Bump playwright from 1.51.0 to 1.51.1 (#1834)

Bumps [playwright](https://github.com/microsoft/playwright) from 1.51.0 to 1.51.1.
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](https://github.com/microsoft/playwright/compare/v1.51.0...v1.51.1)

---
updated-dependencies:
- dependency-name: playwright
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/dependabot.yml

@@ -0,0 +1,33 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    # The redundant target-branch directive is needed to set two different update schedules for npm,
+    # working around a dependabot limitation:
+    # see https://github.com/dependabot/dependabot-core/issues/1778#issuecomment-1988140219 .
+    target-branch: main
+    directory: "/"
+    schedule:
+      interval: "daily"
+    allow:
+      - dependency-name: "playwright"
+    versioning-strategy: increase
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    allow:
+      - dependency-name: "@noble*"
+      - dependency-name: "fflate"
+    versioning-strategy: increase
+    groups:
+      # Any packages matching the pattern @noble* where the highest resolvable
+      # version is minor or patch will be grouped together.
+      # Grouping rules apply to version updates only.
+      noble:
+        applies-to: version-updates
+        patterns:
+        - "@noble*"
+        update-types:
+        - "minor"
+        - "patch"

.github/workflows/benchmark.yml

@@ -2,7 +2,7 @@ name: Performance Regression Test
 
 on:
   pull_request:
-    branches: [main, v6]
+    branches: [main]
 
 jobs:
   benchmark:

.github/workflows/docs.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches: [main]
   pull_request:
-    branches: [main, v6]
+    branches: [main]
 
 jobs:
   lint:

.github/workflows/sop-test-suite.yml

@@ -2,7 +2,7 @@ name: SOP interoperability test suite
 
 on:
   pull_request:
-    branches: [ main, v6 ]
+    branches: [ main ]
 
 jobs:
 
@@ -10,7 +10,7 @@ jobs:
     name: Run interoperability test suite
     runs-on: ubuntu-latest
     container: 
-      image: ghcr.io/protonmail/openpgp-interop-test-docker:v1.1.10
+      image: ghcr.io/protonmail/openpgp-interop-test-docker:v1.1.12
       credentials:
         username: ${{ github.actor }}
         password: ${{ secrets.github_token }}

.github/workflows/tests.yml

@@ -4,7 +4,7 @@ on:
   push:
     branches: [main]
   pull_request:
-    branches: [main, v6]
+    branches: [main]
 
 jobs:
   build: # cache both dist and tests (non-lightweight only), based on commit hash
@@ -57,8 +57,15 @@ jobs:
 
   test-browsers-latest:
     name: Browsers (latest)
-    runs-on: ubuntu-latest
     needs: build
+    strategy:
+      fail-fast: false # if tests for one version fail, continue with the rest
+      matrix:
+        # run on all main platforms to test platform-specific code, if present
+        # (e.g. webkit's WebCrypto API implementation is different in macOS vs Linux)
+        # TODO: windows-latest fails to fetch resources from the wtr server; investigate if the problem is with path declaration or permissions
+        runner: ['ubuntu-latest', 'macos-latest']
+    runs-on: ${{ matrix.runner }}
 
     steps:
       - uses: actions/checkout@v4
@@ -79,17 +86,19 @@ jobs:
           npm pkg delete scripts.prepare
           npm ci
 
-      - name: Get Playwright version
+      - name: Get Playwright version and cache location
         id: playwright-version
         run: |
-          PLAYWRIGHT_VERSION=$(npm ls playwright | grep playwright | sed 's/.*@//')
+          PLAYWRIGHT_VERSION=$(npm ls playwright --depth=0 | grep playwright | sed 's/.*@//')
           echo "version=$PLAYWRIGHT_VERSION" >> $GITHUB_OUTPUT
+          PLAYWRIGHT_CACHE=${{ fromJSON('{"ubuntu-latest": "~/.cache/ms-playwright", "macos-latest": "~/Library/Caches/ms-playwright"}')[matrix.runner] }}
+          echo "playwright_cache=$PLAYWRIGHT_CACHE" >> $GITHUB_OUTPUT
       - name: Check for cached browsers
         id: cache-playwright-browsers
         uses: actions/cache@v4
         with:
-          path: ~/.cache/ms-playwright
-          key: playwright-browsers-${{ steps.playwright-version.outputs.version }}
+          path: ${{ steps.playwright-version.outputs.playwright_cache }}
+          key: playwright-browsers-${{ matrix.runner }}-${{ steps.playwright-version.outputs.version }}
       - name: Install browsers
         if: steps.cache-playwright-browsers.outputs.cache-hit != 'true'
         run: |
@@ -97,15 +106,16 @@ jobs:
           npx playwright install --with-deps firefox
 
       - name: Install WebKit # caching not possible, external shared libraries required
+        if: ${{ matrix.runner == 'macos-latest' }} # do not install on ubuntu, since the X25519 WebCrypto implementation has issues
         run: npx playwright install --with-deps webkit
 
       - name: Run browser tests
-        run: npm run test-browser
+        run: npm run test-browser:ci -- --static-logging
 
       - name: Run browser tests (lightweight) # overwrite test/lib
         run: |
           npm run build-test --lightweight
-          npm run test-browser
+          npm run test-browser:ci -- --static-logging
 
   test-browsers-compatibility:
     name: Browsers (older, on Browserstack)
@@ -119,6 +129,15 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
 
+      - name: Generate self-signed HTTPS certificates for web-test-runner server
+        uses: kofemann/action-create-certificate@v0.0.4
+        with:
+          hostcert: '127.0.0.1.pem'
+          hostkey:  '127.0.0.1-key.pem'
+          cachain:  'ca-chain.pem'
+      - name: Adjust HTTPS certificates permissions
+        run: sudo chown runner:docker *.pem
+
       - name: Install dependencies
         run: npm ci --ignore-scripts
 
@@ -139,12 +158,12 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Run browserstack tests
-        run: npm run test-browserstack
+        run: npm run test-browserstack -- --static-logging
 
       - name: Run browserstack tests (lightweight) # overwrite test/lib
         run: |
           npm run build-test --lightweight
-          npm run test-browserstack
+          npm run test-browserstack -- --static-logging
         env:
           LIGHTWEIGHT: true
 

README.md

@@ -1,7 +1,7 @@
-OpenPGP.js [![BrowserStack Status](https://automate.browserstack.com/badge.svg?badge_key=N1l2eHFOanVBMU9wYWxJM3ZnWERnc1lidkt5UkRqa3BralV3SWVhOGpGTT0tLVljSjE4Z3dzVmdiQjl6RWgxb2c3T2c9PQ==--5864052cd523f751b6b907d547ac9c4c5f88c8a3)](https://automate.browserstack.com/public-build/N1l2eHFOanVBMU9wYWxJM3ZnWERnc1lidkt5UkRqa3BralV3SWVhOGpGTT0tLVljSjE4Z3dzVmdiQjl6RWgxb2c3T2c9PQ==--5864052cd523f751b6b907d547ac9c4c5f88c8a3) [![Join the chat on Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/openpgpjs/openpgpjs?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+OpenPGP.js [![Join the chat on Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/openpgpjs/openpgpjs?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 ==========
 
-[OpenPGP.js](https://openpgpjs.org/) is a JavaScript implementation of the OpenPGP protocol. It implements the [crypto-refresh](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh) (superseding [RFC4880](https://tools.ietf.org/html/rfc4880) and [RFC4880bis](https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-10)).
+[OpenPGP.js](https://openpgpjs.org/) is a JavaScript implementation of the OpenPGP protocol. It implements [RFC 9580](https://datatracker.ietf.org/doc/rfc9580/) (superseding [RFC 4880](https://tools.ietf.org/html/rfc4880) and [RFC 4880bis](https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-10)).
 
 **Table of Contents**
 
@@ -35,29 +35,35 @@ OpenPGP.js [![BrowserStack Status](https://automate.browserstack.com/badge.svg?b
 
 * The `dist/openpgp.min.js` (or `.mjs`) bundle works with recent versions of Chrome, Firefox, Edge and Safari 14+.
 
-* The `dist/node/openpgp.min.mjs` (or `.cjs`) bundle works in Node.js v18+: it is used by default when you `import ... from 'openpgp'` (resp. `require('openpgp')`).
+* The `dist/node/openpgp.min.mjs` (or `.cjs`) bundle works in Node.js v18+: it is used by default when you `import ... from 'openpgp'` (or `require('openpgp')`, respectively).
+
+* Support for the [Web Cryptography API](https://w3c.github.io/webcrypto/)'s `SubtleCrypto` is required.
+  * In browsers, `SubtleCrypto` is only available in [secure contexts](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts).
+  * In supported versions of Node.js, `SubtleCrypto` is always available.
+
+* Support for the [Web Streams API](https://streams.spec.whatwg.org/) is required.
+  * In browsers: the latest versions of Chrome, Firefox, Edge and Safari support Streams, including `TransformStream`s.
+    These are needed if you use the library with stream inputs.
+    In previous versions of OpenPGP.js, Web Streams were automatically polyfilled by the library,
+    but from v6 this task is left up to the library user, due to the more extensive browser support, and the
+    polyfilling side-effects. If you're working with [older browsers versions which do not implement e.g. TransformStreams](https://developer.mozilla.org/en-US/docs/Web/API/TransformStream#browser_compatibility), you can manually
+    load the [Web Streams polyfill](https://github.com/MattiasBuelens/web-streams-polyfills).
+    Please note that when you load the polyfills, the global `ReadableStream` property (if it exists) gets overwritten with the polyfill version.
+    In some edge cases, you might need to use the native
+    `ReadableStream` (for example when using it to create a `Response`
+    object), in which case you should store a reference to it before loading
+    the polyfills. There is also the [web-streams-adapter](https://github.com/MattiasBuelens/web-streams-adapter)
+    library to convert back and forth between them.
+  * In Node.js: OpenPGP.js v6 no longer supports native Node `Readable` streams in inputs, and instead expects (and outputs) [Node's Web Streams](https://nodejs.org/api/webstreams.html#class-readablestream). [Node v17+ includes utilities to convert from and to Web Streams](https://nodejs.org/api/stream.html#streamreadabletowebstreamreadable-options).
 
-* Streaming support: the latest versions of Chrome, Firefox, Edge and Safari implement the
-[Streams specification](https://streams.spec.whatwg.org/), including `TransformStream`s.
-These are needed if you use the library with streamed inputs.
-In previous versions of OpenPGP.js, WebStreams were automatically polyfilled by the library,
-but from v6 this task is left up to the library user, due to the more extensive browser support, and the
-polyfilling side-effects. If you're working with [older browsers versions which do not implement e.g. TransformStreams](https://developer.mozilla.org/en-US/docs/Web/API/TransformStream), you can manually
-load [WebStream polyfill](https://github.com/MattiasBuelens/web-streams-polyfills).
-Please note that when you load the polyfills, the global `ReadableStream` property (if it exists) gets overwritten with the polyfill version.
-In some edge cases, you might need to use the native
-`ReadableStream` (for example when using it to create a `Response`
-object), in which case you should store a reference to it before loading
-the polyfills. There is also the [web-streams-adapter](https://github.com/MattiasBuelens/web-streams-adapter)
-library to convert back and forth between them.
 
 ### Performance
 
-* Version 3.0.0 of the library introduces support for public-key cryptography using [elliptic curves](https://wiki.gnupg.org/ECC). We use native implementations on browsers and Node.js when available. Elliptic curve cryptography provides stronger security per bits of key, which allows for much faster operations. Currently the following curves are supported:
+* Version 3.0.0 of the library introduced support for public-key cryptography using [elliptic curves](https://wiki.gnupg.org/ECC). We use native implementations on browsers and Node.js when available. Compared to RSA, elliptic curve cryptography provides stronger security per bits of key, which allows for much faster operations. Currently the following curves are supported:
 
     | Curve           | Encryption | Signature | NodeCrypto | WebCrypto | Constant-Time     |
     |:---------------:|:----------:|:---------:|:----------:|:---------:|:-----------------:|
-    | curve25519      | ECDH       | N/A       | No         | Yes*      | If native**      |
+    | curve25519      | ECDH       | N/A       | No         | No        | Algorithmically  |
     | ed25519         | N/A        | EdDSA     | No         | Yes*      | If native**      |
     | nistP256        | ECDH       | ECDSA     | Yes*       | Yes*      | If native**      |
     | nistP384        | ECDH       | ECDSA     | Yes*       | Yes*      | If native**      |
@@ -67,25 +73,22 @@ library to convert back and forth between them.
     | brainpoolP512r1 | ECDH       | ECDSA     | Yes*       | No        | If native**      |
     | secp256k1       | ECDH       | ECDSA     | Yes*       | No        | If native**      |
 
-   \* when available
+   \* when available  
    \** these curves are only constant-time if the underlying native implementation is available and constant-time
 
-* If the user's browser supports [native WebCrypto](https://caniuse.com/#feat=cryptography) via the `window.crypto.subtle` API, this will be used. Under Node.js the native [crypto module](https://nodejs.org/api/crypto.html#crypto_crypto) is used.
+* The platform's [native Web Crypto API](https://w3c.github.io/webcrypto/) is used for performance. On Node.js the native [crypto module](https://nodejs.org/api/crypto.html#crypto_crypto) is also used, in cases where it offers additional functionality.
 
-* The library implements authenticated encryption (AEAD) as per the ["crypto refresh" draft standard](https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh) using AES-OCB, EAX, or GCM. This makes symmetric encryption faster on platforms with native implementations. However, since the specification is very recent and other OpenPGP implementations are in the process of adopting it, the feature is currently behind a flag. **Note: activating this setting can break compatibility with other OpenPGP implementations which have yet to implement the feature.** You can enable it by setting `openpgp.config.aeadProtect = true`.
-Note that this setting has a different effect from the one in OpenPGP.js v6, which implemented support for a provisional version of AEAD from [RFC4880bis](https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-10), which was modified in a later draft of the crypto refresh.
+* The library implements authenticated encryption (AEAD) as per [RFC 9580](https://datatracker.ietf.org/doc/rfc9580/) using AES-GCM, OCB, or EAX. This makes symmetric encryption faster on platforms with native implementations. However, since the specification is very recent and other OpenPGP implementations are in the process of adopting it, the feature is currently behind a flag. **Note: activating this setting can break compatibility with other OpenPGP implementations which have yet to implement the feature.** You can enable it by setting `openpgp.config.aeadProtect = true`.
+  Note that this setting has a different effect from the one in OpenPGP.js v5, which implemented support for a provisional version of AEAD from [RFC 4880bis](https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-10), which was modified in RFC 9580.
 
   You can change the AEAD mode by setting one of the following options:
 
   ```
-  openpgp.config.preferredAEADAlgorithm = openpgp.enums.aead.ocb; // Default (widest ecosystem support), non-native
-  openpgp.config.preferredAEADAlgorithm = openpgp.enums.aead.gcm; // Native in WebCrypto and Node.js
+  openpgp.config.preferredAEADAlgorithm = openpgp.enums.aead.gcm; // Default, native in WebCrypto and Node.js
+  openpgp.config.preferredAEADAlgorithm = openpgp.enums.aead.ocb; // Non-native, but supported across RFC 9580 implementations
   openpgp.config.preferredAEADAlgorithm = openpgp.enums.aead.eax; // Native in Node.js
   ```
 
-* For environments that don't provide native crypto, the library falls back to [asm.js](https://caniuse.com/#feat=asmjs) AES and AEAD implementations.
-
-
 ### Getting started
 
 #### Node.js
@@ -386,14 +389,8 @@ Where the value can be any of:
 })();
 ```
 
-For more information on using ReadableStreams, see [the MDN Documentation on the
-Streams API](https://developer.mozilla.org/en-US/docs/Web/API/Streams_API).
-
-You can also pass a [Node.js `Readable`
-stream](https://nodejs.org/api/stream.html#stream_class_stream_readable), in
-which case OpenPGP.js will return a Node.js `Readable` stream as well, which you
-can `.pipe()` to a `Writable` stream, for example.
-
+For more information on using ReadableStreams (both in browsers and Node.js), see [the MDN Documentation on the
+Streams API](https://developer.mozilla.org/en-US/docs/Web/API/Streams_API) .
 
 #### Streaming encrypt and decrypt *String* data with PGP keys
 
@@ -667,7 +664,7 @@ To create your own build of the library, just run the following command after cl
 
     npm install && npm test
 
-For debugging browser errors, you can run `npm start` and open [`http://localhost:8080/test/unittests.html`](http://localhost:8080/test/unittests.html) in a browser, or run the following command:
+For debugging browser errors, run the following command:
 
     npm run browsertest
 

openpgp.d.ts

@@ -94,7 +94,7 @@ export class PrivateKey extends PublicKey {
   public revoke(reason?: ReasonForRevocation, date?: Date, config?: Config): Promise<PrivateKey>;
   public isDecrypted(): boolean;
   public addSubkey(options: SubkeyOptions): Promise<PrivateKey>;
-  public getDecryptionKeys(keyID?: KeyID, date?: Date | null, userID?: UserID, config?: Config): Promise<PrivateKey | Subkey>;
+  public getDecryptionKeys(keyID?: KeyID, date?: Date | null, userID?: UserID, config?: Config): Promise<(PrivateKey | Subkey)[]>;
   public update(sourceKey: PublicKey, date?: Date, config?: Config): Promise<PrivateKey>;
 }
 
@@ -702,7 +702,7 @@ export type EllipticCurveName = 'ed25519Legacy' | 'curve25519Legacy' | 'nistP256
 interface GenerateKeyOptions {
   userIDs: MaybeArray<UserID>;
   passphrase?: string;
-  type?: 'ecc' | 'rsa';
+  type?: 'ecc' | 'rsa' | 'curve25519' | 'curve448';
   curve?: EllipticCurveName;
   rsaBits?: number;
   keyExpirationTime?: number;
@@ -713,14 +713,8 @@ interface GenerateKeyOptions {
 }
 export type KeyOptions = GenerateKeyOptions;
 
-export interface SubkeyOptions {
-  type?: 'ecc' | 'rsa';
-  curve?: EllipticCurveName;
-  rsaBits?: number;
-  keyExpirationTime?: number;
-  date?: Date;
+export interface SubkeyOptions extends Pick<GenerateKeyOptions, 'type' | 'curve' | 'rsaBits' | 'keyExpirationTime' | 'date' | 'config'> {
   sign?: boolean;
-  config?: PartialConfig;
 }
 
 export declare class KeyID {
@@ -922,6 +916,8 @@ export namespace enums {
   export enum aead {
     eax = 1,
     ocb = 2,
+    gcm = 3,
+    /** @deprecated use `gcm` instead */
     experimentalGCM = 100 // Private algorithm
   }
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "openpgp",
   "description": "OpenPGP.js is a Javascript implementation of the OpenPGP protocol. This is defined in RFC 4880.",
-  "version": "6.0.0-beta.3.patch.1",
+  "version": "6.1.0",
   "license": "LGPL-3.0+",
   "homepage": "https://openpgpjs.org/",
   "engines": {
@@ -22,9 +22,9 @@
   "exports": {
     ".": {
       "types": "./openpgp.d.ts",
+      "browser": "./dist/openpgp.min.mjs",
       "import": "./dist/node/openpgp.mjs",
-      "require": "./dist/node/openpgp.min.cjs",
-      "browser": "./dist/openpgp.min.mjs"
+      "require": "./dist/node/openpgp.min.cjs"
     },
     "./lightweight": {
       "types": "./openpgp.d.ts",
@@ -49,35 +49,40 @@
     "test-type-definitions": "tsx test/typescript/definitions.ts",
     "benchmark-time": "node test/benchmarks/time.js",
     "benchmark-memory-usage": "node test/benchmarks/memory_usage.js",
-    "start": "http-server",
     "prebrowsertest": "npm run build-test",
-    "browsertest": "npm start -- -o test/unittests.html",
-    "test-browser": "karma start test/karma.conf.cjs",
-    "test-browserstack": "karma start test/karma.conf.cjs --browsers bs_safari_latest,bs_ios_14,bs_safari_14",
+    "browsertest": "web-test-runner --config test/web-test-runner.config.js --group local --manual --open",
+    "test-browser": "web-test-runner --config test/web-test-runner.config.js --group local --playwright --browsers chromium firefox webkit",
+    "test-browser:ci": "web-test-runner --config test/web-test-runner.config.js --group headless:ci",
+    "test-browserstack": "web-test-runner --config test/web-test-runner.browserstack.config.js",
     "coverage": "c8 npm test",
     "lint": "eslint .",
     "docs": "jsdoc --configure .jsdocrc.cjs --destination docs --recurse README.md src && printf '%s' 'docs.openpgpjs.org' > docs/CNAME",
     "preversion": "rm -rf dist docs node_modules && npm ci && npm test",
     "version": "npm run docs && git add -A docs",
-    "postversion": "git push && git push --tags && npm publish"
+    "postversion": "git push --follow-tags && npm publish"
   },
   "devDependencies": {
-    "@noble/ciphers": "^0.6.0",
-    "@noble/curves": "^1.6.0",
+    "@noble/ciphers": "^1.2.1",
+    "@noble/curves": "^1.8.1",
     "@noble/hashes": "^1.5.0",
     "@openpgp/jsdoc": "^3.6.11",
     "@openpgp/seek-bzip": "^1.0.5-git",
     "@openpgp/tweetnacl": "^1.0.4-1",
     "@openpgp/web-stream-tools": "~0.1.3",
-    "@rollup/plugin-alias": "^5.1.0",
+    "@rollup/plugin-alias": "^5.1.1",
     "@rollup/plugin-commonjs": "^25.0.8",
-    "@rollup/plugin-node-resolve": "^15.2.3",
+    "@rollup/plugin-node-resolve": "^15.3.0",
     "@rollup/plugin-replace": "^5.0.7",
     "@rollup/plugin-terser": "^0.4.4",
     "@rollup/plugin-typescript": "^11.1.6",
     "@rollup/plugin-wasm": "^6.2.2",
     "@types/chai": "^4.3.19",
+    "@types/sinon": "^17.0.3",
     "@typescript-eslint/parser": "^7.18.0",
+    "@web/test-runner": "^0.19.0",
+    "@web/test-runner-browserstack": "^0.7.2",
+    "@web/test-runner-mocha": "^0.9.0",
+    "@web/test-runner-playwright": "^0.11.0",
     "argon2id": "^1.0.1",
     "benchmark": "^2.1.4",
     "bn.js": "^5.2.1",
@@ -85,33 +90,29 @@
     "chai": "^4.4.1",
     "chai-as-promised": "^7.1.2",
     "eckey-utils": "^0.7.14",
-    "eslint": "^8.57.0",
+    "eslint": "^8.57.1",
     "eslint-config-airbnb": "^19.0.4",
     "eslint-config-airbnb-base": "^15.0.0",
     "eslint-config-airbnb-typescript": "^18.0.0",
     "eslint-import-resolver-typescript": "^3.6.3",
     "eslint-plugin-chai-friendly": "^0.7.4",
-    "eslint-plugin-import": "^2.30.0",
+    "eslint-plugin-import": "^2.31.0",
     "eslint-plugin-unicorn": "^48.0.1",
-    "fflate": "^0.7.4",
-    "http-server": "^14.1.1",
-    "karma": "^6.4.4",
-    "karma-browserstack-launcher": "^1.6.0",
-    "karma-chrome-launcher": "^3.2.0",
-    "karma-firefox-launcher": "^2.1.3",
-    "karma-mocha": "^2.0.1",
-    "karma-mocha-reporter": "^2.2.5",
-    "karma-webkit-launcher": "^2.6.0",
+    "fflate": "^0.8.2",
     "mocha": "^10.7.3",
-    "playwright": "^1.47.0",
-    "rollup": "^4.21.2",
+    "playwright": "^1.51.1",
+    "rollup": "^4.24.2",
     "sinon": "^18.0.1",
     "ts-node": "^10.9.2",
-    "tslib": "^2.7.0",
-    "tsx": "^4.19.0",
-    "typescript": "^5.5.4",
+    "tslib": "^2.8.0",
+    "tsx": "^4.19.2",
+    "typescript": "^5.6.3",
     "web-streams-polyfill": "^4.0.0"
   },
+  "overrides": {
+    "@web/dev-server-core": "npm:@openpgp/wtr-dev-server-core@0.7.3-patch.1",
+    "@web/test-runner-core": "npm:@openpgp/wtr-test-runner-core@0.13.4-patch.0"
+  },
   "repository": {
     "type": "git",
     "url": "https://github.com/openpgpjs/openpgpjs"

rollup.config.js

@@ -23,13 +23,20 @@ const wasmOptions = {
   browser: { targetEnv: 'browser', maxFileSize: undefined } // always inlline (our wasm files are small)
 };
 
-const getChunkFileName = (chunkInfo, extension) => {
-  // index files result in chunks named simply 'index', so we rename them to include the package name
-  if (chunkInfo.name === 'index') {
-    const packageName = chunkInfo.facadeModuleId.split('/').at(-2); // assume index file is under the root folder
-    return `${packageName}.${extension}`;
+const getChunkFileName = (chunkInfo, extension) => `[name].${extension}`;
+
+/**
+ * Dynamically imported modules which expose an index file as entrypoint end up with a chunk named `index`
+ * by default. We want to preserve the module name instead.
+ */
+const setManualChunkName = chunkId => {
+  if (chunkId.includes('seek-bzip')) {
+    return 'seek-bzip';
+  } else if (chunkId.includes('argon2id')) {
+    return 'argon2id';
+  } else {
+    return undefined;
   }
-  return `[name].${extension}`;
 };
 
 const banner =
@@ -50,112 +57,120 @@ const terserOptions = {
   }
 };
 
+const nodeBuild = {
+  input: 'src/index.js',
+  external: nodeBuiltinModules.concat(nodeDependencies),
+  output: [
+    { file: 'dist/node/openpgp.cjs', format: 'cjs', name: pkg.name, banner, intro },
+    { file: 'dist/node/openpgp.min.cjs', format: 'cjs', name: pkg.name, banner, intro, plugins: [terser(terserOptions)], sourcemap: true },
+    { file: 'dist/node/openpgp.mjs', format: 'es', banner, intro },
+    { file: 'dist/node/openpgp.min.mjs', format: 'es', banner, intro, plugins: [terser(terserOptions)], sourcemap: true }
+  ].map(options => ({ ...options, inlineDynamicImports: true })),
+  plugins: [
+    resolve({
+      exportConditions: ['node'] // needed for resolution of noble-curves import of '@noble/crypto' in Node 18
+    }),
+    typescript({
+      compilerOptions: { outDir: './dist/tmp-ts' }
+    }),
+    commonjs(),
+    replace({
+      'OpenPGP.js VERSION': `OpenPGP.js ${pkg.version}`
+    }),
+    wasm(wasmOptions.node)
+  ]
+};
+
+const fullBrowserBuild = {
+  input: 'src/index.js',
+  external: nodeBuiltinModules.concat(nodeDependencies),
+  output: [
+    { file: 'dist/openpgp.js', format: 'iife', name: pkg.name, banner, intro },
+    { file: 'dist/openpgp.min.js', format: 'iife', name: pkg.name, banner, intro, plugins: [terser(terserOptions)], sourcemap: true },
+    { file: 'dist/openpgp.mjs', format: 'es', banner, intro },
+    { file: 'dist/openpgp.min.mjs', format: 'es', banner, intro, plugins: [terser(terserOptions)], sourcemap: true }
+  ].map(options => ({ ...options, inlineDynamicImports: true })),
+  plugins: [
+    resolve({
+      browser: true
+    }),
+    typescript({
+      compilerOptions: { outDir: './dist/tmp-ts' } // to avoid js files being overwritten
+    }),
+    commonjs({
+      ignore: nodeBuiltinModules.concat(nodeDependencies)
+    }),
+    replace({
+      'OpenPGP.js VERSION': `OpenPGP.js ${pkg.version}`,
+      "import { createRequire } from 'module';": 'const createRequire = () => () => {}',
+      delimiters: ['', '']
+    }),
+    wasm(wasmOptions.browser)
+  ]
+};
+
+const lightweightBrowserBuild = {
+  input: 'src/index.js',
+  external: nodeBuiltinModules.concat(nodeDependencies),
+  output: [
+    { entryFileNames: 'openpgp.mjs', chunkFileNames: chunkInfo => getChunkFileName(chunkInfo, 'mjs') },
+    { entryFileNames: 'openpgp.min.mjs', chunkFileNames: chunkInfo => getChunkFileName(chunkInfo, 'min.mjs'), plugins: [terser(terserOptions)], sourcemap: true }
+  ].map(options => ({ ...options, dir: 'dist/lightweight', manualChunks: setManualChunkName, format: 'es', banner, intro })),
+  preserveEntrySignatures: 'exports-only',
+  plugins: [
+    resolve({
+      browser: true
+    }),
+    typescript({
+      compilerOptions: { outDir: './dist/lightweight/tmp-ts' }
+    }),
+    commonjs({
+      ignore: nodeBuiltinModules.concat(nodeDependencies)
+    }),
+    replace({
+      'OpenPGP.js VERSION': `OpenPGP.js ${pkg.version}`,
+      "import { createRequire } from 'module';": 'const createRequire = () => () => {}',
+      delimiters: ['', '']
+    }),
+    wasm(wasmOptions.browser)
+  ]
+};
+
+const testBuild = {
+  input: 'test/unittests.js',
+  output: [
+    { file: 'test/lib/unittests-bundle.js', format: 'es', intro, sourcemap: true, inlineDynamicImports: true }
+  ],
+  external: nodeBuiltinModules.concat(nodeDependencies),
+  plugins: [
+    alias({
+      entries: {
+        openpgp: `./dist/${process.env.npm_config_lightweight ? 'lightweight/' : ''}openpgp.mjs`
+      }
+    }),
+    resolve({
+      browser: true
+    }),
+    typescript({
+      compilerOptions: { outDir: './test/lib/tmp-ts' }
+    }),
+    commonjs({
+      ignore: nodeBuiltinModules.concat(nodeDependencies),
+      requireReturnsDefault: 'preferred'
+    }),
+    replace({
+      "import { createRequire } from 'module';": 'const createRequire = () => () => {}',
+      delimiters: ['', '']
+    }),
+    wasm(wasmOptions.browser)
+  ]
+};
+
 export default Object.assign([
-  {
-    input: 'src/index.js',
-    external: nodeBuiltinModules.concat(nodeDependencies),
-    output: [
-      { file: 'dist/openpgp.js', format: 'iife', name: pkg.name, banner, intro },
-      { file: 'dist/openpgp.min.js', format: 'iife', name: pkg.name, banner, intro, plugins: [terser(terserOptions)], sourcemap: true },
-      { file: 'dist/openpgp.mjs', format: 'es', banner, intro },
-      { file: 'dist/openpgp.min.mjs', format: 'es', banner, intro, plugins: [terser(terserOptions)], sourcemap: true }
-    ].map(options => ({ ...options, inlineDynamicImports: true })),
-    plugins: [
-      resolve({
-        browser: true
-      }),
-      typescript({
-        compilerOptions: { outDir: './dist/tmp-ts' } // to avoid js files being overwritten
-      }),
-      commonjs({
-        ignore: nodeBuiltinModules.concat(nodeDependencies)
-      }),
-      replace({
-        'OpenPGP.js VERSION': `OpenPGP.js ${pkg.version}`,
-        "import { createRequire } from 'module';": 'const createRequire = () => () => {}',
-        delimiters: ['', '']
-      }),
-      wasm(wasmOptions.browser)
-    ]
-  },
-  {
-    input: 'src/index.js',
-    external: nodeBuiltinModules.concat(nodeDependencies),
-    output: [
-      { file: 'dist/node/openpgp.cjs', format: 'cjs', name: pkg.name, banner, intro },
-      { file: 'dist/node/openpgp.min.cjs', format: 'cjs', name: pkg.name, banner, intro, plugins: [terser(terserOptions)], sourcemap: true },
-      { file: 'dist/node/openpgp.mjs', format: 'es', banner, intro },
-      { file: 'dist/node/openpgp.min.mjs', format: 'es', banner, intro, plugins: [terser(terserOptions)], sourcemap: true }
-    ].map(options => ({ ...options, inlineDynamicImports: true })),
-    plugins: [
-      resolve({
-        exportConditions: ['node'] // needed for resolution of noble-curves import of '@noble/crypto' in Node 18
-      }),
-      typescript({
-        compilerOptions: { outDir: './dist/tmp-ts' }
-      }),
-      commonjs(),
-      replace({
-        'OpenPGP.js VERSION': `OpenPGP.js ${pkg.version}`
-      }),
-      wasm(wasmOptions.node)
-    ]
-  },
-  {
-    input: 'src/index.js',
-    external: nodeBuiltinModules.concat(nodeDependencies),
-    output: [
-      { dir: 'dist/lightweight', entryFileNames: 'openpgp.mjs', chunkFileNames: chunkInfo => getChunkFileName(chunkInfo, 'mjs'), format: 'es', banner, intro },
-      { dir: 'dist/lightweight', entryFileNames: 'openpgp.min.mjs', chunkFileNames: chunkInfo => getChunkFileName(chunkInfo, 'min.mjs'), format: 'es', banner, intro, plugins: [terser(terserOptions)], sourcemap: true }
-    ],
-    preserveEntrySignatures: 'exports-only',
-    plugins: [
-      resolve({
-        browser: true
-      }),
-      typescript({
-        compilerOptions: { outDir: './dist/lightweight/tmp-ts' }
-      }),
-      commonjs({
-        ignore: nodeBuiltinModules.concat(nodeDependencies)
-      }),
-      replace({
-        'OpenPGP.js VERSION': `OpenPGP.js ${pkg.version}`,
-        "import { createRequire } from 'module';": 'const createRequire = () => () => {}',
-        delimiters: ['', '']
-      }),
-      wasm(wasmOptions.browser)
-    ]
-  },
-  {
-    input: 'test/unittests.js',
-    output: [
-      { file: 'test/lib/unittests-bundle.js', format: 'es', intro, sourcemap: true, inlineDynamicImports: true }
-    ],
-    external: nodeBuiltinModules.concat(nodeDependencies),
-    plugins: [
-      alias({
-        entries: {
-          openpgp: `./dist/${process.env.npm_config_lightweight ? 'lightweight/' : ''}openpgp.mjs`
-        }
-      }),
-      resolve({
-        browser: true
-      }),
-      typescript({
-        compilerOptions: { outDir: './test/lib/tmp-ts' }
-      }),
-      commonjs({
-        ignore: nodeBuiltinModules.concat(nodeDependencies),
-        requireReturnsDefault: 'preferred'
-      }),
-      replace({
-        "import { createRequire } from 'module';": 'const createRequire = () => () => {}',
-        delimiters: ['', '']
-      }),
-      wasm(wasmOptions.browser)
-    ]
-  }
+  nodeBuild,
+  fullBrowserBuild,
+  lightweightBrowserBuild,
+  testBuild
 ].filter(config => {
   config.output = config.output.filter(output => {
     return (output.file || output.dir + '/' + output.entryFileNames).includes(

src/cleartext.js

@@ -59,20 +59,22 @@ export class CleartextMessage {
 
   /**
    * Sign the cleartext message
-   * @param {Array<Key>} privateKeys - private keys with decrypted secret key data for signing
+   * @param {Array<Key>} signingKeys - private keys with decrypted secret key data for signing
+   * @param {Array<Key>} recipientKeys - recipient keys to get the signing preferences from
    * @param {Signature} [signature] - Any existing detached signature
    * @param {Array<module:type/keyid~KeyID>} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to privateKeys[i]
    * @param {Date} [date] - The creation time of the signature that should be created
-   * @param {Array} [userIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
+   * @param {Array} [signingKeyIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]
+   * @param {Array} [recipientUserIDs] - User IDs associated with `recipientKeys` to get the signing preferences from
    * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]
    * @param {Object} [config] - Full configuration, defaults to openpgp.config
    * @returns {Promise<CleartextMessage>} New cleartext message with signed content.
    * @async
    */
-  async sign(privateKeys, signature = null, signingKeyIDs = [], date = new Date(), userIDs = [], notations = [], config = defaultConfig) {
+  async sign(signingKeys, recipientKeys = [], signature = null, signingKeyIDs = [], date = new Date(), signingUserIDs = [], recipientUserIDs = [], notations = [], config = defaultConfig) {
     const literalDataPacket = new LiteralDataPacket();
     literalDataPacket.setText(this.text);
-    const newSignature = new Signature(await createSignaturePackets(literalDataPacket, privateKeys, signature, signingKeyIDs, date, userIDs, notations, true, config));
+    const newSignature = new Signature(await createSignaturePackets(literalDataPacket, signingKeys, recipientKeys, signature, signingKeyIDs, date, signingUserIDs, recipientUserIDs, notations, true, config));
     return new CleartextMessage(this.text, newSignature);
   }
 

src/config/config.js

@@ -26,7 +26,7 @@ export default {
    * @memberof module:config
    * @property {Integer} preferredHashAlgorithm Default hash algorithm {@link module:enums.hash}
    */
-  preferredHashAlgorithm: enums.hash.sha256,
+  preferredHashAlgorithm: enums.hash.sha512,
   /**
    * @memberof module:config
    * @property {Integer} preferredSymmetricAlgorithm Default encryption cipher {@link module:enums.symmetric}

src/crypto/cipher/index.js

@@ -11,7 +11,8 @@ export async function getLegacyCipher(algo) {
     case enums.symmetric.twofish:
     case enums.symmetric.tripledes: {
       const { legacyCiphers } = await import('./legacy_ciphers');
-      const cipher = legacyCiphers.get(algo);
+      const algoName = enums.read(enums.symmetric, algo);
+      const cipher = legacyCiphers.get(algoName);
       if (!cipher) {
         throw new Error('Unsupported cipher algorithm');
       }

src/crypto/cipher/legacy_ciphers.js

@@ -3,15 +3,16 @@
  * Separate dynamic imports are not convenient as they result in multiple chunks.
  */
 
-import { TripleDES } from './des';
-import CAST5 from './cast5';
-import TwoFish from './twofish';
-import BlowFish from './blowfish';
-import enums from '../../enums';
+import { TripleDES as tripledes } from './des';
+import cast5 from './cast5';
+import twofish from './twofish';
+import blowfish from './blowfish';
 
-export const legacyCiphers = new Map([
-  [enums.symmetric.tripledes, TripleDES],
-  [enums.symmetric.cast5, CAST5],
-  [enums.symmetric.blowfish, BlowFish],
-  [enums.symmetric.twofish, TwoFish]
-]);
+// We avoid importing 'enums' as this module is lazy loaded, and doing so could mess up
+// chunking for the lightweight build
+export const legacyCiphers = new Map(Object.entries({
+  tripledes,
+  cast5,
+  twofish,
+  blowfish
+}));

src/crypto/cipherMode/cfb.js

@@ -23,10 +23,11 @@
 
 import { cfb as nobleAesCfb, unsafe as nobleAesHelpers } from '@noble/ciphers/aes';
 
-import * as stream from '@openpgp/web-stream-tools';
+import { transform as streamTransform } from '@openpgp/web-stream-tools';
 import util from '../../util';
 import enums from '../../enums';
 import { getLegacyCipher, getCipherParams } from '../cipher';
+import { getRandomBytes } from '../random';
 
 const webCrypto = util.getWebCrypto();
 const nodeCrypto = util.getNodeCrypto();
@@ -43,6 +44,20 @@ const nodeAlgos = {
   /* twofish is not implemented in OpenSSL */
 };
 
+/**
+ * Generates a random byte prefix for the specified algorithm
+ * See {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC 4880 9.2} for algorithms.
+ * @param {module:enums.symmetric} algo - Symmetric encryption algorithm
+ * @returns {Promise<Uint8Array>} Random bytes with length equal to the block size of the cipher, plus the last two bytes repeated.
+ * @async
+ */
+export async function getPrefixRandom(algo) {
+  const { blockSize } = getCipherParams(algo);
+  const prefixrandom = await getRandomBytes(blockSize);
+  const repeat = new Uint8Array([prefixrandom[prefixrandom.length - 2], prefixrandom[prefixrandom.length - 1]]);
+  return util.concat([prefixrandom, repeat]);
+}
+
 /**
  * CFB encryption
  * @param {enums.symmetric} algo - block cipher algorithm
@@ -84,7 +99,7 @@ export async function encrypt(algo, key, plaintext, iv, config) {
     }
     return ciphertext.subarray(0, j);
   };
-  return stream.transform(plaintext, process, process);
+  return streamTransform(plaintext, process, process);
 }
 
 /**
@@ -127,7 +142,7 @@ export async function decrypt(algo, key, ciphertext, iv) {
     }
     return plaintext.subarray(0, j);
   };
-  return stream.transform(ciphertext, process, process);
+  return streamTransform(ciphertext, process, process);
 }
 
 class WebCryptoEncryptor {
@@ -331,10 +346,10 @@ class NobleStreamProcessor {
 async function aesEncrypt(algo, key, pt, iv) {
   if (webCrypto && await WebCryptoEncryptor.isSupported(algo)) { // Chromium does not implement AES with 192-bit keys
     const cfb = new WebCryptoEncryptor(algo, key, iv);
-    return util.isStream(pt) ? stream.transform(pt, value => cfb.encryptChunk(value), () => cfb.finish()) : cfb.encrypt(pt);
-  } else if (util.isStream(pt)) { // async callbacks are not accepted by stream.transform unless the input is a stream
+    return util.isStream(pt) ? streamTransform(pt, value => cfb.encryptChunk(value), () => cfb.finish()) : cfb.encrypt(pt);
+  } else if (util.isStream(pt)) { // async callbacks are not accepted by streamTransform unless the input is a stream
     const cfb = new NobleStreamProcessor(true, algo, key, iv);
-    return stream.transform(pt, value => cfb.processChunk(value), () => cfb.finish());
+    return streamTransform(pt, value => cfb.processChunk(value), () => cfb.finish());
   }
   return nobleAesCfb(key, iv).encrypt(pt);
 }
@@ -342,7 +357,7 @@ async function aesEncrypt(algo, key, pt, iv) {
 async function aesDecrypt(algo, key, ct, iv) {
   if (util.isStream(ct)) {
     const cfb = new NobleStreamProcessor(false, algo, key, iv);
-    return stream.transform(ct, value => cfb.processChunk(value), () => cfb.finish());
+    return streamTransform(ct, value => cfb.processChunk(value), () => cfb.finish());
   }
   return nobleAesCfb(key, iv).decrypt(ct);
 }
@@ -359,11 +374,11 @@ const getUint32Array = arr => new Uint32Array(arr.buffer, arr.byteOffset, Math.f
 function nodeEncrypt(algo, key, pt, iv) {
   const algoName = enums.read(enums.symmetric, algo);
   const cipherObj = new nodeCrypto.createCipheriv(nodeAlgos[algoName], key, iv);
-  return stream.transform(pt, value => new Uint8Array(cipherObj.update(value)));
+  return streamTransform(pt, value => new Uint8Array(cipherObj.update(value)));
 }
 
 function nodeDecrypt(algo, key, ct, iv) {
   const algoName = enums.read(enums.symmetric, algo);
   const decipherObj = new nodeCrypto.createDecipheriv(nodeAlgos[algoName], key, iv);
-  return stream.transform(ct, value => new Uint8Array(decipherObj.update(value)));
+  return streamTransform(ct, value => new Uint8Array(decipherObj.update(value)));
 }

src/crypto/cipherMode/index.js

@@ -0,0 +1,35 @@
+/**
+ * @fileoverview Cipher modes
+ * @module crypto/cipherMode
+ */
+
+export * as cfb from './cfb';
+import eax from './eax';
+import ocb from './ocb';
+import gcm from './gcm';
+import enums from '../../enums';
+
+/**
+* Get implementation of the given AEAD mode
+* @param {enums.aead} algo
+* @param {Boolean} [acceptExperimentalGCM] - whether to allow the non-standard, legacy `experimentalGCM` algo
+* @returns {Object}
+* @throws {Error} on invalid algo
+*/
+export function getAEADMode(algo, acceptExperimentalGCM = false) {
+  switch (algo) {
+    case enums.aead.eax:
+      return eax;
+    case enums.aead.ocb:
+      return ocb;
+    case enums.aead.gcm:
+      return gcm;
+    case enums.aead.experimentalGCM:
+      if (!acceptExperimentalGCM) {
+        throw new Error('Unexpected non-standard `experimentalGCM` AEAD algorithm provided in `config.preferredAEADAlgorithm`: use `gcm` instead');
+      }
+      return gcm;
+    default:
+      throw new Error('Unsupported AEAD mode');
+  }
+}

src/crypto/cipherMode/ocb.js

@@ -73,9 +73,8 @@ async function OCB(cipher, key) {
   // `encipher` and `decipher` cannot be async, since `crypt` shares state across calls,
   // hence its execution cannot be broken up.
   // As a result, WebCrypto cannot currently be used for `encipher`.
-  const aes = nobleAesCbc(key, zeroBlock, { disablePadding: true });
-  const encipher = block => aes.encrypt(block);
-  const decipher = block => aes.decrypt(block);
+  const encipher = block => nobleAesCbc(key, zeroBlock, { disablePadding: true }).encrypt(block);
+  const decipher = block => nobleAesCbc(key, zeroBlock, { disablePadding: true }).decrypt(block);
   let mask;
 
   constructKeyVariables(cipher, key);

src/crypto/crypto.js

@@ -23,8 +23,7 @@
  * @module crypto/crypto
  */
 
-import publicKey from './public_key';
-import mode from './mode';
+import { rsa, elliptic, elgamal, dsa } from './public_key';
 import { getRandomBytes } from './random';
 import { getCipherParams } from './cipher';
 import ECDHSymkey from '../type/ecdh_symkey';
@@ -51,16 +50,16 @@ export async function publicKeyEncrypt(keyAlgo, symmetricAlgo, publicParams, dat
     case enums.publicKey.rsaEncrypt:
     case enums.publicKey.rsaEncryptSign: {
       const { n, e } = publicParams;
-      const c = await publicKey.rsa.encrypt(data, n, e);
+      const c = await rsa.encrypt(data, n, e);
       return { c };
     }
     case enums.publicKey.elgamal: {
       const { p, g, y } = publicParams;
-      return publicKey.elgamal.encrypt(data, p, g, y);
+      return elgamal.encrypt(data, p, g, y);
     }
     case enums.publicKey.ecdh: {
       const { oid, Q, kdfParams } = publicParams;
-      const { publicKey: V, wrappedKey: C } = await publicKey.elliptic.ecdh.encrypt(
+      const { publicKey: V, wrappedKey: C } = await elliptic.ecdh.encrypt(
         oid, kdfParams, data, Q, fingerprint);
       return { V, C: new ECDHSymkey(C) };
     }
@@ -71,7 +70,7 @@ export async function publicKeyEncrypt(keyAlgo, symmetricAlgo, publicParams, dat
         throw new Error('X25519 and X448 keys can only encrypt AES session keys');
       }
       const { A } = publicParams;
-      const { ephemeralPublicKey, wrappedKey } = await publicKey.elliptic.ecdhX.encrypt(
+      const { ephemeralPublicKey, wrappedKey } = await elliptic.ecdhX.encrypt(
         keyAlgo, data, A);
       const C = ECDHXSymmetricKey.fromObject({ algorithm: symmetricAlgo, wrappedKey });
       return { ephemeralPublicKey, C };
@@ -102,19 +101,19 @@ export async function publicKeyDecrypt(algo, publicKeyParams, privateKeyParams,
       const { c } = sessionKeyParams;
       const { n, e } = publicKeyParams;
       const { d, p, q, u } = privateKeyParams;
-      return publicKey.rsa.decrypt(c, n, e, d, p, q, u, randomPayload);
+      return rsa.decrypt(c, n, e, d, p, q, u, randomPayload);
     }
     case enums.publicKey.elgamal: {
       const { c1, c2 } = sessionKeyParams;
       const p = publicKeyParams.p;
       const x = privateKeyParams.x;
-      return publicKey.elgamal.decrypt(c1, c2, p, x, randomPayload);
+      return elgamal.decrypt(c1, c2, p, x, randomPayload);
     }
     case enums.publicKey.ecdh: {
       const { oid, Q, kdfParams } = publicKeyParams;
       const { d } = privateKeyParams;
       const { V, C } = sessionKeyParams;
-      return publicKey.elliptic.ecdh.decrypt(
+      return elliptic.ecdh.decrypt(
         oid, kdfParams, V, C.data, Q, d, fingerprint);
     }
     case enums.publicKey.x25519:
@@ -125,7 +124,7 @@ export async function publicKeyDecrypt(algo, publicKeyParams, privateKeyParams,
       if (C.algorithm !== null && !util.isAES(C.algorithm)) {
         throw new Error('AES session key expected');
       }
-      return publicKey.elliptic.ecdhX.decrypt(
+      return elliptic.ecdhX.decrypt(
         algo, ephemeralPublicKey, C.wrappedKey, A, k);
     }
     default:
@@ -338,22 +337,22 @@ export function generateParams(algo, bits, oid) {
     case enums.publicKey.rsaEncrypt:
     case enums.publicKey.rsaEncryptSign:
     case enums.publicKey.rsaSign:
-      return publicKey.rsa.generate(bits, 65537).then(({ n, e, d, p, q, u }) => ({
+      return rsa.generate(bits, 65537).then(({ n, e, d, p, q, u }) => ({
         privateParams: { d, p, q, u },
         publicParams: { n, e }
       }));
     case enums.publicKey.ecdsa:
-      return publicKey.elliptic.generate(oid).then(({ oid, Q, secret }) => ({
+      return elliptic.generate(oid).then(({ oid, Q, secret }) => ({
         privateParams: { d: secret },
         publicParams: { oid: new OID(oid), Q }
       }));
     case enums.publicKey.eddsaLegacy:
-      return publicKey.elliptic.generate(oid).then(({ oid, Q, secret }) => ({
+      return elliptic.generate(oid).then(({ oid, Q, secret }) => ({
         privateParams: { seed: secret },
         publicParams: { oid: new OID(oid), Q }
       }));
     case enums.publicKey.ecdh:
-      return publicKey.elliptic.generate(oid).then(({ oid, Q, secret, hash, cipher }) => ({
+      return elliptic.generate(oid).then(({ oid, Q, secret, hash, cipher }) => ({
         privateParams: { d: secret },
         publicParams: {
           oid: new OID(oid),
@@ -363,13 +362,13 @@ export function generateParams(algo, bits, oid) {
       }));
     case enums.publicKey.ed25519:
     case enums.publicKey.ed448:
-      return publicKey.elliptic.eddsa.generate(algo).then(({ A, seed }) => ({
+      return elliptic.eddsa.generate(algo).then(({ A, seed }) => ({
         privateParams: { seed },
         publicParams: { A }
       }));
     case enums.publicKey.x25519:
     case enums.publicKey.x448:
-      return publicKey.elliptic.ecdhX.generate(algo).then(({ A, k }) => ({
+      return elliptic.ecdhX.generate(algo).then(({ A, k }) => ({
         privateParams: { k },
         publicParams: { A }
       }));
@@ -399,21 +398,21 @@ export async function validateParams(algo, publicParams, privateParams) {
     case enums.publicKey.rsaSign: {
       const { n, e } = publicParams;
       const { d, p, q, u } = privateParams;
-      return publicKey.rsa.validateParams(n, e, d, p, q, u);
+      return rsa.validateParams(n, e, d, p, q, u);
     }
     case enums.publicKey.dsa: {
       const { p, q, g, y } = publicParams;
       const { x } = privateParams;
-      return publicKey.dsa.validateParams(p, q, g, y, x);
+      return dsa.validateParams(p, q, g, y, x);
     }
     case enums.publicKey.elgamal: {
       const { p, g, y } = publicParams;
       const { x } = privateParams;
-      return publicKey.elgamal.validateParams(p, g, y, x);
+      return elgamal.validateParams(p, g, y, x);
     }
     case enums.publicKey.ecdsa:
     case enums.publicKey.ecdh: {
-      const algoModule = publicKey.elliptic[enums.read(enums.publicKey, algo)];
+      const algoModule = elliptic[enums.read(enums.publicKey, algo)];
       const { oid, Q } = publicParams;
       const { d } = privateParams;
       return algoModule.validateParams(oid, Q, d);
@@ -421,39 +420,25 @@ export async function validateParams(algo, publicParams, privateParams) {
     case enums.publicKey.eddsaLegacy: {
       const { Q, oid } = publicParams;
       const { seed } = privateParams;
-      return publicKey.elliptic.eddsaLegacy.validateParams(oid, Q, seed);
+      return elliptic.eddsaLegacy.validateParams(oid, Q, seed);
     }
     case enums.publicKey.ed25519:
     case enums.publicKey.ed448: {
       const { A } = publicParams;
       const { seed } = privateParams;
-      return publicKey.elliptic.eddsa.validateParams(algo, A, seed);
+      return elliptic.eddsa.validateParams(algo, A, seed);
     }
     case enums.publicKey.x25519:
     case enums.publicKey.x448: {
       const { A } = publicParams;
       const { k } = privateParams;
-      return publicKey.elliptic.ecdhX.validateParams(algo, A, k);
+      return elliptic.ecdhX.validateParams(algo, A, k);
     }
     default:
       throw new Error('Unknown public key algorithm.');
   }
 }
 
-/**
- * Generates a random byte prefix for the specified algorithm
- * See {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC 4880 9.2} for algorithms.
- * @param {module:enums.symmetric} algo - Symmetric encryption algorithm
- * @returns {Promise<Uint8Array>} Random bytes with length equal to the block size of the cipher, plus the last two bytes repeated.
- * @async
- */
-export async function getPrefixRandom(algo) {
-  const { blockSize } = getCipherParams(algo);
-  const prefixrandom = await getRandomBytes(blockSize);
-  const repeat = new Uint8Array([prefixrandom[prefixrandom.length - 2], prefixrandom[prefixrandom.length - 1]]);
-  return util.concat([prefixrandom, repeat]);
-}
-
 /**
  * Generating a session key for the specified symmetric algorithm
  * See {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC 4880 9.2} for algorithms.
@@ -465,17 +450,6 @@ export function generateSessionKey(algo) {
   return getRandomBytes(keySize);
 }
 
-/**
- * Get implementation of the given AEAD mode
- * @param {enums.aead} algo
- * @returns {Object}
- * @throws {Error} on invalid algo
- */
-export function getAEADMode(algo) {
-  const algoName = enums.read(enums.aead, algo);
-  return mode[algoName];
-}
-
 /**
  * Check whether the given curve OID is supported
  * @param {module:type/oid} oid - EC object identifier
@@ -499,13 +473,13 @@ export function getCurvePayloadSize(algo, oid) {
     case enums.publicKey.ecdsa:
     case enums.publicKey.ecdh:
     case enums.publicKey.eddsaLegacy:
-      return new publicKey.elliptic.CurveWithOID(oid).payloadSize;
+      return new elliptic.CurveWithOID(oid).payloadSize;
     case enums.publicKey.ed25519:
     case enums.publicKey.ed448:
-      return publicKey.elliptic.eddsa.getPayloadSize(algo);
+      return elliptic.eddsa.getPayloadSize(algo);
     case enums.publicKey.x25519:
     case enums.publicKey.x448:
-      return publicKey.elliptic.ecdhX.getPayloadSize(algo);
+      return elliptic.ecdhX.getPayloadSize(algo);
     default:
       throw new Error('Unknown elliptic algo');
   }
@@ -520,14 +494,12 @@ export function getPreferredCurveHashAlgo(algo, oid) {
   switch (algo) {
     case enums.publicKey.ecdsa:
     case enums.publicKey.eddsaLegacy:
-      return publicKey.elliptic.getPreferredHashAlgo(oid);
+      return elliptic.getPreferredHashAlgo(oid);
     case enums.publicKey.ed25519:
     case enums.publicKey.ed448:
-      return publicKey.elliptic.eddsa.getPreferredHashAlgo(algo);
+      return elliptic.eddsa.getPreferredHashAlgo(algo);
     default:
       throw new Error('Unknown elliptic signing algo');
   }
 }
 
-
-export { getCipherParams };

src/crypto/hash/index.js

@@ -5,8 +5,7 @@
  * @module crypto/hash
  */
 
-import * as stream from '@openpgp/web-stream-tools';
-import md5 from './md5';
+import { transform as streamTransform, isArrayStream, readToEnd as streamReadToEnd } from '@openpgp/web-stream-tools';
 import util from '../../util';
 import enums from '../../enums';
 
@@ -20,7 +19,7 @@ function nodeHash(type) {
   }
   return async function (data) {
     const shasum = nodeCrypto.createHash(type);
-    return stream.transform(data, value => {
+    return streamTransform(data, value => {
       shasum.update(value);
     }, () => new Uint8Array(shasum.digest()));
   };
@@ -35,14 +34,14 @@ function nobleHash(nobleHashName, webCryptoHashName) {
   };
 
   return async function(data) {
-    if (stream.isArrayStream(data)) {
-      data = await stream.readToEnd(data);
+    if (isArrayStream(data)) {
+      data = await streamReadToEnd(data);
     }
     if (util.isStream(data)) {
       const hash = await getNobleHash();
 
       const hashInstance = hash.create();
-      return stream.transform(data, value => {
+      return streamTransform(data, value => {
         hashInstance.update(value);
       }, () => hashInstance.digest());
     } else if (webCrypto && webCryptoHashName) {
@@ -55,76 +54,72 @@ function nobleHash(nobleHashName, webCryptoHashName) {
   };
 }
 
-export default {
+const md5 = nodeHash('md5') || nobleHash('md5');
+const sha1 = nodeHash('sha1') || nobleHash('sha1', 'SHA-1');
+const sha224 = nodeHash('sha224') || nobleHash('sha224');
+const sha256 = nodeHash('sha256') || nobleHash('sha256', 'SHA-256');
+const sha384 = nodeHash('sha384') || nobleHash('sha384', 'SHA-384');
+const sha512 = nodeHash('sha512') || nobleHash('sha512', 'SHA-512');
+const ripemd = nodeHash('ripemd160') || nobleHash('ripemd160');
+const sha3_256 = nodeHash('sha3-256') || nobleHash('sha3_256');
+const sha3_512 = nodeHash('sha3-512') || nobleHash('sha3_512');
 
-  /** @see module:md5 */
-  md5: nodeHash('md5') || md5,
-  sha1: nodeHash('sha1') || nobleHash('sha1', 'SHA-1'),
-  sha224: nodeHash('sha224') || nobleHash('sha224'),
-  sha256: nodeHash('sha256') || nobleHash('sha256', 'SHA-256'),
-  sha384: nodeHash('sha384') || nobleHash('sha384', 'SHA-384'),
-  sha512: nodeHash('sha512') || nobleHash('sha512', 'SHA-512'),
-  ripemd: nodeHash('ripemd160') || nobleHash('ripemd160'),
-  sha3_256: nodeHash('sha3-256') || nobleHash('sha3_256'),
-  sha3_512: nodeHash('sha3-512') || nobleHash('sha3_512'),
-
-  /**
-   * Create a hash on the specified data using the specified algorithm
-   * @param {module:enums.hash} algo - Hash algorithm type (see {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC 4880 9.4})
-   * @param {Uint8Array} data - Data to be hashed
-   * @returns {Promise<Uint8Array>} Hash value.
-   */
-  digest: function(algo, data) {
-    switch (algo) {
-      case enums.hash.md5:
-        return this.md5(data);
-      case enums.hash.sha1:
-        return this.sha1(data);
-      case enums.hash.ripemd:
-        return this.ripemd(data);
-      case enums.hash.sha256:
-        return this.sha256(data);
-      case enums.hash.sha384:
-        return this.sha384(data);
-      case enums.hash.sha512:
-        return this.sha512(data);
-      case enums.hash.sha224:
-        return this.sha224(data);
-      case enums.hash.sha3_256:
-        return this.sha3_256(data);
-      case enums.hash.sha3_512:
-        return this.sha3_512(data);
-      default:
-        throw new Error('Unsupported hash function');
-    }
-  },
-
-  /**
-   * Returns the hash size in bytes of the specified hash algorithm type
-   * @param {module:enums.hash} algo - Hash algorithm type (See {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC 4880 9.4})
-   * @returns {Integer} Size in bytes of the resulting hash.
-   */
-  getHashByteLength: function(algo) {
-    switch (algo) {
-      case enums.hash.md5:
-        return 16;
-      case enums.hash.sha1:
-      case enums.hash.ripemd:
-        return 20;
-      case enums.hash.sha256:
-        return 32;
-      case enums.hash.sha384:
-        return 48;
-      case enums.hash.sha512:
-        return 64;
-      case enums.hash.sha224:
-        return 28;
-      case enums.hash.sha3_256:
-        return 32;
-      case enums.hash.sha3_512:
-        return 64;
-      default:
-        throw new Error('Invalid hash algorithm.');
-    }
+/**
+ * Create a hash on the specified data using the specified algorithm
+ * @param {module:enums.hash} algo - Hash algorithm type (see {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC 4880 9.4})
+ * @param {Uint8Array} data - Data to be hashed
+ * @returns {Promise<Uint8Array>} Hash value.
+ */
+export function computeDigest(algo, data) {
+  switch (algo) {
+    case enums.hash.md5:
+      return md5(data);
+    case enums.hash.sha1:
+      return sha1(data);
+    case enums.hash.ripemd:
+      return ripemd(data);
+    case enums.hash.sha256:
+      return sha256(data);
+    case enums.hash.sha384:
+      return sha384(data);
+    case enums.hash.sha512:
+      return sha512(data);
+    case enums.hash.sha224:
+      return sha224(data);
+    case enums.hash.sha3_256:
+      return sha3_256(data);
+    case enums.hash.sha3_512:
+      return sha3_512(data);
+    default:
+      throw new Error('Unsupported hash function');
   }
-};
+}
+
+/**
+ * Returns the hash size in bytes of the specified hash algorithm type
+ * @param {module:enums.hash} algo - Hash algorithm type (See {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC 4880 9.4})
+ * @returns {Integer} Size in bytes of the resulting hash.
+ */
+export function getHashByteLength(algo) {
+  switch (algo) {
+    case enums.hash.md5:
+      return 16;
+    case enums.hash.sha1:
+    case enums.hash.ripemd:
+      return 20;
+    case enums.hash.sha256:
+      return 32;
+    case enums.hash.sha384:
+      return 48;
+    case enums.hash.sha512:
+      return 64;
+    case enums.hash.sha224:
+      return 28;
+    case enums.hash.sha3_256:
+      return 32;
+    case enums.hash.sha3_512:
+      return 64;
+    default:
+      throw new Error('Invalid hash algorithm.');
+  }
+}

src/crypto/hash/md5.js

@@ -1,201 +0,0 @@
-/**
- * A fast MD5 JavaScript implementation
- * Copyright (c) 2012 Joseph Myers
- * http://www.myersdaily.org/joseph/javascript/md5-text.html
- *
- * Permission to use, copy, modify, and distribute this software
- * and its documentation for any purposes and without
- * fee is hereby granted provided that this copyright notice
- * appears in all copies.
- *
- * Of course, this soft is provided "as is" without express or implied
- * warranty of any kind.
- */
-
-import util from '../../util';
-
-// MD5 Digest
-async function md5(entree) {
-  const digest = md51(util.uint8ArrayToString(entree));
-  return util.hexToUint8Array(hex(digest));
-}
-
-function md5cycle(x, k) {
-  let a = x[0];
-  let b = x[1];
-  let c = x[2];
-  let d = x[3];
-
-  a = ff(a, b, c, d, k[0], 7, -680876936);
-  d = ff(d, a, b, c, k[1], 12, -389564586);
-  c = ff(c, d, a, b, k[2], 17, 606105819);
-  b = ff(b, c, d, a, k[3], 22, -1044525330);
-  a = ff(a, b, c, d, k[4], 7, -176418897);
-  d = ff(d, a, b, c, k[5], 12, 1200080426);
-  c = ff(c, d, a, b, k[6], 17, -1473231341);
-  b = ff(b, c, d, a, k[7], 22, -45705983);
-  a = ff(a, b, c, d, k[8], 7, 1770035416);
-  d = ff(d, a, b, c, k[9], 12, -1958414417);
-  c = ff(c, d, a, b, k[10], 17, -42063);
-  b = ff(b, c, d, a, k[11], 22, -1990404162);
-  a = ff(a, b, c, d, k[12], 7, 1804603682);
-  d = ff(d, a, b, c, k[13], 12, -40341101);
-  c = ff(c, d, a, b, k[14], 17, -1502002290);
-  b = ff(b, c, d, a, k[15], 22, 1236535329);
-
-  a = gg(a, b, c, d, k[1], 5, -165796510);
-  d = gg(d, a, b, c, k[6], 9, -1069501632);
-  c = gg(c, d, a, b, k[11], 14, 643717713);
-  b = gg(b, c, d, a, k[0], 20, -373897302);
-  a = gg(a, b, c, d, k[5], 5, -701558691);
-  d = gg(d, a, b, c, k[10], 9, 38016083);
-  c = gg(c, d, a, b, k[15], 14, -660478335);
-  b = gg(b, c, d, a, k[4], 20, -405537848);
-  a = gg(a, b, c, d, k[9], 5, 568446438);
-  d = gg(d, a, b, c, k[14], 9, -1019803690);
-  c = gg(c, d, a, b, k[3], 14, -187363961);
-  b = gg(b, c, d, a, k[8], 20, 1163531501);
-  a = gg(a, b, c, d, k[13], 5, -1444681467);
-  d = gg(d, a, b, c, k[2], 9, -51403784);
-  c = gg(c, d, a, b, k[7], 14, 1735328473);
-  b = gg(b, c, d, a, k[12], 20, -1926607734);
-
-  a = hh(a, b, c, d, k[5], 4, -378558);
-  d = hh(d, a, b, c, k[8], 11, -2022574463);
-  c = hh(c, d, a, b, k[11], 16, 1839030562);
-  b = hh(b, c, d, a, k[14], 23, -35309556);
-  a = hh(a, b, c, d, k[1], 4, -1530992060);
-  d = hh(d, a, b, c, k[4], 11, 1272893353);
-  c = hh(c, d, a, b, k[7], 16, -155497632);
-  b = hh(b, c, d, a, k[10], 23, -1094730640);
-  a = hh(a, b, c, d, k[13], 4, 681279174);
-  d = hh(d, a, b, c, k[0], 11, -358537222);
-  c = hh(c, d, a, b, k[3], 16, -722521979);
-  b = hh(b, c, d, a, k[6], 23, 76029189);
-  a = hh(a, b, c, d, k[9], 4, -640364487);
-  d = hh(d, a, b, c, k[12], 11, -421815835);
-  c = hh(c, d, a, b, k[15], 16, 530742520);
-  b = hh(b, c, d, a, k[2], 23, -995338651);
-
-  a = ii(a, b, c, d, k[0], 6, -198630844);
-  d = ii(d, a, b, c, k[7], 10, 1126891415);
-  c = ii(c, d, a, b, k[14], 15, -1416354905);
-  b = ii(b, c, d, a, k[5], 21, -57434055);
-  a = ii(a, b, c, d, k[12], 6, 1700485571);
-  d = ii(d, a, b, c, k[3], 10, -1894986606);
-  c = ii(c, d, a, b, k[10], 15, -1051523);
-  b = ii(b, c, d, a, k[1], 21, -2054922799);
-  a = ii(a, b, c, d, k[8], 6, 1873313359);
-  d = ii(d, a, b, c, k[15], 10, -30611744);
-  c = ii(c, d, a, b, k[6], 15, -1560198380);
-  b = ii(b, c, d, a, k[13], 21, 1309151649);
-  a = ii(a, b, c, d, k[4], 6, -145523070);
-  d = ii(d, a, b, c, k[11], 10, -1120210379);
-  c = ii(c, d, a, b, k[2], 15, 718787259);
-  b = ii(b, c, d, a, k[9], 21, -343485551);
-
-  x[0] = add32(a, x[0]);
-  x[1] = add32(b, x[1]);
-  x[2] = add32(c, x[2]);
-  x[3] = add32(d, x[3]);
-}
-
-function cmn(q, a, b, x, s, t) {
-  a = add32(add32(a, q), add32(x, t));
-  return add32((a << s) | (a >>> (32 - s)), b);
-}
-
-function ff(a, b, c, d, x, s, t) {
-  return cmn((b & c) | ((~b) & d), a, b, x, s, t);
-}
-
-function gg(a, b, c, d, x, s, t) {
-  return cmn((b & d) | (c & (~d)), a, b, x, s, t);
-}
-
-function hh(a, b, c, d, x, s, t) {
-  return cmn(b ^ c ^ d, a, b, x, s, t);
-}
-
-function ii(a, b, c, d, x, s, t) {
-  return cmn(c ^ (b | (~d)), a, b, x, s, t);
-}
-
-function md51(s) {
-  const n = s.length;
-  const state = [1732584193, -271733879, -1732584194, 271733878];
-  let i;
-  for (i = 64; i <= s.length; i += 64) {
-    md5cycle(state, md5blk(s.substring(i - 64, i)));
-  }
-  s = s.substring(i - 64);
-  const tail = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
-  for (i = 0; i < s.length; i++) {
-    tail[i >> 2] |= s.charCodeAt(i) << ((i % 4) << 3);
-  }
-  tail[i >> 2] |= 0x80 << ((i % 4) << 3);
-  if (i > 55) {
-    md5cycle(state, tail);
-    for (i = 0; i < 16; i++) {
-      tail[i] = 0;
-    }
-  }
-  tail[14] = n * 8;
-  md5cycle(state, tail);
-  return state;
-}
-
-/* there needs to be support for Unicode here,
- * unless we pretend that we can redefine the MD-5
- * algorithm for multi-byte characters (perhaps
- * by adding every four 16-bit characters and
- * shortening the sum to 32 bits). Otherwise
- * I suggest performing MD-5 as if every character
- * was two bytes--e.g., 0040 0025 = @%--but then
- * how will an ordinary MD-5 sum be matched?
- * There is no way to standardize text to something
- * like UTF-8 before transformation; speed cost is
- * utterly prohibitive. The JavaScript standard
- * itself needs to look at this: it should start
- * providing access to strings as preformed UTF-8
- * 8-bit unsigned value arrays.
- */
-function md5blk(s) { /* I figured global was faster.   */
-  const md5blks = [];
-  let i; /* Andy King said do it this way. */
-  for (i = 0; i < 64; i += 4) {
-    md5blks[i >> 2] = s.charCodeAt(i) + (s.charCodeAt(i + 1) << 8) + (s.charCodeAt(i + 2) << 16) + (s.charCodeAt(i + 3) <<
-      24);
-  }
-  return md5blks;
-}
-
-const hex_chr = '0123456789abcdef'.split('');
-
-function rhex(n) {
-  let s = '';
-  let j = 0;
-  for (; j < 4; j++) {
-    s += hex_chr[(n >> (j * 8 + 4)) & 0x0F] + hex_chr[(n >> (j * 8)) & 0x0F];
-  }
-  return s;
-}
-
-function hex(x) {
-  for (let i = 0; i < x.length; i++) {
-    x[i] = rhex(x[i]);
-  }
-  return x.join('');
-}
-
-/* this function is much faster,
-so if possible we use it. Some IEs
-are the only ones I know of that
-need the idiotic second function,
-generated by an if clause.  */
-
-function add32(a, b) {
-  return (a + b) & 0xFFFFFFFF;
-}
-
-export default md5;

src/crypto/hash/md5.ts

@@ -0,0 +1,80 @@
+// Copied from https://github.com/paulmillr/noble-hashes/blob/main/test/misc/md5.ts
+
+import { HashMD } from '@noble/hashes/_md';
+import { rotl, wrapConstructor } from '@noble/hashes/utils';
+
+// Per-round constants
+const K = Array.from({ length: 64 }, (_, i) => Math.floor(2 ** 32 * Math.abs(Math.sin(i + 1))));
+// Choice: a ? b : c
+const Chi = (a: number, b: number, c: number) => (a & b) ^ (~a & c);
+// Initial state (same as sha1, but 4 u32 instead of 5)
+const IV = /* @__PURE__ */ new Uint32Array([0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476]);
+// Temporary buffer, not used to store anything between runs
+// Named this way for SHA1 compat
+const MD5_W = /* @__PURE__ */ new Uint32Array(16);
+class MD5 extends HashMD<MD5> {
+  private A = IV[0] | 0;
+  private B = IV[1] | 0;
+  private C = IV[2] | 0;
+  private D = IV[3] | 0;
+  constructor() {
+    super(64, 16, 8, true);
+  }
+  protected get(): [number, number, number, number] {
+    const { A, B, C, D } = this;
+    return [A, B, C, D];
+  }
+  protected set(A: number, B: number, C: number, D: number) {
+    this.A = A | 0;
+    this.B = B | 0;
+    this.C = C | 0;
+    this.D = D | 0;
+  }
+  protected process(view: DataView, offset: number): void {
+    for (let i = 0; i < 16; i++, offset += 4) MD5_W[i] = view.getUint32(offset, true);
+    // Compression function main loop, 64 rounds
+    let { A, B, C, D } = this;
+    for (let i = 0; i < 64; i++) {
+      // eslint-disable-next-line one-var, one-var-declaration-per-line
+      let F, g, s;
+      if (i < 16) {
+        // eslint-disable-next-line new-cap
+        F = Chi(B, C, D);
+        g = i;
+        s = [7, 12, 17, 22];
+      } else if (i < 32) {
+        // eslint-disable-next-line new-cap
+        F = Chi(D, B, C);
+        g = (5 * i + 1) % 16;
+        s = [5, 9, 14, 20];
+      } else if (i < 48) {
+        F = B ^ C ^ D;
+        g = (3 * i + 5) % 16;
+        s = [4, 11, 16, 23];
+      } else {
+        F = C ^ (B | ~D);
+        g = (7 * i) % 16;
+        s = [6, 10, 15, 21];
+      }
+      F = F + A + K[i] + MD5_W[g];
+      A = D;
+      D = C;
+      C = B;
+      B = B + rotl(F, s[i % 4]);
+    }
+    // Add the compressed chunk to the current hash value
+    A = (A + this.A) | 0;
+    B = (B + this.B) | 0;
+    C = (C + this.C) | 0;
+    D = (D + this.D) | 0;
+    this.set(A, B, C, D);
+  }
+  protected roundClean() {
+    MD5_W.fill(0);
+  }
+  destroy() {
+    this.set(0, 0, 0, 0);
+    this.buffer.fill(0);
+  }
+}
+export const md5 = /* @__PURE__ */ wrapConstructor(() => new MD5());

src/crypto/hash/noble_hashes.js

@@ -9,8 +9,10 @@ import { sha224, sha256 } from '@noble/hashes/sha256';
 import { sha384, sha512 } from '@noble/hashes/sha512';
 import { sha3_256, sha3_512 } from '@noble/hashes/sha3';
 import { ripemd160 } from '@noble/hashes/ripemd160';
+import { md5 } from './md5';
 
 export const nobleHashes = new Map(Object.entries({
+  md5,
   sha1,
   sha224,
   sha256,

src/crypto/index.js

@@ -9,39 +9,10 @@
  * @module crypto
  */
 
-import * as cipher from './cipher';
-import hash from './hash';
-import mode from './mode';
-import publicKey from './public_key';
-import * as signature from './signature';
-import * as random from './random';
-import * as pkcs1 from './pkcs1';
-import * as pkcs5 from './pkcs5';
-import * as crypto from './crypto';
-import * as aesKW from './aes_kw';
-
-// TODO move cfb and gcm to cipher
-const mod = {
-  /** @see module:crypto/cipher */
-  cipher: cipher,
-  /** @see module:crypto/hash */
-  hash: hash,
-  /** @see module:crypto/mode */
-  mode: mode,
-  /** @see module:crypto/public_key */
-  publicKey: publicKey,
-  /** @see module:crypto/signature */
-  signature: signature,
-  /** @see module:crypto/random */
-  random: random,
-  /** @see module:crypto/pkcs1 */
-  pkcs1: pkcs1,
-  /** @see module:crypto/pkcs5 */
-  pkcs5: pkcs5,
-  /** @see module:crypto/aes_kw */
-  aesKW: aesKW
-};
-
-Object.assign(mod, crypto);
-
-export default mod;
+export * from './crypto';
+export { getCipherParams } from './cipher';
+export * from './hash';
+export * as cipherMode from './cipherMode';
+export * as publicKey from './public_key';
+export * as signature from './signature';
+export { getRandomBytes } from './random';

src/crypto/mode/index.js

@@ -1,21 +0,0 @@
-/**
- * @fileoverview Cipher modes
- * @module crypto/mode
- */
-
-import * as cfb from './cfb';
-import eax from './eax';
-import ocb from './ocb';
-import gcm from './gcm';
-
-export default {
-  /** @see module:crypto/mode/cfb */
-  cfb: cfb,
-  /** @see module:crypto/mode/gcm */
-  gcm: gcm,
-  experimentalGCM: gcm,
-  /** @see module:crypto/mode/eax */
-  eax: eax,
-  /** @see module:crypto/mode/ocb */
-  ocb: ocb
-};

src/crypto/pkcs1.js

@@ -24,7 +24,7 @@
  */
 
 import { getRandomBytes } from './random';
-import hash from './hash';
+import { getHashByteLength } from './hash';
 import util from '../util';
 
 /**
@@ -134,7 +134,7 @@ export function emeDecode(encoded, randomPayload) {
  */
 export function emsaEncode(algo, hashed, emLen) {
   let i;
-  if (hashed.length !== hash.getHashByteLength(algo)) {
+  if (hashed.length !== getHashByteLength(algo)) {
     throw new Error('Invalid hash length');
   }
   // produce an ASN.1 DER value for the hash function used.

src/crypto/public_key/elliptic/ecdh.js

@@ -22,7 +22,7 @@
 
 import { CurveWithOID, jwkToRawPublic, rawPublicToJWK, privateToJWK, validateStandardParams, checkPublicPointEnconding } from './oid_curves';
 import * as aesKW from '../../aes_kw';
-import hash from '../../hash';
+import { computeDigest } from '../../hash';
 import enums from '../../../enums';
 import util from '../../../util';
 import { b64ToUint8Array } from '../../../encoding/base64';
@@ -72,7 +72,7 @@ async function kdf(hashAlgo, X, length, param, stripLeading = false, stripTraili
     for (i = X.length - 1; i >= 0 && X[i] === 0; i--);
     X = X.subarray(0, i + 1);
   }
-  const digest = await hash.digest(hashAlgo, util.concatUint8Array([
+  const digest = await computeDigest(hashAlgo, util.concatUint8Array([
     new Uint8Array([0, 0, 0, 1]),
     X,
     param

src/crypto/public_key/elliptic/ecdh_x.js

@@ -11,6 +11,7 @@ import enums from '../../../enums';
 import util from '../../../util';
 import computeHKDF from '../../hkdf';
 import { getCipherParams } from '../../cipher';
+import { b64ToUint8Array, uint8ArrayToB64 } from '../../../encoding/base64';
 
 const HKDF_INFO = {
   x25519: util.encodeUTF8('OpenPGP X25519'),
@@ -24,12 +25,27 @@ const HKDF_INFO = {
  */
 export async function generate(algo) {
   switch (algo) {
-    case enums.publicKey.x25519: {
-      // k stays in little-endian, unlike legacy ECDH over curve25519
-      const k = getRandomBytes(32);
-      const { publicKey: A } = x25519.box.keyPair.fromSecretKey(k);
-      return { A, k };
-    }
+    case enums.publicKey.x25519:
+      try {
+        const webCrypto = util.getWebCrypto();
+        const webCryptoKey = await webCrypto.generateKey('X25519', true, ['deriveKey', 'deriveBits']);
+
+        const privateKey = await webCrypto.exportKey('jwk', webCryptoKey.privateKey);
+        const publicKey = await webCrypto.exportKey('jwk', webCryptoKey.publicKey);
+
+        return {
+          A: new Uint8Array(b64ToUint8Array(publicKey.x)),
+          k: b64ToUint8Array(privateKey.d)
+        };
+      } catch (err) {
+        if (err.name !== 'NotSupportedError') {
+          throw err;
+        }
+        // k stays in little-endian, unlike legacy ECDH over curve25519
+        const k = getRandomBytes(32);
+        const { publicKey: A } = x25519.box.keyPair.fromSecretKey(k);
+        return { A, k };
+      }
 
     case enums.publicKey.x448: {
       const x448 = await util.getNobleCurve(enums.publicKey.x448);
@@ -171,17 +187,37 @@ export function getPayloadSize(algo) {
  */
 export async function generateEphemeralEncryptionMaterial(algo, recipientA) {
   switch (algo) {
-    case enums.publicKey.x25519: {
-      const ephemeralSecretKey = getRandomBytes(getPayloadSize(algo));
-      const sharedSecret = x25519.scalarMult(ephemeralSecretKey, recipientA);
-      const { publicKey: ephemeralPublicKey } = x25519.box.keyPair.fromSecretKey(ephemeralSecretKey);
-
-      return { ephemeralPublicKey, sharedSecret };
-    }
+    case enums.publicKey.x25519:
+      try {
+        const webCrypto = util.getWebCrypto();
+        const jwk = publicKeyToJWK(algo, recipientA);
+        const ephemeralKeyPair = await webCrypto.generateKey('X25519', true, ['deriveKey', 'deriveBits']);
+        const recipientPublicKey = await webCrypto.importKey('jwk', jwk, 'X25519', false, []);
+        const sharedSecretBuffer = await webCrypto.deriveBits(
+          { name: 'X25519', public: recipientPublicKey },
+          ephemeralKeyPair.privateKey,
+          getPayloadSize(algo) * 8 // in bits
+        );
+        const ephemeralPublicKeyJwt = await webCrypto.exportKey('jwk', ephemeralKeyPair.publicKey);
+        return {
+          sharedSecret: new Uint8Array(sharedSecretBuffer),
+          ephemeralPublicKey: new Uint8Array(b64ToUint8Array(ephemeralPublicKeyJwt.x))
+        };
+      } catch (err) {
+        if (err.name !== 'NotSupportedError') {
+          throw err;
+        }
+        const ephemeralSecretKey = getRandomBytes(getPayloadSize(algo));
+        const sharedSecret = x25519.scalarMult(ephemeralSecretKey, recipientA);
+        assertNonZeroArray(sharedSecret);
+        const { publicKey: ephemeralPublicKey } = x25519.box.keyPair.fromSecretKey(ephemeralSecretKey);
+        return { ephemeralPublicKey, sharedSecret };
+      }
     case enums.publicKey.x448: {
       const x448 = await util.getNobleCurve(enums.publicKey.x448);
       const ephemeralSecretKey = x448.utils.randomPrivateKey();
       const sharedSecret = x448.getSharedSecret(ephemeralSecretKey, recipientA);
+      assertNonZeroArray(sharedSecret);
       const ephemeralPublicKey = x448.getPublicKey(ephemeralSecretKey);
       return { ephemeralPublicKey, sharedSecret };
     }
@@ -193,13 +229,78 @@ export async function generateEphemeralEncryptionMaterial(algo, recipientA) {
 export async function recomputeSharedSecret(algo, ephemeralPublicKey, A, k) {
   switch (algo) {
     case enums.publicKey.x25519:
-      return x25519.scalarMult(k, ephemeralPublicKey);
+      try {
+        const webCrypto = util.getWebCrypto();
+        const privateKeyJWK = privateKeyToJWK(algo, A, k);
+        const ephemeralPublicKeyJWK = publicKeyToJWK(algo, ephemeralPublicKey);
+        const privateKey = await webCrypto.importKey('jwk', privateKeyJWK, 'X25519', false, ['deriveKey', 'deriveBits']);
+        const ephemeralPublicKeyReference = await webCrypto.importKey('jwk', ephemeralPublicKeyJWK, 'X25519', false, []);
+        const sharedSecretBuffer = await webCrypto.deriveBits(
+          { name: 'X25519', public: ephemeralPublicKeyReference },
+          privateKey,
+          getPayloadSize(algo) * 8 // in bits
+        );
+        return new Uint8Array(sharedSecretBuffer);
+      } catch (err) {
+        if (err.name !== 'NotSupportedError') {
+          throw err;
+        }
+        const sharedSecret = x25519.scalarMult(k, ephemeralPublicKey);
+        assertNonZeroArray(sharedSecret);
+        return sharedSecret;
+      }
     case enums.publicKey.x448: {
       const x448 = await util.getNobleCurve(enums.publicKey.x448);
       const sharedSecret = x448.getSharedSecret(k, ephemeralPublicKey);
+      assertNonZeroArray(sharedSecret);
       return sharedSecret;
     }
     default:
       throw new Error('Unsupported ECDH algorithm');
   }
 }
+
+/**
+ * x25519 and x448 produce an all-zero value when given as input a point with small order.
+ * This does not lead to a security issue in the context of ECDH, but it is still unexpected,
+ * hence we throw.
+ * @param {Uint8Array} sharedSecret
+ */
+function assertNonZeroArray(sharedSecret) {
+  let acc = 0;
+  for (let i = 0; i < sharedSecret.length; i++) {
+    acc |= sharedSecret[i];
+  }
+  if (acc === 0) {
+    throw new Error('Unexpected low order point');
+  }
+}
+
+
+function publicKeyToJWK(algo, publicKey) {
+  switch (algo) {
+    case enums.publicKey.x25519: {
+      const jwk = {
+        kty: 'OKP',
+        crv: 'X25519',
+        x: uint8ArrayToB64(publicKey, true),
+        ext: true
+      };
+      return jwk;
+    }
+    default:
+      throw new Error('Unsupported ECDH algorithm');
+  }
+}
+
+function privateKeyToJWK(algo, publicKey, privateKey) {
+  switch (algo) {
+    case enums.publicKey.x25519: {
+      const jwk = publicKeyToJWK(algo, publicKey);
+      jwk.d = uint8ArrayToB64(privateKey, true);
+      return jwk;
+    }
+    default:
+      throw new Error('Unsupported ECDH algorithm');
+  }
+}