed);
       }
       case enums.publicKey.eddsaLegacy: {
+        if (getHashByteLength(hashAlgo) < getHashByteLength(enums.hash.sha256)) {
+          // Enforce digest sizes, since the constraint was already present in RFC4880bis:
+          // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
+          // and https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3
+          throw new Error('Hash algorithm too weak for EdDSALegacy.');
+        }
         const { oid, Q } = publicKeyParams;
         const { seed } = privateKeyParams;
         return sign$7(oid, hashAlgo, data, Q, seed, hashed);
       }
       case enums.publicKey.ed25519:
       case enums.publicKey.ed448: {
+        if (getHashByteLength(hashAlgo) < getHashByteLength(getPreferredHashAlgo$2(algo))) {
+          // Enforce digest sizes:
+          // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
+          // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4
+          throw new Error('Hash algorithm too weak for EdDSA.');
+        }
         const { A } = publicKeyParams;
         const { seed } = privateKeyParams;
         return sign$9(algo, hashAlgo, data, A, seed, hashed);
@@ -12568,6 +12676,11 @@ var openpgp = (function (exports) {
         return { mac: new ShortByteString(mac) };
       }
       case enums.publicKey.pqc_mldsa_ed25519: {
+        if (!isCompatibleHashAlgo(algo, hashAlgo)) {
+          // The signature hash algo MUST have digest larger than 256 bits
+          // https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-10.html#section-9.4
+          throw new Error('Unexpected hash algorithm for PQC signature: digest size too short');
+        }
         const { eccPublicKey } = publicKeyParams;
         const { eccSecretKey, mldsaSecretKey } = privateKeyParams;
         return sign$2(algo, hashAlgo, eccSecretKey, eccPublicKey, mldsaSecretKey, hashed);
@@ -16836,12 +16949,8 @@ var openpgp = (function (exports) {
           throw new Error('Legacy curve25519 cannot be used with v6 keys');
         }
         // The composite ML-DSA + EdDSA schemes MUST be used only with v6 keys.
-        // The composite ML-KEM + ECDH schemes MUST be used only with v6 keys.
-        if (this.version !== 6 && (
-          this.algorithm === enums.publicKey.pqc_mldsa_ed25519 ||
-          this.algorithm === enums.publicKey.pqc_mlkem_x25519
-        )) {
-          throw new Error('Unexpected key version: ML-DSA and ML-KEM algorithms can only be used with v6 keys');
+        if (this.version !== 6 && this.algorithm === enums.publicKey.pqc_mldsa_ed25519) {
+          throw new Error('Unexpected key version: ML-DSA algorithms can only be used with v6 keys');
         }
         this.publicParams = publicParams;
         pos += read;
@@ -17841,11 +17950,8 @@ var openpgp = (function (exports) {
       )) {
         throw new Error(`Cannot generate v6 keys of type 'ecc' with curve ${curve}. Generate a key of type 'curve25519' instead`);
       }
-      if (this.version !== 6 && (
-        this.algorithm === enums.publicKey.pqc_mldsa_ed25519 ||
-        this.algorithm === enums.publicKey.pqc_mlkem_x25519
-      )) {
-        throw new Error(`Cannot generate v${this.version} keys of type 'pqc'. Generate a v6 key instead`);
+      if (this.version !== 6 && this.algorithm === enums.publicKey.pqc_mldsa_ed25519) {
+        throw new Error(`Cannot generate v${this.version} signing keys of type 'pqc'. Generate a v6 key instead`);
       }
       const { privateParams, publicParams } = await generateParams(this.algorithm, bits, curve, symmetric);
       this.privateParams = privateParams;
@@ -18349,12 +18455,6 @@ var openpgp = (function (exports) {
    * @async
    */
   async function getPreferredHashAlgo(targetKeys, signingKeyPacket, date = new Date(), targetUserIDs = [], config) {
-    if (signingKeyPacket.algorithm === enums.publicKey.pqc_mldsa_ed25519) {
-      // For PQC, the returned hash algo MUST be set to the specified algorithm, see
-      // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
-      return getRequiredHashAlgo(signingKeyPacket.algorithm);
-    }
-
     /**
      * If `preferredSenderAlgo` appears in the prefs of all recipients, we pick it; otherwise, we use the
      * strongest supported algo (`defaultAlgo` is always implicitly supported by all keys).
@@ -18402,6 +18502,10 @@ var openpgp = (function (exports) {
       enums.publicKey.ed448
     ]);
 
+    const pqcAlgos = new Set([
+      enums.publicKey.pqc_mldsa_ed25519
+    ]);
+
     if (eccAlgos.has(signingKeyPacket.algorithm)) {
       // For ECC, the returned hash algo MUST be at least as strong as `preferredCurveHashAlgo`, see:
       // - ECDSA: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.2-5
@@ -18424,6 +18528,21 @@ var openpgp = (function (exports) {
           strongestSupportedAlgo :
           preferredCurveAlgo;
       }
+    } else if (pqcAlgos.has(signingKeyPacket.algorithm)) {
+      // For PQC, the returned hash algo MUST be at least 256 bit long, see:
+      // https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-10.html#section-9.4 .
+      // Hence, we return the `preferredHashAlgo` as long as it's supported and long enough;
+      // Otherwise, we look at the strongest supported algo, and ultimately fallback the default algo (SHA-256).
+      const preferredSenderAlgoIsSupported = isSupportedHashAlgo(preferredSenderAlgo) && isCompatibleHashAlgo(signingKeyPacket.algorithm, preferredSenderAlgo);
+
+      if (preferredSenderAlgoIsSupported) {
+        return preferredSenderAlgo;
+      } else {
+        const strongestSupportedAlgo = getStrongestSupportedHashAlgo();
+        return isCompatibleHashAlgo(signingKeyPacket.algorithm, strongestSupportedAlgo) ?
+          strongestSupportedAlgo :
+          defaultAlgo;
+      }
     }
 
     // `preferredSenderAlgo` may be weaker than the default, but we do not guard against this,