@protontech/openpgp 6.1.1-patch.2 → 6.1.1-patch.4

package/dist/lightweight/openpgp.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v6.1.1-patch.2 - 2025-05-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.1.1-patch.4 - 2025-07-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
 const doneWritingPromise = Symbol('doneWritingPromise');
@@ -1047,11 +1047,10 @@ var enums = {
     ed25519: 27,
     /** Ed448 (Sign only) */
     ed448: 28,
-    /** Post-quantum ML-KEM-768 + X25519 (Encrypt only) */
-    pqc_mlkem_x25519: 105,
     /** Post-quantum ML-DSA-64 + Ed25519 (Sign only) */
-    pqc_mldsa_ed25519: 107,
-
+    pqc_mldsa_ed25519: 30,
+    /** Post-quantum ML-KEM-768 + X25519 (Encrypt only) */
+    pqc_mlkem_x25519: 35,
     /** Persistent symmetric keys: encryption algorithm */
     aead: 100,
     /** Persistent symmetric keys: authentication algorithm */
@@ -1702,7 +1701,7 @@ var config = {
    * @memberof module:config
    * @property {String} versionString A version string to be included in armored messages
    */
-  versionString: 'OpenPGP.js 6.1.1-patch.2',
+  versionString: 'OpenPGP.js 6.1.1-patch.4',
   /**
    * @memberof module:config
    * @property {String} commentString A comment string to be included in armored messages
@@ -6893,7 +6892,15 @@ async function generate$a(algo) {
     case enums.publicKey.ed25519:
       try {
         const webCrypto = util.getWebCrypto();
-        const webCryptoKey = await webCrypto.generateKey('Ed25519', true, ['sign', 'verify']);
+        const webCryptoKey = await webCrypto.generateKey('Ed25519', true, ['sign', 'verify'])
+          .catch(err => {
+            if (err.name === 'OperationError') { // Temporary (hopefully) fix for WebKit on Linux
+              const newErr = new Error('Unexpected key generation issue');
+              newErr.name = 'NotSupportedError';
+              throw newErr;
+            }
+            throw err;
+          });
 
         const privateKey = await webCrypto.exportKey('jwk', webCryptoKey.privateKey);
         const publicKey = await webCrypto.exportKey('jwk', webCryptoKey.publicKey);
@@ -6903,7 +6910,7 @@ async function generate$a(algo) {
           seed: b64ToUint8Array(privateKey.d, true)
         };
       } catch (err) {
-        if (err.name !== 'NotSupportedError' && err.name !== 'OperationError') { // Temporary (hopefully) fix for WebKit on Linux
+        if (err.name !== 'NotSupportedError') {
           throw err;
         }
         const seed = getRandomBytes(getPayloadSize$1(algo));
@@ -6936,17 +6943,11 @@ async function generate$a(algo) {
  * @async
  */
 async function sign$9(algo, hashAlgo, message, publicKey, privateKey, hashed) {
-  if (getHashByteLength(hashAlgo) < getHashByteLength(getPreferredHashAlgo$2(algo))) {
-    // Enforce digest sizes:
-    // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
-    // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4
-    throw new Error('Hash algorithm too weak for EdDSA.');
-  }
   switch (algo) {
     case enums.publicKey.ed25519:
       try {
         const webCrypto = util.getWebCrypto();
-        const jwk = privateKeyToJWK(algo, publicKey, privateKey);
+        const jwk = privateKeyToJWK$1(algo, publicKey, privateKey);
         const key = await webCrypto.importKey('jwk', jwk, 'Ed25519', false, ['sign']);
 
         const signature = new Uint8Array(
@@ -6986,17 +6987,11 @@ async function sign$9(algo, hashAlgo, message, publicKey, privateKey, hashed) {
  * @async
  */
 async function verify$9(algo, hashAlgo, { RS }, m, publicKey, hashed) {
-  if (getHashByteLength(hashAlgo) < getHashByteLength(getPreferredHashAlgo$2(algo))) {
-    // Enforce digest sizes:
-    // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
-    // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4
-    throw new Error('Hash algorithm too weak for EdDSA.');
-  }
   switch (algo) {
     case enums.publicKey.ed25519:
       try {
         const webCrypto = util.getWebCrypto();
-        const jwk = publicKeyToJWK(algo, publicKey);
+        const jwk = publicKeyToJWK$1(algo, publicKey);
         const key = await webCrypto.importKey('jwk', jwk, 'Ed25519', false, ['verify']);
         const verified = await webCrypto.verify('Ed25519', key, RS, hashed);
         return verified;
@@ -7071,7 +7066,7 @@ function getPreferredHashAlgo$2(algo) {
   }
 }
 
-const publicKeyToJWK = (algo, publicKey) => {
+const publicKeyToJWK$1 = (algo, publicKey) => {
   switch (algo) {
     case enums.publicKey.ed25519: {
       const jwk = {
@@ -7087,10 +7082,10 @@ const publicKeyToJWK = (algo, publicKey) => {
   }
 };
 
-const privateKeyToJWK = (algo, publicKey, privateKey) => {
+const privateKeyToJWK$1 = (algo, publicKey, privateKey) => {
   switch (algo) {
     case enums.publicKey.ed25519: {
-      const jwk = publicKeyToJWK(algo, publicKey);
+      const jwk = publicKeyToJWK$1(algo, publicKey);
       jwk.d = uint8ArrayToB64(privateKey);
       return jwk;
     }
@@ -8330,12 +8325,41 @@ const HKDF_INFO = {
  */
 async function generate$9(algo) {
   switch (algo) {
-    case enums.publicKey.x25519: {
-      // k stays in little-endian, unlike legacy ECDH over curve25519
-      const k = getRandomBytes(32);
-      const { publicKey: A } = nacl.box.keyPair.fromSecretKey(k);
-      return { A, k };
-    }
+    case enums.publicKey.x25519:
+      try {
+        const webCrypto = util.getWebCrypto();
+        const webCryptoKey = await webCrypto.generateKey('X25519', true, ['deriveKey', 'deriveBits'])
+          .catch(err => {
+            if (err.name === 'OperationError') { // Temporary (hopefully) fix for WebKit on Linux
+              const newErr = new Error('Unexpected key generation issue');
+              newErr.name = 'NotSupportedError';
+              throw newErr;
+            }
+            throw err;
+          });
+
+        const privateKey = await webCrypto.exportKey('jwk', webCryptoKey.privateKey);
+        const publicKey = await webCrypto.exportKey('jwk', webCryptoKey.publicKey);
+
+        if (privateKey.x !== publicKey.x) { // Weird issue with Webkit on Linux: https://bugs.webkit.org/show_bug.cgi?id=289693
+          const err = new Error('Unexpected mismatching public point');
+          err.name = 'NotSupportedError';
+          throw err;
+        }
+
+        return {
+          A: new Uint8Array(b64ToUint8Array(publicKey.x)),
+          k: b64ToUint8Array(privateKey.d)
+        };
+      } catch (err) {
+        if (err.name !== 'NotSupportedError') {
+          throw err;
+        }
+        // k stays in little-endian, unlike legacy ECDH over curve25519
+        const k = getRandomBytes(32);
+        const { publicKey: A } = nacl.box.keyPair.fromSecretKey(k);
+        return { A, k };
+      }
 
     case enums.publicKey.x448: {
       const x448 = await util.getNobleCurve(enums.publicKey.x448);
@@ -8477,13 +8501,46 @@ function getPayloadSize(algo) {
  */
 async function generateEphemeralEncryptionMaterial(algo, recipientA) {
   switch (algo) {
-    case enums.publicKey.x25519: {
-      const ephemeralSecretKey = getRandomBytes(getPayloadSize(algo));
-      const sharedSecret = nacl.scalarMult(ephemeralSecretKey, recipientA);
-      assertNonZeroArray(sharedSecret);
-      const { publicKey: ephemeralPublicKey } = nacl.box.keyPair.fromSecretKey(ephemeralSecretKey);
-      return { ephemeralPublicKey, sharedSecret };
-    }
+    case enums.publicKey.x25519:
+      try {
+        const webCrypto = util.getWebCrypto();
+        const ephemeralKeyPair = await webCrypto.generateKey('X25519', true, ['deriveKey', 'deriveBits'])
+          .catch(err => {
+            if (err.name === 'OperationError') { // Temporary (hopefully) fix for WebKit on Linux
+              const newErr = new Error('Unexpected key generation issue');
+              newErr.name = 'NotSupportedError';
+              throw newErr;
+            }
+            throw err;
+          });
+        const ephemeralPublicKeyJwt = await webCrypto.exportKey('jwk', ephemeralKeyPair.publicKey);
+        const ephemeralPrivateKeyJwt = await webCrypto.exportKey('jwk', ephemeralKeyPair.privateKey);
+        if (ephemeralPrivateKeyJwt.x !== ephemeralPublicKeyJwt.x) { // Weird issue with Webkit on Linux: https://bugs.webkit.org/show_bug.cgi?id=289693
+          const err = new Error('Unexpected mismatching public point');
+          err.name = 'NotSupportedError';
+          throw err;
+        }
+        const jwk = publicKeyToJWK(algo, recipientA);
+        const recipientPublicKey = await webCrypto.importKey('jwk', jwk, 'X25519', false, []);
+        const sharedSecretBuffer = await webCrypto.deriveBits(
+          { name: 'X25519', public: recipientPublicKey },
+          ephemeralKeyPair.privateKey,
+          getPayloadSize(algo) * 8 // in bits
+        );
+        return {
+          sharedSecret: new Uint8Array(sharedSecretBuffer),
+          ephemeralPublicKey: new Uint8Array(b64ToUint8Array(ephemeralPublicKeyJwt.x))
+        };
+      } catch (err) {
+        if (err.name !== 'NotSupportedError') {
+          throw err;
+        }
+        const ephemeralSecretKey = getRandomBytes(getPayloadSize(algo));
+        const sharedSecret = nacl.scalarMult(ephemeralSecretKey, recipientA);
+        assertNonZeroArray(sharedSecret);
+        const { publicKey: ephemeralPublicKey } = nacl.box.keyPair.fromSecretKey(ephemeralSecretKey);
+        return { ephemeralPublicKey, sharedSecret };
+      }
     case enums.publicKey.x448: {
       const x448 = await util.getNobleCurve(enums.publicKey.x448);
       const ephemeralSecretKey = x448.utils.randomPrivateKey();
@@ -8499,11 +8556,27 @@ async function generateEphemeralEncryptionMaterial(algo, recipientA) {
 
 async function recomputeSharedSecret(algo, ephemeralPublicKey, A, k) {
   switch (algo) {
-    case enums.publicKey.x25519: {
-      const sharedSecret = nacl.scalarMult(k, ephemeralPublicKey);
-      assertNonZeroArray(sharedSecret);
-      return sharedSecret;
-    }
+    case enums.publicKey.x25519:
+      try {
+        const webCrypto = util.getWebCrypto();
+        const privateKeyJWK = privateKeyToJWK(algo, A, k);
+        const ephemeralPublicKeyJWK = publicKeyToJWK(algo, ephemeralPublicKey);
+        const privateKey = await webCrypto.importKey('jwk', privateKeyJWK, 'X25519', false, ['deriveKey', 'deriveBits']);
+        const ephemeralPublicKeyReference = await webCrypto.importKey('jwk', ephemeralPublicKeyJWK, 'X25519', false, []);
+        const sharedSecretBuffer = await webCrypto.deriveBits(
+          { name: 'X25519', public: ephemeralPublicKeyReference },
+          privateKey,
+          getPayloadSize(algo) * 8 // in bits
+        );
+        return new Uint8Array(sharedSecretBuffer);
+      } catch (err) {
+        if (err.name !== 'NotSupportedError') {
+          throw err;
+        }
+        const sharedSecret = nacl.scalarMult(k, ephemeralPublicKey);
+        assertNonZeroArray(sharedSecret);
+        return sharedSecret;
+      }
     case enums.publicKey.x448: {
       const x448 = await util.getNobleCurve(enums.publicKey.x448);
       const sharedSecret = x448.getSharedSecret(k, ephemeralPublicKey);
@@ -8531,6 +8604,35 @@ function assertNonZeroArray(sharedSecret) {
   }
 }
 
+
+function publicKeyToJWK(algo, publicKey) {
+  switch (algo) {
+    case enums.publicKey.x25519: {
+      const jwk = {
+        kty: 'OKP',
+        crv: 'X25519',
+        x: uint8ArrayToB64(publicKey),
+        ext: true
+      };
+      return jwk;
+    }
+    default:
+      throw new Error('Unsupported ECDH algorithm');
+  }
+}
+
+function privateKeyToJWK(algo, publicKey, privateKey) {
+  switch (algo) {
+    case enums.publicKey.x25519: {
+      const jwk = publicKeyToJWK(algo, publicKey);
+      jwk.d = uint8ArrayToB64(privateKey);
+      return jwk;
+    }
+    default:
+      throw new Error('Unsupported ECDH algorithm');
+  }
+}
+
 var ecdh_x = /*#__PURE__*/Object.freeze({
   __proto__: null,
   decrypt: decrypt$4,
@@ -9238,12 +9340,6 @@ var ecdsa = /*#__PURE__*/Object.freeze({
 async function sign$7(oid, hashAlgo, message, publicKey, privateKey, hashed) {
   const curve = new CurveWithOID(oid);
   checkPublicPointEnconding(curve, publicKey);
-  if (getHashByteLength(hashAlgo) < getHashByteLength(enums.hash.sha256)) {
-    // Enforce digest sizes, since the constraint was already present in RFC4880bis:
-    // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
-    // and https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3
-    throw new Error('Hash algorithm too weak for EdDSA.');
-  }
   const { RS: signature } = await sign$9(enums.publicKey.ed25519, hashAlgo, message, publicKey.subarray(1), privateKey, hashed);
   // EdDSA signature params are returned in little-endian format
   return {
@@ -9267,12 +9363,6 @@ async function sign$7(oid, hashAlgo, message, publicKey, privateKey, hashed) {
 async function verify$7(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
   const curve = new CurveWithOID(oid);
   checkPublicPointEnconding(curve, publicKey);
-  if (getHashByteLength(hashAlgo) < getHashByteLength(enums.hash.sha256)) {
-    // Enforce digest sizes, since the constraint was already present in RFC4880bis:
-    // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
-    // and https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3
-    throw new Error('Hash algorithm too weak for EdDSA.');
-  }
   const RS = util.concatUint8Array([r, s]);
   return verify$9(enums.publicKey.ed25519, hashAlgo, { RS }, m, publicKey.subarray(1), hashed);
 }
@@ -10130,7 +10220,7 @@ async function generate$4(algo) {
 async function encrypt$2(algo, eccPublicKey, mlkemPublicKey, sessioneKeyData) {
   const { eccKeyShare, eccCipherText } = await encaps$1(algo, eccPublicKey);
   const { mlkemKeyShare, mlkemCipherText } = await encaps(algo, mlkemPublicKey);
-  const kek = await multiKeyCombine(algo, eccKeyShare, eccCipherText, eccPublicKey, mlkemKeyShare, mlkemCipherText, mlkemPublicKey);
+  const kek = await multiKeyCombine(algo, mlkemKeyShare, eccKeyShare, eccCipherText, eccPublicKey);
   const wrappedKey = await wrap(enums.symmetric.aes256, kek, sessioneKeyData); // C
   return { eccCipherText, mlkemCipherText, wrappedKey };
 }
@@ -10138,25 +10228,24 @@ async function encrypt$2(algo, eccPublicKey, mlkemPublicKey, sessioneKeyData) {
 async function decrypt$2(algo, eccCipherText, mlkemCipherText, eccSecretKey, eccPublicKey, mlkemSecretKey, mlkemPublicKey, encryptedSessionKeyData) {
   const eccKeyShare = await decaps$1(algo, eccCipherText, eccSecretKey, eccPublicKey);
   const mlkemKeyShare = await decaps(algo, mlkemCipherText, mlkemSecretKey);
-  const kek = await multiKeyCombine(algo, eccKeyShare, eccCipherText, eccPublicKey, mlkemKeyShare, mlkemCipherText, mlkemPublicKey);
+  const kek = await multiKeyCombine(algo, mlkemKeyShare, eccKeyShare, eccCipherText, eccPublicKey);
   const sessionKey = await unwrap(enums.symmetric.aes256, kek, encryptedSessionKeyData);
   return sessionKey;
 }
 
-async function multiKeyCombine(algo, ecdhKeyShare, ecdhCipherText, ecdhPublicKey, mlkemKeyShare, mlkemCipherText, mlkemPublicKey) {
-  // LAMPS-aligned and NIST compatible combiner, proposed in: https://mailarchive.ietf.org/arch/msg/openpgp/NMTCy707LICtxIhP3Xt1U5C8MF0/
-  // 2a. KDF(mlkemSS || tradSS || tradCT || tradPK || Domain)
-  //     where Domain is "Domain" for LAMPS, and "mlkemCT || mlkemPK || algId || const" for OpenPGP
+/**
+ * KEM key combiner
+ */
+async function multiKeyCombine(algo, mlkemKeyShare, ecdhKeyShare, ecdhCipherText, ecdhPublicKey) {
+  const domSep = util.encodeUTF8('OpenPGPCompositeKDFv1');
   const encData = util.concatUint8Array([
     mlkemKeyShare,
     ecdhKeyShare,
     ecdhCipherText,
     ecdhPublicKey,
-    // domSep
-    mlkemCipherText,
-    mlkemPublicKey,
     new Uint8Array([algo]),
-    util.encodeUTF8('OpenPGPCompositeKDFv1')
+    domSep,
+    new Uint8Array([domSep.length])
   ]);
 
   const kek = await computeDigest(enums.hash.sha3_256, encData);
@@ -10293,12 +10382,6 @@ async function generate$1(algo) {
 }
 
 async function sign$2(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey, mldsaSecretKey, dataDigest) {
-  if (hashAlgo !== getRequiredHashAlgo(signatureAlgo)) {
-    // The signature hash algo MUST be set to the specified algorithm, see
-    // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
-    throw new Error('Unexpected hash algorithm for PQC signature');
-  }
-
   switch (signatureAlgo) {
     case enums.publicKey.pqc_mldsa_ed25519: {
       const { eccSignature } = await sign$3(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey, dataDigest);
@@ -10312,12 +10395,6 @@ async function sign$2(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey, mldsa
 }
 
 async function verify$2(signatureAlgo, hashAlgo, eccPublicKey, mldsaPublicKey, dataDigest, { eccSignature, mldsaSignature }) {
-  if (hashAlgo !== getRequiredHashAlgo(signatureAlgo)) {
-    // The signature hash algo MUST be set to the specified algorithm, see
-    // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
-    throw new Error('Unexpected hash algorithm for PQC signature');
-  }
-
   switch (signatureAlgo) {
     case enums.publicKey.pqc_mldsa_ed25519: {
       const eccVerifiedPromise = verify$3(signatureAlgo, hashAlgo, eccPublicKey, dataDigest, eccSignature);
@@ -10330,11 +10407,12 @@ async function verify$2(signatureAlgo, hashAlgo, eccPublicKey, mldsaPublicKey, d
   }
 }
 
-function getRequiredHashAlgo(signatureAlgo) {
-  // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
+function isCompatibleHashAlgo(signatureAlgo, hashAlgo) {
+  // The signature hash algo MUST have digest larger than 256 bits
+  // https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-10.html#section-9.4
   switch (signatureAlgo) {
     case enums.publicKey.pqc_mldsa_ed25519:
-      return enums.hash.sha3_256;
+      return getHashByteLength(hashAlgo) >= 32;
     default:
       throw new Error('Unsupported signature algorithm');
   }
@@ -12457,6 +12535,12 @@ async function verify$1(algo, hashAlgo, signature, publicParams, privateParams,
       return verify$8(oid, hashAlgo, { r, s }, data, Q, hashed);
     }
     case enums.publicKey.eddsaLegacy: {
+      if (getHashByteLength(hashAlgo) < getHashByteLength(enums.hash.sha256)) {
+        // Enforce digest sizes, since the constraint was already present in RFC4880bis:
+        // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
+        // and https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3
+        throw new Error('Hash algorithm too weak for EdDSALegacy.');
+      }
       const { oid, Q } = publicParams;
       const curveSize = new CurveWithOID(oid).payloadSize;
       // When dealing little-endian MPI data, we always need to left-pad it, as done with big-endian values:
@@ -12467,6 +12551,13 @@ async function verify$1(algo, hashAlgo, signature, publicParams, privateParams,
     }
     case enums.publicKey.ed25519:
     case enums.publicKey.ed448: {
+      if (getHashByteLength(hashAlgo) < getHashByteLength(getPreferredHashAlgo$2(algo))) {
+        // Enforce digest sizes:
+        // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
+        // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4
+        throw new Error('Hash algorithm too weak for EdDSA.');
+      }
+
       const { A } = publicParams;
       return verify$9(algo, hashAlgo, signature, data, A, hashed);
     }
@@ -12479,6 +12570,11 @@ async function verify$1(algo, hashAlgo, signature, publicParams, privateParams,
       return verify$5(algo.getValue(), keyMaterial, signature.mac.data, hashed);
     }
     case enums.publicKey.pqc_mldsa_ed25519: {
+      if (!isCompatibleHashAlgo(algo, hashAlgo)) {
+        // The signature hash algo MUST have digest larger than 256 bits
+        // https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-10.html#section-9.4
+        throw new Error('Unexpected hash algorithm for PQC signature: digest size too short');
+      }
       const { eccPublicKey, mldsaPublicKey } = publicParams;
       return verify$2(algo, hashAlgo, eccPublicKey, mldsaPublicKey, hashed, signature);
     }
@@ -12527,12 +12623,24 @@ async function sign$1(algo, hashAlgo, publicKeyParams, privateKeyParams, data, h
       return sign$8(oid, hashAlgo, data, Q, d, hashed);
     }
     case enums.publicKey.eddsaLegacy: {
+      if (getHashByteLength(hashAlgo) < getHashByteLength(enums.hash.sha256)) {
+        // Enforce digest sizes, since the constraint was already present in RFC4880bis:
+        // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
+        // and https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3
+        throw new Error('Hash algorithm too weak for EdDSALegacy.');
+      }
       const { oid, Q } = publicKeyParams;
       const { seed } = privateKeyParams;
       return sign$7(oid, hashAlgo, data, Q, seed, hashed);
     }
     case enums.publicKey.ed25519:
     case enums.publicKey.ed448: {
+      if (getHashByteLength(hashAlgo) < getHashByteLength(getPreferredHashAlgo$2(algo))) {
+        // Enforce digest sizes:
+        // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4
+        // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4
+        throw new Error('Hash algorithm too weak for EdDSA.');
+      }
       const { A } = publicKeyParams;
       const { seed } = privateKeyParams;
       return sign$9(algo, hashAlgo, data, A, seed, hashed);
@@ -12544,6 +12652,11 @@ async function sign$1(algo, hashAlgo, publicKeyParams, privateKeyParams, data, h
       return { mac: new ShortByteString(mac) };
     }
     case enums.publicKey.pqc_mldsa_ed25519: {
+      if (!isCompatibleHashAlgo(algo, hashAlgo)) {
+        // The signature hash algo MUST have digest larger than 256 bits
+        // https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-10.html#section-9.4
+        throw new Error('Unexpected hash algorithm for PQC signature: digest size too short');
+      }
       const { eccPublicKey } = publicKeyParams;
       const { eccSecretKey, mldsaSecretKey } = privateKeyParams;
       return sign$2(algo, hashAlgo, eccSecretKey, eccPublicKey, mldsaSecretKey, hashed);
@@ -16812,12 +16925,8 @@ class PublicKeyPacket {
         throw new Error('Legacy curve25519 cannot be used with v6 keys');
       }
       // The composite ML-DSA + EdDSA schemes MUST be used only with v6 keys.
-      // The composite ML-KEM + ECDH schemes MUST be used only with v6 keys.
-      if (this.version !== 6 && (
-        this.algorithm === enums.publicKey.pqc_mldsa_ed25519 ||
-        this.algorithm === enums.publicKey.pqc_mlkem_x25519
-      )) {
-        throw new Error('Unexpected key version: ML-DSA and ML-KEM algorithms can only be used with v6 keys');
+      if (this.version !== 6 && this.algorithm === enums.publicKey.pqc_mldsa_ed25519) {
+        throw new Error('Unexpected key version: ML-DSA algorithms can only be used with v6 keys');
       }
       this.publicParams = publicParams;
       pos += read;
@@ -17817,11 +17926,8 @@ class SecretKeyPacket extends PublicKeyPacket {
     )) {
       throw new Error(`Cannot generate v6 keys of type 'ecc' with curve ${curve}. Generate a key of type 'curve25519' instead`);
     }
-    if (this.version !== 6 && (
-      this.algorithm === enums.publicKey.pqc_mldsa_ed25519 ||
-      this.algorithm === enums.publicKey.pqc_mlkem_x25519
-    )) {
-      throw new Error(`Cannot generate v${this.version} keys of type 'pqc'. Generate a v6 key instead`);
+    if (this.version !== 6 && this.algorithm === enums.publicKey.pqc_mldsa_ed25519) {
+      throw new Error(`Cannot generate v${this.version} signing keys of type 'pqc'. Generate a v6 key instead`);
     }
     const { privateParams, publicParams } = await generateParams(this.algorithm, bits, curve, symmetric);
     this.privateParams = privateParams;
@@ -18325,12 +18431,6 @@ async function createBindingSignature(subkey, primaryKey, options, config) {
  * @async
  */
 async function getPreferredHashAlgo(targetKeys, signingKeyPacket, date = new Date(), targetUserIDs = [], config) {
-  if (signingKeyPacket.algorithm === enums.publicKey.pqc_mldsa_ed25519) {
-    // For PQC, the returned hash algo MUST be set to the specified algorithm, see
-    // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
-    return getRequiredHashAlgo(signingKeyPacket.algorithm);
-  }
-
   /**
    * If `preferredSenderAlgo` appears in the prefs of all recipients, we pick it; otherwise, we use the
    * strongest supported algo (`defaultAlgo` is always implicitly supported by all keys).
@@ -18378,6 +18478,10 @@ async function getPreferredHashAlgo(targetKeys, signingKeyPacket, date = new Dat
     enums.publicKey.ed448
   ]);
 
+  const pqcAlgos = new Set([
+    enums.publicKey.pqc_mldsa_ed25519
+  ]);
+
   if (eccAlgos.has(signingKeyPacket.algorithm)) {
     // For ECC, the returned hash algo MUST be at least as strong as `preferredCurveHashAlgo`, see:
     // - ECDSA: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.2-5
@@ -18400,6 +18504,21 @@ async function getPreferredHashAlgo(targetKeys, signingKeyPacket, date = new Dat
         strongestSupportedAlgo :
         preferredCurveAlgo;
     }
+  } else if (pqcAlgos.has(signingKeyPacket.algorithm)) {
+    // For PQC, the returned hash algo MUST be at least 256 bit long, see:
+    // https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-10.html#section-9.4 .
+    // Hence, we return the `preferredHashAlgo` as long as it's supported and long enough;
+    // Otherwise, we look at the strongest supported algo, and ultimately fallback the default algo (SHA-256).
+    const preferredSenderAlgoIsSupported = isSupportedHashAlgo(preferredSenderAlgo) && isCompatibleHashAlgo(signingKeyPacket.algorithm, preferredSenderAlgo);
+
+    if (preferredSenderAlgoIsSupported) {
+      return preferredSenderAlgo;
+    } else {
+      const strongestSupportedAlgo = getStrongestSupportedHashAlgo();
+      return isCompatibleHashAlgo(signingKeyPacket.algorithm, strongestSupportedAlgo) ?
+        strongestSupportedAlgo :
+        defaultAlgo;
+    }
   }
 
   // `preferredSenderAlgo` may be weaker than the default, but we do not guard against this,

package/dist/lightweight/seek-bzip.min.mjs

@@ -1,3 +1,3 @@
-/*! OpenPGP.js v6.1.1-patch.2 - 2025-05-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.1.1-patch.4 - 2025-07-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 "undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self&&self;function t(t,e){return e.forEach((function(e){e&&"string"!=typeof e&&!Array.isArray(e)&&Object.keys(e).forEach((function(r){if("default"!==r&&!(r in t)){var i=Object.getOwnPropertyDescriptor(e,r);Object.defineProperty(t,r,i.get?i:{enumerable:!0,get:function(){return e[r]}})}}))})),Object.freeze(t)}var e=[0,1,3,7,15,31,63,127,255],r=function(t){this.stream=t,this.bitOffset=0,this.curByte=0,this.hasByte=!1};r.prototype._ensureByte=function(){this.hasByte||(this.curByte=this.stream.readByte(),this.hasByte=!0)},r.prototype.read=function(t){for(var r=0;t>0;){this._ensureByte();var i=8-this.bitOffset;if(t>=i)r<<=i,r|=e[i]&this.curByte,this.hasByte=!1,this.bitOffset=0,t-=i;else{r<<=t;var n=i-t;r|=(this.curByte&e[t]<<n)>>n,this.bitOffset+=t,t=0}}return r},r.prototype.seek=function(t){var e=t%8,r=(t-e)/8;this.bitOffset=e,this.stream.seek(r),this.hasByte=!1},r.prototype.pi=function(){var t,e=new Uint8Array(6);for(t=0;t<e.length;t++)e[t]=this.read(8);return function(t){return Array.prototype.map.call(t,(t=>("00"+t.toString(16)).slice(-2))).join("")}(e)};var i=r,n=function(){};n.prototype.readByte=function(){throw Error("abstract method readByte() not implemented")},n.prototype.read=function(t,e,r){for(var i=0;i<r;){var n=this.readByte();if(n<0)return 0===i?-1:i;t[e++]=n,i++}return i},n.prototype.seek=function(t){throw Error("abstract method seek() not implemented")},n.prototype.writeByte=function(t){throw Error("abstract method readByte() not implemented")},n.prototype.write=function(t,e,r){var i;for(i=0;i<r;i++)this.writeByte(t[e++]);return r},n.prototype.flush=function(){};var o,a=n,s=(o=new Uint32Array([0,79764919,159529838,222504665,319059676,398814059,445009330,507990021,638119352,583659535,797628118,726387553,890018660,835552979,1015980042,944750013,1276238704,1221641927,1167319070,1095957929,1595256236,1540665371,1452775106,1381403509,1780037320,1859660671,1671105958,1733955601,2031960084,2111593891,1889500026,1952343757,2552477408,2632100695,2443283854,2506133561,2334638140,2414271883,2191915858,2254759653,3190512472,3135915759,3081330742,3009969537,2905550212,2850959411,2762807018,2691435357,3560074640,3505614887,3719321342,3648080713,3342211916,3287746299,3467911202,3396681109,4063920168,4143685023,4223187782,4286162673,3779000052,3858754371,3904687514,3967668269,881225847,809987520,1023691545,969234094,662832811,591600412,771767749,717299826,311336399,374308984,453813921,533576470,25881363,88864420,134795389,214552010,2023205639,2086057648,1897238633,1976864222,1804852699,1867694188,1645340341,1724971778,1587496639,1516133128,1461550545,1406951526,1302016099,1230646740,1142491917,1087903418,2896545431,2825181984,2770861561,2716262478,3215044683,3143675388,3055782693,3001194130,2326604591,2389456536,2200899649,2280525302,2578013683,2640855108,2418763421,2498394922,3769900519,3832873040,3912640137,3992402750,4088425275,4151408268,4197601365,4277358050,3334271071,3263032808,3476998961,3422541446,3585640067,3514407732,3694837229,3640369242,1762451694,1842216281,1619975040,1682949687,2047383090,2127137669,1938468188,2001449195,1325665622,1271206113,1183200824,1111960463,1543535498,1489069629,1434599652,1363369299,622672798,568075817,748617968,677256519,907627842,853037301,1067152940,995781531,51762726,131386257,177728840,240578815,269590778,349224269,429104020,491947555,4046411278,4126034873,4172115296,4234965207,3794477266,3874110821,3953728444,4016571915,3609705398,3555108353,3735388376,3664026991,3290680682,3236090077,3449943556,3378572211,3174993278,3120533705,3032266256,2961025959,2923101090,2868635157,2813903052,2742672763,2604032198,2683796849,2461293480,2524268063,2284983834,2364738477,2175806836,2238787779,1569362073,1498123566,1409854455,1355396672,1317987909,1246755826,1192025387,1137557660,2072149281,2135122070,1912620623,1992383480,1753615357,1816598090,1627664531,1707420964,295390185,358241886,404320391,483945776,43990325,106832002,186451547,266083308,932423249,861060070,1041341759,986742920,613929101,542559546,756411363,701822548,3316196985,3244833742,3425377559,3370778784,3601682597,3530312978,3744426955,3689838204,3819031489,3881883254,3928223919,4007849240,4037393693,4100235434,4180117107,4259748804,2310601993,2373574846,2151335527,2231098320,2596047829,2659030626,2470359227,2550115596,2947551409,2876312838,2788305887,2733848168,3165939309,3094707162,3040238851,2985771188]),function(){var t=4294967295;this.getCRC=function(){return~t>>>0},this.updateCRC=function(e){t=t<<8^o[255&(t>>>24^e)]},this.updateCRCRun=function(e,r){for(;r-- >0;)t=t<<8^o[255&(t>>>24^e)]}}),f=i,u=a,h=s,p=function(t,e){var r,i=t[e];for(r=e;r>0;r--)t[r]=t[r-1];return t[0]=i,i},d={OK:0,LAST_BLOCK:-1,NOT_BZIP_DATA:-2,UNEXPECTED_INPUT_EOF:-3,UNEXPECTED_OUTPUT_EOF:-4,DATA_ERROR:-5,OUT_OF_MEMORY:-6,OBSOLETE_INPUT:-7,END_OF_BLOCK:-8},c={};c[d.LAST_BLOCK]="Bad file checksum",c[d.NOT_BZIP_DATA]="Not bzip data",c[d.UNEXPECTED_INPUT_EOF]="Unexpected input EOF",c[d.UNEXPECTED_OUTPUT_EOF]="Unexpected output EOF",c[d.DATA_ERROR]="Data error",c[d.OUT_OF_MEMORY]="Out of memory",c[d.OBSOLETE_INPUT]="Obsolete (pre 0.9.5) bzip format not supported.";var _=function(t,e){var r=c[t]||"unknown error";e&&(r+=": "+e);var i=new TypeError(r);throw i.errorCode=t,i},b=function(t,e){this.writePos=this.writeCurrent=this.writeCount=0,this._start_bunzip(t,e)};b.prototype._init_block=function(){return this._get_next_block()?(this.blockCRC=new h,!0):(this.writeCount=-1,!1)},b.prototype._start_bunzip=function(t,e){var r=new Uint8Array(4);4===t.read(r,0,4)&&"BZh"===String.fromCharCode(r[0],r[1],r[2])||_(d.NOT_BZIP_DATA,"bad magic");var i=r[3]-48;(i<1||i>9)&&_(d.NOT_BZIP_DATA,"level out of range"),this.reader=new f(t),this.dbufSize=1e5*i,this.nextoutput=0,this.outputStream=e,this.streamCRC=0},b.prototype._get_next_block=function(){var t,e,r,i=this.reader,n=i.pi();if("177245385090"===n)return!1;"314159265359"!==n&&_(d.NOT_BZIP_DATA),this.targetBlockCRC=i.read(32)>>>0,this.streamCRC=(this.targetBlockCRC^(this.streamCRC<<1|this.streamCRC>>>31))>>>0,i.read(1)&&_(d.OBSOLETE_INPUT);var o=i.read(24);o>this.dbufSize&&_(d.DATA_ERROR,"initial position out of bounds");var a=i.read(16),s=new Uint8Array(256),f=0;for(t=0;t<16;t++)if(a&1<<15-t){var u=16*t;for(r=i.read(16),e=0;e<16;e++)r&1<<15-e&&(s[f++]=u+e)}var h=i.read(3);(h<2||h>6)&&_(d.DATA_ERROR);var c=i.read(15);0===c&&_(d.DATA_ERROR);var b=new Uint8Array(256);for(t=0;t<h;t++)b[t]=t;var y=new Uint8Array(c);for(t=0;t<c;t++){for(e=0;i.read(1);e++)e>=h&&_(d.DATA_ERROR);y[t]=p(b,e)}var R,l=f+2,C=[];for(e=0;e<h;e++){var A,w,O=new Uint8Array(l),B=new Uint16Array(21);for(a=i.read(5),t=0;t<l;t++){for(;(a<1||a>20)&&_(d.DATA_ERROR),i.read(1);)i.read(1)?a--:a++;O[t]=a}for(A=w=O[0],t=1;t<l;t++)O[t]>w?w=O[t]:O[t]<A&&(A=O[t]);R={},C.push(R),R.permute=new Uint16Array(258),R.limit=new Uint32Array(22),R.base=new Uint32Array(21),R.minLen=A,R.maxLen=w;var v=0;for(t=A;t<=w;t++)for(B[t]=R.limit[t]=0,a=0;a<l;a++)O[a]===t&&(R.permute[v++]=a);for(t=0;t<l;t++)B[O[t]]++;for(v=a=0,t=A;t<w;t++)v+=B[t],R.limit[t]=v-1,v<<=1,a+=B[t],R.base[t+1]=v-a;R.limit[w+1]=Number.MAX_VALUE,R.limit[w]=v+B[w]-1,R.base[A]=0}var E=new Uint32Array(256);for(t=0;t<256;t++)b[t]=t;var m,T=0,g=0,U=0,k=this.dbuf=new Uint32Array(this.dbufSize);for(l=0;;){for(l--||(l=49,U>=c&&_(d.DATA_ERROR),R=C[y[U++]]),t=R.minLen,e=i.read(t);t>R.maxLen&&_(d.DATA_ERROR),!(e<=R.limit[t]);t++)e=e<<1|i.read(1);((e-=R.base[t])<0||e>=258)&&_(d.DATA_ERROR);var D=R.permute[e];if(0!==D&&1!==D){if(T)for(T=0,g+a>this.dbufSize&&_(d.DATA_ERROR),E[m=s[b[0]]]+=a;a--;)k[g++]=m;if(D>f)break;g>=this.dbufSize&&_(d.DATA_ERROR),E[m=s[m=p(b,t=D-1)]]++,k[g++]=m}else T||(T=1,a=0),a+=0===D?T:2*T,T<<=1}for((o<0||o>=g)&&_(d.DATA_ERROR),e=0,t=0;t<256;t++)r=e+E[t],E[t]=e,e=r;for(t=0;t<g;t++)k[E[m=255&k[t]]]|=t<<8,E[m]++;var z=0,P=0,S=0;return g&&(P=255&(z=k[o]),z>>=8,S=-1),this.writePos=z,this.writeCurrent=P,this.writeCount=g,this.writeRun=S,!0},b.prototype._read_bunzip=function(t,e){var r,i,n;if(this.writeCount<0)return 0;var o=this.dbuf,a=this.writePos,s=this.writeCurrent,f=this.writeCount;this.outputsize;for(var u=this.writeRun;f;){for(f--,i=s,s=255&(a=o[a]),a>>=8,3==u++?(r=s,n=i,s=-1):(r=1,n=s),this.blockCRC.updateCRCRun(n,r);r--;)this.outputStream.writeByte(n),this.nextoutput++;s!=i&&(u=0)}return this.writeCount=f,this.blockCRC.getCRC()!==this.targetBlockCRC&&_(d.DATA_ERROR,"Bad block CRC (got "+this.blockCRC.getCRC().toString(16)+" expected "+this.targetBlockCRC.toString(16)+")"),this.nextoutput};var y=function(t){if("readByte"in t)return t;var e=new u;return e.pos=0,e.readByte=function(){return t[this.pos++]},e.seek=function(t){this.pos=t},e.eof=function(){return this.pos>=t.length},e},R=function(t){var e=new u,r=!0;if(t)if("number"==typeof t)e.buffer=new Uint8Array(t),r=!1;else{if("writeByte"in t)return t;e.buffer=t,r=!1}else e.buffer=new Uint8Array(16384);return e.pos=0,e.writeByte=function(t){if(r&&this.pos>=this.buffer.length){var e=new Uint8Array(2*this.buffer.length);e.set(this.buffer),this.buffer=e}this.buffer[this.pos++]=t},e.getBuffer=function(){if(this.pos!==this.buffer.length){if(!r)throw new TypeError("outputsize does not match decoded input");var t=new Uint8Array(this.pos);t.set(this.buffer.subarray(0,this.pos)),this.buffer=t}return this.buffer},e._coerced=!0,e};var l=/*#__PURE__*/t({__proto__:null},[{Bunzip:b,Stream:u,Err:d,decode:function(t,e,r){for(var i=y(t),n=R(e),o=new b(i,n);!("eof"in i)||!i.eof();)if(o._init_block())o._read_bunzip();else{var a=o.reader.read(32)>>>0;if(a!==o.streamCRC&&_(d.DATA_ERROR,"Bad stream CRC (got "+o.streamCRC.toString(16)+" expected "+a.toString(16)+")"),!r||!("eof"in i)||i.eof())break;o._start_bunzip(i,n)}if("getBuffer"in n)return n.getBuffer()},decodeBlock:function(t,e,r){var i=y(t),n=R(r),o=new b(i,n);if(o.reader.seek(e),o._get_next_block()&&(o.blockCRC=new h,o.writeCopies=0,o._read_bunzip()),"getBuffer"in n)return n.getBuffer()},table:function(t,e,r){var i=new u;i.delegate=y(t),i.pos=0,i.readByte=function(){return this.pos++,this.delegate.readByte()},i.delegate.eof&&(i.eof=i.delegate.eof.bind(i.delegate));var n=new u;n.pos=0,n.writeByte=function(){this.pos++};for(var o=new b(i,n),a=o.dbufSize;!("eof"in i)||!i.eof();){var s=8*i.pos+o.reader.bitOffset;if(o.reader.hasByte&&(s-=8),o._init_block()){var f=n.pos;o._read_bunzip(),e(s,n.pos-f)}else{if(o.reader.read(32),!r||!("eof"in i)||i.eof())break;o._start_bunzip(i,n),console.assert(o.dbufSize===a,"shouldn't change block size within multistream file")}}}}]);export{l as i};
 //# sourceMappingURL=seek-bzip.min.mjs.map

package/dist/lightweight/seek-bzip.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v6.1.1-patch.2 - 2025-05-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.1.1-patch.4 - 2025-07-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
 function _mergeNamespaces(n, m) {

package/dist/lightweight/sha3.min.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v6.1.1-patch.2 - 2025-05-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.1.1-patch.4 - 2025-07-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const t="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function e(t){if(!Number.isSafeInteger(t)||t<0)throw Error("positive integer expected, got "+t)}function n(t,...e){if(!((n=t)instanceof Uint8Array||ArrayBuffer.isView(n)&&"Uint8Array"===n.constructor.name))throw Error("Uint8Array expected");var n;if(e.length>0&&!e.includes(t.length))throw Error("Uint8Array expected of length "+e+", got length="+t.length)}function s(t){if("function"!=typeof t||"function"!=typeof t.create)throw Error("Hash should be wrapped by utils.wrapConstructor");e(t.outputLen),e(t.blockLen)}function o(t,e=!0){if(t.destroyed)throw Error("Hash instance has been destroyed");if(e&&t.finished)throw Error("Hash#digest() has already been called")}function r(t,e){n(t);const s=e.outputLen;if(t.length<s)throw Error("digestInto() expects output buffer of length at least "+s)}const i="object"==typeof t&&"crypto"in t?t.crypto:void 0,h=t=>new Uint32Array(t.buffer,t.byteOffset,Math.floor(t.byteLength/4)),a=t=>new DataView(t.buffer,t.byteOffset,t.byteLength),f=(t,e)=>t<<32-e|t>>>e,u=(t,e)=>t<<e|t>>>32-e>>>0,c=/* @__PURE__ */(()=>68===new Uint8Array(new Uint32Array([287454020]).buffer)[0])();
 /*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */function l(t){for(let n=0;n<t.length;n++)t[n]=(e=t[n])<<24&4278190080|e<<8&16711680|e>>>8&65280|e>>>24&255;var e}function d(t){if("string"!=typeof t)throw Error("utf8ToBytes expected string, got "+typeof t);return new Uint8Array((new TextEncoder).encode(t))}function p(t){return"string"==typeof t&&(t=d(t)),n(t),t}function g(...t){let e=0;for(let s=0;s<t.length;s++){const o=t[s];n(o),e+=o.length}const s=new Uint8Array(e);for(let e=0,n=0;e<t.length;e++){const o=t[e];s.set(o,n),n+=o.length}return s}class y{clone(){return this._cloneInto()}}function w(t){const e=e=>t().update(p(e)).digest(),n=t();return e.outputLen=n.outputLen,e.blockLen=n.blockLen,e.create=()=>t(),e}function b(t=32){if(i&&"function"==typeof i.getRandomValues)return i.getRandomValues(new Uint8Array(t));if(i&&"function"==typeof i.randomBytes)return i.randomBytes(t);throw Error("crypto.getRandomValues must be defined")}const L=/* @__PURE__ */BigInt(2**32-1),k=/* @__PURE__ */BigInt(32);function I(t,e=!1){return e?{h:Number(t&L),l:Number(t>>k&L)}:{h:0|Number(t>>k&L),l:0|Number(t&L)}}function B(t,e=!1){let n=new Uint32Array(t.length),s=new Uint32Array(t.length);for(let o=0;o<t.length;o++){const{h:r,l:i}=I(t[o],e);[n[o],s[o]]=[r,i]}return[n,s]}const A=(t,e,n)=>t<<n|e>>>32-n,m=(t,e,n)=>e<<n|t>>>32-n,O=(t,e,n)=>e<<n-32|t>>>64-n,U=(t,e,n)=>t<<n-32|e>>>64-n;const x={fromBig:I,split:B,toBig:(t,e)=>BigInt(t>>>0)<<k|BigInt(e>>>0),shrSH:(t,e,n)=>t>>>n,shrSL:(t,e,n)=>t<<32-n|e>>>n,rotrSH:(t,e,n)=>t>>>n|e<<32-n,rotrSL:(t,e,n)=>t<<32-n|e>>>n,rotrBH:(t,e,n)=>t<<64-n|e>>>n-32,rotrBL:(t,e,n)=>t>>>n-32|e<<64-n,rotr32H:(t,e)=>e,rotr32L:(t,e)=>t,rotlSH:A,rotlSL:m,rotlBH:O,rotlBL:U,add:function(t,e,n,s){const o=(e>>>0)+(s>>>0);return{h:t+n+(o/2**32|0)|0,l:0|o}},add3L:(t,e,n)=>(t>>>0)+(e>>>0)+(n>>>0),add3H:(t,e,n,s)=>e+n+s+(t/2**32|0)|0,add4L:(t,e,n,s)=>(t>>>0)+(e>>>0)+(n>>>0)+(s>>>0),add4H:(t,e,n,s,o)=>e+n+s+o+(t/2**32|0)|0,add5H:(t,e,n,s,o,r)=>e+n+s+o+r+(t/2**32|0)|0,add5L:(t,e,n,s,o)=>(t>>>0)+(e>>>0)+(n>>>0)+(s>>>0)+(o>>>0)},E=[],H=[],S=[],v=/* @__PURE__ */BigInt(0),F=/* @__PURE__ */BigInt(1),N=/* @__PURE__ */BigInt(2),V=/* @__PURE__ */BigInt(7),X=/* @__PURE__ */BigInt(256),M=/* @__PURE__ */BigInt(113);for(let t=0,e=F,n=1,s=0;t<24;t++){[n,s]=[s,(2*n+3*s)%5],E.push(2*(5*s+n)),H.push((t+1)*(t+2)/2%64);let o=v;for(let t=0;t<7;t++)e=(e<<F^(e>>V)*M)%X,e&N&&(o^=F<<(F<</* @__PURE__ */BigInt(t))-F);S.push(o)}const[R,j]=/* @__PURE__ */B(S,!0),T=(t,e,n)=>n>32?O(t,e,n):A(t,e,n),_=(t,e,n)=>n>32?U(t,e,n):m(t,e,n);class C extends y{constructor(t,n,s,o=!1,r=24){if(super(),this.blockLen=t,this.suffix=n,this.outputLen=s,this.enableXOF=o,this.rounds=r,this.pos=0,this.posOut=0,this.finished=!1,this.destroyed=!1,e(s),0>=this.blockLen||this.blockLen>=200)throw Error("Sha3 supports only keccak-f1600 function");this.state=new Uint8Array(200),this.state32=h(this.state)}keccak(){c||l(this.state32),function(t,e=24){const n=new Uint32Array(10);for(let s=24-e;s<24;s++){for(let e=0;e<10;e++)n[e]=t[e]^t[e+10]^t[e+20]^t[e+30]^t[e+40];for(let e=0;e<10;e+=2){const s=(e+8)%10,o=(e+2)%10,r=n[o],i=n[o+1],h=T(r,i,1)^n[s],a=_(r,i,1)^n[s+1];for(let n=0;n<50;n+=10)t[e+n]^=h,t[e+n+1]^=a}let e=t[2],o=t[3];for(let n=0;n<24;n++){const s=H[n],r=T(e,o,s),i=_(e,o,s),h=E[n];e=t[h],o=t[h+1],t[h]=r,t[h+1]=i}for(let e=0;e<50;e+=10){for(let s=0;s<10;s++)n[s]=t[e+s];for(let s=0;s<10;s++)t[e+s]^=~n[(s+2)%10]&n[(s+4)%10]}t[0]^=R[s],t[1]^=j[s]}n.fill(0)}(this.state32,this.rounds),c||l(this.state32),this.posOut=0,this.pos=0}update(t){o(this);const{blockLen:e,state:n}=this,s=(t=p(t)).length;for(let o=0;o<s;){const r=Math.min(e-this.pos,s-o);for(let e=0;e<r;e++)n[this.pos++]^=t[o++];this.pos===e&&this.keccak()}return this}finish(){if(this.finished)return;this.finished=!0;const{state:t,suffix:e,pos:n,blockLen:s}=this;t[n]^=e,128&e&&n===s-1&&this.keccak(),t[s-1]^=128,this.keccak()}writeInto(t){o(this,!1),n(t),this.finish();const e=this.state,{blockLen:s}=this;for(let n=0,o=t.length;n<o;){this.posOut>=s&&this.keccak();const r=Math.min(s-this.posOut,o-n);t.set(e.subarray(this.posOut,this.posOut+r),n),this.posOut+=r,n+=r}return t}xofInto(t){if(!this.enableXOF)throw Error("XOF is not possible for this instance");return this.writeInto(t)}xof(t){return e(t),this.xofInto(new Uint8Array(t))}digestInto(t){if(r(t,this),this.finished)throw Error("digest() was already called");return this.writeInto(t),this.destroy(),t}digest(){return this.digestInto(new Uint8Array(this.outputLen))}destroy(){this.destroyed=!0,this.state.fill(0)}_cloneInto(t){const{blockLen:e,suffix:n,outputLen:s,rounds:o,enableXOF:r}=this;return t||(t=new C(e,n,s,r,o)),t.state32.set(this.state32),t.pos=this.pos,t.posOut=this.posOut,t.finished=this.finished,t.rounds=o,t.suffix=n,t.outputLen=s,t.enableXOF=r,t.destroyed=this.destroyed,t}}const D=(t,e,n)=>w((()=>new C(e,t,n))),q=/* @__PURE__ */D(6,136,32),z=/* @__PURE__ */D(6,72,64),G=(t,e,n)=>function(t){const e=(e,n)=>t(n).update(p(e)).digest(),n=t({});return e.outputLen=n.outputLen,e.blockLen=n.blockLen,e.create=e=>t(e),e}(((s={})=>new C(e,t,void 0===s.dkLen?n:s.dkLen,!0))),J=/* @__PURE__ */G(31,168,16),K=/* @__PURE__ */G(31,136,32);export{y as H,s as a,o as b,n as c,g as d,u as e,q as f,z as g,a as h,r as i,f as j,x as k,J as l,h as m,b as r,K as s,p as t,d as u,w};
 //# sourceMappingURL=sha3.min.mjs.map

package/dist/lightweight/sha3.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v6.1.1-patch.2 - 2025-05-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.1.1-patch.4 - 2025-07-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
 function anumber(n) {

package/dist/lightweight/sha512.min.mjs

@@ -1,3 +1,3 @@
-/*! OpenPGP.js v6.1.1-patch.2 - 2025-05-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.1.1-patch.4 - 2025-07-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 "undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self&&self;import{H as t,h as s,b as h,t as e,i,w as c,j as a,k as r}from"./sha3.min.mjs";const f=(t,s,h)=>t&s^~t&h,d=(t,s,h)=>t&s^t&h^s&h;class o extends t{constructor(t,h,e,i){super(),this.blockLen=t,this.outputLen=h,this.padOffset=e,this.isLE=i,this.finished=!1,this.length=0,this.pos=0,this.destroyed=!1,this.buffer=new Uint8Array(t),this.view=s(this.buffer)}update(t){h(this);const{view:i,buffer:c,blockLen:a}=this,r=(t=e(t)).length;for(let h=0;h<r;){const e=Math.min(a-this.pos,r-h);if(e!==a)c.set(t.subarray(h,h+e),this.pos),this.pos+=e,h+=e,this.pos===a&&(this.process(i,0),this.pos=0);else{const e=s(t);for(;a<=r-h;h+=a)this.process(e,h)}}return this.length+=t.length,this.roundClean(),this}digestInto(t){h(this),i(t,this),this.finished=!0;const{buffer:e,view:c,blockLen:a,isLE:r}=this;let{pos:f}=this;e[f++]=128,this.buffer.subarray(f).fill(0),this.padOffset>a-f&&(this.process(c,0),f=0);for(let t=f;t<a;t++)e[t]=0;!function(t,s,h,e){if("function"==typeof t.setBigUint64)return t.setBigUint64(s,h,e);const i=BigInt(32),c=BigInt(4294967295),a=Number(h>>i&c),r=Number(h&c),f=e?4:0,d=e?0:4;t.setUint32(s+f,a,e),t.setUint32(s+d,r,e)}(c,a-8,BigInt(8*this.length),r),this.process(c,0);const d=s(t),o=this.outputLen;if(o%4)throw Error("_sha2: outputLen should be aligned to 32bit");const b=o/4,n=this.get();if(b>n.length)throw Error("_sha2: outputLen bigger than state");for(let t=0;t<b;t++)d.setUint32(4*t,n[t],r)}digest(){const{buffer:t,outputLen:s}=this;this.digestInto(t);const h=t.slice(0,s);return this.destroy(),h}_cloneInto(t){t||(t=new this.constructor),t.set(...this.get());const{blockLen:s,buffer:h,length:e,finished:i,destroyed:c,pos:a}=this;return t.length=e,t.pos=a,t.finished=i,t.destroyed=c,e%s&&t.buffer.set(h),t}}const b=/* @__PURE__ */new Uint32Array([1116352408,1899447441,3049323471,3921009573,961987163,1508970993,2453635748,2870763221,3624381080,310598401,607225278,1426881987,1925078388,2162078206,2614888103,3248222580,3835390401,4022224774,264347078,604807628,770255983,1249150122,1555081692,1996064986,2554220882,2821834349,2952996808,3210313671,3336571891,3584528711,113926993,338241895,666307205,773529912,1294757372,1396182291,1695183700,1986661051,2177026350,2456956037,2730485921,2820302411,3259730800,3345764771,3516065817,3600352804,4094571909,275423344,430227734,506948616,659060556,883997877,958139571,1322822218,1537002063,1747873779,1955562222,2024104815,2227730452,2361852424,2428436474,2756734187,3204031479,3329325298]),n=/* @__PURE__ */new Uint32Array([1779033703,3144134277,1013904242,2773480762,1359893119,2600822924,528734635,1541459225]),l=/* @__PURE__ */new Uint32Array(64);class x extends o{constructor(){super(64,32,8,!1),this.A=0|n[0],this.B=0|n[1],this.C=0|n[2],this.D=0|n[3],this.E=0|n[4],this.F=0|n[5],this.G=0|n[6],this.H=0|n[7]}get(){const{A:t,B:s,C:h,D:e,E:i,F:c,G:a,H:r}=this;return[t,s,h,e,i,c,a,r]}set(t,s,h,e,i,c,a,r){this.A=0|t,this.B=0|s,this.C=0|h,this.D=0|e,this.E=0|i,this.F=0|c,this.G=0|a,this.H=0|r}process(t,s){for(let h=0;h<16;h++,s+=4)l[h]=t.getUint32(s,!1);for(let t=16;t<64;t++){const s=l[t-15],h=l[t-2],e=a(s,7)^a(s,18)^s>>>3,i=a(h,17)^a(h,19)^h>>>10;l[t]=i+l[t-7]+e+l[t-16]|0}let{A:h,B:e,C:i,D:c,E:r,F:o,G:n,H:x}=this;for(let t=0;t<64;t++){const s=x+(a(r,6)^a(r,11)^a(r,25))+f(r,o,n)+b[t]+l[t]|0,u=(a(h,2)^a(h,13)^a(h,22))+d(h,e,i)|0;x=n,n=o,o=r,r=c+s|0,c=i,i=e,e=h,h=s+u|0}h=h+this.A|0,e=e+this.B|0,i=i+this.C|0,c=c+this.D|0,r=r+this.E|0,o=o+this.F|0,n=n+this.G|0,x=x+this.H|0,this.set(h,e,i,c,r,o,n,x)}roundClean(){l.fill(0)}destroy(){this.set(0,0,0,0,0,0,0,0),this.buffer.fill(0)}}class u extends x{constructor(){super(),this.A=-1056596264,this.B=914150663,this.C=812702999,this.D=-150054599,this.E=-4191439,this.F=1750603025,this.G=1694076839,this.H=-1090891868,this.outputLen=28}}const p=/* @__PURE__ */c((()=>new x)),H=/* @__PURE__ */c((()=>new u)),[B,g]=/* @__PURE__ */(()=>r.split(["0x428a2f98d728ae22","0x7137449123ef65cd","0xb5c0fbcfec4d3b2f","0xe9b5dba58189dbbc","0x3956c25bf348b538","0x59f111f1b605d019","0x923f82a4af194f9b","0xab1c5ed5da6d8118","0xd807aa98a3030242","0x12835b0145706fbe","0x243185be4ee4b28c","0x550c7dc3d5ffb4e2","0x72be5d74f27b896f","0x80deb1fe3b1696b1","0x9bdc06a725c71235","0xc19bf174cf692694","0xe49b69c19ef14ad2","0xefbe4786384f25e3","0x0fc19dc68b8cd5b5","0x240ca1cc77ac9c65","0x2de92c6f592b0275","0x4a7484aa6ea6e483","0x5cb0a9dcbd41fbd4","0x76f988da831153b5","0x983e5152ee66dfab","0xa831c66d2db43210","0xb00327c898fb213f","0xbf597fc7beef0ee4","0xc6e00bf33da88fc2","0xd5a79147930aa725","0x06ca6351e003826f","0x142929670a0e6e70","0x27b70a8546d22ffc","0x2e1b21385c26c926","0x4d2c6dfc5ac42aed","0x53380d139d95b3df","0x650a73548baf63de","0x766a0abb3c77b2a8","0x81c2c92e47edaee6","0x92722c851482353b","0xa2bfe8a14cf10364","0xa81a664bbc423001","0xc24b8b70d0f89791","0xc76c51a30654be30","0xd192e819d6ef5218","0xd69906245565a910","0xf40e35855771202a","0x106aa07032bbd1b8","0x19a4c116b8d2d0c8","0x1e376c085141ab53","0x2748774cdf8eeb99","0x34b0bcb5e19b48a8","0x391c0cb3c5c95a63","0x4ed8aa4ae3418acb","0x5b9cca4f7763e373","0x682e6ff3d6b2b8a3","0x748f82ee5defb2fc","0x78a5636f43172f60","0x84c87814a1f0ab72","0x8cc702081a6439ec","0x90befffa23631e28","0xa4506cebde82bde9","0xbef9a3f7b2c67915","0xc67178f2e372532b","0xca273eceea26619c","0xd186b8c721c0c207","0xeada7dd6cde0eb1e","0xf57d4f7fee6ed178","0x06f067aa72176fba","0x0a637dc5a2c898a6","0x113f9804bef90dae","0x1b710b35131c471b","0x28db77f523047d84","0x32caab7b40c72493","0x3c9ebe0a15c9bebc","0x431d67c49c100d4c","0x4cc5d4becb3e42b6","0x597f299cfc657e2a","0x5fcb6fab3ad6faec","0x6c44198c4a475817"].map((t=>BigInt(t)))))(),L=/* @__PURE__ */new Uint32Array(80),A=/* @__PURE__ */new Uint32Array(80);class C extends o{constructor(){super(128,64,16,!1),this.Ah=1779033703,this.Al=-205731576,this.Bh=-1150833019,this.Bl=-2067093701,this.Ch=1013904242,this.Cl=-23791573,this.Dh=-1521486534,this.Dl=1595750129,this.Eh=1359893119,this.El=-1377402159,this.Fh=-1694144372,this.Fl=725511199,this.Gh=528734635,this.Gl=-79577749,this.Hh=1541459225,this.Hl=327033209}get(){const{Ah:t,Al:s,Bh:h,Bl:e,Ch:i,Cl:c,Dh:a,Dl:r,Eh:f,El:d,Fh:o,Fl:b,Gh:n,Gl:l,Hh:x,Hl:u}=this;return[t,s,h,e,i,c,a,r,f,d,o,b,n,l,x,u]}set(t,s,h,e,i,c,a,r,f,d,o,b,n,l,x,u){this.Ah=0|t,this.Al=0|s,this.Bh=0|h,this.Bl=0|e,this.Ch=0|i,this.Cl=0|c,this.Dh=0|a,this.Dl=0|r,this.Eh=0|f,this.El=0|d,this.Fh=0|o,this.Fl=0|b,this.Gh=0|n,this.Gl=0|l,this.Hh=0|x,this.Hl=0|u}process(t,s){for(let h=0;h<16;h++,s+=4)L[h]=t.getUint32(s),A[h]=t.getUint32(s+=4);for(let t=16;t<80;t++){const s=0|L[t-15],h=0|A[t-15],e=r.rotrSH(s,h,1)^r.rotrSH(s,h,8)^r.shrSH(s,h,7),i=r.rotrSL(s,h,1)^r.rotrSL(s,h,8)^r.shrSL(s,h,7),c=0|L[t-2],a=0|A[t-2],f=r.rotrSH(c,a,19)^r.rotrBH(c,a,61)^r.shrSH(c,a,6),d=r.rotrSL(c,a,19)^r.rotrBL(c,a,61)^r.shrSL(c,a,6),o=r.add4L(i,d,A[t-7],A[t-16]),b=r.add4H(o,e,f,L[t-7],L[t-16]);L[t]=0|b,A[t]=0|o}let{Ah:h,Al:e,Bh:i,Bl:c,Ch:a,Cl:f,Dh:d,Dl:o,Eh:b,El:n,Fh:l,Fl:x,Gh:u,Gl:p,Hh:H,Hl:C}=this;for(let t=0;t<80;t++){const s=r.rotrSH(b,n,14)^r.rotrSH(b,n,18)^r.rotrBH(b,n,41),E=r.rotrSL(b,n,14)^r.rotrSL(b,n,18)^r.rotrBL(b,n,41),w=b&l^~b&u,y=n&x^~n&p,D=r.add5L(C,E,y,g[t],A[t]),F=r.add5H(D,H,s,w,B[t],L[t]),G=0|D,S=r.rotrSH(h,e,28)^r.rotrBH(h,e,34)^r.rotrBH(h,e,39),U=r.rotrSL(h,e,28)^r.rotrBL(h,e,34)^r.rotrBL(h,e,39),m=h&i^h&a^i&a,I=e&c^e&f^c&f;H=0|u,C=0|p,u=0|l,p=0|x,l=0|b,x=0|n,({h:b,l:n}=r.add(0|d,0|o,0|F,0|G)),d=0|a,o=0|f,a=0|i,f=0|c,i=0|h,c=0|e;const k=r.add3L(G,U,I);h=r.add3H(k,F,S,m),e=0|k}({h,l:e}=r.add(0|this.Ah,0|this.Al,0|h,0|e)),({h:i,l:c}=r.add(0|this.Bh,0|this.Bl,0|i,0|c)),({h:a,l:f}=r.add(0|this.Ch,0|this.Cl,0|a,0|f)),({h:d,l:o}=r.add(0|this.Dh,0|this.Dl,0|d,0|o)),({h:b,l:n}=r.add(0|this.Eh,0|this.El,0|b,0|n)),({h:l,l:x}=r.add(0|this.Fh,0|this.Fl,0|l,0|x)),({h:u,l:p}=r.add(0|this.Gh,0|this.Gl,0|u,0|p)),({h:H,l:C}=r.add(0|this.Hh,0|this.Hl,0|H,0|C)),this.set(h,e,i,c,a,f,d,o,b,n,l,x,u,p,H,C)}roundClean(){L.fill(0),A.fill(0)}destroy(){this.buffer.fill(0),this.set(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)}}class E extends C{constructor(){super(),this.Ah=-876896931,this.Al=-1056596264,this.Bh=1654270250,this.Bl=914150663,this.Ch=-1856437926,this.Cl=812702999,this.Dh=355462360,this.Dl=-150054599,this.Eh=1731405415,this.El=-4191439,this.Fh=-1900787065,this.Fl=1750603025,this.Gh=-619958771,this.Gl=1694076839,this.Hh=1203062813,this.Hl=-1090891868,this.outputLen=48}}const w=/* @__PURE__ */c((()=>new C)),y=/* @__PURE__ */c((()=>new E));export{f as C,o as H,d as M,y as a,w as b,H as c,p as s};
 //# sourceMappingURL=sha512.min.mjs.map

package/dist/lightweight/sha512.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v6.1.1-patch.2 - 2025-05-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.1.1-patch.4 - 2025-07-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
 import { H as Hash, h as createView, b as aexists, t as toBytes, i as aoutput, w as wrapConstructor, j as rotr, k as u64 } from './sha3.mjs';