openpgp/dist/openpgp.min.mjs.map

OpenPGP.js is a Javascript implementation of the OpenPGP protocol. This is defined in RFC 4880.

{"version":3,"file":"openpgp.min.mjs","sources":["../node_modules/@openpgp/web-stream-tools/lib/writer.js","../node_modules/@openpgp/web-stream-tools/lib/util.js","../node_modules/@openpgp/web-stream-tools/lib/reader.js","../node_modules/@openpgp/web-stream-tools/lib/streams.js","../src/enums.js","../src/config/config.js","../src/util.js","../src/encoding/base64.js","../src/encoding/armor.js","../../../src/crypto/biginteger.ts","../src/crypto/random.js","../../../src/crypto/public_key/prime.ts","../src/crypto/hash/index.js","../src/crypto/pkcs1.js","../src/crypto/public_key/rsa.js","../src/crypto/public_key/elgamal.js","../node_modules/@openpgp/tweetnacl/cryptoBrowser.js","../node_modules/@openpgp/tweetnacl/nacl-fast.js","../src/type/oid.js","../src/packet/packet.js","../src/crypto/public_key/elliptic/eddsa.js","../node_modules/@noble/ciphers/esm/_assert.js","../node_modules/@noble/ciphers/esm/utils.js","../node_modules/@noble/ciphers/esm/_polyval.js","../node_modules/@noble/ciphers/esm/aes.js","../src/crypto/cipher/index.js","../src/crypto/aes_kw.js","../src/crypto/hkdf.js","../src/crypto/public_key/elliptic/ecdh_x.js","../src/crypto/public_key/elliptic/oid_curves.js","../src/crypto/public_key/elliptic/ecdsa.js","../src/crypto/public_key/elliptic/eddsa_legacy.js","../src/crypto/pkcs5.js","../src/crypto/public_key/elliptic/ecdh.js","../src/crypto/public_key/dsa.js","../src/type/ecdh_symkey.js","../src/type/kdf_params.js","../src/type/ecdh_x_symkey.js","../src/crypto/crypto.js","../src/crypto/cipherMode/cfb.js","../src/crypto/cmac.js","../src/crypto/cipherMode/eax.js","../src/crypto/cipherMode/ocb.js","../src/crypto/cipherMode/gcm.js","../src/crypto/cipherMode/index.js","../src/crypto/signature.js","../src/type/s2k/argon2.js","../src/type/s2k/generic.js","../src/type/s2k/index.js","../node_modules/fflate/esm/browser.js","../src/packet/literal_data.js","../src/type/keyid.js","../src/packet/signature.js","../src/packet/one_pass_signature.js","../src/packet/packetlist.js","../src/packet/compressed_data.js","../src/packet/sym_encrypted_integrity_protected_data.js","../src/packet/aead_encrypted_data.js","../src/packet/public_key_encrypted_session_key.js","../src/packet/sym_encrypted_session_key.js","../src/packet/public_key.js","../src/packet/symmetrically_encrypted_data.js","../src/packet/marker.js","../src/packet/public_subkey.js","../src/packet/user_attribute.js","../src/packet/secret_key.js","../src/packet/userid.js","../src/packet/secret_subkey.js","../src/packet/trust.js","../src/packet/padding.js","../src/signature.js","../src/key/helper.js","../src/key/user.js","../src/key/subkey.js","../src/key/key.js","../src/key/public_key.js","../src/key/private_key.js","../src/key/factory.js","../src/message.js","../src/cleartext.js","../src/openpgp.js","../node_modules/@noble/hashes/esm/_assert.js","../node_modules/@noble/hashes/esm/crypto.js","../node_modules/@noble/hashes/esm/utils.js","../node_modules/@noble/hashes/esm/_md.js","../node_modules/@noble/hashes/esm/sha256.js","../node_modules/@noble/hashes/esm/hmac.js","../node_modules/@noble/curves/esm/abstract/utils.js","../node_modules/@noble/curves/esm/abstract/modular.js","../node_modules/@noble/curves/esm/abstract/curve.js","../node_modules/@noble/curves/esm/abstract/weierstrass.js","../node_modules/@noble/curves/esm/_shortw_utils.js","../node_modules/@noble/curves/esm/p256.js","../node_modules/@noble/hashes/esm/_u64.js","../node_modules/@noble/hashes/esm/sha512.js","../node_modules/@noble/curves/esm/p384.js","../node_modules/@noble/curves/esm/p521.js","../node_modules/@noble/hashes/esm/sha3.js","../node_modules/@noble/curves/esm/abstract/edwards.js","../node_modules/@noble/curves/esm/abstract/montgomery.js","../node_modules/@noble/curves/esm/ed448.js","../node_modules/@noble/curves/esm/secp256k1.js","../../../src/crypto/public_key/elliptic/brainpool/brainpoolP256r1.ts","../../../src/crypto/public_key/elliptic/brainpool/brainpoolP384r1.ts","../../../src/crypto/public_key/elliptic/brainpool/brainpoolP512r1.ts","../src/crypto/public_key/elliptic/noble_curves.js","../node_modules/@noble/hashes/esm/sha1.js","../node_modules/@noble/hashes/esm/ripemd160.js","../../../src/crypto/hash/md5.ts","../src/crypto/hash/noble_hashes.js","../src/crypto/cipher/des.js","../src/crypto/cipher/cast5.js","../src/crypto/cipher/twofish.js","../src/crypto/cipher/blowfish.js","../src/crypto/cipher/legacy_ciphers.js","../node_modules/argon2id/lib/blake2b.js","../node_modules/argon2id/lib/argon2id.js","../node_modules/argon2id/lib/setup.js","../node_modules/argon2id/index.js","../node_modules/@openpgp/seek-bzip/lib/bitreader.js","../node_modules/@openpgp/seek-bzip/lib/stream.js","../node_modules/@openpgp/seek-bzip/lib/crc32.js","../node_modules/@openpgp/seek-bzip/lib/index.js"],"sourcesContent":["const doneWritingPromise = Symbol('doneWritingPromise');\nconst doneWritingResolve = Symbol('doneWritingResolve');\nconst doneWritingReject = Symbol('doneWritingReject');\n\nconst readingIndex = Symbol('readingIndex');\n\nclass ArrayStream extends Array {\n  constructor() {\n    super();\n    // ES5 patch, see https://github.com/Microsoft/TypeScript/wiki/FAQ#why-doesnt-extending-built-ins-like-error-array-and-map-work\n    Object.setPrototypeOf(this, ArrayStream.prototype);\n\n    this[doneWritingPromise] = new Promise((resolve, reject) => {\n      this[doneWritingResolve] = resolve;\n      this[doneWritingReject] = reject;\n    });\n    this[doneWritingPromise].catch(() => {});\n  }\n}\n\nArrayStream.prototype.getReader = function() {\n  if (this[readingIndex] === undefined) {\n    this[readingIndex] = 0;\n  }\n  return {\n    read: async () => {\n      await this[doneWritingPromise];\n      if (this[readingIndex] === this.length) {\n        return { value: undefined, done: true };\n      }\n      return { value: this[this[readingIndex]++], done: false };\n    }\n  };\n};\n\nArrayStream.prototype.readToEnd = async function(join) {\n  await this[doneWritingPromise];\n  const result = join(this.slice(this[readingIndex]));\n  this.length = 0;\n  return result;\n};\n\nArrayStream.prototype.clone = function() {\n  const clone = new ArrayStream();\n  clone[doneWritingPromise] = this[doneWritingPromise].then(() => {\n    clone.push(...this);\n  });\n  return clone;\n};\n\n/**\n * Check whether data is an ArrayStream\n * @param {Any} input  data to check\n * @returns {boolean}\n */\nfunction isArrayStream(input) {\n  return input && input.getReader && Array.isArray(input);\n}\n\n/**\n * A wrapper class over the native WritableStreamDefaultWriter.\n * It also lets you \"write data to\" array streams instead of streams.\n * @class\n */\nfunction Writer(input) {\n  if (!isArrayStream(input)) {\n    const writer = input.getWriter();\n    const releaseLock = writer.releaseLock;\n    writer.releaseLock = () => {\n      writer.closed.catch(function() {});\n      releaseLock.call(writer);\n    };\n    return writer;\n  }\n  this.stream = input;\n}\n\n/**\n * Write a chunk of data.\n * @returns {Promise<undefined>}\n * @async\n */\nWriter.prototype.write = async function(chunk) {\n  this.stream.push(chunk);\n};\n\n/**\n * Close the stream.\n * @returns {Promise<undefined>}\n * @async\n */\nWriter.prototype.close = async function() {\n  this.stream[doneWritingResolve]();\n};\n\n/**\n * Error the stream.\n * @returns {Promise<Object>}\n * @async\n */\nWriter.prototype.abort = async function(reason) {\n  this.stream[doneWritingReject](reason);\n  return reason;\n};\n\n/**\n * Release the writer's lock.\n * @returns {undefined}\n * @async\n */\nWriter.prototype.releaseLock = function() {};\n\nexport { ArrayStream, isArrayStream, Writer, doneWritingPromise };\n","/* eslint-disable no-prototype-builtins */\nimport { isArrayStream } from './writer.js';\nconst isNode = typeof globalThis.process === 'object' &&\n  typeof globalThis.process.versions === 'object';\n\n/**\n * Check whether data is a Stream, and if so of which type\n * @param {Any} input  data to check\n * @returns {'web'|'node'|'array'|'web-like'|false}\n */\nfunction isStream(input) {\n  if (isArrayStream(input)) {\n    return 'array';\n  }\n  if (globalThis.ReadableStream && globalThis.ReadableStream.prototype.isPrototypeOf(input)) {\n    return 'web';\n  }\n  // try and detect a node native stream without having to import its class\n  if (input &&\n    !(globalThis.ReadableStream && input instanceof globalThis.ReadableStream) &&\n    typeof input._read === 'function' && typeof input._readableState === 'object') {\n    throw new Error('Native Node streams are no longer supported: please manually convert the stream to a WebStream, using e.g. `stream.Readable.toWeb`');\n  }\n  if (input && input.getReader) {\n    return 'web-like';\n  }\n  return false;\n}\n\n/**\n * Check whether data is a Uint8Array\n * @param {Any} input  data to check\n * @returns {Boolean}\n */\nfunction isUint8Array(input) {\n  return Uint8Array.prototype.isPrototypeOf(input);\n}\n\n/**\n * Concat Uint8Arrays\n * @param {Array<Uint8array>} Array of Uint8Arrays to concatenate\n * @returns {Uint8array} Concatenated array\n */\nfunction concatUint8Array(arrays) {\n  if (arrays.length === 1) return arrays[0];\n\n  let totalLength = 0;\n  for (let i = 0; i < arrays.length; i++) {\n    if (!isUint8Array(arrays[i])) {\n      throw new Error('concatUint8Array: Data must be in the form of a Uint8Array');\n    }\n\n    totalLength += arrays[i].length;\n  }\n\n  const result = new Uint8Array(totalLength);\n  let pos = 0;\n  arrays.forEach(function (element) {\n    result.set(element, pos);\n    pos += element.length;\n  });\n\n  return result;\n}\n\nexport { isNode, isStream, isArrayStream, isUint8Array, concatUint8Array };\n","import { isUint8Array, isStream, isArrayStream } from './util.js';\nimport * as streams from './streams.js';\n\nconst doneReadingSet = new WeakSet();\n/**\n * The external buffer is used to store values that have been peeked or unshifted from the original stream.\n * Because of how streams are implemented, such values cannot be \"put back\" in the original stream,\n * but they need to be returned first when reading from the input again.\n */\nconst externalBuffer = Symbol('externalBuffer');\n\n/**\n * A wrapper class over the native ReadableStreamDefaultReader.\n * This additionally implements pushing back data on the stream, which\n * lets us implement peeking and a host of convenience functions.\n * It also lets you read data other than streams, such as a Uint8Array.\n * @class\n */\nfunction Reader(input) {\n  this.stream = input;\n  if (input[externalBuffer]) {\n    this[externalBuffer] = input[externalBuffer].slice();\n  }\n  if (isArrayStream(input)) {\n    const reader = input.getReader();\n    this._read = reader.read.bind(reader);\n    this._releaseLock = () => {};\n    this._cancel = () => {};\n    return;\n  }\n  let streamType = isStream(input);\n  if (streamType) {\n    const reader = input.getReader();\n    this._read = reader.read.bind(reader);\n    this._releaseLock = () => {\n      reader.closed.catch(function() {});\n      reader.releaseLock();\n    };\n    this._cancel = reader.cancel.bind(reader);\n    return;\n  }\n  let doneReading = false;\n  this._read = async () => {\n    if (doneReading || doneReadingSet.has(input)) {\n      return { value: undefined, done: true };\n    }\n    doneReading = true;\n    return { value: input, done: false };\n  };\n  this._releaseLock = () => {\n    if (doneReading) {\n      try {\n        doneReadingSet.add(input);\n      } catch(e) {}\n    }\n  };\n}\n\n/**\n * Read a chunk of data.\n * @returns {Promise<Object>} Either { done: false, value: Uint8Array | String } or { done: true, value: undefined }\n * @async\n */\nReader.prototype.read = async function() {\n  if (this[externalBuffer] && this[externalBuffer].length) {\n    const value = this[externalBuffer].shift();\n    return { done: false, value };\n  }\n  return this._read();\n};\n\n/**\n * Allow others to read the stream.\n */\nReader.prototype.releaseLock = function() {\n  if (this[externalBuffer]) {\n    this.stream[externalBuffer] = this[externalBuffer];\n  }\n  this._releaseLock();\n};\n\n/**\n * Cancel the stream.\n */\nReader.prototype.cancel = function(reason) {\n  return this._cancel(reason);\n};\n\n/**\n * Read up to and including the first \\n character.\n * @returns {Promise<String|Undefined>}\n * @async\n */\nReader.prototype.readLine = async function() {\n  let buffer = [];\n  let returnVal;\n  while (!returnVal) {\n    let { done, value } = await this.read();\n    value += '';\n    if (done) {\n      if (buffer.length) return streams.concat(buffer);\n      return;\n    }\n    const lineEndIndex = value.indexOf('\\n') + 1;\n    if (lineEndIndex) {\n      returnVal = streams.concat(buffer.concat(value.substr(0, lineEndIndex)));\n      buffer = [];\n    }\n    if (lineEndIndex !== value.length) {\n      buffer.push(value.substr(lineEndIndex));\n    }\n  }\n  this.unshift(...buffer);\n  return returnVal;\n};\n\n/**\n * Read a single byte/character.\n * @returns {Promise<Number|String|Undefined>}\n * @async\n */\nReader.prototype.readByte = async function() {\n  const { done, value } = await this.read();\n  if (done) return;\n  const byte = value[0];\n  this.unshift(streams.slice(value, 1));\n  return byte;\n};\n\n/**\n * Read a specific amount of bytes/characters, unless the stream ends before that amount.\n * @returns {Promise<Uint8Array|String|Undefined>}\n * @async\n */\nReader.prototype.readBytes = async function(length) {\n  const buffer = [];\n  let bufferLength = 0;\n  // eslint-disable-next-line no-constant-condition\n  while (true) {\n    const { done, value } = await this.read();\n    if (done) {\n      if (buffer.length) return streams.concat(buffer);\n      return;\n    }\n    buffer.push(value);\n    bufferLength += value.length;\n    if (bufferLength >= length) {\n      const bufferConcat = streams.concat(buffer);\n      this.unshift(streams.slice(bufferConcat, length));\n      return streams.slice(bufferConcat, 0, length);\n    }\n  }\n};\n\n/**\n * Peek (look ahead) a specific amount of bytes/characters, unless the stream ends before that amount.\n * @returns {Promise<Uint8Array|String|Undefined>}\n * @async\n */\nReader.prototype.peekBytes = async function(length) {\n  const bytes = await this.readBytes(length);\n  this.unshift(bytes);\n  return bytes;\n};\n\n/**\n * Push data to the front of the stream.\n * Data must have been read in the last call to read*.\n * @param {...(Uint8Array|String|Undefined)} values\n */\nReader.prototype.unshift = function(...values) {\n  if (!this[externalBuffer]) {\n    this[externalBuffer] = [];\n  }\n  if (\n    values.length === 1 && isUint8Array(values[0]) &&\n    this[externalBuffer].length && values[0].length &&\n    this[externalBuffer][0].byteOffset >= values[0].length\n  ) {\n    this[externalBuffer][0] = new Uint8Array(\n      this[externalBuffer][0].buffer,\n      this[externalBuffer][0].byteOffset - values[0].length,\n      this[externalBuffer][0].byteLength + values[0].length\n    );\n    return;\n  }\n  this[externalBuffer].unshift(...values.filter(value => value && value.length));\n};\n\n/**\n * Read the stream to the end and return its contents, concatenated by the join function (defaults to streams.concat).\n * @param {Function} join\n * @returns {Promise<Uint8array|String|Any>} the return value of join()\n * @async\n */\nReader.prototype.readToEnd = async function(join=streams.concat) {\n  const result = [];\n  // eslint-disable-next-line no-constant-condition\n  while (true) {\n    const { done, value } = await this.read();\n    if (done) break;\n    result.push(value);\n  }\n  return join(result);\n};\n\nexport { Reader, externalBuffer };\n","import { isStream, isArrayStream, isUint8Array, concatUint8Array } from './util.js';\nimport { Reader, externalBuffer } from './reader.js';\nimport { ArrayStream, Writer } from './writer.js';\n\n/**\n * Convert data to Stream\n * @param {ReadableStream|Uint8array|String} input  data to convert\n * @returns {ReadableStream} Converted data\n */\nfunction toStream(input) {\n  let streamType = isStream(input);\n  if (streamType) {\n    return input;\n  }\n  return new ReadableStream({\n    start(controller) {\n      controller.enqueue(input);\n      controller.close();\n    }\n  });\n}\n\n/**\n * Convert non-streamed data to ArrayStream; this is a noop if `input` is already a stream.\n * @param {Object} input  data to convert\n * @returns {ArrayStream} Converted data\n */\nfunction toArrayStream(input) {\n  if (isStream(input)) {\n    return input;\n  }\n  const stream = new ArrayStream();\n  (async () => {\n    const writer = getWriter(stream);\n    await writer.write(input);\n    await writer.close();\n  })();\n  return stream;\n}\n\n/**\n * Concat a list of Uint8Arrays, Strings or Streams\n * The caller should not mix Uint8Arrays with Strings, but may mix Streams with non-Streams.\n * @param {Array<Uint8array|String|ReadableStream>} Array of Uint8Arrays/Strings/Streams to concatenate\n * @returns {Uint8array|String|ReadableStream} Concatenated array\n */\nfunction concat(list) {\n  if (list.some(stream => isStream(stream) && !isArrayStream(stream))) {\n    return concatStream(list);\n  }\n  if (list.some(stream => isArrayStream(stream))) {\n    return concatArrayStream(list);\n  }\n  if (typeof list[0] === 'string') {\n    return list.join('');\n  }\n  return concatUint8Array(list);\n}\n\n/**\n * Concat a list of Streams\n * @param {Array<ReadableStream|Uint8array|String>} list  Array of Uint8Arrays/Strings/Streams to concatenate\n * @returns {ReadableStream} Concatenated list\n */\nfunction concatStream(list) {\n  list = list.map(toStream);\n  const transform = transformWithCancel(async function(reason) {\n    await Promise.all(transforms.map(stream => cancel(stream, reason)));\n  });\n  let prev = Promise.resolve();\n  const transforms = list.map((stream, i) => transformPair(stream, (readable, writable) => {\n    prev = prev.then(() => pipe(readable, transform.writable, {\n      preventClose: i !== list.length - 1\n    }));\n    return prev;\n  }));\n  return transform.readable;\n}\n\n/**\n * Concat a list of ArrayStreams\n * @param {Array<ArrayStream|Uint8array|String>} list  Array of Uint8Arrays/Strings/ArrayStreams to concatenate\n * @returns {ArrayStream} Concatenated streams\n */\nfunction concatArrayStream(list) {\n  const result = new ArrayStream();\n  let prev = Promise.resolve();\n  list.forEach((stream, i) => {\n    prev = prev.then(() => pipe(stream, result, {\n      preventClose: i !== list.length - 1\n    }));\n    return prev;\n  });\n  return result;\n}\n\n/**\n * Pipe a readable stream to a writable stream. Don't throw on input stream errors, but forward them to the output stream.\n * @param {ReadableStream|Uint8array|String} input\n * @param {WritableStream} target\n * @param {Object} (optional) options\n * @returns {Promise<undefined>} Promise indicating when piping has finished (input stream closed or errored)\n * @async\n */\nasync function pipe(input, target, {\n  preventClose = false,\n  preventAbort = false,\n  preventCancel = false\n} = {}) {\n  if (isStream(input) && !isArrayStream(input)) {\n    input = toStream(input);\n    try {\n      if (input[externalBuffer]) {\n        const writer = getWriter(target);\n        for (let i = 0; i < input[externalBuffer].length; i++) {\n          await writer.ready;\n          await writer.write(input[externalBuffer][i]);\n        }\n        writer.releaseLock();\n      }\n      await input.pipeTo(target, {\n        preventClose,\n        preventAbort,\n        preventCancel\n      });\n    } catch(e) {}\n    return;\n  }\n  input = toArrayStream(input);\n  const reader = getReader(input);\n  const writer = getWriter(target);\n  try {\n    // eslint-disable-next-line no-constant-condition\n    while (true) {\n      await writer.ready;\n      const { done, value } = await reader.read();\n      if (done) {\n        if (!preventClose) await writer.close();\n        break;\n      }\n      await writer.write(value);\n    }\n  } catch (e) {\n    if (!preventAbort) await writer.abort(e);\n  } finally {\n    reader.releaseLock();\n    writer.releaseLock();\n  }\n}\n\n/**\n * Pipe a readable stream through a transform stream.\n * @param {ReadableStream|Uint8array|String} input\n * @param {Object} (optional) options\n * @returns {ReadableStream} transformed stream\n */\nfunction transformRaw(input, options) {\n  const transformStream = new TransformStream(options);\n  pipe(input, transformStream.writable);\n  return transformStream.readable;\n}\n\n/**\n * Create a cancelable TransformStream.\n * @param {Function} cancel\n * @returns {TransformStream}\n */\nfunction transformWithCancel(customCancel) {\n  let pulled = false;\n  let cancelled = false;\n  let backpressureChangePromiseResolve, backpressureChangePromiseReject;\n  let outputController;\n  return {\n    readable: new ReadableStream({\n      start(controller) {\n        outputController = controller;\n      },\n      pull() {\n        if (backpressureChangePromiseResolve) {\n          backpressureChangePromiseResolve();\n        } else {\n          pulled = true;\n        }\n      },\n      async cancel(reason) {\n        cancelled = true;\n        if (customCancel) {\n          await customCancel(reason);\n        }\n        if (backpressureChangePromiseReject) {\n          backpressureChangePromiseReject(reason);\n        }\n      }\n    }, {highWaterMark: 0}),\n    writable: new WritableStream({\n      write: async function(chunk) {\n        if (cancelled) {\n          throw new Error('Stream is cancelled');\n        }\n        outputController.enqueue(chunk);\n        if (!pulled) {\n          await new Promise((resolve, reject) => {\n            backpressureChangePromiseResolve = resolve;\n            backpressureChangePromiseReject = reject;\n          });\n          backpressureChangePromiseResolve = null;\n          backpressureChangePromiseReject = null;\n        } else {\n          pulled = false;\n        }\n      },\n      close: outputController.close.bind(outputController),\n      abort: outputController.error.bind(outputController)\n    })\n  };\n}\n\n/**\n * Transform a stream using helper functions which are called on each chunk, and on stream close, respectively.\n * @param {ReadableStream|Uint8array|String} input\n * @param {Function} process\n * @param {Function} finish\n * @returns {ReadableStream|Uint8array|String}\n */\nfunction transform(input, process = () => undefined, finish = () => undefined) {\n  if (isArrayStream(input)) {\n    const output = new ArrayStream();\n    (async () => {\n      const writer = getWriter(output);\n      try {\n        const data = await readToEnd(input);\n        const result1 = process(data);\n        const result2 = finish();\n        let result;\n        if (result1 !== undefined && result2 !== undefined) result = concat([result1, result2]);\n        else result = result1 !== undefined ? result1 : result2;\n        await writer.write(result);\n        await writer.close();\n      } catch (e) {\n        await writer.abort(e);\n      }\n    })();\n    return output;\n  }\n  if (isStream(input)) {\n    return transformRaw(input, {\n      async transform(value, controller) {\n        try {\n          const result = await process(value);\n          if (result !== undefined) controller.enqueue(result);\n        } catch(e) {\n          controller.error(e);\n        }\n      },\n      async flush(controller) {\n        try {\n          const result = await finish();\n          if (result !== undefined) controller.enqueue(result);\n        } catch(e) {\n          controller.error(e);\n        }\n      }\n    });\n  }\n  const result1 = process(input);\n  const result2 = finish();\n  if (result1 !== undefined && result2 !== undefined) return concat([result1, result2]);\n  return result1 !== undefined ? result1 : result2;\n}\n\n/**\n * Transform a stream using a helper function which is passed a readable and a writable stream.\n *   This function also maintains the possibility to cancel the input stream,\n *   and does so on cancelation of the output stream, despite cancelation\n *   normally being impossible when the input stream is being read from.\n * @param {ReadableStream|Uint8array|String} input\n * @param {Function} fn\n * @returns {ReadableStream}\n */\nfunction transformPair(input, fn) {\n  if (isStream(input) && !isArrayStream(input)) {\n    let incomingTransformController;\n    const incoming = new TransformStream({\n      start(controller) {\n        incomingTransformController = controller;\n      }\n    });\n\n    const pipeDonePromise = pipe(input, incoming.writable);\n\n    const outgoing = transformWithCancel(async function(reason) {\n      incomingTransformController.error(reason);\n      await pipeDonePromise;\n      await new Promise(setTimeout);\n    });\n    fn(incoming.readable, outgoing.writable);\n    return outgoing.readable;\n  }\n  input = toArrayStream(input);\n  const output = new ArrayStream();\n  fn(input, output);\n  return output;\n}\n\n/**\n * Parse a stream using a helper function which is passed a Reader.\n *   The reader additionally has a remainder() method which returns a\n *   stream pointing to the remainder of input, and is linked to input\n *   for cancelation.\n * @param {ReadableStream|Uint8array|String} input\n * @param {Function} fn\n * @returns {Any} the return value of fn()\n */\nfunction parse(input, fn) {\n  let returnValue;\n  const transformed = transformPair(input, (readable, writable) => {\n    const reader = getReader(readable);\n    reader.remainder = () => {\n      reader.releaseLock();\n      pipe(readable, writable);\n      return transformed;\n    };\n    returnValue = fn(reader);\n  });\n  return returnValue;\n}\n\n/**\n * Tee a Stream for reading it twice. The input stream can no longer be read after tee()ing.\n *   Reading either of the two returned streams will pull from the input stream.\n *   The input stream will only be canceled if both of the returned streams are canceled.\n * @param {ReadableStream|Uint8array|String} input\n * @returns {Array<ReadableStream|Uint8array|String>} array containing two copies of input\n */\nfunction tee(input) {\n  if (isArrayStream(input)) {\n    throw new Error('ArrayStream cannot be tee()d, use clone() instead');\n  }\n  if (isStream(input)) {\n    const teed = toStream(input).tee();\n    teed[0][externalBuffer] = teed[1][externalBuffer] = input[externalBuffer];\n    return teed;\n  }\n  return [slice(input), slice(input)];\n}\n\n/**\n * Clone a Stream for reading it twice. The input stream can still be read after clone()ing.\n *   Reading from the clone will pull from the input stream.\n *   The input stream will only be canceled if both the clone and the input stream are canceled.\n * @param {ReadableStream|Uint8array|String} input\n * @returns {ReadableStream|Uint8array|String} cloned input\n */\nfunction clone(input) {\n  if (isArrayStream(input)) {\n    return input.clone();\n  }\n  if (isStream(input)) {\n    const teed = tee(input);\n    overwrite(input, teed[0]);\n    return teed[1];\n  }\n  return slice(input);\n}\n\n/**\n * Clone a Stream for reading it twice. Data will arrive at the same rate as the input stream is being read.\n *   Reading from the clone will NOT pull from the input stream. Data only arrives when reading the input stream.\n *   The input stream will NOT be canceled if the clone is canceled, only if the input stream are canceled.\n *   If the input stream is canceled, the clone will be errored.\n * @param {ReadableStream|Uint8array|String} input\n * @returns {ReadableStream|Uint8array|String} cloned input\n */\nfunction passiveClone(input) {\n  if (isArrayStream(input)) {\n    return clone(input);\n  }\n  if (isStream(input)) {\n    return new ReadableStream({\n      start(controller) {\n        const transformed = transformPair(input, async (readable, writable) => {\n          const reader = getReader(readable);\n          const writer = getWriter(writable);\n          try {\n            // eslint-disable-next-line no-constant-condition\n            while (true) {\n              await writer.ready;\n              const { done, value } = await reader.read();\n              if (done) {\n                try { controller.close(); } catch(e) {}\n                await writer.close();\n                return;\n              }\n              try { controller.enqueue(value); } catch(e) {}\n              await writer.write(value);\n            }\n          } catch(e) {\n            controller.error(e);\n            await writer.abort(e);\n          }\n        });\n        overwrite(input, transformed);\n      }\n    });\n  }\n  return slice(input);\n}\n\n/**\n * Modify a stream object to point to a different stream object.\n *   This is used internally by clone() and passiveClone() to provide an abstraction over tee().\n * @param {ReadableStream} input\n * @param {ReadableStream} clone\n */\nfunction overwrite(input, clone) {\n  // Overwrite input.getReader, input.locked, etc to point to clone\n  Object.entries(Object.getOwnPropertyDescriptors(input.constructor.prototype)).forEach(([name, descriptor]) => {\n    if (name === 'constructor') {\n      return;\n    }\n    if (descriptor.value) {\n      descriptor.value = descriptor.value.bind(clone);\n    } else {\n      descriptor.get = descriptor.get.bind(clone);\n    }\n    Object.defineProperty(input, name, descriptor);\n  });\n}\n\n/**\n * Return a stream pointing to a part of the input stream.\n * @param {ReadableStream|Uint8array|String} input\n * @returns {ReadableStream|Uint8array|String} clone\n */\nfunction slice(input, begin=0, end=Infinity) {\n  if (isArrayStream(input)) {\n    throw new Error('Not implemented');\n  }\n  if (isStream(input)) {\n    if (begin >= 0 && end >= 0) {\n      let bytesRead = 0;\n      return transformRaw(input, {\n        transform(value, controller) {\n          if (bytesRead < end) {\n            if (bytesRead + value.length >= begin) {\n              controller.enqueue(slice(value, Math.max(begin - bytesRead, 0), end - bytesRead));\n            }\n            bytesRead += value.length;\n          } else {\n            controller.terminate();\n          }\n        }\n      });\n    }\n    if (begin < 0 && (end < 0 || end === Infinity)) {\n      let lastBytes = [];\n      return transform(input, value => {\n        if (value.length >= -begin) lastBytes = [value];\n        else lastBytes.push(value);\n      }, () => slice(concat(lastBytes), begin, end));\n    }\n    if (begin === 0 && end < 0) {\n      let lastBytes;\n      return transform(input, value => {\n        const returnValue = lastBytes ? concat([lastBytes, value]) : value;\n        if (returnValue.length >= -end) {\n          lastBytes = slice(returnValue, end);\n          return slice(returnValue, begin, end);\n        }\n          lastBytes = returnValue;\n      });\n    }\n    console.warn(`stream.slice(input, ${begin}, ${end}) not implemented efficiently.`);\n    return fromAsync(async () => slice(await readToEnd(input), begin, end));\n  }\n  if (input[externalBuffer]) {\n    input = concat(input[externalBuffer].concat([input]));\n  }\n  if (isUint8Array(input)) {\n    return input.subarray(begin, end === Infinity ? input.length : end);\n  }\n  return input.slice(begin, end);\n}\n\n/**\n * Read a stream to the end and return its contents, concatenated by the join function (defaults to concat).\n * @param {ReadableStream|Uint8array|String} input\n * @param {Function} join\n * @returns {Promise<Uint8array|String|Any>} the return value of join()\n * @async\n */\nasync function readToEnd(input, join=concat) {\n  if (isArrayStream(input)) {\n    return input.readToEnd(join);\n  }\n  if (isStream(input)) {\n    return getReader(input).readToEnd(join);\n  }\n  return input;\n}\n\n/**\n * Cancel a stream.\n * @param {ReadableStream|Uint8array|String} input\n * @param {Any} reason\n * @returns {Promise<Any>} indicates when the stream has been canceled\n * @async\n */\nasync function cancel(input, reason) {\n  if (isStream(input)) {\n    if (input.cancel) {\n      const cancelled = await input.cancel(reason);\n      // the stream is not always cancelled at this point, so we wait some more\n      await new Promise(setTimeout);\n      return cancelled;\n    }\n    if (input.destroy) {\n      input.destroy(reason);\n      await new Promise(setTimeout);\n      return reason;\n    }\n  }\n}\n\n/**\n * Convert an async function to an ArrayStream. When the function returns, its return value is written to the stream.\n * @param {Function} fn\n * @returns {ArrayStream}\n */\nfunction fromAsync(fn) {\n  const arrayStream = new ArrayStream();\n  (async () => {\n    const writer = getWriter(arrayStream);\n    try {\n      await writer.write(await fn());\n      await writer.close();\n    } catch (e) {\n      await writer.abort(e);\n    }\n  })();\n  return arrayStream;\n}\n\n/**\n * Get a Reader\n * @param {ReadableStream|Uint8array|String} input\n * @returns {Reader}\n */\nfunction getReader(input) {\n  return new Reader(input);\n}\n\n/**\n * Get a Writer\n * @param {WritableStream} input\n * @returns {Writer}\n */\nfunction getWriter(input) {\n  return new Writer(input);\n}\n\n\nexport {\n  ArrayStream,\n  toStream,\n  concatStream,\n  concat,\n  getReader,\n  getWriter,\n  pipe,\n  transformRaw,\n  transform,\n  transformPair,\n  parse,\n  clone,\n  passiveClone,\n  slice,\n  readToEnd,\n  cancel,\n  fromAsync\n};\n","/**\n * @module enums\n */\n\nconst byValue = Symbol('byValue');\n\nexport default {\n\n  /** Maps curve names under various standards to one\n   * @see {@link https://wiki.gnupg.org/ECC|ECC - GnuPG wiki}\n   * @enum {String}\n   * @readonly\n   */\n  curve: {\n    /** NIST P-256 Curve */\n    'nistP256':               'nistP256',\n    /** @deprecated use `nistP256` instead */\n    'p256':                   'nistP256',\n\n    /** NIST P-384 Curve */\n    'nistP384':               'nistP384',\n    /** @deprecated use `nistP384` instead */\n    'p384':                   'nistP384',\n\n    /** NIST P-521 Curve */\n    'nistP521':               'nistP521',\n    /** @deprecated use `nistP521` instead */\n    'p521':                   'nistP521',\n\n    /** SECG SECP256k1 Curve */\n    'secp256k1':              'secp256k1',\n\n    /** Ed25519 - deprecated by crypto-refresh (replaced by standaone Ed25519 algo) */\n    'ed25519Legacy':          'ed25519Legacy',\n    /** @deprecated use `ed25519Legacy` instead */\n    'ed25519':                'ed25519Legacy',\n\n    /** Curve25519 - deprecated by crypto-refresh (replaced by standaone X25519 algo) */\n    'curve25519Legacy':       'curve25519Legacy',\n    /** @deprecated use `curve25519Legacy` instead */\n    'curve25519':             'curve25519Legacy',\n\n    /** BrainpoolP256r1 Curve */\n    'brainpoolP256r1':       'brainpoolP256r1',\n\n    /** BrainpoolP384r1 Curve */\n    'brainpoolP384r1':       'brainpoolP384r1',\n\n    /** BrainpoolP512r1 Curve */\n    'brainpoolP512r1':       'brainpoolP512r1'\n  },\n\n  /** A string to key specifier type\n   * @enum {Integer}\n   * @readonly\n   */\n  s2k: {\n    simple: 0,\n    salted: 1,\n    iterated: 3,\n    argon2: 4,\n    gnu: 101\n  },\n\n  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-crypto-refresh-08.html#section-9.1|crypto-refresh RFC, section 9.1}\n   * @enum {Integer}\n   * @readonly\n   */\n  publicKey: {\n    /** RSA (Encrypt or Sign) [HAC] */\n    rsaEncryptSign: 1,\n    /** RSA (Encrypt only) [HAC] */\n    rsaEncrypt: 2,\n    /** RSA (Sign only) [HAC] */\n    rsaSign: 3,\n    /** Elgamal (Encrypt only) [ELGAMAL] [HAC] */\n    elgamal: 16,\n    /** DSA (Sign only) [FIPS186] [HAC] */\n    dsa: 17,\n    /** ECDH (Encrypt only) [RFC6637] */\n    ecdh: 18,\n    /** ECDSA (Sign only) [RFC6637] */\n    ecdsa: 19,\n    /** EdDSA (Sign only) - deprecated by crypto-refresh (replaced by `ed25519` identifier below)\n     * [{@link https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-04|Draft RFC}] */\n    eddsaLegacy: 22,\n    /** Reserved for AEDH */\n    aedh: 23,\n    /** Reserved for AEDSA */\n    aedsa: 24,\n    /** X25519 (Encrypt only) */\n    x25519: 25,\n    /** X448 (Encrypt only) */\n    x448: 26,\n    /** Ed25519 (Sign only) */\n    ed25519: 27,\n    /** Ed448 (Sign only) */\n    ed448: 28\n  },\n\n  /** {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC4880, section 9.2}\n   * @enum {Integer}\n   * @readonly\n   */\n  symmetric: {\n    /** Not implemented! */\n    idea: 1,\n    tripledes: 2,\n    cast5: 3,\n    blowfish: 4,\n    aes128: 7,\n    aes192: 8,\n    aes256: 9,\n    twofish: 10\n  },\n\n  /** {@link https://tools.ietf.org/html/rfc4880#section-9.3|RFC4880, section 9.3}\n   * @enum {Integer}\n   * @readonly\n   */\n  compression: {\n    uncompressed: 0,\n    /** RFC1951 */\n    zip: 1,\n    /** RFC1950 */\n    zlib: 2,\n    bzip2: 3\n  },\n\n  /** {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC4880, section 9.4}\n   * @enum {Integer}\n   * @readonly\n   */\n  hash: {\n    md5: 1,\n    sha1: 2,\n    ripemd: 3,\n    sha256: 8,\n    sha384: 9,\n    sha512: 10,\n    sha224: 11,\n    sha3_256: 12,\n    sha3_512: 14\n  },\n\n  /** A list of hash names as accepted by webCrypto functions.\n   * {@link https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest|Parameters, algo}\n   * @enum {String}\n   */\n  webHash: {\n    'SHA-1': 2,\n    'SHA-256': 8,\n    'SHA-384': 9,\n    'SHA-512': 10\n  },\n\n  /** {@link https://www.rfc-editor.org/rfc/rfc9580.html#name-aead-algorithms}\n   * @enum {Integer}\n   * @readonly\n   */\n  aead: {\n    eax: 1,\n    ocb: 2,\n    gcm: 3,\n    /** @deprecated used by OpenPGP.js v5 for legacy AEAD support; use `gcm` instead for the RFC9580-standardized ID */\n    experimentalGCM: 100 // Private algorithm\n  },\n\n  /** A list of packet types and numeric tags associated with them.\n   * @enum {Integer}\n   * @readonly\n   */\n  packet: {\n    publicKeyEncryptedSessionKey: 1,\n    signature: 2,\n    symEncryptedSessionKey: 3,\n    onePassSignature: 4,\n    secretKey: 5,\n    publicKey: 6,\n    secretSubkey: 7,\n    compressedData: 8,\n    symmetricallyEncryptedData: 9,\n    marker: 10,\n    literalData: 11,\n    trust: 12,\n    userID: 13,\n    publicSubkey: 14,\n    userAttribute: 17,\n    symEncryptedIntegrityProtectedData: 18,\n    modificationDetectionCode: 19,\n    aeadEncryptedData: 20, // see IETF draft: https://tools.ietf.org/html/draft-ford-openpgp-format-00#section-2.1\n    padding: 21\n  },\n\n  /** Data types in the literal packet\n   * @enum {Integer}\n   * @readonly\n   */\n  literal: {\n    /** Binary data 'b' */\n    binary: 'b'.charCodeAt(),\n    /** Text data 't' */\n    text: 't'.charCodeAt(),\n    /** Utf8 data 'u' */\n    utf8: 'u'.charCodeAt(),\n    /** MIME message body part 'm' */\n    mime: 'm'.charCodeAt()\n  },\n\n\n  /** One pass signature packet type\n   * @enum {Integer}\n   * @readonly\n   */\n  signature: {\n    /** 0x00: Signature of a binary document. */\n    binary: 0,\n    /** 0x01: Signature of a canonical text document.\n     *\n     * Canonicalyzing the document by converting line endings. */\n    text: 1,\n    /** 0x02: Standalone signature.\n     *\n     * This signature is a signature of only its own subpacket contents.\n     * It is calculated identically to a signature over a zero-lengh\n     * binary document.  Note that it doesn't make sense to have a V3\n     * standalone signature. */\n    standalone: 2,\n    /** 0x10: Generic certification of a User ID and Public-Key packet.\n     *\n     * The issuer of this certification does not make any particular\n     * assertion as to how well the certifier has checked that the owner\n     * of the key is in fact the person described by the User ID. */\n    certGeneric: 16,\n    /** 0x11: Persona certification of a User ID and Public-Key packet.\n     *\n     * The issuer of this certification has not done any verification of\n     * the claim that the owner of this key is the User ID specified. */\n    certPersona: 17,\n    /** 0x12: Casual certification of a User ID and Public-Key packet.\n     *\n     * The issuer of this certification has done some casual\n     * verification of the claim of identity. */\n    certCasual: 18,\n    /** 0x13: Positive certification of a User ID and Public-Key packet.\n     *\n     * The issuer of this certification has done substantial\n     * verification of the claim of identity.\n     *\n     * Most OpenPGP implementations make their \"key signatures\" as 0x10\n     * certifications.  Some implementations can issue 0x11-0x13\n     * certifications, but few differentiate between the types. */\n    certPositive: 19,\n    /** 0x30: Certification revocation signature\n     *\n     * This signature revokes an earlier User ID certification signature\n     * (signature class 0x10 through 0x13) or direct-key signature\n     * (0x1F).  It should be issued by the same key that issued the\n     * revoked signature or an authorized revocation key.  The signature\n     * is computed over the same data as the certificate that it\n     * revokes, and should have a later creation date than that\n     * certificate. */\n    certRevocation: 48,\n    /** 0x18: Subkey Binding Signature\n     *\n     * This signature is a statement by the top-level signing key that\n     * indicates that it owns the subkey.  This signature is calculated\n     * directly on the primary key and subkey, and not on any User ID or\n     * other packets.  A signature that binds a signing subkey MUST have\n     * an Embedded Signature subpacket in this binding signature that\n     * contains a 0x19 signature made by the signing subkey on the\n     * primary key and subkey. */\n    subkeyBinding: 24,\n    /** 0x19: Primary Key Binding Signature\n     *\n     * This signature is a statement by a signing subkey, indicating\n     * that it is owned by the primary key and subkey.  This signature\n     * is calculated the same way as a 0x18 signature: directly on the\n     * primary key and subkey, and not on any User ID or other packets.\n     *\n     * When a signature is made over a key, the hash data starts with the\n     * octet 0x99, followed by a two-octet length of the key, and then body\n     * of the key packet.  (Note that this is an old-style packet header for\n     * a key packet with two-octet length.)  A subkey binding signature\n     * (type 0x18) or primary key binding signature (type 0x19) then hashes\n     * the subkey using the same format as the main key (also using 0x99 as\n     * the first octet). */\n    keyBinding: 25,\n    /** 0x1F: Signature directly on a key\n     *\n     * This signature is calculated directly on a key.  It binds the\n     * information in the Signature subpackets to the key, and is\n     * appropriate to be used for subpackets that provide information\n     * about the key, such as the Revocation Key subpacket.  It is also\n     * appropriate for statements that non-self certifiers want to make\n     * about the key itself, rather than the binding between a key and a\n     * name. */\n    key: 31,\n    /** 0x20: Key revocation signature\n     *\n     * The signature is calculated directly on the key being revoked.  A\n     * revoked key is not to be used.  Only revocation signatures by the\n     * key being revoked, or by an authorized revocation key, should be\n     * considered valid revocation signatures.a */\n    keyRevocation: 32,\n    /** 0x28: Subkey revocation signature\n     *\n     * The signature is calculated directly on the subkey being revoked.\n     * A revoked subkey is not to be used.  Only revocation signatures\n     * by the top-level signature key that is bound to this subkey, or\n     * by an authorized revocation key, should be considered valid\n     * revocation signatures.\n     *\n     * Key revocation signatures (types 0x20 and 0x28)\n     * hash only the key being revoked. */\n    subkeyRevocation: 40,\n    /** 0x40: Timestamp signature.\n     * This signature is only meaningful for the timestamp contained in\n     * it. */\n    timestamp: 64,\n    /** 0x50: Third-Party Confirmation signature.\n     *\n     * This signature is a signature over some other OpenPGP Signature\n     * packet(s).  It is analogous to a notary seal on the signed data.\n     * A third-party signature SHOULD include Signature Target\n     * subpacket(s) to give easy identification.  Note that we really do\n     * mean SHOULD.  There are plausible uses for this (such as a blind\n     * party that only sees the signature, not the key or source\n     * document) that cannot include a target subpacket. */\n    thirdParty: 80\n  },\n\n  /** Signature subpacket type\n   * @enum {Integer}\n   * @readonly\n   */\n  signatureSubpacket: {\n    signatureCreationTime: 2,\n    signatureExpirationTime: 3,\n    exportableCertification: 4,\n    trustSignature: 5,\n    regularExpression: 6,\n    revocable: 7,\n    keyExpirationTime: 9,\n    placeholderBackwardsCompatibility: 10,\n    preferredSymmetricAlgorithms: 11,\n    revocationKey: 12,\n    issuerKeyID: 16,\n    notationData: 20,\n    preferredHashAlgorithms: 21,\n    preferredCompressionAlgorithms: 22,\n    keyServerPreferences: 23,\n    preferredKeyServer: 24,\n    primaryUserID: 25,\n    policyURI: 26,\n    keyFlags: 27,\n    signersUserID: 28,\n    reasonForRevocation: 29,\n    features: 30,\n    signatureTarget: 31,\n    embeddedSignature: 32,\n    issuerFingerprint: 33,\n    preferredAEADAlgorithms: 34,\n    preferredCipherSuites: 39\n  },\n\n  /** Key flags\n   * @enum {Integer}\n   * @readonly\n   */\n  keyFlags: {\n    /** 0x01 - This key may be used to certify other keys. */\n    certifyKeys: 1,\n    /** 0x02 - This key may be used to sign data. */\n    signData: 2,\n    /** 0x04 - This key may be used to encrypt communications. */\n    encryptCommunication: 4,\n    /** 0x08 - This key may be used to encrypt storage. */\n    encryptStorage: 8,\n    /** 0x10 - The private component of this key may have been split\n     *        by a secret-sharing mechanism. */\n    splitPrivateKey: 16,\n    /** 0x20 - This key may be used for authentication. */\n    authentication: 32,\n    /** 0x80 - The private component of this key may be in the\n     *        possession of more than one person. */\n    sharedPrivateKey: 128\n  },\n\n  /** Armor type\n   * @enum {Integer}\n   * @readonly\n   */\n  armor: {\n    multipartSection: 0,\n    multipartLast: 1,\n    signed: 2,\n    message: 3,\n    publicKey: 4,\n    privateKey: 5,\n    signature: 6\n  },\n\n  /** {@link https://tools.ietf.org/html/rfc4880#section-5.2.3.23|RFC4880, section 5.2.3.23}\n   * @enum {Integer}\n   * @readonly\n   */\n  reasonForRevocation: {\n    /** No reason specified (key revocations or cert revocations) */\n    noReason: 0,\n    /** Key is superseded (key revocations) */\n    keySuperseded: 1,\n    /** Key material has been compromised (key revocations) */\n    keyCompromised: 2,\n    /** Key is retired and no longer used (key revocations) */\n    keyRetired: 3,\n    /** User ID information is no longer valid (cert revocations) */\n    userIDInvalid: 32\n  },\n\n  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.2.3.25|RFC4880bis-04, section 5.2.3.25}\n   * @enum {Integer}\n   * @readonly\n   */\n  features: {\n    /** 0x01 - Modification Detection (packets 18 and 19) */\n    modificationDetection: 1,\n    /** 0x02 - AEAD Encrypted Data Packet (packet 20) and version 5\n     *         Symmetric-Key Encrypted Session Key Packets (packet 3) */\n    aead: 2,\n    /** 0x04 - Version 5 Public-Key Packet format and corresponding new\n      *        fingerprint format */\n    v5Keys: 4,\n    seipdv2: 8\n  },\n\n  /**\n   * Asserts validity of given value and converts from string/integer to integer.\n   * @param {Object} type target enum type\n   * @param {String|Integer} e value to check and/or convert\n   * @returns {Integer} enum value if it exists\n   * @throws {Error} if the value is invalid\n   */\n  write: function(type, e) {\n    if (typeof e === 'number') {\n      e = this.read(type, e);\n    }\n\n    if (type[e] !== undefined) {\n      return type[e];\n    }\n\n    throw new Error('Invalid enum value.');\n  },\n\n  /**\n   * Converts enum integer value to the corresponding string, if it exists.\n   * @param {Object} type target enum type\n   * @param {Integer} e value to convert\n   * @returns {String} name of enum value if it exists\n   * @throws {Error} if the value is invalid\n   */\n  read: function(type, e) {\n    if (!type[byValue]) {\n      type[byValue] = [];\n      Object.entries(type).forEach(([key, value]) => {\n        type[byValue][value] = key;\n      });\n    }\n\n    if (type[byValue][e] !== undefined) {\n      return type[byValue][e];\n    }\n\n    throw new Error('Invalid enum value.');\n  }\n};\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * Global configuration values.\n */\n\nimport enums from '../enums';\n\nexport default {\n  /**\n   * @memberof module:config\n   * @property {Integer} preferredHashAlgorithm Default hash algorithm {@link module:enums.hash}\n   */\n  preferredHashAlgorithm: enums.hash.sha512,\n  /**\n   * @memberof module:config\n   * @property {Integer} preferredSymmetricAlgorithm Default encryption cipher {@link module:enums.symmetric}\n   */\n  preferredSymmetricAlgorithm: enums.symmetric.aes256,\n  /**\n   * @memberof module:config\n   * @property {Integer} compression Default compression algorithm {@link module:enums.compression}\n   */\n  preferredCompressionAlgorithm: enums.compression.uncompressed,\n  /**\n   * Use Authenticated Encryption with Additional Data (AEAD) protection for symmetric encryption.\n   * This option is applicable to:\n   * - key generation (encryption key preferences),\n   * - password-based message encryption, and\n   * - private key encryption.\n   * In the case of message encryption using public keys, the encryption key preferences are respected instead.\n   * Note: not all OpenPGP implementations are compatible with this option.\n   * @see {@link https://tools.ietf.org/html/draft-ietf-openpgp-crypto-refresh-10.html|draft-crypto-refresh-10}\n   * @memberof module:config\n   * @property {Boolean} aeadProtect\n   */\n  aeadProtect: false,\n  /**\n   * When reading OpenPGP v4 private keys (e.g. those generated in OpenPGP.js when not setting `config.v5Keys = true`)\n   * which were encrypted by OpenPGP.js v5 (or older) using `config.aeadProtect = true`,\n   * this option must be set, otherwise key parsing and/or key decryption will fail.\n   * Note: only set this flag if you know that the keys are of the legacy type, as non-legacy keys\n   * will be processed incorrectly.\n   */\n  parseAEADEncryptedV4KeysAsLegacy: false,\n  /**\n   * Default Authenticated Encryption with Additional Data (AEAD) encryption mode\n   * Only has an effect when aeadProtect is set to true.\n   * @memberof module:config\n   * @property {Integer} preferredAEADAlgorithm Default AEAD mode {@link module:enums.aead}\n   */\n  preferredAEADAlgorithm: enums.aead.gcm,\n  /**\n   * Chunk Size Byte for Authenticated Encryption with Additional Data (AEAD) mode\n   * Only has an effect when aeadProtect is set to true.\n   * Must be an integer value from 0 to 56.\n   * @memberof module:config\n   * @property {Integer} aeadChunkSizeByte\n   */\n  aeadChunkSizeByte: 12,\n  /**\n   * Use v6 keys.\n   * Note: not all OpenPGP implementations are compatible with this option.\n   * **FUTURE OPENPGP.JS VERSIONS MAY BREAK COMPATIBILITY WHEN USING THIS OPTION**\n   * @memberof module:config\n   * @property {Boolean} v6Keys\n   */\n  v6Keys: false,\n  /**\n   * Enable parsing v5 keys and v5 signatures (which is different from the AEAD-encrypted SEIPDv2 packet).\n   * These are non-standard entities, which in the crypto-refresh have been superseded\n   * by v6 keys and v6 signatures, respectively.\n   * However, generation of v5 entities was supported behind config flag in OpenPGP.js v5, and some other libraries,\n   * hence parsing them might be necessary in some cases.\n   */\n  enableParsingV5Entities: false,\n  /**\n   * S2K (String to Key) type, used for key derivation in the context of secret key encryption\n   * and password-encrypted data. Weaker s2k options are not allowed.\n   * Note: Argon2 is the strongest option but not all OpenPGP implementations are compatible with it\n   * (pending standardisation).\n   * @memberof module:config\n   * @property {enums.s2k.argon2|enums.s2k.iterated} s2kType {@link module:enums.s2k}\n   */\n  s2kType: enums.s2k.iterated,\n  /**\n   * {@link https://tools.ietf.org/html/rfc4880#section-3.7.1.3| RFC4880 3.7.1.3}:\n   * Iteration Count Byte for Iterated and Salted S2K (String to Key).\n   * Only relevant if `config.s2kType` is set to `enums.s2k.iterated`.\n   * Note: this is the exponent value, not the final number of iterations (refer to specs for more details).\n   * @memberof module:config\n   * @property {Integer} s2kIterationCountByte\n   */\n  s2kIterationCountByte: 224,\n  /**\n   * {@link https://tools.ietf.org/html/draft-ietf-openpgp-crypto-refresh-07.html#section-3.7.1.4| draft-crypto-refresh 3.7.1.4}:\n   * Argon2 parameters for S2K (String to Key).\n   * Only relevant if `config.s2kType` is set to `enums.s2k.argon2`.\n   * Default settings correspond to the second recommendation from RFC9106 (\"uniformly safe option\"),\n   * to ensure compatibility with memory-constrained environments.\n   * For more details on the choice of parameters, see https://tools.ietf.org/html/rfc9106#section-4.\n   * @memberof module:config\n   * @property {Object} params\n   * @property {Integer} params.passes - number of iterations t\n   * @property {Integer} params.parallelism - degree of parallelism p\n   * @property {Integer} params.memoryExponent - one-octet exponent indicating the memory size, which will be: 2**memoryExponent kibibytes.\n   */\n  s2kArgon2Params: {\n    passes: 3,\n    parallelism: 4, // lanes\n    memoryExponent: 16 // 64 MiB of RAM\n  },\n  /**\n   * Allow decryption of messages without integrity protection.\n   * This is an **insecure** setting:\n   *  - message modifications cannot be detected, thus processing the decrypted data is potentially unsafe.\n   *  - it enables downgrade attacks against integrity-protected messages.\n   * @memberof module:config\n   * @property {Boolean} allowUnauthenticatedMessages\n   */\n  allowUnauthenticatedMessages: false,\n  /**\n   * Allow streaming unauthenticated data before its integrity has been checked. This would allow the application to\n   * process large streams while limiting memory usage by releasing the decrypted chunks as soon as possible\n   * and deferring checking their integrity until the decrypted stream has been read in full.\n   *\n   * This setting is **insecure** if the encrypted data has been corrupted by a malicious entity:\n   * - if the partially decrypted message is processed further or displayed to the user, it opens up the possibility of attacks such as EFAIL\n   *    (see https://efail.de/).\n   * - an attacker with access to traces or timing info of internal processing errors could learn some info about the data.\n   *\n   * NB: this setting does not apply to AEAD-encrypted data, where the AEAD data chunk is never released until integrity is confirmed.\n   * @memberof module:config\n   * @property {Boolean} allowUnauthenticatedStream\n   */\n  allowUnauthenticatedStream: false,\n  /**\n   * Minimum RSA key size allowed for key generation and message signing, verification and encryption.\n   * The default is 2047 since due to a bug, previous versions of OpenPGP.js could generate 2047-bit keys instead of 2048-bit ones.\n   * @memberof module:config\n   * @property {Number} minRSABits\n   */\n  minRSABits: 2047,\n  /**\n   * Work-around for rare GPG decryption bug when encrypting with multiple passwords.\n   * **Slower and slightly less secure**\n   * @memberof module:config\n   * @property {Boolean} passwordCollisionCheck\n   */\n  passwordCollisionCheck: false,\n  /**\n   * Allow decryption using RSA keys without `encrypt` flag.\n   * This setting is potentially insecure, but it is needed to get around an old openpgpjs bug\n   * where key flags were ignored when selecting a key for encryption.\n   * @memberof module:config\n   * @property {Boolean} allowInsecureDecryptionWithSigningKeys\n   */\n  allowInsecureDecryptionWithSigningKeys: false,\n  /**\n   * Allow verification of message signatures with keys whose validity at the time of signing cannot be determined.\n   * Instead, a verification key will also be consider valid as long as it is valid at the current time.\n   * This setting is potentially insecure, but it is needed to verify messages signed with keys that were later reformatted,\n   * and have self-signature's creation date that does not match the primary key creation date.\n   * @memberof module:config\n   * @property {Boolean} allowInsecureDecryptionWithSigningKeys\n   */\n  allowInsecureVerificationWithReformattedKeys: false,\n  /**\n   * Allow using keys that do not have any key flags set.\n   * Key flags are needed to restrict key usage to specific purposes: for instance, a signing key could only be allowed to certify other keys, and not sign messages\n   * (see https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#section-5.2.3.29).\n   * Some older keys do not declare any key flags, which means they are not allowed to be used for any operation.\n   * This setting allows using such keys for any operation for which they are compatible, based on their public key algorithm.\n   */\n  allowMissingKeyFlags: false,\n  /**\n   * Enable constant-time decryption of RSA- and ElGamal-encrypted session keys, to hinder Bleichenbacher-like attacks (https://link.springer.com/chapter/10.1007/BFb0055716).\n   * This setting has measurable performance impact and it is only helpful in application scenarios where both of the following conditions apply:\n   * - new/incoming messages are automatically decrypted (without user interaction);\n   * - an attacker can determine how long it takes to decrypt each message (e.g. due to decryption errors being logged remotely).\n   * See also `constantTimePKCS1DecryptionSupportedSymmetricAlgorithms`.\n   * @memberof module:config\n   * @property {Boolean} constantTimePKCS1Decryption\n   */\n  constantTimePKCS1Decryption: false,\n  /**\n   * This setting is only meaningful if `constantTimePKCS1Decryption` is enabled.\n   * Decryption of RSA- and ElGamal-encrypted session keys of symmetric algorithms different from the ones specified here will fail.\n   * However, the more algorithms are added, the slower the decryption procedure becomes.\n   * @memberof module:config\n   * @property {Set<Integer>} constantTimePKCS1DecryptionSupportedSymmetricAlgorithms {@link module:enums.symmetric}\n   */\n  constantTimePKCS1DecryptionSupportedSymmetricAlgorithms: new Set([enums.symmetric.aes128, enums.symmetric.aes192, enums.symmetric.aes256]),\n  /**\n   * @memberof module:config\n   * @property {Boolean} ignoreUnsupportedPackets Ignore unsupported/unrecognizable packets on parsing instead of throwing an error\n   */\n  ignoreUnsupportedPackets: true,\n  /**\n   * @memberof module:config\n   * @property {Boolean} ignoreMalformedPackets Ignore malformed packets on parsing instead of throwing an error\n   */\n  ignoreMalformedPackets: false,\n  /**\n   * Parsing of packets is normally restricted to a predefined set of packets. For example a Sym. Encrypted Integrity Protected Data Packet can only\n   * contain a certain set of packets including LiteralDataPacket. With this setting we can allow additional packets, which is probably not advisable\n   * as a global config setting, but can be used for specific function calls (e.g. decrypt method of Message).\n   * @memberof module:config\n   * @property {Array} additionalAllowedPackets Allow additional packets on parsing. Defined as array of packet classes, e.g. [PublicKeyPacket]\n   */\n  additionalAllowedPackets: [],\n  /**\n   * @memberof module:config\n   * @property {Boolean} showVersion Whether to include {@link module:config/config.versionString} in armored messages\n   */\n  showVersion: false,\n  /**\n   * @memberof module:config\n   * @property {Boolean} showComment Whether to include {@link module:config/config.commentString} in armored messages\n   */\n  showComment: false,\n  /**\n   * @memberof module:config\n   * @property {String} versionString A version string to be included in armored messages\n   */\n  versionString: 'OpenPGP.js VERSION',\n  /**\n   * @memberof module:config\n   * @property {String} commentString A comment string to be included in armored messages\n   */\n  commentString: 'https://openpgpjs.org',\n\n  /**\n   * Max userID string length (used for parsing)\n   * @memberof module:config\n   * @property {Integer} maxUserIDLength\n   */\n  maxUserIDLength: 1024 * 5,\n  /**\n   * Contains notatations that are considered \"known\". Known notations do not trigger\n   * validation error when the notation is marked as critical.\n   * @memberof module:config\n   * @property {Array} knownNotations\n   */\n  knownNotations: [],\n  /**\n   * If true, a salt notation is used to randomize signatures generated by v4 and v5 keys (v6 signatures are always non-deterministic, by design).\n   * This protects EdDSA signatures from potentially leaking the secret key in case of faults (i.e. bitflips) which, in principle, could occur\n   * during the signing computation. It is added to signatures of any algo for simplicity, and as it may also serve as protection in case of\n   * weaknesses in the hash algo, potentially hindering e.g. some chosen-prefix attacks.\n   * NOTE: the notation is interoperable, but will reveal that the signature has been generated using OpenPGP.js, which may not be desirable in some cases.\n   */\n  nonDeterministicSignaturesViaNotation: true,\n  /**\n   * Whether to use the the noble-curves library for curves (other than Curve25519) that are not supported by the available native crypto API.\n   * When false, certain standard curves will not be supported (depending on the platform).\n   * @memberof module:config\n   * @property {Boolean} useEllipticFallback\n   */\n  useEllipticFallback: true,\n  /**\n   * Reject insecure hash algorithms\n   * @memberof module:config\n   * @property {Set<Integer>} rejectHashAlgorithms {@link module:enums.hash}\n   */\n  rejectHashAlgorithms: new Set([enums.hash.md5, enums.hash.ripemd]),\n  /**\n   * Reject insecure message hash algorithms\n   * @memberof module:config\n   * @property {Set<Integer>} rejectMessageHashAlgorithms {@link module:enums.hash}\n   */\n  rejectMessageHashAlgorithms: new Set([enums.hash.md5, enums.hash.ripemd, enums.hash.sha1]),\n  /**\n   * Reject insecure public key algorithms for key generation and message encryption, signing or verification\n   * @memberof module:config\n   * @property {Set<Integer>} rejectPublicKeyAlgorithms {@link module:enums.publicKey}\n   */\n  rejectPublicKeyAlgorithms: new Set([enums.publicKey.elgamal, enums.publicKey.dsa]),\n  /**\n   * Reject non-standard curves for key generation, message encryption, signing or verification\n   * @memberof module:config\n   * @property {Set<String>} rejectCurves {@link module:enums.curve}\n   */\n  rejectCurves: new Set([enums.curve.secp256k1])\n};\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/* eslint-disable no-console */\n\n/**\n * This object contains utility functions\n * @module util\n */\n\nimport { concat as streamConcat, transform as streamTransform, concatUint8Array, isStream, isUint8Array } from '@openpgp/web-stream-tools';\nimport { createRequire } from 'module'; // Must be stripped in browser built\nimport enums from './enums';\nimport defaultConfig from './config';\n\nconst debugMode = (() => {\n  try {\n    return process.env.NODE_ENV === 'development'; // eslint-disable-line no-process-env\n  } catch (e) {}\n  return false;\n})();\n\nconst util = {\n  isString: function(data) {\n    return typeof data === 'string' || data instanceof String;\n  },\n\n  nodeRequire: createRequire(import.meta.url),\n\n  isArray: function(data) {\n    return data instanceof Array;\n  },\n\n  isUint8Array: isUint8Array,\n\n  isStream: isStream,\n\n  /**\n   * Load noble-curves lib on demand and return the requested curve function\n   * @param {enums.publicKey} publicKeyAlgo\n   * @param {enums.curve} [curveName] - for algos supporting different curves (e.g. ECDSA)\n   * @returns curve implementation\n   * @throws on unrecognized curve, or curve not implemented by noble-curve\n   */\n  getNobleCurve: async (publicKeyAlgo, curveName) => {\n    if (!defaultConfig.useEllipticFallback) {\n      throw new Error('This curve is only supported in the full build of OpenPGP.js');\n    }\n\n    const { nobleCurves } = await import('./crypto/public_key/elliptic/noble_curves');\n    switch (publicKeyAlgo) {\n      case enums.publicKey.ecdh:\n      case enums.publicKey.ecdsa: {\n        const curve = nobleCurves.get(curveName);\n        if (!curve) throw new Error('Unsupported curve');\n        return curve;\n      }\n      case enums.publicKey.x448:\n        return nobleCurves.get('x448');\n      case enums.publicKey.ed448:\n        return nobleCurves.get('ed448');\n      default:\n        throw new Error('Unsupported curve');\n    }\n  },\n\n  readNumber: function (bytes) {\n    let n = 0;\n    for (let i = 0; i < bytes.length; i++) {\n      n += (256 ** i) * bytes[bytes.length - 1 - i];\n    }\n    return n;\n  },\n\n  writeNumber: function (n, bytes) {\n    const b = new Uint8Array(bytes);\n    for (let i = 0; i < bytes; i++) {\n      b[i] = (n >> (8 * (bytes - i - 1))) & 0xFF;\n    }\n\n    return b;\n  },\n\n  readDate: function (bytes) {\n    const n = util.readNumber(bytes);\n    const d = new Date(n * 1000);\n    return d;\n  },\n\n  writeDate: function (time) {\n    const numeric = Math.floor(time.getTime() / 1000);\n\n    return util.writeNumber(numeric, 4);\n  },\n\n  normalizeDate: function (time = Date.now()) {\n    return time === null || time === Infinity ? time : new Date(Math.floor(+time / 1000) * 1000);\n  },\n\n  /**\n   * Read one MPI from bytes in input\n   * @param {Uint8Array} bytes - Input data to parse\n   * @returns {Uint8Array} Parsed MPI.\n   */\n  readMPI: function (bytes) {\n    const bits = (bytes[0] << 8) | bytes[1];\n    const bytelen = (bits + 7) >>> 3;\n    // There is a decryption oracle risk here by enforcing the MPI length using `readExactSubarray` in the context of SEIPDv1 encrypted signatures,\n    // where unauthenticated streamed decryption is done (via `config.allowUnauthenticatedStream`), since the decrypted signature data being processed\n    // has not been authenticated (yet).\n    // However, such config setting is known to be insecure, and there are other packet parsing errors that can cause similar issues.\n    // Also, AEAD is also not affected.\n    return util.readExactSubarray(bytes, 2, 2 + bytelen);\n  },\n\n  /**\n   * Read exactly `end - start` bytes from input.\n   * This is a stricter version of `.subarray`.\n   * @param {Uint8Array} input - Input data to parse\n   * @returns {Uint8Array} subarray of size always equal to `end - start`\n   * @throws if the input array is too short.\n   */\n  readExactSubarray: function (input, start, end) {\n    if (input.length < (end - start)) {\n      throw new Error('Input array too short');\n    }\n    return input.subarray(start, end);\n  },\n\n  /**\n   * Left-pad Uint8Array to length by adding 0x0 bytes\n   * @param {Uint8Array} bytes - Data to pad\n   * @param {Number} length - Padded length\n   * @returns {Uint8Array} Padded bytes.\n   */\n  leftPad(bytes, length) {\n    if (bytes.length > length) {\n      throw new Error('Input array too long');\n    }\n    const padded = new Uint8Array(length);\n    const offset = length - bytes.length;\n    padded.set(bytes, offset);\n    return padded;\n  },\n\n  /**\n   * Convert a Uint8Array to an MPI-formatted Uint8Array.\n   * @param {Uint8Array} bin - An array of 8-bit integers to convert\n   * @returns {Uint8Array} MPI-formatted Uint8Array.\n   */\n  uint8ArrayToMPI: function (bin) {\n    const bitSize = util.uint8ArrayBitLength(bin);\n    if (bitSize === 0) {\n      throw new Error('Zero MPI');\n    }\n    const stripped = bin.subarray(bin.length - Math.ceil(bitSize / 8));\n    const prefix = new Uint8Array([(bitSize & 0xFF00) >> 8, bitSize & 0xFF]);\n    return util.concatUint8Array([prefix, stripped]);\n  },\n\n  /**\n   * Return bit length of the input data\n   * @param {Uint8Array} bin input data (big endian)\n   * @returns bit length\n   */\n  uint8ArrayBitLength: function (bin) {\n    let i; // index of leading non-zero byte\n    for (i = 0; i < bin.length; i++) if (bin[i] !== 0) break;\n    if (i === bin.length) {\n      return 0;\n    }\n    const stripped = bin.subarray(i);\n    return (stripped.length - 1) * 8 + util.nbits(stripped[0]);\n  },\n\n  /**\n   * Convert a hex string to an array of 8-bit integers\n   * @param {String} hex - A hex string to convert\n   * @returns {Uint8Array} An array of 8-bit integers.\n   */\n  hexToUint8Array: function (hex) {\n    const result = new Uint8Array(hex.length >> 1);\n    for (let k = 0; k < hex.length >> 1; k++) {\n      result[k] = parseInt(hex.substr(k << 1, 2), 16);\n    }\n    return result;\n  },\n\n  /**\n   * Convert an array of 8-bit integers to a hex string\n   * @param {Uint8Array} bytes - Array of 8-bit integers to convert\n   * @returns {String} Hexadecimal representation of the array.\n   */\n  uint8ArrayToHex: function (bytes) {\n    const hexAlphabet = '0123456789abcdef';\n    let s = '';\n    bytes.forEach(v => { s += hexAlphabet[v >> 4] + hexAlphabet[v & 15]; });\n    return s;\n  },\n\n  /**\n   * Convert a string to an array of 8-bit integers\n   * @param {String} str - String to convert\n   * @returns {Uint8Array} An array of 8-bit integers.\n   */\n  stringToUint8Array: function (str) {\n    return streamTransform(str, str => {\n      if (!util.isString(str)) {\n        throw new Error('stringToUint8Array: Data must be in the form of a string');\n      }\n\n      const result = new Uint8Array(str.length);\n      for (let i = 0; i < str.length; i++) {\n        result[i] = str.charCodeAt(i);\n      }\n      return result;\n    });\n  },\n\n  /**\n   * Convert an array of 8-bit integers to a string\n   * @param {Uint8Array} bytes - An array of 8-bit integers to convert\n   * @returns {String} String representation of the array.\n   */\n  uint8ArrayToString: function (bytes) {\n    bytes = new Uint8Array(bytes);\n    const result = [];\n    const bs = 1 << 14;\n    const j = bytes.length;\n\n    for (let i = 0; i < j; i += bs) {\n      result.push(String.fromCharCode.apply(String, bytes.subarray(i, i + bs < j ? i + bs : j)));\n    }\n    return result.join('');\n  },\n\n  /**\n   * Convert a native javascript string to a Uint8Array of utf8 bytes\n   * @param {String|ReadableStream} str - The string to convert\n   * @returns {Uint8Array|ReadableStream} A valid squence of utf8 bytes.\n   */\n  encodeUTF8: function (str) {\n    const encoder = new TextEncoder('utf-8');\n    // eslint-disable-next-line no-inner-declarations\n    function process(value, lastChunk = false) {\n      return encoder.encode(value, { stream: !lastChunk });\n    }\n    return streamTransform(str, process, () => process('', true));\n  },\n\n  /**\n   * Convert a Uint8Array of utf8 bytes to a native javascript string\n   * @param {Uint8Array|ReadableStream} utf8 - A valid squence of utf8 bytes\n   * @returns {String|ReadableStream} A native javascript string.\n   */\n  decodeUTF8: function (utf8) {\n    const decoder = new TextDecoder('utf-8');\n    // eslint-disable-next-line no-inner-declarations\n    function process(value, lastChunk = false) {\n      return decoder.decode(value, { stream: !lastChunk });\n    }\n    return streamTransform(utf8, process, () => process(new Uint8Array(), true));\n  },\n\n  /**\n   * Concat a list of Uint8Arrays, Strings or Streams\n   * The caller must not mix Uint8Arrays with Strings, but may mix Streams with non-Streams.\n   * @param {Array<Uint8Array|String|ReadableStream>} Array - Of Uint8Arrays/Strings/Streams to concatenate\n   * @returns {Uint8Array|String|ReadableStream} Concatenated array.\n   */\n  concat: streamConcat,\n\n  /**\n   * Concat Uint8Arrays\n   * @param {Array<Uint8Array>} Array - Of Uint8Arrays to concatenate\n   * @returns {Uint8Array} Concatenated array.\n   */\n  concatUint8Array: concatUint8Array,\n\n  /**\n   * Check Uint8Array equality\n   * @param {Uint8Array} array1 - First array\n   * @param {Uint8Array} array2 - Second array\n   * @returns {Boolean} Equality.\n   */\n  equalsUint8Array: function (array1, array2) {\n    if (!util.isUint8Array(array1) || !util.isUint8Array(array2)) {\n      throw new Error('Data must be in the form of a Uint8Array');\n    }\n\n    if (array1.length !== array2.length) {\n      return false;\n    }\n\n    for (let i = 0; i < array1.length; i++) {\n      if (array1[i] !== array2[i]) {\n        return false;\n      }\n    }\n    return true;\n  },\n\n  /**\n   * Calculates a 16bit sum of a Uint8Array by adding each character\n   * codes modulus 65535\n   * @param {Uint8Array} Uint8Array - To create a sum of\n   * @returns {Uint8Array} 2 bytes containing the sum of all charcodes % 65535.\n   */\n  writeChecksum: function (text) {\n    let s = 0;\n    for (let i = 0; i < text.length; i++) {\n      s = (s + text[i]) & 0xFFFF;\n    }\n    return util.writeNumber(s, 2);\n  },\n\n  /**\n   * Helper function to print a debug message. Debug\n   * messages are only printed if\n   * @param {String} str - String of the debug message\n   */\n  printDebug: function (str) {\n    if (debugMode) {\n      console.log('[OpenPGP.js debug]', str);\n    }\n  },\n\n  /**\n   * Helper function to print a debug error. Debug\n   * messages are only printed if\n   * @param {String} str - String of the debug message\n   */\n  printDebugError: function (error) {\n    if (debugMode) {\n      console.error('[OpenPGP.js debug]', error);\n    }\n  },\n\n  // returns bit length of the integer x\n  nbits: function (x) {\n    let r = 1;\n    let t = x >>> 16;\n    if (t !== 0) {\n      x = t;\n      r += 16;\n    }\n    t = x >> 8;\n    if (t !== 0) {\n      x = t;\n      r += 8;\n    }\n    t = x >> 4;\n    if (t !== 0) {\n      x = t;\n      r += 4;\n    }\n    t = x >> 2;\n    if (t !== 0) {\n      x = t;\n      r += 2;\n    }\n    t = x >> 1;\n    if (t !== 0) {\n      x = t;\n      r += 1;\n    }\n    return r;\n  },\n\n  /**\n   * If S[1] == 0, then double(S) == (S[2..128] || 0);\n   * otherwise, double(S) == (S[2..128] || 0) xor\n   * (zeros(120) || 10000111).\n   *\n   * Both OCB and EAX (through CMAC) require this function to be constant-time.\n   *\n   * @param {Uint8Array} data\n   */\n  double: function(data) {\n    const doubleVar = new Uint8Array(data.length);\n    const last = data.length - 1;\n    for (let i = 0; i < last; i++) {\n      doubleVar[i] = (data[i] << 1) ^ (data[i + 1] >> 7);\n    }\n    doubleVar[last] = (data[last] << 1) ^ ((data[0] >> 7) * 0x87);\n    return doubleVar;\n  },\n\n  /**\n   * Shift a Uint8Array to the right by n bits\n   * @param {Uint8Array} array - The array to shift\n   * @param {Integer} bits - Amount of bits to shift (MUST be smaller\n   * than 8)\n   * @returns {String} Resulting array.\n   */\n  shiftRight: function (array, bits) {\n    if (bits) {\n      for (let i = array.length - 1; i >= 0; i--) {\n        array[i] >>= bits;\n        if (i > 0) {\n          array[i] |= (array[i - 1] << (8 - bits));\n        }\n      }\n    }\n    return array;\n  },\n\n  /**\n   * Get native Web Cryptography API.\n   * @returns {Object} The SubtleCrypto API\n   * @throws if the API is not available\n   */\n  getWebCrypto: function() {\n    const globalWebCrypto = typeof globalThis !== 'undefined' && globalThis.crypto && globalThis.crypto.subtle;\n    // Fallback for Node 16, which does not expose WebCrypto as a global\n    const webCrypto = globalWebCrypto || this.getNodeCrypto()?.webcrypto.subtle;\n    if (!webCrypto) {\n      throw new Error('The WebCrypto API is not available');\n    }\n    return webCrypto;\n  },\n\n  /**\n   * Get native Node.js crypto api.\n   * @returns {Object} The crypto module or 'undefined'.\n   */\n  getNodeCrypto: function() {\n    return this.nodeRequire('crypto');\n  },\n\n  getNodeZlib: function() {\n    return this.nodeRequire('zlib');\n  },\n\n  /**\n   * Get native Node.js Buffer constructor. This should be used since\n   * Buffer is not available under browserify.\n   * @returns {Function} The Buffer constructor or 'undefined'.\n   */\n  getNodeBuffer: function() {\n    return (this.nodeRequire('buffer') || {}).Buffer;\n  },\n\n  getHardwareConcurrency: function() {\n    if (typeof navigator !== 'undefined') {\n      return navigator.hardwareConcurrency || 1;\n    }\n\n    const os = this.nodeRequire('os'); // Assume we're on Node.js.\n    return os.cpus().length;\n  },\n\n  /**\n   * Test email format to ensure basic compliance:\n   * - must include a single @\n   * - no control or space unicode chars allowed\n   * - no backslash and square brackets (as the latter can mess with the userID parsing)\n   * - cannot end with a punctuation char\n   * These checks are not meant to be exhaustive; applications are strongly encouraged to implement stricter validation,\n   * e.g. based on the W3C HTML spec (https://html.spec.whatwg.org/multipage/input.html#email-state-(type=email)).\n   */\n  isEmailAddress: function(data) {\n    if (!util.isString(data)) {\n      return false;\n    }\n    const re = /^[^\\p{C}\\p{Z}@<>\\\\]+@[^\\p{C}\\p{Z}@<>\\\\]+[^\\p{C}\\p{Z}\\p{P}]$/u;\n    return re.test(data);\n  },\n\n  /**\n   * Normalize line endings to <CR><LF>\n   * Support any encoding where CR=0x0D, LF=0x0A\n   */\n  canonicalizeEOL: function(data) {\n    const CR = 13;\n    const LF = 10;\n    let carryOverCR = false;\n\n    return streamTransform(data, bytes => {\n      if (carryOverCR) {\n        bytes = util.concatUint8Array([new Uint8Array([CR]), bytes]);\n      }\n\n      if (bytes[bytes.length - 1] === CR) {\n        carryOverCR = true;\n        bytes = bytes.subarray(0, -1);\n      } else {\n        carryOverCR = false;\n      }\n\n      let index;\n      const indices = [];\n      for (let i = 0; ; i = index) {\n        index = bytes.indexOf(LF, i) + 1;\n        if (index) {\n          if (bytes[index - 2] !== CR) indices.push(index);\n        } else {\n          break;\n        }\n      }\n      if (!indices.length) {\n        return bytes;\n      }\n\n      const normalized = new Uint8Array(bytes.length + indices.length);\n      let j = 0;\n      for (let i = 0; i < indices.length; i++) {\n        const sub = bytes.subarray(indices[i - 1] || 0, indices[i]);\n        normalized.set(sub, j);\n        j += sub.length;\n        normalized[j - 1] = CR;\n        normalized[j] = LF;\n        j++;\n      }\n      normalized.set(bytes.subarray(indices[indices.length - 1] || 0), j);\n      return normalized;\n    }, () => (carryOverCR ? new Uint8Array([CR]) : undefined));\n  },\n\n  /**\n   * Convert line endings from canonicalized <CR><LF> to native <LF>\n   * Support any encoding where CR=0x0D, LF=0x0A\n   */\n  nativeEOL: function(data) {\n    const CR = 13;\n    const LF = 10;\n    let carryOverCR = false;\n\n    return streamTransform(data, bytes => {\n      if (carryOverCR && bytes[0] !== LF) {\n        bytes = util.concatUint8Array([new Uint8Array([CR]), bytes]);\n      } else {\n        bytes = new Uint8Array(bytes); // Don't mutate passed bytes\n      }\n\n      if (bytes[bytes.length - 1] === CR) {\n        carryOverCR = true;\n        bytes = bytes.subarray(0, -1);\n      } else {\n        carryOverCR = false;\n      }\n\n      let index;\n      let j = 0;\n      for (let i = 0; i !== bytes.length; i = index) {\n        index = bytes.indexOf(CR, i) + 1;\n        if (!index) index = bytes.length;\n        const last = index - (bytes[index] === LF ? 1 : 0);\n        if (i) bytes.copyWithin(j, i, last);\n        j += last - i;\n      }\n      return bytes.subarray(0, j);\n    }, () => (carryOverCR ? new Uint8Array([CR]) : undefined));\n  },\n\n  /**\n   * Remove trailing spaces, carriage returns and tabs from each line\n   */\n  removeTrailingSpaces: function(text) {\n    return text.split('\\n').map(line => {\n      let i = line.length - 1;\n      for (; i >= 0 && (line[i] === ' ' || line[i] === '\\t' || line[i] === '\\r'); i--);\n      return line.substr(0, i + 1);\n    }).join('\\n');\n  },\n\n  wrapError: function(message, error) {\n    if (!error) {\n      return new Error(message);\n    }\n\n    // update error message\n    try {\n      error.message = message + ': ' + error.message;\n    } catch (e) {}\n\n    return error;\n  },\n\n  /**\n   * Map allowed packet tags to corresponding classes\n   * Meant to be used to format `allowedPacket` for Packetlist.read\n   * @param {Array<Object>} allowedClasses\n   * @returns {Object} map from enum.packet to corresponding *Packet class\n   */\n  constructAllowedPackets: function(allowedClasses) {\n    const map = {};\n    allowedClasses.forEach(PacketClass => {\n      if (!PacketClass.tag) {\n        throw new Error('Invalid input: expected a packet class');\n      }\n      map[PacketClass.tag] = PacketClass;\n    });\n    return map;\n  },\n\n  /**\n   * Return a Promise that will resolve as soon as one of the promises in input resolves\n   * or will reject if all input promises all rejected\n   * (similar to Promise.any, but with slightly different error handling)\n   * @param {Array<Promise>} promises\n   * @return {Promise<Any>} Promise resolving to the result of the fastest fulfilled promise\n   *                          or rejected with the Error of the last resolved Promise (if all promises are rejected)\n   */\n  anyPromise: function(promises) {\n    // eslint-disable-next-line no-async-promise-executor\n    return new Promise(async (resolve, reject) => {\n      let exception;\n      await Promise.all(promises.map(async promise => {\n        try {\n          resolve(await promise);\n        } catch (e) {\n          exception = e;\n        }\n      }));\n      reject(exception);\n    });\n  },\n\n  /**\n   * Return either `a` or `b` based on `cond`, in algorithmic constant time.\n   * @param {Boolean} cond\n   * @param {Uint8Array} a\n   * @param {Uint8Array} b\n   * @returns `a` if `cond` is true, `b` otherwise\n   */\n  selectUint8Array: function(cond, a, b) {\n    const length = Math.max(a.length, b.length);\n    const result = new Uint8Array(length);\n    let end = 0;\n    for (let i = 0; i < result.length; i++) {\n      result[i] = (a[i] & (256 - cond)) | (b[i] & (255 + cond));\n      end += (cond & i < a.length) | ((1 - cond) & i < b.length);\n    }\n    return result.subarray(0, end);\n  },\n  /**\n   * Return either `a` or `b` based on `cond`, in algorithmic constant time.\n   * NB: it only supports `a, b` with values between 0-255.\n   * @param {Boolean} cond\n   * @param {Uint8} a\n   * @param {Uint8} b\n   * @returns `a` if `cond` is true, `b` otherwise\n   */\n  selectUint8: function(cond, a, b) {\n    return (a & (256 - cond)) | (b & (255 + cond));\n  },\n  /**\n   * @param {module:enums.symmetric} cipherAlgo\n   */\n  isAES: function(cipherAlgo) {\n    return cipherAlgo === enums.symmetric.aes128 || cipherAlgo === enums.symmetric.aes192 || cipherAlgo === enums.symmetric.aes256;\n  }\n};\n\nexport default util;\n","/* OpenPGP radix-64/base64 string encoding/decoding\n * Copyright 2005 Herbert Hanewinkel, www.haneWIN.de\n * version 1.0, check www.haneWIN.de for the latest version\n *\n * This software is provided as-is, without express or implied warranty.\n * Permission to use, copy, modify, distribute or sell this software, with or\n * without fee, for any purpose and by any individual or organization, is hereby\n * granted, provided that the above copyright notice and this paragraph appear\n * in all copies. Distribution as a part of an application or binary must\n * include the above copyright notice in the documentation and/or other materials\n * provided with the application or distribution.\n */\n\n/**\n * @module encoding/base64\n */\n\nimport { transform as streamTransform } from '@openpgp/web-stream-tools';\nimport util from '../util';\n\nconst Buffer = util.getNodeBuffer();\n\nlet encodeChunk;\nlet decodeChunk;\nif (Buffer) {\n  encodeChunk = buf => Buffer.from(buf).toString('base64');\n  decodeChunk = str => {\n    const b = Buffer.from(str, 'base64');\n    return new Uint8Array(b.buffer, b.byteOffset, b.byteLength);\n  };\n} else {\n  encodeChunk = buf => btoa(util.uint8ArrayToString(buf));\n  decodeChunk = str => util.stringToUint8Array(atob(str));\n}\n\n/**\n * Convert binary array to radix-64\n * @param {Uint8Array | ReadableStream<Uint8Array>} data - Uint8Array to convert\n * @returns {String | ReadableStream<String>} Radix-64 version of input string.\n * @static\n */\nexport function encode(data) {\n  let buf = new Uint8Array();\n  return streamTransform(data, value => {\n    buf = util.concatUint8Array([buf, value]);\n    const r = [];\n    const bytesPerLine = 45; // 60 chars per line * (3 bytes / 4 chars of base64).\n    const lines = Math.floor(buf.length / bytesPerLine);\n    const bytes = lines * bytesPerLine;\n    const encoded = encodeChunk(buf.subarray(0, bytes));\n    for (let i = 0; i < lines; i++) {\n      r.push(encoded.substr(i * 60, 60));\n      r.push('\\n');\n    }\n    buf = buf.subarray(bytes);\n    return r.join('');\n  }, () => (buf.length ? encodeChunk(buf) + '\\n' : ''));\n}\n\n/**\n * Convert radix-64 to binary array\n * @param {String | ReadableStream<String>} data - Radix-64 string to convert\n * @returns {Uint8Array | ReadableStream<Uint8Array>} Binary array version of input string.\n * @static\n */\nexport function decode(data) {\n  let buf = '';\n  return streamTransform(data, value => {\n    buf += value;\n\n    // Count how many whitespace characters there are in buf\n    let spaces = 0;\n    const spacechars = [' ', '\\t', '\\r', '\\n'];\n    for (let i = 0; i < spacechars.length; i++) {\n      const spacechar = spacechars[i];\n      for (let pos = buf.indexOf(spacechar); pos !== -1; pos = buf.indexOf(spacechar, pos + 1)) {\n        spaces++;\n      }\n    }\n\n    // Backtrack until we have 4n non-whitespace characters\n    // that we can safely base64-decode\n    let length = buf.length;\n    for (; length > 0 && (length - spaces) % 4 !== 0; length--) {\n      if (spacechars.includes(buf[length])) spaces--;\n    }\n\n    const decoded = decodeChunk(buf.substr(0, length));\n    buf = buf.substr(length);\n    return decoded;\n  }, () => decodeChunk(buf));\n}\n\n/**\n * Convert a Base-64 encoded string an array of 8-bit integer\n *\n * Note: accepts both Radix-64 and URL-safe strings\n * @param {String} base64 - Base-64 encoded string to convert\n * @returns {Uint8Array} An array of 8-bit integers.\n */\nexport function b64ToUint8Array(base64) {\n  return decode(base64.replace(/-/g, '+').replace(/_/g, '/'));\n}\n\n/**\n * Convert an array of 8-bit integer to a Base-64 encoded string\n * @param {Uint8Array} bytes - An array of 8-bit integers to convert\n * @param {bool} url - If true, output is URL-safe\n * @returns {String} Base-64 encoded string.\n */\nexport function uint8ArrayToB64(bytes, url) {\n  let encoded = encode(bytes).replace(/[\\r\\n]/g, '');\n  if (url) {\n    encoded = encoded.replace(/[+]/g, '-').replace(/[/]/g, '_').replace(/[=]/g, '');\n  }\n  return encoded;\n}\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport { transform as streamTransform, transformPair as streamTransformPair, getReader as streamGetReader, getWriter as streamGetWriter, isArrayStream, readToEnd as streamReadToEnd, passiveClone as streamPassiveClone } from '@openpgp/web-stream-tools';\nimport { encode as encodeBase64, decode as decodeBase64 } from './base64';\nimport enums from '../enums';\nimport util from '../util';\nimport defaultConfig from '../config';\n\n/**\n * Finds out which Ascii Armoring type is used. Throws error if unknown type.\n * @param {String} text - ascii armored text\n * @returns {Integer} 0 = MESSAGE PART n of m.\n *         1 = MESSAGE PART n\n *         2 = SIGNED MESSAGE\n *         3 = PGP MESSAGE\n *         4 = PUBLIC KEY BLOCK\n *         5 = PRIVATE KEY BLOCK\n *         6 = SIGNATURE\n * @private\n */\nfunction getType(text) {\n  const reHeader = /^-----BEGIN PGP (MESSAGE, PART \\d+\\/\\d+|MESSAGE, PART \\d+|SIGNED MESSAGE|MESSAGE|PUBLIC KEY BLOCK|PRIVATE KEY BLOCK|SIGNATURE)-----$/m;\n\n  const header = text.match(reHeader);\n\n  if (!header) {\n    throw new Error('Unknown ASCII armor type');\n  }\n\n  // BEGIN PGP MESSAGE, PART X/Y\n  // Used for multi-part messages, where the armor is split amongst Y\n  // parts, and this is the Xth part out of Y.\n  if (/MESSAGE, PART \\d+\\/\\d+/.test(header[1])) {\n    return enums.armor.multipartSection;\n  }\n  // BEGIN PGP MESSAGE, PART X\n  // Used for multi-part messages, where this is the Xth part of an\n  // unspecified number of parts. Requires the MESSAGE-ID Armor\n  // Header to be used.\n  if (/MESSAGE, PART \\d+/.test(header[1])) {\n    return enums.armor.multipartLast;\n  }\n  // BEGIN PGP SIGNED MESSAGE\n  if (/SIGNED MESSAGE/.test(header[1])) {\n    return enums.armor.signed;\n  }\n  // BEGIN PGP MESSAGE\n  // Used for signed, encrypted, or compressed files.\n  if (/MESSAGE/.test(header[1])) {\n    return enums.armor.message;\n  }\n  // BEGIN PGP PUBLIC KEY BLOCK\n  // Used for armoring public keys.\n  if (/PUBLIC KEY BLOCK/.test(header[1])) {\n    return enums.armor.publicKey;\n  }\n  // BEGIN PGP PRIVATE KEY BLOCK\n  // Used for armoring private keys.\n  if (/PRIVATE KEY BLOCK/.test(header[1])) {\n    return enums.armor.privateKey;\n  }\n  // BEGIN PGP SIGNATURE\n  // Used for detached signatures, OpenPGP/MIME signatures, and\n  // cleartext signatures. Note that PGP 2.x uses BEGIN PGP MESSAGE\n  // for detached signatures.\n  if (/SIGNATURE/.test(header[1])) {\n    return enums.armor.signature;\n  }\n}\n\n/**\n * Add additional information to the armor version of an OpenPGP binary\n * packet block.\n * @author  Alex\n * @version 2011-12-16\n * @param {String} [customComment] - Additional comment to add to the armored string\n * @returns {String} The header information.\n * @private\n */\nfunction addheader(customComment, config) {\n  let result = '';\n  if (config.showVersion) {\n    result += 'Version: ' + config.versionString + '\\n';\n  }\n  if (config.showComment) {\n    result += 'Comment: ' + config.commentString + '\\n';\n  }\n  if (customComment) {\n    result += 'Comment: ' + customComment + '\\n';\n  }\n  result += '\\n';\n  return result;\n}\n\n/**\n * Calculates a checksum over the given data and returns it base64 encoded\n * @param {String | ReadableStream<String>} data - Data to create a CRC-24 checksum for\n * @returns {String | ReadableStream<String>} Base64 encoded checksum.\n * @private\n */\nfunction getCheckSum(data) {\n  const crc = createcrc24(data);\n  return encodeBase64(crc);\n}\n\n// https://create.stephan-brumme.com/crc32/#slicing-by-8-overview\n\nconst crc_table = [\n  new Array(0xFF),\n  new Array(0xFF),\n  new Array(0xFF),\n  new Array(0xFF)\n];\n\nfor (let i = 0; i <= 0xFF; i++) {\n  let crc = i << 16;\n  for (let j = 0; j < 8; j++) {\n    crc = (crc << 1) ^ ((crc & 0x800000) !== 0 ? 0x864CFB : 0);\n  }\n  crc_table[0][i] =\n    ((crc & 0xFF0000) >> 16) |\n    (crc & 0x00FF00) |\n    ((crc & 0x0000FF) << 16);\n}\nfor (let i = 0; i <= 0xFF; i++) {\n  crc_table[1][i] = (crc_table[0][i] >> 8) ^ crc_table[0][crc_table[0][i] & 0xFF];\n}\nfor (let i = 0; i <= 0xFF; i++) {\n  crc_table[2][i] = (crc_table[1][i] >> 8) ^ crc_table[0][crc_table[1][i] & 0xFF];\n}\nfor (let i = 0; i <= 0xFF; i++) {\n  crc_table[3][i] = (crc_table[2][i] >> 8) ^ crc_table[0][crc_table[2][i] & 0xFF];\n}\n\n// https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/DataView#Endianness\nconst isLittleEndian = (function() {\n  const buffer = new ArrayBuffer(2);\n  new DataView(buffer).setInt16(0, 0xFF, true /* littleEndian */);\n  // Int16Array uses the platform's endianness.\n  return new Int16Array(buffer)[0] === 0xFF;\n}());\n\n/**\n * Internal function to calculate a CRC-24 checksum over a given string (data)\n * @param {String | ReadableStream<String>} input - Data to create a CRC-24 checksum for\n * @returns {Uint8Array | ReadableStream<Uint8Array>} The CRC-24 checksum.\n * @private\n */\nfunction createcrc24(input) {\n  let crc = 0xCE04B7;\n  return streamTransform(input, value => {\n    const len32 = isLittleEndian ? Math.floor(value.length / 4) : 0;\n    const arr32 = new Uint32Array(value.buffer, value.byteOffset, len32);\n    for (let i = 0; i < len32; i++) {\n      crc ^= arr32[i];\n      crc =\n        crc_table[0][(crc >> 24) & 0xFF] ^\n        crc_table[1][(crc >> 16) & 0xFF] ^\n        crc_table[2][(crc >> 8) & 0xFF] ^\n        crc_table[3][(crc >> 0) & 0xFF];\n    }\n    for (let i = len32 * 4; i < value.length; i++) {\n      crc = (crc >> 8) ^ crc_table[0][(crc & 0xFF) ^ value[i]];\n    }\n  }, () => new Uint8Array([crc, crc >> 8, crc >> 16]));\n}\n\n/**\n * Verify armored headers. crypto-refresh-06, section 6.2:\n * \"An OpenPGP implementation may consider improperly formatted Armor\n * Headers to be corruption of the ASCII Armor, but SHOULD make an\n * effort to recover.\"\n * @private\n * @param {Array<String>} headers - Armor headers\n */\nfunction verifyHeaders(headers) {\n  for (let i = 0; i < headers.length; i++) {\n    if (!/^([^\\s:]|[^\\s:][^:]*[^\\s:]): .+$/.test(headers[i])) {\n      util.printDebugError(new Error('Improperly formatted armor header: ' + headers[i]));\n    }\n    if (!/^(Version|Comment|MessageID|Hash|Charset): .+$/.test(headers[i])) {\n      util.printDebugError(new Error('Unknown header: ' + headers[i]));\n    }\n  }\n}\n\n/**\n * Remove the (optional) checksum from an armored message.\n * @param {String} text - OpenPGP armored message\n * @returns {String} The body of the armored message.\n * @private\n */\nfunction removeChecksum(text) {\n  let body = text;\n\n  const lastEquals = text.lastIndexOf('=');\n\n  if (lastEquals >= 0 && lastEquals !== text.length - 1) { // '=' as the last char means no checksum\n    body = text.slice(0, lastEquals);\n  }\n\n  return body;\n}\n\n/**\n * Dearmor an OpenPGP armored message; verify the checksum and return\n * the encoded bytes\n * @param {String} input - OpenPGP armored message\n * @returns {Promise<Object>} An object with attribute \"text\" containing the message text,\n * an attribute \"data\" containing a stream of bytes and \"type\" for the ASCII armor type\n * @async\n * @static\n */\nexport function unarmor(input) {\n  // eslint-disable-next-line no-async-promise-executor\n  return new Promise(async (resolve, reject) => {\n    try {\n      const reSplit = /^-----[^-]+-----$/m;\n      const reEmptyLine = /^[ \\f\\r\\t\\u00a0\\u2000-\\u200a\\u202f\\u205f\\u3000]*$/;\n\n      let type;\n      const headers = [];\n      let lastHeaders = headers;\n      let headersDone;\n      let text = [];\n      let textDone;\n      const data = decodeBase64(streamTransformPair(input, async (readable, writable) => {\n        const reader = streamGetReader(readable);\n        try {\n          while (true) {\n            let line = await reader.readLine();\n            if (line === undefined) {\n              throw new Error('Misformed armored text');\n            }\n            // remove trailing whitespace at end of lines\n            line = util.removeTrailingSpaces(line.replace(/[\\r\\n]/g, ''));\n            if (!type) {\n              if (reSplit.test(line)) {\n                type = getType(line);\n              }\n            } else if (!headersDone) {\n              if (reSplit.test(line)) {\n                reject(new Error('Mandatory blank line missing between armor headers and armor data'));\n              }\n              if (!reEmptyLine.test(line)) {\n                lastHeaders.push(line);\n              } else {\n                verifyHeaders(lastHeaders);\n                headersDone = true;\n                if (textDone || type !== enums.armor.signed) {\n                  resolve({ text, data, headers, type });\n                  break;\n                }\n              }\n            } else if (!textDone && type === enums.armor.signed) {\n              if (!reSplit.test(line)) {\n                // Reverse dash-escaping for msg\n                text.push(line.replace(/^- /, ''));\n              } else {\n                text = text.join('\\r\\n');\n                textDone = true;\n                verifyHeaders(lastHeaders);\n                lastHeaders = [];\n                headersDone = false;\n              }\n            }\n          }\n        } catch (e) {\n          reject(e);\n          return;\n        }\n        const writer = streamGetWriter(writable);\n        try {\n          while (true) {\n            await writer.ready;\n            const { done, value } = await reader.read();\n            if (done) {\n              throw new Error('Misformed armored text');\n            }\n            const line = value + '';\n            if (line.indexOf('=') === -1 && line.indexOf('-') === -1) {\n              await writer.write(line);\n            } else {\n              let remainder = await reader.readToEnd();\n              if (!remainder.length) remainder = '';\n              remainder = line + remainder;\n              remainder = util.removeTrailingSpaces(remainder.replace(/\\r/g, ''));\n              const parts = remainder.split(reSplit);\n              if (parts.length === 1) {\n                throw new Error('Misformed armored text');\n              }\n              const body = removeChecksum(parts[0].slice(0, -1));\n              await writer.write(body);\n              break;\n            }\n          }\n          await writer.ready;\n          await writer.close();\n        } catch (e) {\n          await writer.abort(e);\n        }\n      }));\n    } catch (e) {\n      reject(e);\n    }\n  }).then(async result => {\n    if (isArrayStream(result.data)) {\n      result.data = await streamReadToEnd(result.data);\n    }\n    return result;\n  });\n}\n\n\n/**\n * Armor an OpenPGP binary packet block\n * @param {module:enums.armor} messageType - Type of the message\n * @param {Uint8Array | ReadableStream<Uint8Array>} body - The message body to armor\n * @param {Integer} [partIndex]\n * @param {Integer} [partTotal]\n * @param {String} [customComment] - Additional comment to add to the armored string\n * @param {Boolean} [emitChecksum] - Whether to compute and include the CRC checksum\n *  (NB: some types of data must not include it, but compliance is left as responsibility of the caller: this function does not carry out any checks)\n * @param {Object} [config] - Full configuration, defaults to openpgp.config\n * @returns {String | ReadableStream<String>} Armored text.\n * @static\n */\nexport function armor(messageType, body, partIndex, partTotal, customComment, emitChecksum = false, config = defaultConfig) {\n  let text;\n  let hash;\n  if (messageType === enums.armor.signed) {\n    text = body.text;\n    hash = body.hash;\n    body = body.data;\n  }\n  // unless explicitly forbidden by the spec, we need to include the checksum to work around a GnuPG bug\n  // where data fails to be decoded if the base64 ends with no padding chars (=) (see https://dev.gnupg.org/T7071)\n  const maybeBodyClone = emitChecksum && streamPassiveClone(body);\n\n  const result = [];\n  switch (messageType) {\n    case enums.armor.multipartSection:\n      result.push('-----BEGIN PGP MESSAGE, PART ' + partIndex + '/' + partTotal + '-----\\n');\n      result.push(addheader(customComment, config));\n      result.push(encodeBase64(body));\n      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));\n      result.push('-----END PGP MESSAGE, PART ' + partIndex + '/' + partTotal + '-----\\n');\n      break;\n    case enums.armor.multipartLast:\n      result.push('-----BEGIN PGP MESSAGE, PART ' + partIndex + '-----\\n');\n      result.push(addheader(customComment, config));\n      result.push(encodeBase64(body));\n      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));\n      result.push('-----END PGP MESSAGE, PART ' + partIndex + '-----\\n');\n      break;\n    case enums.armor.signed:\n      result.push('-----BEGIN PGP SIGNED MESSAGE-----\\n');\n      result.push(hash ? `Hash: ${hash}\\n\\n` : '\\n');\n      result.push(text.replace(/^-/mg, '- -'));\n      result.push('\\n-----BEGIN PGP SIGNATURE-----\\n');\n      result.push(addheader(customComment, config));\n      result.push(encodeBase64(body));\n      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));\n      result.push('-----END PGP SIGNATURE-----\\n');\n      break;\n    case enums.armor.message:\n      result.push('-----BEGIN PGP MESSAGE-----\\n');\n      result.push(addheader(customComment, config));\n      result.push(encodeBase64(body));\n      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));\n      result.push('-----END PGP MESSAGE-----\\n');\n      break;\n    case enums.armor.publicKey:\n      result.push('-----BEGIN PGP PUBLIC KEY BLOCK-----\\n');\n      result.push(addheader(customComment, config));\n      result.push(encodeBase64(body));\n      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));\n      result.push('-----END PGP PUBLIC KEY BLOCK-----\\n');\n      break;\n    case enums.armor.privateKey:\n      result.push('-----BEGIN PGP PRIVATE KEY BLOCK-----\\n');\n      result.push(addheader(customComment, config));\n      result.push(encodeBase64(body));\n      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));\n      result.push('-----END PGP PRIVATE KEY BLOCK-----\\n');\n      break;\n    case enums.armor.signature:\n      result.push('-----BEGIN PGP SIGNATURE-----\\n');\n      result.push(addheader(customComment, config));\n      result.push(encodeBase64(body));\n      maybeBodyClone && result.push('=', getCheckSum(maybeBodyClone));\n      result.push('-----END PGP SIGNATURE-----\\n');\n      break;\n  }\n\n  return util.concat(result);\n}\n","// Operations are not constant time, but we try and limit timing leakage where we can\n\nconst _0n = BigInt(0);\nconst _1n = BigInt(1);\n\nexport function uint8ArrayToBigInt(bytes: Uint8Array) {\n  const hexAlphabet = '0123456789ABCDEF';\n  let s = '';\n  bytes.forEach(v => {\n    s += hexAlphabet[v >> 4] + hexAlphabet[v & 15];\n  });\n  return BigInt('0x0' + s);\n}\n\nexport function mod(a: bigint, m: bigint) {\n  const reduced = a % m;\n  return reduced < _0n ? reduced + m : reduced;\n}\n\n/**\n * Compute modular exponentiation using square and multiply\n * @param {BigInt} a - Base\n * @param {BigInt} e - Exponent\n * @param {BigInt} n - Modulo\n * @returns {BigInt} b ** e mod n.\n */\nexport function modExp(b: bigint, e: bigint, n: bigint) {\n  if (n === _0n) throw Error('Modulo cannot be zero');\n  if (n === _1n) return BigInt(0);\n  if (e < _0n) throw Error('Unsopported negative exponent');\n\n  let exp = e;\n  let x = b;\n\n  x %= n;\n  let r = BigInt(1);\n  while (exp > _0n) {\n    const lsb = exp & _1n;\n    exp >>= _1n; // e / 2\n    // Always compute multiplication step, to reduce timing leakage\n    const rx = (r * x) % n;\n    // Update r only if lsb is 1 (odd exponent)\n    r = lsb ? rx : r;\n    x = (x * x) % n; // Square\n  }\n  return r;\n}\n\n\nfunction abs(x: bigint) {\n  return x >= _0n ? x : -x;\n}\n\n/**\n * Extended Eucleadian algorithm (http://anh.cs.luc.edu/331/notes/xgcd.pdf)\n * Given a and b, compute (x, y) such that ax + by = gdc(a, b).\n * Negative numbers are also supported.\n * @param {BigInt} a - First operand\n * @param {BigInt} b - Second operand\n * @returns {{ gcd, x, y: bigint }}\n */\nfunction _egcd(aInput: bigint, bInput: bigint) {\n  let x = BigInt(0);\n  let y = BigInt(1);\n  let xPrev = BigInt(1);\n  let yPrev = BigInt(0);\n\n  // Deal with negative numbers: run algo over absolute values,\n  // and \"move\" the sign to the returned x and/or y.\n  // See https://math.stackexchange.com/questions/37806/extended-euclidean-algorithm-with-negative-numbers\n  let a = abs(aInput);\n  let b = abs(bInput);\n  const aNegated = aInput < _0n;\n  const bNegated = bInput < _0n;\n\n  while (b !== _0n) {\n    const q = a / b;\n    let tmp = x;\n    x = xPrev - q * x;\n    xPrev = tmp;\n\n    tmp = y;\n    y = yPrev - q * y;\n    yPrev = tmp;\n\n    tmp = b;\n    b = a % b;\n    a = tmp;\n  }\n\n  return {\n    x: aNegated ? -xPrev : xPrev,\n    y: bNegated ? -yPrev : yPrev,\n    gcd: a\n  };\n}\n\n/**\n * Compute the inverse of `a` modulo `n`\n * Note: `a` and and `n` must be relatively prime\n * @param {BigInt} a\n * @param {BigInt} n - Modulo\n * @returns {BigInt} x such that a*x = 1 mod n\n * @throws {Error} if the inverse does not exist\n */\nexport function modInv(a: bigint, n: bigint) {\n  const { gcd, x } = _egcd(a, n);\n  if (gcd !== _1n) {\n    throw new Error('Inverse does not exist');\n  }\n  return mod(x + n, n);\n}\n\n/**\n * Compute greatest common divisor between this and n\n * @param {BigInt} aInput - Operand\n * @param {BigInt} bInput - Operand\n * @returns {BigInt} gcd\n */\nexport function gcd(aInput: bigint, bInput: bigint) {\n  let a = aInput;\n  let b = bInput;\n  while (b !== _0n) {\n    const tmp = b;\n    b = a % b;\n    a = tmp;\n  }\n  return a;\n}\n\n/**\n * Get this value as an exact Number (max 53 bits)\n * Fails if this value is too large\n * @returns {Number}\n */\nexport function bigIntToNumber(x: bigint) {\n  const number = Number(x);\n  if (number > Number.MAX_SAFE_INTEGER) {\n    // We throw and error to conform with the bn.js implementation\n    throw new Error('Number can only safely store up to 53 bits');\n  }\n  return number;\n}\n\n/**\n * Get value of i-th bit\n * @param {BigInt} x\n * @param {Number} i - Bit index\n * @returns {Number} Bit value.\n */\nexport function getBit(x:bigint, i: number) {\n  const bit = (x >> BigInt(i)) & _1n;\n  return bit === _0n ? 0 : 1;\n}\n\n/**\n * Compute bit length\n */\nexport function bitLength(x: bigint) {\n  // -1n >> -1n is -1n\n  // 1n >> 1n is 0n\n  const target = x < _0n ? BigInt(-1) : _0n;\n  let bitlen = 1;\n  let tmp = x;\n  // eslint-disable-next-line no-cond-assign\n  while ((tmp >>= _1n) !== target) {\n    bitlen++;\n  }\n  return bitlen;\n}\n\n/**\n * Compute byte length\n */\nexport function byteLength(x: bigint) {\n  const target = x < _0n ? BigInt(-1) : _0n;\n  const _8n = BigInt(8);\n  let len = 1;\n  let tmp = x;\n  // eslint-disable-next-line no-cond-assign\n  while ((tmp >>= _8n) !== target) {\n    len++;\n  }\n  return len;\n}\n\n/**\n * Get Uint8Array representation of this number\n * @param {String} endian - Endianess of output array (defaults to 'be')\n * @param {Number} length - Of output array\n * @returns {Uint8Array}\n */\nexport function bigIntToUint8Array(x: bigint, endian = 'be', length: number) {\n  // we get and parse the hex string (https://coolaj86.com/articles/convert-js-bigints-to-typedarrays/)\n  // this is faster than shift+mod iterations\n  let hex = x.toString(16);\n  if (hex.length % 2 === 1) {\n    hex = '0' + hex;\n  }\n\n  const rawLength = hex.length / 2;\n  const bytes = new Uint8Array(length || rawLength);\n  // parse hex\n  const offset = length ? length - rawLength : 0;\n  let i = 0;\n  while (i < rawLength) {\n    bytes[i + offset] = parseInt(hex.slice(2 * i, 2 * i + 2), 16);\n    i++;\n  }\n\n  if (endian !== 'be') {\n    bytes.reverse();\n  }\n\n  return bytes;\n}\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n// The GPG4Browsers crypto interface\n\n/**\n * @fileoverview Provides tools for retrieving secure randomness from browsers or Node.js\n * @module crypto/random\n */\nimport { byteLength, mod, uint8ArrayToBigInt } from './biginteger';\nimport util from '../util';\n\nconst nodeCrypto = util.getNodeCrypto();\n\n/**\n * Retrieve secure random byte array of the specified length\n * @param {Integer} length - Length in bytes to generate\n * @returns {Uint8Array} Random byte array.\n */\nexport function getRandomBytes(length) {\n  const webcrypto = typeof crypto !== 'undefined' ? crypto : nodeCrypto?.webcrypto;\n  if (webcrypto?.getRandomValues) {\n    const buf = new Uint8Array(length);\n    return webcrypto.getRandomValues(buf);\n  } else {\n    throw new Error('No secure random number generator available.');\n  }\n}\n\n/**\n * Create a secure random BigInt that is greater than or equal to min and less than max.\n * @param {bigint} min - Lower bound, included\n * @param {bigint} max - Upper bound, excluded\n * @returns {bigint} Random BigInt.\n * @async\n */\nexport function getRandomBigInteger(min, max) {\n  if (max < min) {\n    throw new Error('Illegal parameter value: max <= min');\n  }\n\n  const modulus = max - min;\n  const bytes = byteLength(modulus);\n\n  // Using a while loop is necessary to avoid bias introduced by the mod operation.\n  // However, we request 64 extra random bits so that the bias is negligible.\n  // Section B.1.1 here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf\n  const r = uint8ArrayToBigInt(getRandomBytes(bytes + 8));\n  return mod(r, modulus) + min;\n}\n","// OpenPGP.js - An OpenPGP implementation in javascript\n// Copyright (C) 2018 Proton Technologies AG\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * @fileoverview Algorithms for probabilistic random prime generation\n * @module crypto/public_key/prime\n */\nimport { bigIntToNumber, bitLength, gcd, getBit, mod, modExp } from '../biginteger';\nimport { getRandomBigInteger } from '../random';\n\nconst _1n = BigInt(1);\n\n/**\n * Generate a probably prime random number\n * @param bits - Bit length of the prime\n * @param e - Optional RSA exponent to check against the prime\n * @param k - Optional number of iterations of Miller-Rabin test\n */\nexport function randomProbablePrime(bits: number, e: bigint, k: number) {\n  const _30n = BigInt(30);\n  const min = _1n << BigInt(bits - 1);\n  /*\n   * We can avoid any multiples of 3 and 5 by looking at n mod 30\n   * n mod 30 = 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29\n   * the next possible prime is mod 30:\n   *            1  7  7  7  7  7  7 11 11 11 11 13 13 17 17 17 17 19 19 23 23 23 23 29 29 29 29 29 29 1\n   */\n  const adds = [1, 6, 5, 4, 3, 2, 1, 4, 3, 2, 1, 2, 1, 4, 3, 2, 1, 2, 1, 4, 3, 2, 1, 6, 5, 4, 3, 2, 1, 2];\n\n  let n = getRandomBigInteger(min, min << _1n);\n  let i = bigIntToNumber(mod(n, _30n));\n\n  do {\n    n += BigInt(adds[i]);\n    i = (i + adds[i]) % adds.length;\n    // If reached the maximum, go back to the minimum.\n    if (bitLength(n) > bits) {\n      n = mod(n, min << _1n); n += min;\n      i = bigIntToNumber(mod(n, _30n));\n    }\n  } while (!isProbablePrime(n, e, k));\n  return n;\n}\n\n/**\n * Probabilistic primality testing\n * @param n - Number to test\n * @param e - Optional RSA exponent to check against the prime\n * @param k - Optional number of iterations of Miller-Rabin test\n */\nexport function isProbablePrime(n: bigint, e: bigint, k: number) {\n  if (e && gcd(n - _1n, e) !== _1n) {\n    return false;\n  }\n  if (!divisionTest(n)) {\n    return false;\n  }\n  if (!fermat(n)) {\n    return false;\n  }\n  if (!millerRabin(n, k)) {\n    return false;\n  }\n  // TODO implement the Lucas test\n  // See Section C.3.3 here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf\n  return true;\n}\n\n/**\n * Tests whether n is probably prime or not using Fermat's test with b = 2.\n * Fails if b^(n-1) mod n != 1.\n * @param n - Number to test\n * @param b - Optional Fermat test base\n */\nexport function fermat(n: bigint, b = BigInt(2)) {\n  return modExp(b, n - _1n, n) === _1n;\n}\n\nexport function divisionTest(n: bigint) {\n  const _0n = BigInt(0);\n  return smallPrimes.every(m => mod(n, m) !== _0n);\n}\n\n// https://github.com/gpg/libgcrypt/blob/master/cipher/primegen.c\nconst smallPrimes = [\n  7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43,\n  47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101,\n  103, 107, 109, 113, 127, 131, 137, 139, 149, 151,\n  157, 163, 167, 173, 179, 181, 191, 193, 197, 199,\n  211, 223, 227, 229, 233, 239, 241, 251, 257, 263,\n  269, 271, 277, 281, 283, 293, 307, 311, 313, 317,\n  331, 337, 347, 349, 353, 359, 367, 373, 379, 383,\n  389, 397, 401, 409, 419, 421, 431, 433, 439, 443,\n  449, 457, 461, 463, 467, 479, 487, 491, 499, 503,\n  509, 521, 523, 541, 547, 557, 563, 569, 571, 577,\n  587, 593, 599, 601, 607, 613, 617, 619, 631, 641,\n  643, 647, 653, 659, 661, 673, 677, 683, 691, 701,\n  709, 719, 727, 733, 739, 743, 751, 757, 761, 769,\n  773, 787, 797, 809, 811, 821, 823, 827, 829, 839,\n  853, 857, 859, 863, 877, 881, 883, 887, 907, 911,\n  919, 929, 937, 941, 947, 953, 967, 971, 977, 983,\n  991, 997, 1009, 1013, 1019, 1021, 1031, 1033,\n  1039, 1049, 1051, 1061, 1063, 1069, 1087, 1091,\n  1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151,\n  1153, 1163, 1171, 1181, 1187, 1193, 1201, 1213,\n  1217, 1223, 1229, 1231, 1237, 1249, 1259, 1277,\n  1279, 1283, 1289, 1291, 1297, 1301, 1303, 1307,\n  1319, 1321, 1327, 1361, 1367, 1373, 1381, 1399,\n  1409, 1423, 1427, 1429, 1433, 1439, 1447, 1451,\n  1453, 1459, 1471, 1481, 1483, 1487, 1489, 1493,\n  1499, 1511, 1523, 1531, 1543, 1549, 1553, 1559,\n  1567, 1571, 1579, 1583, 1597, 1601, 1607, 1609,\n  1613, 1619, 1621, 1627, 1637, 1657, 1663, 1667,\n  1669, 1693, 1697, 1699, 1709, 1721, 1723, 1733,\n  1741, 1747, 1753, 1759, 1777, 1783, 1787, 1789,\n  1801, 1811, 1823, 1831, 1847, 1861, 1867, 1871,\n  1873, 1877, 1879, 1889, 1901, 1907, 1913, 1931,\n  1933, 1949, 1951, 1973, 1979, 1987, 1993, 1997,\n  1999, 2003, 2011, 2017, 2027, 2029, 2039, 2053,\n  2063, 2069, 2081, 2083, 2087, 2089, 2099, 2111,\n  2113, 2129, 2131, 2137, 2141, 2143, 2153, 2161,\n  2179, 2203, 2207, 2213, 2221, 2237, 2239, 2243,\n  2251, 2267, 2269, 2273, 2281, 2287, 2293, 2297,\n  2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357,\n  2371, 2377, 2381, 2383, 2389, 2393, 2399, 2411,\n  2417, 2423, 2437, 2441, 2447, 2459, 2467, 2473,\n  2477, 2503, 2521, 2531, 2539, 2543, 2549, 2551,\n  2557, 2579, 2591, 2593, 2609, 2617, 2621, 2633,\n  2647, 2657, 2659, 2663, 2671, 2677, 2683, 2687,\n  2689, 2693, 2699, 2707, 2711, 2713, 2719, 2729,\n  2731, 2741, 2749, 2753, 2767, 2777, 2789, 2791,\n  2797, 2801, 2803, 2819, 2833, 2837, 2843, 2851,\n  2857, 2861, 2879, 2887, 2897, 2903, 2909, 2917,\n  2927, 2939, 2953, 2957, 2963, 2969, 2971, 2999,\n  3001, 3011, 3019, 3023, 3037, 3041, 3049, 3061,\n  3067, 3079, 3083, 3089, 3109, 3119, 3121, 3137,\n  3163, 3167, 3169, 3181, 3187, 3191, 3203, 3209,\n  3217, 3221, 3229, 3251, 3253, 3257, 3259, 3271,\n  3299, 3301, 3307, 3313, 3319, 3323, 3329, 3331,\n  3343, 3347, 3359, 3361, 3371, 3373, 3389, 3391,\n  3407, 3413, 3433, 3449, 3457, 3461, 3463, 3467,\n  3469, 3491, 3499, 3511, 3517, 3527, 3529, 3533,\n  3539, 3541, 3547, 3557, 3559, 3571, 3581, 3583,\n  3593, 3607, 3613, 3617, 3623, 3631, 3637, 3643,\n  3659, 3671, 3673, 3677, 3691, 3697, 3701, 3709,\n  3719, 3727, 3733, 3739, 3761, 3767, 3769, 3779,\n  3793, 3797, 3803, 3821, 3823, 3833, 3847, 3851,\n  3853, 3863, 3877, 3881, 3889, 3907, 3911, 3917,\n  3919, 3923, 3929, 3931, 3943, 3947, 3967, 3989,\n  4001, 4003, 4007, 4013, 4019, 4021, 4027, 4049,\n  4051, 4057, 4073, 4079, 4091, 4093, 4099, 4111,\n  4127, 4129, 4133, 4139, 4153, 4157, 4159, 4177,\n  4201, 4211, 4217, 4219, 4229, 4231, 4241, 4243,\n  4253, 4259, 4261, 4271, 4273, 4283, 4289, 4297,\n  4327, 4337, 4339, 4349, 4357, 4363, 4373, 4391,\n  4397, 4409, 4421, 4423, 4441, 4447, 4451, 4457,\n  4463, 4481, 4483, 4493, 4507, 4513, 4517, 4519,\n  4523, 4547, 4549, 4561, 4567, 4583, 4591, 4597,\n  4603, 4621, 4637, 4639, 4643, 4649, 4651, 4657,\n  4663, 4673, 4679, 4691, 4703, 4721, 4723, 4729,\n  4733, 4751, 4759, 4783, 4787, 4789, 4793, 4799,\n  4801, 4813, 4817, 4831, 4861, 4871, 4877, 4889,\n  4903, 4909, 4919, 4931, 4933, 4937, 4943, 4951,\n  4957, 4967, 4969, 4973, 4987, 4993, 4999\n].map(n => BigInt(n));\n\n\n// Miller-Rabin - Miller Rabin algorithm for primality test\n// Copyright Fedor Indutny, 2014.\n//\n// This software is licensed under the MIT License.\n//\n// Permission is hereby granted, free of charge, to any person obtaining a\n// copy of this software and associated documentation files (the\n// \"Software\"), to deal in the Software without restriction, including\n// without limitation the rights to use, copy, modify, merge, publish,\n// distribute, sublicense, and/or sell copies of the Software, and to permit\n// persons to whom the Software is furnished to do so, subject to the\n// following conditions:\n//\n// The above copyright notice and this permission notice shall be included\n// in all copies or substantial portions of the Software.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS\n// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\n// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN\n// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,\n// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR\n// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE\n// USE OR OTHER DEALINGS IN THE SOFTWARE.\n\n// Adapted on Jan 2018 from version 4.0.1 at https://github.com/indutny/miller-rabin\n\n// Sample syntax for Fixed-Base Miller-Rabin:\n// millerRabin(n, k, () => new BN(small_primes[Math.random() * small_primes.length | 0]))\n\n/**\n * Tests whether n is probably prime or not using the Miller-Rabin test.\n * See HAC Remark 4.28.\n * @param n - Number to test\n * @param k - Optional number of iterations of Miller-Rabin test\n * @param rand - Optional function to generate potential witnesses\n * @returns {boolean}\n * @async\n */\nexport function millerRabin(n: bigint, k: number, rand?: () => bigint) {\n  const len = bitLength(n);\n\n  if (!k) {\n    k = Math.max(1, (len / 48) | 0);\n  }\n\n  const n1 = n - _1n; // n - 1\n\n  // Find d and s, (n - 1) = (2 ^ s) * d;\n  let s = 0;\n  while (!getBit(n1, s)) { s++; }\n  const d = n >> BigInt(s);\n\n  for (; k > 0; k--) {\n    const a = rand ? rand() : getRandomBigInteger(BigInt(2), n1);\n\n    let x = modExp(a, d, n);\n    if (x === _1n || x === n1) {\n      continue;\n    }\n\n    let i;\n    for (i = 1; i < s; i++) {\n      x = mod(x * x, n);\n\n      if (x === _1n) {\n        return false;\n      }\n      if (x === n1) {\n        break;\n      }\n    }\n\n    if (i === s) {\n      return false;\n    }\n  }\n\n  return true;\n}\n","/**\n * @fileoverview Provides an interface to hashing functions available in Node.js or external libraries.\n * @see {@link https://github.com/asmcrypto/asmcrypto.js|asmCrypto}\n * @see {@link https://github.com/indutny/hash.js|hash.js}\n * @module crypto/hash\n */\n\nimport { transform as streamTransform, isArrayStream, readToEnd as streamReadToEnd } from '@openpgp/web-stream-tools';\nimport util from '../../util';\nimport enums from '../../enums';\n\nconst webCrypto = util.getWebCrypto();\nconst nodeCrypto = util.getNodeCrypto();\nconst nodeCryptoHashes = nodeCrypto && nodeCrypto.getHashes();\n\nfunction nodeHash(type) {\n  if (!nodeCrypto || !nodeCryptoHashes.includes(type)) {\n    return;\n  }\n  return async function (data) {\n    const shasum = nodeCrypto.createHash(type);\n    return streamTransform(data, value => {\n      shasum.update(value);\n    }, () => new Uint8Array(shasum.digest()));\n  };\n}\n\nfunction nobleHash(nobleHashName, webCryptoHashName) {\n  const getNobleHash = async () => {\n    const { nobleHashes } = await import('./noble_hashes');\n    const hash = nobleHashes.get(nobleHashName);\n    if (!hash) throw new Error('Unsupported hash');\n    return hash;\n  };\n\n  return async function(data) {\n    if (isArrayStream(data)) {\n      data = await streamReadToEnd(data);\n    }\n    if (util.isStream(data)) {\n      const hash = await getNobleHash();\n\n      const hashInstance = hash.create();\n      return streamTransform(data, value => {\n        hashInstance.update(value);\n      }, () => hashInstance.digest());\n    } else if (webCrypto && webCryptoHashName) {\n      return new Uint8Array(await webCrypto.digest(webCryptoHashName, data));\n    } else {\n      const hash = await getNobleHash();\n\n      return hash(data);\n    }\n  };\n}\n\nconst md5 = nodeHash('md5') || nobleHash('md5');\nconst sha1 = nodeHash('sha1') || nobleHash('sha1', 'SHA-1');\nconst sha224 = nodeHash('sha224') || nobleHash('sha224');\nconst sha256 = nodeHash('sha256') || nobleHash('sha256', 'SHA-256');\nconst sha384 = nodeHash('sha384') || nobleHash('sha384', 'SHA-384');\nconst sha512 = nodeHash('sha512') || nobleHash('sha512', 'SHA-512');\nconst ripemd = nodeHash('ripemd160') || nobleHash('ripemd160');\nconst sha3_256 = nodeHash('sha3-256') || nobleHash('sha3_256');\nconst sha3_512 = nodeHash('sha3-512') || nobleHash('sha3_512');\n\n/**\n * Create a hash on the specified data using the specified algorithm\n * @param {module:enums.hash} algo - Hash algorithm type (see {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC 4880 9.4})\n * @param {Uint8Array} data - Data to be hashed\n * @returns {Promise<Uint8Array>} Hash value.\n */\nexport function computeDigest(algo, data) {\n  switch (algo) {\n    case enums.hash.md5:\n      return md5(data);\n    case enums.hash.sha1:\n      return sha1(data);\n    case enums.hash.ripemd:\n      return ripemd(data);\n    case enums.hash.sha256:\n      return sha256(data);\n    case enums.hash.sha384:\n      return sha384(data);\n    case enums.hash.sha512:\n      return sha512(data);\n    case enums.hash.sha224:\n      return sha224(data);\n    case enums.hash.sha3_256:\n      return sha3_256(data);\n    case enums.hash.sha3_512:\n      return sha3_512(data);\n    default:\n      throw new Error('Unsupported hash function');\n  }\n}\n\n/**\n * Returns the hash size in bytes of the specified hash algorithm type\n * @param {module:enums.hash} algo - Hash algorithm type (See {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC 4880 9.4})\n * @returns {Integer} Size in bytes of the resulting hash.\n */\nexport function getHashByteLength(algo) {\n  switch (algo) {\n    case enums.hash.md5:\n      return 16;\n    case enums.hash.sha1:\n    case enums.hash.ripemd:\n      return 20;\n    case enums.hash.sha256:\n      return 32;\n    case enums.hash.sha384:\n      return 48;\n    case enums.hash.sha512:\n      return 64;\n    case enums.hash.sha224:\n      return 28;\n    case enums.hash.sha3_256:\n      return 32;\n    case enums.hash.sha3_512:\n      return 64;\n    default:\n      throw new Error('Invalid hash algorithm.');\n  }\n}\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * @fileoverview Provides EME-PKCS1-v1_5 encoding and decoding and EMSA-PKCS1-v1_5 encoding function\n * @see module:crypto/public_key/rsa\n * @see module:crypto/public_key/elliptic/ecdh\n * @see PublicKeyEncryptedSessionKeyPacket\n * @module crypto/pkcs1\n */\n\nimport { getRandomBytes } from './random';\nimport { getHashByteLength } from './hash';\nimport util from '../util';\n\n/**\n * ASN1 object identifiers for hashes\n * @see {@link https://tools.ietf.org/html/rfc4880#section-5.2.2}\n */\nconst hash_headers = [];\nhash_headers[1] = [0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04,\n  0x10];\nhash_headers[2] = [0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14];\nhash_headers[3] = [0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x24, 0x03, 0x02, 0x01, 0x05, 0x00, 0x04, 0x14];\nhash_headers[8] = [0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00,\n  0x04, 0x20];\nhash_headers[9] = [0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00,\n  0x04, 0x30];\nhash_headers[10] = [0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,\n  0x00, 0x04, 0x40];\nhash_headers[11] = [0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05,\n  0x00, 0x04, 0x1C];\n\n/**\n * Create padding with secure random data\n * @private\n * @param {Integer} length - Length of the padding in bytes\n * @returns {Uint8Array} Random padding.\n */\nfunction getPKCS1Padding(length) {\n  const result = new Uint8Array(length);\n  let count = 0;\n  while (count < length) {\n    const randomBytes = getRandomBytes(length - count);\n    for (let i = 0; i < randomBytes.length; i++) {\n      if (randomBytes[i] !== 0) {\n        result[count++] = randomBytes[i];\n      }\n    }\n  }\n  return result;\n}\n\n/**\n * Create a EME-PKCS1-v1_5 padded message\n * @see {@link https://tools.ietf.org/html/rfc4880#section-13.1.1|RFC 4880 13.1.1}\n * @param {Uint8Array} message - Message to be encoded\n * @param {Integer} keyLength - The length in octets of the key modulus\n * @returns {Uint8Array} EME-PKCS1 padded message.\n */\nexport function emeEncode(message, keyLength) {\n  const mLength = message.length;\n  // length checking\n  if (mLength > keyLength - 11) {\n    throw new Error('Message too long');\n  }\n  // Generate an octet string PS of length k - mLen - 3 consisting of\n  // pseudo-randomly generated nonzero octets\n  const PS = getPKCS1Padding(keyLength - mLength - 3);\n  // Concatenate PS, the message M, and other padding to form an\n  // encoded message EM of length k octets as EM = 0x00 || 0x02 || PS || 0x00 || M.\n  const encoded = new Uint8Array(keyLength);\n  // 0x00 byte\n  encoded[1] = 2;\n  encoded.set(PS, 2);\n  // 0x00 bytes\n  encoded.set(message, keyLength - mLength);\n  return encoded;\n}\n\n/**\n * Decode a EME-PKCS1-v1_5 padded message\n * @see {@link https://tools.ietf.org/html/rfc4880#section-13.1.2|RFC 4880 13.1.2}\n * @param {Uint8Array} encoded - Encoded message bytes\n * @param {Uint8Array} randomPayload - Data to return in case of decoding error (needed for constant-time processing)\n * @returns {Uint8Array} decoded data or `randomPayload` (on error, if given)\n * @throws {Error} on decoding failure, unless `randomPayload` is provided\n */\nexport function emeDecode(encoded, randomPayload) {\n  // encoded format: 0x00 0x02 <PS> 0x00 <payload>\n  let offset = 2;\n  let separatorNotFound = 1;\n  for (let j = offset; j < encoded.length; j++) {\n    separatorNotFound &= encoded[j] !== 0;\n    offset += separatorNotFound;\n  }\n\n  const psLen = offset - 2;\n  const payload = encoded.subarray(offset + 1); // discard the 0x00 separator\n  const isValidPadding = encoded[0] === 0 & encoded[1] === 2 & psLen >= 8 & !separatorNotFound;\n\n  if (randomPayload) {\n    return util.selectUint8Array(isValidPadding, payload, randomPayload);\n  }\n\n  if (isValidPadding) {\n    return payload;\n  }\n\n  throw new Error('Decryption error');\n}\n\n/**\n * Create a EMSA-PKCS1-v1_5 padded message\n * @see {@link https://tools.ietf.org/html/rfc4880#section-13.1.3|RFC 4880 13.1.3}\n * @param {Integer} algo - Hash algorithm type used\n * @param {Uint8Array} hashed - Message to be encoded\n * @param {Integer} emLen - Intended length in octets of the encoded message\n * @returns {Uint8Array} Encoded message.\n */\nexport function emsaEncode(algo, hashed, emLen) {\n  let i;\n  if (hashed.length !== getHashByteLength(algo)) {\n    throw new Error('Invalid hash length');\n  }\n  // produce an ASN.1 DER value for the hash function used.\n  // Let T be the full hash prefix\n  const hashPrefix = new Uint8Array(hash_headers[algo].length);\n  for (i = 0; i < hash_headers[algo].length; i++) {\n    hashPrefix[i] = hash_headers[algo][i];\n  }\n  // and let tLen be the length in octets prefix and hashed data\n  const tLen = hashPrefix.length + hashed.length;\n  if (emLen < tLen + 11) {\n    throw new Error('Intended encoded message length too short');\n  }\n  // an octet string PS consisting of emLen - tLen - 3 octets with hexadecimal value 0xFF\n  // The length of PS will be at least 8 octets\n  const PS = new Uint8Array(emLen - tLen - 3).fill(0xff);\n\n  // Concatenate PS, the hash prefix, hashed data, and other padding to form the\n  // encoded message EM as EM = 0x00 || 0x01 || PS || 0x00 || prefix || hashed\n  const EM = new Uint8Array(emLen);\n  EM[1] = 0x01;\n  EM.set(PS, 2);\n  EM.set(hashPrefix, emLen - tLen);\n  EM.set(hashed, emLen - hashed.length);\n  return EM;\n}\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * @fileoverview RSA implementation\n * @module crypto/public_key/rsa\n */\nimport { randomProbablePrime } from './prime';\nimport { getRandomBigInteger } from '../random';\nimport util from '../../util';\nimport { uint8ArrayToB64, b64ToUint8Array } from '../../encoding/base64';\nimport { emsaEncode, emeEncode, emeDecode } from '../pkcs1';\nimport enums from '../../enums';\nimport { bigIntToNumber, bigIntToUint8Array, bitLength, byteLength, mod, modExp, modInv, uint8ArrayToBigInt } from '../biginteger';\nimport { getHashByteLength } from '../hash';\n\nconst webCrypto = util.getWebCrypto();\nconst nodeCrypto = util.getNodeCrypto();\nconst _1n = BigInt(1);\n\n/** Create signature\n * @param {module:enums.hash} hashAlgo - Hash algorithm\n * @param {Uint8Array} data - Message\n * @param {Uint8Array} n - RSA public modulus\n * @param {Uint8Array} e - RSA public exponent\n * @param {Uint8Array} d - RSA private exponent\n * @param {Uint8Array} p - RSA private prime p\n * @param {Uint8Array} q - RSA private prime q\n * @param {Uint8Array} u - RSA private coefficient\n * @param {Uint8Array} hashed - Hashed message\n * @returns {Promise<Uint8Array>} RSA Signature.\n * @async\n */\nexport async function sign(hashAlgo, data, n, e, d, p, q, u, hashed) {\n  if (getHashByteLength(hashAlgo) >= n.length) {\n    // Throw here instead of `emsaEncode` below, to provide a clearer and consistent error\n    // e.g. if a 512-bit RSA key is used with a SHA-512 digest.\n    // The size limit is actually slightly different but here we only care about throwing\n    // on common key sizes.\n    throw new Error('Digest size cannot exceed key modulus size');\n  }\n\n  if (data && !util.isStream(data)) {\n    if (util.getWebCrypto()) {\n      try {\n        return await webSign(enums.read(enums.webHash, hashAlgo), data, n, e, d, p, q, u);\n      } catch (err) {\n        util.printDebugError(err);\n      }\n    } else if (util.getNodeCrypto()) {\n      return nodeSign(hashAlgo, data, n, e, d, p, q, u);\n    }\n  }\n  return bnSign(hashAlgo, n, d, hashed);\n}\n\n/**\n * Verify signature\n * @param {module:enums.hash} hashAlgo - Hash algorithm\n * @param {Uint8Array} data - Message\n * @param {Uint8Array} s - Signature\n * @param {Uint8Array} n - RSA public modulus\n * @param {Uint8Array} e - RSA public exponent\n * @param {Uint8Array} hashed - Hashed message\n * @returns {Boolean}\n * @async\n */\nexport async function verify(hashAlgo, data, s, n, e, hashed) {\n  if (data && !util.isStream(data)) {\n    if (util.getWebCrypto()) {\n      try {\n        return await webVerify(enums.read(enums.webHash, hashAlgo), data, s, n, e);\n      } catch (err) {\n        util.printDebugError(err);\n      }\n    } else if (util.getNodeCrypto()) {\n      return nodeVerify(hashAlgo, data, s, n, e);\n    }\n  }\n  return bnVerify(hashAlgo, s, n, e, hashed);\n}\n\n/**\n * Encrypt message\n * @param {Uint8Array} data - Message\n * @param {Uint8Array} n - RSA public modulus\n * @param {Uint8Array} e - RSA public exponent\n * @returns {Promise<Uint8Array>} RSA Ciphertext.\n * @async\n */\nexport async function encrypt(data, n, e) {\n  if (util.getNodeCrypto()) {\n    return nodeEncrypt(data, n, e);\n  }\n  return bnEncrypt(data, n, e);\n}\n\n/**\n * Decrypt RSA message\n * @param {Uint8Array} m - Message\n * @param {Uint8Array} n - RSA public modulus\n * @param {Uint8Array} e - RSA public exponent\n * @param {Uint8Array} d - RSA private exponent\n * @param {Uint8Array} p - RSA private prime p\n * @param {Uint8Array} q - RSA private prime q\n * @param {Uint8Array} u - RSA private coefficient\n * @param {Uint8Array} randomPayload - Data to return on decryption error, instead of throwing\n *                                     (needed for constant-time processing)\n * @returns {Promise<String>} RSA Plaintext.\n * @throws {Error} on decryption error, unless `randomPayload` is given\n * @async\n */\nexport async function decrypt(data, n, e, d, p, q, u, randomPayload) {\n  // Node v18.19.1, 20.11.1 and 21.6.2 have disabled support for PKCS#1 decryption,\n  // and we want to avoid checking the error type to decide if the random payload\n  // should indeed be returned.\n  if (util.getNodeCrypto() && !randomPayload) {\n    try {\n      return await nodeDecrypt(data, n, e, d, p, q, u);\n    } catch (err) {\n      util.printDebugError(err);\n    }\n  }\n  return bnDecrypt(data, n, e, d, p, q, u, randomPayload);\n}\n\n/**\n * Generate a new random private key B bits long with public exponent E.\n *\n * When possible, webCrypto or nodeCrypto is used. Otherwise, primes are generated using\n * 40 rounds of the Miller-Rabin probabilistic random prime generation algorithm.\n * @see module:crypto/public_key/prime\n * @param {Integer} bits - RSA bit length\n * @param {Integer} e - RSA public exponent\n * @returns {{n, e, d,\n *            p, q ,u: Uint8Array}} RSA public modulus, RSA public exponent, RSA private exponent,\n *                                  RSA private prime p, RSA private prime q, u = p ** -1 mod q\n * @async\n */\nexport async function generate(bits, e) {\n  e = BigInt(e);\n\n  // Native RSA keygen using Web Crypto\n  if (util.getWebCrypto()) {\n    const keyGenOpt = {\n      name: 'RSASSA-PKCS1-v1_5',\n      modulusLength: bits, // the specified keysize in bits\n      publicExponent: bigIntToUint8Array(e), // take three bytes (max 65537) for exponent\n      hash: {\n        name: 'SHA-1' // not required for actual RSA keys, but for crypto api 'sign' and 'verify'\n      }\n    };\n    const keyPair = await webCrypto.generateKey(keyGenOpt, true, ['sign', 'verify']);\n\n    // export the generated keys as JsonWebKey (JWK)\n    // https://tools.ietf.org/html/draft-ietf-jose-json-web-key-33\n    const jwk = await webCrypto.exportKey('jwk', keyPair.privateKey);\n    // map JWK parameters to corresponding OpenPGP names\n    return jwkToPrivate(jwk, e);\n  } else if (util.getNodeCrypto()) {\n    const opts = {\n      modulusLength: bits,\n      publicExponent: bigIntToNumber(e),\n      publicKeyEncoding: { type: 'pkcs1', format: 'jwk' },\n      privateKeyEncoding: { type: 'pkcs1', format: 'jwk' }\n    };\n    const jwk = await new Promise((resolve, reject) => {\n      nodeCrypto.generateKeyPair('rsa', opts, (err, _, jwkPrivateKey) => {\n        if (err) {\n          reject(err);\n        } else {\n          resolve(jwkPrivateKey);\n        }\n      });\n    });\n    return jwkToPrivate(jwk, e);\n  }\n\n  // RSA keygen fallback using 40 iterations of the Miller-Rabin test\n  // See https://stackoverflow.com/a/6330138 for justification\n  // Also see section C.3 here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST\n  let p;\n  let q;\n  let n;\n  do {\n    q = randomProbablePrime(bits - (bits >> 1), e, 40);\n    p = randomProbablePrime(bits >> 1, e, 40);\n    n = p * q;\n  } while (bitLength(n) !== bits);\n\n  const phi = (p - _1n) * (q - _1n);\n\n  if (q < p) {\n    [p, q] = [q, p];\n  }\n\n  return {\n    n: bigIntToUint8Array(n),\n    e: bigIntToUint8Array(e),\n    d: bigIntToUint8Array(modInv(e, phi)),\n    p: bigIntToUint8Array(p),\n    q: bigIntToUint8Array(q),\n    // dp: d.mod(p.subn(1)),\n    // dq: d.mod(q.subn(1)),\n    u: bigIntToUint8Array(modInv(p, q))\n  };\n}\n\n/**\n * Validate RSA parameters\n * @param {Uint8Array} n - RSA public modulus\n * @param {Uint8Array} e - RSA public exponent\n * @param {Uint8Array} d - RSA private exponent\n * @param {Uint8Array} p - RSA private prime p\n * @param {Uint8Array} q - RSA private prime q\n * @param {Uint8Array} u - RSA inverse of p w.r.t. q\n * @returns {Promise<Boolean>} Whether params are valid.\n * @async\n */\nexport async function validateParams(n, e, d, p, q, u) {\n  n = uint8ArrayToBigInt(n);\n  p = uint8ArrayToBigInt(p);\n  q = uint8ArrayToBigInt(q);\n\n  // expect pq = n\n  if ((p * q) !== n) {\n    return false;\n  }\n\n  const _2n = BigInt(2);\n  // expect p*u = 1 mod q\n  u = uint8ArrayToBigInt(u);\n  if (mod(p * u, q) !== BigInt(1)) {\n    return false;\n  }\n\n  e = uint8ArrayToBigInt(e);\n  d = uint8ArrayToBigInt(d);\n  /**\n   * In RSA pkcs#1 the exponents (d, e) are inverses modulo lcm(p-1, q-1)\n   * We check that [de = 1 mod (p-1)] and [de = 1 mod (q-1)]\n   * By CRT on coprime factors of (p-1, q-1) it follows that [de = 1 mod lcm(p-1, q-1)]\n   *\n   * We blind the multiplication with r, and check that rde = r mod lcm(p-1, q-1)\n   */\n  const nSizeOver3 = BigInt(Math.floor(bitLength(n) / 3));\n  const r = getRandomBigInteger(_2n, _2n << nSizeOver3); // r in [ 2, 2^{|n|/3} ) < p and q\n  const rde = r * d * e;\n\n  const areInverses = mod(rde, p - _1n) === r && mod(rde, q - _1n) === r;\n  if (!areInverses) {\n    return false;\n  }\n\n  return true;\n}\n\nasync function bnSign(hashAlgo, n, d, hashed) {\n  n = uint8ArrayToBigInt(n);\n  const m = uint8ArrayToBigInt(emsaEncode(hashAlgo, hashed, byteLength(n)));\n  d = uint8ArrayToBigInt(d);\n  return bigIntToUint8Array(modExp(m, d, n), 'be', byteLength(n));\n}\n\nasync function webSign(hashName, data, n, e, d, p, q, u) {\n  /** OpenPGP keys require that p < q, and Safari Web Crypto requires that p > q.\n   * We swap them in privateToJWK, so it usually works out, but nevertheless,\n   * not all OpenPGP keys are compatible with this requirement.\n   * OpenPGP.js used to generate RSA keys the wrong way around (p > q), and still\n   * does if the underlying Web Crypto does so (though the tested implementations\n   * don't do so).\n   */\n  const jwk = await privateToJWK(n, e, d, p, q, u);\n  const algo = {\n    name: 'RSASSA-PKCS1-v1_5',\n    hash: { name: hashName }\n  };\n  const key = await webCrypto.importKey('jwk', jwk, algo, false, ['sign']);\n  return new Uint8Array(await webCrypto.sign('RSASSA-PKCS1-v1_5', key, data));\n}\n\nasync function nodeSign(hashAlgo, data, n, e, d, p, q, u) {\n  const sign = nodeCrypto.createSign(enums.read(enums.hash, hashAlgo));\n  sign.write(data);\n  sign.end();\n\n  const jwk = await privateToJWK(n, e, d, p, q, u);\n  return new Uint8Array(sign.sign({ key: jwk, format: 'jwk', type: 'pkcs1' }));\n}\n\nasync function bnVerify(hashAlgo, s, n, e, hashed) {\n  n = uint8ArrayToBigInt(n);\n  s = uint8ArrayToBigInt(s);\n  e = uint8ArrayToBigInt(e);\n  if (s >= n) {\n    throw new Error('Signature size cannot exceed modulus size');\n  }\n  const EM1 = bigIntToUint8Array(modExp(s, e, n), 'be', byteLength(n));\n  const EM2 = emsaEncode(hashAlgo, hashed, byteLength(n));\n  return util.equalsUint8Array(EM1, EM2);\n}\n\nasync function webVerify(hashName, data, s, n, e) {\n  const jwk = publicToJWK(n, e);\n  const key = await webCrypto.importKey('jwk', jwk, {\n    name: 'RSASSA-PKCS1-v1_5',\n    hash: { name:  hashName }\n  }, false, ['verify']);\n  return webCrypto.verify('RSASSA-PKCS1-v1_5', key, s, data);\n}\n\nasync function nodeVerify(hashAlgo, data, s, n, e) {\n  const jwk = publicToJWK(n, e);\n  const key = { key: jwk, format: 'jwk', type: 'pkcs1' };\n\n  const verify = nodeCrypto.createVerify(enums.read(enums.hash, hashAlgo));\n  verify.write(data);\n  verify.end();\n\n  try {\n    return verify.verify(key, s);\n  } catch (err) {\n    return false;\n  }\n}\n\nasync function nodeEncrypt(data, n, e) {\n  const jwk = publicToJWK(n, e);\n  const key = { key: jwk, format: 'jwk', type: 'pkcs1', padding: nodeCrypto.constants.RSA_PKCS1_PADDING };\n\n  return new Uint8Array(nodeCrypto.publicEncrypt(key, data));\n}\n\nasync function bnEncrypt(data, n, e) {\n  n = uint8ArrayToBigInt(n);\n  data = uint8ArrayToBigInt(emeEncode(data, byteLength(n)));\n  e = uint8ArrayToBigInt(e);\n  if (data >= n) {\n    throw new Error('Message size cannot exceed modulus size');\n  }\n  return bigIntToUint8Array(modExp(data, e, n), 'be', byteLength(n));\n}\n\nasync function nodeDecrypt(data, n, e, d, p, q, u) {\n  const jwk = await privateToJWK(n, e, d, p, q, u);\n  const key = { key: jwk, format: 'jwk' , type: 'pkcs1', padding: nodeCrypto.constants.RSA_PKCS1_PADDING };\n\n  try {\n    return new Uint8Array(nodeCrypto.privateDecrypt(key, data));\n  } catch (err) {\n    throw new Error('Decryption error');\n  }\n}\n\nasync function bnDecrypt(data, n, e, d, p, q, u, randomPayload) {\n  data = uint8ArrayToBigInt(data);\n  n = uint8ArrayToBigInt(n);\n  e = uint8ArrayToBigInt(e);\n  d = uint8ArrayToBigInt(d);\n  p = uint8ArrayToBigInt(p);\n  q = uint8ArrayToBigInt(q);\n  u = uint8ArrayToBigInt(u);\n  if (data >= n) {\n    throw new Error('Data too large.');\n  }\n  const dq = mod(d, q - _1n); // d mod (q-1)\n  const dp = mod(d, p - _1n); // d mod (p-1)\n\n  const unblinder = getRandomBigInteger(BigInt(2), n);\n  const blinder = modExp(modInv(unblinder, n), e, n);\n  data = mod(data * blinder, n);\n\n  const mp = modExp(data, dp, p); // data**{d mod (q-1)} mod p\n  const mq = modExp(data, dq, q); // data**{d mod (p-1)} mod q\n  const h = mod(u * (mq - mp), q); // u * (mq-mp) mod q (operands already < q)\n\n  let result = h * p + mp; // result < n due to relations above\n\n  result = mod(result * unblinder, n);\n\n  return emeDecode(bigIntToUint8Array(result, 'be', byteLength(n)), randomPayload);\n}\n\n/** Convert Openpgp private key params to jwk key according to\n * @link https://tools.ietf.org/html/rfc7517\n * @param {String} hashAlgo\n * @param {Uint8Array} n\n * @param {Uint8Array} e\n * @param {Uint8Array} d\n * @param {Uint8Array} p\n * @param {Uint8Array} q\n * @param {Uint8Array} u\n */\nasync function privateToJWK(n, e, d, p, q, u) {\n  const pNum = uint8ArrayToBigInt(p);\n  const qNum = uint8ArrayToBigInt(q);\n  const dNum = uint8ArrayToBigInt(d);\n\n  let dq = mod(dNum, qNum - _1n); // d mod (q-1)\n  let dp = mod(dNum, pNum - _1n); // d mod (p-1)\n  dp = bigIntToUint8Array(dp);\n  dq = bigIntToUint8Array(dq);\n  return {\n    kty: 'RSA',\n    n: uint8ArrayToB64(n, true),\n    e: uint8ArrayToB64(e, true),\n    d: uint8ArrayToB64(d, true),\n    // switch p and q\n    p: uint8ArrayToB64(q, true),\n    q: uint8ArrayToB64(p, true),\n    // switch dp and dq\n    dp: uint8ArrayToB64(dq, true),\n    dq: uint8ArrayToB64(dp, true),\n    qi: uint8ArrayToB64(u, true),\n    ext: true\n  };\n}\n\n/** Convert Openpgp key public params to jwk key according to\n * @link https://tools.ietf.org/html/rfc7517\n * @param {String} hashAlgo\n * @param {Uint8Array} n\n * @param {Uint8Array} e\n */\nfunction publicToJWK(n, e) {\n  return {\n    kty: 'RSA',\n    n: uint8ArrayToB64(n, true),\n    e: uint8ArrayToB64(e, true),\n    ext: true\n  };\n}\n\n/** Convert JWK private key to OpenPGP private key params */\nfunction jwkToPrivate(jwk, e) {\n  return {\n    n: b64ToUint8Array(jwk.n),\n    e: bigIntToUint8Array(e),\n    d: b64ToUint8Array(jwk.d),\n    // switch p and q\n    p: b64ToUint8Array(jwk.q),\n    q: b64ToUint8Array(jwk.p),\n    // Since p and q are switched in places, u is the inverse of jwk.q\n    u: b64ToUint8Array(jwk.qi)\n  };\n}\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * @fileoverview ElGamal implementation\n * @module crypto/public_key/elgamal\n */\nimport { getRandomBigInteger } from '../random';\nimport { emeEncode, emeDecode } from '../pkcs1';\nimport { bigIntToUint8Array, bitLength, byteLength, mod, modExp, modInv, uint8ArrayToBigInt } from '../biginteger';\n\nconst _1n = BigInt(1);\n\n/**\n * ElGamal Encryption function\n * Note that in OpenPGP, the message needs to be padded with PKCS#1 (same as RSA)\n * @param {Uint8Array} data - To be padded and encrypted\n * @param {Uint8Array} p\n * @param {Uint8Array} g\n * @param {Uint8Array} y\n * @returns {Promise<{ c1: Uint8Array, c2: Uint8Array }>}\n * @async\n */\nexport async function encrypt(data, p, g, y) {\n  p = uint8ArrayToBigInt(p);\n  g = uint8ArrayToBigInt(g);\n  y = uint8ArrayToBigInt(y);\n\n  const padded = emeEncode(data, byteLength(p));\n  const m = uint8ArrayToBigInt(padded);\n\n  // OpenPGP uses a \"special\" version of ElGamal where g is generator of the full group Z/pZ*\n  // hence g has order p-1, and to avoid that k = 0 mod p-1, we need to pick k in [1, p-2]\n  const k = getRandomBigInteger(_1n, p - _1n);\n  return {\n    c1: bigIntToUint8Array(modExp(g, k, p)),\n    c2: bigIntToUint8Array(mod(modExp(y, k, p) * m, p))\n  };\n}\n\n/**\n * ElGamal Encryption function\n * @param {Uint8Array} c1\n * @param {Uint8Array} c2\n * @param {Uint8Array} p\n * @param {Uint8Array} x\n * @param {Uint8Array} randomPayload - Data to return on unpadding error, instead of throwing\n *                                     (needed for constant-time processing)\n * @returns {Promise<Uint8Array>} Unpadded message.\n * @throws {Error} on decryption error, unless `randomPayload` is given\n * @async\n */\nexport async function decrypt(c1, c2, p, x, randomPayload) {\n  c1 = uint8ArrayToBigInt(c1);\n  c2 = uint8ArrayToBigInt(c2);\n  p = uint8ArrayToBigInt(p);\n  x = uint8ArrayToBigInt(x);\n\n  const padded = mod(modInv(modExp(c1, x, p), p) * c2, p);\n  return emeDecode(bigIntToUint8Array(padded, 'be', byteLength(p)), randomPayload);\n}\n\n/**\n * Validate ElGamal parameters\n * @param {Uint8Array} p - ElGamal prime\n * @param {Uint8Array} g - ElGamal group generator\n * @param {Uint8Array} y - ElGamal public key\n * @param {Uint8Array} x - ElGamal private exponent\n * @returns {Promise<Boolean>} Whether params are valid.\n * @async\n */\nexport async function validateParams(p, g, y, x) {\n  p = uint8ArrayToBigInt(p);\n  g = uint8ArrayToBigInt(g);\n  y = uint8ArrayToBigInt(y);\n\n  // Check that 1 < g < p\n  if (g <= _1n || g >= p) {\n    return false;\n  }\n\n  // Expect p-1 to be large\n  const pSize = BigInt(bitLength(p));\n  const _1023n = BigInt(1023);\n  if (pSize < _1023n) {\n    return false;\n  }\n\n  /**\n   * g should have order p-1\n   * Check that g ** (p-1) = 1 mod p\n   */\n  if (modExp(g, p - _1n, p) !== _1n) {\n    return false;\n  }\n\n  /**\n   * Since p-1 is not prime, g might have a smaller order that divides p-1\n   * We want to make sure that the order is large enough to hinder a small subgroup attack\n   *\n   * We just check g**i != 1 for all i up to a threshold\n   */\n  let res = g;\n  let i = BigInt(1);\n  const _2n = BigInt(2);\n  const threshold = _2n << BigInt(17); // we want order > threshold\n  while (i < threshold) {\n    res = mod(res * g, p);\n    if (res === _1n) {\n      return false;\n    }\n    i++;\n  }\n\n  /**\n   * Re-derive public key y' = g ** x mod p\n   * Expect y == y'\n   *\n   * Blinded exponentiation computes g**{r(p-1) + x} to compare to y\n   */\n  x = uint8ArrayToBigInt(x);\n  const r = getRandomBigInteger(_2n << (pSize - _1n), _2n << pSize); // draw r of same size as p-1\n  const rqx = (p - _1n) * r + x;\n  if (y !== modExp(g, rqx, p)) {\n    return false;\n  }\n\n  return true;\n}\n","// declare const globalThis: Record<string, any> | undefined;\nexport const crypto =\n  typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined;\n","import { crypto } from './crypto.js';\n\n'use strict';\nconst nacl = {};\nexport default nacl;\n\n// Ported in 2014 by Dmitry Chestnykh and Devi Mandiri.\n// Public domain.\n//\n// Implementation derived from TweetNaCl version 20140427.\n// See for details: http://tweetnacl.cr.yp.to/\n\nvar gf = function(init) {\n  var i, r = new Float64Array(16);\n  if (init) for (i = 0; i < init.length; i++) r[i] = init[i];\n  return r;\n};\n\n//  Pluggable, initialized in high-level API below.\nvar randombytes = function(/* x, n */) { throw new Error('no PRNG'); };\n\nvar _9 = new Uint8Array(32); _9[0] = 9;\n\nvar gf0 = gf(),\n    gf1 = gf([1]),\n    _121665 = gf([0xdb41, 1]),\n    D = gf([0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898, 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203]),\n    D2 = gf([0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130, 0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406]),\n    X = gf([0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c, 0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169]),\n    Y = gf([0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666]),\n    I = gf([0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7, 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83]);\n\nfunction ts64(x, i, h, l) {\n  x[i]   = (h >> 24) & 0xff;\n  x[i+1] = (h >> 16) & 0xff;\n  x[i+2] = (h >>  8) & 0xff;\n  x[i+3] = h & 0xff;\n  x[i+4] = (l >> 24)  & 0xff;\n  x[i+5] = (l >> 16)  & 0xff;\n  x[i+6] = (l >>  8)  & 0xff;\n  x[i+7] = l & 0xff;\n}\n\nfunction vn(x, xi, y, yi, n) {\n  var i,d = 0;\n  for (i = 0; i < n; i++) d |= x[xi+i]^y[yi+i];\n  return (1 & ((d - 1) >>> 8)) - 1;\n}\n\nfunction crypto_verify_32(x, xi, y, yi) {\n  return vn(x,xi,y,yi,32);\n}\n\nfunction set25519(r, a) {\n  var i;\n  for (i = 0; i < 16; i++) r[i] = a[i]|0;\n}\n\nfunction car25519(o) {\n  var i, v, c = 1;\n  for (i = 0; i < 16; i++) {\n    v = o[i] + c + 65535;\n    c = Math.floor(v / 65536);\n    o[i] = v - c * 65536;\n  }\n  o[0] += c-1 + 37 * (c-1);\n}\n\nfunction sel25519(p, q, b) {\n  var t, c = ~(b-1);\n  for (var i = 0; i < 16; i++) {\n    t = c & (p[i] ^ q[i]);\n    p[i] ^= t;\n    q[i] ^= t;\n  }\n}\n\nfunction pack25519(o, n) {\n  var i, j, b;\n  var m = gf(), t = gf();\n  for (i = 0; i < 16; i++) t[i] = n[i];\n  car25519(t);\n  car25519(t);\n  car25519(t);\n  for (j = 0; j < 2; j++) {\n    m[0] = t[0] - 0xffed;\n    for (i = 1; i < 15; i++) {\n      m[i] = t[i] - 0xffff - ((m[i-1]>>16) & 1);\n      m[i-1] &= 0xffff;\n    }\n    m[15] = t[15] - 0x7fff - ((m[14]>>16) & 1);\n    b = (m[15]>>16) & 1;\n    m[14] &= 0xffff;\n    sel25519(t, m, 1-b);\n  }\n  for (i = 0; i < 16; i++) {\n    o[2*i] = t[i] & 0xff;\n    o[2*i+1] = t[i]>>8;\n  }\n}\n\nfunction neq25519(a, b) {\n  var c = new Uint8Array(32), d = new Uint8Array(32);\n  pack25519(c, a);\n  pack25519(d, b);\n  return crypto_verify_32(c, 0, d, 0);\n}\n\nfunction par25519(a) {\n  var d = new Uint8Array(32);\n  pack25519(d, a);\n  return d[0] & 1;\n}\n\nfunction unpack25519(o, n) {\n  var i;\n  for (i = 0; i < 16; i++) o[i] = n[2*i] + (n[2*i+1] << 8);\n  o[15] &= 0x7fff;\n}\n\nfunction A(o, a, b) {\n  for (var i = 0; i < 16; i++) o[i] = a[i] + b[i];\n}\n\nfunction Z(o, a, b) {\n  for (var i = 0; i < 16; i++) o[i] = a[i] - b[i];\n}\n\nfunction M(o, a, b) {\n  var v, c,\n     t0 = 0,  t1 = 0,  t2 = 0,  t3 = 0,  t4 = 0,  t5 = 0,  t6 = 0,  t7 = 0,\n     t8 = 0,  t9 = 0, t10 = 0, t11 = 0, t12 = 0, t13 = 0, t14 = 0, t15 = 0,\n    t16 = 0, t17 = 0, t18 = 0, t19 = 0, t20 = 0, t21 = 0, t22 = 0, t23 = 0,\n    t24 = 0, t25 = 0, t26 = 0, t27 = 0, t28 = 0, t29 = 0, t30 = 0,\n    b0 = b[0],\n    b1 = b[1],\n    b2 = b[2],\n    b3 = b[3],\n    b4 = b[4],\n    b5 = b[5],\n    b6 = b[6],\n    b7 = b[7],\n    b8 = b[8],\n    b9 = b[9],\n    b10 = b[10],\n    b11 = b[11],\n    b12 = b[12],\n    b13 = b[13],\n    b14 = b[14],\n    b15 = b[15];\n\n  v = a[0];\n  t0 += v * b0;\n  t1 += v * b1;\n  t2 += v * b2;\n  t3 += v * b3;\n  t4 += v * b4;\n  t5 += v * b5;\n  t6 += v * b6;\n  t7 += v * b7;\n  t8 += v * b8;\n  t9 += v * b9;\n  t10 += v * b10;\n  t11 += v * b11;\n  t12 += v * b12;\n  t13 += v * b13;\n  t14 += v * b14;\n  t15 += v * b15;\n  v = a[1];\n  t1 += v * b0;\n  t2 += v * b1;\n  t3 += v * b2;\n  t4 += v * b3;\n  t5 += v * b4;\n  t6 += v * b5;\n  t7 += v * b6;\n  t8 += v * b7;\n  t9 += v * b8;\n  t10 += v * b9;\n  t11 += v * b10;\n  t12 += v * b11;\n  t13 += v * b12;\n  t14 += v * b13;\n  t15 += v * b14;\n  t16 += v * b15;\n  v = a[2];\n  t2 += v * b0;\n  t3 += v * b1;\n  t4 += v * b2;\n  t5 += v * b3;\n  t6 += v * b4;\n  t7 += v * b5;\n  t8 += v * b6;\n  t9 += v * b7;\n  t10 += v * b8;\n  t11 += v * b9;\n  t12 += v * b10;\n  t13 += v * b11;\n  t14 += v * b12;\n  t15 += v * b13;\n  t16 += v * b14;\n  t17 += v * b15;\n  v = a[3];\n  t3 += v * b0;\n  t4 += v * b1;\n  t5 += v * b2;\n  t6 += v * b3;\n  t7 += v * b4;\n  t8 += v * b5;\n  t9 += v * b6;\n  t10 += v * b7;\n  t11 += v * b8;\n  t12 += v * b9;\n  t13 += v * b10;\n  t14 += v * b11;\n  t15 += v * b12;\n  t16 += v * b13;\n  t17 += v * b14;\n  t18 += v * b15;\n  v = a[4];\n  t4 += v * b0;\n  t5 += v * b1;\n  t6 += v * b2;\n  t7 += v * b3;\n  t8 += v * b4;\n  t9 += v * b5;\n  t10 += v * b6;\n  t11 += v * b7;\n  t12 += v * b8;\n  t13 += v * b9;\n  t14 += v * b10;\n  t15 += v * b11;\n  t16 += v * b12;\n  t17 += v * b13;\n  t18 += v * b14;\n  t19 += v * b15;\n  v = a[5];\n  t5 += v * b0;\n  t6 += v * b1;\n  t7 += v * b2;\n  t8 += v * b3;\n  t9 += v * b4;\n  t10 += v * b5;\n  t11 += v * b6;\n  t12 += v * b7;\n  t13 += v * b8;\n  t14 += v * b9;\n  t15 += v * b10;\n  t16 += v * b11;\n  t17 += v * b12;\n  t18 += v * b13;\n  t19 += v * b14;\n  t20 += v * b15;\n  v = a[6];\n  t6 += v * b0;\n  t7 += v * b1;\n  t8 += v * b2;\n  t9 += v * b3;\n  t10 += v * b4;\n  t11 += v * b5;\n  t12 += v * b6;\n  t13 += v * b7;\n  t14 += v * b8;\n  t15 += v * b9;\n  t16 += v * b10;\n  t17 += v * b11;\n  t18 += v * b12;\n  t19 += v * b13;\n  t20 += v * b14;\n  t21 += v * b15;\n  v = a[7];\n  t7 += v * b0;\n  t8 += v * b1;\n  t9 += v * b2;\n  t10 += v * b3;\n  t11 += v * b4;\n  t12 += v * b5;\n  t13 += v * b6;\n  t14 += v * b7;\n  t15 += v * b8;\n  t16 += v * b9;\n  t17 += v * b10;\n  t18 += v * b11;\n  t19 += v * b12;\n  t20 += v * b13;\n  t21 += v * b14;\n  t22 += v * b15;\n  v = a[8];\n  t8 += v * b0;\n  t9 += v * b1;\n  t10 += v * b2;\n  t11 += v * b3;\n  t12 += v * b4;\n  t13 += v * b5;\n  t14 += v * b6;\n  t15 += v * b7;\n  t16 += v * b8;\n  t17 += v * b9;\n  t18 += v * b10;\n  t19 += v * b11;\n  t20 += v * b12;\n  t21 += v * b13;\n  t22 += v * b14;\n  t23 += v * b15;\n  v = a[9];\n  t9 += v * b0;\n  t10 += v * b1;\n  t11 += v * b2;\n  t12 += v * b3;\n  t13 += v * b4;\n  t14 += v * b5;\n  t15 += v * b6;\n  t16 += v * b7;\n  t17 += v * b8;\n  t18 += v * b9;\n  t19 += v * b10;\n  t20 += v * b11;\n  t21 += v * b12;\n  t22 += v * b13;\n  t23 += v * b14;\n  t24 += v * b15;\n  v = a[10];\n  t10 += v * b0;\n  t11 += v * b1;\n  t12 += v * b2;\n  t13 += v * b3;\n  t14 += v * b4;\n  t15 += v * b5;\n  t16 += v * b6;\n  t17 += v * b7;\n  t18 += v * b8;\n  t19 += v * b9;\n  t20 += v * b10;\n  t21 += v * b11;\n  t22 += v * b12;\n  t23 += v * b13;\n  t24 += v * b14;\n  t25 += v * b15;\n  v = a[11];\n  t11 += v * b0;\n  t12 += v * b1;\n  t13 += v * b2;\n  t14 += v * b3;\n  t15 += v * b4;\n  t16 += v * b5;\n  t17 += v * b6;\n  t18 += v * b7;\n  t19 += v * b8;\n  t20 += v * b9;\n  t21 += v * b10;\n  t22 += v * b11;\n  t23 += v * b12;\n  t24 += v * b13;\n  t25 += v * b14;\n  t26 += v * b15;\n  v = a[12];\n  t12 += v * b0;\n  t13 += v * b1;\n  t14 += v * b2;\n  t15 += v * b3;\n  t16 += v * b4;\n  t17 += v * b5;\n  t18 += v * b6;\n  t19 += v * b7;\n  t20 += v * b8;\n  t21 += v * b9;\n  t22 += v * b10;\n  t23 += v * b11;\n  t24 += v * b12;\n  t25 += v * b13;\n  t26 += v * b14;\n  t27 += v * b15;\n  v = a[13];\n  t13 += v * b0;\n  t14 += v * b1;\n  t15 += v * b2;\n  t16 += v * b3;\n  t17 += v * b4;\n  t18 += v * b5;\n  t19 += v * b6;\n  t20 += v * b7;\n  t21 += v * b8;\n  t22 += v * b9;\n  t23 += v * b10;\n  t24 += v * b11;\n  t25 += v * b12;\n  t26 += v * b13;\n  t27 += v * b14;\n  t28 += v * b15;\n  v = a[14];\n  t14 += v * b0;\n  t15 += v * b1;\n  t16 += v * b2;\n  t17 += v * b3;\n  t18 += v * b4;\n  t19 += v * b5;\n  t20 += v * b6;\n  t21 += v * b7;\n  t22 += v * b8;\n  t23 += v * b9;\n  t24 += v * b10;\n  t25 += v * b11;\n  t26 += v * b12;\n  t27 += v * b13;\n  t28 += v * b14;\n  t29 += v * b15;\n  v = a[15];\n  t15 += v * b0;\n  t16 += v * b1;\n  t17 += v * b2;\n  t18 += v * b3;\n  t19 += v * b4;\n  t20 += v * b5;\n  t21 += v * b6;\n  t22 += v * b7;\n  t23 += v * b8;\n  t24 += v * b9;\n  t25 += v * b10;\n  t26 += v * b11;\n  t27 += v * b12;\n  t28 += v * b13;\n  t29 += v * b14;\n  t30 += v * b15;\n\n  t0  += 38 * t16;\n  t1  += 38 * t17;\n  t2  += 38 * t18;\n  t3  += 38 * t19;\n  t4  += 38 * t20;\n  t5  += 38 * t21;\n  t6  += 38 * t22;\n  t7  += 38 * t23;\n  t8  += 38 * t24;\n  t9  += 38 * t25;\n  t10 += 38 * t26;\n  t11 += 38 * t27;\n  t12 += 38 * t28;\n  t13 += 38 * t29;\n  t14 += 38 * t30;\n  // t15 left as is\n\n  // first car\n  c = 1;\n  v =  t0 + c + 65535; c = Math.floor(v / 65536);  t0 = v - c * 65536;\n  v =  t1 + c + 65535; c = Math.floor(v / 65536);  t1 = v - c * 65536;\n  v =  t2 + c + 65535; c = Math.floor(v / 65536);  t2 = v - c * 65536;\n  v =  t3 + c + 65535; c = Math.floor(v / 65536);  t3 = v - c * 65536;\n  v =  t4 + c + 65535; c = Math.floor(v / 65536);  t4 = v - c * 65536;\n  v =  t5 + c + 65535; c = Math.floor(v / 65536);  t5 = v - c * 65536;\n  v =  t6 + c + 65535; c = Math.floor(v / 65536);  t6 = v - c * 65536;\n  v =  t7 + c + 65535; c = Math.floor(v / 65536);  t7 = v - c * 65536;\n  v =  t8 + c + 65535; c = Math.floor(v / 65536);  t8 = v - c * 65536;\n  v =  t9 + c + 65535; c = Math.floor(v / 65536);  t9 = v - c * 65536;\n  v = t10 + c + 65535; c = Math.floor(v / 65536); t10 = v - c * 65536;\n  v = t11 + c + 65535; c = Math.floor(v / 65536); t11 = v - c * 65536;\n  v = t12 + c + 65535; c = Math.floor(v / 65536); t12 = v - c * 65536;\n  v = t13 + c + 65535; c = Math.floor(v / 65536); t13 = v - c * 65536;\n  v = t14 + c + 65535; c = Math.floor(v / 65536); t14 = v - c * 65536;\n  v = t15 + c + 65535; c = Math.floor(v / 65536); t15 = v - c * 65536;\n  t0 += c-1 + 37 * (c-1);\n\n  // second car\n  c = 1;\n  v =  t0 + c + 65535; c = Math.floor(v / 65536);  t0 = v - c * 65536;\n  v =  t1 + c + 65535; c = Math.floor(v / 65536);  t1 = v - c * 65536;\n  v =  t2 + c + 65535; c = Math.floor(v / 65536);  t2 = v - c * 65536;\n  v =  t3 + c + 65535; c = Math.floor(v / 65536);  t3 = v - c * 65536;\n  v =  t4 + c + 65535; c = Math.floor(v / 65536);  t4 = v - c * 65536;\n  v =  t5 + c + 65535; c = Math.floor(v / 65536);  t5 = v - c * 65536;\n  v =  t6 + c + 65535; c = Math.floor(v / 65536);  t6 = v - c * 65536;\n  v =  t7 + c + 65535; c = Math.floor(v / 65536);  t7 = v - c * 65536;\n  v =  t8 + c + 65535; c = Math.floor(v / 65536);  t8 = v - c * 65536;\n  v =  t9 + c + 65535; c = Math.floor(v / 65536);  t9 = v - c * 65536;\n  v = t10 + c + 65535; c = Math.floor(v / 65536); t10 = v - c * 65536;\n  v = t11 + c + 65535; c = Math.floor(v / 65536); t11 = v - c * 65536;\n  v = t12 + c + 65535; c = Math.floor(v / 65536); t12 = v - c * 65536;\n  v = t13 + c + 65535; c = Math.floor(v / 65536); t13 = v - c * 65536;\n  v = t14 + c + 65535; c = Math.floor(v / 65536); t14 = v - c * 65536;\n  v = t15 + c + 65535; c = Math.floor(v / 65536); t15 = v - c * 65536;\n  t0 += c-1 + 37 * (c-1);\n\n  o[ 0] = t0;\n  o[ 1] = t1;\n  o[ 2] = t2;\n  o[ 3] = t3;\n  o[ 4] = t4;\n  o[ 5] = t5;\n  o[ 6] = t6;\n  o[ 7] = t7;\n  o[ 8] = t8;\n  o[ 9] = t9;\n  o[10] = t10;\n  o[11] = t11;\n  o[12] = t12;\n  o[13] = t13;\n  o[14] = t14;\n  o[15] = t15;\n}\n\nfunction S(o, a) {\n  M(o, a, a);\n}\n\nfunction inv25519(o, i) {\n  var c = gf();\n  var a;\n  for (a = 0; a < 16; a++) c[a] = i[a];\n  for (a = 253; a >= 0; a--) {\n    S(c, c);\n    if(a !== 2 && a !== 4) M(c, c, i);\n  }\n  for (a = 0; a < 16; a++) o[a] = c[a];\n}\n\nfunction pow2523(o, i) {\n  var c = gf();\n  var a;\n  for (a = 0; a < 16; a++) c[a] = i[a];\n  for (a = 250; a >= 0; a--) {\n      S(c, c);\n      if(a !== 1) M(c, c, i);\n  }\n  for (a = 0; a < 16; a++) o[a] = c[a];\n}\n\nfunction crypto_scalarmult(q, n, p) {\n  var z = new Uint8Array(32);\n  var x = new Float64Array(80), r, i;\n  var a = gf(), b = gf(), c = gf(),\n      d = gf(), e = gf(), f = gf();\n  for (i = 0; i < 31; i++) z[i] = n[i];\n  z[31]=(n[31]&127)|64;\n  z[0]&=248;\n  unpack25519(x,p);\n  for (i = 0; i < 16; i++) {\n    b[i]=x[i];\n    d[i]=a[i]=c[i]=0;\n  }\n  a[0]=d[0]=1;\n  for (i=254; i>=0; --i) {\n    r=(z[i>>>3]>>>(i&7))&1;\n    sel25519(a,b,r);\n    sel25519(c,d,r);\n    A(e,a,c);\n    Z(a,a,c);\n    A(c,b,d);\n    Z(b,b,d);\n    S(d,e);\n    S(f,a);\n    M(a,c,a);\n    M(c,b,e);\n    A(e,a,c);\n    Z(a,a,c);\n    S(b,a);\n    Z(c,d,f);\n    M(a,c,_121665);\n    A(a,a,d);\n    M(c,c,a);\n    M(a,d,f);\n    M(d,b,x);\n    S(b,e);\n    sel25519(a,b,r);\n    sel25519(c,d,r);\n  }\n  for (i = 0; i < 16; i++) {\n    x[i+16]=a[i];\n    x[i+32]=c[i];\n    x[i+48]=b[i];\n    x[i+64]=d[i];\n  }\n  var x32 = x.subarray(32);\n  var x16 = x.subarray(16);\n  inv25519(x32,x32);\n  M(x16,x16,x32);\n  pack25519(q,x16);\n  return 0;\n}\n\nfunction crypto_scalarmult_base(q, n) {\n  return crypto_scalarmult(q, n, _9);\n}\n\nfunction crypto_box_keypair(y, x) {\n  randombytes(x, 32);\n  return crypto_scalarmult_base(y, x);\n}\n\nvar K = [\n  0x428a2f98, 0xd728ae22, 0x71374491, 0x23ef65cd,\n  0xb5c0fbcf, 0xec4d3b2f, 0xe9b5dba5, 0x8189dbbc,\n  0x3956c25b, 0xf348b538, 0x59f111f1, 0xb605d019,\n  0x923f82a4, 0xaf194f9b, 0xab1c5ed5, 0xda6d8118,\n  0xd807aa98, 0xa3030242, 0x12835b01, 0x45706fbe,\n  0x243185be, 0x4ee4b28c, 0x550c7dc3, 0xd5ffb4e2,\n  0x72be5d74, 0xf27b896f, 0x80deb1fe, 0x3b1696b1,\n  0x9bdc06a7, 0x25c71235, 0xc19bf174, 0xcf692694,\n  0xe49b69c1, 0x9ef14ad2, 0xefbe4786, 0x384f25e3,\n  0x0fc19dc6, 0x8b8cd5b5, 0x240ca1cc, 0x77ac9c65,\n  0x2de92c6f, 0x592b0275, 0x4a7484aa, 0x6ea6e483,\n  0x5cb0a9dc, 0xbd41fbd4, 0x76f988da, 0x831153b5,\n  0x983e5152, 0xee66dfab, 0xa831c66d, 0x2db43210,\n  0xb00327c8, 0x98fb213f, 0xbf597fc7, 0xbeef0ee4,\n  0xc6e00bf3, 0x3da88fc2, 0xd5a79147, 0x930aa725,\n  0x06ca6351, 0xe003826f, 0x14292967, 0x0a0e6e70,\n  0x27b70a85, 0x46d22ffc, 0x2e1b2138, 0x5c26c926,\n  0x4d2c6dfc, 0x5ac42aed, 0x53380d13, 0x9d95b3df,\n  0x650a7354, 0x8baf63de, 0x766a0abb, 0x3c77b2a8,\n  0x81c2c92e, 0x47edaee6, 0x92722c85, 0x1482353b,\n  0xa2bfe8a1, 0x4cf10364, 0xa81a664b, 0xbc423001,\n  0xc24b8b70, 0xd0f89791, 0xc76c51a3, 0x0654be30,\n  0xd192e819, 0xd6ef5218, 0xd6990624, 0x5565a910,\n  0xf40e3585, 0x5771202a, 0x106aa070, 0x32bbd1b8,\n  0x19a4c116, 0xb8d2d0c8, 0x1e376c08, 0x5141ab53,\n  0x2748774c, 0xdf8eeb99, 0x34b0bcb5, 0xe19b48a8,\n  0x391c0cb3, 0xc5c95a63, 0x4ed8aa4a, 0xe3418acb,\n  0x5b9cca4f, 0x7763e373, 0x682e6ff3, 0xd6b2b8a3,\n  0x748f82ee, 0x5defb2fc, 0x78a5636f, 0x43172f60,\n  0x84c87814, 0xa1f0ab72, 0x8cc70208, 0x1a6439ec,\n  0x90befffa, 0x23631e28, 0xa4506ceb, 0xde82bde9,\n  0xbef9a3f7, 0xb2c67915, 0xc67178f2, 0xe372532b,\n  0xca273ece, 0xea26619c, 0xd186b8c7, 0x21c0c207,\n  0xeada7dd6, 0xcde0eb1e, 0xf57d4f7f, 0xee6ed178,\n  0x06f067aa, 0x72176fba, 0x0a637dc5, 0xa2c898a6,\n  0x113f9804, 0xbef90dae, 0x1b710b35, 0x131c471b,\n  0x28db77f5, 0x23047d84, 0x32caab7b, 0x40c72493,\n  0x3c9ebe0a, 0x15c9bebc, 0x431d67c4, 0x9c100d4c,\n  0x4cc5d4be, 0xcb3e42b6, 0x597f299c, 0xfc657e2a,\n  0x5fcb6fab, 0x3ad6faec, 0x6c44198c, 0x4a475817\n];\n\nfunction crypto_hashblocks_hl(hh, hl, m, n) {\n  var wh = new Int32Array(16), wl = new Int32Array(16),\n      bh0, bh1, bh2, bh3, bh4, bh5, bh6, bh7,\n      bl0, bl1, bl2, bl3, bl4, bl5, bl6, bl7,\n      th, tl, i, j, h, l, a, b, c, d;\n\n  var ah0 = hh[0],\n      ah1 = hh[1],\n      ah2 = hh[2],\n      ah3 = hh[3],\n      ah4 = hh[4],\n      ah5 = hh[5],\n      ah6 = hh[6],\n      ah7 = hh[7],\n\n      al0 = hl[0],\n      al1 = hl[1],\n      al2 = hl[2],\n      al3 = hl[3],\n      al4 = hl[4],\n      al5 = hl[5],\n      al6 = hl[6],\n      al7 = hl[7];\n\n  var pos = 0;\n  while (n >= 128) {\n    for (i = 0; i < 16; i++) {\n      j = 8 * i + pos;\n      wh[i] = (m[j+0] << 24) | (m[j+1] << 16) | (m[j+2] << 8) | m[j+3];\n      wl[i] = (m[j+4] << 24) | (m[j+5] << 16) | (m[j+6] << 8) | m[j+7];\n    }\n    for (i = 0; i < 80; i++) {\n      bh0 = ah0;\n      bh1 = ah1;\n      bh2 = ah2;\n      bh3 = ah3;\n      bh4 = ah4;\n      bh5 = ah5;\n      bh6 = ah6;\n      bh7 = ah7;\n\n      bl0 = al0;\n      bl1 = al1;\n      bl2 = al2;\n      bl3 = al3;\n      bl4 = al4;\n      bl5 = al5;\n      bl6 = al6;\n      bl7 = al7;\n\n      // add\n      h = ah7;\n      l = al7;\n\n      a = l & 0xffff; b = l >>> 16;\n      c = h & 0xffff; d = h >>> 16;\n\n      // Sigma1\n      h = ((ah4 >>> 14) | (al4 << (32-14))) ^ ((ah4 >>> 18) | (al4 << (32-18))) ^ ((al4 >>> (41-32)) | (ah4 << (32-(41-32))));\n      l = ((al4 >>> 14) | (ah4 << (32-14))) ^ ((al4 >>> 18) | (ah4 << (32-18))) ^ ((ah4 >>> (41-32)) | (al4 << (32-(41-32))));\n\n      a += l & 0xffff; b += l >>> 16;\n      c += h & 0xffff; d += h >>> 16;\n\n      // Ch\n      h = (ah4 & ah5) ^ (~ah4 & ah6);\n      l = (al4 & al5) ^ (~al4 & al6);\n\n      a += l & 0xffff; b += l >>> 16;\n      c += h & 0xffff; d += h >>> 16;\n\n      // K\n      h = K[i*2];\n      l = K[i*2+1];\n\n      a += l & 0xffff; b += l >>> 16;\n      c += h & 0xffff; d += h >>> 16;\n\n      // w\n      h = wh[i%16];\n      l = wl[i%16];\n\n      a += l & 0xffff; b += l >>> 16;\n      c += h & 0xffff; d += h >>> 16;\n\n      b += a >>> 16;\n      c += b >>> 16;\n      d += c >>> 16;\n\n      th = c & 0xffff | d << 16;\n      tl = a & 0xffff | b << 16;\n\n      // add\n      h = th;\n      l = tl;\n\n      a = l & 0xffff; b = l >>> 16;\n      c = h & 0xffff; d = h >>> 16;\n\n      // Sigma0\n      h = ((ah0 >>> 28) | (al0 << (32-28))) ^ ((al0 >>> (34-32)) | (ah0 << (32-(34-32)))) ^ ((al0 >>> (39-32)) | (ah0 << (32-(39-32))));\n      l = ((al0 >>> 28) | (ah0 << (32-28))) ^ ((ah0 >>> (34-32)) | (al0 << (32-(34-32)))) ^ ((ah0 >>> (39-32)) | (al0 << (32-(39-32))));\n\n      a += l & 0xffff; b += l >>> 16;\n      c += h & 0xffff; d += h >>> 16;\n\n      // Maj\n      h = (ah0 & ah1) ^ (ah0 & ah2) ^ (ah1 & ah2);\n      l = (al0 & al1) ^ (al0 & al2) ^ (al1 & al2);\n\n      a += l & 0xffff; b += l >>> 16;\n      c += h & 0xffff; d += h >>> 16;\n\n      b += a >>> 16;\n      c += b >>> 16;\n      d += c >>> 16;\n\n      bh7 = (c & 0xffff) | (d << 16);\n      bl7 = (a & 0xffff) | (b << 16);\n\n      // add\n      h = bh3;\n      l = bl3;\n\n      a = l & 0xffff; b = l >>> 16;\n      c = h & 0xffff; d = h >>> 16;\n\n      h = th;\n      l = tl;\n\n      a += l & 0xffff; b += l >>> 16;\n      c += h & 0xffff; d += h >>> 16;\n\n      b += a >>> 16;\n      c += b >>> 16;\n      d += c >>> 16;\n\n      bh3 = (c & 0xffff) | (d << 16);\n      bl3 = (a & 0xffff) | (b << 16);\n\n      ah1 = bh0;\n      ah2 = bh1;\n      ah3 = bh2;\n      ah4 = bh3;\n      ah5 = bh4;\n      ah6 = bh5;\n      ah7 = bh6;\n      ah0 = bh7;\n\n      al1 = bl0;\n      al2 = bl1;\n      al3 = bl2;\n      al4 = bl3;\n      al5 = bl4;\n      al6 = bl5;\n      al7 = bl6;\n      al0 = bl7;\n\n      if (i%16 === 15) {\n        for (j = 0; j < 16; j++) {\n          // add\n          h = wh[j];\n          l = wl[j];\n\n          a = l & 0xffff; b = l >>> 16;\n          c = h & 0xffff; d = h >>> 16;\n\n          h = wh[(j+9)%16];\n          l = wl[(j+9)%16];\n\n          a += l & 0xffff; b += l >>> 16;\n          c += h & 0xffff; d += h >>> 16;\n\n          // sigma0\n          th = wh[(j+1)%16];\n          tl = wl[(j+1)%16];\n          h = ((th >>> 1) | (tl << (32-1))) ^ ((th >>> 8) | (tl << (32-8))) ^ (th >>> 7);\n          l = ((tl >>> 1) | (th << (32-1))) ^ ((tl >>> 8) | (th << (32-8))) ^ ((tl >>> 7) | (th << (32-7)));\n\n          a += l & 0xffff; b += l >>> 16;\n          c += h & 0xffff; d += h >>> 16;\n\n          // sigma1\n          th = wh[(j+14)%16];\n          tl = wl[(j+14)%16];\n          h = ((th >>> 19) | (tl << (32-19))) ^ ((tl >>> (61-32)) | (th << (32-(61-32)))) ^ (th >>> 6);\n          l = ((tl >>> 19) | (th << (32-19))) ^ ((th >>> (61-32)) | (tl << (32-(61-32)))) ^ ((tl >>> 6) | (th << (32-6)));\n\n          a += l & 0xffff; b += l >>> 16;\n          c += h & 0xffff; d += h >>> 16;\n\n          b += a >>> 16;\n          c += b >>> 16;\n          d += c >>> 16;\n\n          wh[j] = (c & 0xffff) | (d << 16);\n          wl[j] = (a & 0xffff) | (b << 16);\n        }\n      }\n    }\n\n    // add\n    h = ah0;\n    l = al0;\n\n    a = l & 0xffff; b = l >>> 16;\n    c = h & 0xffff; d = h >>> 16;\n\n    h = hh[0];\n    l = hl[0];\n\n    a += l & 0xffff; b += l >>> 16;\n    c += h & 0xffff; d += h >>> 16;\n\n    b += a >>> 16;\n    c += b >>> 16;\n    d += c >>> 16;\n\n    hh[0] = ah0 = (c & 0xffff) | (d << 16);\n    hl[0] = al0 = (a & 0xffff) | (b << 16);\n\n    h = ah1;\n    l = al1;\n\n    a = l & 0xffff; b = l >>> 16;\n    c = h & 0xffff; d = h >>> 16;\n\n    h = hh[1];\n    l = hl[1];\n\n    a += l & 0xffff; b += l >>> 16;\n    c += h & 0xffff; d += h >>> 16;\n\n    b += a >>> 16;\n    c += b >>> 16;\n    d += c >>> 16;\n\n    hh[1] = ah1 = (c & 0xffff) | (d << 16);\n    hl[1] = al1 = (a & 0xffff) | (b << 16);\n\n    h = ah2;\n    l = al2;\n\n    a = l & 0xffff; b = l >>> 16;\n    c = h & 0xffff; d = h >>> 16;\n\n    h = hh[2];\n    l = hl[2];\n\n    a += l & 0xffff; b += l >>> 16;\n    c += h & 0xffff; d += h >>> 16;\n\n    b += a >>> 16;\n    c += b >>> 16;\n    d += c >>> 16;\n\n    hh[2] = ah2 = (c & 0xffff) | (d << 16);\n    hl[2] = al2 = (a & 0xffff) | (b << 16);\n\n    h = ah3;\n    l = al3;\n\n    a = l & 0xffff; b = l >>> 16;\n    c = h & 0xffff; d = h >>> 16;\n\n    h = hh[3];\n    l = hl[3];\n\n    a += l & 0xffff; b += l >>> 16;\n    c += h & 0xffff; d += h >>> 16;\n\n    b += a >>> 16;\n    c += b >>> 16;\n    d += c >>> 16;\n\n    hh[3] = ah3 = (c & 0xffff) | (d << 16);\n    hl[3] = al3 = (a & 0xffff) | (b << 16);\n\n    h = ah4;\n    l = al4;\n\n    a = l & 0xffff; b = l >>> 16;\n    c = h & 0xffff; d = h >>> 16;\n\n    h = hh[4];\n    l = hl[4];\n\n    a += l & 0xffff; b += l >>> 16;\n    c += h & 0xffff; d += h >>> 16;\n\n    b += a >>> 16;\n    c += b >>> 16;\n    d += c >>> 16;\n\n    hh[4] = ah4 = (c & 0xffff) | (d << 16);\n    hl[4] = al4 = (a & 0xffff) | (b << 16);\n\n    h = ah5;\n    l = al5;\n\n    a = l & 0xffff; b = l >>> 16;\n    c = h & 0xffff; d = h >>> 16;\n\n    h = hh[5];\n    l = hl[5];\n\n    a += l & 0xffff; b += l >>> 16;\n    c += h & 0xffff; d += h >>> 16;\n\n    b += a >>> 16;\n    c += b >>> 16;\n    d += c >>> 16;\n\n    hh[5] = ah5 = (c & 0xffff) | (d << 16);\n    hl[5] = al5 = (a & 0xffff) | (b << 16);\n\n    h = ah6;\n    l = al6;\n\n    a = l & 0xffff; b = l >>> 16;\n    c = h & 0xffff; d = h >>> 16;\n\n    h = hh[6];\n    l = hl[6];\n\n    a += l & 0xffff; b += l >>> 16;\n    c += h & 0xffff; d += h >>> 16;\n\n    b += a >>> 16;\n    c += b >>> 16;\n    d += c >>> 16;\n\n    hh[6] = ah6 = (c & 0xffff) | (d << 16);\n    hl[6] = al6 = (a & 0xffff) | (b << 16);\n\n    h = ah7;\n    l = al7;\n\n    a = l & 0xffff; b = l >>> 16;\n    c = h & 0xffff; d = h >>> 16;\n\n    h = hh[7];\n    l = hl[7];\n\n    a += l & 0xffff; b += l >>> 16;\n    c += h & 0xffff; d += h >>> 16;\n\n    b += a >>> 16;\n    c += b >>> 16;\n    d += c >>> 16;\n\n    hh[7] = ah7 = (c & 0xffff) | (d << 16);\n    hl[7] = al7 = (a & 0xffff) | (b << 16);\n\n    pos += 128;\n    n -= 128;\n  }\n\n  return n;\n}\n\nfunction crypto_hash(out, m, n) {\n  var hh = new Int32Array(8),\n      hl = new Int32Array(8),\n      x = new Uint8Array(256),\n      i, b = n;\n\n  hh[0] = 0x6a09e667;\n  hh[1] = 0xbb67ae85;\n  hh[2] = 0x3c6ef372;\n  hh[3] = 0xa54ff53a;\n  hh[4] = 0x510e527f;\n  hh[5] = 0x9b05688c;\n  hh[6] = 0x1f83d9ab;\n  hh[7] = 0x5be0cd19;\n\n  hl[0] = 0xf3bcc908;\n  hl[1] = 0x84caa73b;\n  hl[2] = 0xfe94f82b;\n  hl[3] = 0x5f1d36f1;\n  hl[4] = 0xade682d1;\n  hl[5] = 0x2b3e6c1f;\n  hl[6] = 0xfb41bd6b;\n  hl[7] = 0x137e2179;\n\n  crypto_hashblocks_hl(hh, hl, m, n);\n  n %= 128;\n\n  for (i = 0; i < n; i++) x[i] = m[b-n+i];\n  x[n] = 128;\n\n  n = 256-128*(n<112?1:0);\n  x[n-9] = 0;\n  ts64(x, n-8,  (b / 0x20000000) | 0, b << 3);\n  crypto_hashblocks_hl(hh, hl, x, n);\n\n  for (i = 0; i < 8; i++) ts64(out, 8*i, hh[i], hl[i]);\n\n  return 0;\n}\n\nfunction add(p, q) {\n  var a = gf(), b = gf(), c = gf(),\n      d = gf(), e = gf(), f = gf(),\n      g = gf(), h = gf(), t = gf();\n\n  Z(a, p[1], p[0]);\n  Z(t, q[1], q[0]);\n  M(a, a, t);\n  A(b, p[0], p[1]);\n  A(t, q[0], q[1]);\n  M(b, b, t);\n  M(c, p[3], q[3]);\n  M(c, c, D2);\n  M(d, p[2], q[2]);\n  A(d, d, d);\n  Z(e, b, a);\n  Z(f, d, c);\n  A(g, d, c);\n  A(h, b, a);\n\n  M(p[0], e, f);\n  M(p[1], h, g);\n  M(p[2], g, f);\n  M(p[3], e, h);\n}\n\nfunction cswap(p, q, b) {\n  var i;\n  for (i = 0; i < 4; i++) {\n    sel25519(p[i], q[i], b);\n  }\n}\n\nfunction pack(r, p) {\n  var tx = gf(), ty = gf(), zi = gf();\n  inv25519(zi, p[2]);\n  M(tx, p[0], zi);\n  M(ty, p[1], zi);\n  pack25519(r, ty);\n  r[31] ^= par25519(tx) << 7;\n}\n\nfunction scalarmult(p, q, s) {\n  var b, i;\n  set25519(p[0], gf0);\n  set25519(p[1], gf1);\n  set25519(p[2], gf1);\n  set25519(p[3], gf0);\n  for (i = 255; i >= 0; --i) {\n    b = (s[(i/8)|0] >> (i&7)) & 1;\n    cswap(p, q, b);\n    add(q, p);\n    add(p, p);\n    cswap(p, q, b);\n  }\n}\n\nfunction scalarbase(p, s) {\n  var q = [gf(), gf(), gf(), gf()];\n  set25519(q[0], X);\n  set25519(q[1], Y);\n  set25519(q[2], gf1);\n  M(q[3], X, Y);\n  scalarmult(p, q, s);\n}\n\nfunction crypto_sign_keypair(pk, sk, seeded) {\n  var d = new Uint8Array(64);\n  var p = [gf(), gf(), gf(), gf()];\n  var i;\n\n  if (!seeded) randombytes(sk, 32);\n  crypto_hash(d, sk, 32);\n  d[0] &= 248;\n  d[31] &= 127;\n  d[31] |= 64;\n\n  scalarbase(p, d);\n  pack(pk, p);\n\n  for (i = 0; i < 32; i++) sk[i+32] = pk[i];\n  return 0;\n}\n\nvar L = new Float64Array([0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10]);\n\nfunction modL(r, x) {\n  var carry, i, j, k;\n  for (i = 63; i >= 32; --i) {\n    carry = 0;\n    for (j = i - 32, k = i - 12; j < k; ++j) {\n      x[j] += carry - 16 * x[i] * L[j - (i - 32)];\n      carry = Math.floor((x[j] + 128) / 256);\n      x[j] -= carry * 256;\n    }\n    x[j] += carry;\n    x[i] = 0;\n  }\n  carry = 0;\n  for (j = 0; j < 32; j++) {\n    x[j] += carry - (x[31] >> 4) * L[j];\n    carry = x[j] >> 8;\n    x[j] &= 255;\n  }\n  for (j = 0; j < 32; j++) x[j] -= carry * L[j];\n  for (i = 0; i < 32; i++) {\n    x[i+1] += x[i] >> 8;\n    r[i] = x[i] & 255;\n  }\n}\n\nfunction reduce(r) {\n  var x = new Float64Array(64), i;\n  for (i = 0; i < 64; i++) x[i] = r[i];\n  for (i = 0; i < 64; i++) r[i] = 0;\n  modL(r, x);\n}\n\n// Note: difference from C - smlen returned, not passed as argument.\nfunction crypto_sign(sm, m, n, sk) {\n  var d = new Uint8Array(64), h = new Uint8Array(64), r = new Uint8Array(64);\n  var i, j, x = new Float64Array(64);\n  var p = [gf(), gf(), gf(), gf()];\n\n  crypto_hash(d, sk, 32);\n  d[0] &= 248;\n  d[31] &= 127;\n  d[31] |= 64;\n\n  var smlen = n + 64;\n  for (i = 0; i < n; i++) sm[64 + i] = m[i];\n  for (i = 0; i < 32; i++) sm[32 + i] = d[32 + i];\n\n  crypto_hash(r, sm.subarray(32), n+32);\n  reduce(r);\n  scalarbase(p, r);\n  pack(sm, p);\n\n  for (i = 32; i < 64; i++) sm[i] = sk[i];\n  crypto_hash(h, sm, n + 64);\n  reduce(h);\n\n  for (i = 0; i < 64; i++) x[i] = 0;\n  for (i = 0; i < 32; i++) x[i] = r[i];\n  for (i = 0; i < 32; i++) {\n    for (j = 0; j < 32; j++) {\n      x[i+j] += h[i] * d[j];\n    }\n  }\n\n  modL(sm.subarray(32), x);\n  return smlen;\n}\n\nfunction unpackneg(r, p) {\n  var t = gf(), chk = gf(), num = gf(),\n      den = gf(), den2 = gf(), den4 = gf(),\n      den6 = gf();\n\n  set25519(r[2], gf1);\n  unpack25519(r[1], p);\n  S(num, r[1]);\n  M(den, num, D);\n  Z(num, num, r[2]);\n  A(den, r[2], den);\n\n  S(den2, den);\n  S(den4, den2);\n  M(den6, den4, den2);\n  M(t, den6, num);\n  M(t, t, den);\n\n  pow2523(t, t);\n  M(t, t, num);\n  M(t, t, den);\n  M(t, t, den);\n  M(r[0], t, den);\n\n  S(chk, r[0]);\n  M(chk, chk, den);\n  if (neq25519(chk, num)) M(r[0], r[0], I);\n\n  S(chk, r[0]);\n  M(chk, chk, den);\n  if (neq25519(chk, num)) return -1;\n\n  if (par25519(r[0]) === (p[31]>>7)) Z(r[0], gf0, r[0]);\n\n  M(r[3], r[0], r[1]);\n  return 0;\n}\n\nfunction crypto_sign_open(m, sm, n, pk) {\n  var i;\n  var t = new Uint8Array(32), h = new Uint8Array(64);\n  var p = [gf(), gf(), gf(), gf()],\n      q = [gf(), gf(), gf(), gf()];\n\n  if (n < 64) return -1;\n\n  if (unpackneg(q, pk)) return -1;\n\n  for (i = 0; i < n; i++) m[i] = sm[i];\n  for (i = 0; i < 32; i++) m[i+32] = pk[i];\n  crypto_hash(h, m, n);\n  reduce(h);\n  scalarmult(p, q, h);\n\n  scalarbase(q, sm.subarray(32));\n  add(p, q);\n  pack(t, p);\n\n  n -= 64;\n  if (crypto_verify_32(sm, 0, t, 0)) {\n    for (i = 0; i < n; i++) m[i] = 0;\n    return -1;\n  }\n\n  for (i = 0; i < n; i++) m[i] = sm[i + 64];\n  return n;\n}\n\nvar crypto_scalarmult_BYTES = 32,\n    crypto_scalarmult_SCALARBYTES = 32,\n    crypto_box_PUBLICKEYBYTES = 32,\n    crypto_box_SECRETKEYBYTES = 32,\n    crypto_sign_BYTES = 64,\n    crypto_sign_PUBLICKEYBYTES = 32,\n    crypto_sign_SECRETKEYBYTES = 64,\n    crypto_sign_SEEDBYTES = 32;\n\nfunction checkArrayTypes() {\n  for (var i = 0; i < arguments.length; i++) {\n    if (!(arguments[i] instanceof Uint8Array))\n      throw new TypeError('unexpected type, use Uint8Array');\n  }\n}\n\nfunction cleanup(arr) {\n  for (var i = 0; i < arr.length; i++) arr[i] = 0;\n}\n\nnacl.scalarMult = function(n, p) {\n  checkArrayTypes(n, p);\n  if (n.length !== crypto_scalarmult_SCALARBYTES) throw new Error('bad n size');\n  if (p.length !== crypto_scalarmult_BYTES) throw new Error('bad p size');\n  var q = new Uint8Array(crypto_scalarmult_BYTES);\n  crypto_scalarmult(q, n, p);\n  return q;\n};\n\nnacl.box = {};\n\nnacl.box.keyPair = function() {\n  var pk = new Uint8Array(crypto_box_PUBLICKEYBYTES);\n  var sk = new Uint8Array(crypto_box_SECRETKEYBYTES);\n  crypto_box_keypair(pk, sk);\n  return {publicKey: pk, secretKey: sk};\n};\n\nnacl.box.keyPair.fromSecretKey = function(secretKey) {\n  checkArrayTypes(secretKey);\n  if (secretKey.length !== crypto_box_SECRETKEYBYTES)\n    throw new Error('bad secret key size');\n  var pk = new Uint8Array(crypto_box_PUBLICKEYBYTES);\n  crypto_scalarmult_base(pk, secretKey);\n  return {publicKey: pk, secretKey: new Uint8Array(secretKey)};\n};\n\nnacl.sign = function(msg, secretKey) {\n  checkArrayTypes(msg, secretKey);\n  if (secretKey.length !== crypto_sign_SECRETKEYBYTES)\n    throw new Error('bad secret key size');\n  var signedMsg = new Uint8Array(crypto_sign_BYTES+msg.length);\n  crypto_sign(signedMsg, msg, msg.length, secretKey);\n  return signedMsg;\n};\n\nnacl.sign.detached = function(msg, secretKey) {\n  var signedMsg = nacl.sign(msg, secretKey);\n  var sig = new Uint8Array(crypto_sign_BYTES);\n  for (var i = 0; i < sig.length; i++) sig[i] = signedMsg[i];\n  return sig;\n};\n\nnacl.sign.detached.verify = function(msg, sig, publicKey) {\n  checkArrayTypes(msg, sig, publicKey);\n  if (sig.length !== crypto_sign_BYTES)\n    throw new Error('bad signature size');\n  if (publicKey.length !== crypto_sign_PUBLICKEYBYTES)\n    throw new Error('bad public key size');\n  var sm = new Uint8Array(crypto_sign_BYTES + msg.length);\n  var m = new Uint8Array(crypto_sign_BYTES + msg.length);\n  var i;\n  for (i = 0; i < crypto_sign_BYTES; i++) sm[i] = sig[i];\n  for (i = 0; i < msg.length; i++) sm[i+crypto_sign_BYTES] = msg[i];\n  return (crypto_sign_open(m, sm, sm.length, publicKey) >= 0);\n};\n\nnacl.sign.keyPair = function() {\n  var pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES);\n  var sk = new Uint8Array(crypto_sign_SECRETKEYBYTES);\n  crypto_sign_keypair(pk, sk);\n  return {publicKey: pk, secretKey: sk};\n};\n\nnacl.sign.keyPair.fromSecretKey = function(secretKey) {\n  checkArrayTypes(secretKey);\n  if (secretKey.length !== crypto_sign_SECRETKEYBYTES)\n    throw new Error('bad secret key size');\n  var pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES);\n  for (var i = 0; i < pk.length; i++) pk[i] = secretKey[32+i];\n  return {publicKey: pk, secretKey: new Uint8Array(secretKey)};\n};\n\nnacl.sign.keyPair.fromSeed = function(seed) {\n  checkArrayTypes(seed);\n  if (seed.length !== crypto_sign_SEEDBYTES)\n    throw new Error('bad seed size');\n  var pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES);\n  var sk = new Uint8Array(crypto_sign_SECRETKEYBYTES);\n  for (var i = 0; i < 32; i++) sk[i] = seed[i];\n  crypto_sign_keypair(pk, sk, true);\n  return {publicKey: pk, secretKey: sk};\n};\n\nnacl.setPRNG = function(fn) {\n  randombytes = fn;\n};\n\n(function() {\n  // Initialize PRNG if environment provides CSPRNG.\n  // If not, methods calling randombytes will throw.\n  if (crypto && crypto.getRandomValues) {\n    // Browsers and Node v16+\n    var QUOTA = 65536;\n    nacl.setPRNG(function(x, n) {\n      var i, v = new Uint8Array(n);\n      for (i = 0; i < n; i += QUOTA) {\n        crypto.getRandomValues(v.subarray(i, i + Math.min(n - i, QUOTA)));\n      }\n      for (i = 0; i < n; i++) x[i] = v[i];\n      cleanup(v);\n    });\n  }\n})();\n","// OpenPGP.js - An OpenPGP implementation in javascript\n// Copyright (C) 2015-2016 Decentral\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * Wrapper to an OID value\n *\n * {@link https://tools.ietf.org/html/rfc6637#section-11|RFC6637, section 11}:\n * The sequence of octets in the third column is the result of applying\n * the Distinguished Encoding Rules (DER) to the ASN.1 Object Identifier\n * with subsequent truncation.  The truncation removes the two fields of\n * encoded Object Identifier.  The first omitted field is one octet\n * representing the Object Identifier tag, and the second omitted field\n * is the length of the Object Identifier body.  For example, the\n * complete ASN.1 DER encoding for the NIST P-256 curve OID is \"06 08 2A\n * 86 48 CE 3D 03 01 07\", from which the first entry in the table above\n * is constructed by omitting the first two octets.  Only the truncated\n * sequence of octets is the valid representation of a curve OID.\n * @module type/oid\n */\n\nimport util from '../util';\nimport enums from '../enums';\n\nconst knownOIDs = {\n  '2a8648ce3d030107': enums.curve.nistP256,\n  '2b81040022': enums.curve.nistP384,\n  '2b81040023': enums.curve.nistP521,\n  '2b8104000a': enums.curve.secp256k1,\n  '2b06010401da470f01': enums.curve.ed25519Legacy,\n  '2b060104019755010501': enums.curve.curve25519Legacy,\n  '2b2403030208010107': enums.curve.brainpoolP256r1,\n  '2b240303020801010b': enums.curve.brainpoolP384r1,\n  '2b240303020801010d': enums.curve.brainpoolP512r1\n};\n\nclass OID {\n  constructor(oid) {\n    if (oid instanceof OID) {\n      this.oid = oid.oid;\n    } else if (util.isArray(oid) ||\n               util.isUint8Array(oid)) {\n      oid = new Uint8Array(oid);\n      if (oid[0] === 0x06) { // DER encoded oid byte array\n        if (oid[1] !== oid.length - 2) {\n          throw new Error('Length mismatch in DER encoded oid');\n        }\n        oid = oid.subarray(2);\n      }\n      this.oid = oid;\n    } else {\n      this.oid = '';\n    }\n  }\n\n  /**\n   * Method to read an OID object\n   * @param {Uint8Array} input - Where to read the OID from\n   * @returns {Number} Number of read bytes.\n   */\n  read(input) {\n    if (input.length >= 1) {\n      const length = input[0];\n      if (input.length >= 1 + length) {\n        this.oid = input.subarray(1, 1 + length);\n        return 1 + this.oid.length;\n      }\n    }\n    throw new Error('Invalid oid');\n  }\n\n  /**\n   * Serialize an OID object\n   * @returns {Uint8Array} Array with the serialized value the OID.\n   */\n  write() {\n    return util.concatUint8Array([new Uint8Array([this.oid.length]), this.oid]);\n  }\n\n  /**\n   * Serialize an OID object as a hex string\n   * @returns {string} String with the hex value of the OID.\n   */\n  toHex() {\n    return util.uint8ArrayToHex(this.oid);\n  }\n\n  /**\n   * If a known curve object identifier, return the canonical name of the curve\n   * @returns {enums.curve} String with the canonical name of the curve\n   * @throws if unknown\n   */\n  getName() {\n    const name = knownOIDs[this.toHex()];\n    if (!name) {\n      throw new Error('Unknown curve object identifier.');\n    }\n\n    return name;\n  }\n}\n\nexport default OID;\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * @fileoverview Functions for reading and writing packets\n * @module packet/packet\n */\n\nimport { ArrayStream, getWriter as streamGetWriter, getReader as streamGetReader } from '@openpgp/web-stream-tools';\nimport enums from '../enums';\nimport util from '../util';\n\nexport function readSimpleLength(bytes) {\n  let len = 0;\n  let offset;\n  const type = bytes[0];\n\n\n  if (type < 192) {\n    [len] = bytes;\n    offset = 1;\n  } else if (type < 255) {\n    len = ((bytes[0] - 192) << 8) + (bytes[1]) + 192;\n    offset = 2;\n  } else if (type === 255) {\n    len = util.readNumber(bytes.subarray(1, 1 + 4));\n    offset = 5;\n  }\n\n  return {\n    len: len,\n    offset: offset\n  };\n}\n\n/**\n * Encodes a given integer of length to the openpgp length specifier to a\n * string\n *\n * @param {Integer} length - The length to encode\n * @returns {Uint8Array} String with openpgp length representation.\n */\nexport function writeSimpleLength(length) {\n  if (length < 192) {\n    return new Uint8Array([length]);\n  } else if (length > 191 && length < 8384) {\n    /*\n      * let a = (total data packet length) - 192 let bc = two octet\n      * representation of a let d = b + 192\n      */\n    return new Uint8Array([((length - 192) >> 8) + 192, (length - 192) & 0xFF]);\n  }\n  return util.concatUint8Array([new Uint8Array([255]), util.writeNumber(length, 4)]);\n}\n\nexport function writePartialLength(power) {\n  if (power < 0 || power > 30) {\n    throw new Error('Partial Length power must be between 1 and 30');\n  }\n  return new Uint8Array([224 + power]);\n}\n\nexport function writeTag(tag_type) {\n  /* we're only generating v4 packet headers here */\n  return new Uint8Array([0xC0 | tag_type]);\n}\n\n/**\n * Writes a packet header version 4 with the given tag_type and length to a\n * string\n *\n * @param {Integer} tag_type - Tag type\n * @param {Integer} length - Length of the payload\n * @returns {String} String of the header.\n */\nexport function writeHeader(tag_type, length) {\n  /* we're only generating v4 packet headers here */\n  return util.concatUint8Array([writeTag(tag_type), writeSimpleLength(length)]);\n}\n\n/**\n * Whether the packet type supports partial lengths per RFC4880\n * @param {Integer} tag - Tag type\n * @returns {Boolean} String of the header.\n */\nexport function supportsStreaming(tag) {\n  return [\n    enums.packet.literalData,\n    enums.packet.compressedData,\n    enums.packet.symmetricallyEncryptedData,\n    enums.packet.symEncryptedIntegrityProtectedData,\n    enums.packet.aeadEncryptedData\n  ].includes(tag);\n}\n\n/**\n * Generic static Packet Parser function\n *\n * @param {Uint8Array | ReadableStream<Uint8Array>} input - Input stream as string\n * @param {Function} callback - Function to call with the parsed packet\n * @returns {Boolean} Returns false if the stream was empty and parsing is done, and true otherwise.\n */\nexport async function readPackets(input, callback) {\n  const reader = streamGetReader(input);\n  let writer;\n  let callbackReturned;\n  try {\n    const peekedBytes = await reader.peekBytes(2);\n    // some sanity checks\n    if (!peekedBytes || peekedBytes.length < 2 || (peekedBytes[0] & 0x80) === 0) {\n      throw new Error('Error during parsing. This message / key probably does not conform to a valid OpenPGP format.');\n    }\n    const headerByte = await reader.readByte();\n    let tag = -1;\n    let format = -1;\n    let packetLength;\n\n    format = 0; // 0 = old format; 1 = new format\n    if ((headerByte & 0x40) !== 0) {\n      format = 1;\n    }\n\n    let packetLengthType;\n    if (format) {\n      // new format header\n      tag = headerByte & 0x3F; // bit 5-0\n    } else {\n      // old format header\n      tag = (headerByte & 0x3F) >> 2; // bit 5-2\n      packetLengthType = headerByte & 0x03; // bit 1-0\n    }\n\n    const packetSupportsStreaming = supportsStreaming(tag);\n    let packet = null;\n    if (packetSupportsStreaming) {\n      if (util.isStream(input) === 'array') {\n        const arrayStream = new ArrayStream();\n        writer = streamGetWriter(arrayStream);\n        packet = arrayStream;\n      } else {\n        const transform = new TransformStream();\n        writer = streamGetWriter(transform.writable);\n        packet = transform.readable;\n      }\n      // eslint-disable-next-line callback-return\n      callbackReturned = callback({ tag, packet });\n    } else {\n      packet = [];\n    }\n\n    let wasPartialLength;\n    do {\n      if (!format) {\n        // 4.2.1. Old Format Packet Lengths\n        switch (packetLengthType) {\n          case 0:\n            // The packet has a one-octet length. The header is 2 octets\n            // long.\n            packetLength = await reader.readByte();\n            break;\n          case 1:\n            // The packet has a two-octet length. The header is 3 octets\n            // long.\n            packetLength = (await reader.readByte() << 8) | await reader.readByte();\n            break;\n          case 2:\n            // The packet has a four-octet length. The header is 5\n            // octets long.\n            packetLength = (await reader.readByte() << 24) | (await reader.readByte() << 16) | (await reader.readByte() <<\n              8) | await reader.readByte();\n            break;\n          default:\n            // 3 - The packet is of indeterminate length. The header is 1\n            // octet long, and the implementation must determine how long\n            // the packet is. If the packet is in a file, this means that\n            // the packet extends until the end of the file. In general,\n            // an implementation SHOULD NOT use indeterminate-length\n            // packets except where the end of the data will be clear\n            // from the context, and even then it is better to use a\n            // definite length, or a new format header. The new format\n            // headers described below have a mechanism for precisely\n            // encoding data of indeterminate length.\n            packetLength = Infinity;\n            break;\n        }\n      } else { // 4.2.2. New Format Packet Lengths\n        // 4.2.2.1. One-Octet Lengths\n        const lengthByte = await reader.readByte();\n        wasPartialLength = false;\n        if (lengthByte < 192) {\n          packetLength = lengthByte;\n          // 4.2.2.2. Two-Octet Lengths\n        } else if (lengthByte >= 192 && lengthByte < 224) {\n          packetLength = ((lengthByte - 192) << 8) + (await reader.readByte()) + 192;\n          // 4.2.2.4. Partial Body Lengths\n        } else if (lengthByte > 223 && lengthByte < 255) {\n          packetLength = 1 << (lengthByte & 0x1F);\n          wasPartialLength = true;\n          if (!packetSupportsStreaming) {\n            throw new TypeError('This packet type does not support partial lengths.');\n          }\n          // 4.2.2.3. Five-Octet Lengths\n        } else {\n          packetLength = (await reader.readByte() << 24) | (await reader.readByte() << 16) | (await reader.readByte() <<\n            8) | await reader.readByte();\n        }\n      }\n      if (packetLength > 0) {\n        let bytesRead = 0;\n        while (true) {\n          if (writer) await writer.ready;\n          const { done, value } = await reader.read();\n          if (done) {\n            if (packetLength === Infinity) break;\n            throw new Error('Unexpected end of packet');\n          }\n          const chunk = packetLength === Infinity ? value : value.subarray(0, packetLength - bytesRead);\n          if (writer) await writer.write(chunk);\n          else packet.push(chunk);\n          bytesRead += value.length;\n          if (bytesRead >= packetLength) {\n            reader.unshift(value.subarray(packetLength - bytesRead + value.length));\n            break;\n          }\n        }\n      }\n    } while (wasPartialLength);\n\n    // If this was not a packet that \"supports streaming\", we peek to check\n    // whether it is the last packet in the message. We peek 2 bytes instead\n    // of 1 because the beginning of this function also peeks 2 bytes, and we\n    // want to cut a `subarray` of the correct length into `web-stream-tools`'\n    // `externalBuffer` as a tiny optimization here.\n    //\n    // If it *was* a streaming packet (i.e. the data packets), we peek at the\n    // entire remainder of the stream, in order to forward errors in the\n    // remainder of the stream to the packet data. (Note that this means we\n    // read/peek at all signature packets before closing the literal data\n    // packet, for example.) This forwards MDC errors to the literal data\n    // stream, for example, so that they don't get lost / forgotten on\n    // decryptedMessage.packets.stream, which we never look at.\n    //\n    // An example of what we do when stream-parsing a message containing\n    // [ one-pass signature packet, literal data packet, signature packet ]:\n    // 1. Read the one-pass signature packet\n    // 2. Peek 2 bytes of the literal data packet\n    // 3. Parse the one-pass signature packet\n    //\n    // 4. Read the literal data packet, simultaneously stream-parsing it\n    // 5. Peek until the end of the message\n    // 6. Finish parsing the literal data packet\n    //\n    // 7. Read the signature packet again (we already peeked at it in step 5)\n    // 8. Peek at the end of the stream again (`peekBytes` returns undefined)\n    // 9. Parse the signature packet\n    //\n    // Note that this means that if there's an error in the very end of the\n    // stream, such as an MDC error, we throw in step 5 instead of in step 8\n    // (or never), which is the point of this exercise.\n    const nextPacket = await reader.peekBytes(packetSupportsStreaming ? Infinity : 2);\n    if (writer) {\n      await writer.ready;\n      await writer.close();\n    } else {\n      packet = util.concatUint8Array(packet);\n      // eslint-disable-next-line callback-return\n      await callback({ tag, packet });\n    }\n    return !nextPacket || !nextPacket.length;\n  } catch (e) {\n    if (writer) {\n      await writer.abort(e);\n      return true;\n    } else {\n      throw e;\n    }\n  } finally {\n    if (writer) {\n      await callbackReturned;\n    }\n    reader.releaseLock();\n  }\n}\n\nexport class UnsupportedError extends Error {\n  constructor(...params) {\n    super(...params);\n\n    if (Error.captureStackTrace) {\n      Error.captureStackTrace(this, UnsupportedError);\n    }\n\n    this.name = 'UnsupportedError';\n  }\n}\n\n// unknown packet types are handled differently depending on the packet criticality\nexport class UnknownPacketError extends UnsupportedError {\n  constructor(...params) {\n    super(...params);\n\n    if (Error.captureStackTrace) {\n      Error.captureStackTrace(this, UnsupportedError);\n    }\n\n    this.name = 'UnknownPacketError';\n  }\n}\n\nexport class UnparseablePacket {\n  constructor(tag, rawContent) {\n    this.tag = tag;\n    this.rawContent = rawContent;\n  }\n\n  write() {\n    return this.rawContent;\n  }\n}\n","// OpenPGP.js - An OpenPGP implementation in javascript\n// Copyright (C) 2018 Proton Technologies AG\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * @fileoverview Implementation of EdDSA following RFC4880bis-03 for OpenPGP\n * @module crypto/public_key/elliptic/eddsa\n */\n\nimport ed25519 from '@openpgp/tweetnacl';\nimport util from '../../../util';\nimport enums from '../../../enums';\nimport { getHashByteLength } from '../../hash';\nimport { getRandomBytes } from '../../random';\nimport { b64ToUint8Array, uint8ArrayToB64 } from '../../../encoding/base64';\n\n\n/**\n * Generate (non-legacy) EdDSA key\n * @param {module:enums.publicKey} algo - Algorithm identifier\n * @returns {Promise<{ A: Uint8Array, seed: Uint8Array }>}\n */\nexport async function generate(algo) {\n  switch (algo) {\n    case enums.publicKey.ed25519:\n      try {\n        const webCrypto = util.getWebCrypto();\n        const webCryptoKey = await webCrypto.generateKey('Ed25519', true, ['sign', 'verify']);\n\n        const privateKey = await webCrypto.exportKey('jwk', webCryptoKey.privateKey);\n        const publicKey = await webCrypto.exportKey('jwk', webCryptoKey.publicKey);\n\n        return {\n          A: new Uint8Array(b64ToUint8Array(publicKey.x)),\n          seed: b64ToUint8Array(privateKey.d, true)\n        };\n      } catch (err) {\n        if (err.name !== 'NotSupportedError' && err.name !== 'OperationError') { // Temporary (hopefully) fix for WebKit on Linux\n          throw err;\n        }\n        const seed = getRandomBytes(getPayloadSize(algo));\n        const { publicKey: A } = ed25519.sign.keyPair.fromSeed(seed);\n        return { A, seed };\n      }\n\n    case enums.publicKey.ed448: {\n      const ed448 = await util.getNobleCurve(enums.publicKey.ed448);\n      const seed = ed448.utils.randomPrivateKey();\n      const A = ed448.getPublicKey(seed);\n      return { A, seed };\n    }\n    default:\n      throw new Error('Unsupported EdDSA algorithm');\n  }\n}\n\n/**\n * Sign a message using the provided key\n * @param {module:enums.publicKey} algo - Algorithm identifier\n * @param {module:enums.hash} hashAlgo - Hash algorithm used to sign (must be sha256 or stronger)\n * @param {Uint8Array} message - Message to sign\n * @param {Uint8Array} publicKey - Public key\n * @param {Uint8Array} privateKey - Private key used to sign the message\n * @param {Uint8Array} hashed - The hashed message\n * @returns {Promise<{\n *   RS: Uint8Array\n * }>} Signature of the message\n * @async\n */\nexport async function sign(algo, hashAlgo, message, publicKey, privateKey, hashed) {\n  if (getHashByteLength(hashAlgo) < getHashByteLength(getPreferredHashAlgo(algo))) {\n    // Enforce digest sizes:\n    // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4\n    // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4\n    throw new Error('Hash algorithm too weak for EdDSA.');\n  }\n  switch (algo) {\n    case enums.publicKey.ed25519:\n      try {\n        const webCrypto = util.getWebCrypto();\n        const jwk = privateKeyToJWK(algo, publicKey, privateKey);\n        const key = await webCrypto.importKey('jwk', jwk, 'Ed25519', false, ['sign']);\n\n        const signature = new Uint8Array(\n          await webCrypto.sign('Ed25519', key, hashed)\n        );\n\n        return { RS: signature };\n      } catch (err) {\n        if (err.name !== 'NotSupportedError') {\n          throw err;\n        }\n        const secretKey = util.concatUint8Array([privateKey, publicKey]);\n        const signature = ed25519.sign.detached(hashed, secretKey);\n        return { RS: signature };\n      }\n\n    case enums.publicKey.ed448: {\n      const ed448 = await util.getNobleCurve(enums.publicKey.ed448);\n      const signature = ed448.sign(hashed, privateKey);\n      return { RS: signature };\n    }\n    default:\n      throw new Error('Unsupported EdDSA algorithm');\n  }\n\n}\n\n/**\n * Verifies if a signature is valid for a message\n * @param {module:enums.publicKey} algo - Algorithm identifier\n * @param {module:enums.hash} hashAlgo - Hash algorithm used in the signature\n * @param  {{ RS: Uint8Array }} signature Signature to verify the message\n * @param {Uint8Array} m - Message to verify\n * @param {Uint8Array} publicKey - Public key used to verify the message\n * @param {Uint8Array} hashed - The hashed message\n * @returns {Boolean}\n * @async\n */\nexport async function verify(algo, hashAlgo, { RS }, m, publicKey, hashed) {\n  if (getHashByteLength(hashAlgo) < getHashByteLength(getPreferredHashAlgo(algo))) {\n    // Enforce digest sizes:\n    // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4\n    // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4\n    throw new Error('Hash algorithm too weak for EdDSA.');\n  }\n  switch (algo) {\n    case enums.publicKey.ed25519:\n      try {\n        const webCrypto = util.getWebCrypto();\n        const jwk = publicKeyToJWK(algo, publicKey);\n        const key = await webCrypto.importKey('jwk', jwk, 'Ed25519', false, ['verify']);\n        const verified = await webCrypto.verify('Ed25519', key, RS, hashed);\n        return verified;\n      } catch (err) {\n        if (err.name !== 'NotSupportedError') {\n          throw err;\n        }\n        return ed25519.sign.detached.verify(hashed, RS, publicKey);\n      }\n\n    case enums.publicKey.ed448: {\n      const ed448 = await util.getNobleCurve(enums.publicKey.ed448);\n      return ed448.verify(RS, hashed, publicKey);\n    }\n    default:\n      throw new Error('Unsupported EdDSA algorithm');\n  }\n}\n/**\n * Validate (non-legacy) EdDSA parameters\n * @param {module:enums.publicKey} algo - Algorithm identifier\n * @param {Uint8Array} A - EdDSA public point\n * @param {Uint8Array} seed - EdDSA secret seed\n * @param {Uint8Array} oid - (legacy only) EdDSA OID\n * @returns {Promise<Boolean>} Whether params are valid.\n * @async\n */\nexport async function validateParams(algo, A, seed) {\n  switch (algo) {\n    case enums.publicKey.ed25519: {\n      /**\n       * Derive public point A' from private key\n       * and expect A == A'\n       * TODO: move to sign-verify using WebCrypto (same as ECDSA) when curve is more widely implemented\n       */\n      const { publicKey } = ed25519.sign.keyPair.fromSeed(seed);\n      return util.equalsUint8Array(A, publicKey);\n    }\n\n    case enums.publicKey.ed448: {\n      const ed448 = await util.getNobleCurve(enums.publicKey.ed448);\n\n      const publicKey = ed448.getPublicKey(seed);\n      return util.equalsUint8Array(A, publicKey);\n    }\n    default:\n      return false;\n  }\n}\n\nexport function getPayloadSize(algo) {\n  switch (algo) {\n    case enums.publicKey.ed25519:\n      return 32;\n\n    case enums.publicKey.ed448:\n      return 57;\n\n    default:\n      throw new Error('Unsupported EdDSA algorithm');\n  }\n}\n\nexport function getPreferredHashAlgo(algo) {\n  switch (algo) {\n    case enums.publicKey.ed25519:\n      return enums.hash.sha256;\n    case enums.publicKey.ed448:\n      return enums.hash.sha512;\n    default:\n      throw new Error('Unknown EdDSA algo');\n  }\n}\n\nconst publicKeyToJWK = (algo, publicKey) => {\n  switch (algo) {\n    case enums.publicKey.ed25519: {\n      const jwk = {\n        kty: 'OKP',\n        crv: 'Ed25519',\n        x: uint8ArrayToB64(publicKey, true),\n        ext: true\n      };\n      return jwk;\n    }\n    default:\n      throw new Error('Unsupported EdDSA algorithm');\n  }\n};\n\nconst privateKeyToJWK = (algo, publicKey, privateKey) => {\n  switch (algo) {\n    case enums.publicKey.ed25519: {\n      const jwk = publicKeyToJWK(algo, publicKey);\n      jwk.d = uint8ArrayToB64(privateKey, true);\n      return jwk;\n    }\n    default:\n      throw new Error('Unsupported EdDSA algorithm');\n  }\n};\n","function number(n) {\n    if (!Number.isSafeInteger(n) || n < 0)\n        throw new Error(`positive integer expected, not ${n}`);\n}\nfunction bool(b) {\n    if (typeof b !== 'boolean')\n        throw new Error(`boolean expected, not ${b}`);\n}\nexport function isBytes(a) {\n    return (a instanceof Uint8Array ||\n        (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array'));\n}\nfunction bytes(b, ...lengths) {\n    if (!isBytes(b))\n        throw new Error('Uint8Array expected');\n    if (lengths.length > 0 && !lengths.includes(b.length))\n        throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`);\n}\nfunction hash(hash) {\n    if (typeof hash !== 'function' || typeof hash.create !== 'function')\n        throw new Error('hash must be wrapped by utils.wrapConstructor');\n    number(hash.outputLen);\n    number(hash.blockLen);\n}\nfunction exists(instance, checkFinished = true) {\n    if (instance.destroyed)\n        throw new Error('Hash instance has been destroyed');\n    if (checkFinished && instance.finished)\n        throw new Error('Hash#digest() has already been called');\n}\nfunction output(out, instance) {\n    bytes(out);\n    const min = instance.outputLen;\n    if (out.length < min) {\n        throw new Error(`digestInto() expects output buffer of length at least ${min}`);\n    }\n}\nexport { number, bool, bytes, hash, exists, output };\nconst assert = { number, bool, bytes, hash, exists, output };\nexport default assert;\n//# sourceMappingURL=_assert.js.map","/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */\nimport { bytes as abytes, isBytes } from './_assert.js';\n// Cast array to different type\nexport const u8 = (arr) => new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength);\nexport const u16 = (arr) => new Uint16Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 2));\nexport const u32 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));\n// Cast array to view\nexport const createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength);\n// big-endian hardware is rare. Just in case someone still decides to run ciphers:\n// early-throw an error because we don't support BE yet.\nexport const isLE = new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44;\nif (!isLE)\n    throw new Error('Non little-endian hardware is not supported');\n// Array where index 0xf0 (240) is mapped to string 'f0'\nconst hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0'));\n/**\n * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'\n */\nexport function bytesToHex(bytes) {\n    abytes(bytes);\n    // pre-caching improves the speed 6x\n    let hex = '';\n    for (let i = 0; i < bytes.length; i++) {\n        hex += hexes[bytes[i]];\n    }\n    return hex;\n}\n// We use optimized technique to convert hex string to byte array\nconst asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 };\nfunction asciiToBase16(char) {\n    if (char >= asciis._0 && char <= asciis._9)\n        return char - asciis._0;\n    if (char >= asciis._A && char <= asciis._F)\n        return char - (asciis._A - 10);\n    if (char >= asciis._a && char <= asciis._f)\n        return char - (asciis._a - 10);\n    return;\n}\n/**\n * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])\n */\nexport function hexToBytes(hex) {\n    if (typeof hex !== 'string')\n        throw new Error('hex string expected, got ' + typeof hex);\n    const hl = hex.length;\n    const al = hl / 2;\n    if (hl % 2)\n        throw new Error('padded hex string expected, got unpadded hex of length ' + hl);\n    const array = new Uint8Array(al);\n    for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {\n        const n1 = asciiToBase16(hex.charCodeAt(hi));\n        const n2 = asciiToBase16(hex.charCodeAt(hi + 1));\n        if (n1 === undefined || n2 === undefined) {\n            const char = hex[hi] + hex[hi + 1];\n            throw new Error('hex string expected, got non-hex character \"' + char + '\" at index ' + hi);\n        }\n        array[ai] = n1 * 16 + n2;\n    }\n    return array;\n}\nexport function hexToNumber(hex) {\n    if (typeof hex !== 'string')\n        throw new Error('hex string expected, got ' + typeof hex);\n    // Big Endian\n    return BigInt(hex === '' ? '0' : `0x${hex}`);\n}\n// BE: Big Endian, LE: Little Endian\nexport function bytesToNumberBE(bytes) {\n    return hexToNumber(bytesToHex(bytes));\n}\nexport function numberToBytesBE(n, len) {\n    return hexToBytes(n.toString(16).padStart(len * 2, '0'));\n}\n// There is no setImmediate in browser and setTimeout is slow.\n// call of async fn will return Promise, which will be fullfiled only on\n// next scheduler queue processing step and this is exactly what we need.\nexport const nextTick = async () => { };\n// Returns control to thread each 'tick' ms to avoid blocking\nexport async function asyncLoop(iters, tick, cb) {\n    let ts = Date.now();\n    for (let i = 0; i < iters; i++) {\n        cb(i);\n        // Date.now() is not monotonic, so in case if clock goes backwards we return return control too\n        const diff = Date.now() - ts;\n        if (diff >= 0 && diff < tick)\n            continue;\n        await nextTick();\n        ts += diff;\n    }\n}\n/**\n * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])\n */\nexport function utf8ToBytes(str) {\n    if (typeof str !== 'string')\n        throw new Error(`string expected, got ${typeof str}`);\n    return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809\n}\n/**\n * @example bytesToUtf8(new Uint8Array([97, 98, 99])) // 'abc'\n */\nexport function bytesToUtf8(bytes) {\n    return new TextDecoder().decode(bytes);\n}\n/**\n * Normalizes (non-hex) string or Uint8Array to Uint8Array.\n * Warning: when Uint8Array is passed, it would NOT get copied.\n * Keep in mind for future mutable operations.\n */\nexport function toBytes(data) {\n    if (typeof data === 'string')\n        data = utf8ToBytes(data);\n    else if (isBytes(data))\n        data = copyBytes(data);\n    else\n        throw new Error(`Uint8Array expected, got ${typeof data}`);\n    return data;\n}\n/**\n * Copies several Uint8Arrays into one.\n */\nexport function concatBytes(...arrays) {\n    let sum = 0;\n    for (let i = 0; i < arrays.length; i++) {\n        const a = arrays[i];\n        abytes(a);\n        sum += a.length;\n    }\n    const res = new Uint8Array(sum);\n    for (let i = 0, pad = 0; i < arrays.length; i++) {\n        const a = arrays[i];\n        res.set(a, pad);\n        pad += a.length;\n    }\n    return res;\n}\nexport function checkOpts(defaults, opts) {\n    if (opts == null || typeof opts !== 'object')\n        throw new Error('options must be defined');\n    const merged = Object.assign(defaults, opts);\n    return merged;\n}\n// Compares 2 u8a-s in kinda constant time\nexport function equalBytes(a, b) {\n    if (a.length !== b.length)\n        return false;\n    let diff = 0;\n    for (let i = 0; i < a.length; i++)\n        diff |= a[i] ^ b[i];\n    return diff === 0;\n}\n// For runtime check if class implements interface\nexport class Hash {\n}\n/**\n * @__NO_SIDE_EFFECTS__\n */\nexport const wrapCipher = (params, c) => {\n    Object.assign(c, params);\n    return c;\n};\n// Polyfill for Safari 14\nexport function setBigUint64(view, byteOffset, value, isLE) {\n    if (typeof view.setBigUint64 === 'function')\n        return view.setBigUint64(byteOffset, value, isLE);\n    const _32n = BigInt(32);\n    const _u32_max = BigInt(0xffffffff);\n    const wh = Number((value >> _32n) & _u32_max);\n    const wl = Number(value & _u32_max);\n    const h = isLE ? 4 : 0;\n    const l = isLE ? 0 : 4;\n    view.setUint32(byteOffset + h, wh, isLE);\n    view.setUint32(byteOffset + l, wl, isLE);\n}\nexport function u64Lengths(ciphertext, AAD) {\n    const num = new Uint8Array(16);\n    const view = createView(num);\n    setBigUint64(view, 0, BigInt(AAD ? AAD.length : 0), true);\n    setBigUint64(view, 8, BigInt(ciphertext.length), true);\n    return num;\n}\n// Is byte array aligned to 4 byte offset (u32)?\nexport function isAligned32(bytes) {\n    return bytes.byteOffset % 4 === 0;\n}\n// copy bytes to new u8a (aligned). Because Buffer.slice is broken.\nexport function copyBytes(bytes) {\n    return Uint8Array.from(bytes);\n}\nexport function clean(...arrays) {\n    for (let i = 0; i < arrays.length; i++) {\n        arrays[i].fill(0);\n    }\n}\n//# sourceMappingURL=utils.js.map","import { bytes as abytes, exists as aexists, output as aoutput } from './_assert.js';\nimport { clean, copyBytes, createView, toBytes, u32 } from './utils.js';\n// GHash from AES-GCM and its little-endian \"mirror image\" Polyval from AES-SIV.\n// Implemented in terms of GHash with conversion function for keys\n// GCM GHASH from NIST SP800-38d, SIV from RFC 8452.\n// https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf\n// GHASH   modulo: x^128 + x^7   + x^2   + x     + 1\n// POLYVAL modulo: x^128 + x^127 + x^126 + x^121 + 1\nconst BLOCK_SIZE = 16;\n// TODO: rewrite\n// temporary padding buffer\nconst ZEROS16 = /* @__PURE__ */ new Uint8Array(16);\nconst ZEROS32 = u32(ZEROS16);\nconst POLY = 0xe1; // v = 2*v % POLY\n// v = 2*v % POLY\n// NOTE: because x + x = 0 (add/sub is same), mul2(x) != x+x\n// We can multiply any number using montgomery ladder and this function (works as double, add is simple xor)\nconst mul2 = (s0, s1, s2, s3) => {\n    const hiBit = s3 & 1;\n    return {\n        s3: (s2 << 31) | (s3 >>> 1),\n        s2: (s1 << 31) | (s2 >>> 1),\n        s1: (s0 << 31) | (s1 >>> 1),\n        s0: (s0 >>> 1) ^ ((POLY << 24) & -(hiBit & 1)), // reduce % poly\n    };\n};\nconst swapLE = (n) => (((n >>> 0) & 0xff) << 24) |\n    (((n >>> 8) & 0xff) << 16) |\n    (((n >>> 16) & 0xff) << 8) |\n    ((n >>> 24) & 0xff) |\n    0;\n/**\n * `mulX_POLYVAL(ByteReverse(H))` from spec\n * @param k mutated in place\n */\nexport function _toGHASHKey(k) {\n    k.reverse();\n    const hiBit = k[15] & 1;\n    // k >>= 1\n    let carry = 0;\n    for (let i = 0; i < k.length; i++) {\n        const t = k[i];\n        k[i] = (t >>> 1) | carry;\n        carry = (t & 1) << 7;\n    }\n    k[0] ^= -hiBit & 0xe1; // if (hiBit) n ^= 0xe1000000000000000000000000000000;\n    return k;\n}\nconst estimateWindow = (bytes) => {\n    if (bytes > 64 * 1024)\n        return 8;\n    if (bytes > 1024)\n        return 4;\n    return 2;\n};\nclass GHASH {\n    // We select bits per window adaptively based on expectedLength\n    constructor(key, expectedLength) {\n        this.blockLen = BLOCK_SIZE;\n        this.outputLen = BLOCK_SIZE;\n        this.s0 = 0;\n        this.s1 = 0;\n        this.s2 = 0;\n        this.s3 = 0;\n        this.finished = false;\n        key = toBytes(key);\n        abytes(key, 16);\n        const kView = createView(key);\n        let k0 = kView.getUint32(0, false);\n        let k1 = kView.getUint32(4, false);\n        let k2 = kView.getUint32(8, false);\n        let k3 = kView.getUint32(12, false);\n        // generate table of doubled keys (half of montgomery ladder)\n        const doubles = [];\n        for (let i = 0; i < 128; i++) {\n            doubles.push({ s0: swapLE(k0), s1: swapLE(k1), s2: swapLE(k2), s3: swapLE(k3) });\n            ({ s0: k0, s1: k1, s2: k2, s3: k3 } = mul2(k0, k1, k2, k3));\n        }\n        const W = estimateWindow(expectedLength || 1024);\n        if (![1, 2, 4, 8].includes(W))\n            throw new Error(`ghash: wrong window size=${W}, should be 2, 4 or 8`);\n        this.W = W;\n        const bits = 128; // always 128 bits;\n        const windows = bits / W;\n        const windowSize = (this.windowSize = 2 ** W);\n        const items = [];\n        // Create precompute table for window of W bits\n        for (let w = 0; w < windows; w++) {\n            // truth table: 00, 01, 10, 11\n            for (let byte = 0; byte < windowSize; byte++) {\n                // prettier-ignore\n                let s0 = 0, s1 = 0, s2 = 0, s3 = 0;\n                for (let j = 0; j < W; j++) {\n                    const bit = (byte >>> (W - j - 1)) & 1;\n                    if (!bit)\n                        continue;\n                    const { s0: d0, s1: d1, s2: d2, s3: d3 } = doubles[W * w + j];\n                    (s0 ^= d0), (s1 ^= d1), (s2 ^= d2), (s3 ^= d3);\n                }\n                items.push({ s0, s1, s2, s3 });\n            }\n        }\n        this.t = items;\n    }\n    _updateBlock(s0, s1, s2, s3) {\n        (s0 ^= this.s0), (s1 ^= this.s1), (s2 ^= this.s2), (s3 ^= this.s3);\n        const { W, t, windowSize } = this;\n        // prettier-ignore\n        let o0 = 0, o1 = 0, o2 = 0, o3 = 0;\n        const mask = (1 << W) - 1; // 2**W will kill performance.\n        let w = 0;\n        for (const num of [s0, s1, s2, s3]) {\n            for (let bytePos = 0; bytePos < 4; bytePos++) {\n                const byte = (num >>> (8 * bytePos)) & 0xff;\n                for (let bitPos = 8 / W - 1; bitPos >= 0; bitPos--) {\n                    const bit = (byte >>> (W * bitPos)) & mask;\n                    const { s0: e0, s1: e1, s2: e2, s3: e3 } = t[w * windowSize + bit];\n                    (o0 ^= e0), (o1 ^= e1), (o2 ^= e2), (o3 ^= e3);\n                    w += 1;\n                }\n            }\n        }\n        this.s0 = o0;\n        this.s1 = o1;\n        this.s2 = o2;\n        this.s3 = o3;\n    }\n    update(data) {\n        data = toBytes(data);\n        aexists(this);\n        const b32 = u32(data);\n        const blocks = Math.floor(data.length / BLOCK_SIZE);\n        const left = data.length % BLOCK_SIZE;\n        for (let i = 0; i < blocks; i++) {\n            this._updateBlock(b32[i * 4 + 0], b32[i * 4 + 1], b32[i * 4 + 2], b32[i * 4 + 3]);\n        }\n        if (left) {\n            ZEROS16.set(data.subarray(blocks * BLOCK_SIZE));\n            this._updateBlock(ZEROS32[0], ZEROS32[1], ZEROS32[2], ZEROS32[3]);\n            clean(ZEROS32); // clean tmp buffer\n        }\n        return this;\n    }\n    destroy() {\n        const { t } = this;\n        // clean precompute table\n        for (const elm of t) {\n            (elm.s0 = 0), (elm.s1 = 0), (elm.s2 = 0), (elm.s3 = 0);\n        }\n    }\n    digestInto(out) {\n        aexists(this);\n        aoutput(out, this);\n        this.finished = true;\n        const { s0, s1, s2, s3 } = this;\n        const o32 = u32(out);\n        o32[0] = s0;\n        o32[1] = s1;\n        o32[2] = s2;\n        o32[3] = s3;\n        return out;\n    }\n    digest() {\n        const res = new Uint8Array(BLOCK_SIZE);\n        this.digestInto(res);\n        this.destroy();\n        return res;\n    }\n}\nclass Polyval extends GHASH {\n    constructor(key, expectedLength) {\n        key = toBytes(key);\n        const ghKey = _toGHASHKey(copyBytes(key));\n        super(ghKey, expectedLength);\n        clean(ghKey);\n    }\n    update(data) {\n        data = toBytes(data);\n        aexists(this);\n        const b32 = u32(data);\n        const left = data.length % BLOCK_SIZE;\n        const blocks = Math.floor(data.length / BLOCK_SIZE);\n        for (let i = 0; i < blocks; i++) {\n            this._updateBlock(swapLE(b32[i * 4 + 3]), swapLE(b32[i * 4 + 2]), swapLE(b32[i * 4 + 1]), swapLE(b32[i * 4 + 0]));\n        }\n        if (left) {\n            ZEROS16.set(data.subarray(blocks * BLOCK_SIZE));\n            this._updateBlock(swapLE(ZEROS32[3]), swapLE(ZEROS32[2]), swapLE(ZEROS32[1]), swapLE(ZEROS32[0]));\n            clean(ZEROS32);\n        }\n        return this;\n    }\n    digestInto(out) {\n        aexists(this);\n        aoutput(out, this);\n        this.finished = true;\n        // tmp ugly hack\n        const { s0, s1, s2, s3 } = this;\n        const o32 = u32(out);\n        o32[0] = s0;\n        o32[1] = s1;\n        o32[2] = s2;\n        o32[3] = s3;\n        return out.reverse();\n    }\n}\nfunction wrapConstructorWithKey(hashCons) {\n    const hashC = (msg, key) => hashCons(key, msg.length).update(toBytes(msg)).digest();\n    const tmp = hashCons(new Uint8Array(16), 0);\n    hashC.outputLen = tmp.outputLen;\n    hashC.blockLen = tmp.blockLen;\n    hashC.create = (key, expectedLength) => hashCons(key, expectedLength);\n    return hashC;\n}\nexport const ghash = wrapConstructorWithKey((key, expectedLength) => new GHASH(key, expectedLength));\nexport const polyval = wrapConstructorWithKey((key, expectedLength) => new Polyval(key, expectedLength));\n//# sourceMappingURL=_polyval.js.map","// prettier-ignore\nimport { bytes as abytes } from './_assert.js';\nimport { ghash, polyval } from './_polyval.js';\nimport { clean, concatBytes, copyBytes, createView, equalBytes, isAligned32, setBigUint64, u32, u8, wrapCipher, } from './utils.js';\n/*\nAES (Advanced Encryption Standard) aka Rijndael block cipher.\n\nData is split into 128-bit blocks. Encrypted in 10/12/14 rounds (128/192/256 bits). In every round:\n1. **S-box**, table substitution\n2. **Shift rows**, cyclic shift left of all rows of data array\n3. **Mix columns**, multiplying every column by fixed polynomial\n4. **Add round key**, round_key xor i-th column of array\n\nResources:\n- FIPS-197 https://csrc.nist.gov/files/pubs/fips/197/final/docs/fips-197.pdf\n- Original proposal: https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf\n*/\nconst BLOCK_SIZE = 16;\nconst BLOCK_SIZE32 = 4;\nconst EMPTY_BLOCK = new Uint8Array(BLOCK_SIZE);\nconst POLY = 0x11b; // 1 + x + x**3 + x**4 + x**8\n// TODO: remove multiplication, binary ops only\nfunction mul2(n) {\n    return (n << 1) ^ (POLY & -(n >> 7));\n}\nfunction mul(a, b) {\n    let res = 0;\n    for (; b > 0; b >>= 1) {\n        // Montgomery ladder\n        res ^= a & -(b & 1); // if (b&1) res ^=a (but const-time).\n        a = mul2(a); // a = 2*a\n    }\n    return res;\n}\n// AES S-box is generated using finite field inversion,\n// an affine transform, and xor of a constant 0x63.\nconst sbox = /* @__PURE__ */ (() => {\n    const t = new Uint8Array(256);\n    for (let i = 0, x = 1; i < 256; i++, x ^= mul2(x))\n        t[i] = x;\n    const box = new Uint8Array(256);\n    box[0] = 0x63; // first elm\n    for (let i = 0; i < 255; i++) {\n        let x = t[255 - i];\n        x |= x << 8;\n        box[t[i]] = (x ^ (x >> 4) ^ (x >> 5) ^ (x >> 6) ^ (x >> 7) ^ 0x63) & 0xff;\n    }\n    clean(t);\n    return box;\n})();\n// Inverted S-box\nconst invSbox = /* @__PURE__ */ sbox.map((_, j) => sbox.indexOf(j));\n// Rotate u32 by 8\nconst rotr32_8 = (n) => (n << 24) | (n >>> 8);\nconst rotl32_8 = (n) => (n << 8) | (n >>> 24);\n// The byte swap operation for uint32 (LE<->BE)\nconst byteSwap = (word) => ((word << 24) & 0xff000000) |\n    ((word << 8) & 0xff0000) |\n    ((word >>> 8) & 0xff00) |\n    ((word >>> 24) & 0xff);\n// T-table is optimization suggested in 5.2 of original proposal (missed from FIPS-197). Changes:\n// - LE instead of BE\n// - bigger tables: T0 and T1 are merged into T01 table and T2 & T3 into T23;\n//   so index is u16, instead of u8. This speeds up things, unexpectedly\nfunction genTtable(sbox, fn) {\n    if (sbox.length !== 256)\n        throw new Error('Wrong sbox length');\n    const T0 = new Uint32Array(256).map((_, j) => fn(sbox[j]));\n    const T1 = T0.map(rotl32_8);\n    const T2 = T1.map(rotl32_8);\n    const T3 = T2.map(rotl32_8);\n    const T01 = new Uint32Array(256 * 256);\n    const T23 = new Uint32Array(256 * 256);\n    const sbox2 = new Uint16Array(256 * 256);\n    for (let i = 0; i < 256; i++) {\n        for (let j = 0; j < 256; j++) {\n            const idx = i * 256 + j;\n            T01[idx] = T0[i] ^ T1[j];\n            T23[idx] = T2[i] ^ T3[j];\n            sbox2[idx] = (sbox[i] << 8) | sbox[j];\n        }\n    }\n    return { sbox, sbox2, T0, T1, T2, T3, T01, T23 };\n}\nconst tableEncoding = /* @__PURE__ */ genTtable(sbox, (s) => (mul(s, 3) << 24) | (s << 16) | (s << 8) | mul(s, 2));\nconst tableDecoding = /* @__PURE__ */ genTtable(invSbox, (s) => (mul(s, 11) << 24) | (mul(s, 13) << 16) | (mul(s, 9) << 8) | mul(s, 14));\nconst xPowers = /* @__PURE__ */ (() => {\n    const p = new Uint8Array(16);\n    for (let i = 0, x = 1; i < 16; i++, x = mul2(x))\n        p[i] = x;\n    return p;\n})();\nexport function expandKeyLE(key) {\n    abytes(key);\n    const len = key.length;\n    if (![16, 24, 32].includes(len))\n        throw new Error(`aes: wrong key size: should be 16, 24 or 32, got: ${len}`);\n    const { sbox2 } = tableEncoding;\n    const toClean = [];\n    if (!isAligned32(key))\n        toClean.push((key = copyBytes(key)));\n    const k32 = u32(key);\n    const Nk = k32.length;\n    const subByte = (n) => applySbox(sbox2, n, n, n, n);\n    const xk = new Uint32Array(len + 28); // expanded key\n    xk.set(k32);\n    // 4.3.1 Key expansion\n    for (let i = Nk; i < xk.length; i++) {\n        let t = xk[i - 1];\n        if (i % Nk === 0)\n            t = subByte(rotr32_8(t)) ^ xPowers[i / Nk - 1];\n        else if (Nk > 6 && i % Nk === 4)\n            t = subByte(t);\n        xk[i] = xk[i - Nk] ^ t;\n    }\n    clean(...toClean);\n    return xk;\n}\nexport function expandKeyDecLE(key) {\n    const encKey = expandKeyLE(key);\n    const xk = encKey.slice();\n    const Nk = encKey.length;\n    const { sbox2 } = tableEncoding;\n    const { T0, T1, T2, T3 } = tableDecoding;\n    // Inverse key by chunks of 4 (rounds)\n    for (let i = 0; i < Nk; i += 4) {\n        for (let j = 0; j < 4; j++)\n            xk[i + j] = encKey[Nk - i - 4 + j];\n    }\n    clean(encKey);\n    // apply InvMixColumn except first & last round\n    for (let i = 4; i < Nk - 4; i++) {\n        const x = xk[i];\n        const w = applySbox(sbox2, x, x, x, x);\n        xk[i] = T0[w & 0xff] ^ T1[(w >>> 8) & 0xff] ^ T2[(w >>> 16) & 0xff] ^ T3[w >>> 24];\n    }\n    return xk;\n}\n// Apply tables\nfunction apply0123(T01, T23, s0, s1, s2, s3) {\n    return (T01[((s0 << 8) & 0xff00) | ((s1 >>> 8) & 0xff)] ^\n        T23[((s2 >>> 8) & 0xff00) | ((s3 >>> 24) & 0xff)]);\n}\nfunction applySbox(sbox2, s0, s1, s2, s3) {\n    return (sbox2[(s0 & 0xff) | (s1 & 0xff00)] |\n        (sbox2[((s2 >>> 16) & 0xff) | ((s3 >>> 16) & 0xff00)] << 16));\n}\nfunction encrypt(xk, s0, s1, s2, s3) {\n    const { sbox2, T01, T23 } = tableEncoding;\n    let k = 0;\n    (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]);\n    const rounds = xk.length / 4 - 2;\n    for (let i = 0; i < rounds; i++) {\n        const t0 = xk[k++] ^ apply0123(T01, T23, s0, s1, s2, s3);\n        const t1 = xk[k++] ^ apply0123(T01, T23, s1, s2, s3, s0);\n        const t2 = xk[k++] ^ apply0123(T01, T23, s2, s3, s0, s1);\n        const t3 = xk[k++] ^ apply0123(T01, T23, s3, s0, s1, s2);\n        (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3);\n    }\n    // last round (without mixcolumns, so using SBOX2 table)\n    const t0 = xk[k++] ^ applySbox(sbox2, s0, s1, s2, s3);\n    const t1 = xk[k++] ^ applySbox(sbox2, s1, s2, s3, s0);\n    const t2 = xk[k++] ^ applySbox(sbox2, s2, s3, s0, s1);\n    const t3 = xk[k++] ^ applySbox(sbox2, s3, s0, s1, s2);\n    return { s0: t0, s1: t1, s2: t2, s3: t3 };\n}\n// Can't be merged with encrypt: arg positions for apply0123 / applySbox are different\nfunction decrypt(xk, s0, s1, s2, s3) {\n    const { sbox2, T01, T23 } = tableDecoding;\n    let k = 0;\n    (s0 ^= xk[k++]), (s1 ^= xk[k++]), (s2 ^= xk[k++]), (s3 ^= xk[k++]);\n    const rounds = xk.length / 4 - 2;\n    for (let i = 0; i < rounds; i++) {\n        const t0 = xk[k++] ^ apply0123(T01, T23, s0, s3, s2, s1);\n        const t1 = xk[k++] ^ apply0123(T01, T23, s1, s0, s3, s2);\n        const t2 = xk[k++] ^ apply0123(T01, T23, s2, s1, s0, s3);\n        const t3 = xk[k++] ^ apply0123(T01, T23, s3, s2, s1, s0);\n        (s0 = t0), (s1 = t1), (s2 = t2), (s3 = t3);\n    }\n    // Last round\n    const t0 = xk[k++] ^ applySbox(sbox2, s0, s3, s2, s1);\n    const t1 = xk[k++] ^ applySbox(sbox2, s1, s0, s3, s2);\n    const t2 = xk[k++] ^ applySbox(sbox2, s2, s1, s0, s3);\n    const t3 = xk[k++] ^ applySbox(sbox2, s3, s2, s1, s0);\n    return { s0: t0, s1: t1, s2: t2, s3: t3 };\n}\nfunction getDst(len, dst) {\n    if (dst === undefined)\n        return new Uint8Array(len);\n    abytes(dst);\n    if (dst.length < len)\n        throw new Error(`aes: wrong destination length, expected at least ${len}, got: ${dst.length}`);\n    if (!isAligned32(dst))\n        throw new Error('unaligned dst');\n    return dst;\n}\n// TODO: investigate merging with ctr32\nfunction ctrCounter(xk, nonce, src, dst) {\n    abytes(nonce, BLOCK_SIZE);\n    abytes(src);\n    const srcLen = src.length;\n    dst = getDst(srcLen, dst);\n    const ctr = nonce;\n    const c32 = u32(ctr);\n    // Fill block (empty, ctr=0)\n    let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]);\n    const src32 = u32(src);\n    const dst32 = u32(dst);\n    // process blocks\n    for (let i = 0; i + 4 <= src32.length; i += 4) {\n        dst32[i + 0] = src32[i + 0] ^ s0;\n        dst32[i + 1] = src32[i + 1] ^ s1;\n        dst32[i + 2] = src32[i + 2] ^ s2;\n        dst32[i + 3] = src32[i + 3] ^ s3;\n        // Full 128 bit counter with wrap around\n        let carry = 1;\n        for (let i = ctr.length - 1; i >= 0; i--) {\n            carry = (carry + (ctr[i] & 0xff)) | 0;\n            ctr[i] = carry & 0xff;\n            carry >>>= 8;\n        }\n        ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]));\n    }\n    // leftovers (less than block)\n    // It's possible to handle > u32 fast, but is it worth it?\n    const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32);\n    if (start < srcLen) {\n        const b32 = new Uint32Array([s0, s1, s2, s3]);\n        const buf = u8(b32);\n        for (let i = start, pos = 0; i < srcLen; i++, pos++)\n            dst[i] = src[i] ^ buf[pos];\n        clean(b32);\n    }\n    return dst;\n}\n// AES CTR with overflowing 32 bit counter\n// It's possible to do 32le significantly simpler (and probably faster) by using u32.\n// But, we need both, and perf bottleneck is in ghash anyway.\nfunction ctr32(xk, isLE, nonce, src, dst) {\n    abytes(nonce, BLOCK_SIZE);\n    abytes(src);\n    dst = getDst(src.length, dst);\n    const ctr = nonce; // write new value to nonce, so it can be re-used\n    const c32 = u32(ctr);\n    const view = createView(ctr);\n    const src32 = u32(src);\n    const dst32 = u32(dst);\n    const ctrPos = isLE ? 0 : 12;\n    const srcLen = src.length;\n    // Fill block (empty, ctr=0)\n    let ctrNum = view.getUint32(ctrPos, isLE); // read current counter value\n    let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]);\n    // process blocks\n    for (let i = 0; i + 4 <= src32.length; i += 4) {\n        dst32[i + 0] = src32[i + 0] ^ s0;\n        dst32[i + 1] = src32[i + 1] ^ s1;\n        dst32[i + 2] = src32[i + 2] ^ s2;\n        dst32[i + 3] = src32[i + 3] ^ s3;\n        ctrNum = (ctrNum + 1) >>> 0; // u32 wrap\n        view.setUint32(ctrPos, ctrNum, isLE);\n        ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]));\n    }\n    // leftovers (less than a block)\n    const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32);\n    if (start < srcLen) {\n        const b32 = new Uint32Array([s0, s1, s2, s3]);\n        const buf = u8(b32);\n        for (let i = start, pos = 0; i < srcLen; i++, pos++)\n            dst[i] = src[i] ^ buf[pos];\n        clean(b32);\n    }\n    return dst;\n}\n/**\n * CTR: counter mode. Creates stream cipher.\n * Requires good IV. Parallelizable. OK, but no MAC.\n */\nexport const ctr = wrapCipher({ blockSize: 16, nonceLength: 16 }, function ctr(key, nonce) {\n    abytes(key);\n    abytes(nonce, BLOCK_SIZE);\n    function processCtr(buf, dst) {\n        abytes(buf);\n        if (dst !== undefined) {\n            abytes(dst);\n            if (!isAligned32(dst))\n                throw new Error('unaligned destination');\n        }\n        const xk = expandKeyLE(key);\n        const n = copyBytes(nonce); // align + avoid changing\n        const toClean = [xk, n];\n        if (!isAligned32(buf))\n            toClean.push((buf = copyBytes(buf)));\n        const out = ctrCounter(xk, n, buf, dst);\n        clean(...toClean);\n        return out;\n    }\n    return {\n        encrypt: (plaintext, dst) => processCtr(plaintext, dst),\n        decrypt: (ciphertext, dst) => processCtr(ciphertext, dst),\n    };\n});\nfunction validateBlockDecrypt(data) {\n    abytes(data);\n    if (data.length % BLOCK_SIZE !== 0) {\n        throw new Error(`aes/(cbc-ecb).decrypt ciphertext should consist of blocks with size ${BLOCK_SIZE}`);\n    }\n}\nfunction validateBlockEncrypt(plaintext, pcks5, dst) {\n    abytes(plaintext);\n    let outLen = plaintext.length;\n    const remaining = outLen % BLOCK_SIZE;\n    if (!pcks5 && remaining !== 0)\n        throw new Error('aec/(cbc-ecb): unpadded plaintext with disabled padding');\n    if (!isAligned32(plaintext))\n        plaintext = copyBytes(plaintext);\n    const b = u32(plaintext);\n    if (pcks5) {\n        let left = BLOCK_SIZE - remaining;\n        if (!left)\n            left = BLOCK_SIZE; // if no bytes left, create empty padding block\n        outLen = outLen + left;\n    }\n    const out = getDst(outLen, dst);\n    const o = u32(out);\n    return { b, o, out };\n}\nfunction validatePCKS(data, pcks5) {\n    if (!pcks5)\n        return data;\n    const len = data.length;\n    if (!len)\n        throw new Error('aes/pcks5: empty ciphertext not allowed');\n    const lastByte = data[len - 1];\n    if (lastByte <= 0 || lastByte > 16)\n        throw new Error('aes/pcks5: wrong padding');\n    const out = data.subarray(0, -lastByte);\n    for (let i = 0; i < lastByte; i++)\n        if (data[len - i - 1] !== lastByte)\n            throw new Error('aes/pcks5: wrong padding');\n    return out;\n}\nfunction padPCKS(left) {\n    const tmp = new Uint8Array(16);\n    const tmp32 = u32(tmp);\n    tmp.set(left);\n    const paddingByte = BLOCK_SIZE - left.length;\n    for (let i = BLOCK_SIZE - paddingByte; i < BLOCK_SIZE; i++)\n        tmp[i] = paddingByte;\n    return tmp32;\n}\n/**\n * ECB: Electronic CodeBook. Simple deterministic replacement.\n * Dangerous: always map x to y. See [AES Penguin](https://words.filippo.io/the-ecb-penguin/).\n */\nexport const ecb = wrapCipher({ blockSize: 16 }, function ecb(key, opts = {}) {\n    abytes(key);\n    const pcks5 = !opts.disablePadding;\n    return {\n        encrypt(plaintext, dst) {\n            const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst);\n            const xk = expandKeyLE(key);\n            let i = 0;\n            for (; i + 4 <= b.length;) {\n                const { s0, s1, s2, s3 } = encrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]);\n                (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);\n            }\n            if (pcks5) {\n                const tmp32 = padPCKS(plaintext.subarray(i * 4));\n                const { s0, s1, s2, s3 } = encrypt(xk, tmp32[0], tmp32[1], tmp32[2], tmp32[3]);\n                (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);\n            }\n            clean(xk);\n            return _out;\n        },\n        decrypt(ciphertext, dst) {\n            validateBlockDecrypt(ciphertext);\n            const xk = expandKeyDecLE(key);\n            const out = getDst(ciphertext.length, dst);\n            const toClean = [xk];\n            if (!isAligned32(ciphertext))\n                toClean.push((ciphertext = copyBytes(ciphertext)));\n            const b = u32(ciphertext);\n            const o = u32(out);\n            for (let i = 0; i + 4 <= b.length;) {\n                const { s0, s1, s2, s3 } = decrypt(xk, b[i + 0], b[i + 1], b[i + 2], b[i + 3]);\n                (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);\n            }\n            clean(...toClean);\n            return validatePCKS(out, pcks5);\n        },\n    };\n});\n/**\n * CBC: Cipher-Block-Chaining. Key is previous round’s block.\n * Fragile: needs proper padding. Unauthenticated: needs MAC.\n */\nexport const cbc = wrapCipher({ blockSize: 16, nonceLength: 16 }, function cbc(key, iv, opts = {}) {\n    abytes(key);\n    abytes(iv, 16);\n    const pcks5 = !opts.disablePadding;\n    return {\n        encrypt(plaintext, dst) {\n            const xk = expandKeyLE(key);\n            const { b, o, out: _out } = validateBlockEncrypt(plaintext, pcks5, dst);\n            let _iv = iv;\n            const toClean = [xk];\n            if (!isAligned32(_iv))\n                toClean.push((_iv = copyBytes(_iv)));\n            const n32 = u32(_iv);\n            // prettier-ignore\n            let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3];\n            let i = 0;\n            for (; i + 4 <= b.length;) {\n                (s0 ^= b[i + 0]), (s1 ^= b[i + 1]), (s2 ^= b[i + 2]), (s3 ^= b[i + 3]);\n                ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3));\n                (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);\n            }\n            if (pcks5) {\n                const tmp32 = padPCKS(plaintext.subarray(i * 4));\n                (s0 ^= tmp32[0]), (s1 ^= tmp32[1]), (s2 ^= tmp32[2]), (s3 ^= tmp32[3]);\n                ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3));\n                (o[i++] = s0), (o[i++] = s1), (o[i++] = s2), (o[i++] = s3);\n            }\n            clean(...toClean);\n            return _out;\n        },\n        decrypt(ciphertext, dst) {\n            validateBlockDecrypt(ciphertext);\n            const xk = expandKeyDecLE(key);\n            let _iv = iv;\n            const toClean = [xk];\n            if (!isAligned32(_iv))\n                toClean.push((_iv = copyBytes(_iv)));\n            const n32 = u32(_iv);\n            const out = getDst(ciphertext.length, dst);\n            if (!isAligned32(ciphertext))\n                toClean.push((ciphertext = copyBytes(ciphertext)));\n            const b = u32(ciphertext);\n            const o = u32(out);\n            // prettier-ignore\n            let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3];\n            for (let i = 0; i + 4 <= b.length;) {\n                // prettier-ignore\n                const ps0 = s0, ps1 = s1, ps2 = s2, ps3 = s3;\n                (s0 = b[i + 0]), (s1 = b[i + 1]), (s2 = b[i + 2]), (s3 = b[i + 3]);\n                const { s0: o0, s1: o1, s2: o2, s3: o3 } = decrypt(xk, s0, s1, s2, s3);\n                (o[i++] = o0 ^ ps0), (o[i++] = o1 ^ ps1), (o[i++] = o2 ^ ps2), (o[i++] = o3 ^ ps3);\n            }\n            clean(...toClean);\n            return validatePCKS(out, pcks5);\n        },\n    };\n});\n/**\n * CFB: Cipher Feedback Mode. The input for the block cipher is the previous cipher output.\n * Unauthenticated: needs MAC.\n */\nexport const cfb = wrapCipher({ blockSize: 16, nonceLength: 16 }, function cfb(key, iv) {\n    abytes(key);\n    abytes(iv, 16);\n    function processCfb(src, isEncrypt, dst) {\n        abytes(src);\n        const srcLen = src.length;\n        dst = getDst(srcLen, dst);\n        const xk = expandKeyLE(key);\n        let _iv = iv;\n        const toClean = [xk];\n        if (!isAligned32(_iv))\n            toClean.push((_iv = copyBytes(_iv)));\n        if (!isAligned32(src))\n            toClean.push((src = copyBytes(src)));\n        const src32 = u32(src);\n        const dst32 = u32(dst);\n        const next32 = isEncrypt ? dst32 : src32;\n        const n32 = u32(_iv);\n        // prettier-ignore\n        let s0 = n32[0], s1 = n32[1], s2 = n32[2], s3 = n32[3];\n        for (let i = 0; i + 4 <= src32.length;) {\n            const { s0: e0, s1: e1, s2: e2, s3: e3 } = encrypt(xk, s0, s1, s2, s3);\n            dst32[i + 0] = src32[i + 0] ^ e0;\n            dst32[i + 1] = src32[i + 1] ^ e1;\n            dst32[i + 2] = src32[i + 2] ^ e2;\n            dst32[i + 3] = src32[i + 3] ^ e3;\n            (s0 = next32[i++]), (s1 = next32[i++]), (s2 = next32[i++]), (s3 = next32[i++]);\n        }\n        // leftovers (less than block)\n        const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32);\n        if (start < srcLen) {\n            ({ s0, s1, s2, s3 } = encrypt(xk, s0, s1, s2, s3));\n            const buf = u8(new Uint32Array([s0, s1, s2, s3]));\n            for (let i = start, pos = 0; i < srcLen; i++, pos++)\n                dst[i] = src[i] ^ buf[pos];\n            clean(buf);\n        }\n        clean(...toClean);\n        return dst;\n    }\n    return {\n        encrypt: (plaintext, dst) => processCfb(plaintext, true, dst),\n        decrypt: (ciphertext, dst) => processCfb(ciphertext, false, dst),\n    };\n});\n// TODO: merge with chacha, however gcm has bitLen while chacha has byteLen\nfunction computeTag(fn, isLE, key, data, AAD) {\n    const aadLength = AAD == null ? 0 : AAD.length;\n    const h = fn.create(key, data.length + aadLength);\n    if (AAD)\n        h.update(AAD);\n    h.update(data);\n    const num = new Uint8Array(16);\n    const view = createView(num);\n    if (AAD)\n        setBigUint64(view, 0, BigInt(aadLength * 8), isLE);\n    setBigUint64(view, 8, BigInt(data.length * 8), isLE);\n    h.update(num);\n    const res = h.digest();\n    clean(num);\n    return res;\n}\n/**\n * GCM: Galois/Counter Mode.\n * Modern, parallel version of CTR, with MAC.\n * Be careful: MACs can be forged.\n * Unsafe to use random nonces under the same key, due to collision chance.\n * As for nonce size, prefer 12-byte, instead of 8-byte.\n */\nexport const gcm = wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function gcm(key, nonce, AAD) {\n    abytes(key);\n    abytes(nonce);\n    if (AAD !== undefined)\n        abytes(AAD);\n    // NIST 800-38d doesn't enforce minimum nonce length.\n    // We enforce 8 bytes for compat with openssl.\n    // 12 bytes are recommended. More than 12 bytes would be converted into 12.\n    if (nonce.length < 8)\n        throw new Error('aes/gcm: invalid nonce length');\n    const tagLength = 16;\n    function _computeTag(authKey, tagMask, data) {\n        const tag = computeTag(ghash, false, authKey, data, AAD);\n        for (let i = 0; i < tagMask.length; i++)\n            tag[i] ^= tagMask[i];\n        return tag;\n    }\n    function deriveKeys() {\n        const xk = expandKeyLE(key);\n        const authKey = EMPTY_BLOCK.slice();\n        const counter = EMPTY_BLOCK.slice();\n        ctr32(xk, false, counter, counter, authKey);\n        // NIST 800-38d, page 15: different behavior for 96-bit and non-96-bit nonces\n        if (nonce.length === 12) {\n            counter.set(nonce);\n        }\n        else {\n            const nonceLen = EMPTY_BLOCK.slice();\n            const view = createView(nonceLen);\n            setBigUint64(view, 8, BigInt(nonce.length * 8), false);\n            // ghash(nonce || u64be(0) || u64be(nonceLen*8))\n            const g = ghash.create(authKey).update(nonce).update(nonceLen);\n            g.digestInto(counter); // digestInto doesn't trigger '.destroy'\n            g.destroy();\n        }\n        const tagMask = ctr32(xk, false, counter, EMPTY_BLOCK);\n        return { xk, authKey, counter, tagMask };\n    }\n    return {\n        encrypt(plaintext) {\n            abytes(plaintext);\n            const { xk, authKey, counter, tagMask } = deriveKeys();\n            const out = new Uint8Array(plaintext.length + tagLength);\n            const toClean = [xk, authKey, counter, tagMask];\n            if (!isAligned32(plaintext))\n                toClean.push((plaintext = copyBytes(plaintext)));\n            ctr32(xk, false, counter, plaintext, out);\n            const tag = _computeTag(authKey, tagMask, out.subarray(0, out.length - tagLength));\n            toClean.push(tag);\n            out.set(tag, plaintext.length);\n            clean(...toClean);\n            return out;\n        },\n        decrypt(ciphertext) {\n            abytes(ciphertext);\n            if (ciphertext.length < tagLength)\n                throw new Error(`aes/gcm: ciphertext less than tagLen (${tagLength})`);\n            const { xk, authKey, counter, tagMask } = deriveKeys();\n            const toClean = [xk, authKey, tagMask, counter];\n            if (!isAligned32(ciphertext))\n                toClean.push((ciphertext = copyBytes(ciphertext)));\n            const data = ciphertext.subarray(0, -tagLength);\n            const passedTag = ciphertext.subarray(-tagLength);\n            const tag = _computeTag(authKey, tagMask, data);\n            toClean.push(tag);\n            if (!equalBytes(tag, passedTag))\n                throw new Error('aes/gcm: invalid ghash tag');\n            const out = ctr32(xk, false, counter, data);\n            clean(...toClean);\n            return out;\n        },\n    };\n});\nconst limit = (name, min, max) => (value) => {\n    if (!Number.isSafeInteger(value) || min > value || value > max)\n        throw new Error(`${name}: invalid value=${value}, must be [${min}..${max}]`);\n};\n/**\n * AES-GCM-SIV: classic AES-GCM with nonce-misuse resistance.\n * Guarantees that, when a nonce is repeated, the only security loss is that identical\n * plaintexts will produce identical ciphertexts.\n * RFC 8452, https://datatracker.ietf.org/doc/html/rfc8452\n */\nexport const siv = wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function siv(key, nonce, AAD) {\n    const tagLength = 16;\n    // From RFC 8452: Section 6\n    const AAD_LIMIT = limit('AAD', 0, 2 ** 36);\n    const PLAIN_LIMIT = limit('plaintext', 0, 2 ** 36);\n    const NONCE_LIMIT = limit('nonce', 12, 12);\n    const CIPHER_LIMIT = limit('ciphertext', 16, 2 ** 36 + 16);\n    abytes(key, 16, 24, 32);\n    abytes(nonce);\n    NONCE_LIMIT(nonce.length);\n    if (AAD !== undefined) {\n        abytes(AAD);\n        AAD_LIMIT(AAD.length);\n    }\n    function deriveKeys() {\n        const xk = expandKeyLE(key);\n        const encKey = new Uint8Array(key.length);\n        const authKey = new Uint8Array(16);\n        const toClean = [xk, encKey];\n        let _nonce = nonce;\n        if (!isAligned32(_nonce))\n            toClean.push((_nonce = copyBytes(_nonce)));\n        const n32 = u32(_nonce);\n        // prettier-ignore\n        let s0 = 0, s1 = n32[0], s2 = n32[1], s3 = n32[2];\n        let counter = 0;\n        for (const derivedKey of [authKey, encKey].map(u32)) {\n            const d32 = u32(derivedKey);\n            for (let i = 0; i < d32.length; i += 2) {\n                // aes(u32le(0) || nonce)[:8] || aes(u32le(1) || nonce)[:8] ...\n                const { s0: o0, s1: o1 } = encrypt(xk, s0, s1, s2, s3);\n                d32[i + 0] = o0;\n                d32[i + 1] = o1;\n                s0 = ++counter; // increment counter inside state\n            }\n        }\n        const res = { authKey, encKey: expandKeyLE(encKey) };\n        // Cleanup\n        clean(...toClean);\n        return res;\n    }\n    function _computeTag(encKey, authKey, data) {\n        const tag = computeTag(polyval, true, authKey, data, AAD);\n        // Compute the expected tag by XORing S_s and the nonce, clearing the\n        // most significant bit of the last byte and encrypting with the\n        // message-encryption key.\n        for (let i = 0; i < 12; i++)\n            tag[i] ^= nonce[i];\n        tag[15] &= 0x7f; // Clear the highest bit\n        // encrypt tag as block\n        const t32 = u32(tag);\n        // prettier-ignore\n        let s0 = t32[0], s1 = t32[1], s2 = t32[2], s3 = t32[3];\n        ({ s0, s1, s2, s3 } = encrypt(encKey, s0, s1, s2, s3));\n        (t32[0] = s0), (t32[1] = s1), (t32[2] = s2), (t32[3] = s3);\n        return tag;\n    }\n    // actual decrypt/encrypt of message.\n    function processSiv(encKey, tag, input) {\n        let block = copyBytes(tag);\n        block[15] |= 0x80; // Force highest bit\n        const res = ctr32(encKey, true, block, input);\n        // Cleanup\n        clean(block);\n        return res;\n    }\n    return {\n        encrypt(plaintext) {\n            abytes(plaintext);\n            PLAIN_LIMIT(plaintext.length);\n            const { encKey, authKey } = deriveKeys();\n            const tag = _computeTag(encKey, authKey, plaintext);\n            const toClean = [encKey, authKey, tag];\n            if (!isAligned32(plaintext))\n                toClean.push((plaintext = copyBytes(plaintext)));\n            const out = new Uint8Array(plaintext.length + tagLength);\n            out.set(tag, plaintext.length);\n            out.set(processSiv(encKey, tag, plaintext));\n            // Cleanup\n            clean(...toClean);\n            return out;\n        },\n        decrypt(ciphertext) {\n            abytes(ciphertext);\n            CIPHER_LIMIT(ciphertext.length);\n            const tag = ciphertext.subarray(-tagLength);\n            const { encKey, authKey } = deriveKeys();\n            const toClean = [encKey, authKey];\n            if (!isAligned32(ciphertext))\n                toClean.push((ciphertext = copyBytes(ciphertext)));\n            const plaintext = processSiv(encKey, tag, ciphertext.subarray(0, -tagLength));\n            const expectedTag = _computeTag(encKey, authKey, plaintext);\n            toClean.push(expectedTag);\n            if (!equalBytes(tag, expectedTag)) {\n                clean(...toClean);\n                throw new Error('invalid polyval tag');\n            }\n            // Cleanup\n            clean(...toClean);\n            return plaintext;\n        },\n    };\n});\nfunction isBytes32(a) {\n    return (a != null &&\n        typeof a === 'object' &&\n        (a instanceof Uint32Array || a.constructor.name === 'Uint32Array'));\n}\nfunction encryptBlock(xk, block) {\n    abytes(block, 16);\n    if (!isBytes32(xk))\n        throw new Error('_encryptBlock accepts result of expandKeyLE');\n    const b32 = u32(block);\n    let { s0, s1, s2, s3 } = encrypt(xk, b32[0], b32[1], b32[2], b32[3]);\n    (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3);\n    return block;\n}\nfunction decryptBlock(xk, block) {\n    abytes(block, 16);\n    if (!isBytes32(xk))\n        throw new Error('_decryptBlock accepts result of expandKeyLE');\n    const b32 = u32(block);\n    let { s0, s1, s2, s3 } = decrypt(xk, b32[0], b32[1], b32[2], b32[3]);\n    (b32[0] = s0), (b32[1] = s1), (b32[2] = s2), (b32[3] = s3);\n    return block;\n}\n/**\n * AES-W (base for AESKW/AESKWP).\n * Specs: [SP800-38F](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf),\n * [RFC 3394](https://datatracker.ietf.org/doc/rfc3394/),\n * [RFC 5649](https://datatracker.ietf.org/doc/rfc5649/).\n */\nconst AESW = {\n    /*\n    High-level pseudocode:\n    ```\n    A: u64 = IV\n    out = []\n    for (let i=0, ctr = 0; i<6; i++) {\n      for (const chunk of chunks(plaintext, 8)) {\n        A ^= swapEndianess(ctr++)\n        [A, res] = chunks(encrypt(A || chunk), 8);\n        out ||= res\n      }\n    }\n    out = A || out\n    ```\n    Decrypt is the same, but reversed.\n    */\n    encrypt(kek, out) {\n        // Size is limited to 4GB, otherwise ctr will overflow and we'll need to switch to bigints.\n        // If you need it larger, open an issue.\n        if (out.length >= 2 ** 32)\n            throw new Error('plaintext should be less than 4gb');\n        const xk = expandKeyLE(kek);\n        if (out.length === 16)\n            encryptBlock(xk, out);\n        else {\n            const o32 = u32(out);\n            // prettier-ignore\n            let a0 = o32[0], a1 = o32[1]; // A\n            for (let j = 0, ctr = 1; j < 6; j++) {\n                for (let pos = 2; pos < o32.length; pos += 2, ctr++) {\n                    const { s0, s1, s2, s3 } = encrypt(xk, a0, a1, o32[pos], o32[pos + 1]);\n                    // A = MSB(64, B) ^ t where t = (n*j)+i\n                    (a0 = s0), (a1 = s1 ^ byteSwap(ctr)), (o32[pos] = s2), (o32[pos + 1] = s3);\n                }\n            }\n            (o32[0] = a0), (o32[1] = a1); // out = A || out\n        }\n        xk.fill(0);\n    },\n    decrypt(kek, out) {\n        if (out.length - 8 >= 2 ** 32)\n            throw new Error('ciphertext should be less than 4gb');\n        const xk = expandKeyDecLE(kek);\n        const chunks = out.length / 8 - 1; // first chunk is IV\n        if (chunks === 1)\n            decryptBlock(xk, out);\n        else {\n            const o32 = u32(out);\n            // prettier-ignore\n            let a0 = o32[0], a1 = o32[1]; // A\n            for (let j = 0, ctr = chunks * 6; j < 6; j++) {\n                for (let pos = chunks * 2; pos >= 1; pos -= 2, ctr--) {\n                    a1 ^= byteSwap(ctr);\n                    const { s0, s1, s2, s3 } = decrypt(xk, a0, a1, o32[pos], o32[pos + 1]);\n                    (a0 = s0), (a1 = s1), (o32[pos] = s2), (o32[pos + 1] = s3);\n                }\n            }\n            (o32[0] = a0), (o32[1] = a1);\n        }\n        xk.fill(0);\n    },\n};\nconst AESKW_IV = new Uint8Array(8).fill(0xa6); // A6A6A6A6A6A6A6A6\n/**\n * AES-KW (key-wrap). Injects static IV into plaintext, adds counter, encrypts 6 times.\n * Reduces block size from 16 to 8 bytes.\n * For padded version, use aeskwp.\n * [RFC 3394](https://datatracker.ietf.org/doc/rfc3394/),\n * [NIST.SP.800-38F](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf).\n */\nexport const aeskw = wrapCipher({ blockSize: 8 }, (kek) => ({\n    encrypt(plaintext) {\n        abytes(plaintext);\n        if (!plaintext.length || plaintext.length % 8 !== 0)\n            throw new Error('invalid plaintext length');\n        if (plaintext.length === 8)\n            throw new Error('8-byte keys not allowed in AESKW, use AESKWP instead');\n        const out = concatBytes(AESKW_IV, plaintext);\n        AESW.encrypt(kek, out);\n        return out;\n    },\n    decrypt(ciphertext) {\n        abytes(ciphertext);\n        // ciphertext must be at least 24 bytes and a multiple of 8 bytes\n        // 24 because should have at least two block (1 iv + 2).\n        // Replace with 16 to enable '8-byte keys'\n        if (ciphertext.length % 8 !== 0 || ciphertext.length < 3 * 8)\n            throw new Error('invalid ciphertext length');\n        const out = copyBytes(ciphertext);\n        AESW.decrypt(kek, out);\n        if (!equalBytes(out.subarray(0, 8), AESKW_IV))\n            throw new Error('integrity check failed');\n        out.subarray(0, 8).fill(0); // ciphertext.subarray(0, 8) === IV, but we clean it anyway\n        return out.subarray(8);\n    },\n}));\n/*\nWe don't support 8-byte keys. The rabbit hole:\n\n- Wycheproof says: \"NIST SP 800-38F does not define the wrapping of 8 byte keys.\n  RFC 3394 Section 2  on the other hand specifies that 8 byte keys are wrapped\n  by directly encrypting one block with AES.\"\n    - https://github.com/C2SP/wycheproof/blob/master/doc/key_wrap.md\n    - \"RFC 3394 specifies in Section 2, that the input for the key wrap\n      algorithm must be at least two blocks and otherwise the constant\n      field and key are simply encrypted with ECB as a single block\"\n- What RFC 3394 actually says (in Section 2):\n    - \"Before being wrapped, the key data is parsed into n blocks of 64 bits.\n      The only restriction the key wrap algorithm places on n is that n be\n      at least two\"\n    - \"For key data with length less than or equal to 64 bits, the constant\n      field used in this specification and the key data form a single\n      128-bit codebook input making this key wrap unnecessary.\"\n- Which means \"assert(n >= 2)\" and \"use something else for 8 byte keys\"\n- NIST SP800-38F actually prohibits 8-byte in \"5.3.1 Mandatory Limits\".\n  It states that plaintext for KW should be \"2 to 2^54 -1 semiblocks\".\n- So, where does \"directly encrypt single block with AES\" come from?\n    - Not RFC 3394. Pseudocode of key wrap in 2.2 explicitly uses\n      loop of 6 for any code path\n    - There is a weird W3C spec:\n      https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#kw-aes128\n    - This spec is outdated, as admitted by Wycheproof authors\n    - There is RFC 5649 for padded key wrap, which is padding construction on\n      top of AESKW. In '4.1.2' it says: \"If the padded plaintext contains exactly\n      eight octets, then prepend the AIV as defined in Section 3 above to P[1] and\n      encrypt the resulting 128-bit block using AES in ECB mode [Modes] with key\n      K (the KEK).  In this case, the output is two 64-bit blocks C[0] and C[1]:\"\n    - Browser subtle crypto is actually crashes on wrapping keys less than 16 bytes:\n      `Error: error:1C8000E6:Provider routines::invalid input length] { opensslErrorStack: [ 'error:030000BD:digital envelope routines::update error' ]`\n\nIn the end, seems like a bug in Wycheproof.\nThe 8-byte check can be easily disabled inside of AES_W.\n*/\nconst AESKWP_IV = 0xa65959a6; // single u32le value\n/**\n * AES-KW, but with padding and allows random keys.\n * Second u32 of IV is used as counter for length.\n * [RFC 5649](https://www.rfc-editor.org/rfc/rfc5649)\n */\nexport const aeskwp = wrapCipher({ blockSize: 8 }, (kek) => ({\n    encrypt(plaintext) {\n        abytes(plaintext);\n        if (!plaintext.length)\n            throw new Error('invalid plaintext length');\n        const padded = Math.ceil(plaintext.length / 8) * 8;\n        const out = new Uint8Array(8 + padded);\n        out.set(plaintext, 8);\n        const out32 = u32(out);\n        out32[0] = AESKWP_IV;\n        out32[1] = byteSwap(plaintext.length);\n        AESW.encrypt(kek, out);\n        return out;\n    },\n    decrypt(ciphertext) {\n        abytes(ciphertext);\n        // 16 because should have at least one block\n        if (ciphertext.length < 16)\n            throw new Error('invalid ciphertext length');\n        const out = copyBytes(ciphertext);\n        const o32 = u32(out);\n        AESW.decrypt(kek, out);\n        const len = byteSwap(o32[1]) >>> 0;\n        const padded = Math.ceil(len / 8) * 8;\n        if (o32[0] !== AESKWP_IV || out.length - 8 !== padded)\n            throw new Error('integrity check failed');\n        for (let i = len; i < padded; i++)\n            if (out[8 + i] !== 0)\n                throw new Error('integrity check failed');\n        out.subarray(0, 8).fill(0); // ciphertext.subarray(0, 8) === IV, but we clean it anyway\n        return out.subarray(8, 8 + len);\n    },\n}));\n// Private, unsafe low-level methods. Can change at any time.\nexport const unsafe = {\n    expandKeyLE,\n    expandKeyDecLE,\n    encrypt,\n    decrypt,\n    encryptBlock,\n    decryptBlock,\n    ctrCounter,\n    ctr32,\n};\n//# sourceMappingURL=aes.js.map","import enums from '../../enums';\n\nexport async function getLegacyCipher(algo) {\n  switch (algo) {\n    case enums.symmetric.aes128:\n    case enums.symmetric.aes192:\n    case enums.symmetric.aes256:\n      throw new Error('Not a legacy cipher');\n    case enums.symmetric.cast5:\n    case enums.symmetric.blowfish:\n    case enums.symmetric.twofish:\n    case enums.symmetric.tripledes: {\n      const { legacyCiphers } = await import('./legacy_ciphers');\n      const algoName = enums.read(enums.symmetric, algo);\n      const cipher = legacyCiphers.get(algoName);\n      if (!cipher) {\n        throw new Error('Unsupported cipher algorithm');\n      }\n      return cipher;\n    }\n    default:\n      throw new Error('Unsupported cipher algorithm');\n  }\n}\n\n/**\n * Get block size for given cipher algo\n * @param {module:enums.symmetric} algo - alrogithm identifier\n */\nfunction getCipherBlockSize(algo) {\n  switch (algo) {\n    case enums.symmetric.aes128:\n    case enums.symmetric.aes192:\n    case enums.symmetric.aes256:\n    case enums.symmetric.twofish:\n      return 16;\n    case enums.symmetric.blowfish:\n    case enums.symmetric.cast5:\n    case enums.symmetric.tripledes:\n      return 8;\n    default:\n      throw new Error('Unsupported cipher');\n  }\n}\n\n/**\n * Get key size for given cipher algo\n * @param {module:enums.symmetric} algo - alrogithm identifier\n */\nfunction getCipherKeySize(algo) {\n  switch (algo) {\n    case enums.symmetric.aes128:\n    case enums.symmetric.blowfish:\n    case enums.symmetric.cast5:\n      return 16;\n    case enums.symmetric.aes192:\n    case enums.symmetric.tripledes:\n      return 24;\n    case enums.symmetric.aes256:\n    case enums.symmetric.twofish:\n      return 32;\n    default:\n      throw new Error('Unsupported cipher');\n  }\n}\n\n/**\n * Get block and key size for given cipher algo\n * @param {module:enums.symmetric} algo - alrogithm identifier\n */\nexport function getCipherParams(algo) {\n  return { keySize: getCipherKeySize(algo), blockSize: getCipherBlockSize(algo) };\n}\n","// OpenPGP.js - An OpenPGP implementation in javascript\n// Copyright (C) 2015-2016 Decentral\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * @fileoverview Implementation of RFC 3394 AES Key Wrap & Key Unwrap funcions\n * @see module:crypto/public_key/elliptic/ecdh\n * @module crypto/aes_kw\n */\n\nimport { aeskw as nobleAesKW } from '@noble/ciphers/aes';\nimport { getCipherParams } from './cipher';\nimport util from '../util';\n\nconst webCrypto = util.getWebCrypto();\n/**\n * AES key wrap\n * @param {enums.symmetric.aes128|enums.symmetric.aes256|enums.symmetric.aes192} algo - AES algo\n * @param {Uint8Array} key - wrapping key\n * @param {Uint8Array} dataToWrap\n * @returns {Uint8Array} wrapped key\n */\nexport async function wrap(algo, key, dataToWrap) {\n  const { keySize } = getCipherParams(algo);\n  // sanity checks, since WebCrypto does not use the `algo` input\n  if (!util.isAES(algo) || key.length !== keySize) {\n    throw new Error('Unexpected algorithm or key size');\n  }\n\n  try {\n    const wrappingKey = await webCrypto.importKey('raw', key, { name: 'AES-KW' }, false, ['wrapKey']);\n    // Import data as HMAC key, as it has no key length requirements\n    const keyToWrap = await webCrypto.importKey('raw', dataToWrap, { name: 'HMAC', hash: 'SHA-256' }, true, ['sign']);\n    const wrapped = await webCrypto.wrapKey('raw', keyToWrap, wrappingKey, { name: 'AES-KW' });\n    return new Uint8Array(wrapped);\n  } catch (err) {\n    // no 192 bit support in Chromium, which throws `OperationError`, see: https://www.chromium.org/blink/webcrypto#TOC-AES-support\n    if (err.name !== 'NotSupportedError' &&\n      !(key.length === 24 && err.name === 'OperationError')) {\n      throw err;\n    }\n    util.printDebugError('Browser did not support operation: ' + err.message);\n  }\n\n  return nobleAesKW(key).encrypt(dataToWrap);\n}\n\n/**\n * AES key unwrap\n * @param {enums.symmetric.aes128|enums.symmetric.aes256|enums.symmetric.aes192} algo - AES algo\n * @param {Uint8Array} key - wrapping key\n * @param {Uint8Array} wrappedData\n * @returns {Uint8Array} unwrapped data\n */\nexport async function unwrap(algo, key, wrappedData) {\n  const { keySize } = getCipherParams(algo);\n  // sanity checks, since WebCrypto does not use the `algo` input\n  if (!util.isAES(algo) || key.length !== keySize) {\n    throw new Error('Unexpected algorithm or key size');\n  }\n\n  let wrappingKey;\n  try {\n    wrappingKey = await webCrypto.importKey('raw', key, { name: 'AES-KW' }, false, ['unwrapKey']);\n  } catch (err) {\n    // no 192 bit support in Chromium, which throws `OperationError`, see: https://www.chromium.org/blink/webcrypto#TOC-AES-support\n    if (err.name !== 'NotSupportedError' &&\n      !(key.length === 24 && err.name === 'OperationError')) {\n      throw err;\n    }\n    util.printDebugError('Browser did not support operation: ' + err.message);\n    return nobleAesKW(key).decrypt(wrappedData);\n  }\n\n  try {\n    const unwrapped = await webCrypto.unwrapKey('raw', wrappedData, wrappingKey, { name: 'AES-KW' }, { name: 'HMAC', hash: 'SHA-256' }, true, ['sign']);\n    return new Uint8Array(await webCrypto.exportKey('raw', unwrapped));\n  } catch (err) {\n    if (err.name === 'OperationError') {\n      throw new Error('Key Data Integrity failed');\n    }\n    throw err;\n  }\n}\n","/**\n * @fileoverview This module implements HKDF using either the WebCrypto API or Node.js' crypto API.\n * @module crypto/hkdf\n */\n\nimport enums from '../enums';\nimport util from '../util';\n\nconst webCrypto = util.getWebCrypto();\n\nexport default async function computeHKDF(hashAlgo, inputKey, salt, info, outLen) {\n  const hash = enums.read(enums.webHash, hashAlgo);\n  if (!hash) throw new Error('Hash algo not supported with HKDF');\n\n  const importedKey = await webCrypto.importKey('raw', inputKey, 'HKDF', false, ['deriveBits']);\n  const bits = await webCrypto.deriveBits({ name: 'HKDF', hash, salt, info }, importedKey, outLen * 8);\n  return new Uint8Array(bits);\n}\n","/**\n * @fileoverview Key encryption and decryption for RFC 6637 ECDH\n * @module crypto/public_key/elliptic/ecdh\n */\n\nimport x25519 from '@openpgp/tweetnacl';\nimport * as aesKW from '../../aes_kw';\nimport { getRandomBytes } from '../../random';\n\nimport enums from '../../../enums';\nimport util from '../../../util';\nimport computeHKDF from '../../hkdf';\nimport { getCipherParams } from '../../cipher';\n\nconst HKDF_INFO = {\n  x25519: util.encodeUTF8('OpenPGP X25519'),\n  x448: util.encodeUTF8('OpenPGP X448')\n};\n\n/**\n * Generate ECDH key for Montgomery curves\n * @param {module:enums.publicKey} algo - Algorithm identifier\n * @returns {Promise<{ A: Uint8Array, k: Uint8Array }>}\n */\nexport async function generate(algo) {\n  switch (algo) {\n    case enums.publicKey.x25519: {\n      // k stays in little-endian, unlike legacy ECDH over curve25519\n      const k = getRandomBytes(32);\n      const { publicKey: A } = x25519.box.keyPair.fromSecretKey(k);\n      return { A, k };\n    }\n\n    case enums.publicKey.x448: {\n      const x448 = await util.getNobleCurve(enums.publicKey.x448);\n      const k = x448.utils.randomPrivateKey();\n      const A = x448.getPublicKey(k);\n      return { A, k };\n    }\n    default:\n      throw new Error('Unsupported ECDH algorithm');\n  }\n}\n\n/**\n* Validate ECDH parameters\n* @param {module:enums.publicKey} algo - Algorithm identifier\n* @param {Uint8Array} A - ECDH public point\n* @param {Uint8Array} k - ECDH secret scalar\n* @returns {Promise<Boolean>} Whether params are valid.\n* @async\n*/\nexport async function validateParams(algo, A, k) {\n  switch (algo) {\n    case enums.publicKey.x25519: {\n      /**\n       * Derive public point A' from private key\n       * and expect A == A'\n       */\n      const { publicKey } = x25519.box.keyPair.fromSecretKey(k);\n      return util.equalsUint8Array(A, publicKey);\n    }\n    case enums.publicKey.x448: {\n      const x448 = await util.getNobleCurve(enums.publicKey.x448);\n      /**\n       * Derive public point A' from private key\n       * and expect A == A'\n       */\n      const publicKey = x448.getPublicKey(k);\n      return util.equalsUint8Array(A, publicKey);\n    }\n\n    default:\n      return false;\n  }\n}\n\n/**\n * Wrap and encrypt a session key\n *\n * @param {module:enums.publicKey} algo - Algorithm identifier\n * @param {Uint8Array} data - session key data to be encrypted\n * @param {Uint8Array} recipientA - Recipient public key (K_B)\n * @returns {Promise<{\n *  ephemeralPublicKey: Uint8Array,\n * wrappedKey: Uint8Array\n * }>} ephemeral public key (K_A) and encrypted key\n * @async\n */\nexport async function encrypt(algo, data, recipientA) {\n  const { ephemeralPublicKey, sharedSecret } = await generateEphemeralEncryptionMaterial(algo, recipientA);\n  const hkdfInput = util.concatUint8Array([\n    ephemeralPublicKey,\n    recipientA,\n    sharedSecret\n  ]);\n  switch (algo) {\n    case enums.publicKey.x25519: {\n      const cipherAlgo = enums.symmetric.aes128;\n      const { keySize } = getCipherParams(cipherAlgo);\n      const encryptionKey = await computeHKDF(enums.hash.sha256, hkdfInput, new Uint8Array(), HKDF_INFO.x25519, keySize);\n      const wrappedKey = await aesKW.wrap(cipherAlgo, encryptionKey, data);\n      return { ephemeralPublicKey, wrappedKey };\n    }\n    case enums.publicKey.x448: {\n      const cipherAlgo = enums.symmetric.aes256;\n      const { keySize } = getCipherParams(enums.symmetric.aes256);\n      const encryptionKey = await computeHKDF(enums.hash.sha512, hkdfInput, new Uint8Array(), HKDF_INFO.x448, keySize);\n      const wrappedKey = await aesKW.wrap(cipherAlgo, encryptionKey, data);\n      return { ephemeralPublicKey, wrappedKey };\n    }\n\n    default:\n      throw new Error('Unsupported ECDH algorithm');\n  }\n}\n\n/**\n * Decrypt and unwrap the session key\n *\n * @param {module:enums.publicKey} algo - Algorithm identifier\n * @param {Uint8Array} ephemeralPublicKey - (K_A)\n * @param {Uint8Array} wrappedKey,\n * @param {Uint8Array} A - Recipient public key (K_b), needed for KDF\n * @param {Uint8Array} k - Recipient secret key (b)\n * @returns {Promise<Uint8Array>} decrypted session key data\n * @async\n */\nexport async function decrypt(algo, ephemeralPublicKey, wrappedKey, A, k) {\n  const sharedSecret = await recomputeSharedSecret(algo, ephemeralPublicKey, A, k);\n  const hkdfInput = util.concatUint8Array([\n    ephemeralPublicKey,\n    A,\n    sharedSecret\n  ]);\n  switch (algo) {\n    case enums.publicKey.x25519: {\n      const cipherAlgo = enums.symmetric.aes128;\n      const { keySize } = getCipherParams(cipherAlgo);\n      const encryptionKey = await computeHKDF(enums.hash.sha256, hkdfInput, new Uint8Array(), HKDF_INFO.x25519, keySize);\n      return aesKW.unwrap(cipherAlgo, encryptionKey, wrappedKey);\n    }\n    case enums.publicKey.x448: {\n      const cipherAlgo = enums.symmetric.aes256;\n      const { keySize } = getCipherParams(enums.symmetric.aes256);\n      const encryptionKey = await computeHKDF(enums.hash.sha512, hkdfInput, new Uint8Array(), HKDF_INFO.x448, keySize);\n      return aesKW.unwrap(cipherAlgo, encryptionKey, wrappedKey);\n    }\n    default:\n      throw new Error('Unsupported ECDH algorithm');\n  }\n}\n\nexport function getPayloadSize(algo) {\n  switch (algo) {\n    case enums.publicKey.x25519:\n      return 32;\n\n    case enums.publicKey.x448:\n      return 56;\n\n    default:\n      throw new Error('Unsupported ECDH algorithm');\n  }\n}\n\n/**\n * Generate shared secret and ephemeral public key for encryption\n * @returns {Promise<{ ephemeralPublicKey: Uint8Array, sharedSecret: Uint8Array }>} ephemeral public key (K_A) and shared secret\n * @async\n */\nexport async function generateEphemeralEncryptionMaterial(algo, recipientA) {\n  switch (algo) {\n    case enums.publicKey.x25519: {\n      const ephemeralSecretKey = getRandomBytes(getPayloadSize(algo));\n      const sharedSecret = x25519.scalarMult(ephemeralSecretKey, recipientA);\n      assertNonZeroArray(sharedSecret);\n      const { publicKey: ephemeralPublicKey } = x25519.box.keyPair.fromSecretKey(ephemeralSecretKey);\n      return { ephemeralPublicKey, sharedSecret };\n    }\n    case enums.publicKey.x448: {\n      const x448 = await util.getNobleCurve(enums.publicKey.x448);\n      const ephemeralSecretKey = x448.utils.randomPrivateKey();\n      const sharedSecret = x448.getSharedSecret(ephemeralSecretKey, recipientA);\n      assertNonZeroArray(sharedSecret);\n      const ephemeralPublicKey = x448.getPublicKey(ephemeralSecretKey);\n      return { ephemeralPublicKey, sharedSecret };\n    }\n    default:\n      throw new Error('Unsupported ECDH algorithm');\n  }\n}\n\nexport async function recomputeSharedSecret(algo, ephemeralPublicKey, A, k) {\n  switch (algo) {\n    case enums.publicKey.x25519: {\n      const sharedSecret = x25519.scalarMult(k, ephemeralPublicKey);\n      assertNonZeroArray(sharedSecret);\n      return sharedSecret;\n    }\n    case enums.publicKey.x448: {\n      const x448 = await util.getNobleCurve(enums.publicKey.x448);\n      const sharedSecret = x448.getSharedSecret(k, ephemeralPublicKey);\n      assertNonZeroArray(sharedSecret);\n      return sharedSecret;\n    }\n    default:\n      throw new Error('Unsupported ECDH algorithm');\n  }\n}\n\n/**\n * x25519 and x448 produce an all-zero value when given as input a point with small order.\n * This does not lead to a security issue in the context of ECDH, but it is still unexpected,\n * hence we throw.\n * @param {Uint8Array} sharedSecret\n */\nfunction assertNonZeroArray(sharedSecret) {\n  let acc = 0;\n  for (let i = 0; i < sharedSecret.length; i++) {\n    acc |= sharedSecret[i];\n  }\n  if (acc === 0) {\n    throw new Error('Unexpected low order point');\n  }\n}\n","// OpenPGP.js - An OpenPGP implementation in javascript\n// Copyright (C) 2015-2016 Decentral\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * @fileoverview Wrapper of an instance of an Elliptic Curve\n * @module crypto/public_key/elliptic/curve\n */\nimport nacl from '@openpgp/tweetnacl';\nimport enums from '../../../enums';\nimport util from '../../../util';\nimport { uint8ArrayToB64, b64ToUint8Array } from '../../../encoding/base64';\nimport OID from '../../../type/oid';\nimport { UnsupportedError } from '../../../packet/packet';\nimport { generate as eddsaGenerate } from './eddsa';\nimport { generate as ecdhXGenerate } from './ecdh_x';\n\nconst webCrypto = util.getWebCrypto();\nconst nodeCrypto = util.getNodeCrypto();\n\nconst webCurves = {\n  [enums.curve.nistP256]: 'P-256',\n  [enums.curve.nistP384]: 'P-384',\n  [enums.curve.nistP521]: 'P-521'\n};\nconst knownCurves = nodeCrypto ? nodeCrypto.getCurves() : [];\nconst nodeCurves = nodeCrypto ? {\n  [enums.curve.secp256k1]: knownCurves.includes('secp256k1') ? 'secp256k1' : undefined,\n  [enums.curve.nistP256]: knownCurves.includes('prime256v1') ? 'prime256v1' : undefined,\n  [enums.curve.nistP384]: knownCurves.includes('secp384r1') ? 'secp384r1' : undefined,\n  [enums.curve.nistP521]: knownCurves.includes('secp521r1') ? 'secp521r1' : undefined,\n  [enums.curve.ed25519Legacy]: knownCurves.includes('ED25519') ? 'ED25519' : undefined,\n  [enums.curve.curve25519Legacy]: knownCurves.includes('X25519') ? 'X25519' : undefined,\n  [enums.curve.brainpoolP256r1]: knownCurves.includes('brainpoolP256r1') ? 'brainpoolP256r1' : undefined,\n  [enums.curve.brainpoolP384r1]: knownCurves.includes('brainpoolP384r1') ? 'brainpoolP384r1' : undefined,\n  [enums.curve.brainpoolP512r1]: knownCurves.includes('brainpoolP512r1') ? 'brainpoolP512r1' : undefined\n} : {};\n\nconst curves = {\n  [enums.curve.nistP256]: {\n    oid: [0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07],\n    keyType: enums.publicKey.ecdsa,\n    hash: enums.hash.sha256,\n    cipher: enums.symmetric.aes128,\n    node: nodeCurves[enums.curve.nistP256],\n    web: webCurves[enums.curve.nistP256],\n    payloadSize: 32,\n    sharedSize: 256,\n    wireFormatLeadingByte: 0x04\n  },\n  [enums.curve.nistP384]: {\n    oid: [0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22],\n    keyType: enums.publicKey.ecdsa,\n    hash: enums.hash.sha384,\n    cipher: enums.symmetric.aes192,\n    node: nodeCurves[enums.curve.nistP384],\n    web: webCurves[enums.curve.nistP384],\n    payloadSize: 48,\n    sharedSize: 384,\n    wireFormatLeadingByte: 0x04\n  },\n  [enums.curve.nistP521]: {\n    oid: [0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x23],\n    keyType: enums.publicKey.ecdsa,\n    hash: enums.hash.sha512,\n    cipher: enums.symmetric.aes256,\n    node: nodeCurves[enums.curve.nistP521],\n    web: webCurves[enums.curve.nistP521],\n    payloadSize: 66,\n    sharedSize: 528,\n    wireFormatLeadingByte: 0x04\n  },\n  [enums.curve.secp256k1]: {\n    oid: [0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x0A],\n    keyType: enums.publicKey.ecdsa,\n    hash: enums.hash.sha256,\n    cipher: enums.symmetric.aes128,\n    node: nodeCurves[enums.curve.secp256k1],\n    payloadSize: 32,\n    wireFormatLeadingByte: 0x04\n  },\n  [enums.curve.ed25519Legacy]: {\n    oid: [0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01],\n    keyType: enums.publicKey.eddsaLegacy,\n    hash: enums.hash.sha512,\n    node: false, // nodeCurves.ed25519 TODO\n    payloadSize: 32,\n    wireFormatLeadingByte: 0x40\n  },\n  [enums.curve.curve25519Legacy]: {\n    oid: [0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55, 0x01, 0x05, 0x01],\n    keyType: enums.publicKey.ecdh,\n    hash: enums.hash.sha256,\n    cipher: enums.symmetric.aes128,\n    node: false, // nodeCurves.curve25519 TODO\n    payloadSize: 32,\n    wireFormatLeadingByte: 0x40\n  },\n  [enums.curve.brainpoolP256r1]: {\n    oid: [0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x07],\n    keyType: enums.publicKey.ecdsa,\n    hash: enums.hash.sha256,\n    cipher: enums.symmetric.aes128,\n    node: nodeCurves[enums.curve.brainpoolP256r1],\n    payloadSize: 32,\n    wireFormatLeadingByte: 0x04\n  },\n  [enums.curve.brainpoolP384r1]: {\n    oid: [0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0B],\n    keyType: enums.publicKey.ecdsa,\n    hash: enums.hash.sha384,\n    cipher: enums.symmetric.aes192,\n    node: nodeCurves[enums.curve.brainpoolP384r1],\n    payloadSize: 48,\n    wireFormatLeadingByte: 0x04\n  },\n  [enums.curve.brainpoolP512r1]: {\n    oid: [0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0D],\n    keyType: enums.publicKey.ecdsa,\n    hash: enums.hash.sha512,\n    cipher: enums.symmetric.aes256,\n    node: nodeCurves[enums.curve.brainpoolP512r1],\n    payloadSize: 64,\n    wireFormatLeadingByte: 0x04\n  }\n};\n\nclass CurveWithOID {\n  constructor(oidOrName) {\n    try {\n      this.name = oidOrName instanceof OID ?\n        oidOrName.getName() :\n        enums.write(enums.curve,oidOrName);\n    } catch (err) {\n      throw new UnsupportedError('Unknown curve');\n    }\n    const params = curves[this.name];\n\n    this.keyType = params.keyType;\n\n    this.oid = params.oid;\n    this.hash = params.hash;\n    this.cipher = params.cipher;\n    this.node = params.node;\n    this.web = params.web;\n    this.payloadSize = params.payloadSize;\n    this.sharedSize = params.sharedSize;\n    this.wireFormatLeadingByte = params.wireFormatLeadingByte;\n    if (this.web && util.getWebCrypto()) {\n      this.type = 'web';\n    } else if (this.node && util.getNodeCrypto()) {\n      this.type = 'node';\n    } else if (this.name === enums.curve.curve25519Legacy) {\n      this.type = 'curve25519Legacy';\n    } else if (this.name === enums.curve.ed25519Legacy) {\n      this.type = 'ed25519Legacy';\n    }\n  }\n\n  async genKeyPair() {\n    switch (this.type) {\n      case 'web':\n        try {\n          return await webGenKeyPair(this.name, this.wireFormatLeadingByte);\n        } catch (err) {\n          util.printDebugError('Browser did not support generating ec key ' + err.message);\n          return jsGenKeyPair(this.name);\n        }\n      case 'node':\n        return nodeGenKeyPair(this.name);\n      case 'curve25519Legacy': {\n        // the private key must be stored in big endian and already clamped: https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-13.html#section-5.5.5.6.1.1-3\n        const { k, A } = await ecdhXGenerate(enums.publicKey.x25519);\n        const privateKey = k.slice().reverse();\n        privateKey[0] = (privateKey[0] & 127) | 64;\n        privateKey[31] &= 248;\n        const publicKey = util.concatUint8Array([new Uint8Array([this.wireFormatLeadingByte]), A]);\n        return { publicKey, privateKey };\n      }\n      case 'ed25519Legacy': {\n        const { seed: privateKey, A } = await eddsaGenerate(enums.publicKey.ed25519);\n        const publicKey = util.concatUint8Array([new Uint8Array([this.wireFormatLeadingByte]), A]);\n        return { publicKey, privateKey };\n      }\n      default:\n        return jsGenKeyPair(this.name);\n    }\n  }\n}\n\nasync function generate(curveName) {\n  const curve = new CurveWithOID(curveName);\n  const { oid, hash, cipher } = curve;\n  const keyPair = await curve.genKeyPair();\n  return {\n    oid,\n    Q: keyPair.publicKey,\n    secret: util.leftPad(keyPair.privateKey, curve.payloadSize),\n    hash,\n    cipher\n  };\n}\n\n/**\n * Get preferred hash algo to use with the given curve\n * @param {module:type/oid} oid - curve oid\n * @returns {enums.hash} hash algorithm\n */\nfunction getPreferredHashAlgo(oid) {\n  return curves[oid.getName()].hash;\n}\n\n/**\n * Validate ECDH and ECDSA parameters\n * Not suitable for EdDSA (different secret key format)\n * @param {module:enums.publicKey} algo - EC algorithm, to filter supported curves\n * @param {module:type/oid} oid - EC object identifier\n * @param {Uint8Array} Q - EC public point\n * @param {Uint8Array} d - EC secret scalar\n * @returns {Promise<Boolean>} Whether params are valid.\n * @async\n */\nasync function validateStandardParams(algo, oid, Q, d) {\n  const supportedCurves = {\n    [enums.curve.nistP256]: true,\n    [enums.curve.nistP384]: true,\n    [enums.curve.nistP521]: true,\n    [enums.curve.secp256k1]: true,\n    [enums.curve.curve25519Legacy]: algo === enums.publicKey.ecdh,\n    [enums.curve.brainpoolP256r1]: true,\n    [enums.curve.brainpoolP384r1]: true,\n    [enums.curve.brainpoolP512r1]: true\n  };\n\n  // Check whether the given curve is supported\n  const curveName = oid.getName();\n  if (!supportedCurves[curveName]) {\n    return false;\n  }\n\n  if (curveName === enums.curve.curve25519Legacy) {\n    d = d.slice().reverse();\n    // Re-derive public point Q'\n    const { publicKey } = nacl.box.keyPair.fromSecretKey(d);\n\n    Q = new Uint8Array(Q);\n    const dG = new Uint8Array([0x40, ...publicKey]); // Add public key prefix\n    if (!util.equalsUint8Array(dG, Q)) {\n      return false;\n    }\n\n    return true;\n  }\n\n  const nobleCurve = await util.getNobleCurve(enums.publicKey.ecdsa, curveName); // excluding curve25519Legacy, ecdh and ecdsa use the same curves\n  /*\n   * Re-derive public point Q' = dG from private key\n   * Expect Q == Q'\n   */\n  const dG = nobleCurve.getPublicKey(d, false);\n  if (!util.equalsUint8Array(dG, Q)) {\n    return false;\n  }\n\n  return true;\n}\n\n/**\n * Check whether the public point has a valid encoding.\n * NB: this function does not check e.g. whether the point belongs to the curve.\n */\nfunction checkPublicPointEnconding(curve, V) {\n  const { payloadSize, wireFormatLeadingByte, name: curveName } = curve;\n\n  const pointSize = (curveName === enums.curve.curve25519Legacy || curveName === enums.curve.ed25519Legacy) ? payloadSize : payloadSize * 2;\n\n  if (V[0] !== wireFormatLeadingByte || V.length !== pointSize + 1) {\n    throw new Error('Invalid point encoding');\n  }\n}\n\nexport {\n  CurveWithOID, curves, webCurves, nodeCurves, generate, getPreferredHashAlgo, jwkToRawPublic, rawPublicToJWK, privateToJWK, validateStandardParams, checkPublicPointEnconding\n};\n\n//////////////////////////\n//                      //\n//   Helper functions   //\n//                      //\n//////////////////////////\nasync function jsGenKeyPair(name) {\n  const nobleCurve = await util.getNobleCurve(enums.publicKey.ecdsa, name); // excluding curve25519Legacy, ecdh and ecdsa use the same curves\n  const privateKey = nobleCurve.utils.randomPrivateKey();\n  const publicKey = nobleCurve.getPublicKey(privateKey, false);\n  return { publicKey, privateKey };\n}\n\nasync function webGenKeyPair(name, wireFormatLeadingByte) {\n  // Note: keys generated with ECDSA and ECDH are structurally equivalent\n  const webCryptoKey = await webCrypto.generateKey({ name: 'ECDSA', namedCurve: webCurves[name] }, true, ['sign', 'verify']);\n\n  const privateKey = await webCrypto.exportKey('jwk', webCryptoKey.privateKey);\n  const publicKey = await webCrypto.exportKey('jwk', webCryptoKey.publicKey);\n\n  return {\n    publicKey: jwkToRawPublic(publicKey, wireFormatLeadingByte),\n    privateKey: b64ToUint8Array(privateKey.d, true)\n  };\n}\n\nasync function nodeGenKeyPair(name) {\n  // Note: ECDSA and ECDH key generation is structurally equivalent\n  const ecdh = nodeCrypto.createECDH(nodeCurves[name]);\n  await ecdh.generateKeys();\n  return {\n    publicKey: new Uint8Array(ecdh.getPublicKey()),\n    privateKey: new Uint8Array(ecdh.getPrivateKey())\n  };\n}\n\n//////////////////////////\n//                      //\n//   Helper functions   //\n//                      //\n//////////////////////////\n\n/**\n * @param {JsonWebKey} jwk - key for conversion\n *\n * @returns {Uint8Array} Raw public key.\n */\nfunction jwkToRawPublic(jwk, wireFormatLeadingByte) {\n  const bufX = b64ToUint8Array(jwk.x);\n  const bufY = b64ToUint8Array(jwk.y);\n  const publicKey = new Uint8Array(bufX.length + bufY.length + 1);\n  publicKey[0] = wireFormatLeadingByte;\n  publicKey.set(bufX, 1);\n  publicKey.set(bufY, bufX.length + 1);\n  return publicKey;\n}\n\n/**\n * @param {Integer} payloadSize - ec payload size\n * @param {String} name - curve name\n * @param {Uint8Array} publicKey - public key\n *\n * @returns {JsonWebKey} Public key in jwk format.\n */\nfunction rawPublicToJWK(payloadSize, name, publicKey) {\n  const len = payloadSize;\n  const bufX = publicKey.slice(1, len + 1);\n  const bufY = publicKey.slice(len + 1, len * 2 + 1);\n  // https://www.rfc-editor.org/rfc/rfc7518.txt\n  const jwk = {\n    kty: 'EC',\n    crv: name,\n    x: uint8ArrayToB64(bufX, true),\n    y: uint8ArrayToB64(bufY, true),\n    ext: true\n  };\n  return jwk;\n}\n\n/**\n * @param {Integer} payloadSize - ec payload size\n * @param {String} name - curve name\n * @param {Uint8Array} publicKey - public key\n * @param {Uint8Array} privateKey - private key\n *\n * @returns {JsonWebKey} Private key in jwk format.\n */\nfunction privateToJWK(payloadSize, name, publicKey, privateKey) {\n  const jwk = rawPublicToJWK(payloadSize, name, publicKey);\n  jwk.d = uint8ArrayToB64(privateKey, true);\n  return jwk;\n}\n","// OpenPGP.js - An OpenPGP implementation in javascript\n// Copyright (C) 2015-2016 Decentral\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * @fileoverview Implementation of ECDSA following RFC6637 for Openpgpjs\n * @module crypto/public_key/elliptic/ecdsa\n */\n\nimport enums from '../../../enums';\nimport util from '../../../util';\nimport { getRandomBytes } from '../../random';\nimport { computeDigest } from '../../hash';\nimport { CurveWithOID, webCurves, privateToJWK, rawPublicToJWK, validateStandardParams, nodeCurves, checkPublicPointEnconding } from './oid_curves';\nimport { bigIntToUint8Array } from '../../biginteger';\n\nconst webCrypto = util.getWebCrypto();\nconst nodeCrypto = util.getNodeCrypto();\n\n/**\n * Sign a message using the provided key\n * @param {module:type/oid} oid - Elliptic curve object identifier\n * @param {module:enums.hash} hashAlgo - Hash algorithm used to sign\n * @param {Uint8Array} message - Message to sign\n * @param {Uint8Array} publicKey - Public key\n * @param {Uint8Array} privateKey - Private key used to sign the message\n * @param {Uint8Array} hashed - The hashed message\n * @returns {Promise<{\n *   r: Uint8Array,\n *   s: Uint8Array\n * }>} Signature of the message\n * @async\n */\nexport async function sign(oid, hashAlgo, message, publicKey, privateKey, hashed) {\n  const curve = new CurveWithOID(oid);\n  checkPublicPointEnconding(curve, publicKey);\n  if (message && !util.isStream(message)) {\n    const keyPair = { publicKey, privateKey };\n    switch (curve.type) {\n      case 'web':\n        // If browser doesn't support a curve, we'll catch it\n        try {\n          // Need to await to make sure browser succeeds\n          return await webSign(curve, hashAlgo, message, keyPair);\n        } catch (err) {\n          // We do not fallback if the error is related to key integrity\n          // Unfortunaley Safari does not support nistP521 and throws a DataError when using it\n          // So we need to always fallback for that curve\n          if (curve.name !== 'nistP521' && (err.name === 'DataError' || err.name === 'OperationError')) {\n            throw err;\n          }\n          util.printDebugError('Browser did not support signing: ' + err.message);\n        }\n        break;\n      case 'node':\n        return nodeSign(curve, hashAlgo, message, privateKey);\n    }\n  }\n\n  const nobleCurve = await util.getNobleCurve(enums.publicKey.ecdsa, curve.name);\n  // lowS: non-canonical sig: https://stackoverflow.com/questions/74338846/ecdsa-signature-verification-mismatch\n  const signature = nobleCurve.sign(hashed, privateKey, { lowS: false });\n  return {\n    r: bigIntToUint8Array(signature.r, 'be', curve.payloadSize),\n    s: bigIntToUint8Array(signature.s, 'be', curve.payloadSize)\n  };\n}\n\n/**\n * Verifies if a signature is valid for a message\n * @param {module:type/oid} oid - Elliptic curve object identifier\n * @param {module:enums.hash} hashAlgo - Hash algorithm used in the signature\n * @param  {{r: Uint8Array,\n             s: Uint8Array}}   signature Signature to verify\n * @param {Uint8Array} message - Message to verify\n * @param {Uint8Array} publicKey - Public key used to verify the message\n * @param {Uint8Array} hashed - The hashed message\n * @returns {Boolean}\n * @async\n */\nexport async function verify(oid, hashAlgo, signature, message, publicKey, hashed) {\n  const curve = new CurveWithOID(oid);\n  checkPublicPointEnconding(curve, publicKey);\n  // See https://github.com/openpgpjs/openpgpjs/pull/948.\n  // NB: the impact was more likely limited to Brainpool curves, since thanks\n  // to WebCrypto availability, NIST curve should not have been affected.\n  // Similarly, secp256k1 should have been used rarely enough.\n  // However, we implement the fix for all curves, since it's only needed in case of\n  // verification failure, which is unexpected, hence a minor slowdown is acceptable.\n  const tryFallbackVerificationForOldBug = async () => (\n    hashed[0] === 0 ?\n      jsVerify(curve, signature, hashed.subarray(1), publicKey) :\n      false\n  );\n\n  if (message && !util.isStream(message)) {\n    switch (curve.type) {\n      case 'web':\n        try {\n          // Need to await to make sure browser succeeds\n          const verified = await webVerify(curve, hashAlgo, signature, message, publicKey);\n          return verified || tryFallbackVerificationForOldBug();\n        } catch (err) {\n          // We do not fallback if the error is related to key integrity\n          // Unfortunately Safari does not support nistP521 and throws a DataError when using it\n          // So we need to always fallback for that curve\n          if (curve.name !== 'nistP521' && (err.name === 'DataError' || err.name === 'OperationError')) {\n            throw err;\n          }\n          util.printDebugError('Browser did not support verifying: ' + err.message);\n        }\n        break;\n      case 'node': {\n        const verified = await nodeVerify(curve, hashAlgo, signature, message, publicKey);\n        return verified || tryFallbackVerificationForOldBug();\n      }\n    }\n  }\n\n  const verified = await jsVerify(curve, signature, hashed, publicKey);\n  return verified || tryFallbackVerificationForOldBug();\n}\n\n/**\n * Validate ECDSA parameters\n * @param {module:type/oid} oid - Elliptic curve object identifier\n * @param {Uint8Array} Q - ECDSA public point\n * @param {Uint8Array} d - ECDSA secret scalar\n * @returns {Promise<Boolean>} Whether params are valid.\n * @async\n */\nexport async function validateParams(oid, Q, d) {\n  const curve = new CurveWithOID(oid);\n  // Reject curves x25519 and ed25519\n  if (curve.keyType !== enums.publicKey.ecdsa) {\n    return false;\n  }\n\n  // To speed up the validation, we try to use node- or webcrypto when available\n  // and sign + verify a random message\n  switch (curve.type) {\n    case 'web':\n    case 'node': {\n      const message = getRandomBytes(8);\n      const hashAlgo = enums.hash.sha256;\n      const hashed = await computeDigest(hashAlgo, message);\n      try {\n        const signature = await sign(oid, hashAlgo, message, Q, d, hashed);\n        // eslint-disable-next-line @typescript-eslint/return-await\n        return await verify(oid, hashAlgo, signature, message, Q, hashed);\n      } catch (err) {\n        return false;\n      }\n    }\n    default:\n      return validateStandardParams(enums.publicKey.ecdsa, oid, Q, d);\n  }\n}\n\n\n//////////////////////////\n//                      //\n//   Helper functions   //\n//                      //\n//////////////////////////\n\n/**\n * Fallback javascript implementation of ECDSA verification.\n * To be used if no native implementation is available for the given curve/operation.\n */\nasync function jsVerify(curve, signature, hashed, publicKey) {\n  const nobleCurve = await util.getNobleCurve(enums.publicKey.ecdsa, curve.name);\n  // lowS: non-canonical sig: https://stackoverflow.com/questions/74338846/ecdsa-signature-verification-mismatch\n  return nobleCurve.verify(util.concatUint8Array([signature.r, signature.s]), hashed, publicKey, { lowS: false });\n}\n\nasync function webSign(curve, hashAlgo, message, keyPair) {\n  const len = curve.payloadSize;\n  const jwk = privateToJWK(curve.payloadSize, webCurves[curve.name], keyPair.publicKey, keyPair.privateKey);\n  const key = await webCrypto.importKey(\n    'jwk',\n    jwk,\n    {\n      'name': 'ECDSA',\n      'namedCurve': webCurves[curve.name],\n      'hash': { name: enums.read(enums.webHash, curve.hash) }\n    },\n    false,\n    ['sign']\n  );\n\n  const signature = new Uint8Array(await webCrypto.sign(\n    {\n      'name': 'ECDSA',\n      'namedCurve': webCurves[curve.name],\n      'hash': { name: enums.read(enums.webHash, hashAlgo) }\n    },\n    key,\n    message\n  ));\n\n  return {\n    r: signature.slice(0, len),\n    s: signature.slice(len, len << 1)\n  };\n}\n\nasync function webVerify(curve, hashAlgo, { r, s }, message, publicKey) {\n  const jwk = rawPublicToJWK(curve.payloadSize, webCurves[curve.name], publicKey);\n  const key = await webCrypto.importKey(\n    'jwk',\n    jwk,\n    {\n      'name': 'ECDSA',\n      'namedCurve': webCurves[curve.name],\n      'hash': { name: enums.read(enums.webHash, curve.hash) }\n    },\n    false,\n    ['verify']\n  );\n\n  const signature = util.concatUint8Array([r, s]).buffer;\n\n  return webCrypto.verify(\n    {\n      'name': 'ECDSA',\n      'namedCurve': webCurves[curve.name],\n      'hash': { name: enums.read(enums.webHash, hashAlgo) }\n    },\n    key,\n    signature,\n    message\n  );\n}\n\nasync function nodeSign(curve, hashAlgo, message, privateKey) {\n  // JWT encoding cannot be used for now, as Brainpool curves are not supported\n  const ecKeyUtils = util.nodeRequire('eckey-utils');\n  const nodeBuffer = util.getNodeBuffer();\n  const { privateKey: derPrivateKey } = ecKeyUtils.generateDer({\n    curveName: nodeCurves[curve.name],\n    privateKey: nodeBuffer.from(privateKey)\n  });\n\n  const sign = nodeCrypto.createSign(enums.read(enums.hash, hashAlgo));\n  sign.write(message);\n  sign.end();\n\n  const signature = new Uint8Array(sign.sign({ key: derPrivateKey, format: 'der', type: 'sec1', dsaEncoding: 'ieee-p1363' }));\n  const len = curve.payloadSize;\n\n  return {\n    r: signature.subarray(0, len),\n    s: signature.subarray(len, len << 1)\n  };\n}\n\nasync function nodeVerify(curve, hashAlgo, { r, s }, message, publicKey) {\n  const ecKeyUtils = util.nodeRequire('eckey-utils');\n  const nodeBuffer = util.getNodeBuffer();\n  const { publicKey: derPublicKey } = ecKeyUtils.generateDer({\n    curveName: nodeCurves[curve.name],\n    publicKey: nodeBuffer.from(publicKey)\n  });\n\n  const verify = nodeCrypto.createVerify(enums.read(enums.hash, hashAlgo));\n  verify.write(message);\n  verify.end();\n\n  const signature = util.concatUint8Array([r, s]);\n\n  try {\n    return verify.verify({ key: derPublicKey, format: 'der', type: 'spki', dsaEncoding: 'ieee-p1363' }, signature);\n  } catch (err) {\n    return false;\n  }\n}\n","// OpenPGP.js - An OpenPGP implementation in javascript\n// Copyright (C) 2018 Proton Technologies AG\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * @fileoverview Implementation of legacy EdDSA following RFC4880bis-03 for OpenPGP.\n * This key type has been deprecated by the crypto-refresh RFC.\n * @module crypto/public_key/elliptic/eddsa_legacy\n */\n\nimport nacl from '@openpgp/tweetnacl';\nimport util from '../../../util';\nimport enums from '../../../enums';\nimport { getHashByteLength } from '../../hash';\nimport { CurveWithOID, checkPublicPointEnconding } from './oid_curves';\nimport { sign as eddsaSign, verify as eddsaVerify } from './eddsa';\n\n/**\n * Sign a message using the provided legacy EdDSA key\n * @param {module:type/oid} oid - Elliptic curve object identifier\n * @param {module:enums.hash} hashAlgo - Hash algorithm used to sign (must be sha256 or stronger)\n * @param {Uint8Array} message - Message to sign\n * @param {Uint8Array} publicKey - Public key\n * @param {Uint8Array} privateKey - Private key used to sign the message\n * @param {Uint8Array} hashed - The hashed message\n * @returns {Promise<{\n *   r: Uint8Array,\n *   s: Uint8Array\n * }>} Signature of the message\n * @async\n */\nexport async function sign(oid, hashAlgo, message, publicKey, privateKey, hashed) {\n  const curve = new CurveWithOID(oid);\n  checkPublicPointEnconding(curve, publicKey);\n  if (getHashByteLength(hashAlgo) < getHashByteLength(enums.hash.sha256)) {\n    // Enforce digest sizes, since the constraint was already present in RFC4880bis:\n    // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2\n    // and https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3\n    throw new Error('Hash algorithm too weak for EdDSA.');\n  }\n  const { RS: signature } = await eddsaSign(enums.publicKey.ed25519, hashAlgo, message, publicKey.subarray(1), privateKey, hashed);\n  // EdDSA signature params are returned in little-endian format\n  return {\n    r: signature.subarray(0, 32),\n    s: signature.subarray(32)\n  };\n}\n\n/**\n * Verifies if a legacy EdDSA signature is valid for a message\n * @param {module:type/oid} oid - Elliptic curve object identifier\n * @param {module:enums.hash} hashAlgo - Hash algorithm used in the signature\n * @param  {{r: Uint8Array,\n             s: Uint8Array}}   signature Signature to verify the message\n * @param {Uint8Array} m - Message to verify\n * @param {Uint8Array} publicKey - Public key used to verify the message\n * @param {Uint8Array} hashed - The hashed message\n * @returns {Boolean}\n * @async\n */\nexport async function verify(oid, hashAlgo, { r, s }, m, publicKey, hashed) {\n  const curve = new CurveWithOID(oid);\n  checkPublicPointEnconding(curve, publicKey);\n  if (getHashByteLength(hashAlgo) < getHashByteLength(enums.hash.sha256)) {\n    // Enforce digest sizes, since the constraint was already present in RFC4880bis:\n    // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2\n    // and https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3\n    throw new Error('Hash algorithm too weak for EdDSA.');\n  }\n  const RS = util.concatUint8Array([r, s]);\n  return eddsaVerify(enums.publicKey.ed25519, hashAlgo, { RS }, m, publicKey.subarray(1), hashed);\n}\n/**\n * Validate legacy EdDSA parameters\n * @param {module:type/oid} oid - Elliptic curve object identifier\n * @param {Uint8Array} Q - EdDSA public point\n * @param {Uint8Array} k - EdDSA secret seed\n * @returns {Promise<Boolean>} Whether params are valid.\n * @async\n */\nexport async function validateParams(oid, Q, k) {\n  // Check whether the given curve is supported\n  if (oid.getName() !== enums.curve.ed25519Legacy) {\n    return false;\n  }\n\n  /**\n   * Derive public point Q' = dG from private key\n   * and expect Q == Q'\n   */\n  const { publicKey } = nacl.sign.keyPair.fromSeed(k);\n  const dG = new Uint8Array([0x40, ...publicKey]); // Add public key prefix\n  return util.equalsUint8Array(Q, dG);\n\n}\n","// OpenPGP.js - An OpenPGP implementation in javascript\n// Copyright (C) 2015-2016 Decentral\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport util from '../util';\n\n/**\n * @fileoverview Functions to add and remove PKCS5 padding\n * @see PublicKeyEncryptedSessionKeyPacket\n * @module crypto/pkcs5\n * @private\n */\n\n/**\n * Add pkcs5 padding to a message\n * @param {Uint8Array} message - message to pad\n * @returns {Uint8Array} Padded message.\n */\nexport function encode(message) {\n  const c = 8 - (message.length % 8);\n  const padded = new Uint8Array(message.length + c).fill(c);\n  padded.set(message);\n  return padded;\n}\n\n/**\n * Remove pkcs5 padding from a message\n * @param {Uint8Array} message - message to remove padding from\n * @returns {Uint8Array} Message without padding.\n */\nexport function decode(message) {\n  const len = message.length;\n  if (len > 0) {\n    const c = message[len - 1];\n    if (c >= 1) {\n      const provided = message.subarray(len - c);\n      const computed = new Uint8Array(c).fill(c);\n      if (util.equalsUint8Array(provided, computed)) {\n        return message.subarray(0, len - c);\n      }\n    }\n  }\n  throw new Error('Invalid padding');\n}\n","// OpenPGP.js - An OpenPGP implementation in javascript\n// Copyright (C) 2015-2016 Decentral\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * @fileoverview Key encryption and decryption for RFC 6637 ECDH\n * @module crypto/public_key/elliptic/ecdh\n */\n\nimport { CurveWithOID, jwkToRawPublic, rawPublicToJWK, privateToJWK, validateStandardParams, checkPublicPointEnconding } from './oid_curves';\nimport * as aesKW from '../../aes_kw';\nimport { computeDigest } from '../../hash';\nimport enums from '../../../enums';\nimport util from '../../../util';\nimport { b64ToUint8Array } from '../../../encoding/base64';\nimport * as pkcs5 from '../../pkcs5';\nimport { getCipherParams } from '../../cipher';\nimport { generateEphemeralEncryptionMaterial as ecdhXGenerateEphemeralEncryptionMaterial, recomputeSharedSecret as ecdhXRecomputeSharedSecret } from './ecdh_x';\n\nconst webCrypto = util.getWebCrypto();\nconst nodeCrypto = util.getNodeCrypto();\n\n/**\n * Validate ECDH parameters\n * @param {module:type/oid} oid - Elliptic curve object identifier\n * @param {Uint8Array} Q - ECDH public point\n * @param {Uint8Array} d - ECDH secret scalar\n * @returns {Promise<Boolean>} Whether params are valid.\n * @async\n */\nexport async function validateParams(oid, Q, d) {\n  return validateStandardParams(enums.publicKey.ecdh, oid, Q, d);\n}\n\n// Build Param for ECDH algorithm (RFC 6637)\nfunction buildEcdhParam(public_algo, oid, kdfParams, fingerprint) {\n  return util.concatUint8Array([\n    oid.write(),\n    new Uint8Array([public_algo]),\n    kdfParams.write(),\n    util.stringToUint8Array('Anonymous Sender    '),\n    fingerprint\n  ]);\n}\n\n// Key Derivation Function (RFC 6637)\nasync function kdf(hashAlgo, X, length, param, stripLeading = false, stripTrailing = false) {\n  // Note: X is little endian for Curve25519, big-endian for all others.\n  // This is not ideal, but the RFC's are unclear\n  // https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-02#appendix-B\n  let i;\n  if (stripLeading) {\n    // Work around old go crypto bug\n    for (i = 0; i < X.length && X[i] === 0; i++);\n    X = X.subarray(i);\n  }\n  if (stripTrailing) {\n    // Work around old OpenPGP.js bug\n    for (i = X.length - 1; i >= 0 && X[i] === 0; i--);\n    X = X.subarray(0, i + 1);\n  }\n  const digest = await computeDigest(hashAlgo, util.concatUint8Array([\n    new Uint8Array([0, 0, 0, 1]),\n    X,\n    param\n  ]));\n  return digest.subarray(0, length);\n}\n\n/**\n * Generate ECDHE ephemeral key and secret from public key\n *\n * @param {CurveWithOID} curve - Elliptic curve object\n * @param {Uint8Array} Q - Recipient public key\n * @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}\n * @async\n */\nasync function genPublicEphemeralKey(curve, Q) {\n  switch (curve.type) {\n    case 'curve25519Legacy': {\n      const { sharedSecret: sharedKey, ephemeralPublicKey } = await ecdhXGenerateEphemeralEncryptionMaterial(enums.publicKey.x25519, Q.subarray(1));\n      const publicKey = util.concatUint8Array([new Uint8Array([curve.wireFormatLeadingByte]), ephemeralPublicKey]);\n      return { publicKey, sharedKey }; // Note: sharedKey is little-endian here, unlike below\n    }\n    case 'web':\n      if (curve.web && util.getWebCrypto()) {\n        try {\n          return await webPublicEphemeralKey(curve, Q);\n        } catch (err) {\n          util.printDebugError(err);\n          return jsPublicEphemeralKey(curve, Q);\n        }\n      }\n      break;\n    case 'node':\n      return nodePublicEphemeralKey(curve, Q);\n    default:\n      return jsPublicEphemeralKey(curve, Q);\n\n  }\n}\n\n/**\n * Encrypt and wrap a session key\n *\n * @param {module:type/oid} oid - Elliptic curve object identifier\n * @param {module:type/kdf_params} kdfParams - KDF params including cipher and algorithm to use\n * @param {Uint8Array} data - Unpadded session key data\n * @param {Uint8Array} Q - Recipient public key\n * @param {Uint8Array} fingerprint - Recipient fingerprint, already truncated depending on the key version\n * @returns {Promise<{publicKey: Uint8Array, wrappedKey: Uint8Array}>}\n * @async\n */\nexport async function encrypt(oid, kdfParams, data, Q, fingerprint) {\n  const m = pkcs5.encode(data);\n\n  const curve = new CurveWithOID(oid);\n  checkPublicPointEnconding(curve, Q);\n  const { publicKey, sharedKey } = await genPublicEphemeralKey(curve, Q);\n  const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);\n  const { keySize } = getCipherParams(kdfParams.cipher);\n  const Z = await kdf(kdfParams.hash, sharedKey, keySize, param);\n  const wrappedKey = await aesKW.wrap(kdfParams.cipher, Z, m);\n  return { publicKey, wrappedKey };\n}\n\n/**\n * Generate ECDHE secret from private key and public part of ephemeral key\n *\n * @param {CurveWithOID} curve - Elliptic curve object\n * @param {Uint8Array} V - Public part of ephemeral key\n * @param {Uint8Array} Q - Recipient public key\n * @param {Uint8Array} d - Recipient private key\n * @returns {Promise<{secretKey: Uint8Array, sharedKey: Uint8Array}>}\n * @async\n */\nasync function genPrivateEphemeralKey(curve, V, Q, d) {\n  if (d.length !== curve.payloadSize) {\n    const privateKey = new Uint8Array(curve.payloadSize);\n    privateKey.set(d, curve.payloadSize - d.length);\n    d = privateKey;\n  }\n  switch (curve.type) {\n    case 'curve25519Legacy': {\n      const secretKey = d.slice().reverse();\n      const sharedKey = await ecdhXRecomputeSharedSecret(enums.publicKey.x25519, V.subarray(1), Q.subarray(1), secretKey);\n      return { secretKey, sharedKey }; // Note: sharedKey is little-endian here, unlike below\n    }\n    case 'web':\n      if (curve.web && util.getWebCrypto()) {\n        try {\n          return await webPrivateEphemeralKey(curve, V, Q, d);\n        } catch (err) {\n          util.printDebugError(err);\n          return jsPrivateEphemeralKey(curve, V, d);\n        }\n      }\n      break;\n    case 'node':\n      return nodePrivateEphemeralKey(curve, V, d);\n    default:\n      return jsPrivateEphemeralKey(curve, V, d);\n  }\n}\n\n/**\n * Decrypt and unwrap the value derived from session key\n *\n * @param {module:type/oid} oid - Elliptic curve object identifier\n * @param {module:type/kdf_params} kdfParams - KDF params including cipher and algorithm to use\n * @param {Uint8Array} V - Public part of ephemeral key\n * @param {Uint8Array} C - Encrypted and wrapped value derived from session key\n * @param {Uint8Array} Q - Recipient public key\n * @param {Uint8Array} d - Recipient private key\n * @param {Uint8Array} fingerprint - Recipient fingerprint, already truncated depending on the key version\n * @returns {Promise<Uint8Array>} Value derived from session key.\n * @async\n */\nexport async function decrypt(oid, kdfParams, V, C, Q, d, fingerprint) {\n  const curve = new CurveWithOID(oid);\n  checkPublicPointEnconding(curve, Q);\n  checkPublicPointEnconding(curve, V);\n  const { sharedKey } = await genPrivateEphemeralKey(curve, V, Q, d);\n  const param = buildEcdhParam(enums.publicKey.ecdh, oid, kdfParams, fingerprint);\n  const { keySize } = getCipherParams(kdfParams.cipher);\n  let err;\n  for (let i = 0; i < 3; i++) {\n    try {\n      // Work around old go crypto bug and old OpenPGP.js bug, respectively.\n      const Z = await kdf(kdfParams.hash, sharedKey, keySize, param, i === 1, i === 2);\n      return pkcs5.decode(await aesKW.unwrap(kdfParams.cipher, Z, C));\n    } catch (e) {\n      err = e;\n    }\n  }\n  throw err;\n}\n\nasync function jsPrivateEphemeralKey(curve, V, d) {\n  const nobleCurve = await util.getNobleCurve(enums.publicKey.ecdh, curve.name);\n  // The output includes parity byte\n  const sharedSecretWithParity = nobleCurve.getSharedSecret(d, V);\n  const sharedKey = sharedSecretWithParity.subarray(1);\n  return { secretKey: d, sharedKey };\n}\n\nasync function jsPublicEphemeralKey(curve, Q) {\n  const nobleCurve = await util.getNobleCurve(enums.publicKey.ecdh, curve.name);\n  const { publicKey: V, privateKey: v } = await curve.genKeyPair();\n\n  // The output includes parity byte\n  const sharedSecretWithParity = nobleCurve.getSharedSecret(v, Q);\n  const sharedKey = sharedSecretWithParity.subarray(1);\n  return { publicKey: V, sharedKey };\n}\n\n/**\n * Generate ECDHE secret from private key and public part of ephemeral key using webCrypto\n *\n * @param {CurveWithOID} curve - Elliptic curve object\n * @param {Uint8Array} V - Public part of ephemeral key\n * @param {Uint8Array} Q - Recipient public key\n * @param {Uint8Array} d - Recipient private key\n * @returns {Promise<{secretKey: Uint8Array, sharedKey: Uint8Array}>}\n * @async\n */\nasync function webPrivateEphemeralKey(curve, V, Q, d) {\n  const recipient = privateToJWK(curve.payloadSize, curve.web, Q, d);\n  let privateKey = webCrypto.importKey(\n    'jwk',\n    recipient,\n    {\n      name: 'ECDH',\n      namedCurve: curve.web\n    },\n    true,\n    ['deriveKey', 'deriveBits']\n  );\n  const jwk = rawPublicToJWK(curve.payloadSize, curve.web, V);\n  let sender = webCrypto.importKey(\n    'jwk',\n    jwk,\n    {\n      name: 'ECDH',\n      namedCurve: curve.web\n    },\n    true,\n    []\n  );\n  [privateKey, sender] = await Promise.all([privateKey, sender]);\n  let S = webCrypto.deriveBits(\n    {\n      name: 'ECDH',\n      namedCurve: curve.web,\n      public: sender\n    },\n    privateKey,\n    curve.sharedSize\n  );\n  let secret = webCrypto.exportKey(\n    'jwk',\n    privateKey\n  );\n  [S, secret] = await Promise.all([S, secret]);\n  const sharedKey = new Uint8Array(S);\n  const secretKey = b64ToUint8Array(secret.d, true);\n  return { secretKey, sharedKey };\n}\n\n/**\n * Generate ECDHE ephemeral key and secret from public key using webCrypto\n *\n * @param {CurveWithOID} curve - Elliptic curve object\n * @param {Uint8Array} Q - Recipient public key\n * @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}\n * @async\n */\nasync function webPublicEphemeralKey(curve, Q) {\n  const jwk = rawPublicToJWK(curve.payloadSize, curve.web, Q);\n  let keyPair = webCrypto.generateKey(\n    {\n      name: 'ECDH',\n      namedCurve: curve.web\n    },\n    true,\n    ['deriveKey', 'deriveBits']\n  );\n  let recipient = webCrypto.importKey(\n    'jwk',\n    jwk,\n    {\n      name: 'ECDH',\n      namedCurve: curve.web\n    },\n    false,\n    []\n  );\n  [keyPair, recipient] = await Promise.all([keyPair, recipient]);\n  let s = webCrypto.deriveBits(\n    {\n      name: 'ECDH',\n      namedCurve: curve.web,\n      public: recipient\n    },\n    keyPair.privateKey,\n    curve.sharedSize\n  );\n  let p = webCrypto.exportKey(\n    'jwk',\n    keyPair.publicKey\n  );\n  [s, p] = await Promise.all([s, p]);\n  const sharedKey = new Uint8Array(s);\n  const publicKey = new Uint8Array(jwkToRawPublic(p, curve.wireFormatLeadingByte));\n  return { publicKey, sharedKey };\n}\n\n/**\n * Generate ECDHE secret from private key and public part of ephemeral key using nodeCrypto\n *\n * @param {CurveWithOID} curve - Elliptic curve object\n * @param {Uint8Array} V - Public part of ephemeral key\n * @param {Uint8Array} d - Recipient private key\n * @returns {Promise<{secretKey: Uint8Array, sharedKey: Uint8Array}>}\n * @async\n */\nasync function nodePrivateEphemeralKey(curve, V, d) {\n  const recipient = nodeCrypto.createECDH(curve.node);\n  recipient.setPrivateKey(d);\n  const sharedKey = new Uint8Array(recipient.computeSecret(V));\n  const secretKey = new Uint8Array(recipient.getPrivateKey());\n  return { secretKey, sharedKey };\n}\n\n/**\n * Generate ECDHE ephemeral key and secret from public key using nodeCrypto\n *\n * @param {CurveWithOID} curve - Elliptic curve object\n * @param {Uint8Array} Q - Recipient public key\n * @returns {Promise<{publicKey: Uint8Array, sharedKey: Uint8Array}>}\n * @async\n */\nasync function nodePublicEphemeralKey(curve, Q) {\n  const sender = nodeCrypto.createECDH(curve.node);\n  sender.generateKeys();\n  const sharedKey = new Uint8Array(sender.computeSecret(Q));\n  const publicKey = new Uint8Array(sender.getPublicKey());\n  return { publicKey, sharedKey };\n}\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * @fileoverview A Digital signature algorithm implementation\n * @module crypto/public_key/dsa\n */\nimport { getRandomBigInteger } from '../random';\nimport util from '../../util';\nimport { isProbablePrime } from './prime';\nimport { bigIntToUint8Array, bitLength, byteLength, mod, modExp, modInv, uint8ArrayToBigInt } from '../biginteger';\n\n/*\n  TODO regarding the hash function, read:\n   https://tools.ietf.org/html/rfc4880#section-13.6\n   https://tools.ietf.org/html/rfc4880#section-14\n*/\n\nconst _0n = BigInt(0);\nconst _1n = BigInt(1);\n\n/**\n * DSA Sign function\n * @param {Integer} hashAlgo\n * @param {Uint8Array} hashed\n * @param {Uint8Array} g\n * @param {Uint8Array} p\n * @param {Uint8Array} q\n * @param {Uint8Array} x\n * @returns {Promise<{ r: Uint8Array, s: Uint8Array }>}\n * @async\n */\nexport async function sign(hashAlgo, hashed, g, p, q, x) {\n  const _0n = BigInt(0);\n  p = uint8ArrayToBigInt(p);\n  q = uint8ArrayToBigInt(q);\n  g = uint8ArrayToBigInt(g);\n  x = uint8ArrayToBigInt(x);\n\n  let k;\n  let r;\n  let s;\n  let t;\n  g = mod(g, p);\n  x = mod(x, q);\n  // If the output size of the chosen hash is larger than the number of\n  // bits of q, the hash result is truncated to fit by taking the number\n  // of leftmost bits equal to the number of bits of q.  This (possibly\n  // truncated) hash function result is treated as a number and used\n  // directly in the DSA signature algorithm.\n  const h = mod(uint8ArrayToBigInt(hashed.subarray(0, byteLength(q))), q);\n  // FIPS-186-4, section 4.6:\n  // The values of r and s shall be checked to determine if r = 0 or s = 0.\n  // If either r = 0 or s = 0, a new value of k shall be generated, and the\n  // signature shall be recalculated. It is extremely unlikely that r = 0\n  // or s = 0 if signatures are generated properly.\n  while (true) {\n    // See Appendix B here: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf\n    k = getRandomBigInteger(_1n, q); // returns in [1, q-1]\n    r = mod(modExp(g, k, p), q); // (g**k mod p) mod q\n    if (r === _0n) {\n      continue;\n    }\n    const xr = mod(x * r, q);\n    t = mod(h + xr, q); // H(m) + x*r mod q\n    s = mod(modInv(k, q) * t, q); // k**-1 * (H(m) + x*r) mod q\n    if (s === _0n) {\n      continue;\n    }\n    break;\n  }\n  return {\n    r: bigIntToUint8Array(r, 'be', byteLength(p)),\n    s: bigIntToUint8Array(s, 'be', byteLength(p))\n  };\n}\n\n/**\n * DSA Verify function\n * @param {Integer} hashAlgo\n * @param {Uint8Array} r\n * @param {Uint8Array} s\n * @param {Uint8Array} hashed\n * @param {Uint8Array} g\n * @param {Uint8Array} p\n * @param {Uint8Array} q\n * @param {Uint8Array} y\n * @returns {boolean}\n * @async\n */\nexport async function verify(hashAlgo, r, s, hashed, g, p, q, y) {\n  r = uint8ArrayToBigInt(r);\n  s = uint8ArrayToBigInt(s);\n\n  p = uint8ArrayToBigInt(p);\n  q = uint8ArrayToBigInt(q);\n  g = uint8ArrayToBigInt(g);\n  y = uint8ArrayToBigInt(y);\n\n  if (r <= _0n || r >= q ||\n      s <= _0n || s >= q) {\n    util.printDebug('invalid DSA Signature');\n    return false;\n  }\n  const h = mod(uint8ArrayToBigInt(hashed.subarray(0, byteLength(q))), q);\n  const w = modInv(s, q); // s**-1 mod q\n  if (w === _0n) {\n    util.printDebug('invalid DSA Signature');\n    return false;\n  }\n\n  g = mod(g, p);\n  y = mod(y, p);\n  const u1 = mod(h * w, q); // H(m) * w mod q\n  const u2 = mod(r * w, q); // r * w mod q\n  const t1 = modExp(g, u1, p); // g**u1 mod p\n  const t2 = modExp(y, u2, p); // y**u2 mod p\n  const v = mod(mod(t1 * t2, p), q); // (g**u1 * y**u2 mod p) mod q\n  return v === r;\n}\n\n/**\n * Validate DSA parameters\n * @param {Uint8Array} p - DSA prime\n * @param {Uint8Array} q - DSA group order\n * @param {Uint8Array} g - DSA sub-group generator\n * @param {Uint8Array} y - DSA public key\n * @param {Uint8Array} x - DSA private key\n * @returns {Promise<Boolean>} Whether params are valid.\n * @async\n */\nexport async function validateParams(p, q, g, y, x) {\n  p = uint8ArrayToBigInt(p);\n  q = uint8ArrayToBigInt(q);\n  g = uint8ArrayToBigInt(g);\n  y = uint8ArrayToBigInt(y);\n  // Check that 1 < g < p\n  if (g <= _1n || g >= p) {\n    return false;\n  }\n\n  /**\n   * Check that subgroup order q divides p-1\n   */\n  if (mod(p - _1n, q) !== _0n) {\n    return false;\n  }\n\n  /**\n   * g has order q\n   * Check that g ** q = 1 mod p\n   */\n  if (modExp(g, q, p) !== _1n) {\n    return false;\n  }\n\n  /**\n   * Check q is large and probably prime (we mainly want to avoid small factors)\n   */\n  const qSize = BigInt(bitLength(q));\n  const _150n = BigInt(150);\n  if (qSize < _150n || !isProbablePrime(q, null, 32)) {\n    return false;\n  }\n\n  /**\n   * Re-derive public key y' = g ** x mod p\n   * Expect y == y'\n   *\n   * Blinded exponentiation computes g**{rq + x} to compare to y\n   */\n  x = uint8ArrayToBigInt(x);\n  const _2n = BigInt(2);\n  const r = getRandomBigInteger(_2n << (qSize - _1n), _2n << qSize); // draw r of same size as q\n  const rqx = q * r + x;\n  if (y !== modExp(g, rqx, p)) {\n    return false;\n  }\n\n  return true;\n}\n","// OpenPGP.js - An OpenPGP implementation in javascript\n// Copyright (C) 2015-2016 Decentral\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * Encoded symmetric key for ECDH (incl. legacy x25519)\n *\n * @module type/ecdh_symkey\n */\n\nimport util from '../util';\n\nclass ECDHSymmetricKey {\n  constructor(data) {\n    if (data) {\n      this.data = data;\n    }\n  }\n\n  /**\n   * Read an ECDHSymmetricKey from an Uint8Array:\n   * - 1 octect for the length `l`\n   * - `l` octects of encoded session key data\n   * @param {Uint8Array} bytes\n   * @returns {Number} Number of read bytes.\n   */\n  read(bytes) {\n    if (bytes.length >= 1) {\n      const length = bytes[0];\n      if (bytes.length >= 1 + length) {\n        this.data = bytes.subarray(1, 1 + length);\n        return 1 + this.data.length;\n      }\n    }\n    throw new Error('Invalid symmetric key');\n  }\n\n  /**\n   * Write an ECDHSymmetricKey as an Uint8Array\n   * @returns  {Uint8Array} Serialised data\n   */\n  write() {\n    return util.concatUint8Array([new Uint8Array([this.data.length]), this.data]);\n  }\n}\n\nexport default ECDHSymmetricKey;\n","// OpenPGP.js - An OpenPGP implementation in javascript\n// Copyright (C) 2015-2016 Decentral\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport { UnsupportedError } from '../packet/packet';\n\n/**\n * Implementation of type KDF parameters\n *\n * {@link https://tools.ietf.org/html/rfc6637#section-7|RFC 6637 7}:\n * A key derivation function (KDF) is necessary to implement the EC\n * encryption.  The Concatenation Key Derivation Function (Approved\n * Alternative 1) [NIST-SP800-56A] with the KDF hash function that is\n * SHA2-256 [FIPS-180-3] or stronger is REQUIRED.\n * @module type/kdf_params\n * @private\n */\n\nclass KDFParams {\n  /**\n   * @param {enums.hash} hash - Hash algorithm\n   * @param {enums.symmetric} cipher - Symmetric algorithm\n   */\n  constructor(data) {\n    if (data) {\n      const { hash, cipher } = data;\n      this.hash = hash;\n      this.cipher = cipher;\n    } else {\n      this.hash = null;\n      this.cipher = null;\n    }\n  }\n\n  /**\n   * Read KDFParams from an Uint8Array\n   * @param {Uint8Array} input - Where to read the KDFParams from\n   * @returns {Number} Number of read bytes.\n   */\n  read(input) {\n    if (input.length < 4 || input[0] !== 3 || input[1] !== 1) {\n      throw new UnsupportedError('Cannot read KDFParams');\n    }\n    this.hash = input[2];\n    this.cipher = input[3];\n    return 4;\n  }\n\n  /**\n   * Write KDFParams to an Uint8Array\n   * @returns  {Uint8Array}  Array with the KDFParams value\n   */\n  write() {\n    return new Uint8Array([3, 1, this.hash, this.cipher]);\n  }\n}\n\nexport default KDFParams;\n","/**\n * Encoded symmetric key for x25519 and x448\n * The payload format varies for v3 and v6 PKESK:\n * the former includes an algorithm byte preceeding the encrypted session key.\n *\n * @module type/x25519x448_symkey\n */\n\nimport util from '../util';\n\nclass ECDHXSymmetricKey {\n  static fromObject({ wrappedKey, algorithm }) {\n    const instance = new ECDHXSymmetricKey();\n    instance.wrappedKey = wrappedKey;\n    instance.algorithm = algorithm;\n    return instance;\n  }\n\n  /**\n   * - 1 octect for the length `l`\n   * - `l` octects of encoded session key data (with optional leading algorithm byte)\n   * @param {Uint8Array} bytes\n   * @returns {Number} Number of read bytes.\n   */\n  read(bytes) {\n    let read = 0;\n    let followLength = bytes[read++];\n    this.algorithm = followLength % 2 ? bytes[read++] : null; // session key size is always even\n    followLength -= followLength % 2;\n    this.wrappedKey = util.readExactSubarray(bytes, read, read + followLength); read += followLength;\n  }\n\n  /**\n   * Write an MontgomerySymmetricKey as an Uint8Array\n   * @returns  {Uint8Array} Serialised data\n   */\n  write() {\n    return util.concatUint8Array([\n      this.algorithm ?\n        new Uint8Array([this.wrappedKey.length + 1, this.algorithm]) :\n        new Uint8Array([this.wrappedKey.length]),\n      this.wrappedKey\n    ]);\n  }\n}\n\nexport default ECDHXSymmetricKey;\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n// The GPG4Browsers crypto interface\n\n/**\n * @fileoverview Provides functions for asymmetric encryption and decryption as\n * well as key generation and parameter handling for all public-key cryptosystems.\n * @module crypto/crypto\n */\n\nimport { rsa, elliptic, elgamal, dsa } from './public_key';\nimport { getRandomBytes } from './random';\nimport { getCipherParams } from './cipher';\nimport ECDHSymkey from '../type/ecdh_symkey';\nimport KDFParams from '../type/kdf_params';\nimport enums from '../enums';\nimport util from '../util';\nimport OID from '../type/oid';\nimport { UnsupportedError } from '../packet/packet';\nimport ECDHXSymmetricKey from '../type/ecdh_x_symkey';\n\n/**\n * Encrypts data using specified algorithm and public key parameters.\n * See {@link https://tools.ietf.org/html/rfc4880#section-9.1|RFC 4880 9.1} for public key algorithms.\n * @param {module:enums.publicKey} keyAlgo - Public key algorithm\n * @param {module:enums.symmetric|null} symmetricAlgo - Cipher algorithm (v3 only)\n * @param {Object} publicParams - Algorithm-specific public key parameters\n * @param {Uint8Array} data - Session key data to be encrypted\n * @param {Uint8Array} fingerprint - Recipient fingerprint\n * @returns {Promise<Object>} Encrypted session key parameters.\n * @async\n */\nexport async function publicKeyEncrypt(keyAlgo, symmetricAlgo, publicParams, data, fingerprint) {\n  switch (keyAlgo) {\n    case enums.publicKey.rsaEncrypt:\n    case enums.publicKey.rsaEncryptSign: {\n      const { n, e } = publicParams;\n      const c = await rsa.encrypt(data, n, e);\n      return { c };\n    }\n    case enums.publicKey.elgamal: {\n      const { p, g, y } = publicParams;\n      return elgamal.encrypt(data, p, g, y);\n    }\n    case enums.publicKey.ecdh: {\n      const { oid, Q, kdfParams } = publicParams;\n      const { publicKey: V, wrappedKey: C } = await elliptic.ecdh.encrypt(\n        oid, kdfParams, data, Q, fingerprint);\n      return { V, C: new ECDHSymkey(C) };\n    }\n    case enums.publicKey.x25519:\n    case enums.publicKey.x448: {\n      if (symmetricAlgo && !util.isAES(symmetricAlgo)) {\n        // see https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/276\n        throw new Error('X25519 and X448 keys can only encrypt AES session keys');\n      }\n      const { A } = publicParams;\n      const { ephemeralPublicKey, wrappedKey } = await elliptic.ecdhX.encrypt(\n        keyAlgo, data, A);\n      const C = ECDHXSymmetricKey.fromObject({ algorithm: symmetricAlgo, wrappedKey });\n      return { ephemeralPublicKey, C };\n    }\n    default:\n      return [];\n  }\n}\n\n/**\n * Decrypts data using specified algorithm and private key parameters.\n * See {@link https://tools.ietf.org/html/rfc4880#section-5.5.3|RFC 4880 5.5.3}\n * @param {module:enums.publicKey} algo - Public key algorithm\n * @param {Object} publicKeyParams - Algorithm-specific public key parameters\n * @param {Object} privateKeyParams - Algorithm-specific private key parameters\n * @param {Object} sessionKeyParams - Encrypted session key parameters\n * @param {Uint8Array} fingerprint - Recipient fingerprint\n * @param {Uint8Array} [randomPayload] - Data to return on decryption error, instead of throwing\n *                                    (needed for constant-time processing in RSA and ElGamal)\n * @returns {Promise<Uint8Array>} Decrypted data.\n * @throws {Error} on sensitive decryption error, unless `randomPayload` is given\n * @async\n */\nexport async function publicKeyDecrypt(algo, publicKeyParams, privateKeyParams, sessionKeyParams, fingerprint, randomPayload) {\n  switch (algo) {\n    case enums.publicKey.rsaEncryptSign:\n    case enums.publicKey.rsaEncrypt: {\n      const { c } = sessionKeyParams;\n      const { n, e } = publicKeyParams;\n      const { d, p, q, u } = privateKeyParams;\n      return rsa.decrypt(c, n, e, d, p, q, u, randomPayload);\n    }\n    case enums.publicKey.elgamal: {\n      const { c1, c2 } = sessionKeyParams;\n      const p = publicKeyParams.p;\n      const x = privateKeyParams.x;\n      return elgamal.decrypt(c1, c2, p, x, randomPayload);\n    }\n    case enums.publicKey.ecdh: {\n      const { oid, Q, kdfParams } = publicKeyParams;\n      const { d } = privateKeyParams;\n      const { V, C } = sessionKeyParams;\n      return elliptic.ecdh.decrypt(\n        oid, kdfParams, V, C.data, Q, d, fingerprint);\n    }\n    case enums.publicKey.x25519:\n    case enums.publicKey.x448: {\n      const { A } = publicKeyParams;\n      const { k } = privateKeyParams;\n      const { ephemeralPublicKey, C } = sessionKeyParams;\n      if (C.algorithm !== null && !util.isAES(C.algorithm)) {\n        throw new Error('AES session key expected');\n      }\n      return elliptic.ecdhX.decrypt(\n        algo, ephemeralPublicKey, C.wrappedKey, A, k);\n    }\n    default:\n      throw new Error('Unknown public key encryption algorithm.');\n  }\n}\n\n/**\n * Parse public key material in binary form to get the key parameters\n * @param {module:enums.publicKey} algo - The key algorithm\n * @param {Uint8Array} bytes - The key material to parse\n * @returns {{ read: Number, publicParams: Object }} Number of read bytes plus key parameters referenced by name.\n */\nexport function parsePublicKeyParams(algo, bytes) {\n  let read = 0;\n  switch (algo) {\n    case enums.publicKey.rsaEncrypt:\n    case enums.publicKey.rsaEncryptSign:\n    case enums.publicKey.rsaSign: {\n      const n = util.readMPI(bytes.subarray(read)); read += n.length + 2;\n      const e = util.readMPI(bytes.subarray(read)); read += e.length + 2;\n      return { read, publicParams: { n, e } };\n    }\n    case enums.publicKey.dsa: {\n      const p = util.readMPI(bytes.subarray(read)); read += p.length + 2;\n      const q = util.readMPI(bytes.subarray(read)); read += q.length + 2;\n      const g = util.readMPI(bytes.subarray(read)); read += g.length + 2;\n      const y = util.readMPI(bytes.subarray(read)); read += y.length + 2;\n      return { read, publicParams: { p, q, g, y } };\n    }\n    case enums.publicKey.elgamal: {\n      const p = util.readMPI(bytes.subarray(read)); read += p.length + 2;\n      const g = util.readMPI(bytes.subarray(read)); read += g.length + 2;\n      const y = util.readMPI(bytes.subarray(read)); read += y.length + 2;\n      return { read, publicParams: { p, g, y } };\n    }\n    case enums.publicKey.ecdsa: {\n      const oid = new OID(); read += oid.read(bytes);\n      checkSupportedCurve(oid);\n      const Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;\n      return { read: read, publicParams: { oid, Q } };\n    }\n    case enums.publicKey.eddsaLegacy: {\n      const oid = new OID(); read += oid.read(bytes);\n      checkSupportedCurve(oid);\n      if (oid.getName() !== enums.curve.ed25519Legacy) {\n        throw new Error('Unexpected OID for eddsaLegacy');\n      }\n      let Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;\n      Q = util.leftPad(Q, 33);\n      return { read: read, publicParams: { oid, Q } };\n    }\n    case enums.publicKey.ecdh: {\n      const oid = new OID(); read += oid.read(bytes);\n      checkSupportedCurve(oid);\n      const Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;\n      const kdfParams = new KDFParams(); read += kdfParams.read(bytes.subarray(read));\n      return { read: read, publicParams: { oid, Q, kdfParams } };\n    }\n    case enums.publicKey.ed25519:\n    case enums.publicKey.ed448:\n    case enums.publicKey.x25519:\n    case enums.publicKey.x448: {\n      const A = util.readExactSubarray(bytes, read, read + getCurvePayloadSize(algo)); read += A.length;\n      return { read, publicParams: { A } };\n    }\n    default:\n      throw new UnsupportedError('Unknown public key encryption algorithm.');\n  }\n}\n\n/**\n * Parse private key material in binary form to get the key parameters\n * @param {module:enums.publicKey} algo - The key algorithm\n * @param {Uint8Array} bytes - The key material to parse\n * @param {Object} publicParams - (ECC only) public params, needed to format some private params\n * @returns {{ read: Number, privateParams: Object }} Number of read bytes plus the key parameters referenced by name.\n */\nexport function parsePrivateKeyParams(algo, bytes, publicParams) {\n  let read = 0;\n  switch (algo) {\n    case enums.publicKey.rsaEncrypt:\n    case enums.publicKey.rsaEncryptSign:\n    case enums.publicKey.rsaSign: {\n      const d = util.readMPI(bytes.subarray(read)); read += d.length + 2;\n      const p = util.readMPI(bytes.subarray(read)); read += p.length + 2;\n      const q = util.readMPI(bytes.subarray(read)); read += q.length + 2;\n      const u = util.readMPI(bytes.subarray(read)); read += u.length + 2;\n      return { read, privateParams: { d, p, q, u } };\n    }\n    case enums.publicKey.dsa:\n    case enums.publicKey.elgamal: {\n      const x = util.readMPI(bytes.subarray(read)); read += x.length + 2;\n      return { read, privateParams: { x } };\n    }\n    case enums.publicKey.ecdsa:\n    case enums.publicKey.ecdh: {\n      const payloadSize = getCurvePayloadSize(algo, publicParams.oid);\n      let d = util.readMPI(bytes.subarray(read)); read += d.length + 2;\n      d = util.leftPad(d, payloadSize);\n      return { read, privateParams: { d } };\n    }\n    case enums.publicKey.eddsaLegacy: {\n      const payloadSize = getCurvePayloadSize(algo, publicParams.oid);\n      if (publicParams.oid.getName() !== enums.curve.ed25519Legacy) {\n        throw new Error('Unexpected OID for eddsaLegacy');\n      }\n      let seed = util.readMPI(bytes.subarray(read)); read += seed.length + 2;\n      seed = util.leftPad(seed, payloadSize);\n      return { read, privateParams: { seed } };\n    }\n    case enums.publicKey.ed25519:\n    case enums.publicKey.ed448: {\n      const payloadSize = getCurvePayloadSize(algo);\n      const seed = util.readExactSubarray(bytes, read, read + payloadSize); read += seed.length;\n      return { read, privateParams: { seed } };\n    }\n    case enums.publicKey.x25519:\n    case enums.publicKey.x448: {\n      const payloadSize = getCurvePayloadSize(algo);\n      const k = util.readExactSubarray(bytes, read, read + payloadSize); read += k.length;\n      return { read, privateParams: { k } };\n    }\n    default:\n      throw new UnsupportedError('Unknown public key encryption algorithm.');\n  }\n}\n\n/** Returns the types comprising the encrypted session key of an algorithm\n * @param {module:enums.publicKey} algo - The key algorithm\n * @param {Uint8Array} bytes - The key material to parse\n * @returns {Object} The session key parameters referenced by name.\n */\nexport function parseEncSessionKeyParams(algo, bytes) {\n  let read = 0;\n  switch (algo) {\n    //   Algorithm-Specific Fields for RSA encrypted session keys:\n    //       - MPI of RSA encrypted value m**e mod n.\n    case enums.publicKey.rsaEncrypt:\n    case enums.publicKey.rsaEncryptSign: {\n      const c = util.readMPI(bytes.subarray(read));\n      return { c };\n    }\n\n    //   Algorithm-Specific Fields for Elgamal encrypted session keys:\n    //       - MPI of Elgamal value g**k mod p\n    //       - MPI of Elgamal value m * y**k mod p\n    case enums.publicKey.elgamal: {\n      const c1 = util.readMPI(bytes.subarray(read)); read += c1.length + 2;\n      const c2 = util.readMPI(bytes.subarray(read));\n      return { c1, c2 };\n    }\n    //   Algorithm-Specific Fields for ECDH encrypted session keys:\n    //       - MPI containing the ephemeral key used to establish the shared secret\n    //       - ECDH Symmetric Key\n    case enums.publicKey.ecdh: {\n      const V = util.readMPI(bytes.subarray(read)); read += V.length + 2;\n      const C = new ECDHSymkey(); C.read(bytes.subarray(read));\n      return { V, C };\n    }\n    //   Algorithm-Specific Fields for X25519 or X448 encrypted session keys:\n    //       - 32 octets representing an ephemeral X25519 public key (or 57 octets for X448).\n    //       - A one-octet size of the following fields.\n    //       - The one-octet algorithm identifier, if it was passed (in the case of a v3 PKESK packet).\n    //       - The encrypted session key.\n    case enums.publicKey.x25519:\n    case enums.publicKey.x448: {\n      const pointSize = getCurvePayloadSize(algo);\n      const ephemeralPublicKey = util.readExactSubarray(bytes, read, read + pointSize); read += ephemeralPublicKey.length;\n      const C = new ECDHXSymmetricKey(); C.read(bytes.subarray(read));\n      return { ephemeralPublicKey, C };\n    }\n    default:\n      throw new UnsupportedError('Unknown public key encryption algorithm.');\n  }\n}\n\n/**\n * Convert params to MPI and serializes them in the proper order\n * @param {module:enums.publicKey} algo - The public key algorithm\n * @param {Object} params - The key parameters indexed by name\n * @returns {Uint8Array} The array containing the MPIs.\n */\nexport function serializeParams(algo, params) {\n  // Some algorithms do not rely on MPIs to store the binary params\n  const algosWithNativeRepresentation = new Set([\n    enums.publicKey.ed25519,\n    enums.publicKey.x25519,\n    enums.publicKey.ed448,\n    enums.publicKey.x448\n  ]);\n  const orderedParams = Object.keys(params).map(name => {\n    const param = params[name];\n    if (!util.isUint8Array(param)) return param.write();\n    return algosWithNativeRepresentation.has(algo) ? param : util.uint8ArrayToMPI(param);\n  });\n  return util.concatUint8Array(orderedParams);\n}\n\n/**\n * Generate algorithm-specific key parameters\n * @param {module:enums.publicKey} algo - The public key algorithm\n * @param {Integer} bits - Bit length for RSA keys\n * @param {module:type/oid} oid - Object identifier for ECC keys\n * @returns {Promise<{ publicParams: {Object}, privateParams: {Object} }>} The parameters referenced by name.\n * @async\n */\nexport function generateParams(algo, bits, oid) {\n  switch (algo) {\n    case enums.publicKey.rsaEncrypt:\n    case enums.publicKey.rsaEncryptSign:\n    case enums.publicKey.rsaSign:\n      return rsa.generate(bits, 65537).then(({ n, e, d, p, q, u }) => ({\n        privateParams: { d, p, q, u },\n        publicParams: { n, e }\n      }));\n    case enums.publicKey.ecdsa:\n      return elliptic.generate(oid).then(({ oid, Q, secret }) => ({\n        privateParams: { d: secret },\n        publicParams: { oid: new OID(oid), Q }\n      }));\n    case enums.publicKey.eddsaLegacy:\n      return elliptic.generate(oid).then(({ oid, Q, secret }) => ({\n        privateParams: { seed: secret },\n        publicParams: { oid: new OID(oid), Q }\n      }));\n    case enums.publicKey.ecdh:\n      return elliptic.generate(oid).then(({ oid, Q, secret, hash, cipher }) => ({\n        privateParams: { d: secret },\n        publicParams: {\n          oid: new OID(oid),\n          Q,\n          kdfParams: new KDFParams({ hash, cipher })\n        }\n      }));\n    case enums.publicKey.ed25519:\n    case enums.publicKey.ed448:\n      return elliptic.eddsa.generate(algo).then(({ A, seed }) => ({\n        privateParams: { seed },\n        publicParams: { A }\n      }));\n    case enums.publicKey.x25519:\n    case enums.publicKey.x448:\n      return elliptic.ecdhX.generate(algo).then(({ A, k }) => ({\n        privateParams: { k },\n        publicParams: { A }\n      }));\n    case enums.publicKey.dsa:\n    case enums.publicKey.elgamal:\n      throw new Error('Unsupported algorithm for key generation.');\n    default:\n      throw new Error('Unknown public key algorithm.');\n  }\n}\n\n/**\n * Validate algorithm-specific key parameters\n * @param {module:enums.publicKey} algo - The public key algorithm\n * @param {Object} publicParams - Algorithm-specific public key parameters\n * @param {Object} privateParams - Algorithm-specific private key parameters\n * @returns {Promise<Boolean>} Whether the parameters are valid.\n * @async\n */\nexport async function validateParams(algo, publicParams, privateParams) {\n  if (!publicParams || !privateParams) {\n    throw new Error('Missing key parameters');\n  }\n  switch (algo) {\n    case enums.publicKey.rsaEncrypt:\n    case enums.publicKey.rsaEncryptSign:\n    case enums.publicKey.rsaSign: {\n      const { n, e } = publicParams;\n      const { d, p, q, u } = privateParams;\n      return rsa.validateParams(n, e, d, p, q, u);\n    }\n    case enums.publicKey.dsa: {\n      const { p, q, g, y } = publicParams;\n      const { x } = privateParams;\n      return dsa.validateParams(p, q, g, y, x);\n    }\n    case enums.publicKey.elgamal: {\n      const { p, g, y } = publicParams;\n      const { x } = privateParams;\n      return elgamal.validateParams(p, g, y, x);\n    }\n    case enums.publicKey.ecdsa:\n    case enums.publicKey.ecdh: {\n      const algoModule = elliptic[enums.read(enums.publicKey, algo)];\n      const { oid, Q } = publicParams;\n      const { d } = privateParams;\n      return algoModule.validateParams(oid, Q, d);\n    }\n    case enums.publicKey.eddsaLegacy: {\n      const { Q, oid } = publicParams;\n      const { seed } = privateParams;\n      return elliptic.eddsaLegacy.validateParams(oid, Q, seed);\n    }\n    case enums.publicKey.ed25519:\n    case enums.publicKey.ed448: {\n      const { A } = publicParams;\n      const { seed } = privateParams;\n      return elliptic.eddsa.validateParams(algo, A, seed);\n    }\n    case enums.publicKey.x25519:\n    case enums.publicKey.x448: {\n      const { A } = publicParams;\n      const { k } = privateParams;\n      return elliptic.ecdhX.validateParams(algo, A, k);\n    }\n    default:\n      throw new Error('Unknown public key algorithm.');\n  }\n}\n\n/**\n * Generating a session key for the specified symmetric algorithm\n * See {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC 4880 9.2} for algorithms.\n * @param {module:enums.symmetric} algo - Symmetric encryption algorithm\n * @returns {Uint8Array} Random bytes as a string to be used as a key.\n */\nexport function generateSessionKey(algo) {\n  const { keySize } = getCipherParams(algo);\n  return getRandomBytes(keySize);\n}\n\n/**\n * Check whether the given curve OID is supported\n * @param {module:type/oid} oid - EC object identifier\n * @throws {UnsupportedError} if curve is not supported\n */\nfunction checkSupportedCurve(oid) {\n  try {\n    oid.getName();\n  } catch (e) {\n    throw new UnsupportedError('Unknown curve OID');\n  }\n}\n\n/**\n * Get encoded secret size for a given elliptic algo\n * @param {module:enums.publicKey} algo - alrogithm identifier\n * @param {module:type/oid} [oid] - curve OID if needed by algo\n */\nexport function getCurvePayloadSize(algo, oid) {\n  switch (algo) {\n    case enums.publicKey.ecdsa:\n    case enums.publicKey.ecdh:\n    case enums.publicKey.eddsaLegacy:\n      return new elliptic.CurveWithOID(oid).payloadSize;\n    case enums.publicKey.ed25519:\n    case enums.publicKey.ed448:\n      return elliptic.eddsa.getPayloadSize(algo);\n    case enums.publicKey.x25519:\n    case enums.publicKey.x448:\n      return elliptic.ecdhX.getPayloadSize(algo);\n    default:\n      throw new Error('Unknown elliptic algo');\n  }\n}\n\n/**\n * Get preferred signing hash algo for a given elliptic algo\n * @param {module:enums.publicKey} algo - alrogithm identifier\n * @param {module:type/oid} [oid] - curve OID if needed by algo\n */\nexport function getPreferredCurveHashAlgo(algo, oid) {\n  switch (algo) {\n    case enums.publicKey.ecdsa:\n    case enums.publicKey.eddsaLegacy:\n      return elliptic.getPreferredHashAlgo(oid);\n    case enums.publicKey.ed25519:\n    case enums.publicKey.ed448:\n      return elliptic.eddsa.getPreferredHashAlgo(algo);\n    default:\n      throw new Error('Unknown elliptic signing algo');\n  }\n}\n\n","// Modified by ProtonTech AG\n\n// Modified by Recurity Labs GmbH\n\n// modified version of https://www.hanewin.net/encrypt/PGdecode.js:\n\n/* OpenPGP encryption using RSA/AES\n * Copyright 2005-2006 Herbert Hanewinkel, www.haneWIN.de\n * version 2.0, check www.haneWIN.de for the latest version\n\n * This software is provided as-is, without express or implied warranty.\n * Permission to use, copy, modify, distribute or sell this software, with or\n * without fee, for any purpose and by any individual or organization, is hereby\n * granted, provided that the above copyright notice and this paragraph appear\n * in all copies. Distribution as a part of an application or binary must\n * include the above copyright notice in the documentation and/or other\n * materials provided with the application or distribution.\n */\n\n/**\n * @module crypto/mode/cfb\n */\n\nimport { cfb as nobleAesCfb, unsafe as nobleAesHelpers } from '@noble/ciphers/aes';\n\nimport { transform as streamTransform } from '@openpgp/web-stream-tools';\nimport util from '../../util';\nimport enums from '../../enums';\nimport { getLegacyCipher, getCipherParams } from '../cipher';\nimport { getRandomBytes } from '../random';\n\nconst webCrypto = util.getWebCrypto();\nconst nodeCrypto = util.getNodeCrypto();\n\nconst knownAlgos = nodeCrypto ? nodeCrypto.getCiphers() : [];\nconst nodeAlgos = {\n  idea: knownAlgos.includes('idea-cfb') ? 'idea-cfb' : undefined, /* Unused, not implemented */\n  tripledes: knownAlgos.includes('des-ede3-cfb') ? 'des-ede3-cfb' : undefined,\n  cast5: knownAlgos.includes('cast5-cfb') ? 'cast5-cfb' : undefined,\n  blowfish: knownAlgos.includes('bf-cfb') ? 'bf-cfb' : undefined,\n  aes128: knownAlgos.includes('aes-128-cfb') ? 'aes-128-cfb' : undefined,\n  aes192: knownAlgos.includes('aes-192-cfb') ? 'aes-192-cfb' : undefined,\n  aes256: knownAlgos.includes('aes-256-cfb') ? 'aes-256-cfb' : undefined\n  /* twofish is not implemented in OpenSSL */\n};\n\n/**\n * Generates a random byte prefix for the specified algorithm\n * See {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC 4880 9.2} for algorithms.\n * @param {module:enums.symmetric} algo - Symmetric encryption algorithm\n * @returns {Promise<Uint8Array>} Random bytes with length equal to the block size of the cipher, plus the last two bytes repeated.\n * @async\n */\nexport async function getPrefixRandom(algo) {\n  const { blockSize } = getCipherParams(algo);\n  const prefixrandom = await getRandomBytes(blockSize);\n  const repeat = new Uint8Array([prefixrandom[prefixrandom.length - 2], prefixrandom[prefixrandom.length - 1]]);\n  return util.concat([prefixrandom, repeat]);\n}\n\n/**\n * CFB encryption\n * @param {enums.symmetric} algo - block cipher algorithm\n * @param {Uint8Array} key\n * @param {MaybeStream<Uint8Array>} plaintext\n * @param {Uint8Array} iv\n * @param {Object} config - full configuration, defaults to openpgp.config\n * @returns MaybeStream<Uint8Array>\n */\nexport async function encrypt(algo, key, plaintext, iv, config) {\n  const algoName = enums.read(enums.symmetric, algo);\n  if (util.getNodeCrypto() && nodeAlgos[algoName]) { // Node crypto library.\n    return nodeEncrypt(algo, key, plaintext, iv);\n  }\n  if (util.isAES(algo)) {\n    return aesEncrypt(algo, key, plaintext, iv, config);\n  }\n\n  const LegacyCipher = await getLegacyCipher(algo);\n  const cipherfn = new LegacyCipher(key);\n  const block_size = cipherfn.blockSize;\n\n  const blockc = iv.slice();\n  let pt = new Uint8Array();\n  const process = chunk => {\n    if (chunk) {\n      pt = util.concatUint8Array([pt, chunk]);\n    }\n    const ciphertext = new Uint8Array(pt.length);\n    let i;\n    let j = 0;\n    while (chunk ? pt.length >= block_size : pt.length) {\n      const encblock = cipherfn.encrypt(blockc);\n      for (i = 0; i < block_size; i++) {\n        blockc[i] = pt[i] ^ encblock[i];\n        ciphertext[j++] = blockc[i];\n      }\n      pt = pt.subarray(block_size);\n    }\n    return ciphertext.subarray(0, j);\n  };\n  return streamTransform(plaintext, process, process);\n}\n\n/**\n * CFB decryption\n * @param {enums.symmetric} algo - block cipher algorithm\n * @param {Uint8Array} key\n * @param {MaybeStream<Uint8Array>} ciphertext\n * @param {Uint8Array} iv\n * @returns MaybeStream<Uint8Array>\n */\nexport async function decrypt(algo, key, ciphertext, iv) {\n  const algoName = enums.read(enums.symmetric, algo);\n  if (nodeCrypto && nodeAlgos[algoName]) { // Node crypto library.\n    return nodeDecrypt(algo, key, ciphertext, iv);\n  }\n  if (util.isAES(algo)) {\n    return aesDecrypt(algo, key, ciphertext, iv);\n  }\n\n  const LegacyCipher = await getLegacyCipher(algo);\n  const cipherfn = new LegacyCipher(key);\n  const block_size = cipherfn.blockSize;\n\n  let blockp = iv;\n  let ct = new Uint8Array();\n  const process = chunk => {\n    if (chunk) {\n      ct = util.concatUint8Array([ct, chunk]);\n    }\n    const plaintext = new Uint8Array(ct.length);\n    let i;\n    let j = 0;\n    while (chunk ? ct.length >= block_size : ct.length) {\n      const decblock = cipherfn.encrypt(blockp);\n      blockp = ct.subarray(0, block_size);\n      for (i = 0; i < block_size; i++) {\n        plaintext[j++] = blockp[i] ^ decblock[i];\n      }\n      ct = ct.subarray(block_size);\n    }\n    return plaintext.subarray(0, j);\n  };\n  return streamTransform(ciphertext, process, process);\n}\n\nclass WebCryptoEncryptor {\n  constructor(algo, key, iv) {\n    const { blockSize } = getCipherParams(algo);\n    this.key = key;\n    this.prevBlock = iv;\n    this.nextBlock = new Uint8Array(blockSize);\n    this.i = 0; // pointer inside next block\n    this.blockSize = blockSize;\n    this.zeroBlock = new Uint8Array(this.blockSize);\n  }\n\n  static async isSupported(algo) {\n    const { keySize } = getCipherParams(algo);\n    return webCrypto.importKey('raw', new Uint8Array(keySize), 'aes-cbc', false, ['encrypt'])\n      .then(() => true, () => false);\n  }\n\n  async _runCBC(plaintext, nonZeroIV) {\n    const mode = 'AES-CBC';\n    this.keyRef = this.keyRef || await webCrypto.importKey('raw', this.key, mode, false, ['encrypt']);\n    const ciphertext = await webCrypto.encrypt(\n      { name: mode, iv: nonZeroIV || this.zeroBlock },\n      this.keyRef,\n      plaintext\n    );\n    return new Uint8Array(ciphertext).subarray(0, plaintext.length);\n  }\n\n  async encryptChunk(value) {\n    const missing = this.nextBlock.length - this.i;\n    const added = value.subarray(0, missing);\n    this.nextBlock.set(added, this.i);\n    if ((this.i + value.length) >= (2 * this.blockSize)) {\n      const leftover = (value.length - missing) % this.blockSize;\n      const plaintext = util.concatUint8Array([\n        this.nextBlock,\n        value.subarray(missing, value.length - leftover)\n      ]);\n      const toEncrypt = util.concatUint8Array([\n        this.prevBlock,\n        plaintext.subarray(0, plaintext.length - this.blockSize) // stop one block \"early\", since we only need to xor the plaintext and pass it over as prevBlock\n      ]);\n\n      const encryptedBlocks = await this._runCBC(toEncrypt);\n      xorMut(encryptedBlocks, plaintext);\n      this.prevBlock = encryptedBlocks.slice(-this.blockSize);\n\n      // take care of leftover data\n      if (leftover > 0) this.nextBlock.set(value.subarray(-leftover));\n      this.i = leftover;\n\n      return encryptedBlocks;\n    }\n\n    this.i += added.length;\n    let encryptedBlock;\n    if (this.i === this.nextBlock.length) { // block ready to be encrypted\n      const curBlock = this.nextBlock;\n      encryptedBlock = await this._runCBC(this.prevBlock);\n      xorMut(encryptedBlock, curBlock);\n      this.prevBlock = encryptedBlock.slice();\n      this.i = 0;\n\n      const remaining = value.subarray(added.length);\n      this.nextBlock.set(remaining, this.i);\n      this.i += remaining.length;\n    } else {\n      encryptedBlock = new Uint8Array();\n    }\n\n    return encryptedBlock;\n  }\n\n  async finish() {\n    let result;\n    if (this.i === 0) { // nothing more to encrypt\n      result = new Uint8Array();\n    } else {\n      this.nextBlock = this.nextBlock.subarray(0, this.i);\n      const curBlock = this.nextBlock;\n      const encryptedBlock = await this._runCBC(this.prevBlock);\n      xorMut(encryptedBlock, curBlock);\n      result = encryptedBlock.subarray(0, curBlock.length);\n    }\n\n    this.clearSensitiveData();\n    return result;\n  }\n\n  clearSensitiveData() {\n    this.nextBlock.fill(0);\n    this.prevBlock.fill(0);\n    this.keyRef = null;\n    this.key = null;\n  }\n\n  async encrypt(plaintext) {\n    // plaintext is internally padded to block length before encryption\n    const encryptedWithPadding = await this._runCBC(\n      util.concatUint8Array([new Uint8Array(this.blockSize), plaintext]),\n      this.iv\n    );\n    // drop encrypted padding\n    const ct = encryptedWithPadding.subarray(0, plaintext.length);\n    xorMut(ct, plaintext);\n    this.clearSensitiveData();\n    return ct;\n  }\n}\n\nclass NobleStreamProcessor {\n  constructor(forEncryption, algo, key, iv) {\n    this.forEncryption = forEncryption;\n    const { blockSize } = getCipherParams(algo);\n    this.key = nobleAesHelpers.expandKeyLE(key);\n\n    if (iv.byteOffset % 4 !== 0) iv = iv.slice(); // aligned arrays required by noble-ciphers\n    this.prevBlock = getUint32Array(iv);\n    this.nextBlock = new Uint8Array(blockSize);\n    this.i = 0; // pointer inside next block\n    this.blockSize = blockSize;\n  }\n\n  _runCFB(src) {\n    const src32 = getUint32Array(src);\n    const dst = new Uint8Array(src.length);\n    const dst32 = getUint32Array(dst);\n    for (let i = 0; i + 4 <= dst32.length; i += 4) {\n      const { s0: e0, s1: e1, s2: e2, s3: e3 } = nobleAesHelpers.encrypt(this.key, this.prevBlock[0], this.prevBlock[1], this.prevBlock[2], this.prevBlock[3]);\n      dst32[i + 0] = src32[i + 0] ^ e0;\n      dst32[i + 1] = src32[i + 1] ^ e1;\n      dst32[i + 2] = src32[i + 2] ^ e2;\n      dst32[i + 3] = src32[i + 3] ^ e3;\n      this.prevBlock = (this.forEncryption ? dst32 : src32).slice(i, i + 4);\n    }\n    return dst;\n  }\n\n  async processChunk(value) {\n    const missing = this.nextBlock.length - this.i;\n    const added = value.subarray(0, missing);\n    this.nextBlock.set(added, this.i);\n\n    if ((this.i + value.length) >= (2 * this.blockSize)) {\n      const leftover = (value.length - missing) % this.blockSize;\n      const toProcess = util.concatUint8Array([\n        this.nextBlock,\n        value.subarray(missing, value.length - leftover)\n      ]);\n\n      const processedBlocks = this._runCFB(toProcess);\n\n      // take care of leftover data\n      if (leftover > 0) this.nextBlock.set(value.subarray(-leftover));\n      this.i = leftover;\n\n      return processedBlocks;\n    }\n\n    this.i += added.length;\n\n    let processedBlock;\n    if (this.i === this.nextBlock.length) { // block ready to be encrypted\n      processedBlock = this._runCFB(this.nextBlock);\n      this.i = 0;\n\n      const remaining = value.subarray(added.length);\n      this.nextBlock.set(remaining, this.i);\n      this.i += remaining.length;\n    } else {\n      processedBlock = new Uint8Array();\n    }\n\n    return processedBlock;\n  }\n\n  async finish() {\n    let result;\n    if (this.i === 0) { // nothing more to encrypt\n      result = new Uint8Array();\n    } else {\n      const processedBlock = this._runCFB(this.nextBlock);\n\n      result = processedBlock.subarray(0, this.i);\n    }\n\n    this.clearSensitiveData();\n    return result;\n  }\n\n  clearSensitiveData() {\n    this.nextBlock.fill(0);\n    this.prevBlock.fill(0);\n    this.key.fill(0);\n  }\n}\n\n\nasync function aesEncrypt(algo, key, pt, iv) {\n  if (webCrypto && await WebCryptoEncryptor.isSupported(algo)) { // Chromium does not implement AES with 192-bit keys\n    const cfb = new WebCryptoEncryptor(algo, key, iv);\n    return util.isStream(pt) ? streamTransform(pt, value => cfb.encryptChunk(value), () => cfb.finish()) : cfb.encrypt(pt);\n  } else if (util.isStream(pt)) { // async callbacks are not accepted by streamTransform unless the input is a stream\n    const cfb = new NobleStreamProcessor(true, algo, key, iv);\n    return streamTransform(pt, value => cfb.processChunk(value), () => cfb.finish());\n  }\n  return nobleAesCfb(key, iv).encrypt(pt);\n}\n\nasync function aesDecrypt(algo, key, ct, iv) {\n  if (util.isStream(ct)) {\n    const cfb = new NobleStreamProcessor(false, algo, key, iv);\n    return streamTransform(ct, value => cfb.processChunk(value), () => cfb.finish());\n  }\n  return nobleAesCfb(key, iv).decrypt(ct);\n}\n\nfunction xorMut(a, b) {\n  const aLength = Math.min(a.length, b.length);\n  for (let i = 0; i < aLength; i++) {\n    a[i] = a[i] ^ b[i];\n  }\n}\n\nconst getUint32Array = arr => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));\n\nfunction nodeEncrypt(algo, key, pt, iv) {\n  const algoName = enums.read(enums.symmetric, algo);\n  const cipherObj = new nodeCrypto.createCipheriv(nodeAlgos[algoName], key, iv);\n  return streamTransform(pt, value => new Uint8Array(cipherObj.update(value)));\n}\n\nfunction nodeDecrypt(algo, key, ct, iv) {\n  const algoName = enums.read(enums.symmetric, algo);\n  const decipherObj = new nodeCrypto.createDecipheriv(nodeAlgos[algoName], key, iv);\n  return streamTransform(ct, value => new Uint8Array(decipherObj.update(value)));\n}\n","/**\n * @fileoverview This module implements AES-CMAC on top of\n * native AES-CBC using either the WebCrypto API or Node.js' crypto API.\n * @module crypto/cmac\n */\n\nimport { cbc as nobleAesCbc } from '@noble/ciphers/aes';\nimport util from '../util';\n\nconst webCrypto = util.getWebCrypto();\nconst nodeCrypto = util.getNodeCrypto();\n\n\n/**\n * This implementation of CMAC is based on the description of OMAC in\n * http://web.cs.ucdavis.edu/~rogaway/papers/eax.pdf. As per that\n * document:\n *\n * We have made a small modification to the OMAC algorithm as it was\n * originally presented, changing one of its two constants.\n * Specifically, the constant 4 at line 85 was the constant 1/2 (the\n * multiplicative inverse of 2) in the original definition of OMAC [14].\n * The OMAC authors indicate that they will promulgate this modification\n * [15], which slightly simplifies implementations.\n */\n\nconst blockLength = 16;\n\n\n/**\n * xor `padding` into the end of `data`. This function implements \"the\n * operation xor→ [which] xors the shorter string into the end of longer\n * one\". Since data is always as least as long as padding, we can\n * simplify the implementation.\n * @param {Uint8Array} data\n * @param {Uint8Array} padding\n */\nfunction rightXORMut(data, padding) {\n  const offset = data.length - blockLength;\n  for (let i = 0; i < blockLength; i++) {\n    data[i + offset] ^= padding[i];\n  }\n  return data;\n}\n\nfunction pad(data, padding, padding2) {\n  // if |M| in {n, 2n, 3n, ...}\n  if (data.length && data.length % blockLength === 0) {\n    // then return M xor→ B,\n    return rightXORMut(data, padding);\n  }\n  // else return (M || 10^(n−1−(|M| mod n))) xor→ P\n  const padded = new Uint8Array(data.length + (blockLength - (data.length % blockLength)));\n  padded.set(data);\n  padded[data.length] = 0b10000000;\n  return rightXORMut(padded, padding2);\n}\n\nconst zeroBlock = new Uint8Array(blockLength);\n\nexport default async function CMAC(key) {\n  const cbc = await CBC(key);\n\n  // L ← E_K(0^n); B ← 2L; P ← 4L\n  const padding = util.double(await cbc(zeroBlock));\n  const padding2 = util.double(padding);\n\n  return async function(data) {\n    // return CBC_K(pad(M; B, P))\n    return (await cbc(pad(data, padding, padding2))).subarray(-blockLength);\n  };\n}\n\nasync function CBC(key) {\n  if (util.getNodeCrypto()) { // Node crypto library\n    return async function(pt) {\n      const en = new nodeCrypto.createCipheriv('aes-' + (key.length * 8) + '-cbc', key, zeroBlock);\n      const ct = en.update(pt);\n      return new Uint8Array(ct);\n    };\n  }\n\n  if (util.getWebCrypto()) {\n    try {\n      key = await webCrypto.importKey('raw', key, { name: 'AES-CBC', length: key.length * 8 }, false, ['encrypt']);\n      return async function(pt) {\n        const ct = await webCrypto.encrypt({ name: 'AES-CBC', iv: zeroBlock, length: blockLength * 8 }, key, pt);\n        return new Uint8Array(ct).subarray(0, ct.byteLength - blockLength);\n      };\n    } catch (err) {\n      // no 192 bit support in Chromium, which throws `OperationError`, see: https://www.chromium.org/blink/webcrypto#TOC-AES-support\n      if (err.name !== 'NotSupportedError' &&\n        !(key.length === 24 && err.name === 'OperationError')) {\n        throw err;\n      }\n      util.printDebugError('Browser did not support operation: ' + err.message);\n    }\n  }\n\n  return async function(pt) {\n    return nobleAesCbc(key, zeroBlock, { disablePadding: true }).encrypt(pt);\n  };\n}\n","// OpenPGP.js - An OpenPGP implementation in javascript\n// Copyright (C) 2018 ProtonTech AG\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * @fileoverview This module implements AES-EAX en/decryption on top of\n * native AES-CTR using either the WebCrypto API or Node.js' crypto API.\n * @module crypto/mode/eax\n */\n\nimport { ctr as nobleAesCtr } from '@noble/ciphers/aes';\nimport CMAC from '../cmac';\nimport util from '../../util';\nimport enums from '../../enums';\n\nconst webCrypto = util.getWebCrypto();\nconst nodeCrypto = util.getNodeCrypto();\nconst Buffer = util.getNodeBuffer();\n\n\nconst blockLength = 16;\nconst ivLength = blockLength;\nconst tagLength = blockLength;\n\nconst zero = new Uint8Array(blockLength);\nconst one = new Uint8Array(blockLength); one[blockLength - 1] = 1;\nconst two = new Uint8Array(blockLength); two[blockLength - 1] = 2;\n\nasync function OMAC(key) {\n  const cmac = await CMAC(key);\n  return function(t, message) {\n    return cmac(util.concatUint8Array([t, message]));\n  };\n}\n\nasync function CTR(key) {\n  if (util.getNodeCrypto()) { // Node crypto library\n    return async function(pt, iv) {\n      const en = new nodeCrypto.createCipheriv('aes-' + (key.length * 8) + '-ctr', key, iv);\n      const ct = Buffer.concat([en.update(pt), en.final()]);\n      return new Uint8Array(ct);\n    };\n  }\n\n  if (util.getWebCrypto()) {\n    try {\n      const keyRef = await webCrypto.importKey('raw', key, { name: 'AES-CTR', length: key.length * 8 }, false, ['encrypt']);\n      return async function(pt, iv) {\n        const ct = await webCrypto.encrypt({ name: 'AES-CTR', counter: iv, length: blockLength * 8 }, keyRef, pt);\n        return new Uint8Array(ct);\n      };\n    } catch (err) {\n      // no 192 bit support in Chromium, which throws `OperationError`, see: https://www.chromium.org/blink/webcrypto#TOC-AES-support\n      if (err.name !== 'NotSupportedError' &&\n        !(key.length === 24 && err.name === 'OperationError')) {\n        throw err;\n      }\n      util.printDebugError('Browser did not support operation: ' + err.message);\n    }\n  }\n\n  return async function(pt, iv) {\n    return nobleAesCtr(key, iv).encrypt(pt);\n  };\n}\n\n\n/**\n * Class to en/decrypt using EAX mode.\n * @param {enums.symmetric} cipher - The symmetric cipher algorithm to use\n * @param {Uint8Array} key - The encryption key\n */\nasync function EAX(cipher, key) {\n  if (cipher !== enums.symmetric.aes128 &&\n    cipher !== enums.symmetric.aes192 &&\n    cipher !== enums.symmetric.aes256) {\n    throw new Error('EAX mode supports only AES cipher');\n  }\n\n  const [\n    omac,\n    ctr\n  ] = await Promise.all([\n    OMAC(key),\n    CTR(key)\n  ]);\n\n  return {\n    /**\n     * Encrypt plaintext input.\n     * @param {Uint8Array} plaintext - The cleartext input to be encrypted\n     * @param {Uint8Array} nonce - The nonce (16 bytes)\n     * @param {Uint8Array} adata - Associated data to sign\n     * @returns {Promise<Uint8Array>} The ciphertext output.\n     */\n    encrypt: async function(plaintext, nonce, adata) {\n      const [\n        omacNonce,\n        omacAdata\n      ] = await Promise.all([\n        omac(zero, nonce),\n        omac(one, adata)\n      ]);\n      const ciphered = await ctr(plaintext, omacNonce);\n      const omacCiphered = await omac(two, ciphered);\n      const tag = omacCiphered; // Assumes that omac(*).length === tagLength.\n      for (let i = 0; i < tagLength; i++) {\n        tag[i] ^= omacAdata[i] ^ omacNonce[i];\n      }\n      return util.concatUint8Array([ciphered, tag]);\n    },\n\n    /**\n     * Decrypt ciphertext input.\n     * @param {Uint8Array} ciphertext - The ciphertext input to be decrypted\n     * @param {Uint8Array} nonce - The nonce (16 bytes)\n     * @param {Uint8Array} adata - Associated data to verify\n     * @returns {Promise<Uint8Array>} The plaintext output.\n     */\n    decrypt: async function(ciphertext, nonce, adata) {\n      if (ciphertext.length < tagLength) throw new Error('Invalid EAX ciphertext');\n      const ciphered = ciphertext.subarray(0, -tagLength);\n      const ctTag = ciphertext.subarray(-tagLength);\n      const [\n        omacNonce,\n        omacAdata,\n        omacCiphered\n      ] = await Promise.all([\n        omac(zero, nonce),\n        omac(one, adata),\n        omac(two, ciphered)\n      ]);\n      const tag = omacCiphered; // Assumes that omac(*).length === tagLength.\n      for (let i = 0; i < tagLength; i++) {\n        tag[i] ^= omacAdata[i] ^ omacNonce[i];\n      }\n      if (!util.equalsUint8Array(ctTag, tag)) throw new Error('Authentication tag mismatch');\n      const plaintext = await ctr(ciphered, omacNonce);\n      return plaintext;\n    }\n  };\n}\n\n\n/**\n * Get EAX nonce as defined by {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.16.1|RFC4880bis-04, section 5.16.1}.\n * @param {Uint8Array} iv - The initialization vector (16 bytes)\n * @param {Uint8Array} chunkIndex - The chunk index (8 bytes)\n */\nEAX.getNonce = function(iv, chunkIndex) {\n  const nonce = iv.slice();\n  for (let i = 0; i < chunkIndex.length; i++) {\n    nonce[8 + i] ^= chunkIndex[i];\n  }\n  return nonce;\n};\n\nEAX.blockLength = blockLength;\nEAX.ivLength = ivLength;\nEAX.tagLength = tagLength;\n\nexport default EAX;\n","// OpenPGP.js - An OpenPGP implementation in javascript\n// Copyright (C) 2018 ProtonTech AG\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * @fileoverview This module implements AES-OCB en/decryption.\n * @module crypto/mode/ocb\n */\n\nimport { cbc as nobleAesCbc } from '@noble/ciphers/aes';\nimport { getCipherParams } from '../cipher';\nimport util from '../../util';\n\nconst blockLength = 16;\nconst ivLength = 15;\n\n// https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.16.2:\n// While OCB [RFC7253] allows the authentication tag length to be of any\n// number up to 128 bits long, this document requires a fixed\n// authentication tag length of 128 bits (16 octets) for simplicity.\nconst tagLength = 16;\n\n\nfunction ntz(n) {\n  let ntz = 0;\n  for (let i = 1; (n & i) === 0; i <<= 1) {\n    ntz++;\n  }\n  return ntz;\n}\n\nfunction xorMut(S, T) {\n  for (let i = 0; i < S.length; i++) {\n    S[i] ^= T[i];\n  }\n  return S;\n}\n\nfunction xor(S, T) {\n  return xorMut(S.slice(), T);\n}\n\nconst zeroBlock = new Uint8Array(blockLength);\nconst one = new Uint8Array([1]);\n\n/**\n * Class to en/decrypt using OCB mode.\n * @param {enums.symmetric} cipher - The symmetric cipher algorithm to use\n * @param {Uint8Array} key - The encryption key\n */\nasync function OCB(cipher, key) {\n  const { keySize } = getCipherParams(cipher);\n  // sanity checks\n  if (!util.isAES(cipher) || key.length !== keySize) {\n    throw new Error('Unexpected algorithm or key size');\n  }\n\n  let maxNtz = 0;\n\n  // `encipher` and `decipher` cannot be async, since `crypt` shares state across calls,\n  // hence its execution cannot be broken up.\n  // As a result, WebCrypto cannot currently be used for `encipher`.\n  const aes = nobleAesCbc(key, zeroBlock, { disablePadding: true });\n  const encipher = block => aes.encrypt(block);\n  const decipher = block => aes.decrypt(block);\n  let mask;\n\n  constructKeyVariables(cipher, key);\n\n  function constructKeyVariables() {\n    const mask_x = encipher(zeroBlock);\n    const mask_$ = util.double(mask_x);\n    mask = [];\n    mask[0] = util.double(mask_$);\n\n\n    mask.x = mask_x;\n    mask.$ = mask_$;\n  }\n\n  function extendKeyVariables(text, adata) {\n    const newMaxNtz = util.nbits(Math.max(text.length, adata.length) / blockLength | 0) - 1;\n    for (let i = maxNtz + 1; i <= newMaxNtz; i++) {\n      mask[i] = util.double(mask[i - 1]);\n    }\n    maxNtz = newMaxNtz;\n  }\n\n  function hash(adata) {\n    if (!adata.length) {\n      // Fast path\n      return zeroBlock;\n    }\n\n    //\n    // Consider A as a sequence of 128-bit blocks\n    //\n    const m = adata.length / blockLength | 0;\n\n    const offset = new Uint8Array(blockLength);\n    const sum = new Uint8Array(blockLength);\n    for (let i = 0; i < m; i++) {\n      xorMut(offset, mask[ntz(i + 1)]);\n      xorMut(sum, encipher(xor(offset, adata)));\n      adata = adata.subarray(blockLength);\n    }\n\n    //\n    // Process any final partial block; compute final hash value\n    //\n    if (adata.length) {\n      xorMut(offset, mask.x);\n\n      const cipherInput = new Uint8Array(blockLength);\n      cipherInput.set(adata, 0);\n      cipherInput[adata.length] = 0b10000000;\n      xorMut(cipherInput, offset);\n\n      xorMut(sum, encipher(cipherInput));\n    }\n\n    return sum;\n  }\n\n  /**\n   * Encrypt/decrypt data.\n   * @param {encipher|decipher} fn - Encryption/decryption block cipher function\n   * @param {Uint8Array} text - The cleartext or ciphertext (without tag) input\n   * @param {Uint8Array} nonce - The nonce (15 bytes)\n   * @param {Uint8Array} adata - Associated data to sign\n   * @returns {Promise<Uint8Array>} The ciphertext or plaintext output, with tag appended in both cases.\n   */\n  function crypt(fn, text, nonce, adata) {\n    //\n    // Consider P as a sequence of 128-bit blocks\n    //\n    const m = text.length / blockLength | 0;\n\n    //\n    // Key-dependent variables\n    //\n    extendKeyVariables(text, adata);\n\n    //\n    // Nonce-dependent and per-encryption variables\n    //\n    //    Nonce = num2str(TAGLEN mod 128,7) || zeros(120-bitlen(N)) || 1 || N\n    // Note: We assume here that tagLength mod 16 == 0.\n    const paddedNonce = util.concatUint8Array([zeroBlock.subarray(0, ivLength - nonce.length), one, nonce]);\n    //    bottom = str2num(Nonce[123..128])\n    const bottom = paddedNonce[blockLength - 1] & 0b111111;\n    //    Ktop = ENCIPHER(K, Nonce[1..122] || zeros(6))\n    paddedNonce[blockLength - 1] &= 0b11000000;\n    const kTop = encipher(paddedNonce);\n    //    Stretch = Ktop || (Ktop[1..64] xor Ktop[9..72])\n    const stretched = util.concatUint8Array([kTop, xor(kTop.subarray(0, 8), kTop.subarray(1, 9))]);\n    //    Offset_0 = Stretch[1+bottom..128+bottom]\n    const offset = util.shiftRight(stretched.subarray(0 + (bottom >> 3), 17 + (bottom >> 3)), 8 - (bottom & 7)).subarray(1);\n    //    Checksum_0 = zeros(128)\n    const checksum = new Uint8Array(blockLength);\n\n    const ct = new Uint8Array(text.length + tagLength);\n\n    //\n    // Process any whole blocks\n    //\n    let i;\n    let pos = 0;\n    for (i = 0; i < m; i++) {\n      // Offset_i = Offset_{i-1} xor L_{ntz(i)}\n      xorMut(offset, mask[ntz(i + 1)]);\n      // C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i)\n      // P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i)\n      ct.set(xorMut(fn(xor(offset, text)), offset), pos);\n      // Checksum_i = Checksum_{i-1} xor P_i\n      xorMut(checksum, fn === encipher ? text : ct.subarray(pos));\n\n      text = text.subarray(blockLength);\n      pos += blockLength;\n    }\n\n    //\n    // Process any final partial block and compute raw tag\n    //\n    if (text.length) {\n      // Offset_* = Offset_m xor L_*\n      xorMut(offset, mask.x);\n      // Pad = ENCIPHER(K, Offset_*)\n      const padding = encipher(offset);\n      // C_* = P_* xor Pad[1..bitlen(P_*)]\n      ct.set(xor(text, padding), pos);\n\n      // Checksum_* = Checksum_m xor (P_* || 1 || new Uint8Array(127-bitlen(P_*)))\n      const xorInput = new Uint8Array(blockLength);\n      xorInput.set(fn === encipher ? text : ct.subarray(pos, -tagLength), 0);\n      xorInput[text.length] = 0b10000000;\n      xorMut(checksum, xorInput);\n      pos += text.length;\n    }\n    // Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A)\n    const tag = xorMut(encipher(xorMut(xorMut(checksum, offset), mask.$)), hash(adata));\n\n    //\n    // Assemble ciphertext\n    //\n    // C = C_1 || C_2 || ... || C_m || C_* || Tag[1..TAGLEN]\n    ct.set(tag, pos);\n    return ct;\n  }\n\n\n  return {\n    /**\n     * Encrypt plaintext input.\n     * @param {Uint8Array} plaintext - The cleartext input to be encrypted\n     * @param {Uint8Array} nonce - The nonce (15 bytes)\n     * @param {Uint8Array} adata - Associated data to sign\n     * @returns {Promise<Uint8Array>} The ciphertext output.\n     */\n    encrypt: async function(plaintext, nonce, adata) {\n      return crypt(encipher, plaintext, nonce, adata);\n    },\n\n    /**\n     * Decrypt ciphertext input.\n     * @param {Uint8Array} ciphertext - The ciphertext input to be decrypted\n     * @param {Uint8Array} nonce - The nonce (15 bytes)\n     * @param {Uint8Array} adata - Associated data to sign\n     * @returns {Promise<Uint8Array>} The ciphertext output.\n     */\n    decrypt: async function(ciphertext, nonce, adata) {\n      if (ciphertext.length < tagLength) throw new Error('Invalid OCB ciphertext');\n\n      const tag = ciphertext.subarray(-tagLength);\n      ciphertext = ciphertext.subarray(0, -tagLength);\n\n      const crypted = crypt(decipher, ciphertext, nonce, adata);\n      // if (Tag[1..TAGLEN] == T)\n      if (util.equalsUint8Array(tag, crypted.subarray(-tagLength))) {\n        return crypted.subarray(0, -tagLength);\n      }\n      throw new Error('Authentication tag mismatch');\n    }\n  };\n}\n\n\n/**\n * Get OCB nonce as defined by {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.16.2|RFC4880bis-04, section 5.16.2}.\n * @param {Uint8Array} iv - The initialization vector (15 bytes)\n * @param {Uint8Array} chunkIndex - The chunk index (8 bytes)\n */\nOCB.getNonce = function(iv, chunkIndex) {\n  const nonce = iv.slice();\n  for (let i = 0; i < chunkIndex.length; i++) {\n    nonce[7 + i] ^= chunkIndex[i];\n  }\n  return nonce;\n};\n\nOCB.blockLength = blockLength;\nOCB.ivLength = ivLength;\nOCB.tagLength = tagLength;\n\nexport default OCB;\n","// OpenPGP.js - An OpenPGP implementation in javascript\n// Copyright (C) 2016 Tankred Hase\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * @fileoverview This module wraps native AES-GCM en/decryption for both\n * the WebCrypto api as well as node.js' crypto api.\n * @module crypto/mode/gcm\n */\n\nimport { gcm as nobleAesGcm } from '@noble/ciphers/aes';\nimport util from '../../util';\nimport enums from '../../enums';\n\nconst webCrypto = util.getWebCrypto();\nconst nodeCrypto = util.getNodeCrypto();\nconst Buffer = util.getNodeBuffer();\n\nconst blockLength = 16;\nconst ivLength = 12; // size of the IV in bytes\nconst tagLength = 16; // size of the tag in bytes\nconst ALGO = 'AES-GCM';\n\n/**\n * Class to en/decrypt using GCM mode.\n * @param {enums.symmetric} cipher - The symmetric cipher algorithm to use\n * @param {Uint8Array} key - The encryption key\n */\nasync function GCM(cipher, key) {\n  if (cipher !== enums.symmetric.aes128 &&\n    cipher !== enums.symmetric.aes192 &&\n    cipher !== enums.symmetric.aes256) {\n    throw new Error('GCM mode supports only AES cipher');\n  }\n\n  if (util.getNodeCrypto()) { // Node crypto library\n    return {\n      encrypt: async function(pt, iv, adata = new Uint8Array()) {\n        const en = new nodeCrypto.createCipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);\n        en.setAAD(adata);\n        const ct = Buffer.concat([en.update(pt), en.final(), en.getAuthTag()]); // append auth tag to ciphertext\n        return new Uint8Array(ct);\n      },\n\n      decrypt: async function(ct, iv, adata = new Uint8Array()) {\n        const de = new nodeCrypto.createDecipheriv('aes-' + (key.length * 8) + '-gcm', key, iv);\n        de.setAAD(adata);\n        de.setAuthTag(ct.slice(ct.length - tagLength, ct.length)); // read auth tag at end of ciphertext\n        const pt = Buffer.concat([de.update(ct.slice(0, ct.length - tagLength)), de.final()]);\n        return new Uint8Array(pt);\n      }\n    };\n  }\n\n  if (util.getWebCrypto()) {\n    try {\n      const _key = await webCrypto.importKey('raw', key, { name: ALGO }, false, ['encrypt', 'decrypt']);\n      // Safari 13 and Safari iOS 14 does not support GCM-en/decrypting empty messages\n      const webcryptoEmptyMessagesUnsupported = navigator.userAgent.match(/Version\\/13\\.\\d(\\.\\d)* Safari/) ||\n        navigator.userAgent.match(/Version\\/(13|14)\\.\\d(\\.\\d)* Mobile\\/\\S* Safari/);\n      return {\n        encrypt: async function(pt, iv, adata = new Uint8Array()) {\n          if (webcryptoEmptyMessagesUnsupported && !pt.length) {\n            return nobleAesGcm(key, iv, adata).encrypt(pt);\n          }\n          const ct = await webCrypto.encrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength * 8 }, _key, pt);\n          return new Uint8Array(ct);\n        },\n\n        decrypt: async function(ct, iv, adata = new Uint8Array()) {\n          if (webcryptoEmptyMessagesUnsupported && ct.length === tagLength) {\n            return nobleAesGcm(key, iv, adata).decrypt(ct);\n          }\n          try {\n            const pt = await webCrypto.decrypt({ name: ALGO, iv, additionalData: adata, tagLength: tagLength * 8 }, _key, ct);\n            return new Uint8Array(pt);\n          } catch (e) {\n            if (e.name === 'OperationError') {\n              throw new Error('Authentication tag mismatch');\n            }\n          }\n        }\n      };\n    } catch (err) {\n      // no 192 bit support in Chromium, which throws `OperationError`, see: https://www.chromium.org/blink/webcrypto#TOC-AES-support\n      if (err.name !== 'NotSupportedError' &&\n        !(key.length === 24 && err.name === 'OperationError')) {\n        throw err;\n      }\n      util.printDebugError('Browser did not support operation: ' + err.message);\n    }\n  }\n\n  return {\n    encrypt: async function(pt, iv, adata) {\n      return nobleAesGcm(key, iv, adata).encrypt(pt);\n    },\n\n    decrypt: async function(ct, iv, adata) {\n      return nobleAesGcm(key, iv, adata).decrypt(ct);\n    }\n  };\n}\n\n\n/**\n * Get GCM nonce. Note: this operation is not defined by the standard.\n * A future version of the standard may define GCM mode differently,\n * hopefully under a different ID (we use Private/Experimental algorithm\n * ID 100) so that we can maintain backwards compatibility.\n * @param {Uint8Array} iv - The initialization vector (12 bytes)\n * @param {Uint8Array} chunkIndex - The chunk index (8 bytes)\n */\nGCM.getNonce = function(iv, chunkIndex) {\n  const nonce = iv.slice();\n  for (let i = 0; i < chunkIndex.length; i++) {\n    nonce[4 + i] ^= chunkIndex[i];\n  }\n  return nonce;\n};\n\nGCM.blockLength = blockLength;\nGCM.ivLength = ivLength;\nGCM.tagLength = tagLength;\n\nexport default GCM;\n","/**\n * @fileoverview Cipher modes\n * @module crypto/cipherMode\n */\n\nexport * as cfb from './cfb';\nimport eax from './eax';\nimport ocb from './ocb';\nimport gcm from './gcm';\nimport enums from '../../enums';\n\n/**\n* Get implementation of the given AEAD mode\n* @param {enums.aead} algo\n* @param {Boolean} [acceptExperimentalGCM] - whether to allow the non-standard, legacy `experimentalGCM` algo\n* @returns {Object}\n* @throws {Error} on invalid algo\n*/\nexport function getAEADMode(algo, acceptExperimentalGCM = false) {\n  switch (algo) {\n    case enums.aead.eax:\n      return eax;\n    case enums.aead.ocb:\n      return ocb;\n    case enums.aead.gcm:\n      return gcm;\n    case enums.aead.experimentalGCM:\n      if (!acceptExperimentalGCM) {\n        throw new Error('Unexpected non-standard `experimentalGCM` AEAD algorithm provided in `config.preferredAEADAlgorithm`: use `gcm` instead');\n      }\n      return gcm;\n    default:\n      throw new Error('Unsupported AEAD mode');\n  }\n}\n","/**\n * @fileoverview Provides functions for asymmetric signing and signature verification\n * @module crypto/signature\n */\n\nimport { elliptic, rsa, dsa } from './public_key';\nimport enums from '../enums';\nimport util from '../util';\nimport { UnsupportedError } from '../packet/packet';\n\n/**\n * Parse signature in binary form to get the parameters.\n * The returned values are only padded for EdDSA, since in the other cases their expected length\n * depends on the key params, hence we delegate the padding to the signature verification function.\n * See {@link https://tools.ietf.org/html/rfc4880#section-9.1|RFC 4880 9.1}\n * See {@link https://tools.ietf.org/html/rfc4880#section-5.2.2|RFC 4880 5.2.2.}\n * @param {module:enums.publicKey} algo - Public key algorithm\n * @param {Uint8Array} signature - Data for which the signature was created\n * @returns {Promise<Object>} True if signature is valid.\n * @async\n */\nexport function parseSignatureParams(algo, signature) {\n  let read = 0;\n  switch (algo) {\n    // Algorithm-Specific Fields for RSA signatures:\n    // -  MPI of RSA signature value m**d mod n.\n    case enums.publicKey.rsaEncryptSign:\n    case enums.publicKey.rsaEncrypt:\n    case enums.publicKey.rsaSign: {\n      const s = util.readMPI(signature.subarray(read)); read += s.length + 2;\n      // The signature needs to be the same length as the public key modulo n.\n      // We pad s on signature verification, where we have access to n.\n      return { read, signatureParams: { s } };\n    }\n    // Algorithm-Specific Fields for DSA or ECDSA signatures:\n    // -  MPI of DSA or ECDSA value r.\n    // -  MPI of DSA or ECDSA value s.\n    case enums.publicKey.dsa:\n    case enums.publicKey.ecdsa:\n    {\n      // If the signature payload sizes are unexpected, we will throw on verification,\n      // where we also have access to the OID curve from the key.\n      const r = util.readMPI(signature.subarray(read)); read += r.length + 2;\n      const s = util.readMPI(signature.subarray(read)); read += s.length + 2;\n      return { read, signatureParams: { r, s } };\n    }\n    // Algorithm-Specific Fields for legacy EdDSA signatures:\n    // -  MPI of an EC point r.\n    // -  EdDSA value s, in MPI, in the little endian representation\n    case enums.publicKey.eddsaLegacy: {\n      // Only Curve25519Legacy is supported (no Curve448Legacy), but the relevant checks are done on key parsing and signature\n      // verification: if the signature payload sizes are unexpected, we will throw on verification,\n      // where we also have access to the OID curve from the key.\n      const r = util.readMPI(signature.subarray(read)); read += r.length + 2;\n      const s = util.readMPI(signature.subarray(read)); read += s.length + 2;\n      return { read, signatureParams: { r, s } };\n    }\n    // Algorithm-Specific Fields for Ed25519 signatures:\n    // - 64 octets of the native signature\n    // Algorithm-Specific Fields for Ed448 signatures:\n    // - 114 octets of the native signature\n    case enums.publicKey.ed25519:\n    case enums.publicKey.ed448: {\n      const rsSize = 2 * elliptic.eddsa.getPayloadSize(algo);\n      const RS = util.readExactSubarray(signature, read, read + rsSize); read += RS.length;\n      return { read, signatureParams: { RS } };\n    }\n\n    default:\n      throw new UnsupportedError('Unknown signature algorithm.');\n  }\n}\n\n/**\n * Verifies the signature provided for data using specified algorithms and public key parameters.\n * See {@link https://tools.ietf.org/html/rfc4880#section-9.1|RFC 4880 9.1}\n * and {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC 4880 9.4}\n * for public key and hash algorithms.\n * @param {module:enums.publicKey} algo - Public key algorithm\n * @param {module:enums.hash} hashAlgo - Hash algorithm\n * @param {Object} signature - Named algorithm-specific signature parameters\n * @param {Object} publicParams - Algorithm-specific public key parameters\n * @param {Uint8Array} data - Data for which the signature was created\n * @param {Uint8Array} hashed - The hashed data\n * @returns {Promise<Boolean>} True if signature is valid.\n * @async\n */\nexport async function verify(algo, hashAlgo, signature, publicParams, data, hashed) {\n  switch (algo) {\n    case enums.publicKey.rsaEncryptSign:\n    case enums.publicKey.rsaEncrypt:\n    case enums.publicKey.rsaSign: {\n      const { n, e } = publicParams;\n      const s = util.leftPad(signature.s, n.length); // padding needed for webcrypto and node crypto\n      return rsa.verify(hashAlgo, data, s, n, e, hashed);\n    }\n    case enums.publicKey.dsa: {\n      const { g, p, q, y } = publicParams;\n      const { r, s } = signature; // no need to pad, since we always handle them as BigIntegers\n      return dsa.verify(hashAlgo, r, s, hashed, g, p, q, y);\n    }\n    case enums.publicKey.ecdsa: {\n      const { oid, Q } = publicParams;\n      const curveSize = new elliptic.CurveWithOID(oid).payloadSize;\n      // padding needed for webcrypto\n      const r = util.leftPad(signature.r, curveSize);\n      const s = util.leftPad(signature.s, curveSize);\n      return elliptic.ecdsa.verify(oid, hashAlgo, { r, s }, data, Q, hashed);\n    }\n    case enums.publicKey.eddsaLegacy: {\n      const { oid, Q } = publicParams;\n      const curveSize = new elliptic.CurveWithOID(oid).payloadSize;\n      // When dealing little-endian MPI data, we always need to left-pad it, as done with big-endian values:\n      // https://www.ietf.org/archive/id/draft-ietf-openpgp-rfc4880bis-10.html#section-3.2-9\n      const r = util.leftPad(signature.r, curveSize);\n      const s = util.leftPad(signature.s, curveSize);\n      return elliptic.eddsaLegacy.verify(oid, hashAlgo, { r, s }, data, Q, hashed);\n    }\n    case enums.publicKey.ed25519:\n    case enums.publicKey.ed448: {\n      const { A } = publicParams;\n      return elliptic.eddsa.verify(algo, hashAlgo, signature, data, A, hashed);\n    }\n    default:\n      throw new Error('Unknown signature algorithm.');\n  }\n}\n\n/**\n * Creates a signature on data using specified algorithms and private key parameters.\n * See {@link https://tools.ietf.org/html/rfc4880#section-9.1|RFC 4880 9.1}\n * and {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC 4880 9.4}\n * for public key and hash algorithms.\n * @param {module:enums.publicKey} algo - Public key algorithm\n * @param {module:enums.hash} hashAlgo - Hash algorithm\n * @param {Object} publicKeyParams - Algorithm-specific public and private key parameters\n * @param {Object} privateKeyParams - Algorithm-specific public and private key parameters\n * @param {Uint8Array} data - Data to be signed\n * @param {Uint8Array} hashed - The hashed data\n * @returns {Promise<Object>} Signature                      Object containing named signature parameters.\n * @async\n */\nexport async function sign(algo, hashAlgo, publicKeyParams, privateKeyParams, data, hashed) {\n  if (!publicKeyParams || !privateKeyParams) {\n    throw new Error('Missing key parameters');\n  }\n  switch (algo) {\n    case enums.publicKey.rsaEncryptSign:\n    case enums.publicKey.rsaEncrypt:\n    case enums.publicKey.rsaSign: {\n      const { n, e } = publicKeyParams;\n      const { d, p, q, u } = privateKeyParams;\n      const s = await rsa.sign(hashAlgo, data, n, e, d, p, q, u, hashed);\n      return { s };\n    }\n    case enums.publicKey.dsa: {\n      const { g, p, q } = publicKeyParams;\n      const { x } = privateKeyParams;\n      return dsa.sign(hashAlgo, hashed, g, p, q, x);\n    }\n    case enums.publicKey.elgamal:\n      throw new Error('Signing with Elgamal is not defined in the OpenPGP standard.');\n    case enums.publicKey.ecdsa: {\n      const { oid, Q } = publicKeyParams;\n      const { d } = privateKeyParams;\n      return elliptic.ecdsa.sign(oid, hashAlgo, data, Q, d, hashed);\n    }\n    case enums.publicKey.eddsaLegacy: {\n      const { oid, Q } = publicKeyParams;\n      const { seed } = privateKeyParams;\n      return elliptic.eddsaLegacy.sign(oid, hashAlgo, data, Q, seed, hashed);\n    }\n    case enums.publicKey.ed25519:\n    case enums.publicKey.ed448: {\n      const { A } = publicKeyParams;\n      const { seed } = privateKeyParams;\n      return elliptic.eddsa.sign(algo, hashAlgo, data, A, seed, hashed);\n    }\n    default:\n      throw new Error('Unknown signature algorithm.');\n  }\n}\n","import defaultConfig from '../../config';\nimport enums from '../../enums';\nimport util from '../../util';\nimport { getRandomBytes } from '../../crypto';\n\nconst ARGON2_TYPE = 0x02; // id\nconst ARGON2_VERSION = 0x13;\nconst ARGON2_SALT_SIZE = 16;\n\nexport class Argon2OutOfMemoryError extends Error {\n  constructor(...params) {\n    super(...params);\n\n    if (Error.captureStackTrace) {\n      Error.captureStackTrace(this, Argon2OutOfMemoryError);\n    }\n\n    this.name = 'Argon2OutOfMemoryError';\n  }\n}\n\n// cache argon wasm module\nlet loadArgonWasmModule;\nlet argon2Promise;\n// reload wasm module above this treshold, to deallocated used memory\nconst ARGON2_WASM_MEMORY_THRESHOLD_RELOAD = 2 << 19;\n\nclass Argon2S2K {\n  /**\n  * @param {Object} [config] - Full configuration, defaults to openpgp.config\n  */\n  constructor(config = defaultConfig) {\n    const { passes, parallelism, memoryExponent } = config.s2kArgon2Params;\n\n    this.type = 'argon2';\n    /**\n     * 16 bytes of salt\n     * @type {Uint8Array}\n     */\n    this.salt = null;\n    /**\n     * number of passes\n     * @type {Integer}\n     */\n    this.t = passes;\n    /**\n     * degree of parallelism (lanes)\n     * @type {Integer}\n     */\n    this.p = parallelism;\n    /**\n     * exponent indicating memory size\n     * @type {Integer}\n     */\n    this.encodedM = memoryExponent;\n  }\n\n  generateSalt() {\n    this.salt = getRandomBytes(ARGON2_SALT_SIZE);\n  }\n\n  /**\n  * Parsing function for argon2 string-to-key specifier.\n  * @param {Uint8Array} bytes - Payload of argon2 string-to-key specifier\n  * @returns {Integer} Actual length of the object.\n  */\n  read(bytes) {\n    let i = 0;\n\n    this.salt = bytes.subarray(i, i + 16);\n    i += 16;\n\n    this.t = bytes[i++];\n    this.p = bytes[i++];\n    this.encodedM = bytes[i++]; // memory size exponent, one-octect\n\n    return i;\n  }\n\n  /**\n  * Serializes s2k information\n  * @returns {Uint8Array} Binary representation of s2k.\n  */\n  write() {\n    const arr = [\n      new Uint8Array([enums.write(enums.s2k, this.type)]),\n      this.salt,\n      new Uint8Array([this.t, this.p, this.encodedM])\n    ];\n\n    return util.concatUint8Array(arr);\n  }\n\n  /**\n  * Produces a key using the specified passphrase and the defined\n  * hashAlgorithm\n  * @param {String} passphrase - Passphrase containing user input\n  * @returns {Promise<Uint8Array>} Produced key with a length corresponding to `keySize`\n  * @throws {Argon2OutOfMemoryError|Errors}\n  * @async\n  */\n  async produceKey(passphrase, keySize) {\n    const decodedM = 2 << (this.encodedM - 1);\n\n    try {\n      // on first load, the argon2 lib is imported and the WASM module is initialized.\n      // the two steps need to be atomic to avoid race conditions causing multiple wasm modules\n      // being loaded when `argon2Promise` is not initialized.\n      loadArgonWasmModule = loadArgonWasmModule || (await import('argon2id')).default;\n      argon2Promise = argon2Promise || loadArgonWasmModule();\n\n      // important to keep local ref to argon2 in case the module is reloaded by another instance\n      const argon2 = await argon2Promise;\n\n      const passwordBytes = util.encodeUTF8(passphrase);\n      const hash = argon2({\n        version: ARGON2_VERSION,\n        type: ARGON2_TYPE,\n        password: passwordBytes,\n        salt: this.salt,\n        tagLength: keySize,\n        memorySize: decodedM,\n        parallelism: this.p,\n        passes: this.t\n      });\n\n      // a lot of memory was used, reload to deallocate\n      if (decodedM > ARGON2_WASM_MEMORY_THRESHOLD_RELOAD) {\n        // it will be awaited if needed at the next `produceKey` invocation\n        argon2Promise = loadArgonWasmModule();\n        argon2Promise.catch(() => {});\n      }\n      return hash;\n    } catch (e) {\n      if (e.message && (\n        e.message.includes('Unable to grow instance memory') || // Chrome\n        e.message.includes('failed to grow memory') || // Firefox\n        e.message.includes('WebAssembly.Memory.grow') || // Safari\n        e.message.includes('Out of memory') // Safari iOS\n      )) {\n        throw new Argon2OutOfMemoryError('Could not allocate required memory for Argon2');\n      } else {\n        throw e;\n      }\n    }\n  }\n}\n\nexport default Argon2S2K;\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * Implementation of the String-to-key specifier\n *\n * {@link https://tools.ietf.org/html/rfc4880#section-3.7|RFC4880 3.7}:\n * String-to-key (S2K) specifiers are used to convert passphrase strings\n * into symmetric-key encryption/decryption keys.  They are used in two\n * places, currently: to encrypt the secret part of private keys in the\n * private keyring, and to convert passphrases to encryption keys for\n * symmetrically encrypted messages.\n * @module type/s2k\n */\n\nimport defaultConfig from '../../config';\nimport { getRandomBytes, computeDigest } from '../../crypto';\nimport enums from '../../enums';\nimport { UnsupportedError } from '../../packet/packet';\nimport util from '../../util';\n\nclass GenericS2K {\n  /**\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   */\n  constructor(s2kType, config = defaultConfig) {\n    /**\n     * Hash function identifier, or 0 for gnu-dummy keys\n     * @type {module:enums.hash | 0}\n     */\n    this.algorithm = enums.hash.sha256;\n    /**\n     * enums.s2k identifier or 'gnu-dummy'\n     * @type {String}\n     */\n    this.type = enums.read(enums.s2k, s2kType);\n    /** @type {Integer} */\n    this.c = config.s2kIterationCountByte;\n    /** Eight bytes of salt in a binary string.\n     * @type {Uint8Array}\n     */\n    this.salt = null;\n  }\n\n  generateSalt() {\n    switch (this.type) {\n      case 'salted':\n      case 'iterated':\n        this.salt = getRandomBytes(8);\n    }\n  }\n\n  getCount() {\n    // Exponent bias, defined in RFC4880\n    const expbias = 6;\n\n    return (16 + (this.c & 15)) << ((this.c >> 4) + expbias);\n  }\n\n  /**\n   * Parsing function for a string-to-key specifier ({@link https://tools.ietf.org/html/rfc4880#section-3.7|RFC 4880 3.7}).\n   * @param {Uint8Array} bytes - Payload of string-to-key specifier\n   * @returns {Integer} Actual length of the object.\n   */\n  read(bytes) {\n    let i = 0;\n    this.algorithm = bytes[i++];\n\n    switch (this.type) {\n      case 'simple':\n        break;\n\n      case 'salted':\n        this.salt = bytes.subarray(i, i + 8);\n        i += 8;\n        break;\n\n      case 'iterated':\n        this.salt = bytes.subarray(i, i + 8);\n        i += 8;\n\n        // Octet 10: count, a one-octet, coded value\n        this.c = bytes[i++];\n        break;\n\n      case 'gnu':\n        if (util.uint8ArrayToString(bytes.subarray(i, i + 3)) === 'GNU') {\n          i += 3; // GNU\n          const gnuExtType = 1000 + bytes[i++];\n          if (gnuExtType === 1001) {\n            this.type = 'gnu-dummy';\n            // GnuPG extension mode 1001 -- don't write secret key at all\n          } else {\n            throw new UnsupportedError('Unknown s2k gnu protection mode.');\n          }\n        } else {\n          throw new UnsupportedError('Unknown s2k type.');\n        }\n        break;\n\n      default:\n        throw new UnsupportedError('Unknown s2k type.'); // unreachable\n    }\n\n    return i;\n  }\n\n  /**\n   * Serializes s2k information\n   * @returns {Uint8Array} Binary representation of s2k.\n   */\n  write() {\n    if (this.type === 'gnu-dummy') {\n      return new Uint8Array([101, 0, ...util.stringToUint8Array('GNU'), 1]);\n    }\n    const arr = [new Uint8Array([enums.write(enums.s2k, this.type), this.algorithm])];\n\n    switch (this.type) {\n      case 'simple':\n        break;\n      case 'salted':\n        arr.push(this.salt);\n        break;\n      case 'iterated':\n        arr.push(this.salt);\n        arr.push(new Uint8Array([this.c]));\n        break;\n      case 'gnu':\n        throw new Error('GNU s2k type not supported.');\n      default:\n        throw new Error('Unknown s2k type.');\n    }\n\n    return util.concatUint8Array(arr);\n  }\n\n  /**\n   * Produces a key using the specified passphrase and the defined\n   * hashAlgorithm\n   * @param {String} passphrase - Passphrase containing user input\n   * @returns {Promise<Uint8Array>} Produced key with a length corresponding to.\n   * hashAlgorithm hash length\n   * @async\n   */\n  async produceKey(passphrase, numBytes) {\n    passphrase = util.encodeUTF8(passphrase);\n\n    const arr = [];\n    let rlength = 0;\n\n    let prefixlen = 0;\n    while (rlength < numBytes) {\n      let toHash;\n      switch (this.type) {\n        case 'simple':\n          toHash = util.concatUint8Array([new Uint8Array(prefixlen), passphrase]);\n          break;\n        case 'salted':\n          toHash = util.concatUint8Array([new Uint8Array(prefixlen), this.salt, passphrase]);\n          break;\n        case 'iterated': {\n          const data = util.concatUint8Array([this.salt, passphrase]);\n          let datalen = data.length;\n          const count = Math.max(this.getCount(), datalen);\n          toHash = new Uint8Array(prefixlen + count);\n          toHash.set(data, prefixlen);\n          for (let pos = prefixlen + datalen; pos < count; pos += datalen, datalen *= 2) {\n            toHash.copyWithin(pos, prefixlen, pos);\n          }\n          break;\n        }\n        case 'gnu':\n          throw new Error('GNU s2k type not supported.');\n        default:\n          throw new Error('Unknown s2k type.');\n      }\n      const result = await computeDigest(this.algorithm, toHash);\n      arr.push(result);\n      rlength += result.length;\n      prefixlen++;\n    }\n\n    return util.concatUint8Array(arr).subarray(0, numBytes);\n  }\n}\n\nexport default GenericS2K;\n","import defaultConfig from '../../config';\nimport Argon2S2K, { Argon2OutOfMemoryError } from './argon2';\nimport GenericS2K from './generic';\nimport enums from '../../enums';\nimport { UnsupportedError } from '../../packet/packet';\n\nconst allowedS2KTypesForEncryption = new Set([enums.s2k.argon2, enums.s2k.iterated]);\n\n/**\n * Instantiate a new S2K instance of the given type\n * @param {module:enums.s2k} type\n * @oaram {Object} [config]\n * @returns {Object} New s2k object\n * @throws {Error} for unknown or unsupported types\n */\nexport function newS2KFromType(type, config = defaultConfig) {\n  switch (type) {\n    case enums.s2k.argon2:\n      return new Argon2S2K(config);\n    case enums.s2k.iterated:\n    case enums.s2k.gnu:\n    case enums.s2k.salted:\n    case enums.s2k.simple:\n      return new GenericS2K(type, config);\n    default:\n      throw new UnsupportedError('Unsupported S2K type');\n  }\n}\n\n/**\n * Instantiate a new S2K instance based on the config settings\n * @oaram {Object} config\n * @returns {Object} New s2k object\n * @throws {Error} for unknown or unsupported types\n */\nexport function newS2KFromConfig(config) {\n  const { s2kType } = config;\n\n  if (!allowedS2KTypesForEncryption.has(s2kType)) {\n    throw new Error('The provided `config.s2kType` value is not allowed');\n  }\n\n  return newS2KFromType(s2kType, config);\n}\n\nexport { Argon2OutOfMemoryError };\n","// DEFLATE is a complex format; to read this code, you should probably check the RFC first:\n// https://tools.ietf.org/html/rfc1951\n// You may also wish to take a look at the guide I made about this program:\n// https://gist.github.com/101arrowz/253f31eb5abc3d9275ab943003ffecad\n// Some of the following code is similar to that of UZIP.js:\n// https://github.com/photopea/UZIP.js\n// However, the vast majority of the codebase has diverged from UZIP.js to increase performance and reduce bundle size.\n// Sometimes 0 will appear where -1 would be more appropriate. This is because using a uint\n// is better for memory in most engines (I *think*).\nvar ch2 = {};\nvar wk = (function (c, id, msg, transfer, cb) {\n    var w = new Worker(ch2[id] || (ch2[id] = URL.createObjectURL(new Blob([\n        c + ';addEventListener(\"error\",function(e){e=e.error;postMessage({$e$:[e.message,e.code,e.stack]})})'\n    ], { type: 'text/javascript' }))));\n    w.onmessage = function (e) {\n        var d = e.data, ed = d.$e$;\n        if (ed) {\n            var err = new Error(ed[0]);\n            err['code'] = ed[1];\n            err.stack = ed[2];\n            cb(err, null);\n        }\n        else\n            cb(null, d);\n    };\n    w.postMessage(msg, transfer);\n    return w;\n});\n\n// aliases for shorter compressed code (most minifers don't do this)\nvar u8 = Uint8Array, u16 = Uint16Array, u32 = Uint32Array;\n// fixed length extra bits\nvar fleb = new u8([0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0, /* unused */ 0, 0, /* impossible */ 0]);\n// fixed distance extra bits\n// see fleb note\nvar fdeb = new u8([0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13, /* unused */ 0, 0]);\n// code length index map\nvar clim = new u8([16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15]);\n// get base, reverse index map from extra bits\nvar freb = function (eb, start) {\n    var b = new u16(31);\n    for (var i = 0; i < 31; ++i) {\n        b[i] = start += 1 << eb[i - 1];\n    }\n    // numbers here are at max 18 bits\n    var r = new u32(b[30]);\n    for (var i = 1; i < 30; ++i) {\n        for (var j = b[i]; j < b[i + 1]; ++j) {\n            r[j] = ((j - b[i]) << 5) | i;\n        }\n    }\n    return [b, r];\n};\nvar _a = freb(fleb, 2), fl = _a[0], revfl = _a[1];\n// we can ignore the fact that the other numbers are wrong; they never happen anyway\nfl[28] = 258, revfl[258] = 28;\nvar _b = freb(fdeb, 0), fd = _b[0], revfd = _b[1];\n// map of value to reverse (assuming 16 bits)\nvar rev = new u16(32768);\nfor (var i = 0; i < 32768; ++i) {\n    // reverse table algorithm from SO\n    var x = ((i & 0xAAAA) >>> 1) | ((i & 0x5555) << 1);\n    x = ((x & 0xCCCC) >>> 2) | ((x & 0x3333) << 2);\n    x = ((x & 0xF0F0) >>> 4) | ((x & 0x0F0F) << 4);\n    rev[i] = (((x & 0xFF00) >>> 8) | ((x & 0x00FF) << 8)) >>> 1;\n}\n// create huffman tree from u8 \"map\": index -> code length for code index\n// mb (max bits) must be at most 15\n// TODO: optimize/split up?\nvar hMap = (function (cd, mb, r) {\n    var s = cd.length;\n    // index\n    var i = 0;\n    // u16 \"map\": index -> # of codes with bit length = index\n    var l = new u16(mb);\n    // length of cd must be 288 (total # of codes)\n    for (; i < s; ++i) {\n        if (cd[i])\n            ++l[cd[i] - 1];\n    }\n    // u16 \"map\": index -> minimum code for bit length = index\n    var le = new u16(mb);\n    for (i = 0; i < mb; ++i) {\n        le[i] = (le[i - 1] + l[i - 1]) << 1;\n    }\n    var co;\n    if (r) {\n        // u16 \"map\": index -> number of actual bits, symbol for code\n        co = new u16(1 << mb);\n        // bits to remove for reverser\n        var rvb = 15 - mb;\n        for (i = 0; i < s; ++i) {\n            // ignore 0 lengths\n            if (cd[i]) {\n                // num encoding both symbol and bits read\n                var sv = (i << 4) | cd[i];\n                // free bits\n                var r_1 = mb - cd[i];\n                // start value\n                var v = le[cd[i] - 1]++ << r_1;\n                // m is end value\n                for (var m = v | ((1 << r_1) - 1); v <= m; ++v) {\n                    // every 16 bit value starting with the code yields the same result\n                    co[rev[v] >>> rvb] = sv;\n                }\n            }\n        }\n    }\n    else {\n        co = new u16(s);\n        for (i = 0; i < s; ++i) {\n            if (cd[i]) {\n                co[i] = rev[le[cd[i] - 1]++] >>> (15 - cd[i]);\n            }\n        }\n    }\n    return co;\n});\n// fixed length tree\nvar flt = new u8(288);\nfor (var i = 0; i < 144; ++i)\n    flt[i] = 8;\nfor (var i = 144; i < 256; ++i)\n    flt[i] = 9;\nfor (var i = 256; i < 280; ++i)\n    flt[i] = 7;\nfor (var i = 280; i < 288; ++i)\n    flt[i] = 8;\n// fixed distance tree\nvar fdt = new u8(32);\nfor (var i = 0; i < 32; ++i)\n    fdt[i] = 5;\n// fixed length map\nvar flm = /*#__PURE__*/ hMap(flt, 9, 0), flrm = /*#__PURE__*/ hMap(flt, 9, 1);\n// fixed distance map\nvar fdm = /*#__PURE__*/ hMap(fdt, 5, 0), fdrm = /*#__PURE__*/ hMap(fdt, 5, 1);\n// find max of array\nvar max = function (a) {\n    var m = a[0];\n    for (var i = 1; i < a.length; ++i) {\n        if (a[i] > m)\n            m = a[i];\n    }\n    return m;\n};\n// read d, starting at bit p and mask with m\nvar bits = function (d, p, m) {\n    var o = (p / 8) | 0;\n    return ((d[o] | (d[o + 1] << 8)) >> (p & 7)) & m;\n};\n// read d, starting at bit p continuing for at least 16 bits\nvar bits16 = function (d, p) {\n    var o = (p / 8) | 0;\n    return ((d[o] | (d[o + 1] << 8) | (d[o + 2] << 16)) >> (p & 7));\n};\n// get end of byte\nvar shft = function (p) { return ((p + 7) / 8) | 0; };\n// typed array slice - allows garbage collector to free original reference,\n// while being more compatible than .slice\nvar slc = function (v, s, e) {\n    if (s == null || s < 0)\n        s = 0;\n    if (e == null || e > v.length)\n        e = v.length;\n    // can't use .constructor in case user-supplied\n    var n = new (v.BYTES_PER_ELEMENT == 2 ? u16 : v.BYTES_PER_ELEMENT == 4 ? u32 : u8)(e - s);\n    n.set(v.subarray(s, e));\n    return n;\n};\n/**\n * Codes for errors generated within this library\n */\nexport var FlateErrorCode = {\n    UnexpectedEOF: 0,\n    InvalidBlockType: 1,\n    InvalidLengthLiteral: 2,\n    InvalidDistance: 3,\n    StreamFinished: 4,\n    NoStreamHandler: 5,\n    InvalidHeader: 6,\n    NoCallback: 7,\n    InvalidUTF8: 8,\n    ExtraFieldTooLong: 9,\n    InvalidDate: 10,\n    FilenameTooLong: 11,\n    StreamFinishing: 12,\n    InvalidZipData: 13,\n    UnknownCompressionMethod: 14\n};\n// error codes\nvar ec = [\n    'unexpected EOF',\n    'invalid block type',\n    'invalid length/literal',\n    'invalid distance',\n    'stream finished',\n    'no stream handler',\n    ,\n    'no callback',\n    'invalid UTF-8 data',\n    'extra field too long',\n    'date not in range 1980-2099',\n    'filename too long',\n    'stream finishing',\n    'invalid zip data'\n    // determined by unknown compression method\n];\n;\nvar err = function (ind, msg, nt) {\n    var e = new Error(msg || ec[ind]);\n    e.code = ind;\n    if (Error.captureStackTrace)\n        Error.captureStackTrace(e, err);\n    if (!nt)\n        throw e;\n    return e;\n};\n// expands raw DEFLATE data\nvar inflt = function (dat, buf, st) {\n    // source length\n    var sl = dat.length;\n    if (!sl || (st && st.f && !st.l))\n        return buf || new u8(0);\n    // have to estimate size\n    var noBuf = !buf || st;\n    // no state\n    var noSt = !st || st.i;\n    if (!st)\n        st = {};\n    // Assumes roughly 33% compression ratio average\n    if (!buf)\n        buf = new u8(sl * 3);\n    // ensure buffer can fit at least l elements\n    var cbuf = function (l) {\n        var bl = buf.length;\n        // need to increase size to fit\n        if (l > bl) {\n            // Double or set to necessary, whichever is greater\n            var nbuf = new u8(Math.max(bl * 2, l));\n            nbuf.set(buf);\n            buf = nbuf;\n        }\n    };\n    //  last chunk         bitpos           bytes\n    var final = st.f || 0, pos = st.p || 0, bt = st.b || 0, lm = st.l, dm = st.d, lbt = st.m, dbt = st.n;\n    // total bits\n    var tbts = sl * 8;\n    do {\n        if (!lm) {\n            // BFINAL - this is only 1 when last chunk is next\n            final = bits(dat, pos, 1);\n            // type: 0 = no compression, 1 = fixed huffman, 2 = dynamic huffman\n            var type = bits(dat, pos + 1, 3);\n            pos += 3;\n            if (!type) {\n                // go to end of byte boundary\n                var s = shft(pos) + 4, l = dat[s - 4] | (dat[s - 3] << 8), t = s + l;\n                if (t > sl) {\n                    if (noSt)\n                        err(0);\n                    break;\n                }\n                // ensure size\n                if (noBuf)\n                    cbuf(bt + l);\n                // Copy over uncompressed data\n                buf.set(dat.subarray(s, t), bt);\n                // Get new bitpos, update byte count\n                st.b = bt += l, st.p = pos = t * 8, st.f = final;\n                continue;\n            }\n            else if (type == 1)\n                lm = flrm, dm = fdrm, lbt = 9, dbt = 5;\n            else if (type == 2) {\n                //  literal                            lengths\n                var hLit = bits(dat, pos, 31) + 257, hcLen = bits(dat, pos + 10, 15) + 4;\n                var tl = hLit + bits(dat, pos + 5, 31) + 1;\n                pos += 14;\n                // length+distance tree\n                var ldt = new u8(tl);\n                // code length tree\n                var clt = new u8(19);\n                for (var i = 0; i < hcLen; ++i) {\n                    // use index map to get real code\n                    clt[clim[i]] = bits(dat, pos + i * 3, 7);\n                }\n                pos += hcLen * 3;\n                // code lengths bits\n                var clb = max(clt), clbmsk = (1 << clb) - 1;\n                // code lengths map\n                var clm = hMap(clt, clb, 1);\n                for (var i = 0; i < tl;) {\n                    var r = clm[bits(dat, pos, clbmsk)];\n                    // bits read\n                    pos += r & 15;\n                    // symbol\n                    var s = r >>> 4;\n                    // code length to copy\n                    if (s < 16) {\n                        ldt[i++] = s;\n                    }\n                    else {\n                        //  copy   count\n                        var c = 0, n = 0;\n                        if (s == 16)\n                            n = 3 + bits(dat, pos, 3), pos += 2, c = ldt[i - 1];\n                        else if (s == 17)\n                            n = 3 + bits(dat, pos, 7), pos += 3;\n                        else if (s == 18)\n                            n = 11 + bits(dat, pos, 127), pos += 7;\n                        while (n--)\n                            ldt[i++] = c;\n                    }\n                }\n                //    length tree                 distance tree\n                var lt = ldt.subarray(0, hLit), dt = ldt.subarray(hLit);\n                // max length bits\n                lbt = max(lt);\n                // max dist bits\n                dbt = max(dt);\n                lm = hMap(lt, lbt, 1);\n                dm = hMap(dt, dbt, 1);\n            }\n            else\n                err(1);\n            if (pos > tbts) {\n                if (noSt)\n                    err(0);\n                break;\n            }\n        }\n        // Make sure the buffer can hold this + the largest possible addition\n        // Maximum chunk size (practically, theoretically infinite) is 2^17;\n        if (noBuf)\n            cbuf(bt + 131072);\n        var lms = (1 << lbt) - 1, dms = (1 << dbt) - 1;\n        var lpos = pos;\n        for (;; lpos = pos) {\n            // bits read, code\n            var c = lm[bits16(dat, pos) & lms], sym = c >>> 4;\n            pos += c & 15;\n            if (pos > tbts) {\n                if (noSt)\n                    err(0);\n                break;\n            }\n            if (!c)\n                err(2);\n            if (sym < 256)\n                buf[bt++] = sym;\n            else if (sym == 256) {\n                lpos = pos, lm = null;\n                break;\n            }\n            else {\n                var add = sym - 254;\n                // no extra bits needed if less\n                if (sym > 264) {\n                    // index\n                    var i = sym - 257, b = fleb[i];\n                    add = bits(dat, pos, (1 << b) - 1) + fl[i];\n                    pos += b;\n                }\n                // dist\n                var d = dm[bits16(dat, pos) & dms], dsym = d >>> 4;\n                if (!d)\n                    err(3);\n                pos += d & 15;\n                var dt = fd[dsym];\n                if (dsym > 3) {\n                    var b = fdeb[dsym];\n                    dt += bits16(dat, pos) & ((1 << b) - 1), pos += b;\n                }\n                if (pos > tbts) {\n                    if (noSt)\n                        err(0);\n                    break;\n                }\n                if (noBuf)\n                    cbuf(bt + 131072);\n                var end = bt + add;\n                for (; bt < end; bt += 4) {\n                    buf[bt] = buf[bt - dt];\n                    buf[bt + 1] = buf[bt + 1 - dt];\n                    buf[bt + 2] = buf[bt + 2 - dt];\n                    buf[bt + 3] = buf[bt + 3 - dt];\n                }\n                bt = end;\n            }\n        }\n        st.l = lm, st.p = lpos, st.b = bt, st.f = final;\n        if (lm)\n            final = 1, st.m = lbt, st.d = dm, st.n = dbt;\n    } while (!final);\n    return bt == buf.length ? buf : slc(buf, 0, bt);\n};\n// starting at p, write the minimum number of bits that can hold v to d\nvar wbits = function (d, p, v) {\n    v <<= p & 7;\n    var o = (p / 8) | 0;\n    d[o] |= v;\n    d[o + 1] |= v >>> 8;\n};\n// starting at p, write the minimum number of bits (>8) that can hold v to d\nvar wbits16 = function (d, p, v) {\n    v <<= p & 7;\n    var o = (p / 8) | 0;\n    d[o] |= v;\n    d[o + 1] |= v >>> 8;\n    d[o + 2] |= v >>> 16;\n};\n// creates code lengths from a frequency table\nvar hTree = function (d, mb) {\n    // Need extra info to make a tree\n    var t = [];\n    for (var i = 0; i < d.length; ++i) {\n        if (d[i])\n            t.push({ s: i, f: d[i] });\n    }\n    var s = t.length;\n    var t2 = t.slice();\n    if (!s)\n        return [et, 0];\n    if (s == 1) {\n        var v = new u8(t[0].s + 1);\n        v[t[0].s] = 1;\n        return [v, 1];\n    }\n    t.sort(function (a, b) { return a.f - b.f; });\n    // after i2 reaches last ind, will be stopped\n    // freq must be greater than largest possible number of symbols\n    t.push({ s: -1, f: 25001 });\n    var l = t[0], r = t[1], i0 = 0, i1 = 1, i2 = 2;\n    t[0] = { s: -1, f: l.f + r.f, l: l, r: r };\n    // efficient algorithm from UZIP.js\n    // i0 is lookbehind, i2 is lookahead - after processing two low-freq\n    // symbols that combined have high freq, will start processing i2 (high-freq,\n    // non-composite) symbols instead\n    // see https://reddit.com/r/photopea/comments/ikekht/uzipjs_questions/\n    while (i1 != s - 1) {\n        l = t[t[i0].f < t[i2].f ? i0++ : i2++];\n        r = t[i0 != i1 && t[i0].f < t[i2].f ? i0++ : i2++];\n        t[i1++] = { s: -1, f: l.f + r.f, l: l, r: r };\n    }\n    var maxSym = t2[0].s;\n    for (var i = 1; i < s; ++i) {\n        if (t2[i].s > maxSym)\n            maxSym = t2[i].s;\n    }\n    // code lengths\n    var tr = new u16(maxSym + 1);\n    // max bits in tree\n    var mbt = ln(t[i1 - 1], tr, 0);\n    if (mbt > mb) {\n        // more algorithms from UZIP.js\n        // TODO: find out how this code works (debt)\n        //  ind    debt\n        var i = 0, dt = 0;\n        //    left            cost\n        var lft = mbt - mb, cst = 1 << lft;\n        t2.sort(function (a, b) { return tr[b.s] - tr[a.s] || a.f - b.f; });\n        for (; i < s; ++i) {\n            var i2_1 = t2[i].s;\n            if (tr[i2_1] > mb) {\n                dt += cst - (1 << (mbt - tr[i2_1]));\n                tr[i2_1] = mb;\n            }\n            else\n                break;\n        }\n        dt >>>= lft;\n        while (dt > 0) {\n            var i2_2 = t2[i].s;\n            if (tr[i2_2] < mb)\n                dt -= 1 << (mb - tr[i2_2]++ - 1);\n            else\n                ++i;\n        }\n        for (; i >= 0 && dt; --i) {\n            var i2_3 = t2[i].s;\n            if (tr[i2_3] == mb) {\n                --tr[i2_3];\n                ++dt;\n            }\n        }\n        mbt = mb;\n    }\n    return [new u8(tr), mbt];\n};\n// get the max length and assign length codes\nvar ln = function (n, l, d) {\n    return n.s == -1\n        ? Math.max(ln(n.l, l, d + 1), ln(n.r, l, d + 1))\n        : (l[n.s] = d);\n};\n// length codes generation\nvar lc = function (c) {\n    var s = c.length;\n    // Note that the semicolon was intentional\n    while (s && !c[--s])\n        ;\n    var cl = new u16(++s);\n    //  ind      num         streak\n    var cli = 0, cln = c[0], cls = 1;\n    var w = function (v) { cl[cli++] = v; };\n    for (var i = 1; i <= s; ++i) {\n        if (c[i] == cln && i != s)\n            ++cls;\n        else {\n            if (!cln && cls > 2) {\n                for (; cls > 138; cls -= 138)\n                    w(32754);\n                if (cls > 2) {\n                    w(cls > 10 ? ((cls - 11) << 5) | 28690 : ((cls - 3) << 5) | 12305);\n                    cls = 0;\n                }\n            }\n            else if (cls > 3) {\n                w(cln), --cls;\n                for (; cls > 6; cls -= 6)\n                    w(8304);\n                if (cls > 2)\n                    w(((cls - 3) << 5) | 8208), cls = 0;\n            }\n            while (cls--)\n                w(cln);\n            cls = 1;\n            cln = c[i];\n        }\n    }\n    return [cl.subarray(0, cli), s];\n};\n// calculate the length of output from tree, code lengths\nvar clen = function (cf, cl) {\n    var l = 0;\n    for (var i = 0; i < cl.length; ++i)\n        l += cf[i] * cl[i];\n    return l;\n};\n// writes a fixed block\n// returns the new bit pos\nvar wfblk = function (out, pos, dat) {\n    // no need to write 00 as type: TypedArray defaults to 0\n    var s = dat.length;\n    var o = shft(pos + 2);\n    out[o] = s & 255;\n    out[o + 1] = s >>> 8;\n    out[o + 2] = out[o] ^ 255;\n    out[o + 3] = out[o + 1] ^ 255;\n    for (var i = 0; i < s; ++i)\n        out[o + i + 4] = dat[i];\n    return (o + 4 + s) * 8;\n};\n// writes a block\nvar wblk = function (dat, out, final, syms, lf, df, eb, li, bs, bl, p) {\n    wbits(out, p++, final);\n    ++lf[256];\n    var _a = hTree(lf, 15), dlt = _a[0], mlb = _a[1];\n    var _b = hTree(df, 15), ddt = _b[0], mdb = _b[1];\n    var _c = lc(dlt), lclt = _c[0], nlc = _c[1];\n    var _d = lc(ddt), lcdt = _d[0], ndc = _d[1];\n    var lcfreq = new u16(19);\n    for (var i = 0; i < lclt.length; ++i)\n        lcfreq[lclt[i] & 31]++;\n    for (var i = 0; i < lcdt.length; ++i)\n        lcfreq[lcdt[i] & 31]++;\n    var _e = hTree(lcfreq, 7), lct = _e[0], mlcb = _e[1];\n    var nlcc = 19;\n    for (; nlcc > 4 && !lct[clim[nlcc - 1]]; --nlcc)\n        ;\n    var flen = (bl + 5) << 3;\n    var ftlen = clen(lf, flt) + clen(df, fdt) + eb;\n    var dtlen = clen(lf, dlt) + clen(df, ddt) + eb + 14 + 3 * nlcc + clen(lcfreq, lct) + (2 * lcfreq[16] + 3 * lcfreq[17] + 7 * lcfreq[18]);\n    if (flen <= ftlen && flen <= dtlen)\n        return wfblk(out, p, dat.subarray(bs, bs + bl));\n    var lm, ll, dm, dl;\n    wbits(out, p, 1 + (dtlen < ftlen)), p += 2;\n    if (dtlen < ftlen) {\n        lm = hMap(dlt, mlb, 0), ll = dlt, dm = hMap(ddt, mdb, 0), dl = ddt;\n        var llm = hMap(lct, mlcb, 0);\n        wbits(out, p, nlc - 257);\n        wbits(out, p + 5, ndc - 1);\n        wbits(out, p + 10, nlcc - 4);\n        p += 14;\n        for (var i = 0; i < nlcc; ++i)\n            wbits(out, p + 3 * i, lct[clim[i]]);\n        p += 3 * nlcc;\n        var lcts = [lclt, lcdt];\n        for (var it = 0; it < 2; ++it) {\n            var clct = lcts[it];\n            for (var i = 0; i < clct.length; ++i) {\n                var len = clct[i] & 31;\n                wbits(out, p, llm[len]), p += lct[len];\n                if (len > 15)\n                    wbits(out, p, (clct[i] >>> 5) & 127), p += clct[i] >>> 12;\n            }\n        }\n    }\n    else {\n        lm = flm, ll = flt, dm = fdm, dl = fdt;\n    }\n    for (var i = 0; i < li; ++i) {\n        if (syms[i] > 255) {\n            var len = (syms[i] >>> 18) & 31;\n            wbits16(out, p, lm[len + 257]), p += ll[len + 257];\n            if (len > 7)\n                wbits(out, p, (syms[i] >>> 23) & 31), p += fleb[len];\n            var dst = syms[i] & 31;\n            wbits16(out, p, dm[dst]), p += dl[dst];\n            if (dst > 3)\n                wbits16(out, p, (syms[i] >>> 5) & 8191), p += fdeb[dst];\n        }\n        else {\n            wbits16(out, p, lm[syms[i]]), p += ll[syms[i]];\n        }\n    }\n    wbits16(out, p, lm[256]);\n    return p + ll[256];\n};\n// deflate options (nice << 13) | chain\nvar deo = /*#__PURE__*/ new u32([65540, 131080, 131088, 131104, 262176, 1048704, 1048832, 2114560, 2117632]);\n// empty\nvar et = /*#__PURE__*/ new u8(0);\n// compresses data into a raw DEFLATE buffer\nvar dflt = function (dat, lvl, plvl, pre, post, lst) {\n    var s = dat.length;\n    var o = new u8(pre + s + 5 * (1 + Math.ceil(s / 7000)) + post);\n    // writing to this writes to the output buffer\n    var w = o.subarray(pre, o.length - post);\n    var pos = 0;\n    if (!lvl || s < 8) {\n        for (var i = 0; i <= s; i += 65535) {\n            // end\n            var e = i + 65535;\n            if (e >= s) {\n                // write final block\n                w[pos >> 3] = lst;\n            }\n            pos = wfblk(w, pos + 1, dat.subarray(i, e));\n        }\n    }\n    else {\n        var opt = deo[lvl - 1];\n        var n = opt >>> 13, c = opt & 8191;\n        var msk_1 = (1 << plvl) - 1;\n        //    prev 2-byte val map    curr 2-byte val map\n        var prev = new u16(32768), head = new u16(msk_1 + 1);\n        var bs1_1 = Math.ceil(plvl / 3), bs2_1 = 2 * bs1_1;\n        var hsh = function (i) { return (dat[i] ^ (dat[i + 1] << bs1_1) ^ (dat[i + 2] << bs2_1)) & msk_1; };\n        // 24576 is an arbitrary number of maximum symbols per block\n        // 424 buffer for last block\n        var syms = new u32(25000);\n        // length/literal freq   distance freq\n        var lf = new u16(288), df = new u16(32);\n        //  l/lcnt  exbits  index  l/lind  waitdx  bitpos\n        var lc_1 = 0, eb = 0, i = 0, li = 0, wi = 0, bs = 0;\n        for (; i < s; ++i) {\n            // hash value\n            // deopt when i > s - 3 - at end, deopt acceptable\n            var hv = hsh(i);\n            // index mod 32768    previous index mod\n            var imod = i & 32767, pimod = head[hv];\n            prev[imod] = pimod;\n            head[hv] = imod;\n            // We always should modify head and prev, but only add symbols if\n            // this data is not yet processed (\"wait\" for wait index)\n            if (wi <= i) {\n                // bytes remaining\n                var rem = s - i;\n                if ((lc_1 > 7000 || li > 24576) && rem > 423) {\n                    pos = wblk(dat, w, 0, syms, lf, df, eb, li, bs, i - bs, pos);\n                    li = lc_1 = eb = 0, bs = i;\n                    for (var j = 0; j < 286; ++j)\n                        lf[j] = 0;\n                    for (var j = 0; j < 30; ++j)\n                        df[j] = 0;\n                }\n                //  len    dist   chain\n                var l = 2, d = 0, ch_1 = c, dif = (imod - pimod) & 32767;\n                if (rem > 2 && hv == hsh(i - dif)) {\n                    var maxn = Math.min(n, rem) - 1;\n                    var maxd = Math.min(32767, i);\n                    // max possible length\n                    // not capped at dif because decompressors implement \"rolling\" index population\n                    var ml = Math.min(258, rem);\n                    while (dif <= maxd && --ch_1 && imod != pimod) {\n                        if (dat[i + l] == dat[i + l - dif]) {\n                            var nl = 0;\n                            for (; nl < ml && dat[i + nl] == dat[i + nl - dif]; ++nl)\n                                ;\n                            if (nl > l) {\n                                l = nl, d = dif;\n                                // break out early when we reach \"nice\" (we are satisfied enough)\n                                if (nl > maxn)\n                                    break;\n                                // now, find the rarest 2-byte sequence within this\n                                // length of literals and search for that instead.\n                                // Much faster than just using the start\n                                var mmd = Math.min(dif, nl - 2);\n                                var md = 0;\n                                for (var j = 0; j < mmd; ++j) {\n                                    var ti = (i - dif + j + 32768) & 32767;\n                                    var pti = prev[ti];\n                                    var cd = (ti - pti + 32768) & 32767;\n                                    if (cd > md)\n                                        md = cd, pimod = ti;\n                                }\n                            }\n                        }\n                        // check the previous match\n                        imod = pimod, pimod = prev[imod];\n                        dif += (imod - pimod + 32768) & 32767;\n                    }\n                }\n                // d will be nonzero only when a match was found\n                if (d) {\n                    // store both dist and len data in one Uint32\n                    // Make sure this is recognized as a len/dist with 28th bit (2^28)\n                    syms[li++] = 268435456 | (revfl[l] << 18) | revfd[d];\n                    var lin = revfl[l] & 31, din = revfd[d] & 31;\n                    eb += fleb[lin] + fdeb[din];\n                    ++lf[257 + lin];\n                    ++df[din];\n                    wi = i + l;\n                    ++lc_1;\n                }\n                else {\n                    syms[li++] = dat[i];\n                    ++lf[dat[i]];\n                }\n            }\n        }\n        pos = wblk(dat, w, lst, syms, lf, df, eb, li, bs, i - bs, pos);\n        // this is the easiest way to avoid needing to maintain state\n        if (!lst && pos & 7)\n            pos = wfblk(w, pos + 1, et);\n    }\n    return slc(o, 0, pre + shft(pos) + post);\n};\n// CRC32 table\nvar crct = /*#__PURE__*/ (function () {\n    var t = new Int32Array(256);\n    for (var i = 0; i < 256; ++i) {\n        var c = i, k = 9;\n        while (--k)\n            c = ((c & 1) && -306674912) ^ (c >>> 1);\n        t[i] = c;\n    }\n    return t;\n})();\n// CRC32\nvar crc = function () {\n    var c = -1;\n    return {\n        p: function (d) {\n            // closures have awful performance\n            var cr = c;\n            for (var i = 0; i < d.length; ++i)\n                cr = crct[(cr & 255) ^ d[i]] ^ (cr >>> 8);\n            c = cr;\n        },\n        d: function () { return ~c; }\n    };\n};\n// Alder32\nvar adler = function () {\n    var a = 1, b = 0;\n    return {\n        p: function (d) {\n            // closures have awful performance\n            var n = a, m = b;\n            var l = d.length | 0;\n            for (var i = 0; i != l;) {\n                var e = Math.min(i + 2655, l);\n                for (; i < e; ++i)\n                    m += n += d[i];\n                n = (n & 65535) + 15 * (n >> 16), m = (m & 65535) + 15 * (m >> 16);\n            }\n            a = n, b = m;\n        },\n        d: function () {\n            a %= 65521, b %= 65521;\n            return (a & 255) << 24 | (a >>> 8) << 16 | (b & 255) << 8 | (b >>> 8);\n        }\n    };\n};\n;\n// deflate with opts\nvar dopt = function (dat, opt, pre, post, st) {\n    return dflt(dat, opt.level == null ? 6 : opt.level, opt.mem == null ? Math.ceil(Math.max(8, Math.min(13, Math.log(dat.length))) * 1.5) : (12 + opt.mem), pre, post, !st);\n};\n// Walmart object spread\nvar mrg = function (a, b) {\n    var o = {};\n    for (var k in a)\n        o[k] = a[k];\n    for (var k in b)\n        o[k] = b[k];\n    return o;\n};\n// worker clone\n// This is possibly the craziest part of the entire codebase, despite how simple it may seem.\n// The only parameter to this function is a closure that returns an array of variables outside of the function scope.\n// We're going to try to figure out the variable names used in the closure as strings because that is crucial for workerization.\n// We will return an object mapping of true variable name to value (basically, the current scope as a JS object).\n// The reason we can't just use the original variable names is minifiers mangling the toplevel scope.\n// This took me three weeks to figure out how to do.\nvar wcln = function (fn, fnStr, td) {\n    var dt = fn();\n    var st = fn.toString();\n    var ks = st.slice(st.indexOf('[') + 1, st.lastIndexOf(']')).replace(/\\s+/g, '').split(',');\n    for (var i = 0; i < dt.length; ++i) {\n        var v = dt[i], k = ks[i];\n        if (typeof v == 'function') {\n            fnStr += ';' + k + '=';\n            var st_1 = v.toString();\n            if (v.prototype) {\n                // for global objects\n                if (st_1.indexOf('[native code]') != -1) {\n                    var spInd = st_1.indexOf(' ', 8) + 1;\n                    fnStr += st_1.slice(spInd, st_1.indexOf('(', spInd));\n                }\n                else {\n                    fnStr += st_1;\n                    for (var t in v.prototype)\n                        fnStr += ';' + k + '.prototype.' + t + '=' + v.prototype[t].toString();\n                }\n            }\n            else\n                fnStr += st_1;\n        }\n        else\n            td[k] = v;\n    }\n    return [fnStr, td];\n};\nvar ch = [];\n// clone bufs\nvar cbfs = function (v) {\n    var tl = [];\n    for (var k in v) {\n        if (v[k].buffer) {\n            tl.push((v[k] = new v[k].constructor(v[k])).buffer);\n        }\n    }\n    return tl;\n};\n// use a worker to execute code\nvar wrkr = function (fns, init, id, cb) {\n    var _a;\n    if (!ch[id]) {\n        var fnStr = '', td_1 = {}, m = fns.length - 1;\n        for (var i = 0; i < m; ++i)\n            _a = wcln(fns[i], fnStr, td_1), fnStr = _a[0], td_1 = _a[1];\n        ch[id] = wcln(fns[m], fnStr, td_1);\n    }\n    var td = mrg({}, ch[id][1]);\n    return wk(ch[id][0] + ';onmessage=function(e){for(var k in e.data)self[k]=e.data[k];onmessage=' + init.toString() + '}', id, td, cbfs(td), cb);\n};\n// base async inflate fn\nvar bInflt = function () { return [u8, u16, u32, fleb, fdeb, clim, fl, fd, flrm, fdrm, rev, ec, hMap, max, bits, bits16, shft, slc, err, inflt, inflateSync, pbf, gu8]; };\nvar bDflt = function () { return [u8, u16, u32, fleb, fdeb, clim, revfl, revfd, flm, flt, fdm, fdt, rev, deo, et, hMap, wbits, wbits16, hTree, ln, lc, clen, wfblk, wblk, shft, slc, dflt, dopt, deflateSync, pbf]; };\n// gzip extra\nvar gze = function () { return [gzh, gzhl, wbytes, crc, crct]; };\n// gunzip extra\nvar guze = function () { return [gzs, gzl]; };\n// zlib extra\nvar zle = function () { return [zlh, wbytes, adler]; };\n// unzlib extra\nvar zule = function () { return [zlv]; };\n// post buf\nvar pbf = function (msg) { return postMessage(msg, [msg.buffer]); };\n// get u8\nvar gu8 = function (o) { return o && o.size && new u8(o.size); };\n// async helper\nvar cbify = function (dat, opts, fns, init, id, cb) {\n    var w = wrkr(fns, init, id, function (err, dat) {\n        w.terminate();\n        cb(err, dat);\n    });\n    w.postMessage([dat, opts], opts.consume ? [dat.buffer] : []);\n    return function () { w.terminate(); };\n};\n// auto stream\nvar astrm = function (strm) {\n    strm.ondata = function (dat, final) { return postMessage([dat, final], [dat.buffer]); };\n    return function (ev) { return strm.push(ev.data[0], ev.data[1]); };\n};\n// async stream attach\nvar astrmify = function (fns, strm, opts, init, id) {\n    var t;\n    var w = wrkr(fns, init, id, function (err, dat) {\n        if (err)\n            w.terminate(), strm.ondata.call(strm, err);\n        else {\n            if (dat[1])\n                w.terminate();\n            strm.ondata.call(strm, err, dat[0], dat[1]);\n        }\n    });\n    w.postMessage(opts);\n    strm.push = function (d, f) {\n        if (!strm.ondata)\n            err(5);\n        if (t)\n            strm.ondata(err(4, 0, 1), null, !!f);\n        w.postMessage([d, t = f], [d.buffer]);\n    };\n    strm.terminate = function () { w.terminate(); };\n};\n// read 2 bytes\nvar b2 = function (d, b) { return d[b] | (d[b + 1] << 8); };\n// read 4 bytes\nvar b4 = function (d, b) { return (d[b] | (d[b + 1] << 8) | (d[b + 2] << 16) | (d[b + 3] << 24)) >>> 0; };\nvar b8 = function (d, b) { return b4(d, b) + (b4(d, b + 4) * 4294967296); };\n// write bytes\nvar wbytes = function (d, b, v) {\n    for (; v; ++b)\n        d[b] = v, v >>>= 8;\n};\n// gzip header\nvar gzh = function (c, o) {\n    var fn = o.filename;\n    c[0] = 31, c[1] = 139, c[2] = 8, c[8] = o.level < 2 ? 4 : o.level == 9 ? 2 : 0, c[9] = 3; // assume Unix\n    if (o.mtime != 0)\n        wbytes(c, 4, Math.floor(new Date(o.mtime || Date.now()) / 1000));\n    if (fn) {\n        c[3] = 8;\n        for (var i = 0; i <= fn.length; ++i)\n            c[i + 10] = fn.charCodeAt(i);\n    }\n};\n// gzip footer: -8 to -4 = CRC, -4 to -0 is length\n// gzip start\nvar gzs = function (d) {\n    if (d[0] != 31 || d[1] != 139 || d[2] != 8)\n        err(6, 'invalid gzip data');\n    var flg = d[3];\n    var st = 10;\n    if (flg & 4)\n        st += d[10] | (d[11] << 8) + 2;\n    for (var zs = (flg >> 3 & 1) + (flg >> 4 & 1); zs > 0; zs -= !d[st++])\n        ;\n    return st + (flg & 2);\n};\n// gzip length\nvar gzl = function (d) {\n    var l = d.length;\n    return ((d[l - 4] | d[l - 3] << 8 | d[l - 2] << 16) | (d[l - 1] << 24)) >>> 0;\n};\n// gzip header length\nvar gzhl = function (o) { return 10 + ((o.filename && (o.filename.length + 1)) || 0); };\n// zlib header\nvar zlh = function (c, o) {\n    var lv = o.level, fl = lv == 0 ? 0 : lv < 6 ? 1 : lv == 9 ? 3 : 2;\n    c[0] = 120, c[1] = (fl << 6) | (fl ? (32 - 2 * fl) : 1);\n};\n// zlib valid\nvar zlv = function (d) {\n    if ((d[0] & 15) != 8 || (d[0] >>> 4) > 7 || ((d[0] << 8 | d[1]) % 31))\n        err(6, 'invalid zlib data');\n    if (d[1] & 32)\n        err(6, 'invalid zlib data: preset dictionaries not supported');\n};\nfunction AsyncCmpStrm(opts, cb) {\n    if (!cb && typeof opts == 'function')\n        cb = opts, opts = {};\n    this.ondata = cb;\n    return opts;\n}\n// zlib footer: -4 to -0 is Adler32\n/**\n * Streaming DEFLATE compression\n */\nvar Deflate = /*#__PURE__*/ (function () {\n    function Deflate(opts, cb) {\n        if (!cb && typeof opts == 'function')\n            cb = opts, opts = {};\n        this.ondata = cb;\n        this.o = opts || {};\n    }\n    Deflate.prototype.p = function (c, f) {\n        this.ondata(dopt(c, this.o, 0, 0, !f), f);\n    };\n    /**\n     * Pushes a chunk to be deflated\n     * @param chunk The chunk to push\n     * @param final Whether this is the last chunk\n     */\n    Deflate.prototype.push = function (chunk, final) {\n        if (!this.ondata)\n            err(5);\n        if (this.d)\n            err(4);\n        this.d = final;\n        this.p(chunk, final || false);\n    };\n    return Deflate;\n}());\nexport { Deflate };\n/**\n * Asynchronous streaming DEFLATE compression\n */\nvar AsyncDeflate = /*#__PURE__*/ (function () {\n    function AsyncDeflate(opts, cb) {\n        astrmify([\n            bDflt,\n            function () { return [astrm, Deflate]; }\n        ], this, AsyncCmpStrm.call(this, opts, cb), function (ev) {\n            var strm = new Deflate(ev.data);\n            onmessage = astrm(strm);\n        }, 6);\n    }\n    return AsyncDeflate;\n}());\nexport { AsyncDeflate };\nexport function deflate(data, opts, cb) {\n    if (!cb)\n        cb = opts, opts = {};\n    if (typeof cb != 'function')\n        err(7);\n    return cbify(data, opts, [\n        bDflt,\n    ], function (ev) { return pbf(deflateSync(ev.data[0], ev.data[1])); }, 0, cb);\n}\n/**\n * Compresses data with DEFLATE without any wrapper\n * @param data The data to compress\n * @param opts The compression options\n * @returns The deflated version of the data\n */\nexport function deflateSync(data, opts) {\n    return dopt(data, opts || {}, 0, 0);\n}\n/**\n * Streaming DEFLATE decompression\n */\nvar Inflate = /*#__PURE__*/ (function () {\n    /**\n     * Creates an inflation stream\n     * @param cb The callback to call whenever data is inflated\n     */\n    function Inflate(cb) {\n        this.s = {};\n        this.p = new u8(0);\n        this.ondata = cb;\n    }\n    Inflate.prototype.e = function (c) {\n        if (!this.ondata)\n            err(5);\n        if (this.d)\n            err(4);\n        var l = this.p.length;\n        var n = new u8(l + c.length);\n        n.set(this.p), n.set(c, l), this.p = n;\n    };\n    Inflate.prototype.c = function (final) {\n        this.d = this.s.i = final || false;\n        var bts = this.s.b;\n        var dt = inflt(this.p, this.o, this.s);\n        this.ondata(slc(dt, bts, this.s.b), this.d);\n        this.o = slc(dt, this.s.b - 32768), this.s.b = this.o.length;\n        this.p = slc(this.p, (this.s.p / 8) | 0), this.s.p &= 7;\n    };\n    /**\n     * Pushes a chunk to be inflated\n     * @param chunk The chunk to push\n     * @param final Whether this is the final chunk\n     */\n    Inflate.prototype.push = function (chunk, final) {\n        this.e(chunk), this.c(final);\n    };\n    return Inflate;\n}());\nexport { Inflate };\n/**\n * Asynchronous streaming DEFLATE decompression\n */\nvar AsyncInflate = /*#__PURE__*/ (function () {\n    /**\n     * Creates an asynchronous inflation stream\n     * @param cb The callback to call whenever data is deflated\n     */\n    function AsyncInflate(cb) {\n        this.ondata = cb;\n        astrmify([\n            bInflt,\n            function () { return [astrm, Inflate]; }\n        ], this, 0, function () {\n            var strm = new Inflate();\n            onmessage = astrm(strm);\n        }, 7);\n    }\n    return AsyncInflate;\n}());\nexport { AsyncInflate };\nexport function inflate(data, opts, cb) {\n    if (!cb)\n        cb = opts, opts = {};\n    if (typeof cb != 'function')\n        err(7);\n    return cbify(data, opts, [\n        bInflt\n    ], function (ev) { return pbf(inflateSync(ev.data[0], gu8(ev.data[1]))); }, 1, cb);\n}\n/**\n * Expands DEFLATE data with no wrapper\n * @param data The data to decompress\n * @param out Where to write the data. Saves memory if you know the decompressed size and provide an output buffer of that length.\n * @returns The decompressed version of the data\n */\nexport function inflateSync(data, out) {\n    return inflt(data, out);\n}\n// before you yell at me for not just using extends, my reason is that TS inheritance is hard to workerize.\n/**\n * Streaming GZIP compression\n */\nvar Gzip = /*#__PURE__*/ (function () {\n    function Gzip(opts, cb) {\n        this.c = crc();\n        this.l = 0;\n        this.v = 1;\n        Deflate.call(this, opts, cb);\n    }\n    /**\n     * Pushes a chunk to be GZIPped\n     * @param chunk The chunk to push\n     * @param final Whether this is the last chunk\n     */\n    Gzip.prototype.push = function (chunk, final) {\n        Deflate.prototype.push.call(this, chunk, final);\n    };\n    Gzip.prototype.p = function (c, f) {\n        this.c.p(c);\n        this.l += c.length;\n        var raw = dopt(c, this.o, this.v && gzhl(this.o), f && 8, !f);\n        if (this.v)\n            gzh(raw, this.o), this.v = 0;\n        if (f)\n            wbytes(raw, raw.length - 8, this.c.d()), wbytes(raw, raw.length - 4, this.l);\n        this.ondata(raw, f);\n    };\n    return Gzip;\n}());\nexport { Gzip };\n/**\n * Asynchronous streaming GZIP compression\n */\nvar AsyncGzip = /*#__PURE__*/ (function () {\n    function AsyncGzip(opts, cb) {\n        astrmify([\n            bDflt,\n            gze,\n            function () { return [astrm, Deflate, Gzip]; }\n        ], this, AsyncCmpStrm.call(this, opts, cb), function (ev) {\n            var strm = new Gzip(ev.data);\n            onmessage = astrm(strm);\n        }, 8);\n    }\n    return AsyncGzip;\n}());\nexport { AsyncGzip };\nexport function gzip(data, opts, cb) {\n    if (!cb)\n        cb = opts, opts = {};\n    if (typeof cb != 'function')\n        err(7);\n    return cbify(data, opts, [\n        bDflt,\n        gze,\n        function () { return [gzipSync]; }\n    ], function (ev) { return pbf(gzipSync(ev.data[0], ev.data[1])); }, 2, cb);\n}\n/**\n * Compresses data with GZIP\n * @param data The data to compress\n * @param opts The compression options\n * @returns The gzipped version of the data\n */\nexport function gzipSync(data, opts) {\n    if (!opts)\n        opts = {};\n    var c = crc(), l = data.length;\n    c.p(data);\n    var d = dopt(data, opts, gzhl(opts), 8), s = d.length;\n    return gzh(d, opts), wbytes(d, s - 8, c.d()), wbytes(d, s - 4, l), d;\n}\n/**\n * Streaming GZIP decompression\n */\nvar Gunzip = /*#__PURE__*/ (function () {\n    /**\n     * Creates a GUNZIP stream\n     * @param cb The callback to call whenever data is inflated\n     */\n    function Gunzip(cb) {\n        this.v = 1;\n        Inflate.call(this, cb);\n    }\n    /**\n     * Pushes a chunk to be GUNZIPped\n     * @param chunk The chunk to push\n     * @param final Whether this is the last chunk\n     */\n    Gunzip.prototype.push = function (chunk, final) {\n        Inflate.prototype.e.call(this, chunk);\n        if (this.v) {\n            var s = this.p.length > 3 ? gzs(this.p) : 4;\n            if (s >= this.p.length && !final)\n                return;\n            this.p = this.p.subarray(s), this.v = 0;\n        }\n        if (final) {\n            if (this.p.length < 8)\n                err(6, 'invalid gzip data');\n            this.p = this.p.subarray(0, -8);\n        }\n        // necessary to prevent TS from using the closure value\n        // This allows for workerization to function correctly\n        Inflate.prototype.c.call(this, final);\n    };\n    return Gunzip;\n}());\nexport { Gunzip };\n/**\n * Asynchronous streaming GZIP decompression\n */\nvar AsyncGunzip = /*#__PURE__*/ (function () {\n    /**\n     * Creates an asynchronous GUNZIP stream\n     * @param cb The callback to call whenever data is deflated\n     */\n    function AsyncGunzip(cb) {\n        this.ondata = cb;\n        astrmify([\n            bInflt,\n            guze,\n            function () { return [astrm, Inflate, Gunzip]; }\n        ], this, 0, function () {\n            var strm = new Gunzip();\n            onmessage = astrm(strm);\n        }, 9);\n    }\n    return AsyncGunzip;\n}());\nexport { AsyncGunzip };\nexport function gunzip(data, opts, cb) {\n    if (!cb)\n        cb = opts, opts = {};\n    if (typeof cb != 'function')\n        err(7);\n    return cbify(data, opts, [\n        bInflt,\n        guze,\n        function () { return [gunzipSync]; }\n    ], function (ev) { return pbf(gunzipSync(ev.data[0])); }, 3, cb);\n}\n/**\n * Expands GZIP data\n * @param data The data to decompress\n * @param out Where to write the data. GZIP already encodes the output size, so providing this doesn't save memory.\n * @returns The decompressed version of the data\n */\nexport function gunzipSync(data, out) {\n    return inflt(data.subarray(gzs(data), -8), out || new u8(gzl(data)));\n}\n/**\n * Streaming Zlib compression\n */\nvar Zlib = /*#__PURE__*/ (function () {\n    function Zlib(opts, cb) {\n        this.c = adler();\n        this.v = 1;\n        Deflate.call(this, opts, cb);\n    }\n    /**\n     * Pushes a chunk to be zlibbed\n     * @param chunk The chunk to push\n     * @param final Whether this is the last chunk\n     */\n    Zlib.prototype.push = function (chunk, final) {\n        Deflate.prototype.push.call(this, chunk, final);\n    };\n    Zlib.prototype.p = function (c, f) {\n        this.c.p(c);\n        var raw = dopt(c, this.o, this.v && 2, f && 4, !f);\n        if (this.v)\n            zlh(raw, this.o), this.v = 0;\n        if (f)\n            wbytes(raw, raw.length - 4, this.c.d());\n        this.ondata(raw, f);\n    };\n    return Zlib;\n}());\nexport { Zlib };\n/**\n * Asynchronous streaming Zlib compression\n */\nvar AsyncZlib = /*#__PURE__*/ (function () {\n    function AsyncZlib(opts, cb) {\n        astrmify([\n            bDflt,\n            zle,\n            function () { return [astrm, Deflate, Zlib]; }\n        ], this, AsyncCmpStrm.call(this, opts, cb), function (ev) {\n            var strm = new Zlib(ev.data);\n            onmessage = astrm(strm);\n        }, 10);\n    }\n    return AsyncZlib;\n}());\nexport { AsyncZlib };\nexport function zlib(data, opts, cb) {\n    if (!cb)\n        cb = opts, opts = {};\n    if (typeof cb != 'function')\n        err(7);\n    return cbify(data, opts, [\n        bDflt,\n        zle,\n        function () { return [zlibSync]; }\n    ], function (ev) { return pbf(zlibSync(ev.data[0], ev.data[1])); }, 4, cb);\n}\n/**\n * Compress data with Zlib\n * @param data The data to compress\n * @param opts The compression options\n * @returns The zlib-compressed version of the data\n */\nexport function zlibSync(data, opts) {\n    if (!opts)\n        opts = {};\n    var a = adler();\n    a.p(data);\n    var d = dopt(data, opts, 2, 4);\n    return zlh(d, opts), wbytes(d, d.length - 4, a.d()), d;\n}\n/**\n * Streaming Zlib decompression\n */\nvar Unzlib = /*#__PURE__*/ (function () {\n    /**\n     * Creates a Zlib decompression stream\n     * @param cb The callback to call whenever data is inflated\n     */\n    function Unzlib(cb) {\n        this.v = 1;\n        Inflate.call(this, cb);\n    }\n    /**\n     * Pushes a chunk to be unzlibbed\n     * @param chunk The chunk to push\n     * @param final Whether this is the last chunk\n     */\n    Unzlib.prototype.push = function (chunk, final) {\n        Inflate.prototype.e.call(this, chunk);\n        if (this.v) {\n            if (this.p.length < 2 && !final)\n                return;\n            this.p = this.p.subarray(2), this.v = 0;\n        }\n        if (final) {\n            if (this.p.length < 4)\n                err(6, 'invalid zlib data');\n            this.p = this.p.subarray(0, -4);\n        }\n        // necessary to prevent TS from using the closure value\n        // This allows for workerization to function correctly\n        Inflate.prototype.c.call(this, final);\n    };\n    return Unzlib;\n}());\nexport { Unzlib };\n/**\n * Asynchronous streaming Zlib decompression\n */\nvar AsyncUnzlib = /*#__PURE__*/ (function () {\n    /**\n     * Creates an asynchronous Zlib decompression stream\n     * @param cb The callback to call whenever data is deflated\n     */\n    function AsyncUnzlib(cb) {\n        this.ondata = cb;\n        astrmify([\n            bInflt,\n            zule,\n            function () { return [astrm, Inflate, Unzlib]; }\n        ], this, 0, function () {\n            var strm = new Unzlib();\n            onmessage = astrm(strm);\n        }, 11);\n    }\n    return AsyncUnzlib;\n}());\nexport { AsyncUnzlib };\nexport function unzlib(data, opts, cb) {\n    if (!cb)\n        cb = opts, opts = {};\n    if (typeof cb != 'function')\n        err(7);\n    return cbify(data, opts, [\n        bInflt,\n        zule,\n        function () { return [unzlibSync]; }\n    ], function (ev) { return pbf(unzlibSync(ev.data[0], gu8(ev.data[1]))); }, 5, cb);\n}\n/**\n * Expands Zlib data\n * @param data The data to decompress\n * @param out Where to write the data. Saves memory if you know the decompressed size and provide an output buffer of that length.\n * @returns The decompressed version of the data\n */\nexport function unzlibSync(data, out) {\n    return inflt((zlv(data), data.subarray(2, -4)), out);\n}\n// Default algorithm for compression (used because having a known output size allows faster decompression)\nexport { gzip as compress, AsyncGzip as AsyncCompress };\n// Default algorithm for compression (used because having a known output size allows faster decompression)\nexport { gzipSync as compressSync, Gzip as Compress };\n/**\n * Streaming GZIP, Zlib, or raw DEFLATE decompression\n */\nvar Decompress = /*#__PURE__*/ (function () {\n    /**\n     * Creates a decompression stream\n     * @param cb The callback to call whenever data is decompressed\n     */\n    function Decompress(cb) {\n        this.G = Gunzip;\n        this.I = Inflate;\n        this.Z = Unzlib;\n        this.ondata = cb;\n    }\n    /**\n     * Pushes a chunk to be decompressed\n     * @param chunk The chunk to push\n     * @param final Whether this is the last chunk\n     */\n    Decompress.prototype.push = function (chunk, final) {\n        if (!this.ondata)\n            err(5);\n        if (!this.s) {\n            if (this.p && this.p.length) {\n                var n = new u8(this.p.length + chunk.length);\n                n.set(this.p), n.set(chunk, this.p.length);\n            }\n            else\n                this.p = chunk;\n            if (this.p.length > 2) {\n                var _this_1 = this;\n                var cb = function () { _this_1.ondata.apply(_this_1, arguments); };\n                this.s = (this.p[0] == 31 && this.p[1] == 139 && this.p[2] == 8)\n                    ? new this.G(cb)\n                    : ((this.p[0] & 15) != 8 || (this.p[0] >> 4) > 7 || ((this.p[0] << 8 | this.p[1]) % 31))\n                        ? new this.I(cb)\n                        : new this.Z(cb);\n                this.s.push(this.p, final);\n                this.p = null;\n            }\n        }\n        else\n            this.s.push(chunk, final);\n    };\n    return Decompress;\n}());\nexport { Decompress };\n/**\n * Asynchronous streaming GZIP, Zlib, or raw DEFLATE decompression\n */\nvar AsyncDecompress = /*#__PURE__*/ (function () {\n    /**\n   * Creates an asynchronous decompression stream\n   * @param cb The callback to call whenever data is decompressed\n   */\n    function AsyncDecompress(cb) {\n        this.G = AsyncGunzip;\n        this.I = AsyncInflate;\n        this.Z = AsyncUnzlib;\n        this.ondata = cb;\n    }\n    /**\n     * Pushes a chunk to be decompressed\n     * @param chunk The chunk to push\n     * @param final Whether this is the last chunk\n     */\n    AsyncDecompress.prototype.push = function (chunk, final) {\n        Decompress.prototype.push.call(this, chunk, final);\n    };\n    return AsyncDecompress;\n}());\nexport { AsyncDecompress };\nexport function decompress(data, opts, cb) {\n    if (!cb)\n        cb = opts, opts = {};\n    if (typeof cb != 'function')\n        err(7);\n    return (data[0] == 31 && data[1] == 139 && data[2] == 8)\n        ? gunzip(data, opts, cb)\n        : ((data[0] & 15) != 8 || (data[0] >> 4) > 7 || ((data[0] << 8 | data[1]) % 31))\n            ? inflate(data, opts, cb)\n            : unzlib(data, opts, cb);\n}\n/**\n * Expands compressed GZIP, Zlib, or raw DEFLATE data, automatically detecting the format\n * @param data The data to decompress\n * @param out Where to write the data. Saves memory if you know the decompressed size and provide an output buffer of that length.\n * @returns The decompressed version of the data\n */\nexport function decompressSync(data, out) {\n    return (data[0] == 31 && data[1] == 139 && data[2] == 8)\n        ? gunzipSync(data, out)\n        : ((data[0] & 15) != 8 || (data[0] >> 4) > 7 || ((data[0] << 8 | data[1]) % 31))\n            ? inflateSync(data, out)\n            : unzlibSync(data, out);\n}\n// flatten a directory structure\nvar fltn = function (d, p, t, o) {\n    for (var k in d) {\n        var val = d[k], n = p + k, op = o;\n        if (Array.isArray(val))\n            op = mrg(o, val[1]), val = val[0];\n        if (val instanceof u8)\n            t[n] = [val, op];\n        else {\n            t[n += '/'] = [new u8(0), op];\n            fltn(val, n, t, o);\n        }\n    }\n};\n// text encoder\nvar te = typeof TextEncoder != 'undefined' && /*#__PURE__*/ new TextEncoder();\n// text decoder\nvar td = typeof TextDecoder != 'undefined' && /*#__PURE__*/ new TextDecoder();\n// text decoder stream\nvar tds = 0;\ntry {\n    td.decode(et, { stream: true });\n    tds = 1;\n}\ncatch (e) { }\n// decode UTF8\nvar dutf8 = function (d) {\n    for (var r = '', i = 0;;) {\n        var c = d[i++];\n        var eb = (c > 127) + (c > 223) + (c > 239);\n        if (i + eb > d.length)\n            return [r, slc(d, i - 1)];\n        if (!eb)\n            r += String.fromCharCode(c);\n        else if (eb == 3) {\n            c = ((c & 15) << 18 | (d[i++] & 63) << 12 | (d[i++] & 63) << 6 | (d[i++] & 63)) - 65536,\n                r += String.fromCharCode(55296 | (c >> 10), 56320 | (c & 1023));\n        }\n        else if (eb & 1)\n            r += String.fromCharCode((c & 31) << 6 | (d[i++] & 63));\n        else\n            r += String.fromCharCode((c & 15) << 12 | (d[i++] & 63) << 6 | (d[i++] & 63));\n    }\n};\n/**\n * Streaming UTF-8 decoding\n */\nvar DecodeUTF8 = /*#__PURE__*/ (function () {\n    /**\n     * Creates a UTF-8 decoding stream\n     * @param cb The callback to call whenever data is decoded\n     */\n    function DecodeUTF8(cb) {\n        this.ondata = cb;\n        if (tds)\n            this.t = new TextDecoder();\n        else\n            this.p = et;\n    }\n    /**\n     * Pushes a chunk to be decoded from UTF-8 binary\n     * @param chunk The chunk to push\n     * @param final Whether this is the last chunk\n     */\n    DecodeUTF8.prototype.push = function (chunk, final) {\n        if (!this.ondata)\n            err(5);\n        final = !!final;\n        if (this.t) {\n            this.ondata(this.t.decode(chunk, { stream: true }), final);\n            if (final) {\n                if (this.t.decode().length)\n                    err(8);\n                this.t = null;\n            }\n            return;\n        }\n        if (!this.p)\n            err(4);\n        var dat = new u8(this.p.length + chunk.length);\n        dat.set(this.p);\n        dat.set(chunk, this.p.length);\n        var _a = dutf8(dat), ch = _a[0], np = _a[1];\n        if (final) {\n            if (np.length)\n                err(8);\n            this.p = null;\n        }\n        else\n            this.p = np;\n        this.ondata(ch, final);\n    };\n    return DecodeUTF8;\n}());\nexport { DecodeUTF8 };\n/**\n * Streaming UTF-8 encoding\n */\nvar EncodeUTF8 = /*#__PURE__*/ (function () {\n    /**\n     * Creates a UTF-8 decoding stream\n     * @param cb The callback to call whenever data is encoded\n     */\n    function EncodeUTF8(cb) {\n        this.ondata = cb;\n    }\n    /**\n     * Pushes a chunk to be encoded to UTF-8\n     * @param chunk The string data to push\n     * @param final Whether this is the last chunk\n     */\n    EncodeUTF8.prototype.push = function (chunk, final) {\n        if (!this.ondata)\n            err(5);\n        if (this.d)\n            err(4);\n        this.ondata(strToU8(chunk), this.d = final || false);\n    };\n    return EncodeUTF8;\n}());\nexport { EncodeUTF8 };\n/**\n * Converts a string into a Uint8Array for use with compression/decompression methods\n * @param str The string to encode\n * @param latin1 Whether or not to interpret the data as Latin-1. This should\n *               not need to be true unless decoding a binary string.\n * @returns The string encoded in UTF-8/Latin-1 binary\n */\nexport function strToU8(str, latin1) {\n    if (latin1) {\n        var ar_1 = new u8(str.length);\n        for (var i = 0; i < str.length; ++i)\n            ar_1[i] = str.charCodeAt(i);\n        return ar_1;\n    }\n    if (te)\n        return te.encode(str);\n    var l = str.length;\n    var ar = new u8(str.length + (str.length >> 1));\n    var ai = 0;\n    var w = function (v) { ar[ai++] = v; };\n    for (var i = 0; i < l; ++i) {\n        if (ai + 5 > ar.length) {\n            var n = new u8(ai + 8 + ((l - i) << 1));\n            n.set(ar);\n            ar = n;\n        }\n        var c = str.charCodeAt(i);\n        if (c < 128 || latin1)\n            w(c);\n        else if (c < 2048)\n            w(192 | (c >> 6)), w(128 | (c & 63));\n        else if (c > 55295 && c < 57344)\n            c = 65536 + (c & 1023 << 10) | (str.charCodeAt(++i) & 1023),\n                w(240 | (c >> 18)), w(128 | ((c >> 12) & 63)), w(128 | ((c >> 6) & 63)), w(128 | (c & 63));\n        else\n            w(224 | (c >> 12)), w(128 | ((c >> 6) & 63)), w(128 | (c & 63));\n    }\n    return slc(ar, 0, ai);\n}\n/**\n * Converts a Uint8Array to a string\n * @param dat The data to decode to string\n * @param latin1 Whether or not to interpret the data as Latin-1. This should\n *               not need to be true unless encoding to binary string.\n * @returns The original UTF-8/Latin-1 string\n */\nexport function strFromU8(dat, latin1) {\n    if (latin1) {\n        var r = '';\n        for (var i = 0; i < dat.length; i += 16384)\n            r += String.fromCharCode.apply(null, dat.subarray(i, i + 16384));\n        return r;\n    }\n    else if (td)\n        return td.decode(dat);\n    else {\n        var _a = dutf8(dat), out = _a[0], ext = _a[1];\n        if (ext.length)\n            err(8);\n        return out;\n    }\n}\n;\n// deflate bit flag\nvar dbf = function (l) { return l == 1 ? 3 : l < 6 ? 2 : l == 9 ? 1 : 0; };\n// skip local zip header\nvar slzh = function (d, b) { return b + 30 + b2(d, b + 26) + b2(d, b + 28); };\n// read zip header\nvar zh = function (d, b, z) {\n    var fnl = b2(d, b + 28), fn = strFromU8(d.subarray(b + 46, b + 46 + fnl), !(b2(d, b + 8) & 2048)), es = b + 46 + fnl, bs = b4(d, b + 20);\n    var _a = z && bs == 4294967295 ? z64e(d, es) : [bs, b4(d, b + 24), b4(d, b + 42)], sc = _a[0], su = _a[1], off = _a[2];\n    return [b2(d, b + 10), sc, su, fn, es + b2(d, b + 30) + b2(d, b + 32), off];\n};\n// read zip64 extra field\nvar z64e = function (d, b) {\n    for (; b2(d, b) != 1; b += 4 + b2(d, b + 2))\n        ;\n    return [b8(d, b + 12), b8(d, b + 4), b8(d, b + 20)];\n};\n// extra field length\nvar exfl = function (ex) {\n    var le = 0;\n    if (ex) {\n        for (var k in ex) {\n            var l = ex[k].length;\n            if (l > 65535)\n                err(9);\n            le += l + 4;\n        }\n    }\n    return le;\n};\n// write zip header\nvar wzh = function (d, b, f, fn, u, c, ce, co) {\n    var fl = fn.length, ex = f.extra, col = co && co.length;\n    var exl = exfl(ex);\n    wbytes(d, b, ce != null ? 0x2014B50 : 0x4034B50), b += 4;\n    if (ce != null)\n        d[b++] = 20, d[b++] = f.os;\n    d[b] = 20, b += 2; // spec compliance? what's that?\n    d[b++] = (f.flag << 1) | (c < 0 && 8), d[b++] = u && 8;\n    d[b++] = f.compression & 255, d[b++] = f.compression >> 8;\n    var dt = new Date(f.mtime == null ? Date.now() : f.mtime), y = dt.getFullYear() - 1980;\n    if (y < 0 || y > 119)\n        err(10);\n    wbytes(d, b, (y << 25) | ((dt.getMonth() + 1) << 21) | (dt.getDate() << 16) | (dt.getHours() << 11) | (dt.getMinutes() << 5) | (dt.getSeconds() >>> 1)), b += 4;\n    if (c != -1) {\n        wbytes(d, b, f.crc);\n        wbytes(d, b + 4, c < 0 ? -c - 2 : c);\n        wbytes(d, b + 8, f.size);\n    }\n    wbytes(d, b + 12, fl);\n    wbytes(d, b + 14, exl), b += 16;\n    if (ce != null) {\n        wbytes(d, b, col);\n        wbytes(d, b + 6, f.attrs);\n        wbytes(d, b + 10, ce), b += 14;\n    }\n    d.set(fn, b);\n    b += fl;\n    if (exl) {\n        for (var k in ex) {\n            var exf = ex[k], l = exf.length;\n            wbytes(d, b, +k);\n            wbytes(d, b + 2, l);\n            d.set(exf, b + 4), b += 4 + l;\n        }\n    }\n    if (col)\n        d.set(co, b), b += col;\n    return b;\n};\n// write zip footer (end of central directory)\nvar wzf = function (o, b, c, d, e) {\n    wbytes(o, b, 0x6054B50); // skip disk\n    wbytes(o, b + 8, c);\n    wbytes(o, b + 10, c);\n    wbytes(o, b + 12, d);\n    wbytes(o, b + 16, e);\n};\n/**\n * A pass-through stream to keep data uncompressed in a ZIP archive.\n */\nvar ZipPassThrough = /*#__PURE__*/ (function () {\n    /**\n     * Creates a pass-through stream that can be added to ZIP archives\n     * @param filename The filename to associate with this data stream\n     */\n    function ZipPassThrough(filename) {\n        this.filename = filename;\n        this.c = crc();\n        this.size = 0;\n        this.compression = 0;\n    }\n    /**\n     * Processes a chunk and pushes to the output stream. You can override this\n     * method in a subclass for custom behavior, but by default this passes\n     * the data through. You must call this.ondata(err, chunk, final) at some\n     * point in this method.\n     * @param chunk The chunk to process\n     * @param final Whether this is the last chunk\n     */\n    ZipPassThrough.prototype.process = function (chunk, final) {\n        this.ondata(null, chunk, final);\n    };\n    /**\n     * Pushes a chunk to be added. If you are subclassing this with a custom\n     * compression algorithm, note that you must push data from the source\n     * file only, pre-compression.\n     * @param chunk The chunk to push\n     * @param final Whether this is the last chunk\n     */\n    ZipPassThrough.prototype.push = function (chunk, final) {\n        if (!this.ondata)\n            err(5);\n        this.c.p(chunk);\n        this.size += chunk.length;\n        if (final)\n            this.crc = this.c.d();\n        this.process(chunk, final || false);\n    };\n    return ZipPassThrough;\n}());\nexport { ZipPassThrough };\n// I don't extend because TypeScript extension adds 1kB of runtime bloat\n/**\n * Streaming DEFLATE compression for ZIP archives. Prefer using AsyncZipDeflate\n * for better performance\n */\nvar ZipDeflate = /*#__PURE__*/ (function () {\n    /**\n     * Creates a DEFLATE stream that can be added to ZIP archives\n     * @param filename The filename to associate with this data stream\n     * @param opts The compression options\n     */\n    function ZipDeflate(filename, opts) {\n        var _this_1 = this;\n        if (!opts)\n            opts = {};\n        ZipPassThrough.call(this, filename);\n        this.d = new Deflate(opts, function (dat, final) {\n            _this_1.ondata(null, dat, final);\n        });\n        this.compression = 8;\n        this.flag = dbf(opts.level);\n    }\n    ZipDeflate.prototype.process = function (chunk, final) {\n        try {\n            this.d.push(chunk, final);\n        }\n        catch (e) {\n            this.ondata(e, null, final);\n        }\n    };\n    /**\n     * Pushes a chunk to be deflated\n     * @param chunk The chunk to push\n     * @param final Whether this is the last chunk\n     */\n    ZipDeflate.prototype.push = function (chunk, final) {\n        ZipPassThrough.prototype.push.call(this, chunk, final);\n    };\n    return ZipDeflate;\n}());\nexport { ZipDeflate };\n/**\n * Asynchronous streaming DEFLATE compression for ZIP archives\n */\nvar AsyncZipDeflate = /*#__PURE__*/ (function () {\n    /**\n     * Creates a DEFLATE stream that can be added to ZIP archives\n     * @param filename The filename to associate with this data stream\n     * @param opts The compression options\n     */\n    function AsyncZipDeflate(filename, opts) {\n        var _this_1 = this;\n        if (!opts)\n            opts = {};\n        ZipPassThrough.call(this, filename);\n        this.d = new AsyncDeflate(opts, function (err, dat, final) {\n            _this_1.ondata(err, dat, final);\n        });\n        this.compression = 8;\n        this.flag = dbf(opts.level);\n        this.terminate = this.d.terminate;\n    }\n    AsyncZipDeflate.prototype.process = function (chunk, final) {\n        this.d.push(chunk, final);\n    };\n    /**\n     * Pushes a chunk to be deflated\n     * @param chunk The chunk to push\n     * @param final Whether this is the last chunk\n     */\n    AsyncZipDeflate.prototype.push = function (chunk, final) {\n        ZipPassThrough.prototype.push.call(this, chunk, final);\n    };\n    return AsyncZipDeflate;\n}());\nexport { AsyncZipDeflate };\n// TODO: Better tree shaking\n/**\n * A zippable archive to which files can incrementally be added\n */\nvar Zip = /*#__PURE__*/ (function () {\n    /**\n     * Creates an empty ZIP archive to which files can be added\n     * @param cb The callback to call whenever data for the generated ZIP archive\n     *           is available\n     */\n    function Zip(cb) {\n        this.ondata = cb;\n        this.u = [];\n        this.d = 1;\n    }\n    /**\n     * Adds a file to the ZIP archive\n     * @param file The file stream to add\n     */\n    Zip.prototype.add = function (file) {\n        var _this_1 = this;\n        if (!this.ondata)\n            err(5);\n        // finishing or finished\n        if (this.d & 2)\n            this.ondata(err(4 + (this.d & 1) * 8, 0, 1), null, false);\n        else {\n            var f = strToU8(file.filename), fl_1 = f.length;\n            var com = file.comment, o = com && strToU8(com);\n            var u = fl_1 != file.filename.length || (o && (com.length != o.length));\n            var hl_1 = fl_1 + exfl(file.extra) + 30;\n            if (fl_1 > 65535)\n                this.ondata(err(11, 0, 1), null, false);\n            var header = new u8(hl_1);\n            wzh(header, 0, file, f, u, -1);\n            var chks_1 = [header];\n            var pAll_1 = function () {\n                for (var _i = 0, chks_2 = chks_1; _i < chks_2.length; _i++) {\n                    var chk = chks_2[_i];\n                    _this_1.ondata(null, chk, false);\n                }\n                chks_1 = [];\n            };\n            var tr_1 = this.d;\n            this.d = 0;\n            var ind_1 = this.u.length;\n            var uf_1 = mrg(file, {\n                f: f,\n                u: u,\n                o: o,\n                t: function () {\n                    if (file.terminate)\n                        file.terminate();\n                },\n                r: function () {\n                    pAll_1();\n                    if (tr_1) {\n                        var nxt = _this_1.u[ind_1 + 1];\n                        if (nxt)\n                            nxt.r();\n                        else\n                            _this_1.d = 1;\n                    }\n                    tr_1 = 1;\n                }\n            });\n            var cl_1 = 0;\n            file.ondata = function (err, dat, final) {\n                if (err) {\n                    _this_1.ondata(err, dat, final);\n                    _this_1.terminate();\n                }\n                else {\n                    cl_1 += dat.length;\n                    chks_1.push(dat);\n                    if (final) {\n                        var dd = new u8(16);\n                        wbytes(dd, 0, 0x8074B50);\n                        wbytes(dd, 4, file.crc);\n                        wbytes(dd, 8, cl_1);\n                        wbytes(dd, 12, file.size);\n                        chks_1.push(dd);\n                        uf_1.c = cl_1, uf_1.b = hl_1 + cl_1 + 16, uf_1.crc = file.crc, uf_1.size = file.size;\n                        if (tr_1)\n                            uf_1.r();\n                        tr_1 = 1;\n                    }\n                    else if (tr_1)\n                        pAll_1();\n                }\n            };\n            this.u.push(uf_1);\n        }\n    };\n    /**\n     * Ends the process of adding files and prepares to emit the final chunks.\n     * This *must* be called after adding all desired files for the resulting\n     * ZIP file to work properly.\n     */\n    Zip.prototype.end = function () {\n        var _this_1 = this;\n        if (this.d & 2) {\n            this.ondata(err(4 + (this.d & 1) * 8, 0, 1), null, true);\n            return;\n        }\n        if (this.d)\n            this.e();\n        else\n            this.u.push({\n                r: function () {\n                    if (!(_this_1.d & 1))\n                        return;\n                    _this_1.u.splice(-1, 1);\n                    _this_1.e();\n                },\n                t: function () { }\n            });\n        this.d = 3;\n    };\n    Zip.prototype.e = function () {\n        var bt = 0, l = 0, tl = 0;\n        for (var _i = 0, _a = this.u; _i < _a.length; _i++) {\n            var f = _a[_i];\n            tl += 46 + f.f.length + exfl(f.extra) + (f.o ? f.o.length : 0);\n        }\n        var out = new u8(tl + 22);\n        for (var _b = 0, _c = this.u; _b < _c.length; _b++) {\n            var f = _c[_b];\n            wzh(out, bt, f, f.f, f.u, -f.c - 2, l, f.o);\n            bt += 46 + f.f.length + exfl(f.extra) + (f.o ? f.o.length : 0), l += f.b;\n        }\n        wzf(out, bt, this.u.length, tl, l);\n        this.ondata(null, out, true);\n        this.d = 2;\n    };\n    /**\n     * A method to terminate any internal workers used by the stream. Subsequent\n     * calls to add() will fail.\n     */\n    Zip.prototype.terminate = function () {\n        for (var _i = 0, _a = this.u; _i < _a.length; _i++) {\n            var f = _a[_i];\n            f.t();\n        }\n        this.d = 2;\n    };\n    return Zip;\n}());\nexport { Zip };\nexport function zip(data, opts, cb) {\n    if (!cb)\n        cb = opts, opts = {};\n    if (typeof cb != 'function')\n        err(7);\n    var r = {};\n    fltn(data, '', r, opts);\n    var k = Object.keys(r);\n    var lft = k.length, o = 0, tot = 0;\n    var slft = lft, files = new Array(lft);\n    var term = [];\n    var tAll = function () {\n        for (var i = 0; i < term.length; ++i)\n            term[i]();\n    };\n    var cbd = function (a, b) {\n        mt(function () { cb(a, b); });\n    };\n    mt(function () { cbd = cb; });\n    var cbf = function () {\n        var out = new u8(tot + 22), oe = o, cdl = tot - o;\n        tot = 0;\n        for (var i = 0; i < slft; ++i) {\n            var f = files[i];\n            try {\n                var l = f.c.length;\n                wzh(out, tot, f, f.f, f.u, l);\n                var badd = 30 + f.f.length + exfl(f.extra);\n                var loc = tot + badd;\n                out.set(f.c, loc);\n                wzh(out, o, f, f.f, f.u, l, tot, f.m), o += 16 + badd + (f.m ? f.m.length : 0), tot = loc + l;\n            }\n            catch (e) {\n                return cbd(e, null);\n            }\n        }\n        wzf(out, o, files.length, cdl, oe);\n        cbd(null, out);\n    };\n    if (!lft)\n        cbf();\n    var _loop_1 = function (i) {\n        var fn = k[i];\n        var _a = r[fn], file = _a[0], p = _a[1];\n        var c = crc(), size = file.length;\n        c.p(file);\n        var f = strToU8(fn), s = f.length;\n        var com = p.comment, m = com && strToU8(com), ms = m && m.length;\n        var exl = exfl(p.extra);\n        var compression = p.level == 0 ? 0 : 8;\n        var cbl = function (e, d) {\n            if (e) {\n                tAll();\n                cbd(e, null);\n            }\n            else {\n                var l = d.length;\n                files[i] = mrg(p, {\n                    size: size,\n                    crc: c.d(),\n                    c: d,\n                    f: f,\n                    m: m,\n                    u: s != fn.length || (m && (com.length != ms)),\n                    compression: compression\n                });\n                o += 30 + s + exl + l;\n                tot += 76 + 2 * (s + exl) + (ms || 0) + l;\n                if (!--lft)\n                    cbf();\n            }\n        };\n        if (s > 65535)\n            cbl(err(11, 0, 1), null);\n        if (!compression)\n            cbl(null, file);\n        else if (size < 160000) {\n            try {\n                cbl(null, deflateSync(file, p));\n            }\n            catch (e) {\n                cbl(e, null);\n            }\n        }\n        else\n            term.push(deflate(file, p, cbl));\n    };\n    // Cannot use lft because it can decrease\n    for (var i = 0; i < slft; ++i) {\n        _loop_1(i);\n    }\n    return tAll;\n}\n/**\n * Synchronously creates a ZIP file. Prefer using `zip` for better performance\n * with more than one file.\n * @param data The directory structure for the ZIP archive\n * @param opts The main options, merged with per-file options\n * @returns The generated ZIP archive\n */\nexport function zipSync(data, opts) {\n    if (!opts)\n        opts = {};\n    var r = {};\n    var files = [];\n    fltn(data, '', r, opts);\n    var o = 0;\n    var tot = 0;\n    for (var fn in r) {\n        var _a = r[fn], file = _a[0], p = _a[1];\n        var compression = p.level == 0 ? 0 : 8;\n        var f = strToU8(fn), s = f.length;\n        var com = p.comment, m = com && strToU8(com), ms = m && m.length;\n        var exl = exfl(p.extra);\n        if (s > 65535)\n            err(11);\n        var d = compression ? deflateSync(file, p) : file, l = d.length;\n        var c = crc();\n        c.p(file);\n        files.push(mrg(p, {\n            size: file.length,\n            crc: c.d(),\n            c: d,\n            f: f,\n            m: m,\n            u: s != fn.length || (m && (com.length != ms)),\n            o: o,\n            compression: compression\n        }));\n        o += 30 + s + exl + l;\n        tot += 76 + 2 * (s + exl) + (ms || 0) + l;\n    }\n    var out = new u8(tot + 22), oe = o, cdl = tot - o;\n    for (var i = 0; i < files.length; ++i) {\n        var f = files[i];\n        wzh(out, f.o, f, f.f, f.u, f.c.length);\n        var badd = 30 + f.f.length + exfl(f.extra);\n        out.set(f.c, f.o + badd);\n        wzh(out, o, f, f.f, f.u, f.c.length, f.o, f.m), o += 16 + badd + (f.m ? f.m.length : 0);\n    }\n    wzf(out, o, files.length, cdl, oe);\n    return out;\n}\n/**\n * Streaming pass-through decompression for ZIP archives\n */\nvar UnzipPassThrough = /*#__PURE__*/ (function () {\n    function UnzipPassThrough() {\n    }\n    UnzipPassThrough.prototype.push = function (data, final) {\n        this.ondata(null, data, final);\n    };\n    UnzipPassThrough.compression = 0;\n    return UnzipPassThrough;\n}());\nexport { UnzipPassThrough };\n/**\n * Streaming DEFLATE decompression for ZIP archives. Prefer AsyncZipInflate for\n * better performance.\n */\nvar UnzipInflate = /*#__PURE__*/ (function () {\n    /**\n     * Creates a DEFLATE decompression that can be used in ZIP archives\n     */\n    function UnzipInflate() {\n        var _this_1 = this;\n        this.i = new Inflate(function (dat, final) {\n            _this_1.ondata(null, dat, final);\n        });\n    }\n    UnzipInflate.prototype.push = function (data, final) {\n        try {\n            this.i.push(data, final);\n        }\n        catch (e) {\n            this.ondata(e, null, final);\n        }\n    };\n    UnzipInflate.compression = 8;\n    return UnzipInflate;\n}());\nexport { UnzipInflate };\n/**\n * Asynchronous streaming DEFLATE decompression for ZIP archives\n */\nvar AsyncUnzipInflate = /*#__PURE__*/ (function () {\n    /**\n     * Creates a DEFLATE decompression that can be used in ZIP archives\n     */\n    function AsyncUnzipInflate(_, sz) {\n        var _this_1 = this;\n        if (sz < 320000) {\n            this.i = new Inflate(function (dat, final) {\n                _this_1.ondata(null, dat, final);\n            });\n        }\n        else {\n            this.i = new AsyncInflate(function (err, dat, final) {\n                _this_1.ondata(err, dat, final);\n            });\n            this.terminate = this.i.terminate;\n        }\n    }\n    AsyncUnzipInflate.prototype.push = function (data, final) {\n        if (this.i.terminate)\n            data = slc(data, 0);\n        this.i.push(data, final);\n    };\n    AsyncUnzipInflate.compression = 8;\n    return AsyncUnzipInflate;\n}());\nexport { AsyncUnzipInflate };\n/**\n * A ZIP archive decompression stream that emits files as they are discovered\n */\nvar Unzip = /*#__PURE__*/ (function () {\n    /**\n     * Creates a ZIP decompression stream\n     * @param cb The callback to call whenever a file in the ZIP archive is found\n     */\n    function Unzip(cb) {\n        this.onfile = cb;\n        this.k = [];\n        this.o = {\n            0: UnzipPassThrough\n        };\n        this.p = et;\n    }\n    /**\n     * Pushes a chunk to be unzipped\n     * @param chunk The chunk to push\n     * @param final Whether this is the last chunk\n     */\n    Unzip.prototype.push = function (chunk, final) {\n        var _this_1 = this;\n        if (!this.onfile)\n            err(5);\n        if (!this.p)\n            err(4);\n        if (this.c > 0) {\n            var len = Math.min(this.c, chunk.length);\n            var toAdd = chunk.subarray(0, len);\n            this.c -= len;\n            if (this.d)\n                this.d.push(toAdd, !this.c);\n            else\n                this.k[0].push(toAdd);\n            chunk = chunk.subarray(len);\n            if (chunk.length)\n                return this.push(chunk, final);\n        }\n        else {\n            var f = 0, i = 0, is = void 0, buf = void 0;\n            if (!this.p.length)\n                buf = chunk;\n            else if (!chunk.length)\n                buf = this.p;\n            else {\n                buf = new u8(this.p.length + chunk.length);\n                buf.set(this.p), buf.set(chunk, this.p.length);\n            }\n            var l = buf.length, oc = this.c, add = oc && this.d;\n            var _loop_2 = function () {\n                var _a;\n                var sig = b4(buf, i);\n                if (sig == 0x4034B50) {\n                    f = 1, is = i;\n                    this_1.d = null;\n                    this_1.c = 0;\n                    var bf = b2(buf, i + 6), cmp_1 = b2(buf, i + 8), u = bf & 2048, dd = bf & 8, fnl = b2(buf, i + 26), es = b2(buf, i + 28);\n                    if (l > i + 30 + fnl + es) {\n                        var chks_3 = [];\n                        this_1.k.unshift(chks_3);\n                        f = 2;\n                        var sc_1 = b4(buf, i + 18), su_1 = b4(buf, i + 22);\n                        var fn_1 = strFromU8(buf.subarray(i + 30, i += 30 + fnl), !u);\n                        if (sc_1 == 4294967295) {\n                            _a = dd ? [-2] : z64e(buf, i), sc_1 = _a[0], su_1 = _a[1];\n                        }\n                        else if (dd)\n                            sc_1 = -1;\n                        i += es;\n                        this_1.c = sc_1;\n                        var d_1;\n                        var file_1 = {\n                            name: fn_1,\n                            compression: cmp_1,\n                            start: function () {\n                                if (!file_1.ondata)\n                                    err(5);\n                                if (!sc_1)\n                                    file_1.ondata(null, et, true);\n                                else {\n                                    var ctr = _this_1.o[cmp_1];\n                                    if (!ctr)\n                                        file_1.ondata(err(14, 'unknown compression type ' + cmp_1, 1), null, false);\n                                    d_1 = sc_1 < 0 ? new ctr(fn_1) : new ctr(fn_1, sc_1, su_1);\n                                    d_1.ondata = function (err, dat, final) { file_1.ondata(err, dat, final); };\n                                    for (var _i = 0, chks_4 = chks_3; _i < chks_4.length; _i++) {\n                                        var dat = chks_4[_i];\n                                        d_1.push(dat, false);\n                                    }\n                                    if (_this_1.k[0] == chks_3 && _this_1.c)\n                                        _this_1.d = d_1;\n                                    else\n                                        d_1.push(et, true);\n                                }\n                            },\n                            terminate: function () {\n                                if (d_1 && d_1.terminate)\n                                    d_1.terminate();\n                            }\n                        };\n                        if (sc_1 >= 0)\n                            file_1.size = sc_1, file_1.originalSize = su_1;\n                        this_1.onfile(file_1);\n                    }\n                    return \"break\";\n                }\n                else if (oc) {\n                    if (sig == 0x8074B50) {\n                        is = i += 12 + (oc == -2 && 8), f = 3, this_1.c = 0;\n                        return \"break\";\n                    }\n                    else if (sig == 0x2014B50) {\n                        is = i -= 4, f = 3, this_1.c = 0;\n                        return \"break\";\n                    }\n                }\n            };\n            var this_1 = this;\n            for (; i < l - 4; ++i) {\n                var state_1 = _loop_2();\n                if (state_1 === \"break\")\n                    break;\n            }\n            this.p = et;\n            if (oc < 0) {\n                var dat = f ? buf.subarray(0, is - 12 - (oc == -2 && 8) - (b4(buf, is - 16) == 0x8074B50 && 4)) : buf.subarray(0, i);\n                if (add)\n                    add.push(dat, !!f);\n                else\n                    this.k[+(f == 2)].push(dat);\n            }\n            if (f & 2)\n                return this.push(buf.subarray(i), final);\n            this.p = buf.subarray(i);\n        }\n        if (final) {\n            if (this.c)\n                err(13);\n            this.p = null;\n        }\n    };\n    /**\n     * Registers a decoder with the stream, allowing for files compressed with\n     * the compression type provided to be expanded correctly\n     * @param decoder The decoder constructor\n     */\n    Unzip.prototype.register = function (decoder) {\n        this.o[decoder.compression] = decoder;\n    };\n    return Unzip;\n}());\nexport { Unzip };\nvar mt = typeof queueMicrotask == 'function' ? queueMicrotask : typeof setTimeout == 'function' ? setTimeout : function (fn) { fn(); };\nexport function unzip(data, opts, cb) {\n    if (!cb)\n        cb = opts, opts = {};\n    if (typeof cb != 'function')\n        err(7);\n    var term = [];\n    var tAll = function () {\n        for (var i = 0; i < term.length; ++i)\n            term[i]();\n    };\n    var files = {};\n    var cbd = function (a, b) {\n        mt(function () { cb(a, b); });\n    };\n    mt(function () { cbd = cb; });\n    var e = data.length - 22;\n    for (; b4(data, e) != 0x6054B50; --e) {\n        if (!e || data.length - e > 65558) {\n            cbd(err(13, 0, 1), null);\n            return tAll;\n        }\n    }\n    ;\n    var lft = b2(data, e + 8);\n    if (lft) {\n        var c = lft;\n        var o = b4(data, e + 16);\n        var z = o == 4294967295 || c == 65535;\n        if (z) {\n            var ze = b4(data, e - 12);\n            z = b4(data, ze) == 0x6064B50;\n            if (z) {\n                c = lft = b4(data, ze + 32);\n                o = b4(data, ze + 48);\n            }\n        }\n        var fltr = opts && opts.filter;\n        var _loop_3 = function (i) {\n            var _a = zh(data, o, z), c_1 = _a[0], sc = _a[1], su = _a[2], fn = _a[3], no = _a[4], off = _a[5], b = slzh(data, off);\n            o = no;\n            var cbl = function (e, d) {\n                if (e) {\n                    tAll();\n                    cbd(e, null);\n                }\n                else {\n                    if (d)\n                        files[fn] = d;\n                    if (!--lft)\n                        cbd(null, files);\n                }\n            };\n            if (!fltr || fltr({\n                name: fn,\n                size: sc,\n                originalSize: su,\n                compression: c_1\n            })) {\n                if (!c_1)\n                    cbl(null, slc(data, b, b + sc));\n                else if (c_1 == 8) {\n                    var infl = data.subarray(b, b + sc);\n                    if (sc < 320000) {\n                        try {\n                            cbl(null, inflateSync(infl, new u8(su)));\n                        }\n                        catch (e) {\n                            cbl(e, null);\n                        }\n                    }\n                    else\n                        term.push(inflate(infl, { size: su }, cbl));\n                }\n                else\n                    cbl(err(14, 'unknown compression type ' + c_1, 1), null);\n            }\n            else\n                cbl(null, null);\n        };\n        for (var i = 0; i < c; ++i) {\n            _loop_3(i);\n        }\n    }\n    else\n        cbd(null, {});\n    return tAll;\n}\n/**\n * Synchronously decompresses a ZIP archive. Prefer using `unzip` for better\n * performance with more than one file.\n * @param data The raw compressed ZIP file\n * @param opts The ZIP extraction options\n * @returns The decompressed files\n */\nexport function unzipSync(data, opts) {\n    var files = {};\n    var e = data.length - 22;\n    for (; b4(data, e) != 0x6054B50; --e) {\n        if (!e || data.length - e > 65558)\n            err(13);\n    }\n    ;\n    var c = b2(data, e + 8);\n    if (!c)\n        return {};\n    var o = b4(data, e + 16);\n    var z = o == 4294967295 || c == 65535;\n    if (z) {\n        var ze = b4(data, e - 12);\n        z = b4(data, ze) == 0x6064B50;\n        if (z) {\n            c = b4(data, ze + 32);\n            o = b4(data, ze + 48);\n        }\n    }\n    var fltr = opts && opts.filter;\n    for (var i = 0; i < c; ++i) {\n        var _a = zh(data, o, z), c_2 = _a[0], sc = _a[1], su = _a[2], fn = _a[3], no = _a[4], off = _a[5], b = slzh(data, off);\n        o = no;\n        if (!fltr || fltr({\n            name: fn,\n            size: sc,\n            originalSize: su,\n            compression: c_2\n        })) {\n            if (!c_2)\n                files[fn] = slc(data, b, b + sc);\n            else if (c_2 == 8)\n                files[fn] = inflateSync(data.subarray(b, b + sc), new u8(su));\n            else\n                err(14, 'unknown compression type ' + c_2);\n        }\n    }\n    return files;\n}\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport { isArrayStream, passiveClone as streamPassiveClone, parse as streamParse, readToEnd as streamReadToEnd } from '@openpgp/web-stream-tools';\nimport enums from '../enums';\nimport util from '../util';\n\n/**\n * Implementation of the Literal Data Packet (Tag 11)\n *\n * {@link https://tools.ietf.org/html/rfc4880#section-5.9|RFC4880 5.9}:\n * A Literal Data packet contains the body of a message; data that is not to be\n * further interpreted.\n */\nclass LiteralDataPacket {\n  static get tag() {\n    return enums.packet.literalData;\n  }\n\n  /**\n   * @param {Date} date - The creation date of the literal package\n   */\n  constructor(date = new Date()) {\n    this.format = enums.literal.utf8; // default format for literal data packets\n    this.date = util.normalizeDate(date);\n    this.text = null; // textual data representation\n    this.data = null; // literal data representation\n    this.filename = '';\n  }\n\n  /**\n   * Set the packet data to a javascript native string, end of line\n   * will be normalized to \\r\\n and by default text is converted to UTF8\n   * @param {String | ReadableStream<String>} text - Any native javascript string\n   * @param {enums.literal} [format] - The format of the string of bytes\n   */\n  setText(text, format = enums.literal.utf8) {\n    this.format = format;\n    this.text = text;\n    this.data = null;\n  }\n\n  /**\n   * Returns literal data packets as native JavaScript string\n   * with normalized end of line to \\n\n   * @param {Boolean} [clone] - Whether to return a clone so that getBytes/getText can be called again\n   * @returns {String | ReadableStream<String>} Literal data as text.\n   */\n  getText(clone = false) {\n    if (this.text === null || util.isStream(this.text)) { // Assume that this.text has been read\n      this.text = util.decodeUTF8(util.nativeEOL(this.getBytes(clone)));\n    }\n    return this.text;\n  }\n\n  /**\n   * Set the packet data to value represented by the provided string of bytes.\n   * @param {Uint8Array | ReadableStream<Uint8Array>} bytes - The string of bytes\n   * @param {enums.literal} format - The format of the string of bytes\n   */\n  setBytes(bytes, format) {\n    this.format = format;\n    this.data = bytes;\n    this.text = null;\n  }\n\n\n  /**\n   * Get the byte sequence representing the literal packet data\n   * @param {Boolean} [clone] - Whether to return a clone so that getBytes/getText can be called again\n   * @returns {Uint8Array | ReadableStream<Uint8Array>} A sequence of bytes.\n   */\n  getBytes(clone = false) {\n    if (this.data === null) {\n      // encode UTF8 and normalize EOL to \\r\\n\n      this.data = util.canonicalizeEOL(util.encodeUTF8(this.text));\n    }\n    if (clone) {\n      return streamPassiveClone(this.data);\n    }\n    return this.data;\n  }\n\n\n  /**\n   * Sets the filename of the literal packet data\n   * @param {String} filename - Any native javascript string\n   */\n  setFilename(filename) {\n    this.filename = filename;\n  }\n\n\n  /**\n   * Get the filename of the literal packet data\n   * @returns {String} Filename.\n   */\n  getFilename() {\n    return this.filename;\n  }\n\n  /**\n   * Parsing function for a literal data packet (tag 11).\n   *\n   * @param {Uint8Array | ReadableStream<Uint8Array>} input - Payload of a tag 11 packet\n   * @returns {Promise<LiteralDataPacket>} Object representation.\n   * @async\n   */\n  async read(bytes) {\n    await streamParse(bytes, async reader => {\n      // - A one-octet field that describes how the data is formatted.\n      const format = await reader.readByte(); // enums.literal\n\n      const filename_len = await reader.readByte();\n      this.filename = util.decodeUTF8(await reader.readBytes(filename_len));\n\n      this.date = util.readDate(await reader.readBytes(4));\n\n      let data = reader.remainder();\n      if (isArrayStream(data)) data = await streamReadToEnd(data);\n      this.setBytes(data, format);\n    });\n  }\n\n  /**\n   * Creates a Uint8Array representation of the packet, excluding the data\n   *\n   * @returns {Uint8Array} Uint8Array representation of the packet.\n   */\n  writeHeader() {\n    const filename = util.encodeUTF8(this.filename);\n    const filename_length = new Uint8Array([filename.length]);\n\n    const format = new Uint8Array([this.format]);\n    const date = util.writeDate(this.date);\n\n    return util.concatUint8Array([format, filename_length, filename, date]);\n  }\n\n  /**\n   * Creates a Uint8Array representation of the packet\n   *\n   * @returns {Uint8Array | ReadableStream<Uint8Array>} Uint8Array representation of the packet.\n   */\n  write() {\n    const header = this.writeHeader();\n    const data = this.getBytes();\n\n    return util.concat([header, data]);\n  }\n}\n\nexport default LiteralDataPacket;\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\n/**\n * @module type/keyid\n */\n\nimport util from '../util';\n\n/**\n * Implementation of type key id\n *\n * {@link https://tools.ietf.org/html/rfc4880#section-3.3|RFC4880 3.3}:\n * A Key ID is an eight-octet scalar that identifies a key.\n * Implementations SHOULD NOT assume that Key IDs are unique.  The\n * section \"Enhanced Key Formats\" below describes how Key IDs are\n * formed.\n */\nclass KeyID {\n  constructor() {\n    this.bytes = '';\n  }\n\n  /**\n   * Parsing method for a key id\n   * @param {Uint8Array} bytes - Input to read the key id from\n   */\n  read(bytes) {\n    this.bytes = util.uint8ArrayToString(bytes.subarray(0, 8));\n    return this.bytes.length;\n  }\n\n  /**\n   * Serializes the Key ID\n   * @returns {Uint8Array} Key ID as a Uint8Array.\n   */\n  write() {\n    return util.stringToUint8Array(this.bytes);\n  }\n\n  /**\n   * Returns the Key ID represented as a hexadecimal string\n   * @returns {String} Key ID as a hexadecimal string.\n   */\n  toHex() {\n    return util.uint8ArrayToHex(util.stringToUint8Array(this.bytes));\n  }\n\n  /**\n   * Checks equality of Key ID's\n   * @param {KeyID} keyID\n   * @param {Boolean} matchWildcard - Indicates whether to check if either keyID is a wildcard\n   */\n  equals(keyID, matchWildcard = false) {\n    return (matchWildcard && (keyID.isWildcard() || this.isWildcard())) || this.bytes === keyID.bytes;\n  }\n\n  /**\n   * Checks to see if the Key ID is unset\n   * @returns {Boolean} True if the Key ID is null.\n   */\n  isNull() {\n    return this.bytes === '';\n  }\n\n  /**\n   * Checks to see if the Key ID is a \"wildcard\" Key ID (all zeros)\n   * @returns {Boolean} True if this is a wildcard Key ID.\n   */\n  isWildcard() {\n    return /^0+$/.test(this.toHex());\n  }\n\n  static mapToHex(keyID) {\n    return keyID.toHex();\n  }\n\n  static fromID(hex) {\n    const keyID = new KeyID();\n    keyID.read(util.hexToUint8Array(hex));\n    return keyID;\n  }\n\n  static wildcard() {\n    const keyID = new KeyID();\n    keyID.read(new Uint8Array(8));\n    return keyID;\n  }\n}\n\nexport default KeyID;\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport { fromAsync as streamFromAsync, slice as streamSlice, readToEnd as streamReadToEnd, clone as streamClone, transform as streamTransform } from '@openpgp/web-stream-tools';\nimport { readSimpleLength, UnsupportedError, writeSimpleLength } from './packet';\nimport KeyID from '../type/keyid';\nimport { signature, serializeParams, getRandomBytes, getHashByteLength, computeDigest } from '../crypto';\nimport enums from '../enums';\nimport util from '../util';\nimport defaultConfig from '../config';\n\n// Symbol to store cryptographic validity of the signature, to avoid recomputing multiple times on verification.\nconst verified = Symbol('verified');\n\n// A salt notation is used to randomize signatures.\n// This is to protect EdDSA signatures in particular, which are known to be vulnerable to fault attacks\n// leading to secret key extraction if two signatures over the same data can be collected (see https://github.com/jedisct1/libsodium/issues/170).\n// For simplicity, we add the salt to all algos, as it may also serve as protection in case of weaknesses in the hash algo, potentially hindering e.g.\n// some chosen-prefix attacks.\n// v6 signatures do not need to rely on this notation, as they already include a separate, built-in salt.\nconst SALT_NOTATION_NAME = 'salt@notations.openpgpjs.org';\n\n// GPG puts the Issuer and Signature subpackets in the unhashed area.\n// Tampering with those invalidates the signature, so we still trust them and parse them.\n// All other unhashed subpackets are ignored.\nconst allowedUnhashedSubpackets = new Set([\n  enums.signatureSubpacket.issuerKeyID,\n  enums.signatureSubpacket.issuerFingerprint,\n  enums.signatureSubpacket.embeddedSignature\n]);\n\n/**\n * Implementation of the Signature Packet (Tag 2)\n *\n * {@link https://tools.ietf.org/html/rfc4880#section-5.2|RFC4480 5.2}:\n * A Signature packet describes a binding between some public key and\n * some data.  The most common signatures are a signature of a file or a\n * block of text, and a signature that is a certification of a User ID.\n */\nclass SignaturePacket {\n  static get tag() {\n    return enums.packet.signature;\n  }\n\n  constructor() {\n    this.version = null;\n    /** @type {enums.signature} */\n    this.signatureType = null;\n    /** @type {enums.hash} */\n    this.hashAlgorithm = null;\n    /** @type {enums.publicKey} */\n    this.publicKeyAlgorithm = null;\n\n    this.signatureData = null;\n    this.unhashedSubpackets = [];\n    this.unknownSubpackets = [];\n    this.signedHashValue = null;\n    this.salt = null;\n\n    this.created = null;\n    this.signatureExpirationTime = null;\n    this.signatureNeverExpires = true;\n    this.exportable = null;\n    this.trustLevel = null;\n    this.trustAmount = null;\n    this.regularExpression = null;\n    this.revocable = null;\n    this.keyExpirationTime = null;\n    this.keyNeverExpires = null;\n    this.preferredSymmetricAlgorithms = null;\n    this.revocationKeyClass = null;\n    this.revocationKeyAlgorithm = null;\n    this.revocationKeyFingerprint = null;\n    this.issuerKeyID = new KeyID();\n    this.rawNotations = [];\n    this.notations = {};\n    this.preferredHashAlgorithms = null;\n    this.preferredCompressionAlgorithms = null;\n    this.keyServerPreferences = null;\n    this.preferredKeyServer = null;\n    this.isPrimaryUserID = null;\n    this.policyURI = null;\n    this.keyFlags = null;\n    this.signersUserID = null;\n    this.reasonForRevocationFlag = null;\n    this.reasonForRevocationString = null;\n    this.features = null;\n    this.signatureTargetPublicKeyAlgorithm = null;\n    this.signatureTargetHashAlgorithm = null;\n    this.signatureTargetHash = null;\n    this.embeddedSignature = null;\n    this.issuerKeyVersion = null;\n    this.issuerFingerprint = null;\n    this.preferredAEADAlgorithms = null;\n    this.preferredCipherSuites = null;\n\n    this.revoked = null;\n    this[verified] = null;\n  }\n\n  /**\n   * parsing function for a signature packet (tag 2).\n   * @param {String} bytes - Payload of a tag 2 packet\n   * @returns {SignaturePacket} Object representation.\n   */\n  read(bytes, config = defaultConfig) {\n    let i = 0;\n    this.version = bytes[i++];\n    if (this.version === 5 && !config.enableParsingV5Entities) {\n      throw new UnsupportedError('Support for v5 entities is disabled; turn on `config.enableParsingV5Entities` if needed');\n    }\n\n    if (this.version !== 4 && this.version !== 5 && this.version !== 6) {\n      throw new UnsupportedError(`Version ${this.version} of the signature packet is unsupported.`);\n    }\n\n    this.signatureType = bytes[i++];\n    this.publicKeyAlgorithm = bytes[i++];\n    this.hashAlgorithm = bytes[i++];\n\n    // hashed subpackets\n    i += this.readSubPackets(bytes.subarray(i, bytes.length), true);\n    if (!this.created) {\n      throw new Error('Missing signature creation time subpacket.');\n    }\n\n    // A V4 signature hashes the packet body\n    // starting from its first field, the version number, through the end\n    // of the hashed subpacket data.  Thus, the fields hashed are the\n    // signature version, the signature type, the public-key algorithm, the\n    // hash algorithm, the hashed subpacket length, and the hashed\n    // subpacket body.\n    this.signatureData = bytes.subarray(0, i);\n\n    // unhashed subpackets\n    i += this.readSubPackets(bytes.subarray(i, bytes.length), false);\n\n    // Two-octet field holding left 16 bits of signed hash value.\n    this.signedHashValue = bytes.subarray(i, i + 2);\n    i += 2;\n\n    // Only for v6 signatures, a variable-length field containing:\n    if (this.version === 6) {\n      // A one-octet salt size. The value MUST match the value defined\n      // for the hash algorithm as specified in Table 23 (Hash algorithm registry).\n      // To allow parsing unknown hash algos, we only check the expected salt length when verifying.\n      const saltLength = bytes[i++];\n\n      // The salt; a random value value of the specified size.\n      this.salt = bytes.subarray(i, i + saltLength);\n      i += saltLength;\n    }\n\n    const signatureMaterial = bytes.subarray(i, bytes.length);\n    const { read, signatureParams } = signature.parseSignatureParams(this.publicKeyAlgorithm, signatureMaterial);\n    if (read < signatureMaterial.length) {\n      throw new Error('Error reading MPIs');\n    }\n    this.params = signatureParams;\n  }\n\n  /**\n   * @returns {Uint8Array | ReadableStream<Uint8Array>}\n   */\n  writeParams() {\n    if (this.params instanceof Promise) {\n      return streamFromAsync(\n        async () => serializeParams(this.publicKeyAlgorithm, await this.params)\n      );\n    }\n    return serializeParams(this.publicKeyAlgorithm, this.params);\n  }\n\n  write() {\n    const arr = [];\n    arr.push(this.signatureData);\n    arr.push(this.writeUnhashedSubPackets());\n    arr.push(this.signedHashValue);\n    if (this.version === 6) {\n      arr.push(new Uint8Array([this.salt.length]));\n      arr.push(this.salt);\n    }\n    arr.push(this.writeParams());\n    return util.concat(arr);\n  }\n\n  /**\n   * Signs provided data. This needs to be done prior to serialization.\n   * @param {SecretKeyPacket} key - Private key used to sign the message.\n   * @param {Object} data - Contains packets to be signed.\n   * @param {Date} [date] - The signature creation time.\n   * @param {Boolean} [detached] - Whether to create a detached signature\n   * @throws {Error} if signing failed\n   * @async\n   */\n  async sign(key, data, date = new Date(), detached = false, config) {\n    this.version = key.version;\n\n    this.created = util.normalizeDate(date);\n    this.issuerKeyVersion = key.version;\n    this.issuerFingerprint = key.getFingerprintBytes();\n    this.issuerKeyID = key.getKeyID();\n\n    const arr = [new Uint8Array([this.version, this.signatureType, this.publicKeyAlgorithm, this.hashAlgorithm])];\n\n    // add randomness to the signature\n    if (this.version === 6) {\n      const saltLength = saltLengthForHash(this.hashAlgorithm);\n      if (this.salt === null) {\n        this.salt = getRandomBytes(saltLength);\n      } else if (saltLength !== this.salt.length) {\n        throw new Error('Provided salt does not have the required length');\n      }\n    } else if (config.nonDeterministicSignaturesViaNotation) {\n      const saltNotations = this.rawNotations.filter(({ name }) => (name === SALT_NOTATION_NAME));\n      // since re-signing the same object is not supported, it's not expected to have multiple salt notations,\n      // but we guard against it as a sanity check\n      if (saltNotations.length === 0) {\n        const saltValue = getRandomBytes(saltLengthForHash(this.hashAlgorithm));\n        this.rawNotations.push({\n          name: SALT_NOTATION_NAME,\n          value: saltValue,\n          humanReadable: false,\n          critical: false\n        });\n      } else {\n        throw new Error('Unexpected existing salt notation');\n      }\n    }\n\n    // Add hashed subpackets\n    arr.push(this.writeHashedSubPackets());\n\n    // Remove unhashed subpackets, in case some allowed unhashed\n    // subpackets existed, in order not to duplicate them (in both\n    // the hashed and unhashed subpackets) when re-signing.\n    this.unhashedSubpackets = [];\n\n    this.signatureData = util.concat(arr);\n\n    const toHash = this.toHash(this.signatureType, data, detached);\n    const hash = await this.hash(this.signatureType, data, toHash, detached);\n\n    this.signedHashValue = streamSlice(streamClone(hash), 0, 2);\n    const signed = async () => signature.sign(\n      this.publicKeyAlgorithm, this.hashAlgorithm, key.publicParams, key.privateParams, toHash, await streamReadToEnd(hash)\n    );\n    if (util.isStream(hash)) {\n      this.params = signed();\n    } else {\n      this.params = await signed();\n\n      // Store the fact that this signature is valid, e.g. for when we call `await\n      // getLatestValidSignature(this.revocationSignatures, key, data)` later.\n      // Note that this only holds up if the key and data passed to verify are the\n      // same as the ones passed to sign.\n      this[verified] = true;\n    }\n  }\n\n  /**\n   * Creates Uint8Array of bytes of all subpacket data except Issuer and Embedded Signature subpackets\n   * @returns {Uint8Array} Subpacket data.\n   */\n  writeHashedSubPackets() {\n    const sub = enums.signatureSubpacket;\n    const arr = [];\n    let bytes;\n    if (this.created === null) {\n      throw new Error('Missing signature creation time');\n    }\n    arr.push(writeSubPacket(sub.signatureCreationTime, true, util.writeDate(this.created)));\n    if (this.signatureExpirationTime !== null) {\n      arr.push(writeSubPacket(sub.signatureExpirationTime, true, util.writeNumber(this.signatureExpirationTime, 4)));\n    }\n    if (this.exportable !== null) {\n      arr.push(writeSubPacket(sub.exportableCertification, true, new Uint8Array([this.exportable ? 1 : 0])));\n    }\n    if (this.trustLevel !== null) {\n      bytes = new Uint8Array([this.trustLevel, this.trustAmount]);\n      arr.push(writeSubPacket(sub.trustSignature, true, bytes));\n    }\n    if (this.regularExpression !== null) {\n      arr.push(writeSubPacket(sub.regularExpression, true, this.regularExpression));\n    }\n    if (this.revocable !== null) {\n      arr.push(writeSubPacket(sub.revocable, true, new Uint8Array([this.revocable ? 1 : 0])));\n    }\n    if (this.keyExpirationTime !== null) {\n      arr.push(writeSubPacket(sub.keyExpirationTime, true, util.writeNumber(this.keyExpirationTime, 4)));\n    }\n    if (this.preferredSymmetricAlgorithms !== null) {\n      bytes = util.stringToUint8Array(util.uint8ArrayToString(this.preferredSymmetricAlgorithms));\n      arr.push(writeSubPacket(sub.preferredSymmetricAlgorithms, false, bytes));\n    }\n    if (this.revocationKeyClass !== null) {\n      bytes = new Uint8Array([this.revocationKeyClass, this.revocationKeyAlgorithm]);\n      bytes = util.concat([bytes, this.revocationKeyFingerprint]);\n      arr.push(writeSubPacket(sub.revocationKey, false, bytes));\n    }\n    if (!this.issuerKeyID.isNull() && this.issuerKeyVersion < 5) {\n      // If the version of [the] key is greater than 4, this subpacket\n      // MUST NOT be included in the signature.\n      arr.push(writeSubPacket(sub.issuerKeyID, true, this.issuerKeyID.write()));\n    }\n    this.rawNotations.forEach(({ name, value, humanReadable, critical }) => {\n      bytes = [new Uint8Array([humanReadable ? 0x80 : 0, 0, 0, 0])];\n      const encodedName = util.encodeUTF8(name);\n      // 2 octets of name length\n      bytes.push(util.writeNumber(encodedName.length, 2));\n      // 2 octets of value length\n      bytes.push(util.writeNumber(value.length, 2));\n      bytes.push(encodedName);\n      bytes.push(value);\n      bytes = util.concat(bytes);\n      arr.push(writeSubPacket(sub.notationData, critical, bytes));\n    });\n    if (this.preferredHashAlgorithms !== null) {\n      bytes = util.stringToUint8Array(util.uint8ArrayToString(this.preferredHashAlgorithms));\n      arr.push(writeSubPacket(sub.preferredHashAlgorithms, false, bytes));\n    }\n    if (this.preferredCompressionAlgorithms !== null) {\n      bytes = util.stringToUint8Array(util.uint8ArrayToString(this.preferredCompressionAlgorithms));\n      arr.push(writeSubPacket(sub.preferredCompressionAlgorithms, false, bytes));\n    }\n    if (this.keyServerPreferences !== null) {\n      bytes = util.stringToUint8Array(util.uint8ArrayToString(this.keyServerPreferences));\n      arr.push(writeSubPacket(sub.keyServerPreferences, false, bytes));\n    }\n    if (this.preferredKeyServer !== null) {\n      arr.push(writeSubPacket(sub.preferredKeyServer, false, util.encodeUTF8(this.preferredKeyServer)));\n    }\n    if (this.isPrimaryUserID !== null) {\n      arr.push(writeSubPacket(sub.primaryUserID, false, new Uint8Array([this.isPrimaryUserID ? 1 : 0])));\n    }\n    if (this.policyURI !== null) {\n      arr.push(writeSubPacket(sub.policyURI, false, util.encodeUTF8(this.policyURI)));\n    }\n    if (this.keyFlags !== null) {\n      bytes = util.stringToUint8Array(util.uint8ArrayToString(this.keyFlags));\n      arr.push(writeSubPacket(sub.keyFlags, true, bytes));\n    }\n    if (this.signersUserID !== null) {\n      arr.push(writeSubPacket(sub.signersUserID, false, util.encodeUTF8(this.signersUserID)));\n    }\n    if (this.reasonForRevocationFlag !== null) {\n      bytes = util.stringToUint8Array(String.fromCharCode(this.reasonForRevocationFlag) + this.reasonForRevocationString);\n      arr.push(writeSubPacket(sub.reasonForRevocation, true, bytes));\n    }\n    if (this.features !== null) {\n      bytes = util.stringToUint8Array(util.uint8ArrayToString(this.features));\n      arr.push(writeSubPacket(sub.features, false, bytes));\n    }\n    if (this.signatureTargetPublicKeyAlgorithm !== null) {\n      bytes = [new Uint8Array([this.signatureTargetPublicKeyAlgorithm, this.signatureTargetHashAlgorithm])];\n      bytes.push(util.stringToUint8Array(this.signatureTargetHash));\n      bytes = util.concat(bytes);\n      arr.push(writeSubPacket(sub.signatureTarget, true, bytes));\n    }\n    if (this.embeddedSignature !== null) {\n      arr.push(writeSubPacket(sub.embeddedSignature, true, this.embeddedSignature.write()));\n    }\n    if (this.issuerFingerprint !== null) {\n      bytes = [new Uint8Array([this.issuerKeyVersion]), this.issuerFingerprint];\n      bytes = util.concat(bytes);\n      arr.push(writeSubPacket(sub.issuerFingerprint, this.version >= 5, bytes));\n    }\n    if (this.preferredAEADAlgorithms !== null) {\n      bytes = util.stringToUint8Array(util.uint8ArrayToString(this.preferredAEADAlgorithms));\n      arr.push(writeSubPacket(sub.preferredAEADAlgorithms, false, bytes));\n    }\n    if (this.preferredCipherSuites !== null) {\n      bytes = new Uint8Array([].concat(...this.preferredCipherSuites));\n      arr.push(writeSubPacket(sub.preferredCipherSuites, false, bytes));\n    }\n\n    const result = util.concat(arr);\n    const length = util.writeNumber(result.length, this.version === 6 ? 4 : 2);\n\n    return util.concat([length, result]);\n  }\n\n  /**\n   * Creates an Uint8Array containing the unhashed subpackets\n   * @returns {Uint8Array} Subpacket data.\n   */\n  writeUnhashedSubPackets() {\n    const arr = this.unhashedSubpackets.map(({ type, critical, body }) => {\n      return writeSubPacket(type, critical, body);\n    });\n\n    const result = util.concat(arr);\n    const length = util.writeNumber(result.length, this.version === 6 ? 4 : 2);\n\n    return util.concat([length, result]);\n  }\n\n  // Signature subpackets\n  readSubPacket(bytes, hashed = true) {\n    let mypos = 0;\n\n    // The leftmost bit denotes a \"critical\" packet\n    const critical = !!(bytes[mypos] & 0x80);\n    const type = bytes[mypos] & 0x7F;\n\n    mypos++;\n\n    if (!hashed) {\n      this.unhashedSubpackets.push({\n        type,\n        critical,\n        body: bytes.subarray(mypos, bytes.length)\n      });\n      if (!allowedUnhashedSubpackets.has(type)) {\n        return;\n      }\n    }\n\n    // subpacket type\n    switch (type) {\n      case enums.signatureSubpacket.signatureCreationTime:\n        // Signature Creation Time\n        this.created = util.readDate(bytes.subarray(mypos, bytes.length));\n        break;\n      case enums.signatureSubpacket.signatureExpirationTime: {\n        // Signature Expiration Time in seconds\n        const seconds = util.readNumber(bytes.subarray(mypos, bytes.length));\n\n        this.signatureNeverExpires = seconds === 0;\n        this.signatureExpirationTime = seconds;\n\n        break;\n      }\n      case enums.signatureSubpacket.exportableCertification:\n        // Exportable Certification\n        this.exportable = bytes[mypos++] === 1;\n        break;\n      case enums.signatureSubpacket.trustSignature:\n        // Trust Signature\n        this.trustLevel = bytes[mypos++];\n        this.trustAmount = bytes[mypos++];\n        break;\n      case enums.signatureSubpacket.regularExpression:\n        // Regular Expression\n        this.regularExpression = bytes[mypos];\n        break;\n      case enums.signatureSubpacket.revocable:\n        // Revocable\n        this.revocable = bytes[mypos++] === 1;\n        break;\n      case enums.signatureSubpacket.keyExpirationTime: {\n        // Key Expiration Time in seconds\n        const seconds = util.readNumber(bytes.subarray(mypos, bytes.length));\n\n        this.keyExpirationTime = seconds;\n        this.keyNeverExpires = seconds === 0;\n\n        break;\n      }\n      case enums.signatureSubpacket.preferredSymmetricAlgorithms:\n        // Preferred Symmetric Algorithms\n        this.preferredSymmetricAlgorithms = [...bytes.subarray(mypos, bytes.length)];\n        break;\n      case enums.signatureSubpacket.revocationKey:\n        // Revocation Key\n        // (1 octet of class, 1 octet of public-key algorithm ID, 20\n        // octets of\n        // fingerprint)\n        this.revocationKeyClass = bytes[mypos++];\n        this.revocationKeyAlgorithm = bytes[mypos++];\n        this.revocationKeyFingerprint = bytes.subarray(mypos, mypos + 20);\n        break;\n\n      case enums.signatureSubpacket.issuerKeyID:\n        // Issuer\n        if (this.version === 4) {\n          this.issuerKeyID.read(bytes.subarray(mypos, bytes.length));\n        } else if (hashed) {\n          // If the version of the key is greater than 4, this subpacket MUST NOT be included in the signature,\n          // since the Issuer Fingerprint subpacket is to be used instead.\n          // The `issuerKeyID` value will be set when reading the issuerFingerprint packet.\n          // For this reason, if the issuer Key ID packet is present but unhashed, we simply ignore it,\n          // to avoid situations where `.getSigningKeyIDs()` returns a keyID potentially different from the (signed)\n          // issuerFingerprint.\n          // If the packet is hashed, then we reject the signature, to avoid verifying data different from\n          // what was parsed.\n          throw new Error('Unexpected Issuer Key ID subpacket');\n        }\n        break;\n\n      case enums.signatureSubpacket.notationData: {\n        // Notation Data\n        const humanReadable = !!(bytes[mypos] & 0x80);\n\n        // We extract key/value tuple from the byte stream.\n        mypos += 4;\n        const m = util.readNumber(bytes.subarray(mypos, mypos + 2));\n        mypos += 2;\n        const n = util.readNumber(bytes.subarray(mypos, mypos + 2));\n        mypos += 2;\n\n        const name = util.decodeUTF8(bytes.subarray(mypos, mypos + m));\n        const value = bytes.subarray(mypos + m, mypos + m + n);\n\n        this.rawNotations.push({ name, humanReadable, value, critical });\n\n        if (humanReadable) {\n          this.notations[name] = util.decodeUTF8(value);\n        }\n        break;\n      }\n      case enums.signatureSubpacket.preferredHashAlgorithms:\n        // Preferred Hash Algorithms\n        this.preferredHashAlgorithms = [...bytes.subarray(mypos, bytes.length)];\n        break;\n      case enums.signatureSubpacket.preferredCompressionAlgorithms:\n        // Preferred Compression Algorithms\n        this.preferredCompressionAlgorithms = [...bytes.subarray(mypos, bytes.length)];\n        break;\n      case enums.signatureSubpacket.keyServerPreferences:\n        // Key Server Preferences\n        this.keyServerPreferences = [...bytes.subarray(mypos, bytes.length)];\n        break;\n      case enums.signatureSubpacket.preferredKeyServer:\n        // Preferred Key Server\n        this.preferredKeyServer = util.decodeUTF8(bytes.subarray(mypos, bytes.length));\n        break;\n      case enums.signatureSubpacket.primaryUserID:\n        // Primary User ID\n        this.isPrimaryUserID = bytes[mypos++] !== 0;\n        break;\n      case enums.signatureSubpacket.policyURI:\n        // Policy URI\n        this.policyURI = util.decodeUTF8(bytes.subarray(mypos, bytes.length));\n        break;\n      case enums.signatureSubpacket.keyFlags:\n        // Key Flags\n        this.keyFlags = [...bytes.subarray(mypos, bytes.length)];\n        break;\n      case enums.signatureSubpacket.signersUserID:\n        // Signer's User ID\n        this.signersUserID = util.decodeUTF8(bytes.subarray(mypos, bytes.length));\n        break;\n      case enums.signatureSubpacket.reasonForRevocation:\n        // Reason for Revocation\n        this.reasonForRevocationFlag = bytes[mypos++];\n        this.reasonForRevocationString = util.decodeUTF8(bytes.subarray(mypos, bytes.length));\n        break;\n      case enums.signatureSubpacket.features:\n        // Features\n        this.features = [...bytes.subarray(mypos, bytes.length)];\n        break;\n      case enums.signatureSubpacket.signatureTarget: {\n        // Signature Target\n        // (1 octet public-key algorithm, 1 octet hash algorithm, N octets hash)\n        this.signatureTargetPublicKeyAlgorithm = bytes[mypos++];\n        this.signatureTargetHashAlgorithm = bytes[mypos++];\n\n        const len = getHashByteLength(this.signatureTargetHashAlgorithm);\n\n        this.signatureTargetHash = util.uint8ArrayToString(bytes.subarray(mypos, mypos + len));\n        break;\n      }\n      case enums.signatureSubpacket.embeddedSignature:\n        // Embedded Signature\n        this.embeddedSignature = new SignaturePacket();\n        this.embeddedSignature.read(bytes.subarray(mypos, bytes.length));\n        break;\n      case enums.signatureSubpacket.issuerFingerprint:\n        // Issuer Fingerprint\n        this.issuerKeyVersion = bytes[mypos++];\n        this.issuerFingerprint = bytes.subarray(mypos, bytes.length);\n        if (this.issuerKeyVersion >= 5) {\n          this.issuerKeyID.read(this.issuerFingerprint);\n        } else {\n          this.issuerKeyID.read(this.issuerFingerprint.subarray(-8));\n        }\n        break;\n      case enums.signatureSubpacket.preferredAEADAlgorithms:\n        // Preferred AEAD Algorithms\n        this.preferredAEADAlgorithms = [...bytes.subarray(mypos, bytes.length)];\n        break;\n      case enums.signatureSubpacket.preferredCipherSuites:\n        // Preferred AEAD Cipher Suites\n        this.preferredCipherSuites = [];\n        for (let i = mypos; i < bytes.length; i += 2) {\n          this.preferredCipherSuites.push([bytes[i], bytes[i + 1]]);\n        }\n        break;\n      default:\n        this.unknownSubpackets.push({\n          type,\n          critical,\n          body: bytes.subarray(mypos, bytes.length)\n        });\n        break;\n    }\n  }\n\n  readSubPackets(bytes, trusted = true, config) {\n    const subpacketLengthBytes = this.version === 6 ? 4 : 2;\n\n    // Two-octet scalar octet count for following subpacket data.\n    const subpacketLength = util.readNumber(bytes.subarray(0, subpacketLengthBytes));\n\n    let i = subpacketLengthBytes;\n\n    // subpacket data set (zero or more subpackets)\n    while (i < 2 + subpacketLength) {\n      const len = readSimpleLength(bytes.subarray(i, bytes.length));\n      i += len.offset;\n\n      this.readSubPacket(bytes.subarray(i, i + len.len), trusted, config);\n\n      i += len.len;\n    }\n\n    return i;\n  }\n\n  // Produces data to produce signature on\n  toSign(type, data) {\n    const t = enums.signature;\n\n    switch (type) {\n      case t.binary:\n        if (data.text !== null) {\n          return util.encodeUTF8(data.getText(true));\n        }\n        return data.getBytes(true);\n\n      case t.text: {\n        const bytes = data.getBytes(true);\n        // normalize EOL to \\r\\n\n        return util.canonicalizeEOL(bytes);\n      }\n      case t.standalone:\n        return new Uint8Array(0);\n\n      case t.certGeneric:\n      case t.certPersona:\n      case t.certCasual:\n      case t.certPositive:\n      case t.certRevocation: {\n        let packet;\n        let tag;\n\n        if (data.userID) {\n          tag = 0xB4;\n          packet = data.userID;\n        } else if (data.userAttribute) {\n          tag = 0xD1;\n          packet = data.userAttribute;\n        } else {\n          throw new Error('Either a userID or userAttribute packet needs to be ' +\n            'supplied for certification.');\n        }\n\n        const bytes = packet.write();\n\n        return util.concat([this.toSign(t.key, data),\n          new Uint8Array([tag]),\n          util.writeNumber(bytes.length, 4),\n          bytes]);\n      }\n      case t.subkeyBinding:\n      case t.subkeyRevocation:\n      case t.keyBinding:\n        return util.concat([this.toSign(t.key, data), this.toSign(t.key, {\n          key: data.bind\n        })]);\n\n      case t.key:\n        if (data.key === undefined) {\n          throw new Error('Key packet is required for this signature.');\n        }\n        return data.key.writeForHash(this.version);\n\n      case t.keyRevocation:\n        return this.toSign(t.key, data);\n      case t.timestamp:\n        return new Uint8Array(0);\n      case t.thirdParty:\n        throw new Error('Not implemented');\n      default:\n        throw new Error('Unknown signature type.');\n    }\n  }\n\n  calculateTrailer(data, detached) {\n    let length = 0;\n    return streamTransform(streamClone(this.signatureData), value => {\n      length += value.length;\n    }, () => {\n      const arr = [];\n      if (this.version === 5 && (this.signatureType === enums.signature.binary || this.signatureType === enums.signature.text)) {\n        if (detached) {\n          arr.push(new Uint8Array(6));\n        } else {\n          arr.push(data.writeHeader());\n        }\n      }\n      arr.push(new Uint8Array([this.version, 0xFF]));\n      if (this.version === 5) {\n        arr.push(new Uint8Array(4));\n      }\n      arr.push(util.writeNumber(length, 4));\n      // For v5, this should really be writeNumber(length, 8) rather than the\n      // hardcoded 4 zero bytes above\n      return util.concat(arr);\n    });\n  }\n\n  toHash(signatureType, data, detached = false) {\n    const bytes = this.toSign(signatureType, data);\n\n    return util.concat([this.salt || new Uint8Array(), bytes, this.signatureData, this.calculateTrailer(data, detached)]);\n  }\n\n  async hash(signatureType, data, toHash, detached = false) {\n    if (this.version === 6 && this.salt.length !== saltLengthForHash(this.hashAlgorithm)) {\n      // avoid hashing unexpected salt size\n      throw new Error('Signature salt does not have the expected length');\n    }\n\n    if (!toHash) toHash = this.toHash(signatureType, data, detached);\n    return computeDigest(this.hashAlgorithm, toHash);\n  }\n\n  /**\n   * verifies the signature packet. Note: not all signature types are implemented\n   * @param {PublicSubkeyPacket|PublicKeyPacket|\n   *         SecretSubkeyPacket|SecretKeyPacket} key - the public key to verify the signature\n   * @param {module:enums.signature} signatureType - Expected signature type\n   * @param {Uint8Array|Object} data - Data which on the signature applies\n   * @param {Date} [date] - Use the given date instead of the current time to check for signature validity and expiration\n   * @param {Boolean} [detached] - Whether to verify a detached signature\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @throws {Error} if signature validation failed\n   * @async\n   */\n  async verify(key, signatureType, data, date = new Date(), detached = false, config = defaultConfig) {\n    if (!this.issuerKeyID.equals(key.getKeyID())) {\n      throw new Error('Signature was not issued by the given public key');\n    }\n    if (this.publicKeyAlgorithm !== key.algorithm) {\n      throw new Error('Public key algorithm used to sign signature does not match issuer key algorithm.');\n    }\n\n    const isMessageSignature = signatureType === enums.signature.binary || signatureType === enums.signature.text;\n    // Cryptographic validity is cached after one successful verification.\n    // However, for message signatures, we always re-verify, since the passed `data` can change\n    const skipVerify = this[verified] && !isMessageSignature;\n    if (!skipVerify) {\n      let toHash;\n      let hash;\n      if (this.hashed) {\n        hash = await this.hashed;\n      } else {\n        toHash = this.toHash(signatureType, data, detached);\n        hash = await this.hash(signatureType, data, toHash);\n      }\n      hash = await streamReadToEnd(hash);\n      if (this.signedHashValue[0] !== hash[0] ||\n          this.signedHashValue[1] !== hash[1]) {\n        throw new Error('Signed digest did not match');\n      }\n\n      this.params = await this.params;\n\n      this[verified] = await signature.verify(\n        this.publicKeyAlgorithm, this.hashAlgorithm, this.params, key.publicParams,\n        toHash, hash\n      );\n\n      if (!this[verified]) {\n        throw new Error('Signature verification failed');\n      }\n    }\n\n    const normDate = util.normalizeDate(date);\n    if (normDate && this.created > normDate) {\n      throw new Error('Signature creation time is in the future');\n    }\n    if (normDate && normDate >= this.getExpirationTime()) {\n      throw new Error('Signature is expired');\n    }\n    if (config.rejectHashAlgorithms.has(this.hashAlgorithm)) {\n      throw new Error('Insecure hash algorithm: ' + enums.read(enums.hash, this.hashAlgorithm).toUpperCase());\n    }\n    if (config.rejectMessageHashAlgorithms.has(this.hashAlgorithm) &&\n      [enums.signature.binary, enums.signature.text].includes(this.signatureType)) {\n      throw new Error('Insecure message hash algorithm: ' + enums.read(enums.hash, this.hashAlgorithm).toUpperCase());\n    }\n    this.unknownSubpackets.forEach(({ type, critical }) => {\n      if (critical) {\n        throw new Error(`Unknown critical signature subpacket type ${type}`);\n      }\n    });\n    this.rawNotations.forEach(({ name, critical }) => {\n      if (critical && (config.knownNotations.indexOf(name) < 0)) {\n        throw new Error(`Unknown critical notation: ${name}`);\n      }\n    });\n    if (this.revocationKeyClass !== null) {\n      throw new Error('This key is intended to be revoked with an authorized key, which OpenPGP.js does not support.');\n    }\n  }\n\n  /**\n   * Verifies signature expiration date\n   * @param {Date} [date] - Use the given date for verification instead of the current time\n   * @returns {Boolean} True if expired.\n   */\n  isExpired(date = new Date()) {\n    const normDate = util.normalizeDate(date);\n    if (normDate !== null) {\n      return !(this.created <= normDate && normDate < this.getExpirationTime());\n    }\n    return false;\n  }\n\n  /**\n   * Returns the expiration time of the signature or Infinity if signature does not expire\n   * @returns {Date | Infinity} Expiration time.\n   */\n  getExpirationTime() {\n    return this.signatureNeverExpires ? Infinity : new Date(this.created.getTime() + this.signatureExpirationTime * 1000);\n  }\n}\n\nexport default SignaturePacket;\n\n/**\n * Creates a Uint8Array representation of a sub signature packet\n * @see {@link https://tools.ietf.org/html/rfc4880#section-5.2.3.1|RFC4880 5.2.3.1}\n * @see {@link https://tools.ietf.org/html/rfc4880#section-5.2.3.2|RFC4880 5.2.3.2}\n * @param {Integer} type - Subpacket signature type.\n * @param {Boolean} critical - Whether the subpacket should be critical.\n * @param {String} data - Data to be included\n * @returns {Uint8Array} The signature subpacket.\n * @private\n */\nfunction writeSubPacket(type, critical, data) {\n  const arr = [];\n  arr.push(writeSimpleLength(data.length + 1));\n  arr.push(new Uint8Array([(critical ? 0x80 : 0) | type]));\n  arr.push(data);\n  return util.concat(arr);\n}\n\n/**\n * Select the required salt length for the given hash algorithm, as per Table 23 (Hash algorithm registry) of the crypto refresh.\n * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh#section-9.5|Crypto Refresh Section 9.5}\n * @param {enums.hash} hashAlgorithm - Hash algorithm.\n * @returns {Integer} Salt length.\n * @private\n */\nfunction saltLengthForHash(hashAlgorithm) {\n  switch (hashAlgorithm) {\n    case enums.hash.sha256: return 16;\n    case enums.hash.sha384: return 24;\n    case enums.hash.sha512: return 32;\n    case enums.hash.sha224: return 16;\n    case enums.hash.sha3_256: return 16;\n    case enums.hash.sha3_512: return 32;\n    default: throw new Error('Unsupported hash function');\n  }\n}\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport { fromAsync as streamFromAsync } from '@openpgp/web-stream-tools';\nimport SignaturePacket from './signature';\nimport KeyID from '../type/keyid';\nimport enums from '../enums';\nimport util from '../util';\nimport { UnsupportedError } from './packet';\n\n/**\n * Implementation of the One-Pass Signature Packets (Tag 4)\n *\n * {@link https://tools.ietf.org/html/rfc4880#section-5.4|RFC4880 5.4}:\n * The One-Pass Signature packet precedes the signed data and contains\n * enough information to allow the receiver to begin calculating any\n * hashes needed to verify the signature.  It allows the Signature\n * packet to be placed at the end of the message, so that the signer\n * can compute the entire signed message in one pass.\n */\nclass OnePassSignaturePacket {\n  static get tag() {\n    return enums.packet.onePassSignature;\n  }\n\n  static fromSignaturePacket(signaturePacket, isLast) {\n    const onePassSig = new OnePassSignaturePacket();\n    onePassSig.version = signaturePacket.version === 6 ? 6 : 3;\n    onePassSig.signatureType = signaturePacket.signatureType;\n    onePassSig.hashAlgorithm = signaturePacket.hashAlgorithm;\n    onePassSig.publicKeyAlgorithm = signaturePacket.publicKeyAlgorithm;\n    onePassSig.issuerKeyID = signaturePacket.issuerKeyID;\n    onePassSig.salt = signaturePacket.salt; // v6 only\n    onePassSig.issuerFingerprint = signaturePacket.issuerFingerprint; // v6 only\n\n    onePassSig.flags = isLast ? 1 : 0;\n    return onePassSig;\n  }\n\n  constructor() {\n    /** A one-octet version number.  The current versions are 3 and 6. */\n    this.version = null;\n    /**\n     * A one-octet signature type.\n     * Signature types are described in\n     * {@link https://tools.ietf.org/html/rfc4880#section-5.2.1|RFC4880 Section 5.2.1}.\n     * @type {enums.signature}\n\n     */\n    this.signatureType = null;\n    /**\n     * A one-octet number describing the hash algorithm used.\n     * @see {@link https://tools.ietf.org/html/rfc4880#section-9.4|RFC4880 9.4}\n     * @type {enums.hash}\n     */\n    this.hashAlgorithm = null;\n    /**\n     * A one-octet number describing the public-key algorithm used.\n     * @see {@link https://tools.ietf.org/html/rfc4880#section-9.1|RFC4880 9.1}\n     * @type {enums.publicKey}\n     */\n    this.publicKeyAlgorithm = null;\n    /** Only for v6, a variable-length field containing the salt. */\n    this.salt = null;\n    /** Only for v3 packets, an eight-octet number holding the Key ID of the signing key. */\n    this.issuerKeyID = null;\n    /** Only for v6 packets, 32 octets of the fingerprint of the signing key. */\n    this.issuerFingerprint = null;\n    /**\n     * A one-octet number holding a flag showing whether the signature is nested.\n     * A zero value indicates that the next packet is another One-Pass Signature packet\n     * that describes another signature to be applied to the same message data.\n     */\n    this.flags = null;\n  }\n\n  /**\n   * parsing function for a one-pass signature packet (tag 4).\n   * @param {Uint8Array} bytes - Payload of a tag 4 packet\n   * @returns {OnePassSignaturePacket} Object representation.\n   */\n  read(bytes) {\n    let mypos = 0;\n    // A one-octet version number.  The current versions are 3 or 6.\n    this.version = bytes[mypos++];\n    if (this.version !== 3 && this.version !== 6) {\n      throw new UnsupportedError(`Version ${this.version} of the one-pass signature packet is unsupported.`);\n    }\n\n    // A one-octet signature type.  Signature types are described in\n    //   Section 5.2.1.\n    this.signatureType = bytes[mypos++];\n\n    // A one-octet number describing the hash algorithm used.\n    this.hashAlgorithm = bytes[mypos++];\n\n    // A one-octet number describing the public-key algorithm used.\n    this.publicKeyAlgorithm = bytes[mypos++];\n\n    if (this.version === 6) {\n      // Only for v6 signatures, a variable-length field containing:\n\n      // A one-octet salt size. The value MUST match the value defined\n      // for the hash algorithm as specified in Table 23 (Hash algorithm registry).\n      // To allow parsing unknown hash algos, we only check the expected salt length when verifying.\n      const saltLength = bytes[mypos++];\n\n      // The salt; a random value value of the specified size.\n      this.salt = bytes.subarray(mypos, mypos + saltLength);\n      mypos += saltLength;\n\n      // Only for v6 packets, 32 octets of the fingerprint of the signing key.\n      this.issuerFingerprint = bytes.subarray(mypos, mypos + 32);\n      mypos += 32;\n      this.issuerKeyID = new KeyID();\n      // For v6 the Key ID is the high-order 64 bits of the fingerprint.\n      this.issuerKeyID.read(this.issuerFingerprint);\n    } else {\n      // Only for v3 packets, an eight-octet number holding the Key ID of the signing key.\n      this.issuerKeyID = new KeyID();\n      this.issuerKeyID.read(bytes.subarray(mypos, mypos + 8));\n      mypos += 8;\n    }\n\n    // A one-octet number holding a flag showing whether the signature\n    //   is nested.  A zero value indicates that the next packet is\n    //   another One-Pass Signature packet that describes another\n    //   signature to be applied to the same message data.\n    this.flags = bytes[mypos++];\n    return this;\n  }\n\n  /**\n   * creates a string representation of a one-pass signature packet\n   * @returns {Uint8Array} A Uint8Array representation of a one-pass signature packet.\n   */\n  write() {\n    const arr = [new Uint8Array([\n      this.version,\n      this.signatureType,\n      this.hashAlgorithm,\n      this.publicKeyAlgorithm\n    ])];\n    if (this.version === 6) {\n      arr.push(\n        new Uint8Array([this.salt.length]),\n        this.salt,\n        this.issuerFingerprint\n      );\n    } else {\n      arr.push(this.issuerKeyID.write());\n    }\n    arr.push(new Uint8Array([this.flags]));\n    return util.concatUint8Array(arr);\n  }\n\n  calculateTrailer(...args) {\n    return streamFromAsync(async () => SignaturePacket.prototype.calculateTrailer.apply(await this.correspondingSig, args));\n  }\n\n  async verify() {\n    const correspondingSig = await this.correspondingSig;\n    if (!correspondingSig || correspondingSig.constructor.tag !== enums.packet.signature) {\n      throw new Error('Corresponding signature packet missing');\n    }\n    if (\n      correspondingSig.signatureType !== this.signatureType ||\n      correspondingSig.hashAlgorithm !== this.hashAlgorithm ||\n      correspondingSig.publicKeyAlgorithm !== this.publicKeyAlgorithm ||\n      !correspondingSig.issuerKeyID.equals(this.issuerKeyID) ||\n      (this.version === 3 && correspondingSig.version === 6) ||\n      (this.version === 6 && correspondingSig.version !== 6) ||\n      (this.version === 6 && !util.equalsUint8Array(correspondingSig.issuerFingerprint, this.issuerFingerprint)) ||\n      (this.version === 6 && !util.equalsUint8Array(correspondingSig.salt, this.salt))\n    ) {\n      throw new Error('Corresponding signature packet does not match one-pass signature packet');\n    }\n    correspondingSig.hashed = this.hashed;\n    return correspondingSig.verify.apply(correspondingSig, arguments);\n  }\n}\n\nOnePassSignaturePacket.prototype.hash = SignaturePacket.prototype.hash;\nOnePassSignaturePacket.prototype.toHash = SignaturePacket.prototype.toHash;\nOnePassSignaturePacket.prototype.toSign = SignaturePacket.prototype.toSign;\n\nexport default OnePassSignaturePacket;\n","import { transformPair as streamTransformPair, transform as streamTransform, getWriter as streamGetWriter, getReader as streamGetReader, clone as streamClone } from '@openpgp/web-stream-tools';\nimport {\n  readPackets, supportsStreaming,\n  writeTag, writeHeader,\n  writePartialLength, writeSimpleLength,\n  UnparseablePacket,\n  UnsupportedError,\n  UnknownPacketError\n} from './packet';\nimport util from '../util';\nimport enums from '../enums';\nimport defaultConfig from '../config';\n\n/**\n * Instantiate a new packet given its tag\n * @function newPacketFromTag\n * @param {module:enums.packet} tag - Property value from {@link module:enums.packet}\n * @param {Object} allowedPackets - mapping where keys are allowed packet tags, pointing to their Packet class\n * @returns {Object} New packet object with type based on tag\n * @throws {Error|UnsupportedError} for disallowed or unknown packets\n */\nexport function newPacketFromTag(tag, allowedPackets) {\n  if (!allowedPackets[tag]) {\n    // distinguish between disallowed packets and unknown ones\n    let packetType;\n    try {\n      packetType = enums.read(enums.packet, tag);\n    } catch (e) {\n      throw new UnknownPacketError(`Unknown packet type with tag: ${tag}`);\n    }\n    throw new Error(`Packet not allowed in this context: ${packetType}`);\n  }\n  return new allowedPackets[tag]();\n}\n\n/**\n * This class represents a list of openpgp packets.\n * Take care when iterating over it - the packets themselves\n * are stored as numerical indices.\n * @extends Array\n */\nclass PacketList extends Array {\n  /**\n   * Parses the given binary data and returns a list of packets.\n   * Equivalent to calling `read` on an empty PacketList instance.\n   * @param {Uint8Array | ReadableStream<Uint8Array>} bytes - binary data to parse\n   * @param {Object} allowedPackets - mapping where keys are allowed packet tags, pointing to their Packet class\n   * @param {Object} [config] - full configuration, defaults to openpgp.config\n   * @returns {PacketList} parsed list of packets\n   * @throws on parsing errors\n   * @async\n   */\n  static async fromBinary(bytes, allowedPackets, config = defaultConfig) {\n    const packets = new PacketList();\n    await packets.read(bytes, allowedPackets, config);\n    return packets;\n  }\n\n  /**\n   * Reads a stream of binary data and interprets it as a list of packets.\n   * @param {Uint8Array | ReadableStream<Uint8Array>} bytes - binary data to parse\n   * @param {Object} allowedPackets - mapping where keys are allowed packet tags, pointing to their Packet class\n   * @param {Object} [config] - full configuration, defaults to openpgp.config\n   * @throws on parsing errors\n   * @async\n   */\n  async read(bytes, allowedPackets, config = defaultConfig) {\n    if (config.additionalAllowedPackets.length) {\n      allowedPackets = { ...allowedPackets, ...util.constructAllowedPackets(config.additionalAllowedPackets) };\n    }\n    this.stream = streamTransformPair(bytes, async (readable, writable) => {\n      const writer = streamGetWriter(writable);\n      try {\n        while (true) {\n          await writer.ready;\n          const done = await readPackets(readable, async parsed => {\n            try {\n              if (parsed.tag === enums.packet.marker || parsed.tag === enums.packet.trust || parsed.tag === enums.packet.padding) {\n                // According to the spec, these packet types should be ignored and not cause parsing errors, even if not esplicitly allowed:\n                // - Marker packets MUST be ignored when received: https://github.com/openpgpjs/openpgpjs/issues/1145\n                // - Trust packets SHOULD be ignored outside of keyrings (unsupported): https://datatracker.ietf.org/doc/html/rfc4880#section-5.10\n                // - [Padding Packets] MUST be ignored when received: https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh#name-padding-packet-tag-21\n                return;\n              }\n              const packet = newPacketFromTag(parsed.tag, allowedPackets);\n              packet.packets = new PacketList();\n              packet.fromStream = util.isStream(parsed.packet);\n              await packet.read(parsed.packet, config);\n              await writer.write(packet);\n            } catch (e) {\n              // If an implementation encounters a critical packet where the packet type is unknown in a packet sequence,\n              // it MUST reject the whole packet sequence. On the other hand, an unknown non-critical packet MUST be ignored.\n              // Packet Tags from 0 to 39 are critical. Packet Tags from 40 to 63 are non-critical.\n              if (e instanceof UnknownPacketError) {\n                if (parsed.tag <= 39) {\n                  await writer.abort(e);\n                } else {\n                  return;\n                }\n              }\n\n              const throwUnsupportedError = !config.ignoreUnsupportedPackets && e instanceof UnsupportedError;\n              const throwMalformedError = !config.ignoreMalformedPackets && !(e instanceof UnsupportedError);\n              if (throwUnsupportedError || throwMalformedError || supportsStreaming(parsed.tag)) {\n                // The packets that support streaming are the ones that contain message data.\n                // Those are also the ones we want to be more strict about and throw on parse errors\n                // (since we likely cannot process the message without these packets anyway).\n                await writer.abort(e);\n              } else {\n                const unparsedPacket = new UnparseablePacket(parsed.tag, parsed.packet);\n                await writer.write(unparsedPacket);\n              }\n              util.printDebugError(e);\n            }\n          });\n          if (done) {\n            await writer.ready;\n            await writer.close();\n            return;\n          }\n        }\n      } catch (e) {\n        await writer.abort(e);\n      }\n    });\n\n    // Wait until first few packets have been read\n    const reader = streamGetReader(this.stream);\n    while (true) {\n      const { done, value } = await reader.read();\n      if (!done) {\n        this.push(value);\n      } else {\n        this.stream = null;\n      }\n      if (done || supportsStreaming(value.constructor.tag)) {\n        break;\n      }\n    }\n    reader.releaseLock();\n  }\n\n  /**\n   * Creates a binary representation of openpgp objects contained within the\n   * class instance.\n   * @returns {Uint8Array} A Uint8Array containing valid openpgp packets.\n   */\n  write() {\n    const arr = [];\n\n    for (let i = 0; i < this.length; i++) {\n      const tag = this[i] instanceof UnparseablePacket ? this[i].tag : this[i].constructor.tag;\n      const packetbytes = this[i].write();\n      if (util.isStream(packetbytes) && supportsStreaming(this[i].constructor.tag)) {\n        let buffer = [];\n        let bufferLength = 0;\n        const minLength = 512;\n        arr.push(writeTag(tag));\n        arr.push(streamTransform(packetbytes, value => {\n          buffer.push(value);\n          bufferLength += value.length;\n          if (bufferLength >= minLength) {\n            const powerOf2 = Math.min(Math.log(bufferLength) / Math.LN2 | 0, 30);\n            const chunkSize = 2 ** powerOf2;\n            const bufferConcat = util.concat([writePartialLength(powerOf2)].concat(buffer));\n            buffer = [bufferConcat.subarray(1 + chunkSize)];\n            bufferLength = buffer[0].length;\n            return bufferConcat.subarray(0, 1 + chunkSize);\n          }\n        }, () => util.concat([writeSimpleLength(bufferLength)].concat(buffer))));\n      } else {\n        if (util.isStream(packetbytes)) {\n          let length = 0;\n          arr.push(streamTransform(streamClone(packetbytes), value => {\n            length += value.length;\n          }, () => writeHeader(tag, length)));\n        } else {\n          arr.push(writeHeader(tag, packetbytes.length));\n        }\n        arr.push(packetbytes);\n      }\n    }\n\n    return util.concat(arr);\n  }\n\n  /**\n   * Creates a new PacketList with all packets matching the given tag(s)\n   * @param {...module:enums.packet} tags - packet tags to look for\n   * @returns {PacketList}\n   */\n  filterByTag(...tags) {\n    const filtered = new PacketList();\n\n    const handle = tag => packetType => tag === packetType;\n\n    for (let i = 0; i < this.length; i++) {\n      if (tags.some(handle(this[i].constructor.tag))) {\n        filtered.push(this[i]);\n      }\n    }\n\n    return filtered;\n  }\n\n  /**\n   * Traverses packet list and returns first packet with matching tag\n   * @param {module:enums.packet} tag - The packet tag\n   * @returns {Packet|undefined}\n   */\n  findPacket(tag) {\n    return this.find(packet => packet.constructor.tag === tag);\n  }\n\n  /**\n   * Find indices of packets with the given tag(s)\n   * @param {...module:enums.packet} tags - packet tags to look for\n   * @returns {Integer[]} packet indices\n   */\n  indexOfTag(...tags) {\n    const tagIndex = [];\n    const that = this;\n\n    const handle = tag => packetType => tag === packetType;\n\n    for (let i = 0; i < this.length; i++) {\n      if (tags.some(handle(that[i].constructor.tag))) {\n        tagIndex.push(i);\n      }\n    }\n    return tagIndex;\n  }\n}\n\nexport default PacketList;\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport { Inflate, Deflate, Zlib, Unzlib } from 'fflate';\nimport { isArrayStream, fromAsync as streamFromAsync, parse as streamParse, readToEnd as streamReadToEnd } from '@openpgp/web-stream-tools';\nimport enums from '../enums';\nimport util from '../util';\nimport defaultConfig from '../config';\n\nimport LiteralDataPacket from './literal_data';\nimport OnePassSignaturePacket from './one_pass_signature';\nimport SignaturePacket from './signature';\nimport PacketList from './packetlist';\n\n// A Compressed Data packet can contain the following packet types\nconst allowedPackets = /*#__PURE__*/ util.constructAllowedPackets([\n  LiteralDataPacket,\n  OnePassSignaturePacket,\n  SignaturePacket\n]);\n\n/**\n * Implementation of the Compressed Data Packet (Tag 8)\n *\n * {@link https://tools.ietf.org/html/rfc4880#section-5.6|RFC4880 5.6}:\n * The Compressed Data packet contains compressed data.  Typically,\n * this packet is found as the contents of an encrypted packet, or following\n * a Signature or One-Pass Signature packet, and contains a literal data packet.\n */\nclass CompressedDataPacket {\n  static get tag() {\n    return enums.packet.compressedData;\n  }\n\n  /**\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   */\n  constructor(config = defaultConfig) {\n    /**\n     * List of packets\n     * @type {PacketList}\n     */\n    this.packets = null;\n    /**\n     * Compression algorithm\n     * @type {enums.compression}\n     */\n    this.algorithm = config.preferredCompressionAlgorithm;\n\n    /**\n     * Compressed packet data\n     * @type {Uint8Array | ReadableStream<Uint8Array>}\n     */\n    this.compressed = null;\n  }\n\n  /**\n   * Parsing function for the packet.\n   * @param {Uint8Array | ReadableStream<Uint8Array>} bytes - Payload of a tag 8 packet\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   */\n  async read(bytes, config = defaultConfig) {\n    await streamParse(bytes, async reader => {\n\n      // One octet that gives the algorithm used to compress the packet.\n      this.algorithm = await reader.readByte();\n\n      // Compressed data, which makes up the remainder of the packet.\n      this.compressed = reader.remainder();\n\n      await this.decompress(config);\n    });\n  }\n\n\n  /**\n   * Return the compressed packet.\n   * @returns {Uint8Array | ReadableStream<Uint8Array>} Binary compressed packet.\n   */\n  write() {\n    if (this.compressed === null) {\n      this.compress();\n    }\n\n    return util.concat([new Uint8Array([this.algorithm]), this.compressed]);\n  }\n\n\n  /**\n   * Decompression method for decompressing the compressed data\n   * read by read_packet\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   */\n  async decompress(config = defaultConfig) {\n    const compressionName = enums.read(enums.compression, this.algorithm);\n    const decompressionFn = decompress_fns[compressionName]; // bzip decompression is async\n    if (!decompressionFn) {\n      throw new Error(`${compressionName} decompression not supported`);\n    }\n\n    this.packets = await PacketList.fromBinary(await decompressionFn(this.compressed), allowedPackets, config);\n  }\n\n  /**\n   * Compress the packet data (member decompressedData)\n   */\n  compress() {\n    const compressionName = enums.read(enums.compression, this.algorithm);\n    const compressionFn = compress_fns[compressionName];\n    if (!compressionFn) {\n      throw new Error(`${compressionName} compression not supported`);\n    }\n\n    this.compressed = compressionFn(this.packets.write());\n  }\n}\n\nexport default CompressedDataPacket;\n\n//////////////////////////\n//                      //\n//   Helper functions   //\n//                      //\n//////////////////////////\n\n/**\n * Zlib processor relying on Compression Stream API if available, or falling back to fflate otherwise.\n * @param {function(): CompressionStream|function(): DecompressionStream} compressionStreamInstantiator\n * @param {FunctionConstructor} ZlibStreamedConstructor - fflate constructor\n * @returns {ReadableStream<Uint8Array>} compressed or decompressed data\n */\nfunction zlib(compressionStreamInstantiator, ZlibStreamedConstructor) {\n  return data => {\n    if (!util.isStream(data) || isArrayStream(data)) {\n      return streamFromAsync(() => streamReadToEnd(data).then(inputData => {\n        return new Promise((resolve, reject) => {\n          const zlibStream = new ZlibStreamedConstructor();\n          zlibStream.ondata = processedData => {\n            resolve(processedData);\n          };\n          try {\n            zlibStream.push(inputData, true); // only one chunk to push\n          } catch (err) {\n            reject(err);\n          }\n        });\n      }));\n    }\n\n    // Use Compression Streams API if available (see https://developer.mozilla.org/en-US/docs/Web/API/Compression_Streams_API)\n    if (compressionStreamInstantiator) {\n      try {\n        const compressorOrDecompressor = compressionStreamInstantiator();\n        return data.pipeThrough(compressorOrDecompressor);\n      } catch (err) {\n        // If format is unsupported in Compression/DecompressionStream, then a TypeError in thrown, and we fallback to fflate.\n        if (err.name !== 'TypeError') {\n          throw err;\n        }\n      }\n    }\n\n    // JS fallback\n    const inputReader = data.getReader();\n    const zlibStream = new ZlibStreamedConstructor();\n\n    return new ReadableStream({\n      async start(controller) {\n        zlibStream.ondata = async (value, isLast) => {\n          controller.enqueue(value);\n          if (isLast) {\n            controller.close();\n          }\n        };\n\n        while (true) {\n          const { done, value } = await inputReader.read();\n          if (done) {\n            zlibStream.push(new Uint8Array(), true);\n            return;\n          } else if (value.length) {\n            zlibStream.push(value);\n          }\n        }\n      }\n    });\n  };\n}\n\nfunction bzip2Decompress() {\n  return async function(data) {\n    const { decode: bunzipDecode } = await import('@openpgp/seek-bzip');\n    return streamFromAsync(async () => bunzipDecode(await streamReadToEnd(data)));\n  };\n}\n\n/**\n * Get Compression Stream API instatiators if the constructors are implemented.\n * NB: the return instatiator functions will throw when called if the provided `compressionFormat` is not supported\n * (supported formats cannot be determined in advance).\n * @param {'deflate-raw'|'deflate'|'gzip'|string} compressionFormat\n * @returns {{ compressor: function(): CompressionStream | false, decompressor: function(): DecompressionStream | false }}\n */\nconst getCompressionStreamInstantiators = compressionFormat => ({\n  compressor: typeof CompressionStream !== 'undefined' && (() => new CompressionStream(compressionFormat)),\n  decompressor: typeof DecompressionStream !== 'undefined' && (() => new DecompressionStream(compressionFormat))\n});\n\nconst compress_fns = {\n  zip: /*#__PURE__*/ zlib(getCompressionStreamInstantiators('deflate-raw').compressor, Deflate),\n  zlib: /*#__PURE__*/ zlib(getCompressionStreamInstantiators('deflate').compressor, Zlib)\n};\n\nconst decompress_fns = {\n  uncompressed: data => data,\n  zip: /*#__PURE__*/ zlib(getCompressionStreamInstantiators('deflate-raw').decompressor, Inflate),\n  zlib: /*#__PURE__*/ zlib(getCompressionStreamInstantiators('deflate').decompressor, Unzlib),\n  bzip2: /*#__PURE__*/ bzip2Decompress() // NB: async due to dynamic lib import\n};\n\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport { slice as streamSlice, passiveClone as streamPassiveClone, readToEnd as streamReadToEnd, concat as streamConcat, fromAsync as streamFromAsync, getReader as streamGetReader, getWriter as streamGetWriter, clone as streamClone, pipe as streamPipe, transformPair as streamTransformPair, isArrayStream, parse as streamParse } from '@openpgp/web-stream-tools';\nimport { cipherMode, getRandomBytes, getCipherParams, computeDigest } from '../crypto';\nimport computeHKDF from '../crypto/hkdf';\nimport enums from '../enums';\nimport util from '../util';\nimport defaultConfig from '../config';\n\nimport LiteralDataPacket from './literal_data';\nimport CompressedDataPacket from './compressed_data';\nimport OnePassSignaturePacket from './one_pass_signature';\nimport SignaturePacket from './signature';\nimport PacketList from './packetlist';\nimport { UnsupportedError } from './packet';\n\n// A SEIP packet can contain the following packet types\nconst allowedPackets = /*#__PURE__*/ util.constructAllowedPackets([\n  LiteralDataPacket,\n  CompressedDataPacket,\n  OnePassSignaturePacket,\n  SignaturePacket\n]);\n\n/**\n * Implementation of the Sym. Encrypted Integrity Protected Data Packet (Tag 18)\n *\n * {@link https://tools.ietf.org/html/rfc4880#section-5.13|RFC4880 5.13}:\n * The Symmetrically Encrypted Integrity Protected Data packet is\n * a variant of the Symmetrically Encrypted Data packet. It is a new feature\n * created for OpenPGP that addresses the problem of detecting a modification to\n * encrypted data. It is used in combination with a Modification Detection Code\n * packet.\n */\nclass SymEncryptedIntegrityProtectedDataPacket {\n  static get tag() {\n    return enums.packet.symEncryptedIntegrityProtectedData;\n  }\n\n  static fromObject({ version, aeadAlgorithm }) {\n    if (version !== 1 && version !== 2) {\n      throw new Error('Unsupported SEIPD version');\n    }\n\n    const seip = new SymEncryptedIntegrityProtectedDataPacket();\n    seip.version = version;\n    if (version === 2) {\n      seip.aeadAlgorithm = aeadAlgorithm;\n    }\n\n    return seip;\n  }\n\n  constructor() {\n    this.version = null;\n\n    // The following 4 fields are for V2 only.\n    /** @type {enums.symmetric} */\n    this.cipherAlgorithm = null;\n    /** @type {enums.aead} */\n    this.aeadAlgorithm = null;\n    this.chunkSizeByte = null;\n    this.salt = null;\n\n    this.encrypted = null;\n    this.packets = null;\n  }\n\n  async read(bytes) {\n    await streamParse(bytes, async reader => {\n      this.version = await reader.readByte();\n      // - A one-octet version number with value 1 or 2.\n      if (this.version !== 1 && this.version !== 2) {\n        throw new UnsupportedError(`Version ${this.version} of the SEIP packet is unsupported.`);\n      }\n\n      if (this.version === 2) {\n        // - A one-octet cipher algorithm.\n        this.cipherAlgorithm = await reader.readByte();\n        // - A one-octet AEAD algorithm.\n        this.aeadAlgorithm = await reader.readByte();\n        // - A one-octet chunk size.\n        this.chunkSizeByte = await reader.readByte();\n        // - Thirty-two octets of salt. The salt is used to derive the message key and must be unique.\n        this.salt = await reader.readBytes(32);\n      }\n\n      // For V1:\n      // - Encrypted data, the output of the selected symmetric-key cipher\n      //   operating in Cipher Feedback mode with shift amount equal to the\n      //   block size of the cipher (CFB-n where n is the block size).\n      // For V2:\n      // - Encrypted data, the output of the selected symmetric-key cipher operating in the given AEAD mode.\n      // - A final, summary authentication tag for the AEAD mode.\n      this.encrypted = reader.remainder();\n    });\n  }\n\n  write() {\n    if (this.version === 2) {\n      return util.concat([new Uint8Array([this.version, this.cipherAlgorithm, this.aeadAlgorithm, this.chunkSizeByte]), this.salt, this.encrypted]);\n    }\n    return util.concat([new Uint8Array([this.version]), this.encrypted]);\n  }\n\n  /**\n   * Encrypt the payload in the packet.\n   * @param {enums.symmetric} sessionKeyAlgorithm - The symmetric encryption algorithm to use\n   * @param {Uint8Array} key - The key of cipher blocksize length to be used\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Boolean>}\n   * @throws {Error} on encryption failure\n   * @async\n   */\n  async encrypt(sessionKeyAlgorithm, key, config = defaultConfig) {\n    // We check that the session key size matches the one expected by the symmetric algorithm.\n    // This is especially important for SEIPDv2 session keys, as a key derivation step is run where the resulting key will always match the expected cipher size,\n    // but we want to ensure that the input key isn't e.g. too short.\n    // The check is done here, instead of on encrypted session key (ESK) encryption, because v6 ESK packets do not store the session key algorithm,\n    // which is instead included in the SEIPDv2 data.\n    const { blockSize, keySize } = getCipherParams(sessionKeyAlgorithm);\n    if (key.length !== keySize) {\n      throw new Error('Unexpected session key size');\n    }\n\n    let bytes = this.packets.write();\n    if (isArrayStream(bytes)) bytes = await streamReadToEnd(bytes);\n\n    if (this.version === 2) {\n      this.cipherAlgorithm = sessionKeyAlgorithm;\n\n      this.salt = getRandomBytes(32);\n      this.chunkSizeByte = config.aeadChunkSizeByte;\n      this.encrypted = await runAEAD(this, 'encrypt', key, bytes);\n    } else {\n      const prefix = await cipherMode.cfb.getPrefixRandom(sessionKeyAlgorithm);\n      const mdc = new Uint8Array([0xD3, 0x14]); // modification detection code packet\n\n      const tohash = util.concat([prefix, bytes, mdc]);\n      const hash = await computeDigest(enums.hash.sha1, streamPassiveClone(tohash));\n      const plaintext = util.concat([tohash, hash]);\n\n      this.encrypted = await cipherMode.cfb.encrypt(sessionKeyAlgorithm, key, plaintext, new Uint8Array(blockSize), config);\n    }\n    return true;\n  }\n\n  /**\n   * Decrypts the encrypted data contained in the packet.\n   * @param {enums.symmetric} sessionKeyAlgorithm - The selected symmetric encryption algorithm to be used\n   * @param {Uint8Array} key - The key of cipher blocksize length to be used\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Boolean>}\n   * @throws {Error} on decryption failure\n   * @async\n   */\n  async decrypt(sessionKeyAlgorithm, key, config = defaultConfig) {\n    // We check that the session key size matches the one expected by the symmetric algorithm.\n    // This is especially important for SEIPDv2 session keys, as a key derivation step is run where the resulting key will always match the expected cipher size,\n    // but we want to ensure that the input key isn't e.g. too short.\n    // The check is done here, instead of on encrypted session key (ESK) decryption, because v6 ESK packets do not store the session key algorithm,\n    // which is instead included in the SEIPDv2 data.\n    if (key.length !== getCipherParams(sessionKeyAlgorithm).keySize) {\n      throw new Error('Unexpected session key size');\n    }\n\n    let encrypted = streamClone(this.encrypted);\n    if (isArrayStream(encrypted)) encrypted = await streamReadToEnd(encrypted);\n\n    let packetbytes;\n    if (this.version === 2) {\n      if (this.cipherAlgorithm !== sessionKeyAlgorithm) {\n        // sanity check\n        throw new Error('Unexpected session key algorithm');\n      }\n      packetbytes = await runAEAD(this, 'decrypt', key, encrypted);\n    } else {\n      const { blockSize } = getCipherParams(sessionKeyAlgorithm);\n      const decrypted = await cipherMode.cfb.decrypt(sessionKeyAlgorithm, key, encrypted, new Uint8Array(blockSize));\n\n      // there must be a modification detection code packet as the\n      // last packet and everything gets hashed except the hash itself\n      const realHash = streamSlice(streamPassiveClone(decrypted), -20);\n      const tohash = streamSlice(decrypted, 0, -20);\n      const verifyHash = Promise.all([\n        streamReadToEnd(await computeDigest(enums.hash.sha1, streamPassiveClone(tohash))),\n        streamReadToEnd(realHash)\n      ]).then(([hash, mdc]) => {\n        if (!util.equalsUint8Array(hash, mdc)) {\n          throw new Error('Modification detected.');\n        }\n        return new Uint8Array();\n      });\n      const bytes = streamSlice(tohash, blockSize + 2); // Remove random prefix\n      packetbytes = streamSlice(bytes, 0, -2); // Remove MDC packet\n      packetbytes = streamConcat([packetbytes, streamFromAsync(() => verifyHash)]);\n      if (!util.isStream(encrypted) || !config.allowUnauthenticatedStream) {\n        packetbytes = await streamReadToEnd(packetbytes);\n      }\n    }\n\n    this.packets = await PacketList.fromBinary(packetbytes, allowedPackets, config);\n    return true;\n  }\n}\n\nexport default SymEncryptedIntegrityProtectedDataPacket;\n\n/**\n * En/decrypt the payload.\n * @param {encrypt|decrypt} fn - Whether to encrypt or decrypt\n * @param {Uint8Array} key - The session key used to en/decrypt the payload\n * @param {Uint8Array | ReadableStream<Uint8Array>} data - The data to en/decrypt\n * @returns {Promise<Uint8Array | ReadableStream<Uint8Array>>}\n * @async\n */\nexport async function runAEAD(packet, fn, key, data) {\n  const isSEIPDv2 = packet instanceof SymEncryptedIntegrityProtectedDataPacket && packet.version === 2;\n  const isAEADP = !isSEIPDv2 && packet.constructor.tag === enums.packet.aeadEncryptedData; // no `instanceof` to avoid importing the corresponding class (circular import)\n  if (!isSEIPDv2 && !isAEADP) throw new Error('Unexpected packet type');\n\n  // we allow `experimentalGCM` for AEADP for backwards compatibility, since v5 keys from OpenPGP.js v5 might be declaring\n  // that preference, as the `gcm` ID had not been standardized at the time.\n  // NB: AEADP are never automatically generate as part of message encryption by OpenPGP.js, the packet must be manually created.\n  const mode = cipherMode.getAEADMode(packet.aeadAlgorithm, isAEADP);\n  const tagLengthIfDecrypting = fn === 'decrypt' ? mode.tagLength : 0;\n  const tagLengthIfEncrypting = fn === 'encrypt' ? mode.tagLength : 0;\n  const chunkSize = 2 ** (packet.chunkSizeByte + 6) + tagLengthIfDecrypting; // ((uint64_t)1 << (c + 6))\n  const chunkIndexSizeIfAEADEP = isAEADP ? 8 : 0;\n  const adataBuffer = new ArrayBuffer(13 + chunkIndexSizeIfAEADEP);\n  const adataArray = new Uint8Array(adataBuffer, 0, 5 + chunkIndexSizeIfAEADEP);\n  const adataTagArray = new Uint8Array(adataBuffer);\n  const adataView = new DataView(adataBuffer);\n  const chunkIndexArray = new Uint8Array(adataBuffer, 5, 8);\n  adataArray.set([0xC0 | packet.constructor.tag, packet.version, packet.cipherAlgorithm, packet.aeadAlgorithm, packet.chunkSizeByte], 0);\n  let chunkIndex = 0;\n  let latestPromise = Promise.resolve();\n  let cryptedBytes = 0;\n  let queuedBytes = 0;\n  let iv;\n  let ivView;\n  if (isSEIPDv2) {\n    const { keySize } = getCipherParams(packet.cipherAlgorithm);\n    const { ivLength } = mode;\n    const info = new Uint8Array(adataBuffer, 0, 5);\n    const derived = await computeHKDF(enums.hash.sha256, key, packet.salt, info, keySize + ivLength);\n    key = derived.subarray(0, keySize);\n    iv = derived.subarray(keySize); // The last 8 bytes of HKDF output are unneeded, but this avoids one copy.\n    iv.fill(0, iv.length - 8);\n    ivView = new DataView(iv.buffer, iv.byteOffset, iv.byteLength);\n  } else { // AEADEncryptedDataPacket\n    iv = packet.iv;\n    // ivView is unused in this case\n  }\n  const modeInstance = await mode(packet.cipherAlgorithm, key);\n  return streamTransformPair(data, async (readable, writable) => {\n    if (util.isStream(readable) !== 'array') {\n      const buffer = new TransformStream({}, {\n        highWaterMark: util.getHardwareConcurrency() * 2 ** (packet.chunkSizeByte + 6),\n        size: array => array.length\n      });\n      streamPipe(buffer.readable, writable);\n      writable = buffer.writable;\n    }\n    const reader = streamGetReader(readable);\n    const writer = streamGetWriter(writable);\n    try {\n      while (true) {\n        let chunk = await reader.readBytes(chunkSize + tagLengthIfDecrypting) || new Uint8Array();\n        const finalChunk = chunk.subarray(chunk.length - tagLengthIfDecrypting);\n        chunk = chunk.subarray(0, chunk.length - tagLengthIfDecrypting);\n        let cryptedPromise;\n        let done;\n        let nonce;\n        if (isSEIPDv2) { // SEIPD V2\n          nonce = iv;\n        } else { // AEADEncryptedDataPacket\n          nonce = iv.slice();\n          for (let i = 0; i < 8; i++) {\n            nonce[iv.length - 8 + i] ^= chunkIndexArray[i];\n          }\n        }\n        if (!chunkIndex || chunk.length) {\n          reader.unshift(finalChunk);\n          cryptedPromise = modeInstance[fn](chunk, nonce, adataArray);\n          cryptedPromise.catch(() => {});\n          queuedBytes += chunk.length - tagLengthIfDecrypting + tagLengthIfEncrypting;\n        } else {\n          // After the last chunk, we either encrypt a final, empty\n          // data chunk to get the final authentication tag or\n          // validate that final authentication tag.\n          adataView.setInt32(5 + chunkIndexSizeIfAEADEP + 4, cryptedBytes); // Should be setInt64(5 + chunkIndexSizeIfAEADEP, ...)\n          cryptedPromise = modeInstance[fn](finalChunk, nonce, adataTagArray);\n          cryptedPromise.catch(() => {});\n          queuedBytes += tagLengthIfEncrypting;\n          done = true;\n        }\n        cryptedBytes += chunk.length - tagLengthIfDecrypting;\n        // eslint-disable-next-line @typescript-eslint/no-loop-func\n        latestPromise = latestPromise.then(() => cryptedPromise).then(async crypted => {\n          await writer.ready;\n          await writer.write(crypted);\n          queuedBytes -= crypted.length;\n        }).catch(err => writer.abort(err));\n        if (done || queuedBytes > writer.desiredSize) {\n          await latestPromise; // Respect backpressure\n        }\n        if (!done) {\n          if (isSEIPDv2) { // SEIPD V2\n            ivView.setInt32(iv.length - 4, ++chunkIndex); // Should be setInt64(iv.length - 8, ...)\n          } else { // AEADEncryptedDataPacket\n            adataView.setInt32(5 + 4, ++chunkIndex); // Should be setInt64(5, ...)\n          }\n        } else {\n          await writer.close();\n          break;\n        }\n      }\n    } catch (e) {\n      await writer.ready.catch(() => {});\n      await writer.abort(e);\n    }\n  });\n}\n","// OpenPGP.js - An OpenPGP implementation in javascript\n// Copyright (C) 2016 Tankred Hase\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport { clone as streamClone, parse as streamParse } from '@openpgp/web-stream-tools';\nimport { cipherMode, getRandomBytes } from '../crypto';\nimport enums from '../enums';\nimport util from '../util';\nimport defaultConfig from '../config';\nimport { UnsupportedError } from './packet';\nimport { runAEAD } from './sym_encrypted_integrity_protected_data';\n\nimport LiteralDataPacket from './literal_data';\nimport CompressedDataPacket from './compressed_data';\nimport OnePassSignaturePacket from './one_pass_signature';\nimport SignaturePacket from './signature';\nimport PacketList from './packetlist';\n\n// An AEAD-encrypted Data packet can contain the following packet types\nconst allowedPackets = /*#__PURE__*/ util.constructAllowedPackets([\n  LiteralDataPacket,\n  CompressedDataPacket,\n  OnePassSignaturePacket,\n  SignaturePacket\n]);\n\nconst VERSION = 1; // A one-octet version number of the data packet.\n\n/**\n * Implementation of the Symmetrically Encrypted Authenticated Encryption with\n * Additional Data (AEAD) Protected Data Packet\n *\n * {@link https://tools.ietf.org/html/draft-ford-openpgp-format-00#section-2.1}:\n * AEAD Protected Data Packet\n */\nclass AEADEncryptedDataPacket {\n  static get tag() {\n    return enums.packet.aeadEncryptedData;\n  }\n\n  constructor() {\n    this.version = VERSION;\n    /** @type {enums.symmetric} */\n    this.cipherAlgorithm = null;\n    /** @type {enums.aead} */\n    this.aeadAlgorithm = enums.aead.eax;\n    this.chunkSizeByte = null;\n    this.iv = null;\n    this.encrypted = null;\n    this.packets = null;\n  }\n\n  /**\n   * Parse an encrypted payload of bytes in the order: version, IV, ciphertext (see specification)\n   * @param {Uint8Array | ReadableStream<Uint8Array>} bytes\n   * @throws {Error} on parsing failure\n   */\n  async read(bytes) {\n    await streamParse(bytes, async reader => {\n      const version = await reader.readByte();\n      if (version !== VERSION) { // The only currently defined value is 1.\n        throw new UnsupportedError(`Version ${version} of the AEAD-encrypted data packet is not supported.`);\n      }\n      this.cipherAlgorithm = await reader.readByte();\n      this.aeadAlgorithm = await reader.readByte();\n      this.chunkSizeByte = await reader.readByte();\n\n      const mode = cipherMode.getAEADMode(this.aeadAlgorithm, true);\n      this.iv = await reader.readBytes(mode.ivLength);\n      this.encrypted = reader.remainder();\n    });\n  }\n\n  /**\n   * Write the encrypted payload of bytes in the order: version, IV, ciphertext (see specification)\n   * @returns {Uint8Array | ReadableStream<Uint8Array>} The encrypted payload.\n   */\n  write() {\n    return util.concat([new Uint8Array([this.version, this.cipherAlgorithm, this.aeadAlgorithm, this.chunkSizeByte]), this.iv, this.encrypted]);\n  }\n\n  /**\n   * Decrypt the encrypted payload.\n   * @param {enums.symmetric} sessionKeyAlgorithm - The session key's cipher algorithm\n   * @param {Uint8Array} key - The session key used to encrypt the payload\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @throws {Error} if decryption was not successful\n   * @async\n   */\n  async decrypt(sessionKeyAlgorithm, key, config = defaultConfig) {\n    this.packets = await PacketList.fromBinary(\n      await runAEAD(this, 'decrypt', key, streamClone(this.encrypted)),\n      allowedPackets,\n      config\n    );\n  }\n\n  /**\n   * Encrypt the packet payload.\n   * @param {enums.symmetric} sessionKeyAlgorithm - The session key's cipher algorithm\n   * @param {Uint8Array} key - The session key used to encrypt the payload\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @throws {Error} if encryption was not successful\n   * @async\n   */\n  async encrypt(sessionKeyAlgorithm, key, config = defaultConfig) {\n    this.cipherAlgorithm = sessionKeyAlgorithm;\n\n    const { ivLength } = cipherMode.getAEADMode(this.aeadAlgorithm, true);\n    this.iv = getRandomBytes(ivLength); // generate new random IV\n    this.chunkSizeByte = config.aeadChunkSizeByte;\n    const data = this.packets.write();\n    this.encrypted = await runAEAD(this, 'encrypt', key, data);\n  }\n}\n\nexport default AEADEncryptedDataPacket;\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport KeyID from '../type/keyid';\nimport { parseEncSessionKeyParams, publicKeyEncrypt, publicKeyDecrypt, getCipherParams, serializeParams } from '../crypto';\nimport enums from '../enums';\nimport util from '../util';\nimport { UnsupportedError } from './packet';\n\n/**\n * Public-Key Encrypted Session Key Packets (Tag 1)\n *\n * {@link https://tools.ietf.org/html/rfc4880#section-5.1|RFC4880 5.1}:\n * A Public-Key Encrypted Session Key packet holds the session key\n * used to encrypt a message. Zero or more Public-Key Encrypted Session Key\n * packets and/or Symmetric-Key Encrypted Session Key packets may precede a\n * Symmetrically Encrypted Data Packet, which holds an encrypted message. The\n * message is encrypted with the session key, and the session key is itself\n * encrypted and stored in the Encrypted Session Key packet(s). The\n * Symmetrically Encrypted Data Packet is preceded by one Public-Key Encrypted\n * Session Key packet for each OpenPGP key to which the message is encrypted.\n * The recipient of the message finds a session key that is encrypted to their\n * public key, decrypts the session key, and then uses the session key to\n * decrypt the message.\n */\nclass PublicKeyEncryptedSessionKeyPacket {\n  static get tag() {\n    return enums.packet.publicKeyEncryptedSessionKey;\n  }\n\n  constructor() {\n    this.version = null;\n\n    // For version 3, but also used internally by v6 in e.g. `getEncryptionKeyIDs()`\n    this.publicKeyID = new KeyID();\n\n    // For version 6:\n    this.publicKeyVersion = null;\n    this.publicKeyFingerprint = null;\n\n    // For all versions:\n    this.publicKeyAlgorithm = null;\n\n    this.sessionKey = null;\n    /**\n     * Algorithm to encrypt the message with\n     * @type {enums.symmetric}\n     */\n    this.sessionKeyAlgorithm = null;\n\n    /** @type {Object} */\n    this.encrypted = {};\n  }\n\n  static fromObject({\n    version, encryptionKeyPacket, anonymousRecipient, sessionKey, sessionKeyAlgorithm\n  }) {\n    const pkesk = new PublicKeyEncryptedSessionKeyPacket();\n\n    if (version !== 3 && version !== 6) {\n      throw new Error('Unsupported PKESK version');\n    }\n\n    pkesk.version = version;\n\n    if (version === 6) {\n      pkesk.publicKeyVersion = anonymousRecipient ? null : encryptionKeyPacket.version;\n      pkesk.publicKeyFingerprint = anonymousRecipient ? null : encryptionKeyPacket.getFingerprintBytes();\n    }\n\n    pkesk.publicKeyID = anonymousRecipient ? KeyID.wildcard() : encryptionKeyPacket.getKeyID();\n    pkesk.publicKeyAlgorithm = encryptionKeyPacket.algorithm;\n    pkesk.sessionKey = sessionKey;\n    pkesk.sessionKeyAlgorithm = sessionKeyAlgorithm;\n\n    return pkesk;\n  }\n\n  /**\n   * Parsing function for a publickey encrypted session key packet (tag 1).\n   *\n   * @param {Uint8Array} bytes - Payload of a tag 1 packet\n   */\n  read(bytes) {\n    let offset = 0;\n    this.version = bytes[offset++];\n    if (this.version !== 3 && this.version !== 6) {\n      throw new UnsupportedError(`Version ${this.version} of the PKESK packet is unsupported.`);\n    }\n    if (this.version === 6) {\n      // A one-octet size of the following two fields:\n      // - A one octet key version number.\n      // - The fingerprint of the public key or subkey to which the session key is encrypted.\n      // The size may also be zero.\n      const versionAndFingerprintLength = bytes[offset++];\n      if (versionAndFingerprintLength) {\n        this.publicKeyVersion = bytes[offset++];\n        const fingerprintLength = versionAndFingerprintLength - 1;\n        this.publicKeyFingerprint = bytes.subarray(offset, offset + fingerprintLength); offset += fingerprintLength;\n        if (this.publicKeyVersion >= 5) {\n          // For v5/6 the Key ID is the high-order 64 bits of the fingerprint.\n          this.publicKeyID.read(this.publicKeyFingerprint);\n        } else {\n          // For v4 The Key ID is the low-order 64 bits of the fingerprint.\n          this.publicKeyID.read(this.publicKeyFingerprint.subarray(-8));\n        }\n      } else {\n        // The size may also be zero, and the key version and\n        // fingerprint omitted for an \"anonymous recipient\"\n        this.publicKeyID = KeyID.wildcard();\n      }\n    } else {\n      offset += this.publicKeyID.read(bytes.subarray(offset, offset + 8));\n    }\n    this.publicKeyAlgorithm = bytes[offset++];\n    this.encrypted = parseEncSessionKeyParams(this.publicKeyAlgorithm, bytes.subarray(offset));\n    if (this.publicKeyAlgorithm === enums.publicKey.x25519 || this.publicKeyAlgorithm === enums.publicKey.x448) {\n      if (this.version === 3) {\n        this.sessionKeyAlgorithm = enums.write(enums.symmetric, this.encrypted.C.algorithm);\n      } else if (this.encrypted.C.algorithm !== null) {\n        throw new Error('Unexpected cleartext symmetric algorithm');\n      }\n    }\n  }\n\n  /**\n   * Create a binary representation of a tag 1 packet\n   *\n   * @returns {Uint8Array} The Uint8Array representation.\n   */\n  write() {\n    const arr = [\n      new Uint8Array([this.version])\n    ];\n\n    if (this.version === 6) {\n      if (this.publicKeyFingerprint !== null) {\n        arr.push(new Uint8Array([\n          this.publicKeyFingerprint.length + 1,\n          this.publicKeyVersion]\n        ));\n        arr.push(this.publicKeyFingerprint);\n      } else {\n        arr.push(new Uint8Array([0]));\n      }\n    } else {\n      arr.push(this.publicKeyID.write());\n    }\n\n    arr.push(\n      new Uint8Array([this.publicKeyAlgorithm]),\n      serializeParams(this.publicKeyAlgorithm, this.encrypted)\n    );\n\n    return util.concatUint8Array(arr);\n  }\n\n  /**\n   * Encrypt session key packet\n   * @param {PublicKeyPacket} key - Public key\n   * @throws {Error} if encryption failed\n   * @async\n   */\n  async encrypt(key) {\n    const algo = enums.write(enums.publicKey, this.publicKeyAlgorithm);\n    // No symmetric encryption algorithm identifier is passed to the public-key algorithm for a\n    // v6 PKESK packet, as it is included in the v2 SEIPD packet.\n    const sessionKeyAlgorithm = this.version === 3 ? this.sessionKeyAlgorithm : null;\n    const fingerprint = key.version === 5 ? key.getFingerprintBytes().subarray(0, 20) : key.getFingerprintBytes();\n    const encoded = encodeSessionKey(this.version, algo, sessionKeyAlgorithm, this.sessionKey);\n    this.encrypted = await publicKeyEncrypt(\n      algo, sessionKeyAlgorithm, key.publicParams, encoded, fingerprint);\n  }\n\n  /**\n   * Decrypts the session key (only for public key encrypted session key packets (tag 1)\n   * @param {SecretKeyPacket} key - decrypted private key\n   * @param {Object} [randomSessionKey] - Bogus session key to use in case of sensitive decryption error, or if the decrypted session key is of a different type/size.\n   *                                      This is needed for constant-time processing. Expected object of the form: { sessionKey: Uint8Array, sessionKeyAlgorithm: enums.symmetric }\n   * @throws {Error} if decryption failed, unless `randomSessionKey` is given\n   * @async\n   */\n  async decrypt(key, randomSessionKey) {\n    // check that session key algo matches the secret key algo\n    if (this.publicKeyAlgorithm !== key.algorithm) {\n      throw new Error('Decryption error');\n    }\n\n    const randomPayload = randomSessionKey ?\n      encodeSessionKey(this.version, this.publicKeyAlgorithm, randomSessionKey.sessionKeyAlgorithm, randomSessionKey.sessionKey) :\n      null;\n    const fingerprint = key.version === 5 ? key.getFingerprintBytes().subarray(0, 20) : key.getFingerprintBytes();\n    const decryptedData = await publicKeyDecrypt(this.publicKeyAlgorithm, key.publicParams, key.privateParams, this.encrypted, fingerprint, randomPayload);\n\n    const { sessionKey, sessionKeyAlgorithm } = decodeSessionKey(this.version, this.publicKeyAlgorithm, decryptedData, randomSessionKey);\n\n    if (this.version === 3) {\n      // v3 Montgomery curves have cleartext cipher algo\n      const hasEncryptedAlgo = this.publicKeyAlgorithm !== enums.publicKey.x25519 && this.publicKeyAlgorithm !== enums.publicKey.x448;\n      this.sessionKeyAlgorithm = hasEncryptedAlgo ? sessionKeyAlgorithm : this.sessionKeyAlgorithm;\n\n      if (sessionKey.length !== getCipherParams(this.sessionKeyAlgorithm).keySize) {\n        throw new Error('Unexpected session key size');\n      }\n    }\n    this.sessionKey = sessionKey;\n  }\n}\n\nexport default PublicKeyEncryptedSessionKeyPacket;\n\n\nfunction encodeSessionKey(version, keyAlgo, cipherAlgo, sessionKeyData) {\n  switch (keyAlgo) {\n    case enums.publicKey.rsaEncrypt:\n    case enums.publicKey.rsaEncryptSign:\n    case enums.publicKey.elgamal:\n    case enums.publicKey.ecdh:\n      // add checksum\n      return util.concatUint8Array([\n        new Uint8Array(version === 6 ? [] : [cipherAlgo]),\n        sessionKeyData,\n        util.writeChecksum(sessionKeyData.subarray(sessionKeyData.length % 8))\n      ]);\n    case enums.publicKey.x25519:\n    case enums.publicKey.x448:\n      return sessionKeyData;\n    default:\n      throw new Error('Unsupported public key algorithm');\n  }\n}\n\n\nfunction decodeSessionKey(version, keyAlgo, decryptedData, randomSessionKey) {\n  switch (keyAlgo) {\n    case enums.publicKey.rsaEncrypt:\n    case enums.publicKey.rsaEncryptSign:\n    case enums.publicKey.elgamal:\n    case enums.publicKey.ecdh: {\n      // verify checksum in constant time\n      const result = decryptedData.subarray(0, decryptedData.length - 2);\n      const checksum = decryptedData.subarray(decryptedData.length - 2);\n      const computedChecksum = util.writeChecksum(result.subarray(result.length % 8));\n      const isValidChecksum = computedChecksum[0] === checksum[0] & computedChecksum[1] === checksum[1];\n      const decryptedSessionKey = version === 6 ?\n        { sessionKeyAlgorithm: null, sessionKey: result } :\n        { sessionKeyAlgorithm: result[0], sessionKey: result.subarray(1) };\n      if (randomSessionKey) {\n        // We must not leak info about the validity of the decrypted checksum or cipher algo.\n        // The decrypted session key must be of the same algo and size as the random session key, otherwise we discard it and use the random data.\n        const isValidPayload = isValidChecksum &\n          decryptedSessionKey.sessionKeyAlgorithm === randomSessionKey.sessionKeyAlgorithm &\n          decryptedSessionKey.sessionKey.length === randomSessionKey.sessionKey.length;\n        return {\n          sessionKey: util.selectUint8Array(isValidPayload, decryptedSessionKey.sessionKey, randomSessionKey.sessionKey),\n          sessionKeyAlgorithm: version === 6 ? null : util.selectUint8(\n            isValidPayload,\n            decryptedSessionKey.sessionKeyAlgorithm,\n            randomSessionKey.sessionKeyAlgorithm\n          )\n        };\n      } else {\n        const isValidPayload = isValidChecksum && (\n          version === 6 || enums.read(enums.symmetric, decryptedSessionKey.sessionKeyAlgorithm));\n        if (isValidPayload) {\n          return decryptedSessionKey;\n        } else {\n          throw new Error('Decryption error');\n        }\n      }\n    }\n    case enums.publicKey.x25519:\n    case enums.publicKey.x448:\n      return {\n        sessionKeyAlgorithm: null,\n        sessionKey: decryptedData\n      };\n    default:\n      throw new Error('Unsupported public key algorithm');\n  }\n}\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport { newS2KFromConfig, newS2KFromType } from '../type/s2k';\nimport defaultConfig from '../config';\nimport { cipherMode, generateSessionKey, getCipherParams, getRandomBytes } from '../crypto';\nimport computeHKDF from '../crypto/hkdf';\nimport enums from '../enums';\nimport util from '../util';\nimport { UnsupportedError } from './packet';\n\n/**\n * Symmetric-Key Encrypted Session Key Packets (Tag 3)\n *\n * {@link https://tools.ietf.org/html/rfc4880#section-5.3|RFC4880 5.3}:\n * The Symmetric-Key Encrypted Session Key packet holds the\n * symmetric-key encryption of a session key used to encrypt a message.\n * Zero or more Public-Key Encrypted Session Key packets and/or\n * Symmetric-Key Encrypted Session Key packets may precede a\n * Symmetrically Encrypted Data packet that holds an encrypted message.\n * The message is encrypted with a session key, and the session key is\n * itself encrypted and stored in the Encrypted Session Key packet or\n * the Symmetric-Key Encrypted Session Key packet.\n */\nclass SymEncryptedSessionKeyPacket {\n  static get tag() {\n    return enums.packet.symEncryptedSessionKey;\n  }\n\n  /**\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   */\n  constructor(config = defaultConfig) {\n    this.version = config.aeadProtect ? 6 : 4;\n    this.sessionKey = null;\n    /**\n     * Algorithm to encrypt the session key with\n     * @type {enums.symmetric}\n     */\n    this.sessionKeyEncryptionAlgorithm = null;\n    /**\n     * Algorithm to encrypt the message with\n     * @type {enums.symmetric}\n     */\n    this.sessionKeyAlgorithm = null;\n    /**\n     * AEAD mode to encrypt the session key with (if AEAD protection is enabled)\n     * @type {enums.aead}\n     */\n    this.aeadAlgorithm = enums.write(enums.aead, config.preferredAEADAlgorithm);\n    this.encrypted = null;\n    this.s2k = null;\n    this.iv = null;\n  }\n\n  /**\n   * Parsing function for a symmetric encrypted session key packet (tag 3).\n   *\n   * @param {Uint8Array} bytes - Payload of a tag 3 packet\n   */\n  read(bytes) {\n    let offset = 0;\n\n    // A one-octet version number with value 4, 5 or 6.\n    this.version = bytes[offset++];\n    if (this.version !== 4 && this.version !== 5 && this.version !== 6) {\n      throw new UnsupportedError(`Version ${this.version} of the SKESK packet is unsupported.`);\n    }\n\n    if (this.version === 6) {\n      // A one-octet scalar octet count of the following 5 fields.\n      offset++;\n    }\n\n    // A one-octet number describing the symmetric algorithm used.\n    const algo = bytes[offset++];\n\n    if (this.version >= 5) {\n      // A one-octet AEAD algorithm.\n      this.aeadAlgorithm = bytes[offset++];\n\n      if (this.version === 6) {\n        // A one-octet scalar octet count of the following field.\n        offset++;\n      }\n    }\n\n    // A string-to-key (S2K) specifier, length as defined above.\n    const s2kType = bytes[offset++];\n    this.s2k = newS2KFromType(s2kType);\n    offset += this.s2k.read(bytes.subarray(offset, bytes.length));\n\n    if (this.version >= 5) {\n      const mode = cipherMode.getAEADMode(this.aeadAlgorithm, true);\n\n      // A starting initialization vector of size specified by the AEAD\n      // algorithm.\n      this.iv = bytes.subarray(offset, offset += mode.ivLength);\n    }\n\n    // The encrypted session key itself, which is decrypted with the\n    // string-to-key object. This is optional in version 4.\n    if (this.version >= 5 || offset < bytes.length) {\n      this.encrypted = bytes.subarray(offset, bytes.length);\n      this.sessionKeyEncryptionAlgorithm = algo;\n    } else {\n      this.sessionKeyAlgorithm = algo;\n    }\n  }\n\n  /**\n   * Create a binary representation of a tag 3 packet\n   *\n   * @returns {Uint8Array} The Uint8Array representation.\n  */\n  write() {\n    const algo = this.encrypted === null ?\n      this.sessionKeyAlgorithm :\n      this.sessionKeyEncryptionAlgorithm;\n\n    let bytes;\n\n    const s2k = this.s2k.write();\n    if (this.version === 6) {\n      const s2kLen = s2k.length;\n      const fieldsLen = 3 + s2kLen + this.iv.length;\n      bytes = util.concatUint8Array([new Uint8Array([this.version, fieldsLen, algo, this.aeadAlgorithm, s2kLen]), s2k, this.iv, this.encrypted]);\n    } else if (this.version === 5) {\n      bytes = util.concatUint8Array([new Uint8Array([this.version, algo, this.aeadAlgorithm]), s2k, this.iv, this.encrypted]);\n    } else {\n      bytes = util.concatUint8Array([new Uint8Array([this.version, algo]), s2k]);\n\n      if (this.encrypted !== null) {\n        bytes = util.concatUint8Array([bytes, this.encrypted]);\n      }\n    }\n\n    return bytes;\n  }\n\n  /**\n   * Decrypts the session key with the given passphrase\n   * @param {String} passphrase - The passphrase in string form\n   * @throws {Error} if decryption was not successful\n   * @async\n   */\n  async decrypt(passphrase) {\n    const algo = this.sessionKeyEncryptionAlgorithm !== null ?\n      this.sessionKeyEncryptionAlgorithm :\n      this.sessionKeyAlgorithm;\n\n    const { blockSize, keySize } = getCipherParams(algo);\n    const key = await this.s2k.produceKey(passphrase, keySize);\n\n    if (this.version >= 5) {\n      const mode = cipherMode.getAEADMode(this.aeadAlgorithm, true);\n      const adata = new Uint8Array([0xC0 | SymEncryptedSessionKeyPacket.tag, this.version, this.sessionKeyEncryptionAlgorithm, this.aeadAlgorithm]);\n      const encryptionKey = this.version === 6 ? await computeHKDF(enums.hash.sha256, key, new Uint8Array(), adata, keySize) : key;\n      const modeInstance = await mode(algo, encryptionKey);\n      this.sessionKey = await modeInstance.decrypt(this.encrypted, this.iv, adata);\n    } else if (this.encrypted !== null) {\n      const decrypted = await cipherMode.cfb.decrypt(algo, key, this.encrypted, new Uint8Array(blockSize));\n\n      this.sessionKeyAlgorithm = enums.write(enums.symmetric, decrypted[0]);\n      this.sessionKey = decrypted.subarray(1, decrypted.length);\n      if (this.sessionKey.length !== getCipherParams(this.sessionKeyAlgorithm).keySize) {\n        throw new Error('Unexpected session key size');\n      }\n    } else {\n      // session key size is checked as part of SEIPDv2 decryption, where we know the expected symmetric algo\n      this.sessionKey = key;\n    }\n  }\n\n  /**\n   * Encrypts the session key with the given passphrase\n   * @param {String} passphrase - The passphrase in string form\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @throws {Error} if encryption was not successful\n   * @async\n   */\n  async encrypt(passphrase, config = defaultConfig) {\n    const algo = this.sessionKeyEncryptionAlgorithm !== null ?\n      this.sessionKeyEncryptionAlgorithm :\n      this.sessionKeyAlgorithm;\n\n    this.sessionKeyEncryptionAlgorithm = algo;\n\n    this.s2k = newS2KFromConfig(config);\n    this.s2k.generateSalt();\n\n    const { blockSize, keySize } = getCipherParams(algo);\n    const key = await this.s2k.produceKey(passphrase, keySize);\n\n    if (this.sessionKey === null) {\n      this.sessionKey = generateSessionKey(this.sessionKeyAlgorithm);\n    }\n\n    if (this.version >= 5) {\n      const mode = cipherMode.getAEADMode(this.aeadAlgorithm);\n      this.iv = getRandomBytes(mode.ivLength); // generate new random IV\n      const adata = new Uint8Array([0xC0 | SymEncryptedSessionKeyPacket.tag, this.version, this.sessionKeyEncryptionAlgorithm, this.aeadAlgorithm]);\n      const encryptionKey = this.version === 6 ? await computeHKDF(enums.hash.sha256, key, new Uint8Array(), adata, keySize) : key;\n      const modeInstance = await mode(algo, encryptionKey);\n      this.encrypted = await modeInstance.encrypt(this.sessionKey, this.iv, adata);\n    } else {\n      const toEncrypt = util.concatUint8Array([\n        new Uint8Array([this.sessionKeyAlgorithm]),\n        this.sessionKey\n      ]);\n      this.encrypted = await cipherMode.cfb.encrypt(algo, key, toEncrypt, new Uint8Array(blockSize), config);\n    }\n  }\n}\n\nexport default SymEncryptedSessionKeyPacket;\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport KeyID from '../type/keyid';\nimport defaultConfig from '../config';\nimport { computeDigest, parsePublicKeyParams, serializeParams } from '../crypto';\nimport enums from '../enums';\nimport util from '../util';\nimport { UnsupportedError } from './packet';\n\n/**\n * Implementation of the Key Material Packet (Tag 5,6,7,14)\n *\n * {@link https://tools.ietf.org/html/rfc4880#section-5.5|RFC4480 5.5}:\n * A key material packet contains all the information about a public or\n * private key.  There are four variants of this packet type, and two\n * major versions.\n *\n * A Public-Key packet starts a series of packets that forms an OpenPGP\n * key (sometimes called an OpenPGP certificate).\n */\nclass PublicKeyPacket {\n  static get tag() {\n    return enums.packet.publicKey;\n  }\n\n  /**\n   * @param {Date} [date] - Creation date\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   */\n  constructor(date = new Date(), config = defaultConfig) {\n    /**\n     * Packet version\n     * @type {Integer}\n     */\n    this.version = config.v6Keys ? 6 : 4;\n    /**\n     * Key creation date.\n     * @type {Date}\n     */\n    this.created = util.normalizeDate(date);\n    /**\n     * Public key algorithm.\n     * @type {enums.publicKey}\n     */\n    this.algorithm = null;\n    /**\n     * Algorithm specific public params\n     * @type {Object}\n     */\n    this.publicParams = null;\n    /**\n     * Time until expiration in days (V3 only)\n     * @type {Integer}\n     */\n    this.expirationTimeV3 = 0;\n    /**\n     * Fingerprint bytes\n     * @type {Uint8Array}\n     */\n    this.fingerprint = null;\n    /**\n     * KeyID\n     * @type {module:type/keyid~KeyID}\n     */\n    this.keyID = null;\n  }\n\n  /**\n   * Create a PublicKeyPacket from a SecretKeyPacket\n   * @param {SecretKeyPacket} secretKeyPacket - key packet to convert\n   * @returns {PublicKeyPacket} public key packet\n   * @static\n   */\n  static fromSecretKeyPacket(secretKeyPacket) {\n    const keyPacket = new PublicKeyPacket();\n    const { version, created, algorithm, publicParams, keyID, fingerprint } = secretKeyPacket;\n    keyPacket.version = version;\n    keyPacket.created = created;\n    keyPacket.algorithm = algorithm;\n    keyPacket.publicParams = publicParams;\n    keyPacket.keyID = keyID;\n    keyPacket.fingerprint = fingerprint;\n    return keyPacket;\n  }\n\n  /**\n   * Internal Parser for public keys as specified in {@link https://tools.ietf.org/html/rfc4880#section-5.5.2|RFC 4880 section 5.5.2 Public-Key Packet Formats}\n   * @param {Uint8Array} bytes - Input array to read the packet from\n   * @returns {Object} This object with attributes set by the parser\n   * @async\n   */\n  async read(bytes, config = defaultConfig) {\n    let pos = 0;\n    // A one-octet version number (4, 5 or 6).\n    this.version = bytes[pos++];\n    if (this.version === 5 && !config.enableParsingV5Entities) {\n      throw new UnsupportedError('Support for parsing v5 entities is disabled; turn on `config.enableParsingV5Entities` if needed');\n    }\n\n    if (this.version === 4 || this.version === 5 || this.version === 6) {\n      // - A four-octet number denoting the time that the key was created.\n      this.created = util.readDate(bytes.subarray(pos, pos + 4));\n      pos += 4;\n\n      // - A one-octet number denoting the public-key algorithm of this key.\n      this.algorithm = bytes[pos++];\n\n      if (this.version >= 5) {\n        // - A four-octet scalar octet count for the following key material.\n        pos += 4;\n      }\n\n      // - A series of values comprising the key material.\n      const { read, publicParams } = parsePublicKeyParams(this.algorithm, bytes.subarray(pos));\n      // The deprecated OIDs for Ed25519Legacy and Curve25519Legacy are used in legacy version 4 keys and signatures.\n      // Implementations MUST NOT accept or generate v6 key material using the deprecated OIDs.\n      if (\n        this.version === 6 &&\n        publicParams.oid && (\n          publicParams.oid.getName() === enums.curve.curve25519Legacy ||\n          publicParams.oid.getName() === enums.curve.ed25519Legacy\n        )\n      ) {\n        throw new Error('Legacy curve25519 cannot be used with v6 keys');\n      }\n      this.publicParams = publicParams;\n      pos += read;\n\n      // we set the fingerprint and keyID already to make it possible to put together the key packets directly in the Key constructor\n      await this.computeFingerprintAndKeyID();\n      return pos;\n    }\n    throw new UnsupportedError(`Version ${this.version} of the key packet is unsupported.`);\n  }\n\n  /**\n   * Creates an OpenPGP public key packet for the given key.\n   * @returns {Uint8Array} Bytes encoding the public key OpenPGP packet.\n   */\n  write() {\n    const arr = [];\n    // Version\n    arr.push(new Uint8Array([this.version]));\n    arr.push(util.writeDate(this.created));\n    // A one-octet number denoting the public-key algorithm of this key\n    arr.push(new Uint8Array([this.algorithm]));\n\n    const params = serializeParams(this.algorithm, this.publicParams);\n    if (this.version >= 5) {\n      // A four-octet scalar octet count for the following key material\n      arr.push(util.writeNumber(params.length, 4));\n    }\n    // Algorithm-specific params\n    arr.push(params);\n    return util.concatUint8Array(arr);\n  }\n\n  /**\n   * Write packet in order to be hashed; either for a signature or a fingerprint\n   * @param {Integer} version - target version of signature or key\n   */\n  writeForHash(version) {\n    const bytes = this.writePublicKey();\n\n    const versionOctet = 0x95 + version;\n    const lengthOctets = version >= 5 ? 4 : 2;\n    return util.concatUint8Array([new Uint8Array([versionOctet]), util.writeNumber(bytes.length, lengthOctets), bytes]);\n  }\n\n  /**\n   * Check whether secret-key data is available in decrypted form. Returns null for public keys.\n   * @returns {Boolean|null}\n   */\n  isDecrypted() {\n    return null;\n  }\n\n  /**\n   * Returns the creation time of the key\n   * @returns {Date}\n   */\n  getCreationTime() {\n    return this.created;\n  }\n\n  /**\n   * Return the key ID of the key\n   * @returns {module:type/keyid~KeyID} The 8-byte key ID\n   */\n  getKeyID() {\n    return this.keyID;\n  }\n\n  /**\n   * Computes and set the key ID and fingerprint of the key\n   * @async\n   */\n  async computeFingerprintAndKeyID() {\n    await this.computeFingerprint();\n    this.keyID = new KeyID();\n\n    if (this.version >= 5) {\n      this.keyID.read(this.fingerprint.subarray(0, 8));\n    } else if (this.version === 4) {\n      this.keyID.read(this.fingerprint.subarray(12, 20));\n    } else {\n      throw new Error('Unsupported key version');\n    }\n  }\n\n  /**\n   * Computes and set the fingerprint of the key\n   */\n  async computeFingerprint() {\n    const toHash = this.writeForHash(this.version);\n\n    if (this.version >= 5) {\n      this.fingerprint = await computeDigest(enums.hash.sha256, toHash);\n    } else if (this.version === 4) {\n      this.fingerprint = await computeDigest(enums.hash.sha1, toHash);\n    } else {\n      throw new Error('Unsupported key version');\n    }\n  }\n\n  /**\n   * Returns the fingerprint of the key, as an array of bytes\n   * @returns {Uint8Array} A Uint8Array containing the fingerprint\n   */\n  getFingerprintBytes() {\n    return this.fingerprint;\n  }\n\n  /**\n   * Calculates and returns the fingerprint of the key, as a string\n   * @returns {String} A string containing the fingerprint in lowercase hex\n   */\n  getFingerprint() {\n    return util.uint8ArrayToHex(this.getFingerprintBytes());\n  }\n\n  /**\n   * Calculates whether two keys have the same fingerprint without actually calculating the fingerprint\n   * @returns {Boolean} Whether the two keys have the same version and public key data.\n   */\n  hasSameFingerprintAs(other) {\n    return this.version === other.version && util.equalsUint8Array(this.writePublicKey(), other.writePublicKey());\n  }\n\n  /**\n   * Returns algorithm information\n   * @returns {Object} An object of the form {algorithm: String, bits:int, curve:String}.\n   */\n  getAlgorithmInfo() {\n    const result = {};\n    result.algorithm = enums.read(enums.publicKey, this.algorithm);\n    // RSA, DSA or ElGamal public modulo\n    const modulo = this.publicParams.n || this.publicParams.p;\n    if (modulo) {\n      result.bits = util.uint8ArrayBitLength(modulo);\n    } else if (this.publicParams.oid) {\n      result.curve = this.publicParams.oid.getName();\n    }\n    return result;\n  }\n}\n\n/**\n * Alias of read()\n * @see PublicKeyPacket#read\n */\nPublicKeyPacket.prototype.readPublicKey = PublicKeyPacket.prototype.read;\n\n/**\n * Alias of write()\n * @see PublicKeyPacket#write\n */\nPublicKeyPacket.prototype.writePublicKey = PublicKeyPacket.prototype.write;\n\nexport default PublicKeyPacket;\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport { readToEnd as streamReadToEnd, clone as streamClone } from '@openpgp/web-stream-tools';\nimport { cipherMode, getCipherParams } from '../crypto';\nimport enums from '../enums';\nimport util from '../util';\nimport defaultConfig from '../config';\n\nimport LiteralDataPacket from './literal_data';\nimport CompressedDataPacket from './compressed_data';\nimport OnePassSignaturePacket from './one_pass_signature';\nimport SignaturePacket from './signature';\nimport PacketList from './packetlist';\n\n// A SE packet can contain the following packet types\nconst allowedPackets = /*#__PURE__*/ util.constructAllowedPackets([\n  LiteralDataPacket,\n  CompressedDataPacket,\n  OnePassSignaturePacket,\n  SignaturePacket\n]);\n\n/**\n * Implementation of the Symmetrically Encrypted Data Packet (Tag 9)\n *\n * {@link https://tools.ietf.org/html/rfc4880#section-5.7|RFC4880 5.7}:\n * The Symmetrically Encrypted Data packet contains data encrypted with a\n * symmetric-key algorithm. When it has been decrypted, it contains other\n * packets (usually a literal data packet or compressed data packet, but in\n * theory other Symmetrically Encrypted Data packets or sequences of packets\n * that form whole OpenPGP messages).\n */\nclass SymmetricallyEncryptedDataPacket {\n  static get tag() {\n    return enums.packet.symmetricallyEncryptedData;\n  }\n\n  constructor() {\n    /**\n     * Encrypted secret-key data\n     */\n    this.encrypted = null;\n    /**\n     * Decrypted packets contained within.\n     * @type {PacketList}\n     */\n    this.packets = null;\n  }\n\n  read(bytes) {\n    this.encrypted = bytes;\n  }\n\n  write() {\n    return this.encrypted;\n  }\n\n  /**\n   * Decrypt the symmetrically-encrypted packet data\n   * See {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC 4880 9.2} for algorithms.\n   * @param {module:enums.symmetric} sessionKeyAlgorithm - Symmetric key algorithm to use\n   * @param {Uint8Array} key - The key of cipher blocksize length to be used\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n\n   * @throws {Error} if decryption was not successful\n   * @async\n   */\n  async decrypt(sessionKeyAlgorithm, key, config = defaultConfig) {\n    // If MDC errors are not being ignored, all missing MDC packets in symmetrically encrypted data should throw an error\n    if (!config.allowUnauthenticatedMessages) {\n      throw new Error('Message is not authenticated.');\n    }\n\n    const { blockSize } = getCipherParams(sessionKeyAlgorithm);\n    const encrypted = await streamReadToEnd(streamClone(this.encrypted));\n    const decrypted = await cipherMode.cfb.decrypt(sessionKeyAlgorithm, key,\n      encrypted.subarray(blockSize + 2),\n      encrypted.subarray(2, blockSize + 2)\n    );\n\n    this.packets = await PacketList.fromBinary(decrypted, allowedPackets, config);\n  }\n\n  /**\n   * Encrypt the symmetrically-encrypted packet data\n   * See {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC 4880 9.2} for algorithms.\n   * @param {module:enums.symmetric} sessionKeyAlgorithm - Symmetric key algorithm to use\n   * @param {Uint8Array} key - The key of cipher blocksize length to be used\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @throws {Error} if encryption was not successful\n   * @async\n   */\n  async encrypt(sessionKeyAlgorithm, key, config = defaultConfig) {\n    const data = this.packets.write();\n    const { blockSize } = getCipherParams(sessionKeyAlgorithm);\n\n    const prefix = await cipherMode.cfb.getPrefixRandom(sessionKeyAlgorithm);\n    const FRE = await cipherMode.cfb.encrypt(sessionKeyAlgorithm, key, prefix, new Uint8Array(blockSize), config);\n    const ciphertext = await cipherMode.cfb.encrypt(sessionKeyAlgorithm, key, data, FRE.subarray(2), config);\n    this.encrypted = util.concat([FRE, ciphertext]);\n  }\n}\n\nexport default SymmetricallyEncryptedDataPacket;\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport enums from '../enums';\n\n/**\n * Implementation of the strange \"Marker packet\" (Tag 10)\n *\n * {@link https://tools.ietf.org/html/rfc4880#section-5.8|RFC4880 5.8}:\n * An experimental version of PGP used this packet as the Literal\n * packet, but no released version of PGP generated Literal packets with this\n * tag. With PGP 5.x, this packet has been reassigned and is reserved for use as\n * the Marker packet.\n *\n * The body of this packet consists of:\n *   The three octets 0x50, 0x47, 0x50 (which spell \"PGP\" in UTF-8).\n *\n * Such a packet MUST be ignored when received. It may be placed at the\n * beginning of a message that uses features not available in PGP\n * version 2.6 in order to cause that version to report that newer\n * software is necessary to process the message.\n */\nclass MarkerPacket {\n  static get tag() {\n    return enums.packet.marker;\n  }\n\n  /**\n   * Parsing function for a marker data packet (tag 10).\n   * @param {Uint8Array} bytes - Payload of a tag 10 packet\n   * @returns {Boolean} whether the packet payload contains \"PGP\"\n   */\n  read(bytes) {\n    if (bytes[0] === 0x50 && // P\n        bytes[1] === 0x47 && // G\n        bytes[2] === 0x50) { // P\n      return true;\n    }\n    return false;\n  }\n\n  write() {\n    return new Uint8Array([0x50, 0x47, 0x50]);\n  }\n}\n\nexport default MarkerPacket;\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport PublicKeyPacket from './public_key';\nimport enums from '../enums';\n\n/**\n * A Public-Subkey packet (tag 14) has exactly the same format as a\n * Public-Key packet, but denotes a subkey.  One or more subkeys may be\n * associated with a top-level key.  By convention, the top-level key\n * provides signature services, and the subkeys provide encryption\n * services.\n * @extends PublicKeyPacket\n */\nclass PublicSubkeyPacket extends PublicKeyPacket {\n  static get tag() {\n    return enums.packet.publicSubkey;\n  }\n\n  /**\n   * @param {Date} [date] - Creation date\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   */\n  // eslint-disable-next-line @typescript-eslint/no-useless-constructor\n  constructor(date, config) {\n    super(date, config);\n  }\n\n  /**\n   * Create a PublicSubkeyPacket from a SecretSubkeyPacket\n   * @param {SecretSubkeyPacket} secretSubkeyPacket - subkey packet to convert\n   * @returns {SecretSubkeyPacket} public key packet\n   * @static\n   */\n  static fromSecretSubkeyPacket(secretSubkeyPacket) {\n    const keyPacket = new PublicSubkeyPacket();\n    const { version, created, algorithm, publicParams, keyID, fingerprint } = secretSubkeyPacket;\n    keyPacket.version = version;\n    keyPacket.created = created;\n    keyPacket.algorithm = algorithm;\n    keyPacket.publicParams = publicParams;\n    keyPacket.keyID = keyID;\n    keyPacket.fingerprint = fingerprint;\n    return keyPacket;\n  }\n}\n\nexport default PublicSubkeyPacket;\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport { readSimpleLength, writeSimpleLength } from './packet';\nimport enums from '../enums';\nimport util from '../util';\n\n/**\n * Implementation of the User Attribute Packet (Tag 17)\n *\n * The User Attribute packet is a variation of the User ID packet.  It\n * is capable of storing more types of data than the User ID packet,\n * which is limited to text.  Like the User ID packet, a User Attribute\n * packet may be certified by the key owner (\"self-signed\") or any other\n * key owner who cares to certify it.  Except as noted, a User Attribute\n * packet may be used anywhere that a User ID packet may be used.\n *\n * While User Attribute packets are not a required part of the OpenPGP\n * standard, implementations SHOULD provide at least enough\n * compatibility to properly handle a certification signature on the\n * User Attribute packet.  A simple way to do this is by treating the\n * User Attribute packet as a User ID packet with opaque contents, but\n * an implementation may use any method desired.\n */\nclass UserAttributePacket {\n  static get tag() {\n    return enums.packet.userAttribute;\n  }\n\n  constructor() {\n    this.attributes = [];\n  }\n\n  /**\n   * parsing function for a user attribute packet (tag 17).\n   * @param {Uint8Array} input - Payload of a tag 17 packet\n   */\n  read(bytes) {\n    let i = 0;\n    while (i < bytes.length) {\n      const len = readSimpleLength(bytes.subarray(i, bytes.length));\n      i += len.offset;\n\n      this.attributes.push(util.uint8ArrayToString(bytes.subarray(i, i + len.len)));\n      i += len.len;\n    }\n  }\n\n  /**\n   * Creates a binary representation of the user attribute packet\n   * @returns {Uint8Array} String representation.\n   */\n  write() {\n    const arr = [];\n    for (let i = 0; i < this.attributes.length; i++) {\n      arr.push(writeSimpleLength(this.attributes[i].length));\n      arr.push(util.stringToUint8Array(this.attributes[i]));\n    }\n    return util.concatUint8Array(arr);\n  }\n\n  /**\n   * Compare for equality\n   * @param {UserAttributePacket} usrAttr\n   * @returns {Boolean} True if equal.\n   */\n  equals(usrAttr) {\n    if (!usrAttr || !(usrAttr instanceof UserAttributePacket)) {\n      return false;\n    }\n    return this.attributes.every(function(attr, index) {\n      return attr === usrAttr.attributes[index];\n    });\n  }\n}\n\nexport default UserAttributePacket;\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport PublicKeyPacket from './public_key';\nimport { newS2KFromConfig, newS2KFromType } from '../type/s2k';\nimport { computeDigest, getCipherParams, parsePrivateKeyParams, serializeParams, generateParams, validateParams, getRandomBytes, cipherMode } from '../crypto';\nimport enums from '../enums';\nimport util from '../util';\nimport defaultConfig from '../config';\nimport { UnsupportedError, writeTag } from './packet';\nimport computeHKDF from '../crypto/hkdf';\n\n/**\n * A Secret-Key packet contains all the information that is found in a\n * Public-Key packet, including the public-key material, but also\n * includes the secret-key material after all the public-key fields.\n * @extends PublicKeyPacket\n */\nclass SecretKeyPacket extends PublicKeyPacket {\n  static get tag() {\n    return enums.packet.secretKey;\n  }\n\n  /**\n   * @param {Date} [date] - Creation date\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   */\n  constructor(date = new Date(), config = defaultConfig) {\n    super(date, config);\n    /**\n     * Secret-key data\n     */\n    this.keyMaterial = null;\n    /**\n     * Indicates whether secret-key data is encrypted. `this.isEncrypted === false` means data is available in decrypted form.\n     */\n    this.isEncrypted = null;\n    /**\n     * S2K usage\n     * @type {enums.symmetric}\n     */\n    this.s2kUsage = 0;\n    /**\n     * S2K object\n     * @type {type/s2k}\n     */\n    this.s2k = null;\n    /**\n     * Symmetric algorithm to encrypt the key with\n     * @type {enums.symmetric}\n     */\n    this.symmetric = null;\n    /**\n     * AEAD algorithm to encrypt the key with (if AEAD protection is enabled)\n     * @type {enums.aead}\n     */\n    this.aead = null;\n    /**\n     * Whether the key is encrypted using the legacy AEAD format proposal from RFC4880bis\n     * (i.e. it was encrypted with the flag `config.aeadProtect` in OpenPGP.js v5 or older).\n     * This value is only relevant to know how to decrypt the key:\n     * if AEAD is enabled, a v4 key is always re-encrypted using the standard AEAD mechanism.\n     * @type {Boolean}\n     * @private\n     */\n    this.isLegacyAEAD = null;\n    /**\n     * Decrypted private parameters, referenced by name\n     * @type {Object}\n     */\n    this.privateParams = null;\n    /**\n     * `true` for keys whose integrity is already confirmed, based on\n     * the AEAD encryption mechanism\n     * @type {Boolean}\n     * @private\n     */\n    this.usedModernAEAD = null;\n  }\n\n  // 5.5.3.  Secret-Key Packet Formats\n\n  /**\n   * Internal parser for private keys as specified in\n   * {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.5.3|RFC4880bis-04 section 5.5.3}\n   * @param {Uint8Array} bytes - Input string to read the packet from\n   * @async\n   */\n  async read(bytes, config = defaultConfig) {\n    // - A Public-Key or Public-Subkey packet, as described above.\n    let i = await this.readPublicKey(bytes, config);\n    const startOfSecretKeyData = i;\n\n    // - One octet indicating string-to-key usage conventions.  Zero\n    //   indicates that the secret-key data is not encrypted.  255 or 254\n    //   indicates that a string-to-key specifier is being given.  Any\n    //   other value is a symmetric-key encryption algorithm identifier.\n    this.s2kUsage = bytes[i++];\n\n    // - Only for a version 5 packet, a one-octet scalar octet count of\n    //   the next 4 optional fields.\n    if (this.version === 5) {\n      i++;\n    }\n\n    // - Only for a version 6 packet where the secret key material is\n    //   encrypted (that is, where the previous octet is not zero), a one-\n    //   octet scalar octet count of the cumulative length of all the\n    //   following optional string-to-key parameter fields.\n    if (this.version === 6 && this.s2kUsage) {\n      i++;\n    }\n\n    try {\n      // - [Optional] If string-to-key usage octet was 255, 254, or 253, a\n      //   one-octet symmetric encryption algorithm.\n      if (this.s2kUsage === 255 || this.s2kUsage === 254 || this.s2kUsage === 253) {\n        this.symmetric = bytes[i++];\n\n        // - [Optional] If string-to-key usage octet was 253, a one-octet\n        //   AEAD algorithm.\n        if (this.s2kUsage === 253) {\n          this.aead = bytes[i++];\n        }\n\n        // - [Optional] Only for a version 6 packet, and if string-to-key usage\n        //   octet was 255, 254, or 253, an one-octet count of the following field.\n        if (this.version === 6) {\n          i++;\n        }\n\n        // - [Optional] If string-to-key usage octet was 255, 254, or 253, a\n        //   string-to-key specifier.  The length of the string-to-key\n        //   specifier is implied by its type, as described above.\n        const s2kType = bytes[i++];\n        this.s2k = newS2KFromType(s2kType);\n        i += this.s2k.read(bytes.subarray(i, bytes.length));\n\n        if (this.s2k.type === 'gnu-dummy') {\n          return;\n        }\n      } else if (this.s2kUsage) {\n        this.symmetric = this.s2kUsage;\n      }\n\n\n      if (this.s2kUsage) {\n        // OpenPGP.js up to v5 used to support encrypting v4 keys using AEAD as specified by draft RFC4880bis (https://www.ietf.org/archive/id/draft-ietf-openpgp-rfc4880bis-10.html#section-5.5.3-3.5).\n        // This legacy format is incompatible, but fundamentally indistinguishable, from that of the crypto-refresh for v4 keys (v5 keys are always in legacy format).\n        // While parsing the key may succeed (if IV and AES block sizes match), key decryption will always\n        // fail if the key was parsed according to the wrong format, since the keys are processed differently.\n        // Thus, for v4 keys, we rely on the caller to instruct us to process the key as legacy, via config flag.\n        this.isLegacyAEAD = this.s2kUsage === 253 && (\n          this.version === 5 || (this.version === 4 && config.parseAEADEncryptedV4KeysAsLegacy));\n        // - crypto-refresh: If string-to-key usage octet was 255, 254 [..], an initialization vector (IV)\n        // of the same length as the cipher's block size.\n        // - RFC4880bis (v5 keys, regardless of AEAD): an Initial Vector (IV) of the same length as the\n        //   cipher's block size. If string-to-key usage octet was 253 the IV is used as the nonce for the AEAD algorithm.\n        // If the AEAD algorithm requires a shorter nonce, the high-order bits of the IV are used and the remaining bits MUST be zero\n        if (this.s2kUsage !== 253 || this.isLegacyAEAD) {\n          this.iv = bytes.subarray(\n            i,\n            i + getCipherParams(this.symmetric).blockSize\n          );\n          this.usedModernAEAD = false;\n        } else {\n          // crypto-refresh: If string-to-key usage octet was 253 (that is, the secret data is AEAD-encrypted),\n          // an initialization vector (IV) of size specified by the AEAD algorithm (see Section 5.13.2), which\n          // is used as the nonce for the AEAD algorithm.\n          this.iv = bytes.subarray(\n            i,\n            i + cipherMode.getAEADMode(this.aead).ivLength\n          );\n          // the non-legacy AEAD encryption mechanism also authenticates public key params; no need for manual validation.\n          this.usedModernAEAD = true;\n        }\n\n        i += this.iv.length;\n      }\n    } catch (e) {\n      // if the s2k is unsupported, we still want to support encrypting and verifying with the given key\n      if (!this.s2kUsage) throw e; // always throw for decrypted keys\n      this.unparseableKeyMaterial = bytes.subarray(startOfSecretKeyData);\n      this.isEncrypted = true;\n    }\n\n    // - Only for a version 5 packet, a four-octet scalar octet count for\n    //   the following key material.\n    if (this.version === 5) {\n      i += 4;\n    }\n\n    // - Plain or encrypted multiprecision integers comprising the secret\n    //   key data.  These algorithm-specific fields are as described\n    //   below.\n    this.keyMaterial = bytes.subarray(i);\n    this.isEncrypted = !!this.s2kUsage;\n\n    if (!this.isEncrypted) {\n      let cleartext;\n      if (this.version === 6) {\n        cleartext = this.keyMaterial;\n      } else {\n        cleartext = this.keyMaterial.subarray(0, -2);\n        if (!util.equalsUint8Array(util.writeChecksum(cleartext), this.keyMaterial.subarray(-2))) {\n          throw new Error('Key checksum mismatch');\n        }\n      }\n      try {\n        const { read, privateParams } = parsePrivateKeyParams(this.algorithm, cleartext, this.publicParams);\n        if (read < cleartext.length) {\n          throw new Error('Error reading MPIs');\n        }\n        this.privateParams = privateParams;\n      } catch (err) {\n        if (err instanceof UnsupportedError) throw err;\n        // avoid throwing potentially sensitive errors\n        throw new Error('Error reading MPIs');\n      }\n    }\n  }\n\n  /**\n   * Creates an OpenPGP key packet for the given key.\n   * @returns {Uint8Array} A string of bytes containing the secret key OpenPGP packet.\n   */\n  write() {\n    const serializedPublicKey = this.writePublicKey();\n    if (this.unparseableKeyMaterial) {\n      return util.concatUint8Array([\n        serializedPublicKey,\n        this.unparseableKeyMaterial\n      ]);\n    }\n\n    const arr = [serializedPublicKey];\n    arr.push(new Uint8Array([this.s2kUsage]));\n\n    const optionalFieldsArr = [];\n    // - [Optional] If string-to-key usage octet was 255, 254, or 253, a\n    //   one- octet symmetric encryption algorithm.\n    if (this.s2kUsage === 255 || this.s2kUsage === 254 || this.s2kUsage === 253) {\n      optionalFieldsArr.push(this.symmetric);\n\n      // - [Optional] If string-to-key usage octet was 253, a one-octet\n      //   AEAD algorithm.\n      if (this.s2kUsage === 253) {\n        optionalFieldsArr.push(this.aead);\n      }\n\n      const s2k = this.s2k.write();\n\n      // - [Optional] Only for a version 6 packet, and if string-to-key usage\n      //   octet was 255, 254, or 253, an one-octet count of the following field.\n      if (this.version === 6) {\n        optionalFieldsArr.push(s2k.length);\n      }\n\n      // - [Optional] If string-to-key usage octet was 255, 254, or 253, a\n      //   string-to-key specifier.  The length of the string-to-key\n      //   specifier is implied by its type, as described above.\n      optionalFieldsArr.push(...s2k);\n    }\n\n    // - [Optional] If secret data is encrypted (string-to-key usage octet\n    //   not zero), an Initial Vector (IV) of the same length as the\n    //   cipher's block size.\n    if (this.s2kUsage && this.s2k.type !== 'gnu-dummy') {\n      optionalFieldsArr.push(...this.iv);\n    }\n\n    if (this.version === 5 || (this.version === 6 && this.s2kUsage)) {\n      arr.push(new Uint8Array([optionalFieldsArr.length]));\n    }\n    arr.push(new Uint8Array(optionalFieldsArr));\n\n    if (!this.isDummy()) {\n      if (!this.s2kUsage) {\n        this.keyMaterial = serializeParams(this.algorithm, this.privateParams);\n      }\n\n      if (this.version === 5) {\n        arr.push(util.writeNumber(this.keyMaterial.length, 4));\n      }\n      arr.push(this.keyMaterial);\n\n      if (!this.s2kUsage && this.version !== 6) {\n        arr.push(util.writeChecksum(this.keyMaterial));\n      }\n    }\n\n    return util.concatUint8Array(arr);\n  }\n\n  /**\n   * Check whether secret-key data is available in decrypted form.\n   * Returns false for gnu-dummy keys and null for public keys.\n   * @returns {Boolean|null}\n   */\n  isDecrypted() {\n    return this.isEncrypted === false;\n  }\n\n  /**\n   * Check whether the key includes secret key material.\n   * Some secret keys do not include it, and can thus only be used\n   * for public-key operations (encryption and verification).\n   * Such keys are:\n   * - GNU-dummy keys, where the secret material has been stripped away\n   * - encrypted keys with unsupported S2K or cipher\n   */\n  isMissingSecretKeyMaterial() {\n    return this.unparseableKeyMaterial !== undefined || this.isDummy();\n  }\n\n  /**\n   * Check whether this is a gnu-dummy key\n   * @returns {Boolean}\n   */\n  isDummy() {\n    return !!(this.s2k && this.s2k.type === 'gnu-dummy');\n  }\n\n  /**\n   * Remove private key material, converting the key to a dummy one.\n   * The resulting key cannot be used for signing/decrypting but can still verify signatures.\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   */\n  makeDummy(config = defaultConfig) {\n    if (this.isDummy()) {\n      return;\n    }\n    if (this.isDecrypted()) {\n      this.clearPrivateParams();\n    }\n    delete this.unparseableKeyMaterial;\n    this.isEncrypted = null;\n    this.keyMaterial = null;\n    this.s2k = newS2KFromType(enums.s2k.gnu, config);\n    this.s2k.algorithm = 0;\n    this.s2k.c = 0;\n    this.s2k.type = 'gnu-dummy';\n    this.s2kUsage = 254;\n    this.symmetric = enums.symmetric.aes256;\n    this.isLegacyAEAD = null;\n    this.usedModernAEAD = null;\n  }\n\n  /**\n   * Encrypt the payload. By default, we use aes256 and iterated, salted string\n   * to key specifier. If the key is in a decrypted state (isEncrypted === false)\n   * and the passphrase is empty or undefined, the key will be set as not encrypted.\n   * This can be used to remove passphrase protection after calling decrypt().\n   * @param {String} passphrase\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @throws {Error} if encryption was not successful\n   * @async\n   */\n  async encrypt(passphrase, config = defaultConfig) {\n    if (this.isDummy()) {\n      return;\n    }\n\n    if (!this.isDecrypted()) {\n      throw new Error('Key packet is already encrypted');\n    }\n\n    if (!passphrase) {\n      throw new Error('A non-empty passphrase is required for key encryption.');\n    }\n\n    this.s2k = newS2KFromConfig(config);\n    this.s2k.generateSalt();\n    const cleartext = serializeParams(this.algorithm, this.privateParams);\n    this.symmetric = enums.symmetric.aes256;\n\n    const { blockSize } = getCipherParams(this.symmetric);\n\n    if (config.aeadProtect) {\n      this.s2kUsage = 253;\n      this.aead = config.preferredAEADAlgorithm;\n      const mode = cipherMode.getAEADMode(this.aead);\n      this.isLegacyAEAD = this.version === 5; // v4 is always re-encrypted with standard format instead.\n      this.usedModernAEAD = !this.isLegacyAEAD; // legacy AEAD does not guarantee integrity of public key material\n\n      const serializedPacketTag = writeTag(this.constructor.tag);\n      const key = await produceEncryptionKey(this.version, this.s2k, passphrase, this.symmetric, this.aead, serializedPacketTag, this.isLegacyAEAD);\n\n      const modeInstance = await mode(this.symmetric, key);\n      this.iv = this.isLegacyAEAD ? getRandomBytes(blockSize) : getRandomBytes(mode.ivLength);\n      const associateData = this.isLegacyAEAD ?\n        new Uint8Array() :\n        util.concatUint8Array([serializedPacketTag, this.writePublicKey()]);\n\n      this.keyMaterial = await modeInstance.encrypt(cleartext, this.iv.subarray(0, mode.ivLength), associateData);\n    } else {\n      this.s2kUsage = 254;\n      this.usedModernAEAD = false;\n      const key = await produceEncryptionKey(this.version, this.s2k, passphrase, this.symmetric);\n      this.iv = getRandomBytes(blockSize);\n      this.keyMaterial = await cipherMode.cfb.encrypt(this.symmetric, key, util.concatUint8Array([\n        cleartext,\n        await computeDigest(enums.hash.sha1, cleartext, config)\n      ]), this.iv, config);\n    }\n  }\n\n  /**\n   * Decrypts the private key params which are needed to use the key.\n   * Successful decryption does not imply key integrity, call validate() to confirm that.\n   * {@link SecretKeyPacket.isDecrypted} should be false, as\n   * otherwise calls to this function will throw an error.\n   * @param {String} passphrase - The passphrase for this private key as string\n   * @throws {Error} if the key is already decrypted, or if decryption was not successful\n   * @async\n   */\n  async decrypt(passphrase) {\n    if (this.isDummy()) {\n      return false;\n    }\n\n    if (this.unparseableKeyMaterial) {\n      throw new Error('Key packet cannot be decrypted: unsupported S2K or cipher algo');\n    }\n\n    if (this.isDecrypted()) {\n      throw new Error('Key packet is already decrypted.');\n    }\n\n    let key;\n    const serializedPacketTag = writeTag(this.constructor.tag); // relevant for AEAD only\n    if (this.s2kUsage === 254 || this.s2kUsage === 253) {\n      key = await produceEncryptionKey(\n        this.version, this.s2k, passphrase, this.symmetric, this.aead, serializedPacketTag, this.isLegacyAEAD);\n    } else if (this.s2kUsage === 255) {\n      throw new Error('Encrypted private key is authenticated using an insecure two-byte hash');\n    } else {\n      throw new Error('Private key is encrypted using an insecure S2K function: unsalted MD5');\n    }\n\n    let cleartext;\n    if (this.s2kUsage === 253) {\n      const mode = cipherMode.getAEADMode(this.aead, true);\n      const modeInstance = await mode(this.symmetric, key);\n      try {\n        const associateData = this.isLegacyAEAD ?\n          new Uint8Array() :\n          util.concatUint8Array([serializedPacketTag, this.writePublicKey()]);\n        cleartext = await modeInstance.decrypt(this.keyMaterial, this.iv.subarray(0, mode.ivLength), associateData);\n      } catch (err) {\n        if (err.message === 'Authentication tag mismatch') {\n          throw new Error('Incorrect key passphrase: ' + err.message);\n        }\n        throw err;\n      }\n    } else {\n      const cleartextWithHash = await cipherMode.cfb.decrypt(this.symmetric, key, this.keyMaterial, this.iv);\n\n      cleartext = cleartextWithHash.subarray(0, -20);\n      const hash = await computeDigest(enums.hash.sha1, cleartext);\n\n      if (!util.equalsUint8Array(hash, cleartextWithHash.subarray(-20))) {\n        throw new Error('Incorrect key passphrase');\n      }\n    }\n\n    try {\n      const { privateParams } = parsePrivateKeyParams(this.algorithm, cleartext, this.publicParams);\n      this.privateParams = privateParams;\n    } catch (err) {\n      throw new Error('Error reading MPIs');\n    }\n    this.isEncrypted = false;\n    this.keyMaterial = null;\n    this.s2kUsage = 0;\n    this.aead = null;\n    this.symmetric = null;\n    this.isLegacyAEAD = null;\n  }\n\n  /**\n   * Checks that the key parameters are consistent\n   * @throws {Error} if validation was not successful\n   * @async\n   */\n  async validate() {\n    if (this.isDummy()) {\n      return;\n    }\n\n    if (!this.isDecrypted()) {\n      throw new Error('Key is not decrypted');\n    }\n\n    if (this.usedModernAEAD) {\n      // key integrity confirmed by successful AEAD decryption\n      return;\n    }\n\n    let validParams;\n    try {\n      // this can throw if some parameters are undefined\n      validParams = await validateParams(this.algorithm, this.publicParams, this.privateParams);\n    } catch (_) {\n      validParams = false;\n    }\n    if (!validParams) {\n      throw new Error('Key is invalid');\n    }\n  }\n\n  async generate(bits, curve) {\n    // The deprecated OIDs for Ed25519Legacy and Curve25519Legacy are used in legacy version 4 keys and signatures.\n    // Implementations MUST NOT accept or generate v6 key material using the deprecated OIDs.\n    if (this.version === 6 && (\n      (this.algorithm === enums.publicKey.ecdh && curve === enums.curve.curve25519Legacy) ||\n      this.algorithm === enums.publicKey.eddsaLegacy\n    )) {\n      throw new Error(`Cannot generate v6 keys of type 'ecc' with curve ${curve}. Generate a key of type 'curve25519' instead`);\n    }\n    const { privateParams, publicParams } = await generateParams(this.algorithm, bits, curve);\n    this.privateParams = privateParams;\n    this.publicParams = publicParams;\n    this.isEncrypted = false;\n  }\n\n  /**\n   * Clear private key parameters\n   */\n  clearPrivateParams() {\n    if (this.isMissingSecretKeyMaterial()) {\n      return;\n    }\n\n    Object.keys(this.privateParams).forEach(name => {\n      const param = this.privateParams[name];\n      param.fill(0);\n      delete this.privateParams[name];\n    });\n    this.privateParams = null;\n    this.isEncrypted = true;\n  }\n}\n\n/**\n * Derive encryption key\n * @param {Number} keyVersion - key derivation differs for v5 keys\n * @param {module:type/s2k} s2k\n * @param {String} passphrase\n * @param {module:enums.symmetric} cipherAlgo\n * @param {module:enums.aead} [aeadMode] - for AEAD-encrypted keys only (excluding v5)\n * @param {Uint8Array} [serializedPacketTag] - for AEAD-encrypted keys only (excluding v5)\n * @param {Boolean} [isLegacyAEAD] - for AEAD-encrypted keys from RFC4880bis (v4 and v5 only)\n * @returns encryption key\n */\nasync function produceEncryptionKey(keyVersion, s2k, passphrase, cipherAlgo, aeadMode, serializedPacketTag, isLegacyAEAD) {\n  if (s2k.type === 'argon2' && !aeadMode) {\n    throw new Error('Using Argon2 S2K without AEAD is not allowed');\n  }\n  if (s2k.type === 'simple' && keyVersion === 6) {\n    throw new Error('Using Simple S2K with version 6 keys is not allowed');\n  }\n  const { keySize } = getCipherParams(cipherAlgo);\n  const derivedKey = await s2k.produceKey(passphrase, keySize);\n  if (!aeadMode || keyVersion === 5 || isLegacyAEAD) {\n    return derivedKey;\n  }\n  const info = util.concatUint8Array([\n    serializedPacketTag,\n    new Uint8Array([keyVersion, cipherAlgo, aeadMode])\n  ]);\n  return computeHKDF(enums.hash.sha256, derivedKey, new Uint8Array(), info, keySize);\n}\n\nexport default SecretKeyPacket;\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport enums from '../enums';\nimport util from '../util';\nimport defaultConfig from '../config';\n\n/**\n * Implementation of the User ID Packet (Tag 13)\n *\n * A User ID packet consists of UTF-8 text that is intended to represent\n * the name and email address of the key holder.  By convention, it\n * includes an RFC 2822 [RFC2822] mail name-addr, but there are no\n * restrictions on its content.  The packet length in the header\n * specifies the length of the User ID.\n */\nclass UserIDPacket {\n  static get tag() {\n    return enums.packet.userID;\n  }\n\n  constructor() {\n    /** A string containing the user id. Usually in the form\n     * John Doe <john@example.com>\n     * @type {String}\n     */\n    this.userID = '';\n\n    this.name = '';\n    this.email = '';\n    this.comment = '';\n  }\n\n  /**\n   * Create UserIDPacket instance from object\n   * @param {Object} userID - Object specifying userID name, email and comment\n   * @returns {UserIDPacket}\n   * @static\n   */\n  static fromObject(userID) {\n    if (util.isString(userID) ||\n      (userID.name && !util.isString(userID.name)) ||\n      (userID.email && !util.isEmailAddress(userID.email)) ||\n      (userID.comment && !util.isString(userID.comment))) {\n      throw new Error('Invalid user ID format');\n    }\n    const packet = new UserIDPacket();\n    Object.assign(packet, userID);\n    const components = [];\n    if (packet.name) components.push(packet.name);\n    if (packet.comment) components.push(`(${packet.comment})`);\n    if (packet.email) components.push(`<${packet.email}>`);\n    packet.userID = components.join(' ');\n    return packet;\n  }\n\n  /**\n   * Parsing function for a user id packet (tag 13).\n   * @param {Uint8Array} input - Payload of a tag 13 packet\n   */\n  read(bytes, config = defaultConfig) {\n    const userID = util.decodeUTF8(bytes);\n    if (userID.length > config.maxUserIDLength) {\n      throw new Error('User ID string is too long');\n    }\n\n    /**\n     * We support the conventional cases described in https://www.ietf.org/id/draft-dkg-openpgp-userid-conventions-00.html#section-4.1,\n     * as well comments placed between the name (if present) and the bracketed email address:\n     * - name (comment) <email>\n     * - email\n     * In the first case, the `email` is the only required part, and it must contain the `@` symbol.\n     * The `name` and `comment` parts can include any letters, whitespace, and symbols, except for `(` and `)`,\n     * since they interfere with `comment` parsing.\n     */\n    const re = /^(?<name>[^()]+\\s+)?(?<comment>\\([^()]+\\)\\s+)?(?<email><\\S+@\\S+>)$/;\n    const matches = re.exec(userID);\n    if (matches !== null) {\n      const { name, comment, email } = matches.groups;\n      this.comment = comment?.replace(/^\\(|\\)|\\s$/g, '').trim() || ''; // remove parenthesis and separating whiltespace\n      this.name = name?.trim() || '';\n      this.email = email.substring(1, email.length - 1); // remove brackets\n    } else if (/^[^\\s@]+@[^\\s@]+$/.test(userID)) { // unbracketed email: enforce single @ and no whitespace\n      this.email = userID;\n    }\n\n    this.userID = userID;\n  }\n\n  /**\n   * Creates a binary representation of the user id packet\n   * @returns {Uint8Array} Binary representation.\n   */\n  write() {\n    return util.encodeUTF8(this.userID);\n  }\n\n  equals(otherUserID) {\n    return otherUserID && otherUserID.userID === this.userID;\n  }\n}\n\nexport default UserIDPacket;\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport SecretKeyPacket from './secret_key';\nimport enums from '../enums';\nimport defaultConfig from '../config';\n\n/**\n * A Secret-Subkey packet (tag 7) is the subkey analog of the Secret\n * Key packet and has exactly the same format.\n * @extends SecretKeyPacket\n */\nclass SecretSubkeyPacket extends SecretKeyPacket {\n  static get tag() {\n    return enums.packet.secretSubkey;\n  }\n\n  /**\n   * @param {Date} [date] - Creation date\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   */\n  constructor(date = new Date(), config = defaultConfig) {\n    super(date, config);\n  }\n}\n\nexport default SecretSubkeyPacket;\n","import enums from '../enums';\nimport { UnsupportedError } from './packet';\n\n/**\n * Implementation of the Trust Packet (Tag 12)\n *\n * {@link https://tools.ietf.org/html/rfc4880#section-5.10|RFC4880 5.10}:\n * The Trust packet is used only within keyrings and is not normally\n * exported.  Trust packets contain data that record the user's\n * specifications of which key holders are trustworthy introducers,\n * along with other information that implementing software uses for\n * trust information.  The format of Trust packets is defined by a given\n * implementation.\n *\n * Trust packets SHOULD NOT be emitted to output streams that are\n * transferred to other users, and they SHOULD be ignored on any input\n * other than local keyring files.\n */\nclass TrustPacket {\n  static get tag() {\n    return enums.packet.trust;\n  }\n\n  /**\n   * Parsing function for a trust packet (tag 12).\n   * Currently not implemented as we ignore trust packets\n   */\n  read() {\n    throw new UnsupportedError('Trust packets are not supported');\n  }\n\n  write() {\n    throw new UnsupportedError('Trust packets are not supported');\n  }\n}\n\nexport default TrustPacket;\n","// OpenPGP.js - An OpenPGP implementation in javascript\n// Copyright (C) 2022 Proton AG\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport { getRandomBytes } from '../crypto';\nimport enums from '../enums';\n\n/**\n * Implementation of the Padding Packet\n *\n * {@link https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh#name-padding-packet-tag-21}:\n * Padding Packet\n */\nclass PaddingPacket {\n  static get tag() {\n    return enums.packet.padding;\n  }\n\n  constructor() {\n    this.padding = null;\n  }\n\n  /**\n   * Read a padding packet\n   * @param {Uint8Array | ReadableStream<Uint8Array>} bytes\n   */\n  read(bytes) { // eslint-disable-line @typescript-eslint/no-unused-vars\n    // Padding packets are ignored, so this function is never called.\n  }\n\n  /**\n   * Write the padding packet\n   * @returns {Uint8Array} The padding packet.\n   */\n  write() {\n    return this.padding;\n  }\n\n  /**\n   * Create random padding.\n   * @param {Number} length - The length of padding to be generated.\n   * @throws {Error} if padding generation was not successful\n   * @async\n   */\n  async createPadding(length) {\n    this.padding = await getRandomBytes(length);\n  }\n}\n\nexport default PaddingPacket;\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport { armor, unarmor } from './encoding/armor';\nimport { PacketList, SignaturePacket } from './packet';\nimport enums from './enums';\nimport util from './util';\nimport defaultConfig from './config';\n\n// A Signature can contain the following packets\nconst allowedPackets = /*#__PURE__*/ util.constructAllowedPackets([SignaturePacket]);\n\n/**\n * Class that represents an OpenPGP signature.\n */\nexport class Signature {\n  /**\n   * @param {PacketList} packetlist - The signature packets\n   */\n  constructor(packetlist) {\n    this.packets = packetlist || new PacketList();\n  }\n\n  /**\n   * Returns binary encoded signature\n   * @returns {ReadableStream<Uint8Array>} Binary signature.\n   */\n  write() {\n    return this.packets.write();\n  }\n\n  /**\n   * Returns ASCII armored text of signature\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {ReadableStream<String>} ASCII armor.\n   */\n  armor(config = defaultConfig) {\n    // An ASCII-armored sequence of Signature packets that only includes v6 Signature packets MUST NOT contain a CRC24 footer.\n    const emitChecksum = this.packets.some(packet => packet.constructor.tag === SignaturePacket.tag && packet.version !== 6);\n    return armor(enums.armor.signature, this.write(), undefined, undefined, undefined, emitChecksum, config);\n  }\n\n  /**\n   * Returns an array of KeyIDs of all of the issuers who created this signature\n   * @returns {Array<KeyID>} The Key IDs of the signing keys\n   */\n  getSigningKeyIDs() {\n    return this.packets.map(packet => packet.issuerKeyID);\n  }\n}\n\n/**\n * reads an (optionally armored) OpenPGP signature and returns a signature object\n * @param {Object} options\n * @param {String} [options.armoredSignature] - Armored signature to be parsed\n * @param {Uint8Array} [options.binarySignature] - Binary signature to be parsed\n * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}\n * @returns {Promise<Signature>} New signature object.\n * @async\n * @static\n */\nexport async function readSignature({ armoredSignature, binarySignature, config, ...rest }) {\n  config = { ...defaultConfig, ...config };\n  let input = armoredSignature || binarySignature;\n  if (!input) {\n    throw new Error('readSignature: must pass options object containing `armoredSignature` or `binarySignature`');\n  }\n  if (armoredSignature && !util.isString(armoredSignature)) {\n    throw new Error('readSignature: options.armoredSignature must be a string');\n  }\n  if (binarySignature && !util.isUint8Array(binarySignature)) {\n    throw new Error('readSignature: options.binarySignature must be a Uint8Array');\n  }\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  if (armoredSignature) {\n    const { type, data } = await unarmor(input, config);\n    if (type !== enums.armor.signature) {\n      throw new Error('Armored text not of type signature');\n    }\n    input = data;\n  }\n  const packetlist = await PacketList.fromBinary(input, allowedPackets, config);\n  return new Signature(packetlist);\n}\n","/**\n * @fileoverview Provides helpers methods for key module\n * @module key/helper\n */\n\nimport {\n  SecretKeyPacket,\n  SecretSubkeyPacket,\n  SignaturePacket\n} from '../packet';\nimport enums from '../enums';\nimport { getPreferredCurveHashAlgo, getHashByteLength } from '../crypto';\nimport util from '../util';\nimport defaultConfig from '../config';\n\nexport async function generateSecretSubkey(options, config) {\n  const secretSubkeyPacket = new SecretSubkeyPacket(options.date, config);\n  secretSubkeyPacket.packets = null;\n  secretSubkeyPacket.algorithm = enums.write(enums.publicKey, options.algorithm);\n  await secretSubkeyPacket.generate(options.rsaBits, options.curve);\n  await secretSubkeyPacket.computeFingerprintAndKeyID();\n  return secretSubkeyPacket;\n}\n\nexport async function generateSecretKey(options, config) {\n  const secretKeyPacket = new SecretKeyPacket(options.date, config);\n  secretKeyPacket.packets = null;\n  secretKeyPacket.algorithm = enums.write(enums.publicKey, options.algorithm);\n  await secretKeyPacket.generate(options.rsaBits, options.curve, options.config);\n  await secretKeyPacket.computeFingerprintAndKeyID();\n  return secretKeyPacket;\n}\n\n/**\n * Returns the valid and non-expired signature that has the latest creation date, while ignoring signatures created in the future.\n * @param {Array<SignaturePacket>} signatures - List of signatures\n * @param {PublicKeyPacket|PublicSubkeyPacket} publicKey - Public key packet to verify the signature\n * @param {module:enums.signature} signatureType - Signature type to determine how to hash the data (NB: for userID signatures,\n *                          `enums.signatures.certGeneric` should be given regardless of the actual trust level)\n * @param {Date} date - Use the given date instead of the current time\n * @param {Object} config - full configuration\n * @returns {Promise<SignaturePacket>} The latest valid signature.\n * @async\n */\nexport async function getLatestValidSignature(signatures, publicKey, signatureType, dataToVerify, date = new Date(), config) {\n  let latestValid;\n  let exception;\n  for (let i = signatures.length - 1; i >= 0; i--) {\n    try {\n      if (\n        (!latestValid || signatures[i].created >= latestValid.created)\n      ) {\n        await signatures[i].verify(publicKey, signatureType, dataToVerify, date, undefined, config);\n        latestValid = signatures[i];\n      }\n    } catch (e) {\n      exception = e;\n    }\n  }\n  if (!latestValid) {\n    throw util.wrapError(\n      `Could not find valid ${enums.read(enums.signature, signatureType)} signature in key ${publicKey.getKeyID().toHex()}`\n        .replace('certGeneric ', 'self-')\n        .replace(/([a-z])([A-Z])/g, (_, $1, $2) => $1 + ' ' + $2.toLowerCase()),\n      exception);\n  }\n  return latestValid;\n}\n\nexport function isDataExpired(keyPacket, signature, date = new Date()) {\n  const normDate = util.normalizeDate(date);\n  if (normDate !== null) {\n    const expirationTime = getKeyExpirationTime(keyPacket, signature);\n    return !(keyPacket.created <= normDate && normDate < expirationTime);\n  }\n  return false;\n}\n\n/**\n * Create Binding signature to the key according to the {@link https://tools.ietf.org/html/rfc4880#section-5.2.1}\n * @param {SecretSubkeyPacket} subkey - Subkey key packet\n * @param {SecretKeyPacket} primaryKey - Primary key packet\n * @param {Object} options\n * @param {Object} config - Full configuration\n */\nexport async function createBindingSignature(subkey, primaryKey, options, config) {\n  const dataToSign = {};\n  dataToSign.key = primaryKey;\n  dataToSign.bind = subkey;\n  const signatureProperties = { signatureType: enums.signature.subkeyBinding };\n  if (options.sign) {\n    signatureProperties.keyFlags = [enums.keyFlags.signData];\n    signatureProperties.embeddedSignature = await createSignaturePacket(dataToSign, [], subkey, {\n      signatureType: enums.signature.keyBinding\n    }, options.date, undefined, undefined, undefined, config);\n  } else {\n    signatureProperties.keyFlags = [enums.keyFlags.encryptCommunication | enums.keyFlags.encryptStorage];\n  }\n  if (options.keyExpirationTime > 0) {\n    signatureProperties.keyExpirationTime = options.keyExpirationTime;\n    signatureProperties.keyNeverExpires = false;\n  }\n  const subkeySignaturePacket = await createSignaturePacket(dataToSign, [], primaryKey, signatureProperties, options.date, undefined, undefined, undefined, config);\n  return subkeySignaturePacket;\n}\n\n/**\n * Returns the preferred signature hash algorithm for a set of keys.\n * @param {Array<Key>} [targetKeys] - The keys to get preferences from\n * @param {SecretKeyPacket|SecretSubkeyPacket} signingKeyPacket - key packet used for signing\n * @param {Date} [date] - Use the given date for verification instead of the current time\n * @param {Object} [targetUserID] - User IDs corresponding to `targetKeys` to get preferences from\n * @param {Object} config - full configuration\n * @returns {Promise<enums.hash>}\n * @async\n */\nexport async function getPreferredHashAlgo(targetKeys, signingKeyPacket, date = new Date(), targetUserIDs = [], config) {\n  /**\n   * If `preferredSenderAlgo` appears in the prefs of all recipients, we pick it; otherwise, we use the\n   * strongest supported algo (`defaultAlgo` is always implicitly supported by all keys).\n   * if no keys are available, `preferredSenderAlgo` is returned.\n   * For ECC signing key, the curve preferred hash is taken into account as well (see logic below).\n   */\n  const defaultAlgo = enums.hash.sha256; // MUST implement\n  const preferredSenderAlgo = config.preferredHashAlgorithm;\n\n  const supportedAlgosPerTarget = await Promise.all(targetKeys.map(async (key, i) => {\n    const selfCertification = await key.getPrimarySelfSignature(date, targetUserIDs[i], config);\n    const targetPrefs = selfCertification.preferredHashAlgorithms;\n    return targetPrefs || [];\n  }));\n  const supportedAlgosMap = new Map(); // use Map over object to preserve numeric keys\n  for (const supportedAlgos of supportedAlgosPerTarget) {\n    for (const hashAlgo of supportedAlgos) {\n      try {\n        // ensure that `hashAlgo` is recognized/implemented by us, otherwise e.g. `getHashByteLength` will throw later on\n        const supportedAlgo = enums.write(enums.hash, hashAlgo);\n        supportedAlgosMap.set(\n          supportedAlgo,\n          supportedAlgosMap.has(supportedAlgo) ? supportedAlgosMap.get(supportedAlgo) + 1 : 1\n        );\n      } catch {}\n    }\n  }\n  const isSupportedHashAlgo = hashAlgo => targetKeys.length === 0 || supportedAlgosMap.get(hashAlgo) === targetKeys.length || hashAlgo === defaultAlgo;\n  const getStrongestSupportedHashAlgo = () => {\n    if (supportedAlgosMap.size === 0) {\n      return defaultAlgo;\n    }\n    const sortedHashAlgos = Array.from(supportedAlgosMap.keys())\n      .filter(hashAlgo => isSupportedHashAlgo(hashAlgo))\n      .sort((algoA, algoB) => getHashByteLength(algoA) - getHashByteLength(algoB));\n    const strongestHashAlgo = sortedHashAlgos[0];\n    // defaultAlgo is always implicitly supported, and might be stronger than the rest\n    return getHashByteLength(strongestHashAlgo) >= getHashByteLength(defaultAlgo) ? strongestHashAlgo : defaultAlgo;\n  };\n\n  const eccAlgos = new Set([\n    enums.publicKey.ecdsa,\n    enums.publicKey.eddsaLegacy,\n    enums.publicKey.ed25519,\n    enums.publicKey.ed448\n  ]);\n\n  if (eccAlgos.has(signingKeyPacket.algorithm)) {\n    // For ECC, the returned hash algo MUST be at least as strong as `preferredCurveHashAlgo`, see:\n    // - ECDSA: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.2-5\n    // - EdDSALegacy: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.3-3\n    // - Ed25519: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.4-4\n    // - Ed448: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3.5-4\n    // Hence, we return the `preferredHashAlgo` as long as it's supported and strong enough;\n    // Otherwise, we look at the strongest supported algo, and ultimately fallback to the curve\n    // preferred algo, even if not supported by all targets.\n    const preferredCurveAlgo = getPreferredCurveHashAlgo(signingKeyPacket.algorithm, signingKeyPacket.publicParams.oid);\n\n    const preferredSenderAlgoIsSupported = isSupportedHashAlgo(preferredSenderAlgo);\n    const preferredSenderAlgoStrongerThanCurveAlgo = getHashByteLength(preferredSenderAlgo) >= getHashByteLength(preferredCurveAlgo);\n\n    if (preferredSenderAlgoIsSupported && preferredSenderAlgoStrongerThanCurveAlgo) {\n      return preferredSenderAlgo;\n    } else {\n      const strongestSupportedAlgo = getStrongestSupportedHashAlgo();\n      return getHashByteLength(strongestSupportedAlgo) >= getHashByteLength(preferredCurveAlgo) ?\n        strongestSupportedAlgo :\n        preferredCurveAlgo;\n    }\n  }\n\n  // `preferredSenderAlgo` may be weaker than the default, but we do not guard against this,\n  // since it was manually set by the sender.\n  return isSupportedHashAlgo(preferredSenderAlgo) ? preferredSenderAlgo : getStrongestSupportedHashAlgo();\n}\n\n/**\n * Returns the preferred compression algorithm for a set of keys\n * @param {Array<Key>} [keys] - Set of keys\n * @param {Date} [date] - Use the given date for verification instead of the current time\n * @param {Array} [userIDs] - User IDs\n * @param {Object} [config] - Full configuration, defaults to openpgp.config\n * @returns {Promise<module:enums.compression>} Preferred compression algorithm\n * @async\n */\nexport async function getPreferredCompressionAlgo(keys = [], date = new Date(), userIDs = [], config = defaultConfig) {\n  const defaultAlgo = enums.compression.uncompressed;\n  const preferredSenderAlgo = config.preferredCompressionAlgorithm;\n\n  // if preferredSenderAlgo appears in the prefs of all recipients, we pick it\n  // otherwise we use the default algo\n  // if no keys are available, preferredSenderAlgo is returned\n  const senderAlgoSupport = await Promise.all(keys.map(async function(key, i) {\n    const selfCertification = await key.getPrimarySelfSignature(date, userIDs[i], config);\n    const recipientPrefs = selfCertification.preferredCompressionAlgorithms;\n    return !!recipientPrefs && recipientPrefs.indexOf(preferredSenderAlgo) >= 0;\n  }));\n  return senderAlgoSupport.every(Boolean) ? preferredSenderAlgo : defaultAlgo;\n}\n\n/**\n * Returns the preferred symmetric and AEAD algorithm (if any) for a set of keys\n * @param {Array<Key>} [keys] - Set of keys\n * @param {Date} [date] - Use the given date for verification instead of the current time\n * @param {Array} [userIDs] - User IDs\n * @param {Object} [config] - Full configuration, defaults to openpgp.config\n * @returns {Promise<{ symmetricAlgo: module:enums.symmetric, aeadAlgo: module:enums.aead | undefined }>} Object containing the preferred symmetric algorithm, and the preferred AEAD algorithm, or undefined if CFB is preferred\n * @async\n */\nexport async function getPreferredCipherSuite(keys = [], date = new Date(), userIDs = [], config = defaultConfig) {\n  const selfSigs = await Promise.all(keys.map((key, i) => key.getPrimarySelfSignature(date, userIDs[i], config)));\n  const withAEAD = keys.length ?\n    selfSigs.every(selfSig => selfSig.features && (selfSig.features[0] & enums.features.seipdv2)) :\n    config.aeadProtect;\n\n  if (withAEAD) {\n    const defaultCipherSuite = { symmetricAlgo: enums.symmetric.aes128, aeadAlgo: enums.aead.ocb };\n    const desiredCipherSuites = [\n      { symmetricAlgo: config.preferredSymmetricAlgorithm, aeadAlgo: config.preferredAEADAlgorithm },\n      { symmetricAlgo: config.preferredSymmetricAlgorithm, aeadAlgo: enums.aead.ocb },\n      { symmetricAlgo: enums.symmetric.aes128, aeadAlgo: config.preferredAEADAlgorithm }\n    ];\n    for (const desiredCipherSuite of desiredCipherSuites) {\n      if (selfSigs.every(selfSig => selfSig.preferredCipherSuites && selfSig.preferredCipherSuites.some(\n        cipherSuite => cipherSuite[0] === desiredCipherSuite.symmetricAlgo && cipherSuite[1] === desiredCipherSuite.aeadAlgo\n      ))) {\n        return desiredCipherSuite;\n      }\n    }\n    return defaultCipherSuite;\n  }\n  const defaultSymAlgo = enums.symmetric.aes128;\n  const desiredSymAlgo = config.preferredSymmetricAlgorithm;\n  return {\n    symmetricAlgo: selfSigs.every(selfSig => selfSig.preferredSymmetricAlgorithms && selfSig.preferredSymmetricAlgorithms.includes(desiredSymAlgo)) ?\n      desiredSymAlgo :\n      defaultSymAlgo,\n    aeadAlgo: undefined\n  };\n}\n\n/**\n * Create signature packet\n * @param {Object} dataToSign - Contains packets to be signed\n * @param {Array<Key>} recipientKeys - keys to get preferences from\n * @param  {SecretKeyPacket|\n *          SecretSubkeyPacket}              signingKeyPacket secret key packet for signing\n * @param {Object} [signatureProperties] - Properties to write on the signature packet before signing\n * @param {Date} [date] - Override the creationtime of the signature\n * @param {Object} [userID] - User ID\n * @param {Array} [notations] - Notation Data to add to the signature, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]\n * @param {Object} [detached] - Whether to create a detached signature packet\n * @param {Object} config - full configuration\n * @returns {Promise<SignaturePacket>} Signature packet.\n */\nexport async function createSignaturePacket(dataToSign, recipientKeys, signingKeyPacket, signatureProperties, date, recipientUserIDs, notations = [], detached = false, config) {\n  if (signingKeyPacket.isDummy()) {\n    throw new Error('Cannot sign with a gnu-dummy key.');\n  }\n  if (!signingKeyPacket.isDecrypted()) {\n    throw new Error('Signing key is not decrypted.');\n  }\n  const signaturePacket = new SignaturePacket();\n  Object.assign(signaturePacket, signatureProperties);\n  signaturePacket.publicKeyAlgorithm = signingKeyPacket.algorithm;\n  signaturePacket.hashAlgorithm = await getPreferredHashAlgo(recipientKeys, signingKeyPacket, date, recipientUserIDs, config);\n  signaturePacket.rawNotations = [...notations];\n  await signaturePacket.sign(signingKeyPacket, dataToSign, date, detached, config);\n  return signaturePacket;\n}\n\n/**\n * Merges signatures from source[attr] to dest[attr]\n * @param {Object} source\n * @param {Object} dest\n * @param {String} attr\n * @param {Date} [date] - date to use for signature expiration check, instead of the current time\n * @param {Function} [checkFn] - signature only merged if true\n */\nexport async function mergeSignatures(source, dest, attr, date = new Date(), checkFn) {\n  source = source[attr];\n  if (source) {\n    if (!dest[attr].length) {\n      dest[attr] = source;\n    } else {\n      await Promise.all(source.map(async function(sourceSig) {\n        if (!sourceSig.isExpired(date) && (!checkFn || await checkFn(sourceSig)) &&\n            !dest[attr].some(function(destSig) {\n              return util.equalsUint8Array(destSig.writeParams(), sourceSig.writeParams());\n            })) {\n          dest[attr].push(sourceSig);\n        }\n      }));\n    }\n  }\n}\n\n/**\n * Checks if a given certificate or binding signature is revoked\n * @param  {SecretKeyPacket|\n *          PublicKeyPacket}        primaryKey   The primary key packet\n * @param {Object} dataToVerify - The data to check\n * @param {Array<SignaturePacket>} revocations - The revocation signatures to check\n * @param {SignaturePacket} signature - The certificate or signature to check\n * @param  {PublicSubkeyPacket|\n *          SecretSubkeyPacket|\n *          PublicKeyPacket|\n *          SecretKeyPacket} key, optional The key packet to verify the signature, instead of the primary key\n * @param {Date} date - Use the given date instead of the current time\n * @param {Object} config - Full configuration\n * @returns {Promise<Boolean>} True if the signature revokes the data.\n * @async\n */\nexport async function isDataRevoked(primaryKey, signatureType, dataToVerify, revocations, signature, key, date = new Date(), config) {\n  key = key || primaryKey;\n  const revocationKeyIDs = [];\n  await Promise.all(revocations.map(async function(revocationSignature) {\n    try {\n      if (\n        // Note: a third-party revocation signature could legitimately revoke a\n        // self-signature if the signature has an authorized revocation key.\n        // However, we don't support passing authorized revocation keys, nor\n        // verifying such revocation signatures. Instead, we indicate an error\n        // when parsing a key with an authorized revocation key, and ignore\n        // third-party revocation signatures here. (It could also be revoking a\n        // third-party key certification, which should only affect\n        // `verifyAllCertifications`.)\n        !signature || revocationSignature.issuerKeyID.equals(signature.issuerKeyID)\n      ) {\n        const isHardRevocation = ![\n          enums.reasonForRevocation.keyRetired,\n          enums.reasonForRevocation.keySuperseded,\n          enums.reasonForRevocation.userIDInvalid\n        ].includes(revocationSignature.reasonForRevocationFlag);\n\n        await revocationSignature.verify(\n          key, signatureType, dataToVerify, isHardRevocation ? null : date, false, config\n        );\n\n        // TODO get an identifier of the revoked object instead\n        revocationKeyIDs.push(revocationSignature.issuerKeyID);\n      }\n    } catch (e) {}\n  }));\n  // TODO further verify that this is the signature that should be revoked\n  if (signature) {\n    signature.revoked = revocationKeyIDs.some(keyID => keyID.equals(signature.issuerKeyID)) ? true :\n      signature.revoked || false;\n    return signature.revoked;\n  }\n  return revocationKeyIDs.length > 0;\n}\n\n/**\n * Returns key expiration time based on the given certification signature.\n * The expiration time of the signature is ignored.\n * @param {PublicSubkeyPacket|PublicKeyPacket} keyPacket - key to check\n * @param {SignaturePacket} signature - signature to process\n * @returns {Date|Infinity} expiration time or infinity if the key does not expire\n */\nexport function getKeyExpirationTime(keyPacket, signature) {\n  let expirationTime;\n  // check V4 expiration time\n  if (signature.keyNeverExpires === false) {\n    expirationTime = keyPacket.created.getTime() + signature.keyExpirationTime * 1000;\n  }\n  return expirationTime ? new Date(expirationTime) : Infinity;\n}\n\nexport function sanitizeKeyOptions(options, subkeyDefaults = {}) {\n  options.type = options.type || subkeyDefaults.type;\n  options.curve = options.curve || subkeyDefaults.curve;\n  options.rsaBits = options.rsaBits || subkeyDefaults.rsaBits;\n  options.keyExpirationTime = options.keyExpirationTime !== undefined ? options.keyExpirationTime : subkeyDefaults.keyExpirationTime;\n  options.passphrase = util.isString(options.passphrase) ? options.passphrase : subkeyDefaults.passphrase;\n  options.date = options.date || subkeyDefaults.date;\n\n  options.sign = options.sign || false;\n\n  switch (options.type) {\n    case 'ecc': // NB: this case also handles legacy eddsa and x25519 keys, based on `options.curve`\n      try {\n        options.curve = enums.write(enums.curve, options.curve);\n      } catch (e) {\n        throw new Error('Unknown curve');\n      }\n      if (options.curve === enums.curve.ed25519Legacy || options.curve === enums.curve.curve25519Legacy ||\n        options.curve === 'ed25519' || options.curve === 'curve25519') { // keep support for curve names without 'Legacy' addition, for now\n        options.curve = options.sign ? enums.curve.ed25519Legacy : enums.curve.curve25519Legacy;\n      }\n      if (options.sign) {\n        options.algorithm = options.curve === enums.curve.ed25519Legacy ? enums.publicKey.eddsaLegacy : enums.publicKey.ecdsa;\n      } else {\n        options.algorithm = enums.publicKey.ecdh;\n      }\n      break;\n    case 'curve25519':\n      options.algorithm = options.sign ? enums.publicKey.ed25519 : enums.publicKey.x25519;\n      break;\n    case 'curve448':\n      options.algorithm = options.sign ? enums.publicKey.ed448 : enums.publicKey.x448;\n      break;\n    case 'rsa':\n      options.algorithm = enums.publicKey.rsaEncryptSign;\n      break;\n    default:\n      throw new Error(`Unsupported key type ${options.type}`);\n  }\n  return options;\n}\n\nexport function validateSigningKeyPacket(keyPacket, signature, config) {\n  switch (keyPacket.algorithm) {\n    case enums.publicKey.rsaEncryptSign:\n    case enums.publicKey.rsaSign:\n    case enums.publicKey.dsa:\n    case enums.publicKey.ecdsa:\n    case enums.publicKey.eddsaLegacy:\n    case enums.publicKey.ed25519:\n    case enums.publicKey.ed448:\n      if (!signature.keyFlags && !config.allowMissingKeyFlags) {\n        throw new Error('None of the key flags is set: consider passing `config.allowMissingKeyFlags`');\n      }\n      return !signature.keyFlags ||\n        (signature.keyFlags[0] & enums.keyFlags.signData) !== 0;\n    default:\n      return false;\n  }\n}\n\nexport function validateEncryptionKeyPacket(keyPacket, signature, config) {\n  switch (keyPacket.algorithm) {\n    case enums.publicKey.rsaEncryptSign:\n    case enums.publicKey.rsaEncrypt:\n    case enums.publicKey.elgamal:\n    case enums.publicKey.ecdh:\n    case enums.publicKey.x25519:\n    case enums.publicKey.x448:\n      if (!signature.keyFlags && !config.allowMissingKeyFlags) {\n        throw new Error('None of the key flags is set: consider passing `config.allowMissingKeyFlags`');\n      }\n      return !signature.keyFlags ||\n        (signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 ||\n        (signature.keyFlags[0] & enums.keyFlags.encryptStorage) !== 0;\n    default:\n      return false;\n  }\n}\n\nexport function validateDecryptionKeyPacket(keyPacket, signature, config) {\n  if (!signature.keyFlags && !config.allowMissingKeyFlags) {\n    throw new Error('None of the key flags is set: consider passing `config.allowMissingKeyFlags`');\n  }\n\n  switch (keyPacket.algorithm) {\n    case enums.publicKey.rsaEncryptSign:\n    case enums.publicKey.rsaEncrypt:\n    case enums.publicKey.elgamal:\n    case enums.publicKey.ecdh:\n    case enums.publicKey.x25519:\n    case enums.publicKey.x448: {\n      const isValidSigningKeyPacket = !signature.keyFlags || (signature.keyFlags[0] & enums.keyFlags.signData) !== 0;\n      if (isValidSigningKeyPacket && config.allowInsecureDecryptionWithSigningKeys) {\n        // This is only relevant for RSA keys, all other signing algorithms cannot decrypt\n        return true;\n      }\n\n      return !signature.keyFlags ||\n      (signature.keyFlags[0] & enums.keyFlags.encryptCommunication) !== 0 ||\n      (signature.keyFlags[0] & enums.keyFlags.encryptStorage) !== 0;\n    }\n    default:\n      return false;\n  }\n}\n\n/**\n * Check key against blacklisted algorithms and minimum strength requirements.\n * @param {SecretKeyPacket|PublicKeyPacket|\n *        SecretSubkeyPacket|PublicSubkeyPacket} keyPacket\n * @param {Config} config\n * @throws {Error} if the key packet does not meet the requirements\n */\nexport function checkKeyRequirements(keyPacket, config) {\n  const keyAlgo = enums.write(enums.publicKey, keyPacket.algorithm);\n  const algoInfo = keyPacket.getAlgorithmInfo();\n  if (config.rejectPublicKeyAlgorithms.has(keyAlgo)) {\n    throw new Error(`${algoInfo.algorithm} keys are considered too weak.`);\n  }\n  switch (keyAlgo) {\n    case enums.publicKey.rsaEncryptSign:\n    case enums.publicKey.rsaSign:\n    case enums.publicKey.rsaEncrypt:\n      if (algoInfo.bits < config.minRSABits) {\n        throw new Error(`RSA keys shorter than ${config.minRSABits} bits are considered too weak.`);\n      }\n      break;\n    case enums.publicKey.ecdsa:\n    case enums.publicKey.eddsaLegacy:\n    case enums.publicKey.ecdh:\n      if (config.rejectCurves.has(algoInfo.curve)) {\n        throw new Error(`Support for ${algoInfo.algorithm} keys using curve ${algoInfo.curve} is disabled.`);\n      }\n      break;\n    default:\n      break;\n  }\n}\n","/**\n * @module key/User\n */\n\nimport enums from '../enums';\nimport util from '../util';\nimport { PacketList } from '../packet';\nimport { mergeSignatures, isDataRevoked, createSignaturePacket } from './helper';\nimport defaultConfig from '../config';\n\n/**\n * Class that represents an user ID or attribute packet and the relevant signatures.\n  * @param {UserIDPacket|UserAttributePacket} userPacket - packet containing the user info\n  * @param {Key} mainKey - reference to main Key object containing the primary key and subkeys that the user is associated with\n */\nclass User {\n  constructor(userPacket, mainKey) {\n    this.userID = userPacket.constructor.tag === enums.packet.userID ? userPacket : null;\n    this.userAttribute = userPacket.constructor.tag === enums.packet.userAttribute ? userPacket : null;\n    this.selfCertifications = [];\n    this.otherCertifications = [];\n    this.revocationSignatures = [];\n    this.mainKey = mainKey;\n  }\n\n  /**\n   * Transforms structured user data to packetlist\n   * @returns {PacketList}\n   */\n  toPacketList() {\n    const packetlist = new PacketList();\n    packetlist.push(this.userID || this.userAttribute);\n    packetlist.push(...this.revocationSignatures);\n    packetlist.push(...this.selfCertifications);\n    packetlist.push(...this.otherCertifications);\n    return packetlist;\n  }\n\n  /**\n   * Shallow clone\n   * @returns {User}\n   */\n  clone() {\n    const user = new User(this.userID || this.userAttribute, this.mainKey);\n    user.selfCertifications = [...this.selfCertifications];\n    user.otherCertifications = [...this.otherCertifications];\n    user.revocationSignatures = [...this.revocationSignatures];\n    return user;\n  }\n\n  /**\n   * Generate third-party certifications over this user and its primary key\n   * @param {Array<PrivateKey>} signingKeys - Decrypted private keys for signing\n   * @param {Date} [date] - Date to use as creation date of the certificate, instead of the current time\n   * @param {Object} config - Full configuration\n   * @returns {Promise<User>} New user with new certifications.\n   * @async\n   */\n  async certify(signingKeys, date, config) {\n    const primaryKey = this.mainKey.keyPacket;\n    const dataToSign = {\n      userID: this.userID,\n      userAttribute: this.userAttribute,\n      key: primaryKey\n    };\n    const user = new User(dataToSign.userID || dataToSign.userAttribute, this.mainKey);\n    user.otherCertifications = await Promise.all(signingKeys.map(async function(privateKey) {\n      if (!privateKey.isPrivate()) {\n        throw new Error('Need private key for signing');\n      }\n      if (privateKey.hasSameFingerprintAs(primaryKey)) {\n        throw new Error(\"The user's own key can only be used for self-certifications\");\n      }\n      const signingKey = await privateKey.getSigningKey(undefined, date, undefined, config);\n      return createSignaturePacket(dataToSign, [privateKey], signingKey.keyPacket, {\n        // Most OpenPGP implementations use generic certification (0x10)\n        signatureType: enums.signature.certGeneric,\n        keyFlags: [enums.keyFlags.certifyKeys | enums.keyFlags.signData]\n      }, date, undefined, undefined, undefined, config);\n    }));\n    await user.update(this, date, config);\n    return user;\n  }\n\n  /**\n   * Checks if a given certificate of the user is revoked\n   * @param {SignaturePacket} certificate - The certificate to verify\n   * @param  {PublicSubkeyPacket|\n   *          SecretSubkeyPacket|\n   *          PublicKeyPacket|\n   *          SecretKeyPacket} [keyPacket] The key packet to verify the signature, instead of the primary key\n   * @param {Date} [date] - Use the given date for verification instead of the current time\n   * @param {Object} config - Full configuration\n   * @returns {Promise<Boolean>} True if the certificate is revoked.\n   * @async\n   */\n  async isRevoked(certificate, keyPacket, date = new Date(), config = defaultConfig) {\n    const primaryKey = this.mainKey.keyPacket;\n    return isDataRevoked(primaryKey, enums.signature.certRevocation, {\n      key: primaryKey,\n      userID: this.userID,\n      userAttribute: this.userAttribute\n    }, this.revocationSignatures, certificate, keyPacket, date, config);\n  }\n\n  /**\n   * Verifies the user certificate.\n   * @param {SignaturePacket} certificate - A certificate of this user\n   * @param {Array<PublicKey>} verificationKeys - Array of keys to verify certificate signatures\n   * @param {Date} [date] - Use the given date instead of the current time\n   * @param {Object} config - Full configuration\n   * @returns {Promise<true|null>} true if the certificate could be verified, or null if the verification keys do not correspond to the certificate\n   * @throws if the user certificate is invalid.\n   * @async\n   */\n  async verifyCertificate(certificate, verificationKeys, date = new Date(), config) {\n    const that = this;\n    const primaryKey = this.mainKey.keyPacket;\n    const dataToVerify = {\n      userID: this.userID,\n      userAttribute: this.userAttribute,\n      key: primaryKey\n    };\n    const { issuerKeyID } = certificate;\n    const issuerKeys = verificationKeys.filter(key => key.getKeys(issuerKeyID).length > 0);\n    if (issuerKeys.length === 0) {\n      return null;\n    }\n    await Promise.all(issuerKeys.map(async key => {\n      const signingKey = await key.getSigningKey(issuerKeyID, certificate.created, undefined, config);\n      if (certificate.revoked || await that.isRevoked(certificate, signingKey.keyPacket, date, config)) {\n        throw new Error('User certificate is revoked');\n      }\n      try {\n        await certificate.verify(signingKey.keyPacket, enums.signature.certGeneric, dataToVerify, date, undefined, config);\n      } catch (e) {\n        throw util.wrapError('User certificate is invalid', e);\n      }\n    }));\n    return true;\n  }\n\n  /**\n   * Verifies all user certificates\n   * @param {Array<PublicKey>} verificationKeys - Array of keys to verify certificate signatures\n   * @param {Date} [date] - Use the given date instead of the current time\n   * @param {Object} config - Full configuration\n   * @returns {Promise<Array<{\n   *   keyID: module:type/keyid~KeyID,\n   *   valid: Boolean | null\n   * }>>} List of signer's keyID and validity of signature.\n   *      Signature validity is null if the verification keys do not correspond to the certificate.\n   * @async\n   */\n  async verifyAllCertifications(verificationKeys, date = new Date(), config) {\n    const that = this;\n    const certifications = this.selfCertifications.concat(this.otherCertifications);\n    return Promise.all(certifications.map(async certification => ({\n      keyID: certification.issuerKeyID,\n      valid: await that.verifyCertificate(certification, verificationKeys, date, config).catch(() => false)\n    })));\n  }\n\n  /**\n   * Verify User. Checks for existence of self signatures, revocation signatures\n   * and validity of self signature.\n   * @param {Date} date - Use the given date instead of the current time\n   * @param {Object} config - Full configuration\n   * @returns {Promise<true>} Status of user.\n   * @throws {Error} if there are no valid self signatures.\n   * @async\n   */\n  async verify(date = new Date(), config) {\n    if (!this.selfCertifications.length) {\n      throw new Error('No self-certifications found');\n    }\n    const that = this;\n    const primaryKey = this.mainKey.keyPacket;\n    const dataToVerify = {\n      userID: this.userID,\n      userAttribute: this.userAttribute,\n      key: primaryKey\n    };\n    // TODO replace when Promise.some or Promise.any are implemented\n    let exception;\n    for (let i = this.selfCertifications.length - 1; i >= 0; i--) {\n      try {\n        const selfCertification = this.selfCertifications[i];\n        if (selfCertification.revoked || await that.isRevoked(selfCertification, undefined, date, config)) {\n          throw new Error('Self-certification is revoked');\n        }\n        try {\n          await selfCertification.verify(primaryKey, enums.signature.certGeneric, dataToVerify, date, undefined, config);\n        } catch (e) {\n          throw util.wrapError('Self-certification is invalid', e);\n        }\n        return true;\n      } catch (e) {\n        exception = e;\n      }\n    }\n    throw exception;\n  }\n\n  /**\n   * Update user with new components from specified user\n   * @param {User} sourceUser - Source user to merge\n   * @param {Date} date - Date to verify the validity of signatures\n   * @param {Object} config - Full configuration\n   * @returns {Promise<undefined>}\n   * @async\n   */\n  async update(sourceUser, date, config) {\n    const primaryKey = this.mainKey.keyPacket;\n    const dataToVerify = {\n      userID: this.userID,\n      userAttribute: this.userAttribute,\n      key: primaryKey\n    };\n    // self signatures\n    await mergeSignatures(sourceUser, this, 'selfCertifications', date, async function(srcSelfSig) {\n      try {\n        await srcSelfSig.verify(primaryKey, enums.signature.certGeneric, dataToVerify, date, false, config);\n        return true;\n      } catch (e) {\n        return false;\n      }\n    });\n    // other signatures\n    await mergeSignatures(sourceUser, this, 'otherCertifications', date);\n    // revocation signatures\n    await mergeSignatures(sourceUser, this, 'revocationSignatures', date, function(srcRevSig) {\n      return isDataRevoked(primaryKey, enums.signature.certRevocation, dataToVerify, [srcRevSig], undefined, undefined, date, config);\n    });\n  }\n\n  /**\n   * Revokes the user\n   * @param {SecretKeyPacket} primaryKey - decrypted private primary key for revocation\n   * @param {Object} reasonForRevocation - optional, object indicating the reason for revocation\n   * @param  {module:enums.reasonForRevocation} reasonForRevocation.flag optional, flag indicating the reason for revocation\n   * @param  {String} reasonForRevocation.string optional, string explaining the reason for revocation\n   * @param {Date} date - optional, override the creationtime of the revocation signature\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<User>} New user with revocation signature.\n   * @async\n   */\n  async revoke(\n    primaryKey,\n    {\n      flag: reasonForRevocationFlag = enums.reasonForRevocation.noReason,\n      string: reasonForRevocationString = ''\n    } = {},\n    date = new Date(),\n    config = defaultConfig\n  ) {\n    const dataToSign = {\n      userID: this.userID,\n      userAttribute: this.userAttribute,\n      key: primaryKey\n    };\n    const user = new User(dataToSign.userID || dataToSign.userAttribute, this.mainKey);\n    user.revocationSignatures.push(await createSignaturePacket(dataToSign, [], primaryKey, {\n      signatureType: enums.signature.certRevocation,\n      reasonForRevocationFlag: enums.write(enums.reasonForRevocation, reasonForRevocationFlag),\n      reasonForRevocationString\n    }, date, undefined, undefined, false, config));\n    await user.update(this);\n    return user;\n  }\n}\n\nexport default User;\n","/**\n * @module key/Subkey\n */\n\nimport enums from '../enums';\nimport * as helper from './helper';\nimport { PacketList } from '../packet';\nimport defaultConfig from '../config';\n\n/**\n * Class that represents a subkey packet and the relevant signatures.\n * @borrows PublicSubkeyPacket#getKeyID as Subkey#getKeyID\n * @borrows PublicSubkeyPacket#getFingerprint as Subkey#getFingerprint\n * @borrows PublicSubkeyPacket#hasSameFingerprintAs as Subkey#hasSameFingerprintAs\n * @borrows PublicSubkeyPacket#getAlgorithmInfo as Subkey#getAlgorithmInfo\n * @borrows PublicSubkeyPacket#getCreationTime as Subkey#getCreationTime\n * @borrows PublicSubkeyPacket#isDecrypted as Subkey#isDecrypted\n */\nclass Subkey {\n  /**\n   * @param {SecretSubkeyPacket|PublicSubkeyPacket} subkeyPacket - subkey packet to hold in the Subkey\n   * @param {Key} mainKey - reference to main Key object, containing the primary key packet corresponding to the subkey\n   */\n  constructor(subkeyPacket, mainKey) {\n    this.keyPacket = subkeyPacket;\n    this.bindingSignatures = [];\n    this.revocationSignatures = [];\n    this.mainKey = mainKey;\n  }\n\n  /**\n   * Transforms structured subkey data to packetlist\n   * @returns {PacketList}\n   */\n  toPacketList() {\n    const packetlist = new PacketList();\n    packetlist.push(this.keyPacket);\n    packetlist.push(...this.revocationSignatures);\n    packetlist.push(...this.bindingSignatures);\n    return packetlist;\n  }\n\n  /**\n   * Shallow clone\n   * @return {Subkey}\n   */\n  clone() {\n    const subkey = new Subkey(this.keyPacket, this.mainKey);\n    subkey.bindingSignatures = [...this.bindingSignatures];\n    subkey.revocationSignatures = [...this.revocationSignatures];\n    return subkey;\n  }\n\n  /**\n   * Checks if a binding signature of a subkey is revoked\n   * @param {SignaturePacket} signature - The binding signature to verify\n   * @param  {PublicSubkeyPacket|\n   *          SecretSubkeyPacket|\n   *          PublicKeyPacket|\n   *          SecretKeyPacket} key, optional The key to verify the signature\n   * @param {Date} [date] - Use the given date for verification instead of the current time\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Boolean>} True if the binding signature is revoked.\n   * @async\n   */\n  async isRevoked(signature, key, date = new Date(), config = defaultConfig) {\n    const primaryKey = this.mainKey.keyPacket;\n    return helper.isDataRevoked(\n      primaryKey, enums.signature.subkeyRevocation, {\n        key: primaryKey,\n        bind: this.keyPacket\n      }, this.revocationSignatures, signature, key, date, config\n    );\n  }\n\n  /**\n   * Verify subkey. Checks for revocation signatures, expiration time\n   * and valid binding signature.\n   * @param {Date} date - Use the given date instead of the current time\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<SignaturePacket>}\n   * @throws {Error}           if the subkey is invalid.\n   * @async\n   */\n  async verify(date = new Date(), config = defaultConfig) {\n    const primaryKey = this.mainKey.keyPacket;\n    const dataToVerify = { key: primaryKey, bind: this.keyPacket };\n    // check subkey binding signatures\n    const bindingSignature = await helper.getLatestValidSignature(this.bindingSignatures, primaryKey, enums.signature.subkeyBinding, dataToVerify, date, config);\n    // check binding signature is not revoked\n    if (bindingSignature.revoked || await this.isRevoked(bindingSignature, null, date, config)) {\n      throw new Error('Subkey is revoked');\n    }\n    // check for expiration time\n    if (helper.isDataExpired(this.keyPacket, bindingSignature, date)) {\n      throw new Error('Subkey is expired');\n    }\n    return bindingSignature;\n  }\n\n  /**\n   * Returns the expiration time of the subkey or Infinity if key does not expire.\n   * Returns null if the subkey is invalid.\n   * @param {Date} date - Use the given date instead of the current time\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Date | Infinity | null>}\n   * @async\n   */\n  async getExpirationTime(date = new Date(), config = defaultConfig) {\n    const primaryKey = this.mainKey.keyPacket;\n    const dataToVerify = { key: primaryKey, bind: this.keyPacket };\n    let bindingSignature;\n    try {\n      bindingSignature = await helper.getLatestValidSignature(this.bindingSignatures, primaryKey, enums.signature.subkeyBinding, dataToVerify, date, config);\n    } catch (e) {\n      return null;\n    }\n    const keyExpiry = helper.getKeyExpirationTime(this.keyPacket, bindingSignature);\n    const sigExpiry = bindingSignature.getExpirationTime();\n    return keyExpiry < sigExpiry ? keyExpiry : sigExpiry;\n  }\n\n  /**\n   * Update subkey with new components from specified subkey\n   * @param {Subkey} subkey - Source subkey to merge\n   * @param {Date} [date] - Date to verify validity of signatures\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @throws {Error} if update failed\n   * @async\n   */\n  async update(subkey, date = new Date(), config = defaultConfig) {\n    const primaryKey = this.mainKey.keyPacket;\n    if (!this.hasSameFingerprintAs(subkey)) {\n      throw new Error('Subkey update method: fingerprints of subkeys not equal');\n    }\n    // key packet\n    if (this.keyPacket.constructor.tag === enums.packet.publicSubkey &&\n        subkey.keyPacket.constructor.tag === enums.packet.secretSubkey) {\n      this.keyPacket = subkey.keyPacket;\n    }\n    // update missing binding signatures\n    const that = this;\n    const dataToVerify = { key: primaryKey, bind: that.keyPacket };\n    await helper.mergeSignatures(subkey, this, 'bindingSignatures', date, async function(srcBindSig) {\n      for (let i = 0; i < that.bindingSignatures.length; i++) {\n        if (that.bindingSignatures[i].issuerKeyID.equals(srcBindSig.issuerKeyID)) {\n          if (srcBindSig.created > that.bindingSignatures[i].created) {\n            that.bindingSignatures[i] = srcBindSig;\n          }\n          return false;\n        }\n      }\n      try {\n        await srcBindSig.verify(primaryKey, enums.signature.subkeyBinding, dataToVerify, date, undefined, config);\n        return true;\n      } catch (e) {\n        return false;\n      }\n    });\n    // revocation signatures\n    await helper.mergeSignatures(subkey, this, 'revocationSignatures', date, function(srcRevSig) {\n      return helper.isDataRevoked(primaryKey, enums.signature.subkeyRevocation, dataToVerify, [srcRevSig], undefined, undefined, date, config);\n    });\n  }\n\n  /**\n   * Revokes the subkey\n   * @param {SecretKeyPacket} primaryKey - decrypted private primary key for revocation\n   * @param {Object} reasonForRevocation - optional, object indicating the reason for revocation\n   * @param  {module:enums.reasonForRevocation} reasonForRevocation.flag optional, flag indicating the reason for revocation\n   * @param  {String} reasonForRevocation.string optional, string explaining the reason for revocation\n   * @param {Date} date - optional, override the creationtime of the revocation signature\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Subkey>} New subkey with revocation signature.\n   * @async\n   */\n  async revoke(\n    primaryKey,\n    {\n      flag: reasonForRevocationFlag = enums.reasonForRevocation.noReason,\n      string: reasonForRevocationString = ''\n    } = {},\n    date = new Date(),\n    config = defaultConfig\n  ) {\n    const dataToSign = { key: primaryKey, bind: this.keyPacket };\n    const subkey = new Subkey(this.keyPacket, this.mainKey);\n    subkey.revocationSignatures.push(await helper.createSignaturePacket(dataToSign, [], primaryKey, {\n      signatureType: enums.signature.subkeyRevocation,\n      reasonForRevocationFlag: enums.write(enums.reasonForRevocation, reasonForRevocationFlag),\n      reasonForRevocationString\n    }, date, undefined, undefined, false, config));\n    await subkey.update(this);\n    return subkey;\n  }\n\n  hasSameFingerprintAs(other) {\n    return this.keyPacket.hasSameFingerprintAs(other.keyPacket || other);\n  }\n}\n\n['getKeyID', 'getFingerprint', 'getAlgorithmInfo', 'getCreationTime', 'isDecrypted'].forEach(name => {\n  Subkey.prototype[name] =\n    function() {\n      return this.keyPacket[name]();\n    };\n});\n\nexport default Subkey;\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport { armor, unarmor } from '../encoding/armor';\nimport {\n  PacketList,\n  SignaturePacket\n} from '../packet';\nimport defaultConfig from '../config';\nimport enums from '../enums';\nimport util from '../util';\nimport User from './user';\nimport Subkey from './subkey';\nimport * as helper from './helper';\nimport { UnparseablePacket } from '../packet/packet';\n\n// A key revocation certificate can contain the following packets\nconst allowedRevocationPackets = /*#__PURE__*/ util.constructAllowedPackets([SignaturePacket]);\nconst mainKeyPacketTags = new Set([enums.packet.publicKey, enums.packet.privateKey]);\nconst keyPacketTags = new Set([\n  enums.packet.publicKey, enums.packet.privateKey,\n  enums.packet.publicSubkey, enums.packet.privateSubkey\n]);\n\n/**\n * Abstract class that represents an OpenPGP key. Must contain a primary key.\n * Can contain additional subkeys, signatures, user ids, user attributes.\n * @borrows PublicKeyPacket#getKeyID as Key#getKeyID\n * @borrows PublicKeyPacket#getFingerprint as Key#getFingerprint\n * @borrows PublicKeyPacket#hasSameFingerprintAs as Key#hasSameFingerprintAs\n * @borrows PublicKeyPacket#getAlgorithmInfo as Key#getAlgorithmInfo\n * @borrows PublicKeyPacket#getCreationTime as Key#getCreationTime\n */\nclass Key {\n  /**\n   * Transforms packetlist to structured key data\n   * @param {PacketList} packetlist - The packets that form a key\n   * @param {Set<enums.packet>} disallowedPackets - disallowed packet tags\n   */\n  packetListToStructure(packetlist, disallowedPackets = new Set()) {\n    let user;\n    let primaryKeyID;\n    let subkey;\n    let ignoreUntil;\n\n    for (const packet of packetlist) {\n\n      if (packet instanceof UnparseablePacket) {\n        const isUnparseableKeyPacket = keyPacketTags.has(packet.tag);\n        if (isUnparseableKeyPacket && !ignoreUntil) {\n          // Since non-key packets apply to the preceding key packet, if a (sub)key is Unparseable we must\n          // discard all non-key packets that follow, until another (sub)key packet is found.\n          if (mainKeyPacketTags.has(packet.tag)) {\n            ignoreUntil = mainKeyPacketTags;\n          } else {\n            ignoreUntil = keyPacketTags;\n          }\n        }\n        continue;\n      }\n\n      const tag = packet.constructor.tag;\n      if (ignoreUntil) {\n        if (!ignoreUntil.has(tag)) continue;\n        ignoreUntil = null;\n      }\n      if (disallowedPackets.has(tag)) {\n        throw new Error(`Unexpected packet type: ${tag}`);\n      }\n      switch (tag) {\n        case enums.packet.publicKey:\n        case enums.packet.secretKey:\n          if (this.keyPacket) {\n            throw new Error('Key block contains multiple keys');\n          }\n          this.keyPacket = packet;\n          primaryKeyID = this.getKeyID();\n          if (!primaryKeyID) {\n            throw new Error('Missing Key ID');\n          }\n          break;\n        case enums.packet.userID:\n        case enums.packet.userAttribute:\n          user = new User(packet, this);\n          this.users.push(user);\n          break;\n        case enums.packet.publicSubkey:\n        case enums.packet.secretSubkey:\n          user = null;\n          subkey = new Subkey(packet, this);\n          this.subkeys.push(subkey);\n          break;\n        case enums.packet.signature:\n          switch (packet.signatureType) {\n            case enums.signature.certGeneric:\n            case enums.signature.certPersona:\n            case enums.signature.certCasual:\n            case enums.signature.certPositive:\n              if (!user) {\n                util.printDebug('Dropping certification signatures without preceding user packet');\n                continue;\n              }\n              if (packet.issuerKeyID.equals(primaryKeyID)) {\n                user.selfCertifications.push(packet);\n              } else {\n                user.otherCertifications.push(packet);\n              }\n              break;\n            case enums.signature.certRevocation:\n              if (user) {\n                user.revocationSignatures.push(packet);\n              } else {\n                this.directSignatures.push(packet);\n              }\n              break;\n            case enums.signature.key:\n              this.directSignatures.push(packet);\n              break;\n            case enums.signature.subkeyBinding:\n              if (!subkey) {\n                util.printDebug('Dropping subkey binding signature without preceding subkey packet');\n                continue;\n              }\n              subkey.bindingSignatures.push(packet);\n              break;\n            case enums.signature.keyRevocation:\n              this.revocationSignatures.push(packet);\n              break;\n            case enums.signature.subkeyRevocation:\n              if (!subkey) {\n                util.printDebug('Dropping subkey revocation signature without preceding subkey packet');\n                continue;\n              }\n              subkey.revocationSignatures.push(packet);\n              break;\n          }\n          break;\n      }\n    }\n  }\n\n  /**\n   * Transforms structured key data to packetlist\n   * @returns {PacketList} The packets that form a key.\n   */\n  toPacketList() {\n    const packetlist = new PacketList();\n    packetlist.push(this.keyPacket);\n    packetlist.push(...this.revocationSignatures);\n    packetlist.push(...this.directSignatures);\n    this.users.map(user => packetlist.push(...user.toPacketList()));\n    this.subkeys.map(subkey => packetlist.push(...subkey.toPacketList()));\n    return packetlist;\n  }\n\n  /**\n   * Clones the key object. The copy is shallow, as it references the same packet objects as the original. However, if the top-level API is used, the two key instances are effectively independent.\n   * @param {Boolean} [clonePrivateParams=false] Only relevant for private keys: whether the secret key paramenters should be deeply copied. This is needed if e.g. `encrypt()` is to be called either on the clone or the original key.\n   * @returns {Promise<Key>} Clone of the key.\n   */\n  clone(clonePrivateParams = false) {\n    const key = new this.constructor(this.toPacketList());\n    if (clonePrivateParams) {\n      key.getKeys().forEach(k => {\n        // shallow clone the key packets\n        k.keyPacket = Object.create(\n          Object.getPrototypeOf(k.keyPacket),\n          Object.getOwnPropertyDescriptors(k.keyPacket)\n        );\n        if (!k.keyPacket.isDecrypted()) return;\n        // deep clone the private params, which are cleared during encryption\n        const privateParams = {};\n        Object.keys(k.keyPacket.privateParams).forEach(name => {\n          privateParams[name] = new Uint8Array(k.keyPacket.privateParams[name]);\n        });\n        k.keyPacket.privateParams = privateParams;\n      });\n    }\n    return key;\n  }\n\n  /**\n   * Returns an array containing all public or private subkeys matching keyID;\n   * If no keyID is given, returns all subkeys.\n   * @param {type/keyID} [keyID] - key ID to look for\n   * @returns {Array<Subkey>} array of subkeys\n   */\n  getSubkeys(keyID = null) {\n    const subkeys = this.subkeys.filter(subkey => (\n      !keyID || subkey.getKeyID().equals(keyID, true)\n    ));\n    return subkeys;\n  }\n\n  /**\n   * Returns an array containing all public or private keys matching keyID.\n   * If no keyID is given, returns all keys, starting with the primary key.\n   * @param {type/keyid~KeyID} [keyID] - key ID to look for\n   * @returns {Array<Key|Subkey>} array of keys\n   */\n  getKeys(keyID = null) {\n    const keys = [];\n    if (!keyID || this.getKeyID().equals(keyID, true)) {\n      keys.push(this);\n    }\n    return keys.concat(this.getSubkeys(keyID));\n  }\n\n  /**\n   * Returns key IDs of all keys\n   * @returns {Array<module:type/keyid~KeyID>}\n   */\n  getKeyIDs() {\n    return this.getKeys().map(key => key.getKeyID());\n  }\n\n  /**\n   * Returns userIDs\n   * @returns {Array<string>} Array of userIDs.\n   */\n  getUserIDs() {\n    return this.users.map(user => {\n      return user.userID ? user.userID.userID : null;\n    }).filter(userID => userID !== null);\n  }\n\n  /**\n   * Returns binary encoded key\n   * @returns {Uint8Array} Binary key.\n   */\n  write() {\n    return this.toPacketList().write();\n  }\n\n  /**\n   * Returns last created key or key by given keyID that is available for signing and verification\n   * @param  {module:type/keyid~KeyID} [keyID] - key ID of a specific key to retrieve\n   * @param  {Date} [date] - use the fiven date date to  to check key validity instead of the current date\n   * @param  {Object} [userID] - filter keys for the given user ID\n   * @param  {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Key|Subkey>} signing key\n   * @throws if no valid signing key was found\n   * @async\n   */\n  async getSigningKey(keyID = null, date = new Date(), userID = {}, config = defaultConfig) {\n    await this.verifyPrimaryKey(date, userID, config);\n    const primaryKey = this.keyPacket;\n    try {\n      helper.checkKeyRequirements(primaryKey, config);\n    } catch (err) {\n      throw util.wrapError('Could not verify primary key', err);\n    }\n    const subkeys = this.subkeys.slice().sort((a, b) => b.keyPacket.created - a.keyPacket.created);\n    let exception;\n    for (const subkey of subkeys) {\n      if (!keyID || subkey.getKeyID().equals(keyID)) {\n        try {\n          await subkey.verify(date, config);\n          const dataToVerify = { key: primaryKey, bind: subkey.keyPacket };\n          const bindingSignature = await helper.getLatestValidSignature(\n            subkey.bindingSignatures, primaryKey, enums.signature.subkeyBinding, dataToVerify, date, config\n          );\n          if (!helper.validateSigningKeyPacket(subkey.keyPacket, bindingSignature, config)) {\n            continue;\n          }\n          if (!bindingSignature.embeddedSignature) {\n            throw new Error('Missing embedded signature');\n          }\n          // verify embedded signature\n          await helper.getLatestValidSignature(\n            [bindingSignature.embeddedSignature], subkey.keyPacket, enums.signature.keyBinding, dataToVerify, date, config\n          );\n          helper.checkKeyRequirements(subkey.keyPacket, config);\n          return subkey;\n        } catch (e) {\n          exception = e;\n        }\n      }\n    }\n\n    try {\n      const selfCertification = await this.getPrimarySelfSignature(date, userID, config);\n      if ((!keyID || primaryKey.getKeyID().equals(keyID)) &&\n          helper.validateSigningKeyPacket(primaryKey, selfCertification, config)) {\n        helper.checkKeyRequirements(primaryKey, config);\n        return this;\n      }\n    } catch (e) {\n      exception = e;\n    }\n    throw util.wrapError('Could not find valid signing key packet in key ' + this.getKeyID().toHex(), exception);\n  }\n\n  /**\n   * Returns last created key or key by given keyID that is available for encryption or decryption\n   * @param  {module:type/keyid~KeyID} [keyID] - key ID of a specific key to retrieve\n   * @param  {Date}   [date] - use the fiven date date to  to check key validity instead of the current date\n   * @param  {Object} [userID] - filter keys for the given user ID\n   * @param  {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Key|Subkey>} encryption key\n   * @throws if no valid encryption key was found\n   * @async\n   */\n  async getEncryptionKey(keyID, date = new Date(), userID = {}, config = defaultConfig) {\n    await this.verifyPrimaryKey(date, userID, config);\n    const primaryKey = this.keyPacket;\n    try {\n      helper.checkKeyRequirements(primaryKey, config);\n    } catch (err) {\n      throw util.wrapError('Could not verify primary key', err);\n    }\n    // V4: by convention subkeys are preferred for encryption service\n    const subkeys = this.subkeys.slice().sort((a, b) => b.keyPacket.created - a.keyPacket.created);\n    let exception;\n    for (const subkey of subkeys) {\n      if (!keyID || subkey.getKeyID().equals(keyID)) {\n        try {\n          await subkey.verify(date, config);\n          const dataToVerify = { key: primaryKey, bind: subkey.keyPacket };\n          const bindingSignature = await helper.getLatestValidSignature(subkey.bindingSignatures, primaryKey, enums.signature.subkeyBinding, dataToVerify, date, config);\n          if (helper.validateEncryptionKeyPacket(subkey.keyPacket, bindingSignature, config)) {\n            helper.checkKeyRequirements(subkey.keyPacket, config);\n            return subkey;\n          }\n        } catch (e) {\n          exception = e;\n        }\n      }\n    }\n\n    try {\n      // if no valid subkey for encryption, evaluate primary key\n      const selfCertification = await this.getPrimarySelfSignature(date, userID, config);\n      if ((!keyID || primaryKey.getKeyID().equals(keyID)) &&\n          helper.validateEncryptionKeyPacket(primaryKey, selfCertification, config)) {\n        helper.checkKeyRequirements(primaryKey, config);\n        return this;\n      }\n    } catch (e) {\n      exception = e;\n    }\n    throw util.wrapError('Could not find valid encryption key packet in key ' + this.getKeyID().toHex(), exception);\n  }\n\n  /**\n   * Checks if a signature on a key is revoked\n   * @param {SignaturePacket} signature - The signature to verify\n   * @param  {PublicSubkeyPacket|\n   *          SecretSubkeyPacket|\n   *          PublicKeyPacket|\n   *          SecretKeyPacket} key, optional The key to verify the signature\n   * @param {Date} [date] - Use the given date for verification, instead of the current time\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Boolean>} True if the certificate is revoked.\n   * @async\n   */\n  async isRevoked(signature, key, date = new Date(), config = defaultConfig) {\n    return helper.isDataRevoked(\n      this.keyPacket, enums.signature.keyRevocation, { key: this.keyPacket }, this.revocationSignatures, signature, key, date, config\n    );\n  }\n\n  /**\n   * Verify primary key. Checks for revocation signatures, expiration time\n   * and valid self signature. Throws if the primary key is invalid.\n   * @param {Date} [date] - Use the given date for verification instead of the current time\n   * @param {Object} [userID] - User ID\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @throws {Error} If key verification failed\n   * @async\n   */\n  async verifyPrimaryKey(date = new Date(), userID = {}, config = defaultConfig) {\n    const primaryKey = this.keyPacket;\n    // check for key revocation signatures\n    if (await this.isRevoked(null, null, date, config)) {\n      throw new Error('Primary key is revoked');\n    }\n    // check for valid, unrevoked, unexpired self signature\n    const selfCertification = await this.getPrimarySelfSignature(date, userID, config);\n    // check for expiration time in binding signatures\n    if (helper.isDataExpired(primaryKey, selfCertification, date)) {\n      throw new Error('Primary key is expired');\n    }\n    if (primaryKey.version !== 6) {\n      // check for expiration time in direct signatures (for V6 keys, the above already did so)\n      const directSignature = await helper.getLatestValidSignature(\n        this.directSignatures, primaryKey, enums.signature.key, { key: primaryKey }, date, config\n      ).catch(() => {}); // invalid signatures are discarded, to avoid breaking the key\n\n      if (directSignature && helper.isDataExpired(primaryKey, directSignature, date)) {\n        throw new Error('Primary key is expired');\n      }\n    }\n  }\n\n  /**\n   * Returns the expiration date of the primary key, considering self-certifications and direct-key signatures.\n   * Returns `Infinity` if the key doesn't expire, or `null` if the key is revoked or invalid.\n   * @param  {Object} [userID] - User ID to consider instead of the primary user\n   * @param  {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Date | Infinity | null>}\n   * @async\n   */\n  async getExpirationTime(userID, config = defaultConfig) {\n    let primaryKeyExpiry;\n    try {\n      const selfCertification = await this.getPrimarySelfSignature(null, userID, config);\n      const selfSigKeyExpiry = helper.getKeyExpirationTime(this.keyPacket, selfCertification);\n      const selfSigExpiry = selfCertification.getExpirationTime();\n      const directSignature = this.keyPacket.version !== 6 && // For V6 keys, the above already returns the direct-key signature.\n        await helper.getLatestValidSignature(\n          this.directSignatures, this.keyPacket, enums.signature.key, { key: this.keyPacket }, null, config\n        ).catch(() => {});\n      if (directSignature) {\n        const directSigKeyExpiry = helper.getKeyExpirationTime(this.keyPacket, directSignature);\n        // We do not support the edge case where the direct signature expires, since it would invalidate the corresponding key expiration,\n        // causing a discountinous validy period for the key\n        primaryKeyExpiry = Math.min(selfSigKeyExpiry, selfSigExpiry, directSigKeyExpiry);\n      } else {\n        primaryKeyExpiry = selfSigKeyExpiry < selfSigExpiry ? selfSigKeyExpiry : selfSigExpiry;\n      }\n    } catch (e) {\n      primaryKeyExpiry = null;\n    }\n\n    return util.normalizeDate(primaryKeyExpiry);\n  }\n\n\n  /**\n   * For V4 keys, returns the self-signature of the primary user.\n   * For V5 keys, returns the latest valid direct-key self-signature.\n   * This self-signature is to be used to check the key expiration,\n   * algorithm preferences, and so on.\n   * @param {Date} [date] - Use the given date for verification instead of the current time\n   * @param {Object} [userID] - User ID to get instead of the primary user for V4 keys, if it exists\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<SignaturePacket>} The primary self-signature\n   * @async\n   */\n  async getPrimarySelfSignature(date = new Date(), userID = {}, config = defaultConfig) {\n    const primaryKey = this.keyPacket;\n    if (primaryKey.version === 6) {\n      return helper.getLatestValidSignature(\n        this.directSignatures, primaryKey, enums.signature.key, { key: primaryKey }, date, config\n      );\n    }\n    const { selfCertification } = await this.getPrimaryUser(date, userID, config);\n    return selfCertification;\n  }\n\n  /**\n   * Returns primary user and most significant (latest valid) self signature\n   * - if multiple primary users exist, returns the one with the latest self signature\n   * - otherwise, returns the user with the latest self signature\n   * @param {Date} [date] - Use the given date for verification instead of the current time\n   * @param {Object} [userID] - User ID to get instead of the primary user, if it exists\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<{\n   *   user: User,\n   *   selfCertification: SignaturePacket\n   * }>} The primary user and the self signature\n   * @async\n   */\n  async getPrimaryUser(date = new Date(), userID = {}, config = defaultConfig) {\n    const primaryKey = this.keyPacket;\n    const users = [];\n    let exception;\n    for (let i = 0; i < this.users.length; i++) {\n      try {\n        const user = this.users[i];\n        if (!user.userID) {\n          continue;\n        }\n        if (\n          (userID.name !== undefined && user.userID.name !== userID.name) ||\n          (userID.email !== undefined && user.userID.email !== userID.email) ||\n          (userID.comment !== undefined && user.userID.comment !== userID.comment)\n        ) {\n          throw new Error('Could not find user that matches that user ID');\n        }\n        const dataToVerify = { userID: user.userID, key: primaryKey };\n        const selfCertification = await helper.getLatestValidSignature(user.selfCertifications, primaryKey, enums.signature.certGeneric, dataToVerify, date, config);\n        users.push({ index: i, user, selfCertification });\n      } catch (e) {\n        exception = e;\n      }\n    }\n    if (!users.length) {\n      // eslint-disable-next-line @typescript-eslint/no-throw-literal\n      throw exception || new Error('Could not find primary user');\n    }\n    await Promise.all(users.map(async function (a) {\n      return a.selfCertification.revoked || a.user.isRevoked(a.selfCertification, null, date, config);\n    }));\n    // sort by primary user flag and signature creation time\n    const primaryUser = users.sort(function(a, b) {\n      const A = a.selfCertification;\n      const B = b.selfCertification;\n      return B.revoked - A.revoked || A.isPrimaryUserID - B.isPrimaryUserID || A.created - B.created;\n    }).pop();\n    const { user, selfCertification: cert } = primaryUser;\n    if (cert.revoked || await user.isRevoked(cert, null, date, config)) {\n      throw new Error('Primary user is revoked');\n    }\n    return primaryUser;\n  }\n\n  /**\n   * Update key with new components from specified key with same key ID:\n   * users, subkeys, certificates are merged into the destination key,\n   * duplicates and expired signatures are ignored.\n   *\n   * If the source key is a private key and the destination key is public,\n   * a private key is returned.\n   * @param {Key} sourceKey - Source key to merge\n   * @param {Date} [date] - Date to verify validity of signatures and keys\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Key>} updated key\n   * @async\n   */\n  async update(sourceKey, date = new Date(), config = defaultConfig) {\n    if (!this.hasSameFingerprintAs(sourceKey)) {\n      throw new Error('Primary key fingerprints must be equal to update the key');\n    }\n    if (!this.isPrivate() && sourceKey.isPrivate()) {\n      // check for equal subkey packets\n      const equal = (this.subkeys.length === sourceKey.subkeys.length) &&\n            (this.subkeys.every(destSubkey => {\n              return sourceKey.subkeys.some(srcSubkey => {\n                return destSubkey.hasSameFingerprintAs(srcSubkey);\n              });\n            }));\n      if (!equal) {\n        throw new Error('Cannot update public key with private key if subkeys mismatch');\n      }\n\n      return sourceKey.update(this, config);\n    }\n    // from here on, either:\n    // - destination key is private, source key is public\n    // - the keys are of the same type\n    // hence we don't need to convert the destination key type\n    const updatedKey = this.clone();\n    // revocation signatures\n    await helper.mergeSignatures(sourceKey, updatedKey, 'revocationSignatures', date, srcRevSig => {\n      return helper.isDataRevoked(updatedKey.keyPacket, enums.signature.keyRevocation, updatedKey, [srcRevSig], null, sourceKey.keyPacket, date, config);\n    });\n    // direct signatures\n    await helper.mergeSignatures(sourceKey, updatedKey, 'directSignatures', date);\n    // update users\n    await Promise.all(sourceKey.users.map(async srcUser => {\n      // multiple users with the same ID/attribute are not explicitly disallowed by the spec\n      // hence we support them, just in case\n      const usersToUpdate = updatedKey.users.filter(dstUser => (\n        (srcUser.userID && srcUser.userID.equals(dstUser.userID)) ||\n        (srcUser.userAttribute && srcUser.userAttribute.equals(dstUser.userAttribute))\n      ));\n      if (usersToUpdate.length > 0) {\n        await Promise.all(\n          usersToUpdate.map(userToUpdate => userToUpdate.update(srcUser, date, config))\n        );\n      } else {\n        const newUser = srcUser.clone();\n        newUser.mainKey = updatedKey;\n        updatedKey.users.push(newUser);\n      }\n    }));\n    // update subkeys\n    await Promise.all(sourceKey.subkeys.map(async srcSubkey => {\n      // multiple subkeys with same fingerprint might be preset\n      const subkeysToUpdate = updatedKey.subkeys.filter(dstSubkey => (\n        dstSubkey.hasSameFingerprintAs(srcSubkey)\n      ));\n      if (subkeysToUpdate.length > 0) {\n        await Promise.all(\n          subkeysToUpdate.map(subkeyToUpdate => subkeyToUpdate.update(srcSubkey, date, config))\n        );\n      } else {\n        const newSubkey = srcSubkey.clone();\n        newSubkey.mainKey = updatedKey;\n        updatedKey.subkeys.push(newSubkey);\n      }\n    }));\n\n    return updatedKey;\n  }\n\n  /**\n   * Get revocation certificate from a revoked key.\n   *   (To get a revocation certificate for an unrevoked key, call revoke() first.)\n   * @param {Date} date - Use the given date instead of the current time\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<String>} Armored revocation certificate.\n   * @async\n   */\n  async getRevocationCertificate(date = new Date(), config = defaultConfig) {\n    const dataToVerify = { key: this.keyPacket };\n    const revocationSignature = await helper.getLatestValidSignature(this.revocationSignatures, this.keyPacket, enums.signature.keyRevocation, dataToVerify, date, config);\n    const packetlist = new PacketList();\n    packetlist.push(revocationSignature);\n    // An ASCII-armored Transferable Public Key packet sequence of a v6 key MUST NOT contain a CRC24 footer.\n    const emitChecksum = this.keyPacket.version !== 6;\n    return armor(enums.armor.publicKey, packetlist.write(), null, null, 'This is a revocation certificate', emitChecksum, config);\n  }\n\n  /**\n   * Applies a revocation certificate to a key\n   * This adds the first signature packet in the armored text to the key,\n   * if it is a valid revocation signature.\n   * @param {String} revocationCertificate - armored revocation certificate\n   * @param {Date} [date] - Date to verify the certificate\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Key>} Revoked key.\n   * @async\n   */\n  async applyRevocationCertificate(revocationCertificate, date = new Date(), config = defaultConfig) {\n    const input = await unarmor(revocationCertificate, config);\n    const packetlist = await PacketList.fromBinary(input.data, allowedRevocationPackets, config);\n    const revocationSignature = packetlist.findPacket(enums.packet.signature);\n    if (!revocationSignature || revocationSignature.signatureType !== enums.signature.keyRevocation) {\n      throw new Error('Could not find revocation signature packet');\n    }\n    if (!revocationSignature.issuerKeyID.equals(this.getKeyID())) {\n      throw new Error('Revocation signature does not match key');\n    }\n    try {\n      await revocationSignature.verify(this.keyPacket, enums.signature.keyRevocation, { key: this.keyPacket }, date, undefined, config);\n    } catch (e) {\n      throw util.wrapError('Could not verify revocation signature', e);\n    }\n    const key = this.clone();\n    key.revocationSignatures.push(revocationSignature);\n    return key;\n  }\n\n  /**\n   * Signs primary user of key\n   * @param {Array<PrivateKey>} privateKeys - decrypted private keys for signing\n   * @param {Date} [date] - Use the given date for verification instead of the current time\n   * @param {Object} [userID] - User ID to get instead of the primary user, if it exists\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Key>} Key with new certificate signature.\n   * @async\n   */\n  async signPrimaryUser(privateKeys, date, userID, config = defaultConfig) {\n    const { index, user } = await this.getPrimaryUser(date, userID, config);\n    const userSign = await user.certify(privateKeys, date, config);\n    const key = this.clone();\n    key.users[index] = userSign;\n    return key;\n  }\n\n  /**\n   * Signs all users of key\n   * @param {Array<PrivateKey>} privateKeys - decrypted private keys for signing\n   * @param {Date} [date] - Use the given date for signing, instead of the current time\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Key>} Key with new certificate signature.\n   * @async\n   */\n  async signAllUsers(privateKeys, date = new Date(), config = defaultConfig) {\n    const key = this.clone();\n    key.users = await Promise.all(this.users.map(function(user) {\n      return user.certify(privateKeys, date, config);\n    }));\n    return key;\n  }\n\n  /**\n   * Verifies primary user of key\n   * - if no arguments are given, verifies the self certificates;\n   * - otherwise, verifies all certificates signed with given keys.\n   * @param {Array<PublicKey>} [verificationKeys] - array of keys to verify certificate signatures, instead of the primary key\n   * @param {Date} [date] - Use the given date for verification instead of the current time\n   * @param {Object} [userID] - User ID to get instead of the primary user, if it exists\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Array<{\n   *   keyID: module:type/keyid~KeyID,\n   *   valid: Boolean|null\n   * }>>} List of signer's keyID and validity of signature.\n   *      Signature validity is null if the verification keys do not correspond to the certificate.\n   * @async\n   */\n  async verifyPrimaryUser(verificationKeys, date = new Date(), userID, config = defaultConfig) {\n    const primaryKey = this.keyPacket;\n    const { user } = await this.getPrimaryUser(date, userID, config);\n    const results = verificationKeys ?\n      await user.verifyAllCertifications(verificationKeys, date, config) :\n      [{ keyID: primaryKey.getKeyID(), valid: await user.verify(date, config).catch(() => false) }];\n    return results;\n  }\n\n  /**\n   * Verifies all users of key\n   * - if no arguments are given, verifies the self certificates;\n   * - otherwise, verifies all certificates signed with given keys.\n   * @param {Array<PublicKey>} [verificationKeys] - array of keys to verify certificate signatures\n   * @param {Date} [date] - Use the given date for verification instead of the current time\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Array<{\n   *   userID: String,\n   *   keyID: module:type/keyid~KeyID,\n   *   valid: Boolean|null\n   * }>>} List of userID, signer's keyID and validity of signature.\n   *      Signature validity is null if the verification keys do not correspond to the certificate.\n   * @async\n   */\n  async verifyAllUsers(verificationKeys, date = new Date(), config = defaultConfig) {\n    const primaryKey = this.keyPacket;\n    const results = [];\n    await Promise.all(this.users.map(async user => {\n      const signatures = verificationKeys ?\n        await user.verifyAllCertifications(verificationKeys, date, config) :\n        [{ keyID: primaryKey.getKeyID(), valid: await user.verify(date, config).catch(() => false) }];\n\n      results.push(...signatures.map(\n        signature => ({\n          userID: user.userID ? user.userID.userID : null,\n          userAttribute: user.userAttribute,\n          keyID: signature.keyID,\n          valid: signature.valid\n        }))\n      );\n    }));\n    return results;\n  }\n}\n\n['getKeyID', 'getFingerprint', 'getAlgorithmInfo', 'getCreationTime', 'hasSameFingerprintAs'].forEach(name => {\n  Key.prototype[name] =\n  Subkey.prototype[name];\n});\n\nexport default Key;\n","// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport { armor } from '../encoding/armor';\nimport defaultConfig from '../config';\nimport enums from '../enums';\nimport Key from './key';\n\n/**\n * Class that represents an OpenPGP Public Key\n */\nclass PublicKey extends Key {\n  /**\n   * @param {PacketList} packetlist - The packets that form this key\n   */\n  constructor(packetlist) {\n    super();\n    this.keyPacket = null;\n    this.revocationSignatures = [];\n    this.directSignatures = [];\n    this.users = [];\n    this.subkeys = [];\n    if (packetlist) {\n      this.packetListToStructure(packetlist, new Set([enums.packet.secretKey, enums.packet.secretSubkey]));\n      if (!this.keyPacket) {\n        throw new Error('Invalid key: missing public-key packet');\n      }\n    }\n  }\n\n  /**\n   * Returns true if this is a private key\n   * @returns {false}\n   */\n  isPrivate() {\n    return false;\n  }\n\n  /**\n   * Returns key as public key (shallow copy)\n   * @returns {PublicKey} New public Key\n   */\n  toPublic() {\n    return this;\n  }\n\n  /**\n   * Returns ASCII armored text of key\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {ReadableStream<String>} ASCII armor.\n   */\n  armor(config = defaultConfig) {\n    // An ASCII-armored Transferable Public Key packet sequence of a v6 key MUST NOT contain a CRC24 footer.\n    const emitChecksum = this.keyPacket.version !== 6;\n    return armor(enums.armor.publicKey, this.toPacketList().write(), undefined, undefined, undefined, emitChecksum, config);\n  }\n}\n\nexport default PublicKey;\n\n","import PublicKey from './public_key';\nimport { armor } from '../encoding/armor';\nimport {\n  PacketList,\n  PublicKeyPacket,\n  PublicSubkeyPacket\n} from '../packet';\nimport defaultConfig from '../config';\nimport enums from '../enums';\nimport * as helper from './helper';\n\n/**\n * Class that represents an OpenPGP Private key\n */\nclass PrivateKey extends PublicKey {\n  /**\n * @param {PacketList} packetlist - The packets that form this key\n */\n  constructor(packetlist) {\n    super();\n    this.packetListToStructure(packetlist, new Set([enums.packet.publicKey, enums.packet.publicSubkey]));\n    if (!this.keyPacket) {\n      throw new Error('Invalid key: missing private-key packet');\n    }\n  }\n\n  /**\n   * Returns true if this is a private key\n   * @returns {Boolean}\n   */\n  isPrivate() {\n    return true;\n  }\n\n  /**\n   * Returns key as public key (shallow copy)\n   * @returns {PublicKey} New public Key\n   */\n  toPublic() {\n    const packetlist = new PacketList();\n    const keyPackets = this.toPacketList();\n    for (const keyPacket of keyPackets) {\n      switch (keyPacket.constructor.tag) {\n        case enums.packet.secretKey: {\n          const pubKeyPacket = PublicKeyPacket.fromSecretKeyPacket(keyPacket);\n          packetlist.push(pubKeyPacket);\n          break;\n        }\n        case enums.packet.secretSubkey: {\n          const pubSubkeyPacket = PublicSubkeyPacket.fromSecretSubkeyPacket(keyPacket);\n          packetlist.push(pubSubkeyPacket);\n          break;\n        }\n        default:\n          packetlist.push(keyPacket);\n      }\n    }\n    return new PublicKey(packetlist);\n  }\n\n  /**\n   * Returns ASCII armored text of key\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {ReadableStream<String>} ASCII armor.\n   */\n  armor(config = defaultConfig) {\n    // An ASCII-armored Transferable Public Key packet sequence of a v6 key MUST NOT contain a CRC24 footer.\n    const emitChecksum = this.keyPacket.version !== 6;\n    return armor(enums.armor.privateKey, this.toPacketList().write(), undefined, undefined, undefined, emitChecksum, config);\n  }\n\n  /**\n   * Returns all keys that are available for decryption, matching the keyID when given\n   * This is useful to retrieve keys for session key decryption\n   * @param  {module:type/keyid~KeyID} keyID, optional\n   * @param  {Date}              date, optional\n   * @param  {String}            userID, optional\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Array<Key|Subkey>>} Array of decryption keys.\n   * @throws {Error} if no decryption key is found\n   * @async\n   */\n  async getDecryptionKeys(keyID, date = new Date(), userID = {}, config = defaultConfig) {\n    const primaryKey = this.keyPacket;\n    const keys = [];\n    let exception = null;\n    for (let i = 0; i < this.subkeys.length; i++) {\n      if (!keyID || this.subkeys[i].getKeyID().equals(keyID, true)) {\n        if (this.subkeys[i].keyPacket.isDummy()) {\n          exception = exception || new Error('Gnu-dummy key packets cannot be used for decryption');\n          continue;\n        }\n\n        try {\n          const dataToVerify = { key: primaryKey, bind: this.subkeys[i].keyPacket };\n          const bindingSignature = await helper.getLatestValidSignature(this.subkeys[i].bindingSignatures, primaryKey, enums.signature.subkeyBinding, dataToVerify, date, config);\n          if (helper.validateDecryptionKeyPacket(this.subkeys[i].keyPacket, bindingSignature, config)) {\n            keys.push(this.subkeys[i]);\n          }\n        } catch (e) {\n          exception = e;\n        }\n      }\n    }\n\n    // evaluate primary key\n    const selfCertification = await this.getPrimarySelfSignature(date, userID, config);\n    if ((!keyID || primaryKey.getKeyID().equals(keyID, true)) && helper.validateDecryptionKeyPacket(primaryKey, selfCertification, config)) {\n      if (primaryKey.isDummy()) {\n        exception = exception || new Error('Gnu-dummy key packets cannot be used for decryption');\n      } else {\n        keys.push(this);\n      }\n    }\n\n    if (keys.length === 0) {\n      // eslint-disable-next-line @typescript-eslint/no-throw-literal\n      throw exception || new Error('No decryption key packets found');\n    }\n\n    return keys;\n  }\n\n  /**\n   * Returns true if the primary key or any subkey is decrypted.\n   * A dummy key is considered encrypted.\n   */\n  isDecrypted() {\n    return this.getKeys().some(({ keyPacket }) => keyPacket.isDecrypted());\n  }\n\n  /**\n   * Check whether the private and public primary key parameters correspond\n   * Together with verification of binding signatures, this guarantees key integrity\n   * In case of gnu-dummy primary key, it is enough to validate any signing subkeys\n   *   otherwise all encryption subkeys are validated\n   * If only gnu-dummy keys are found, we cannot properly validate so we throw an error\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @throws {Error} if validation was not successful and the key cannot be trusted\n   * @async\n   */\n  async validate(config = defaultConfig) {\n    if (!this.isPrivate()) {\n      throw new Error('Cannot validate a public key');\n    }\n\n    let signingKeyPacket;\n    if (!this.keyPacket.isDummy()) {\n      signingKeyPacket = this.keyPacket;\n    } else {\n      /**\n       * It is enough to validate any signing keys\n       * since its binding signatures are also checked\n       */\n      const signingKey = await this.getSigningKey(null, null, undefined, { ...config, rejectPublicKeyAlgorithms: new Set(), minRSABits: 0 });\n      // This could again be a dummy key\n      if (signingKey && !signingKey.keyPacket.isDummy()) {\n        signingKeyPacket = signingKey.keyPacket;\n      }\n    }\n\n    if (signingKeyPacket) {\n      return signingKeyPacket.validate();\n    } else {\n      const keys = this.getKeys();\n      const allDummies = keys.map(key => key.keyPacket.isDummy()).every(Boolean);\n      if (allDummies) {\n        throw new Error('Cannot validate an all-gnu-dummy key');\n      }\n\n      return Promise.all(keys.map(async key => key.keyPacket.validate()));\n    }\n  }\n\n  /**\n   * Clear private key parameters\n   */\n  clearPrivateParams() {\n    this.getKeys().forEach(({ keyPacket }) => {\n      if (keyPacket.isDecrypted()) {\n        keyPacket.clearPrivateParams();\n      }\n    });\n  }\n\n  /**\n   * Revokes the key\n   * @param {Object} reasonForRevocation - optional, object indicating the reason for revocation\n   * @param  {module:enums.reasonForRevocation} reasonForRevocation.flag optional, flag indicating the reason for revocation\n   * @param  {String} reasonForRevocation.string optional, string explaining the reason for revocation\n   * @param {Date} date - optional, override the creationtime of the revocation signature\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<PrivateKey>} New key with revocation signature.\n   * @async\n   */\n  async revoke(\n    {\n      flag: reasonForRevocationFlag = enums.reasonForRevocation.noReason,\n      string: reasonForRevocationString = ''\n    } = {},\n    date = new Date(),\n    config = defaultConfig\n  ) {\n    if (!this.isPrivate()) {\n      throw new Error('Need private key for revoking');\n    }\n    const dataToSign = { key: this.keyPacket };\n    const key = this.clone();\n    key.revocationSignatures.push(await helper.createSignaturePacket(dataToSign, [], this.keyPacket, {\n      signatureType: enums.signature.keyRevocation,\n      reasonForRevocationFlag: enums.write(enums.reasonForRevocation, reasonForRevocationFlag),\n      reasonForRevocationString\n    }, date, undefined, undefined, undefined, config));\n    return key;\n  }\n\n\n  /**\n   * Generates a new OpenPGP subkey, and returns a clone of the Key object with the new subkey added.\n   * Supports RSA and ECC keys, as well as the newer Curve448 and Curve25519.\n   * Defaults to the algorithm and bit size/curve of the primary key. DSA primary keys default to RSA subkeys.\n   * @param {ecc|rsa|curve25519|curve448} options.type The subkey algorithm: ECC, RSA, Curve448 or Curve25519 (new format).\n   *                                                   Note: Curve448 and Curve25519 are not widely supported yet.\n   * @param {String}  options.curve      (optional) Elliptic curve for ECC keys\n   * @param {Integer} options.rsaBits    (optional) Number of bits for RSA subkeys\n   * @param {Number}  options.keyExpirationTime (optional) Number of seconds from the key creation time after which the key expires\n   * @param {Date}    options.date       (optional) Override the creation date of the key and the key signatures\n   * @param {Boolean} options.sign       (optional) Indicates whether the subkey should sign rather than encrypt. Defaults to false\n   * @param {Object}  options.config     (optional) custom configuration settings to overwrite those in [config]{@link module:config}\n   * @returns {Promise<PrivateKey>}\n   * @async\n   */\n  async addSubkey(options = {}) {\n    const config = { ...defaultConfig, ...options.config };\n    if (options.passphrase) {\n      throw new Error('Subkey could not be encrypted here, please encrypt whole key');\n    }\n    if (options.rsaBits < config.minRSABits) {\n      throw new Error(`rsaBits should be at least ${config.minRSABits}, got: ${options.rsaBits}`);\n    }\n    const secretKeyPacket = this.keyPacket;\n    if (secretKeyPacket.isDummy()) {\n      throw new Error('Cannot add subkey to gnu-dummy primary key');\n    }\n    if (!secretKeyPacket.isDecrypted()) {\n      throw new Error('Key is not decrypted');\n    }\n    const defaultOptions = secretKeyPacket.getAlgorithmInfo();\n    defaultOptions.type = getDefaultSubkeyType(defaultOptions.algorithm);\n    defaultOptions.rsaBits = defaultOptions.bits || 4096;\n    defaultOptions.curve = defaultOptions.curve || 'curve25519Legacy';\n    options = helper.sanitizeKeyOptions(options, defaultOptions);\n    // Every subkey for a v4 primary key MUST be a v4 subkey.\n    // Every subkey for a v6 primary key MUST be a v6 subkey.\n    // For v5 keys, since we dropped generation support, a v4 subkey is added.\n    // The config is always overwritten since we cannot tell if the defaultConfig was changed by the user.\n    const keyPacket = await helper.generateSecretSubkey(options, { ...config, v6Keys: this.keyPacket.version === 6 });\n    helper.checkKeyRequirements(keyPacket, config);\n    const bindingSignature = await helper.createBindingSignature(keyPacket, secretKeyPacket, options, config);\n    const packetList = this.toPacketList();\n    packetList.push(keyPacket, bindingSignature);\n    return new PrivateKey(packetList);\n  }\n}\n\nfunction getDefaultSubkeyType(algoName) {\n  const algo = enums.write(enums.publicKey, algoName);\n  // NB: no encryption-only algos, since they cannot be in primary keys\n  switch (algo) {\n    case enums.publicKey.rsaEncrypt:\n    case enums.publicKey.rsaEncryptSign:\n    case enums.publicKey.rsaSign:\n    case enums.publicKey.dsa:\n      return 'rsa';\n    case enums.publicKey.ecdsa:\n    case enums.publicKey.eddsaLegacy:\n      return 'ecc';\n    case enums.publicKey.ed25519:\n      return 'curve25519';\n    case enums.publicKey.ed448:\n      return 'curve448';\n    default:\n      throw new Error('Unsupported algorithm');\n  }\n}\n\nexport default PrivateKey;\n","// OpenPGP.js - An OpenPGP implementation in javascript\n// Copyright (C) 2015-2016 Decentral\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport {\n  PacketList,\n  UserIDPacket,\n  SignaturePacket,\n  PublicKeyPacket,\n  PublicSubkeyPacket,\n  SecretKeyPacket,\n  SecretSubkeyPacket,\n  UserAttributePacket\n} from '../packet';\nimport PrivateKey from './private_key';\nimport PublicKey from './public_key';\nimport * as helper from './helper';\nimport enums from '../enums';\nimport util from '../util';\nimport defaultConfig from '../config';\nimport { unarmor } from '../encoding/armor';\n\n// A Key can contain the following packets\nconst allowedKeyPackets = /*#__PURE__*/ util.constructAllowedPackets([\n  PublicKeyPacket,\n  PublicSubkeyPacket,\n  SecretKeyPacket,\n  SecretSubkeyPacket,\n  UserIDPacket,\n  UserAttributePacket,\n  SignaturePacket\n]);\n\n/**\n * Creates a PublicKey or PrivateKey depending on the packetlist in input\n * @param {PacketList} - packets to parse\n * @return {Key} parsed key\n * @throws if no key packet was found\n */\nfunction createKey(packetlist) {\n  for (const packet of packetlist) {\n    switch (packet.constructor.tag) {\n      case enums.packet.secretKey:\n        return new PrivateKey(packetlist);\n      case enums.packet.publicKey:\n        return new PublicKey(packetlist);\n    }\n  }\n  throw new Error('No key packet found');\n}\n\n\n/**\n * Generates a new OpenPGP key. Supports RSA and ECC keys, as well as the newer Curve448 and Curve25519 keys.\n * By default, primary and subkeys will be of same type.\n * @param {ecc|rsa|curve448|curve25519} options.type                  The primary key algorithm type: ECC, RSA, Curve448 or Curve25519 (new format).\n * @param {String}  options.curve                 Elliptic curve for ECC keys\n * @param {Integer} options.rsaBits               Number of bits for RSA keys\n * @param {Array<String|Object>} options.userIDs  User IDs as strings or objects: 'Jo Doe <info@jo.com>' or { name:'Jo Doe', email:'info@jo.com' }\n * @param {String}  options.passphrase            Passphrase used to encrypt the resulting private key\n * @param {Number}  options.keyExpirationTime     (optional) Number of seconds from the key creation time after which the key expires\n * @param {Date}    options.date                  Creation date of the key and the key signatures\n * @param {Object} config - Full configuration\n * @param {Array<Object>} options.subkeys         (optional) options for each subkey, default to main key options. e.g. [{sign: true, passphrase: '123'}]\n *                                                  sign parameter defaults to false, and indicates whether the subkey should sign rather than encrypt\n * @returns {Promise<{{ key: PrivateKey, revocationCertificate: String }}>}\n * @async\n * @static\n * @private\n */\nexport async function generate(options, config) {\n  options.sign = true; // primary key is always a signing key\n  options = helper.sanitizeKeyOptions(options);\n  options.subkeys = options.subkeys.map((subkey, index) => helper.sanitizeKeyOptions(options.subkeys[index], options));\n  let promises = [helper.generateSecretKey(options, config)];\n  promises = promises.concat(options.subkeys.map(options => helper.generateSecretSubkey(options, config)));\n  const packets = await Promise.all(promises);\n\n  const key = await wrapKeyObject(packets[0], packets.slice(1), options, config);\n  const revocationCertificate = await key.getRevocationCertificate(options.date, config);\n  key.revocationSignatures = [];\n  return { key, revocationCertificate };\n}\n\n/**\n * Reformats and signs an OpenPGP key with a given User ID. Currently only supports RSA keys.\n * @param {PrivateKey} options.privateKey         The private key to reformat\n * @param {Array<String|Object>} options.userIDs  User IDs as strings or objects: 'Jo Doe <info@jo.com>' or { name:'Jo Doe', email:'info@jo.com' }\n * @param {String} options.passphrase             Passphrase used to encrypt the resulting private key\n * @param {Number} options.keyExpirationTime      Number of seconds from the key creation time after which the key expires\n * @param {Date}   options.date                   Override the creation date of the key signatures\n * @param {Array<Object>} options.subkeys         (optional) options for each subkey, default to main key options. e.g. [{sign: true, passphrase: '123'}]\n * @param {Object} config - Full configuration\n *\n * @returns {Promise<{{ key: PrivateKey, revocationCertificate: String }}>}\n * @async\n * @static\n * @private\n */\nexport async function reformat(options, config) {\n  options = sanitize(options);\n  const { privateKey } = options;\n\n  if (!privateKey.isPrivate()) {\n    throw new Error('Cannot reformat a public key');\n  }\n\n  if (privateKey.keyPacket.isDummy()) {\n    throw new Error('Cannot reformat a gnu-dummy primary key');\n  }\n\n  const isDecrypted = privateKey.getKeys().every(({ keyPacket }) => keyPacket.isDecrypted());\n  if (!isDecrypted) {\n    throw new Error('Key is not decrypted');\n  }\n\n  const secretKeyPacket = privateKey.keyPacket;\n\n  if (!options.subkeys) {\n    options.subkeys = await Promise.all(privateKey.subkeys.map(async subkey => {\n      const secretSubkeyPacket = subkey.keyPacket;\n      const dataToVerify = { key: secretKeyPacket, bind: secretSubkeyPacket };\n      const bindingSignature = await (\n        helper.getLatestValidSignature(subkey.bindingSignatures, secretKeyPacket, enums.signature.subkeyBinding, dataToVerify, null, config)\n      ).catch(() => ({}));\n      return {\n        sign: bindingSignature.keyFlags && (bindingSignature.keyFlags[0] & enums.keyFlags.signData)\n      };\n    }));\n  }\n\n  const secretSubkeyPackets = privateKey.subkeys.map(subkey => subkey.keyPacket);\n  if (options.subkeys.length !== secretSubkeyPackets.length) {\n    throw new Error('Number of subkey options does not match number of subkeys');\n  }\n\n  options.subkeys = options.subkeys.map(subkeyOptions => sanitize(subkeyOptions, options));\n\n  const key = await wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, config);\n  const revocationCertificate = await key.getRevocationCertificate(options.date, config);\n  key.revocationSignatures = [];\n  return { key, revocationCertificate };\n\n  function sanitize(options, subkeyDefaults = {}) {\n    options.keyExpirationTime = options.keyExpirationTime || subkeyDefaults.keyExpirationTime;\n    options.passphrase = util.isString(options.passphrase) ? options.passphrase : subkeyDefaults.passphrase;\n    options.date = options.date || subkeyDefaults.date;\n\n    return options;\n  }\n}\n\n/**\n * Construct PrivateKey object from the given key packets, add certification signatures and set passphrase protection\n * The new key includes a revocation certificate that must be removed before returning the key, otherwise the key is considered revoked.\n * @param {SecretKeyPacket} secretKeyPacket\n * @param {SecretSubkeyPacket} secretSubkeyPackets\n * @param {Object} options\n * @param {Object} config - Full configuration\n * @returns {PrivateKey}\n */\nasync function wrapKeyObject(secretKeyPacket, secretSubkeyPackets, options, config) {\n  // set passphrase protection\n  if (options.passphrase) {\n    await secretKeyPacket.encrypt(options.passphrase, config);\n  }\n\n  await Promise.all(secretSubkeyPackets.map(async function(secretSubkeyPacket, index) {\n    const subkeyPassphrase = options.subkeys[index].passphrase;\n    if (subkeyPassphrase) {\n      await secretSubkeyPacket.encrypt(subkeyPassphrase, config);\n    }\n  }));\n\n  const packetlist = new PacketList();\n  packetlist.push(secretKeyPacket);\n\n  function createPreferredAlgos(algos, preferredAlgo) {\n    return [preferredAlgo, ...algos.filter(algo => algo !== preferredAlgo)];\n  }\n\n  function getKeySignatureProperties() {\n    const signatureProperties = {};\n    signatureProperties.keyFlags = [enums.keyFlags.certifyKeys | enums.keyFlags.signData];\n    const symmetricAlgorithms = createPreferredAlgos([\n      // prefer aes256, aes128, no aes192 (no Web Crypto support in Chrome: https://www.chromium.org/blink/webcrypto#TOC-AES-support)\n      enums.symmetric.aes256,\n      enums.symmetric.aes128\n    ], config.preferredSymmetricAlgorithm);\n    signatureProperties.preferredSymmetricAlgorithms = symmetricAlgorithms;\n    if (config.aeadProtect) {\n      const aeadAlgorithms = createPreferredAlgos([\n        enums.aead.gcm,\n        enums.aead.eax,\n        enums.aead.ocb\n      ], config.preferredAEADAlgorithm);\n      signatureProperties.preferredCipherSuites = aeadAlgorithms.flatMap(aeadAlgorithm => {\n        return symmetricAlgorithms.map(symmetricAlgorithm => {\n          return [symmetricAlgorithm, aeadAlgorithm];\n        });\n      });\n    }\n    signatureProperties.preferredHashAlgorithms = createPreferredAlgos([\n      enums.hash.sha512,\n      enums.hash.sha256,\n      enums.hash.sha3_512,\n      enums.hash.sha3_256\n    ], config.preferredHashAlgorithm);\n    signatureProperties.preferredCompressionAlgorithms = createPreferredAlgos([\n      enums.compression.uncompressed,\n      enums.compression.zlib,\n      enums.compression.zip\n    ], config.preferredCompressionAlgorithm);\n    // integrity protection always enabled\n    signatureProperties.features = [0];\n    signatureProperties.features[0] |= enums.features.modificationDetection;\n    if (config.aeadProtect) {\n      signatureProperties.features[0] |= enums.features.seipdv2;\n    }\n    if (options.keyExpirationTime > 0) {\n      signatureProperties.keyExpirationTime = options.keyExpirationTime;\n      signatureProperties.keyNeverExpires = false;\n    }\n    return signatureProperties;\n  }\n\n  if (secretKeyPacket.version === 6) { // add direct key signature with key prefs\n    const dataToSign = {\n      key: secretKeyPacket\n    };\n\n    const signatureProperties = getKeySignatureProperties();\n    signatureProperties.signatureType = enums.signature.key;\n\n    const signaturePacket = await helper.createSignaturePacket(dataToSign, [], secretKeyPacket, signatureProperties, options.date, undefined, undefined, undefined, config);\n    packetlist.push(signaturePacket);\n  }\n\n  await Promise.all(options.userIDs.map(async function(userID, index) {\n    const userIDPacket = UserIDPacket.fromObject(userID);\n    const dataToSign = {\n      userID: userIDPacket,\n      key: secretKeyPacket\n    };\n    const signatureProperties = secretKeyPacket.version !== 6 ? getKeySignatureProperties() : {};\n    signatureProperties.signatureType = enums.signature.certPositive;\n    if (index === 0) {\n      signatureProperties.isPrimaryUserID = true;\n    }\n\n    const signaturePacket = await helper.createSignaturePacket(dataToSign, [], secretKeyPacket, signatureProperties, options.date, undefined, undefined, undefined, config);\n\n    return { userIDPacket, signaturePacket };\n  })).then(list => {\n    list.forEach(({ userIDPacket, signaturePacket }) => {\n      packetlist.push(userIDPacket);\n      packetlist.push(signaturePacket);\n    });\n  });\n\n  await Promise.all(secretSubkeyPackets.map(async function(secretSubkeyPacket, index) {\n    const subkeyOptions = options.subkeys[index];\n    const subkeySignaturePacket = await helper.createBindingSignature(secretSubkeyPacket, secretKeyPacket, subkeyOptions, config);\n    return { secretSubkeyPacket, subkeySignaturePacket };\n  })).then(packets => {\n    packets.forEach(({ secretSubkeyPacket, subkeySignaturePacket }) => {\n      packetlist.push(secretSubkeyPacket);\n      packetlist.push(subkeySignaturePacket);\n    });\n  });\n\n  // Add revocation signature packet for creating a revocation certificate.\n  // This packet should be removed before returning the key.\n  const dataToSign = { key: secretKeyPacket };\n  packetlist.push(await helper.createSignaturePacket(dataToSign, [], secretKeyPacket, {\n    signatureType: enums.signature.keyRevocation,\n    reasonForRevocationFlag: enums.reasonForRevocation.noReason,\n    reasonForRevocationString: ''\n  }, options.date, undefined, undefined, undefined, config));\n\n  if (options.passphrase) {\n    secretKeyPacket.clearPrivateParams();\n  }\n\n  await Promise.all(secretSubkeyPackets.map(async function(secretSubkeyPacket, index) {\n    const subkeyPassphrase = options.subkeys[index].passphrase;\n    if (subkeyPassphrase) {\n      secretSubkeyPacket.clearPrivateParams();\n    }\n  }));\n\n  return new PrivateKey(packetlist);\n}\n\n/**\n * Reads an (optionally armored) OpenPGP key and returns a key object\n * @param {Object} options\n * @param {String} [options.armoredKey] - Armored key to be parsed\n * @param {Uint8Array} [options.binaryKey] - Binary key to be parsed\n * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}\n * @returns {Promise<Key>} Key object.\n * @async\n * @static\n */\nexport async function readKey({ armoredKey, binaryKey, config, ...rest }) {\n  config = { ...defaultConfig, ...config };\n  if (!armoredKey && !binaryKey) {\n    throw new Error('readKey: must pass options object containing `armoredKey` or `binaryKey`');\n  }\n  if (armoredKey && !util.isString(armoredKey)) {\n    throw new Error('readKey: options.armoredKey must be a string');\n  }\n  if (binaryKey && !util.isUint8Array(binaryKey)) {\n    throw new Error('readKey: options.binaryKey must be a Uint8Array');\n  }\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  let input;\n  if (armoredKey) {\n    const { type, data } = await unarmor(armoredKey, config);\n    if (!(type === enums.armor.publicKey || type === enums.armor.privateKey)) {\n      throw new Error('Armored text not of type key');\n    }\n    input = data;\n  } else {\n    input = binaryKey;\n  }\n  const packetlist = await PacketList.fromBinary(input, allowedKeyPackets, config);\n  const keyIndex = packetlist.indexOfTag(enums.packet.publicKey, enums.packet.secretKey);\n  if (keyIndex.length === 0) {\n    throw new Error('No key packet found');\n  }\n  const firstKeyPacketList = packetlist.slice(keyIndex[0], keyIndex[1]);\n  return createKey(firstKeyPacketList);\n}\n\n/**\n * Reads an (optionally armored) OpenPGP private key and returns a PrivateKey object\n * @param {Object} options\n * @param {String} [options.armoredKey] - Armored key to be parsed\n * @param {Uint8Array} [options.binaryKey] - Binary key to be parsed\n * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}\n * @returns {Promise<PrivateKey>} Key object.\n * @async\n * @static\n */\nexport async function readPrivateKey({ armoredKey, binaryKey, config, ...rest }) {\n  config = { ...defaultConfig, ...config };\n  if (!armoredKey && !binaryKey) {\n    throw new Error('readPrivateKey: must pass options object containing `armoredKey` or `binaryKey`');\n  }\n  if (armoredKey && !util.isString(armoredKey)) {\n    throw new Error('readPrivateKey: options.armoredKey must be a string');\n  }\n  if (binaryKey && !util.isUint8Array(binaryKey)) {\n    throw new Error('readPrivateKey: options.binaryKey must be a Uint8Array');\n  }\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  let input;\n  if (armoredKey) {\n    const { type, data } = await unarmor(armoredKey, config);\n    if (!(type === enums.armor.privateKey)) {\n      throw new Error('Armored text not of type private key');\n    }\n    input = data;\n  } else {\n    input = binaryKey;\n  }\n  const packetlist = await PacketList.fromBinary(input, allowedKeyPackets, config);\n  const keyIndex = packetlist.indexOfTag(enums.packet.publicKey, enums.packet.secretKey);\n  for (let i = 0; i < keyIndex.length; i++) {\n    if (packetlist[keyIndex[i]].constructor.tag === enums.packet.publicKey) {\n      continue;\n    }\n    const firstPrivateKeyList = packetlist.slice(keyIndex[i], keyIndex[i + 1]);\n    return new PrivateKey(firstPrivateKeyList);\n  }\n  throw new Error('No secret key packet found');\n}\n\n/**\n * Reads an (optionally armored) OpenPGP key block and returns a list of key objects\n * @param {Object} options\n * @param {String} [options.armoredKeys] - Armored keys to be parsed\n * @param {Uint8Array} [options.binaryKeys] - Binary keys to be parsed\n * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}\n * @returns {Promise<Array<Key>>} Key objects.\n * @async\n * @static\n */\nexport async function readKeys({ armoredKeys, binaryKeys, config, ...rest }) {\n  config = { ...defaultConfig, ...config };\n  let input = armoredKeys || binaryKeys;\n  if (!input) {\n    throw new Error('readKeys: must pass options object containing `armoredKeys` or `binaryKeys`');\n  }\n  if (armoredKeys && !util.isString(armoredKeys)) {\n    throw new Error('readKeys: options.armoredKeys must be a string');\n  }\n  if (binaryKeys && !util.isUint8Array(binaryKeys)) {\n    throw new Error('readKeys: options.binaryKeys must be a Uint8Array');\n  }\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  if (armoredKeys) {\n    const { type, data } = await unarmor(armoredKeys, config);\n    if (type !== enums.armor.publicKey && type !== enums.armor.privateKey) {\n      throw new Error('Armored text not of type key');\n    }\n    input = data;\n  }\n  const keys = [];\n  const packetlist = await PacketList.fromBinary(input, allowedKeyPackets, config);\n  const keyIndex = packetlist.indexOfTag(enums.packet.publicKey, enums.packet.secretKey);\n  if (keyIndex.length === 0) {\n    throw new Error('No key packet found');\n  }\n  for (let i = 0; i < keyIndex.length; i++) {\n    const oneKeyList = packetlist.slice(keyIndex[i], keyIndex[i + 1]);\n    const newKey = createKey(oneKeyList);\n    keys.push(newKey);\n  }\n  return keys;\n}\n\n/**\n * Reads an (optionally armored) OpenPGP private key block and returns a list of PrivateKey objects\n * @param {Object} options\n * @param {String} [options.armoredKeys] - Armored keys to be parsed\n * @param {Uint8Array} [options.binaryKeys] - Binary keys to be parsed\n * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}\n * @returns {Promise<Array<PrivateKey>>} Key objects.\n * @async\n * @static\n */\nexport async function readPrivateKeys({ armoredKeys, binaryKeys, config }) {\n  config = { ...defaultConfig, ...config };\n  let input = armoredKeys || binaryKeys;\n  if (!input) {\n    throw new Error('readPrivateKeys: must pass options object containing `armoredKeys` or `binaryKeys`');\n  }\n  if (armoredKeys && !util.isString(armoredKeys)) {\n    throw new Error('readPrivateKeys: options.armoredKeys must be a string');\n  }\n  if (binaryKeys && !util.isUint8Array(binaryKeys)) {\n    throw new Error('readPrivateKeys: options.binaryKeys must be a Uint8Array');\n  }\n  if (armoredKeys) {\n    const { type, data } = await unarmor(armoredKeys, config);\n    if (type !== enums.armor.privateKey) {\n      throw new Error('Armored text not of type private key');\n    }\n    input = data;\n  }\n  const keys = [];\n  const packetlist = await PacketList.fromBinary(input, allowedKeyPackets, config);\n  const keyIndex = packetlist.indexOfTag(enums.packet.publicKey, enums.packet.secretKey);\n  for (let i = 0; i < keyIndex.length; i++) {\n    if (packetlist[keyIndex[i]].constructor.tag === enums.packet.publicKey) {\n      continue;\n    }\n    const oneKeyList = packetlist.slice(keyIndex[i], keyIndex[i + 1]);\n    const newKey = new PrivateKey(oneKeyList);\n    keys.push(newKey);\n  }\n  if (keys.length === 0) {\n    throw new Error('No secret key packet found');\n  }\n  return keys;\n}\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport { isArrayStream, cancel as streamCancel, readToEnd as streamReadToEnd, fromAsync as streamFromAsync, transformPair as streamTransformPair, getWriter as streamGetWriter, getReader as streamGetReader } from '@openpgp/web-stream-tools';\nimport { armor, unarmor } from './encoding/armor';\nimport { Argon2OutOfMemoryError } from './type/s2k';\nimport defaultConfig from './config';\nimport { generateSessionKey } from './crypto';\nimport enums from './enums';\nimport util from './util';\nimport { Signature } from './signature';\nimport { getPreferredCipherSuite, createSignaturePacket } from './key';\nimport {\n  PacketList,\n  LiteralDataPacket,\n  CompressedDataPacket,\n  AEADEncryptedDataPacket,\n  SymEncryptedIntegrityProtectedDataPacket,\n  SymmetricallyEncryptedDataPacket,\n  PublicKeyEncryptedSessionKeyPacket,\n  SymEncryptedSessionKeyPacket,\n  OnePassSignaturePacket,\n  SignaturePacket\n} from './packet';\n\n// A Message can contain the following packets\nconst allowedMessagePackets = /*#__PURE__*/ util.constructAllowedPackets([\n  LiteralDataPacket,\n  CompressedDataPacket,\n  AEADEncryptedDataPacket,\n  SymEncryptedIntegrityProtectedDataPacket,\n  SymmetricallyEncryptedDataPacket,\n  PublicKeyEncryptedSessionKeyPacket,\n  SymEncryptedSessionKeyPacket,\n  OnePassSignaturePacket,\n  SignaturePacket\n]);\n// A SKESK packet can contain the following packets\nconst allowedSymSessionKeyPackets = /*#__PURE__*/ util.constructAllowedPackets([SymEncryptedSessionKeyPacket]);\n// A detached signature can contain the following packets\nconst allowedDetachedSignaturePackets = /*#__PURE__*/ util.constructAllowedPackets([SignaturePacket]);\n\n/**\n * Class that represents an OpenPGP message.\n * Can be an encrypted message, signed message, compressed message or literal message\n * See {@link https://tools.ietf.org/html/rfc4880#section-11.3}\n */\nexport class Message {\n  /**\n   * @param {PacketList} packetlist - The packets that form this message\n   */\n  constructor(packetlist) {\n    this.packets = packetlist || new PacketList();\n  }\n\n  /**\n   * Returns the key IDs of the keys to which the session key is encrypted\n   * @returns {Array<module:type/keyid~KeyID>} Array of keyID objects.\n   */\n  getEncryptionKeyIDs() {\n    const keyIDs = [];\n    const pkESKeyPacketlist = this.packets.filterByTag(enums.packet.publicKeyEncryptedSessionKey);\n    pkESKeyPacketlist.forEach(function(packet) {\n      keyIDs.push(packet.publicKeyID);\n    });\n    return keyIDs;\n  }\n\n  /**\n   * Returns the key IDs of the keys that signed the message\n   * @returns {Array<module:type/keyid~KeyID>} Array of keyID objects.\n   */\n  getSigningKeyIDs() {\n    const msg = this.unwrapCompressed();\n    // search for one pass signatures\n    const onePassSigList = msg.packets.filterByTag(enums.packet.onePassSignature);\n    if (onePassSigList.length > 0) {\n      return onePassSigList.map(packet => packet.issuerKeyID);\n    }\n    // if nothing found look for signature packets\n    const signatureList = msg.packets.filterByTag(enums.packet.signature);\n    return signatureList.map(packet => packet.issuerKeyID);\n  }\n\n  /**\n   * Decrypt the message. Either a private key, a session key, or a password must be specified.\n   * @param {Array<PrivateKey>} [decryptionKeys] - Private keys with decrypted secret data\n   * @param {Array<String>} [passwords] - Passwords used to decrypt\n   * @param {Array<Object>} [sessionKeys] - Session keys in the form: { data:Uint8Array, algorithm:String, [aeadAlgorithm:String] }\n   * @param {Date} [date] - Use the given date for key verification instead of the current time\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Message>} New message with decrypted content.\n   * @async\n   */\n  async decrypt(decryptionKeys, passwords, sessionKeys, date = new Date(), config = defaultConfig) {\n    const symEncryptedPacketlist = this.packets.filterByTag(\n      enums.packet.symmetricallyEncryptedData,\n      enums.packet.symEncryptedIntegrityProtectedData,\n      enums.packet.aeadEncryptedData\n    );\n\n    if (symEncryptedPacketlist.length === 0) {\n      throw new Error('No encrypted data found');\n    }\n\n    const symEncryptedPacket = symEncryptedPacketlist[0];\n    const expectedSymmetricAlgorithm = symEncryptedPacket.cipherAlgorithm;\n\n    const sessionKeyObjects = sessionKeys || await this.decryptSessionKeys(decryptionKeys, passwords, expectedSymmetricAlgorithm, date, config);\n\n    let exception = null;\n    const decryptedPromise = Promise.all(sessionKeyObjects.map(async ({ algorithm: algorithmName, data }) => {\n      if (!util.isUint8Array(data) || (!symEncryptedPacket.cipherAlgorithm && !util.isString(algorithmName))) {\n        throw new Error('Invalid session key for decryption.');\n      }\n\n      try {\n        const algo = symEncryptedPacket.cipherAlgorithm || enums.write(enums.symmetric, algorithmName);\n        await symEncryptedPacket.decrypt(algo, data, config);\n      } catch (e) {\n        util.printDebugError(e);\n        exception = e;\n      }\n    }));\n    // We don't await stream.cancel here because it only returns when the other copy is canceled too.\n    streamCancel(symEncryptedPacket.encrypted); // Don't keep copy of encrypted data in memory.\n    symEncryptedPacket.encrypted = null;\n    await decryptedPromise;\n\n    if (!symEncryptedPacket.packets || !symEncryptedPacket.packets.length) {\n      throw exception || new Error('Decryption failed.');\n    }\n\n    const resultMsg = new Message(symEncryptedPacket.packets);\n    symEncryptedPacket.packets = new PacketList(); // remove packets after decryption\n\n    return resultMsg;\n  }\n\n  /**\n   * Decrypt encrypted session keys either with private keys or passwords.\n   * @param {Array<PrivateKey>} [decryptionKeys] - Private keys with decrypted secret data\n   * @param {Array<String>} [passwords] - Passwords used to decrypt\n   * @param {enums.symmetric} [expectedSymmetricAlgorithm] - The symmetric algorithm the SEIPDv2 / AEAD packet is encrypted with (if applicable)\n   * @param {Date} [date] - Use the given date for key verification, instead of current time\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Array<{\n   *   data: Uint8Array,\n   *   algorithm: String\n   * }>>} array of object with potential sessionKey, algorithm pairs\n   * @async\n   */\n  async decryptSessionKeys(decryptionKeys, passwords, expectedSymmetricAlgorithm, date = new Date(), config = defaultConfig) {\n    let decryptedSessionKeyPackets = [];\n\n    let exception;\n    if (passwords) {\n      const skeskPackets = this.packets.filterByTag(enums.packet.symEncryptedSessionKey);\n      if (skeskPackets.length === 0) {\n        throw new Error('No symmetrically encrypted session key packet found.');\n      }\n      await Promise.all(passwords.map(async function(password, i) {\n        let packets;\n        if (i) {\n          packets = await PacketList.fromBinary(skeskPackets.write(), allowedSymSessionKeyPackets, config);\n        } else {\n          packets = skeskPackets;\n        }\n        await Promise.all(packets.map(async function(skeskPacket) {\n          try {\n            await skeskPacket.decrypt(password);\n            decryptedSessionKeyPackets.push(skeskPacket);\n          } catch (err) {\n            util.printDebugError(err);\n            if (err instanceof Argon2OutOfMemoryError) {\n              exception = err;\n            }\n          }\n        }));\n      }));\n    } else if (decryptionKeys) {\n      const pkeskPackets = this.packets.filterByTag(enums.packet.publicKeyEncryptedSessionKey);\n      if (pkeskPackets.length === 0) {\n        throw new Error('No public key encrypted session key packet found.');\n      }\n      await Promise.all(pkeskPackets.map(async function(pkeskPacket) {\n        await Promise.all(decryptionKeys.map(async function(decryptionKey) {\n          let decryptionKeyPackets;\n          try {\n            // do not check key expiration to allow decryption of old messages\n            decryptionKeyPackets = (await decryptionKey.getDecryptionKeys(pkeskPacket.publicKeyID, null, undefined, config)).map(key => key.keyPacket);\n          } catch (err) {\n            exception = err;\n            return;\n          }\n\n          let algos = [\n            enums.symmetric.aes256, // Old OpenPGP.js default fallback\n            enums.symmetric.aes128, // RFC4880bis fallback\n            enums.symmetric.tripledes, // RFC4880 fallback\n            enums.symmetric.cast5 // Golang OpenPGP fallback\n          ];\n          try {\n            const selfCertification = await decryptionKey.getPrimarySelfSignature(date, undefined, config); // TODO: Pass userID from somewhere.\n            if (selfCertification.preferredSymmetricAlgorithms) {\n              algos = algos.concat(selfCertification.preferredSymmetricAlgorithms);\n            }\n          } catch (e) {}\n\n          await Promise.all(decryptionKeyPackets.map(async function(decryptionKeyPacket) {\n            if (!decryptionKeyPacket.isDecrypted()) {\n              throw new Error('Decryption key is not decrypted.');\n            }\n\n            // To hinder CCA attacks against PKCS1, we carry out a constant-time decryption flow if the `constantTimePKCS1Decryption` config option is set.\n            const doConstantTimeDecryption = config.constantTimePKCS1Decryption && (\n              pkeskPacket.publicKeyAlgorithm === enums.publicKey.rsaEncrypt ||\n              pkeskPacket.publicKeyAlgorithm === enums.publicKey.rsaEncryptSign ||\n              pkeskPacket.publicKeyAlgorithm === enums.publicKey.rsaSign ||\n              pkeskPacket.publicKeyAlgorithm === enums.publicKey.elgamal\n            );\n\n            if (doConstantTimeDecryption) {\n              // The goal is to not reveal whether PKESK decryption (specifically the PKCS1 decoding step) failed, hence, we always proceed to decrypt the message,\n              // either with the successfully decrypted session key, or with a randomly generated one.\n              // Since the SEIP/AEAD's symmetric algorithm and key size are stored in the encrypted portion of the PKESK, and the execution flow cannot depend on\n              // the decrypted payload, we always assume the message to be encrypted with one of the symmetric algorithms specified in `config.constantTimePKCS1DecryptionSupportedSymmetricAlgorithms`:\n              // - If the PKESK decryption succeeds, and the session key cipher is in the supported set, then we try to decrypt the data with the decrypted session key as well as with the\n              // randomly generated keys of the remaining key types.\n              // - If the PKESK decryptions fails, or if it succeeds but support for the cipher is not enabled, then we discard the session key and try to decrypt the data using only the randomly\n              // generated session keys.\n              // NB: as a result, if the data is encrypted with a non-suported cipher, decryption will always fail.\n\n              const serialisedPKESK = pkeskPacket.write(); // make copies to be able to decrypt the PKESK packet multiple times\n              await Promise.all((\n                expectedSymmetricAlgorithm ?\n                  [expectedSymmetricAlgorithm] :\n                  Array.from(config.constantTimePKCS1DecryptionSupportedSymmetricAlgorithms)\n              ).map(async sessionKeyAlgorithm => {\n                const pkeskPacketCopy = new PublicKeyEncryptedSessionKeyPacket();\n                pkeskPacketCopy.read(serialisedPKESK);\n                const randomSessionKey = {\n                  sessionKeyAlgorithm,\n                  sessionKey: generateSessionKey(sessionKeyAlgorithm)\n                };\n                try {\n                  await pkeskPacketCopy.decrypt(decryptionKeyPacket, randomSessionKey);\n                  decryptedSessionKeyPackets.push(pkeskPacketCopy);\n                } catch (err) {\n                  // `decrypt` can still throw some non-security-sensitive errors\n                  util.printDebugError(err);\n                  exception = err;\n                }\n              }));\n\n            } else {\n              try {\n                await pkeskPacket.decrypt(decryptionKeyPacket);\n                const symmetricAlgorithm = expectedSymmetricAlgorithm || pkeskPacket.sessionKeyAlgorithm;\n                if (symmetricAlgorithm && !algos.includes(enums.write(enums.symmetric, symmetricAlgorithm))) {\n                  throw new Error('A non-preferred symmetric algorithm was used.');\n                }\n                decryptedSessionKeyPackets.push(pkeskPacket);\n              } catch (err) {\n                util.printDebugError(err);\n                exception = err;\n              }\n            }\n          }));\n        }));\n        streamCancel(pkeskPacket.encrypted); // Don't keep copy of encrypted data in memory.\n        pkeskPacket.encrypted = null;\n      }));\n    } else {\n      throw new Error('No key or password specified.');\n    }\n\n    if (decryptedSessionKeyPackets.length > 0) {\n      // Return only unique session keys\n      if (decryptedSessionKeyPackets.length > 1) {\n        const seen = new Set();\n        decryptedSessionKeyPackets = decryptedSessionKeyPackets.filter(item => {\n          const k = item.sessionKeyAlgorithm + util.uint8ArrayToString(item.sessionKey);\n          if (seen.has(k)) {\n            return false;\n          }\n          seen.add(k);\n          return true;\n        });\n      }\n\n      return decryptedSessionKeyPackets.map(packet => ({\n        data: packet.sessionKey,\n        algorithm: packet.sessionKeyAlgorithm && enums.read(enums.symmetric, packet.sessionKeyAlgorithm)\n      }));\n    }\n    throw exception || new Error('Session key decryption failed.');\n  }\n\n  /**\n   * Get literal data that is the body of the message\n   * @returns {(Uint8Array|null)} Literal body of the message as Uint8Array.\n   */\n  getLiteralData() {\n    const msg = this.unwrapCompressed();\n    const literal = msg.packets.findPacket(enums.packet.literalData);\n    return (literal && literal.getBytes()) || null;\n  }\n\n  /**\n   * Get filename from literal data packet\n   * @returns {(String|null)} Filename of literal data packet as string.\n   */\n  getFilename() {\n    const msg = this.unwrapCompressed();\n    const literal = msg.packets.findPacket(enums.packet.literalData);\n    return (literal && literal.getFilename()) || null;\n  }\n\n  /**\n   * Get literal data as text\n   * @returns {(String|null)} Literal body of the message interpreted as text.\n   */\n  getText() {\n    const msg = this.unwrapCompressed();\n    const literal = msg.packets.findPacket(enums.packet.literalData);\n    if (literal) {\n      return literal.getText();\n    }\n    return null;\n  }\n\n  /**\n   * Generate a new session key object, taking the algorithm preferences of the passed encryption keys into account, if any.\n   * @param {Array<PublicKey>} [encryptionKeys] - Public key(s) to select algorithm preferences for\n   * @param {Date} [date] - Date to select algorithm preferences at\n   * @param {Array<Object>} [userIDs] - User IDs to select algorithm preferences for\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<{ data: Uint8Array, algorithm: String, aeadAlgorithm: undefined|String }>} Object with session key data and algorithms.\n   * @async\n   */\n  static async generateSessionKey(encryptionKeys = [], date = new Date(), userIDs = [], config = defaultConfig) {\n    const { symmetricAlgo, aeadAlgo } = await getPreferredCipherSuite(encryptionKeys, date, userIDs, config);\n    const symmetricAlgoName = enums.read(enums.symmetric, symmetricAlgo);\n    const aeadAlgoName = aeadAlgo ? enums.read(enums.aead, aeadAlgo) : undefined;\n\n    await Promise.all(encryptionKeys.map(key => key.getEncryptionKey()\n      .catch(() => null) // ignore key strength requirements\n      .then(maybeKey => {\n        if (maybeKey && (maybeKey.keyPacket.algorithm === enums.publicKey.x25519 || maybeKey.keyPacket.algorithm === enums.publicKey.x448) &&\n          !aeadAlgoName && !util.isAES(symmetricAlgo)) { // if AEAD is defined, then PKESK v6 are used, and the algo info is encrypted\n          throw new Error('Could not generate a session key compatible with the given `encryptionKeys`: X22519 and X448 keys can only be used to encrypt AES session keys; change `config.preferredSymmetricAlgorithm` accordingly.');\n        }\n      })\n    ));\n\n    const sessionKeyData = generateSessionKey(symmetricAlgo);\n    return { data: sessionKeyData, algorithm: symmetricAlgoName, aeadAlgorithm: aeadAlgoName };\n  }\n\n  /**\n   * Encrypt the message either with public keys, passwords, or both at once.\n   * @param {Array<PublicKey>} [encryptionKeys] - Public key(s) for message encryption\n   * @param {Array<String>} [passwords] - Password(s) for message encryption\n   * @param {Object} [sessionKey] - Session key in the form: { data:Uint8Array, algorithm:String, [aeadAlgorithm:String] }\n   * @param {Boolean} [wildcard] - Use a key ID of 0 instead of the public key IDs\n   * @param {Array<module:type/keyid~KeyID>} [encryptionKeyIDs] - Array of key IDs to use for encryption. Each encryptionKeyIDs[i] corresponds to keys[i]\n   * @param {Date} [date] - Override the creation date of the literal package\n   * @param {Array<Object>} [userIDs] - User IDs to encrypt for, e.g. [{ name:'Robert Receiver', email:'robert@openpgp.org' }]\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Message>} New message with encrypted content.\n   * @async\n   */\n  async encrypt(encryptionKeys, passwords, sessionKey, wildcard = false, encryptionKeyIDs = [], date = new Date(), userIDs = [], config = defaultConfig) {\n    if (sessionKey) {\n      if (!util.isUint8Array(sessionKey.data) || !util.isString(sessionKey.algorithm)) {\n        throw new Error('Invalid session key for encryption.');\n      }\n    } else if (encryptionKeys && encryptionKeys.length) {\n      sessionKey = await Message.generateSessionKey(encryptionKeys, date, userIDs, config);\n    } else if (passwords && passwords.length) {\n      sessionKey = await Message.generateSessionKey(undefined, undefined, undefined, config);\n    } else {\n      throw new Error('No keys, passwords, or session key provided.');\n    }\n\n    const { data: sessionKeyData, algorithm: algorithmName, aeadAlgorithm: aeadAlgorithmName } = sessionKey;\n\n    const msg = await Message.encryptSessionKey(sessionKeyData, algorithmName, aeadAlgorithmName, encryptionKeys, passwords, wildcard, encryptionKeyIDs, date, userIDs, config);\n\n    const symEncryptedPacket = SymEncryptedIntegrityProtectedDataPacket.fromObject({\n      version: aeadAlgorithmName ? 2 : 1,\n      aeadAlgorithm: aeadAlgorithmName ? enums.write(enums.aead, aeadAlgorithmName) : null\n    });\n    symEncryptedPacket.packets = this.packets;\n\n    const algorithm = enums.write(enums.symmetric, algorithmName);\n    await symEncryptedPacket.encrypt(algorithm, sessionKeyData, config);\n\n    msg.packets.push(symEncryptedPacket);\n    symEncryptedPacket.packets = new PacketList(); // remove packets after encryption\n    return msg;\n  }\n\n  /**\n   * Encrypt a session key either with public keys, passwords, or both at once.\n   * @param {Uint8Array} sessionKey - session key for encryption\n   * @param {String} algorithmName - session key algorithm\n   * @param {String} [aeadAlgorithmName] - AEAD algorithm, e.g. 'eax' or 'ocb'\n   * @param {Array<PublicKey>} [encryptionKeys] - Public key(s) for message encryption\n   * @param {Array<String>} [passwords] - For message encryption\n   * @param {Boolean} [wildcard] - Use a key ID of 0 instead of the public key IDs\n   * @param {Array<module:type/keyid~KeyID>} [encryptionKeyIDs] - Array of key IDs to use for encryption. Each encryptionKeyIDs[i] corresponds to encryptionKeys[i]\n   * @param {Date} [date] - Override the date\n   * @param {Array} [userIDs] - User IDs to encrypt for, e.g. [{ name:'Robert Receiver', email:'robert@openpgp.org' }]\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Message>} New message with encrypted content.\n   * @async\n   */\n  static async encryptSessionKey(sessionKey, algorithmName, aeadAlgorithmName, encryptionKeys, passwords, wildcard = false, encryptionKeyIDs = [], date = new Date(), userIDs = [], config = defaultConfig) {\n    const packetlist = new PacketList();\n    const symmetricAlgorithm = enums.write(enums.symmetric, algorithmName);\n    const aeadAlgorithm = aeadAlgorithmName && enums.write(enums.aead, aeadAlgorithmName);\n\n    if (encryptionKeys) {\n      const results = await Promise.all(encryptionKeys.map(async function(primaryKey, i) {\n        const encryptionKey = await primaryKey.getEncryptionKey(encryptionKeyIDs[i], date, userIDs, config);\n\n        const pkESKeyPacket = PublicKeyEncryptedSessionKeyPacket.fromObject({\n          version: aeadAlgorithm ? 6 : 3,\n          encryptionKeyPacket: encryptionKey.keyPacket,\n          anonymousRecipient: wildcard,\n          sessionKey,\n          sessionKeyAlgorithm: symmetricAlgorithm\n        });\n\n        await pkESKeyPacket.encrypt(encryptionKey.keyPacket);\n        delete pkESKeyPacket.sessionKey; // delete plaintext session key after encryption\n        return pkESKeyPacket;\n      }));\n      packetlist.push(...results);\n    }\n    if (passwords) {\n      const testDecrypt = async function(keyPacket, password) {\n        try {\n          await keyPacket.decrypt(password);\n          return 1;\n        } catch (e) {\n          return 0;\n        }\n      };\n\n      const sum = (accumulator, currentValue) => accumulator + currentValue;\n\n      const encryptPassword = async function(sessionKey, algorithm, aeadAlgorithm, password) {\n        const symEncryptedSessionKeyPacket = new SymEncryptedSessionKeyPacket(config);\n        symEncryptedSessionKeyPacket.sessionKey = sessionKey;\n        symEncryptedSessionKeyPacket.sessionKeyAlgorithm = algorithm;\n        if (aeadAlgorithm) {\n          symEncryptedSessionKeyPacket.aeadAlgorithm = aeadAlgorithm;\n        }\n        await symEncryptedSessionKeyPacket.encrypt(password, config);\n\n        if (config.passwordCollisionCheck) {\n          const results = await Promise.all(passwords.map(pwd => testDecrypt(symEncryptedSessionKeyPacket, pwd)));\n          if (results.reduce(sum) !== 1) {\n            return encryptPassword(sessionKey, algorithm, password);\n          }\n        }\n\n        delete symEncryptedSessionKeyPacket.sessionKey; // delete plaintext session key after encryption\n        return symEncryptedSessionKeyPacket;\n      };\n\n      const results = await Promise.all(passwords.map(pwd => encryptPassword(sessionKey, symmetricAlgorithm, aeadAlgorithm, pwd)));\n      packetlist.push(...results);\n    }\n\n    return new Message(packetlist);\n  }\n\n  /**\n   * Sign the message (the literal data packet of the message)\n   * @param {Array<PrivateKey>} signingKeys - private keys with decrypted secret key data for signing\n   * @param {Array<Key>} recipientKeys - recipient keys to get the signing preferences from\n   * @param {Signature} [signature] - Any existing detached signature to add to the message\n   * @param {Array<module:type/keyid~KeyID>} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i]\n   * @param {Date} [date] - Override the creation time of the signature\n   * @param {Array<UserID>} [signingUserIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]\n   * @param {Array<UserID>} [recipientUserIDs] - User IDs associated with `recipientKeys` to get the signing preferences from\n   * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Message>} New message with signed content.\n   * @async\n   */\n  async sign(signingKeys = [], recipientKeys = [], signature = null, signingKeyIDs = [], date = new Date(), signingUserIDs = [], recipientUserIDs = [], notations = [], config = defaultConfig) {\n    const packetlist = new PacketList();\n\n    const literalDataPacket = this.packets.findPacket(enums.packet.literalData);\n    if (!literalDataPacket) {\n      throw new Error('No literal data packet to sign.');\n    }\n\n    const signaturePackets = await createSignaturePackets(literalDataPacket, signingKeys, recipientKeys, signature, signingKeyIDs, date, signingUserIDs, recipientUserIDs, notations, false, config); // this returns the existing signature packets as well\n    const onePassSignaturePackets = signaturePackets.map(\n      (signaturePacket, i) => OnePassSignaturePacket.fromSignaturePacket(signaturePacket, i === 0))\n      .reverse(); // innermost OPS refers to the first signature packet\n\n    packetlist.push(...onePassSignaturePackets);\n    packetlist.push(literalDataPacket);\n    packetlist.push(...signaturePackets);\n\n    return new Message(packetlist);\n  }\n\n  /**\n   * Compresses the message (the literal and -if signed- signature data packets of the message)\n   * @param {module:enums.compression} algo - compression algorithm\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Message} New message with compressed content.\n   */\n  compress(algo, config = defaultConfig) {\n    if (algo === enums.compression.uncompressed) {\n      return this;\n    }\n\n    const compressed = new CompressedDataPacket(config);\n    compressed.algorithm = algo;\n    compressed.packets = this.packets;\n\n    const packetList = new PacketList();\n    packetList.push(compressed);\n\n    return new Message(packetList);\n  }\n\n  /**\n   * Create a detached signature for the message (the literal data packet of the message)\n   * @param {Array<PrivateKey>} signingKeys - private keys with decrypted secret key data for signing\n   * @param {Array<Key>} recipientKeys - recipient keys to get the signing preferences from\n   * @param {Signature} [signature] - Any existing detached signature\n   * @param {Array<module:type/keyid~KeyID>} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i]\n   * @param {Date} [date] - Override the creation time of the signature\n   * @param {Array<UserID>} [signingUserIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]\n   * @param {Array<UserID>} [recipientUserIDs] - User IDs associated with `recipientKeys` to get the signing preferences from\n   * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Signature>} New detached signature of message content.\n   * @async\n   */\n  async signDetached(signingKeys = [], recipientKeys = [], signature = null, signingKeyIDs = [], recipientKeyIDs = [], date = new Date(), userIDs = [], notations = [], config = defaultConfig) {\n    const literalDataPacket = this.packets.findPacket(enums.packet.literalData);\n    if (!literalDataPacket) {\n      throw new Error('No literal data packet to sign.');\n    }\n    return new Signature(await createSignaturePackets(literalDataPacket, signingKeys, recipientKeys, signature, signingKeyIDs, recipientKeyIDs, date, userIDs, notations, true, config));\n  }\n\n  /**\n   * Verify message signatures\n   * @param {Array<PublicKey>} verificationKeys - Array of public keys to verify signatures\n   * @param {Date} [date] - Verify the signature against the given date, i.e. check signature creation time < date < expiration time\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Array<{\n   *   keyID: module:type/keyid~KeyID,\n   *   signature: Promise<Signature>,\n   *   verified: Promise<true>\n   * }>>} List of signer's keyID and validity of signatures.\n   * @async\n   */\n  async verify(verificationKeys, date = new Date(), config = defaultConfig) {\n    const msg = this.unwrapCompressed();\n    const literalDataList = msg.packets.filterByTag(enums.packet.literalData);\n    if (literalDataList.length !== 1) {\n      throw new Error('Can only verify message with one literal data packet.');\n    }\n    if (isArrayStream(msg.packets.stream)) {\n      msg.packets.push(...await streamReadToEnd(msg.packets.stream, _ => _ || []));\n    }\n    const onePassSigList = msg.packets.filterByTag(enums.packet.onePassSignature).reverse();\n    const signatureList = msg.packets.filterByTag(enums.packet.signature);\n    if (onePassSigList.length && !signatureList.length && util.isStream(msg.packets.stream) && !isArrayStream(msg.packets.stream)) {\n      await Promise.all(onePassSigList.map(async onePassSig => {\n        onePassSig.correspondingSig = new Promise((resolve, reject) => {\n          onePassSig.correspondingSigResolve = resolve;\n          onePassSig.correspondingSigReject = reject;\n        });\n        onePassSig.signatureData = streamFromAsync(async () => (await onePassSig.correspondingSig).signatureData);\n        onePassSig.hashed = streamReadToEnd(await onePassSig.hash(onePassSig.signatureType, literalDataList[0], undefined, false));\n        onePassSig.hashed.catch(() => {});\n      }));\n      msg.packets.stream = streamTransformPair(msg.packets.stream, async (readable, writable) => {\n        const reader = streamGetReader(readable);\n        const writer = streamGetWriter(writable);\n        try {\n          for (let i = 0; i < onePassSigList.length; i++) {\n            const { value: signature } = await reader.read();\n            onePassSigList[i].correspondingSigResolve(signature);\n          }\n          await reader.readToEnd();\n          await writer.ready;\n          await writer.close();\n        } catch (e) {\n          onePassSigList.forEach(onePassSig => {\n            onePassSig.correspondingSigReject(e);\n          });\n          await writer.abort(e);\n        }\n      });\n      return createVerificationObjects(onePassSigList, literalDataList, verificationKeys, date, false, config);\n    }\n    return createVerificationObjects(signatureList, literalDataList, verificationKeys, date, false, config);\n  }\n\n  /**\n   * Verify detached message signature\n   * @param {Array<PublicKey>} verificationKeys - Array of public keys to verify signatures\n   * @param {Signature} signature\n   * @param {Date} date - Verify the signature against the given date, i.e. check signature creation time < date < expiration time\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Array<{\n   *   keyID: module:type/keyid~KeyID,\n   *   signature: Promise<Signature>,\n   *   verified: Promise<true>\n   * }>>} List of signer's keyID and validity of signature.\n   * @async\n   */\n  verifyDetached(signature, verificationKeys, date = new Date(), config = defaultConfig) {\n    const msg = this.unwrapCompressed();\n    const literalDataList = msg.packets.filterByTag(enums.packet.literalData);\n    if (literalDataList.length !== 1) {\n      throw new Error('Can only verify message with one literal data packet.');\n    }\n    const signatureList = signature.packets.filterByTag(enums.packet.signature); // drop UnparsablePackets\n    return createVerificationObjects(signatureList, literalDataList, verificationKeys, date, true, config);\n  }\n\n  /**\n   * Unwrap compressed message\n   * @returns {Message} Message Content of compressed message.\n   */\n  unwrapCompressed() {\n    const compressed = this.packets.filterByTag(enums.packet.compressedData);\n    if (compressed.length) {\n      return new Message(compressed[0].packets);\n    }\n    return this;\n  }\n\n  /**\n   * Append signature to unencrypted message object\n   * @param {String|Uint8Array} detachedSignature - The detached ASCII-armored or Uint8Array PGP signature\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   */\n  async appendSignature(detachedSignature, config = defaultConfig) {\n    await this.packets.read(\n      util.isUint8Array(detachedSignature) ? detachedSignature : (await unarmor(detachedSignature)).data,\n      allowedDetachedSignaturePackets,\n      config\n    );\n  }\n\n  /**\n   * Returns binary encoded message\n   * @returns {ReadableStream<Uint8Array>} Binary message.\n   */\n  write() {\n    return this.packets.write();\n  }\n\n  /**\n   * Returns ASCII armored text of message\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {ReadableStream<String>} ASCII armor.\n   */\n  armor(config = defaultConfig) {\n    const trailingPacket = this.packets[this.packets.length - 1];\n    // An ASCII-armored Encrypted Message packet sequence that ends in an v2 SEIPD packet MUST NOT contain a CRC24 footer.\n    // An ASCII-armored sequence of Signature packets that only includes v6 Signature packets MUST NOT contain a CRC24 footer.\n    const emitChecksum = trailingPacket.constructor.tag === SymEncryptedIntegrityProtectedDataPacket.tag ?\n      trailingPacket.version !== 2 :\n      this.packets.some(packet => packet.constructor.tag === SignaturePacket.tag && packet.version !== 6);\n    return armor(enums.armor.message, this.write(), null, null, null, emitChecksum, config);\n  }\n}\n\n/**\n * Create signature packets for the message\n * @param {LiteralDataPacket} literalDataPacket - the literal data packet to sign\n * @param {Array<PrivateKey>} [signingKeys] - private keys with decrypted secret key data for signing\n * @param {Array<Key>} [recipientKeys] - recipient keys to get the signing preferences from\n * @param {Signature} [signature] - Any existing detached signature to append\n * @param {Array<module:type/keyid~KeyID>} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i]\n * @param {Date} [date] - Override the creationtime of the signature\n * @param {Array<UserID>} [signingUserIDs] - User IDs to sign to, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]\n * @param {Array<UserID>} [recipientUserIDs] - User IDs associated with `recipientKeys` to get the signing preferences from\n * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]\n * @param {Array} [signatureSalts] - A list of signature salts matching the number of signingKeys that should be used for v6 signatures\n * @param {Boolean} [detached] - Whether to create detached signature packets\n * @param {Object} [config] - Full configuration, defaults to openpgp.config\n * @returns {Promise<PacketList>} List of signature packets.\n * @async\n * @private\n */\nexport async function createSignaturePackets(literalDataPacket, signingKeys, recipientKeys = [], signature = null, signingKeyIDs = [], date = new Date(), signingUserIDs = [], recipientUserIDs = [], notations = [], detached = false, config = defaultConfig) {\n  const packetlist = new PacketList();\n\n  // If data packet was created from Uint8Array, use binary, otherwise use text\n  const signatureType = literalDataPacket.text === null ?\n    enums.signature.binary : enums.signature.text;\n\n  await Promise.all(signingKeys.map(async (primaryKey, i) => {\n    const signingUserID = signingUserIDs[i];\n    if (!primaryKey.isPrivate()) {\n      throw new Error('Need private key for signing');\n    }\n    const signingKey = await primaryKey.getSigningKey(signingKeyIDs[i], date, signingUserID, config);\n    return createSignaturePacket(literalDataPacket, recipientKeys.length ? recipientKeys : [primaryKey], signingKey.keyPacket, { signatureType }, date, recipientUserIDs, notations, detached, config);\n  })).then(signatureList => {\n    packetlist.push(...signatureList);\n  });\n\n  if (signature) {\n    const existingSigPacketlist = signature.packets.filterByTag(enums.packet.signature);\n    packetlist.push(...existingSigPacketlist);\n  }\n  return packetlist;\n}\n\n/**\n * Create object containing signer's keyID and validity of signature\n * @param {SignaturePacket} signature - Signature packet\n * @param {Array<LiteralDataPacket>} literalDataList - Array of literal data packets\n * @param {Array<PublicKey>} verificationKeys - Array of public keys to verify signatures\n * @param {Date} [date] - Check signature validity with respect to the given date\n * @param {Boolean} [detached] - Whether to verify detached signature packets\n * @param {Object} [config] - Full configuration, defaults to openpgp.config\n * @returns {Promise<{\n *   keyID: module:type/keyid~KeyID,\n *   signature: Promise<Signature>,\n *   verified: Promise<true>\n * }>} signer's keyID and validity of signature\n * @async\n * @private\n */\nasync function createVerificationObject(signature, literalDataList, verificationKeys, date = new Date(), detached = false, config = defaultConfig) {\n  let primaryKey;\n  let unverifiedSigningKey;\n\n  for (const key of verificationKeys) {\n    const issuerKeys = key.getKeys(signature.issuerKeyID);\n    if (issuerKeys.length > 0) {\n      primaryKey = key;\n      unverifiedSigningKey = issuerKeys[0];\n      break;\n    }\n  }\n\n  const isOnePassSignature = signature instanceof OnePassSignaturePacket;\n  const signaturePacketPromise = isOnePassSignature ? signature.correspondingSig : signature;\n\n  const verifiedSig = {\n    keyID: signature.issuerKeyID,\n    verified: (async () => {\n      if (!unverifiedSigningKey) {\n        throw new Error(`Could not find signing key with key ID ${signature.issuerKeyID.toHex()}`);\n      }\n\n      await signature.verify(unverifiedSigningKey.keyPacket, signature.signatureType, literalDataList[0], date, detached, config);\n      const signaturePacket = await signaturePacketPromise;\n      if (unverifiedSigningKey.getCreationTime() > signaturePacket.created) {\n        throw new Error('Key is newer than the signature');\n      }\n      // We pass the signature creation time to check whether the key was expired at the time of signing.\n      // We check this after signature verification because for streamed one-pass signatures, the creation time is not available before\n      try {\n        await primaryKey.getSigningKey(unverifiedSigningKey.getKeyID(), signaturePacket.created, undefined, config);\n      } catch (e) {\n        // If a key was reformatted then the self-signatures of the signing key might be in the future compared to the message signature,\n        // making the key invalid at the time of signing.\n        // However, if the key is valid at the given `date`, we still allow using it provided the relevant `config` setting is enabled.\n        // Note: we do not support the edge case of a key that was reformatted and it has expired.\n        if (config.allowInsecureVerificationWithReformattedKeys && e.message.match(/Signature creation time is in the future/)) {\n          await primaryKey.getSigningKey(unverifiedSigningKey.getKeyID(), date, undefined, config);\n        } else {\n          throw e;\n        }\n      }\n      return true;\n    })(),\n    signature: (async () => {\n      const signaturePacket = await signaturePacketPromise;\n      const packetlist = new PacketList();\n      signaturePacket && packetlist.push(signaturePacket);\n      return new Signature(packetlist);\n    })()\n  };\n\n  // Mark potential promise rejections as \"handled\". This is needed because in\n  // some cases, we reject them before the user has a reasonable chance to\n  // handle them (e.g. `await readToEnd(result.data); await result.verified` and\n  // the data stream errors).\n  verifiedSig.signature.catch(() => {});\n  verifiedSig.verified.catch(() => {});\n\n  return verifiedSig;\n}\n\n/**\n * Create list of objects containing signer's keyID and validity of signature\n * @param {Array<SignaturePacket>} signatureList - Array of signature packets\n * @param {Array<LiteralDataPacket>} literalDataList - Array of literal data packets\n * @param {Array<PublicKey>} verificationKeys - Array of public keys to verify signatures\n * @param {Date} date - Verify the signature against the given date,\n *                    i.e. check signature creation time < date < expiration time\n * @param {Boolean} [detached] - Whether to verify detached signature packets\n * @param {Object} [config] - Full configuration, defaults to openpgp.config\n * @returns {Promise<Array<{\n *   keyID: module:type/keyid~KeyID,\n *   signature: Promise<Signature>,\n *   verified: Promise<true>\n * }>>} list of signer's keyID and validity of signatures (one entry per signature packet in input)\n * @async\n * @private\n */\nexport async function createVerificationObjects(signatureList, literalDataList, verificationKeys, date = new Date(), detached = false, config = defaultConfig) {\n  return Promise.all(signatureList.filter(function(signature) {\n    return ['text', 'binary'].includes(enums.read(enums.signature, signature.signatureType));\n  }).map(async function(signature) {\n    return createVerificationObject(signature, literalDataList, verificationKeys, date, detached, config);\n  }));\n}\n\n/**\n * Reads an (optionally armored) OpenPGP message and returns a Message object\n * @param {Object} options\n * @param {String | ReadableStream<String>} [options.armoredMessage] - Armored message to be parsed\n * @param {Uint8Array | ReadableStream<Uint8Array>} [options.binaryMessage] - Binary to be parsed\n * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}\n * @returns {Promise<Message>} New message object.\n * @async\n * @static\n */\nexport async function readMessage({ armoredMessage, binaryMessage, config, ...rest }) {\n  config = { ...defaultConfig, ...config };\n  let input = armoredMessage || binaryMessage;\n  if (!input) {\n    throw new Error('readMessage: must pass options object containing `armoredMessage` or `binaryMessage`');\n  }\n  if (armoredMessage && !util.isString(armoredMessage) && !util.isStream(armoredMessage)) {\n    throw new Error('readMessage: options.armoredMessage must be a string or stream');\n  }\n  if (binaryMessage && !util.isUint8Array(binaryMessage) && !util.isStream(binaryMessage)) {\n    throw new Error('readMessage: options.binaryMessage must be a Uint8Array or stream');\n  }\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  const streamType = util.isStream(input);\n  if (armoredMessage) {\n    const { type, data } = await unarmor(input, config);\n    if (type !== enums.armor.message) {\n      throw new Error('Armored text not of type message');\n    }\n    input = data;\n  }\n  const packetlist = await PacketList.fromBinary(input, allowedMessagePackets, config);\n  const message = new Message(packetlist);\n  message.fromStream = streamType;\n  return message;\n}\n\n/**\n * Creates new message object from text or binary data.\n * @param {Object} options\n * @param {String | ReadableStream<String>} [options.text] - The text message contents\n * @param {Uint8Array | ReadableStream<Uint8Array>} [options.binary] - The binary message contents\n * @param {String} [options.filename=\"\"] - Name of the file (if any)\n * @param {Date} [options.date=current date] - Date of the message, or modification date of the file\n * @param {'utf8'|'binary'|'text'|'mime'} [options.format='utf8' if text is passed, 'binary' otherwise] - Data packet type\n * @returns {Promise<Message>} New message object.\n * @async\n * @static\n */\nexport async function createMessage({ text, binary, filename, date = new Date(), format = text !== undefined ? 'utf8' : 'binary', ...rest }) {\n  const input = text !== undefined ? text : binary;\n  if (input === undefined) {\n    throw new Error('createMessage: must pass options object containing `text` or `binary`');\n  }\n  if (text && !util.isString(text) && !util.isStream(text)) {\n    throw new Error('createMessage: options.text must be a string or stream');\n  }\n  if (binary && !util.isUint8Array(binary) && !util.isStream(binary)) {\n    throw new Error('createMessage: options.binary must be a Uint8Array or stream');\n  }\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  const streamType = util.isStream(input);\n  const literalDataPacket = new LiteralDataPacket(date);\n  if (text !== undefined) {\n    literalDataPacket.setText(input, enums.write(enums.literal, format));\n  } else {\n    literalDataPacket.setBytes(input, enums.write(enums.literal, format));\n  }\n  if (filename !== undefined) {\n    literalDataPacket.setFilename(filename);\n  }\n  const literalDataPacketlist = new PacketList();\n  literalDataPacketlist.push(literalDataPacket);\n  const message = new Message(literalDataPacketlist);\n  message.fromStream = streamType;\n  return message;\n}\n","// GPG4Browsers - An OpenPGP implementation in javascript\n// Copyright (C) 2011 Recurity Labs GmbH\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport { armor, unarmor } from './encoding/armor';\nimport enums from './enums';\nimport util from './util';\nimport { PacketList, LiteralDataPacket, SignaturePacket } from './packet';\nimport { Signature } from './signature';\nimport { createVerificationObjects, createSignaturePackets } from './message';\nimport defaultConfig from './config';\n\n// A Cleartext message can contain the following packets\nconst allowedPackets = /*#__PURE__*/ util.constructAllowedPackets([SignaturePacket]);\n\n/**\n * Class that represents an OpenPGP cleartext signed message.\n * See {@link https://tools.ietf.org/html/rfc4880#section-7}\n */\nexport class CleartextMessage {\n  /**\n   * @param {String} text - The cleartext of the signed message\n   * @param {Signature} signature - The detached signature or an empty signature for unsigned messages\n   */\n  constructor(text, signature) {\n    // remove trailing whitespace and normalize EOL to canonical form <CR><LF>\n    this.text = util.removeTrailingSpaces(text).replace(/\\r?\\n/g, '\\r\\n');\n    if (signature && !(signature instanceof Signature)) {\n      throw new Error('Invalid signature input');\n    }\n    this.signature = signature || new Signature(new PacketList());\n  }\n\n  /**\n   * Returns the key IDs of the keys that signed the cleartext message\n   * @returns {Array<module:type/keyid~KeyID>} Array of keyID objects.\n   */\n  getSigningKeyIDs() {\n    const keyIDs = [];\n    const signatureList = this.signature.packets;\n    signatureList.forEach(function(packet) {\n      keyIDs.push(packet.issuerKeyID);\n    });\n    return keyIDs;\n  }\n\n  /**\n   * Sign the cleartext message\n   * @param {Array<Key>} signingKeys - private keys with decrypted secret key data for signing\n   * @param {Array<Key>} recipientKeys - recipient keys to get the signing preferences from\n   * @param {Signature} [signature] - Any existing detached signature\n   * @param {Array<module:type/keyid~KeyID>} [signingKeyIDs] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to privateKeys[i]\n   * @param {Date} [date] - The creation time of the signature that should be created\n   * @param {Array} [signingKeyIDs] - User IDs to sign with, e.g. [{ name:'Steve Sender', email:'steve@openpgp.org' }]\n   * @param {Array} [recipientUserIDs] - User IDs associated with `recipientKeys` to get the signing preferences from\n   * @param {Array} [notations] - Notation Data to add to the signatures, e.g. [{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<CleartextMessage>} New cleartext message with signed content.\n   * @async\n   */\n  async sign(signingKeys, recipientKeys = [], signature = null, signingKeyIDs = [], date = new Date(), signingUserIDs = [], recipientUserIDs = [], notations = [], config = defaultConfig) {\n    const literalDataPacket = new LiteralDataPacket();\n    literalDataPacket.setText(this.text);\n    const newSignature = new Signature(await createSignaturePackets(literalDataPacket, signingKeys, recipientKeys, signature, signingKeyIDs, date, signingUserIDs, recipientUserIDs, notations, true, config));\n    return new CleartextMessage(this.text, newSignature);\n  }\n\n  /**\n   * Verify signatures of cleartext signed message\n   * @param {Array<Key>} keys - Array of keys to verify signatures\n   * @param {Date} [date] - Verify the signature against the given date, i.e. check signature creation time < date < expiration time\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {Promise<Array<{\n   *   keyID: module:type/keyid~KeyID,\n   *   signature: Promise<Signature>,\n   *   verified: Promise<true>\n   * }>>} List of signer's keyID and validity of signature.\n   * @async\n   */\n  verify(keys, date = new Date(), config = defaultConfig) {\n    const signatureList = this.signature.packets.filterByTag(enums.packet.signature); // drop UnparsablePackets\n    const literalDataPacket = new LiteralDataPacket();\n    // we assume that cleartext signature is generated based on UTF8 cleartext\n    literalDataPacket.setText(this.text);\n    return createVerificationObjects(signatureList, [literalDataPacket], keys, date, true, config);\n  }\n\n  /**\n   * Get cleartext\n   * @returns {String} Cleartext of message.\n   */\n  getText() {\n    // normalize end of line to \\n\n    return this.text.replace(/\\r\\n/g, '\\n');\n  }\n\n  /**\n   * Returns ASCII armored text of cleartext signed message\n   * @param {Object} [config] - Full configuration, defaults to openpgp.config\n   * @returns {String | ReadableStream<String>} ASCII armor.\n   */\n  armor(config = defaultConfig) {\n    // emit header and checksum if one of the signatures has a version not 6\n    const emitHeaderAndChecksum = this.signature.packets.some(packet => packet.version !== 6);\n    const hash = emitHeaderAndChecksum ?\n      Array.from(new Set(this.signature.packets.map(\n        packet => enums.read(enums.hash, packet.hashAlgorithm).toUpperCase()\n      ))).join() :\n      null;\n\n    const body = {\n      hash,\n      text: this.text,\n      data: this.signature.packets.write()\n    };\n\n    // An ASCII-armored sequence of Signature packets that only includes v6 Signature packets MUST NOT contain a CRC24 footer.\n    return armor(enums.armor.signed, body, undefined, undefined, undefined, emitHeaderAndChecksum, config);\n  }\n}\n\n/**\n * Reads an OpenPGP cleartext signed message and returns a CleartextMessage object\n * @param {Object} options\n * @param {String} options.cleartextMessage - Text to be parsed\n * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}\n * @returns {Promise<CleartextMessage>} New cleartext message object.\n * @async\n * @static\n */\nexport async function readCleartextMessage({ cleartextMessage, config, ...rest }) {\n  config = { ...defaultConfig, ...config };\n  if (!cleartextMessage) {\n    throw new Error('readCleartextMessage: must pass options object containing `cleartextMessage`');\n  }\n  if (!util.isString(cleartextMessage)) {\n    throw new Error('readCleartextMessage: options.cleartextMessage must be a string');\n  }\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  const input = await unarmor(cleartextMessage);\n  if (input.type !== enums.armor.signed) {\n    throw new Error('No cleartext signed message.');\n  }\n  const packetlist = await PacketList.fromBinary(input.data, allowedPackets, config);\n  verifyHeaders(input.headers, packetlist);\n  const signature = new Signature(packetlist);\n  return new CleartextMessage(input.text, signature);\n}\n\n/**\n * Compare hash algorithm specified in the armor header with signatures\n * @param {Array<String>} headers - Armor headers\n * @param {PacketList} packetlist - The packetlist with signature packets\n * @private\n */\nfunction verifyHeaders(headers, packetlist) {\n  const checkHashAlgos = function(hashAlgos) {\n    const check = packet => algo => packet.hashAlgorithm === algo;\n\n    for (let i = 0; i < packetlist.length; i++) {\n      if (packetlist[i].constructor.tag === enums.packet.signature && !hashAlgos.some(check(packetlist[i]))) {\n        return false;\n      }\n    }\n    return true;\n  };\n\n  const hashAlgos = [];\n  headers.forEach(header => {\n    const hashHeader = header.match(/^Hash: (.+)$/); // get header value\n    if (hashHeader) {\n      const parsedHashIDs = hashHeader[1]\n        .replace(/\\s/g, '') // remove whitespace\n        .split(',')\n        .map(hashName => {\n          try {\n            return enums.write(enums.hash, hashName.toLowerCase());\n          } catch (e) {\n            throw new Error('Unknown hash algorithm in armor header: ' + hashName.toLowerCase());\n          }\n        });\n      hashAlgos.push(...parsedHashIDs);\n    } else {\n      throw new Error('Only \"Hash\" header allowed in cleartext signed message');\n    }\n  });\n\n  if (hashAlgos.length && !checkHashAlgos(hashAlgos)) {\n    throw new Error('Hash algorithm mismatch in armor header and signature');\n  }\n}\n\n/**\n * Creates a new CleartextMessage object from text\n * @param {Object} options\n * @param {String} options.text\n * @static\n * @async\n */\nexport async function createCleartextMessage({ text, ...rest }) {\n  if (!text) {\n    throw new Error('createCleartextMessage: must pass options object containing `text`');\n  }\n  if (!util.isString(text)) {\n    throw new Error('createCleartextMessage: options.text must be a string');\n  }\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  return new CleartextMessage(text);\n}\n","// OpenPGP.js - An OpenPGP implementation in javascript\n// Copyright (C) 2016 Tankred Hase\n//\n// This library is free software; you can redistribute it and/or\n// modify it under the terms of the GNU Lesser General Public\n// License as published by the Free Software Foundation; either\n// version 3.0 of the License, or (at your option) any later version.\n//\n// This library is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU\n// Lesser General Public License for more details.\n//\n// You should have received a copy of the GNU Lesser General Public\n// License along with this library; if not, write to the Free Software\n// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA\n\nimport { fromAsync as streamFromAsync, concat as streamConcat, transformPair as streamTransformPair, pipe as streamPipe, readToEnd as streamReadToEnd, getWriter as streamGetWriter } from '@openpgp/web-stream-tools';\nimport { Message } from './message';\nimport { CleartextMessage } from './cleartext';\nimport { generate, reformat, getPreferredCompressionAlgo } from './key';\nimport defaultConfig from './config';\nimport util from './util';\nimport { checkKeyRequirements } from './key/helper';\n\n\n//////////////////////\n//                  //\n//   Key handling   //\n//                  //\n//////////////////////\n\n\n/**\n * Generates a new OpenPGP key pair. Supports RSA and ECC keys, as well as the newer Curve448 and Curve25519 keys.\n * By default, primary and subkeys will be of same type.\n * The generated primary key will have signing capabilities. By default, one subkey with encryption capabilities is also generated.\n * @param {Object} options\n * @param {Object|Array<Object>} options.userIDs - User IDs as objects: `{ name: 'Jo Doe', email: 'info@jo.com' }`\n * @param {'ecc'|'rsa'|'curve448'|'curve25519'} [options.type='ecc'] - The primary key algorithm type: ECC (default for v4 keys), RSA, Curve448 or Curve25519 (new format, default for v6 keys).\n *                                                                     Note: Curve448 and Curve25519 (new format) are not widely supported yet.\n * @param {String} [options.passphrase=(not protected)] - The passphrase used to encrypt the generated private key. If omitted or empty, the key won't be encrypted.\n * @param {Number} [options.rsaBits=4096] - Number of bits for RSA keys\n * @param {String} [options.curve='curve25519Legacy'] - Elliptic curve for ECC keys:\n *                                             curve25519Legacy (default), nistP256, nistP384, nistP521, secp256k1,\n *                                             brainpoolP256r1, brainpoolP384r1, or brainpoolP512r1\n * @param {Date} [options.date=current date] - Override the creation date of the key and the key signatures\n * @param {Number} [options.keyExpirationTime=0 (never expires)] - Number of seconds from the key creation time after which the key expires\n * @param {Array<Object>} [options.subkeys=a single encryption subkey] - Options for each subkey e.g. `[{sign: true, passphrase: '123'}]`\n *                                             default to main key options, except for `sign` parameter that defaults to false, and indicates whether the subkey should sign rather than encrypt\n * @param {'armored'|'binary'|'object'} [options.format='armored'] - format of the output keys\n * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}\n * @returns {Promise<Object>} The generated key object in the form:\n *                                     { privateKey:PrivateKey|Uint8Array|String, publicKey:PublicKey|Uint8Array|String, revocationCertificate:String }\n * @async\n * @static\n */\nexport async function generateKey({ userIDs = [], passphrase, type, curve, rsaBits = 4096, keyExpirationTime = 0, date = new Date(), subkeys = [{}], format = 'armored', config, ...rest }) {\n  config = { ...defaultConfig, ...config }; checkConfig(config);\n  if (!type && !curve) {\n    type = config.v6Keys ? 'curve25519' : 'ecc'; // default to new curve25519 for v6 keys (legacy curve25519 cannot be used with them)\n    curve = 'curve25519Legacy'; // unused with type != 'ecc'\n  } else {\n    type = type || 'ecc';\n    curve = curve || 'curve25519Legacy';\n  }\n  userIDs = toArray(userIDs);\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  if (userIDs.length === 0 && !config.v6Keys) {\n    throw new Error('UserIDs are required for V4 keys');\n  }\n  if (type === 'rsa' && rsaBits < config.minRSABits) {\n    throw new Error(`rsaBits should be at least ${config.minRSABits}, got: ${rsaBits}`);\n  }\n\n  const options = { userIDs, passphrase, type, rsaBits, curve, keyExpirationTime, date, subkeys };\n\n  try {\n    const { key, revocationCertificate } = await generate(options, config);\n    key.getKeys().forEach(({ keyPacket }) => checkKeyRequirements(keyPacket, config));\n\n    return {\n      privateKey: formatObject(key, format, config),\n      publicKey: formatObject(key.toPublic(), format, config),\n      revocationCertificate\n    };\n  } catch (err) {\n    throw util.wrapError('Error generating keypair', err);\n  }\n}\n\n/**\n * Reformats signature packets for a key and rewraps key object.\n * @param {Object} options\n * @param {PrivateKey} options.privateKey - Private key to reformat\n * @param {Object|Array<Object>} options.userIDs - User IDs as objects: `{ name: 'Jo Doe', email: 'info@jo.com' }`\n * @param {String} [options.passphrase=(not protected)] - The passphrase used to encrypt the reformatted private key. If omitted or empty, the key won't be encrypted.\n * @param {Number} [options.keyExpirationTime=0 (never expires)] - Number of seconds from the key creation time after which the key expires\n * @param {Date}   [options.date] - Override the creation date of the key signatures. If the key was previously used to sign messages, it is recommended\n *                                  to set the same date as the key creation time to ensure that old message signatures will still be verifiable using the reformatted key.\n * @param {'armored'|'binary'|'object'} [options.format='armored'] - format of the output keys\n * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}\n * @returns {Promise<Object>} The generated key object in the form:\n *                                     { privateKey:PrivateKey|Uint8Array|String, publicKey:PublicKey|Uint8Array|String, revocationCertificate:String }\n * @async\n * @static\n */\nexport async function reformatKey({ privateKey, userIDs = [], passphrase, keyExpirationTime = 0, date, format = 'armored', config, ...rest }) {\n  config = { ...defaultConfig, ...config }; checkConfig(config);\n  userIDs = toArray(userIDs);\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  if (userIDs.length === 0 && privateKey.keyPacket.version !== 6) {\n    throw new Error('UserIDs are required for V4 keys');\n  }\n  const options = { privateKey, userIDs, passphrase, keyExpirationTime, date };\n\n  try {\n    const { key: reformattedKey, revocationCertificate } = await reformat(options, config);\n\n    return {\n      privateKey: formatObject(reformattedKey, format, config),\n      publicKey: formatObject(reformattedKey.toPublic(), format, config),\n      revocationCertificate\n    };\n  } catch (err) {\n    throw util.wrapError('Error reformatting keypair', err);\n  }\n}\n\n/**\n * Revokes a key. Requires either a private key or a revocation certificate.\n *   If a revocation certificate is passed, the reasonForRevocation parameter will be ignored.\n * @param {Object} options\n * @param {Key} options.key - Public or private key to revoke\n * @param {String} [options.revocationCertificate] - Revocation certificate to revoke the key with\n * @param {Object} [options.reasonForRevocation] - Object indicating the reason for revocation\n * @param {module:enums.reasonForRevocation} [options.reasonForRevocation.flag=[noReason]{@link module:enums.reasonForRevocation}] - Flag indicating the reason for revocation\n * @param {String} [options.reasonForRevocation.string=\"\"] - String explaining the reason for revocation\n * @param {Date} [options.date] - Use the given date instead of the current time to verify validity of revocation certificate (if provided), or as creation time of the revocation signature\n * @param {'armored'|'binary'|'object'} [options.format='armored'] - format of the output key(s)\n * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}\n * @returns {Promise<Object>} The revoked key in the form:\n *                              { privateKey:PrivateKey|Uint8Array|String, publicKey:PublicKey|Uint8Array|String } if private key is passed, or\n *                              { privateKey: null, publicKey:PublicKey|Uint8Array|String } otherwise\n * @async\n * @static\n */\nexport async function revokeKey({ key, revocationCertificate, reasonForRevocation, date = new Date(), format = 'armored', config, ...rest }) {\n  config = { ...defaultConfig, ...config }; checkConfig(config);\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  try {\n    const revokedKey = revocationCertificate ?\n      await key.applyRevocationCertificate(revocationCertificate, date, config) :\n      await key.revoke(reasonForRevocation, date, config);\n\n    return revokedKey.isPrivate() ? {\n      privateKey: formatObject(revokedKey, format, config),\n      publicKey: formatObject(revokedKey.toPublic(), format, config)\n    } : {\n      privateKey: null,\n      publicKey: formatObject(revokedKey, format, config)\n    };\n  } catch (err) {\n    throw util.wrapError('Error revoking key', err);\n  }\n}\n\n/**\n * Unlock a private key with the given passphrase.\n * This method does not change the original key.\n * @param {Object} options\n * @param {PrivateKey} options.privateKey - The private key to decrypt\n * @param {String|Array<String>} options.passphrase - The user's passphrase(s)\n * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}\n * @returns {Promise<PrivateKey>} The unlocked key object.\n * @async\n */\nexport async function decryptKey({ privateKey, passphrase, config, ...rest }) {\n  config = { ...defaultConfig, ...config }; checkConfig(config);\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  if (!privateKey.isPrivate()) {\n    throw new Error('Cannot decrypt a public key');\n  }\n  const clonedPrivateKey = privateKey.clone(true);\n  const passphrases = util.isArray(passphrase) ? passphrase : [passphrase];\n\n  try {\n    await Promise.all(clonedPrivateKey.getKeys().map(key => (\n      // try to decrypt each key with any of the given passphrases\n      util.anyPromise(passphrases.map(passphrase => key.keyPacket.decrypt(passphrase)))\n    )));\n\n    await clonedPrivateKey.validate(config);\n    return clonedPrivateKey;\n  } catch (err) {\n    clonedPrivateKey.clearPrivateParams();\n    throw util.wrapError('Error decrypting private key', err);\n  }\n}\n\n/**\n * Lock a private key with the given passphrase.\n * This method does not change the original key.\n * @param {Object} options\n * @param {PrivateKey} options.privateKey - The private key to encrypt\n * @param {String|Array<String>} options.passphrase - If multiple passphrases, they should be in the same order as the packets each should encrypt\n * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}\n * @returns {Promise<PrivateKey>} The locked key object.\n * @async\n */\nexport async function encryptKey({ privateKey, passphrase, config, ...rest }) {\n  config = { ...defaultConfig, ...config }; checkConfig(config);\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  if (!privateKey.isPrivate()) {\n    throw new Error('Cannot encrypt a public key');\n  }\n  const clonedPrivateKey = privateKey.clone(true);\n\n  const keys = clonedPrivateKey.getKeys();\n  const passphrases = util.isArray(passphrase) ? passphrase : new Array(keys.length).fill(passphrase);\n  if (passphrases.length !== keys.length) {\n    throw new Error('Invalid number of passphrases given for key encryption');\n  }\n\n  try {\n    await Promise.all(keys.map(async (key, i) => {\n      const { keyPacket } = key;\n      await keyPacket.encrypt(passphrases[i], config);\n      keyPacket.clearPrivateParams();\n    }));\n    return clonedPrivateKey;\n  } catch (err) {\n    clonedPrivateKey.clearPrivateParams();\n    throw util.wrapError('Error encrypting private key', err);\n  }\n}\n\n\n///////////////////////////////////////////\n//                                       //\n//   Message encryption and decryption   //\n//                                       //\n///////////////////////////////////////////\n\n\n/**\n * Encrypts a message using public keys, passwords or both at once. At least one of `encryptionKeys`, `passwords` or `sessionKeys`\n *   must be specified. If signing keys are specified, those will be used to sign the message.\n * @param {Object} options\n * @param {Message} options.message - Message to be encrypted as created by {@link createMessage}\n * @param {PublicKey|PublicKey[]} [options.encryptionKeys] - Array of keys or single key, used to encrypt the message\n * @param {PrivateKey|PrivateKey[]} [options.signingKeys] - Private keys for signing. If omitted message will not be signed\n * @param {String|String[]} [options.passwords] - Array of passwords or a single password to encrypt the message\n * @param {Object} [options.sessionKey] - Session key in the form: `{ data:Uint8Array, algorithm:String }`\n * @param {'armored'|'binary'|'object'} [options.format='armored'] - Format of the returned message\n * @param {Signature} [options.signature] - A detached signature to add to the encrypted message\n * @param {Boolean} [options.wildcard=false] - Use a key ID of 0 instead of the public key IDs\n * @param {KeyID|KeyID[]} [options.signingKeyIDs=latest-created valid signing (sub)keys] - Array of key IDs to use for signing. Each `signingKeyIDs[i]` corresponds to `signingKeys[i]`\n * @param {KeyID|KeyID[]} [options.encryptionKeyIDs=latest-created valid encryption (sub)keys] - Array of key IDs to use for encryption. Each `encryptionKeyIDs[i]` corresponds to `encryptionKeys[i]`\n * @param {Date} [options.date=current date] - Override the creation date of the message signature\n * @param {Object|Object[]} [options.signingUserIDs=primary user IDs] - Array of user IDs to sign with, one per key in `signingKeys`, e.g. `[{ name: 'Steve Sender', email: 'steve@openpgp.org' }]`\n * @param {Object|Object[]} [options.encryptionUserIDs=primary user IDs] - Array of user IDs to encrypt for, one per key in `encryptionKeys`, e.g. `[{ name: 'Robert Receiver', email: 'robert@openpgp.org' }]`\n * @param {Object|Object[]} [options.signatureNotations=[]] - Array of notations to add to the signatures, e.g. `[{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]`\n * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}\n * @returns {Promise<MaybeStream<String>|MaybeStream<Uint8Array>>} Encrypted message (string if `armor` was true, the default; Uint8Array if `armor` was false).\n * @async\n * @static\n */\nexport async function encrypt({ message, encryptionKeys, signingKeys, passwords, sessionKey, format = 'armored', signature = null, wildcard = false, signingKeyIDs = [], encryptionKeyIDs = [], date = new Date(), signingUserIDs = [], encryptionUserIDs = [], signatureNotations = [], config, ...rest }) {\n  config = { ...defaultConfig, ...config }; checkConfig(config);\n  checkMessage(message); checkOutputMessageFormat(format);\n  encryptionKeys = toArray(encryptionKeys); signingKeys = toArray(signingKeys); passwords = toArray(passwords);\n  signingKeyIDs = toArray(signingKeyIDs); encryptionKeyIDs = toArray(encryptionKeyIDs); signingUserIDs = toArray(signingUserIDs); encryptionUserIDs = toArray(encryptionUserIDs); signatureNotations = toArray(signatureNotations);\n  if (rest.detached) {\n    throw new Error(\"The `detached` option has been removed from openpgp.encrypt, separately call openpgp.sign instead. Don't forget to remove the `privateKeys` option as well.\");\n  }\n  if (rest.publicKeys) throw new Error('The `publicKeys` option has been removed from openpgp.encrypt, pass `encryptionKeys` instead');\n  if (rest.privateKeys) throw new Error('The `privateKeys` option has been removed from openpgp.encrypt, pass `signingKeys` instead');\n  if (rest.armor !== undefined) throw new Error('The `armor` option has been removed from openpgp.encrypt, pass `format` instead.');\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  if (!signingKeys) {\n    signingKeys = [];\n  }\n\n  try {\n    if (signingKeys.length || signature) { // sign the message only if signing keys or signature is specified\n      message = await message.sign(signingKeys, encryptionKeys, signature, signingKeyIDs, date, signingUserIDs, encryptionKeyIDs, signatureNotations, config);\n    }\n    message = message.compress(\n      await getPreferredCompressionAlgo(encryptionKeys, date, encryptionUserIDs, config),\n      config\n    );\n    message = await message.encrypt(encryptionKeys, passwords, sessionKey, wildcard, encryptionKeyIDs, date, encryptionUserIDs, config);\n    if (format === 'object') return message;\n    // serialize data\n    const armor = format === 'armored';\n    const data = armor ? message.armor(config) : message.write();\n    return await convertStream(data);\n  } catch (err) {\n    throw util.wrapError('Error encrypting message', err);\n  }\n}\n\n/**\n * Decrypts a message with the user's private key, a session key or a password.\n * One of `decryptionKeys`, `sessionkeys` or `passwords` must be specified (passing a combination of these options is not supported).\n * @param {Object} options\n * @param {Message} options.message - The message object with the encrypted data\n * @param {PrivateKey|PrivateKey[]} [options.decryptionKeys] - Private keys with decrypted secret key data or session key\n * @param {String|String[]} [options.passwords] - Passwords to decrypt the message\n * @param {Object|Object[]} [options.sessionKeys] - Session keys in the form: { data:Uint8Array, algorithm:String }\n * @param {PublicKey|PublicKey[]} [options.verificationKeys] - Array of public keys or single key, to verify signatures\n * @param {Boolean} [options.expectSigned=false] - If true, data decryption fails if the message is not signed with the provided publicKeys\n * @param {'utf8'|'binary'} [options.format='utf8'] - Whether to return data as a string(Stream) or Uint8Array(Stream). If 'utf8' (the default), also normalize newlines.\n * @param {Signature} [options.signature] - Detached signature for verification\n * @param {Date} [options.date=current date] - Use the given date for verification instead of the current time\n * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}\n * @returns {Promise<Object>} Object containing decrypted and verified message in the form:\n *\n *     {\n *       data: MaybeStream<String>, (if format was 'utf8', the default)\n *       data: MaybeStream<Uint8Array>, (if format was 'binary')\n *       filename: String,\n *       signatures: [\n *         {\n *           keyID: module:type/keyid~KeyID,\n *           verified: Promise<true>,\n *           signature: Promise<Signature>\n *         }, ...\n *       ]\n *     }\n *\n *     where `signatures` contains a separate entry for each signature packet found in the input message.\n * @async\n * @static\n */\nexport async function decrypt({ message, decryptionKeys, passwords, sessionKeys, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config, ...rest }) {\n  config = { ...defaultConfig, ...config }; checkConfig(config);\n  checkMessage(message); verificationKeys = toArray(verificationKeys); decryptionKeys = toArray(decryptionKeys); passwords = toArray(passwords); sessionKeys = toArray(sessionKeys);\n  if (rest.privateKeys) throw new Error('The `privateKeys` option has been removed from openpgp.decrypt, pass `decryptionKeys` instead');\n  if (rest.publicKeys) throw new Error('The `publicKeys` option has been removed from openpgp.decrypt, pass `verificationKeys` instead');\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  try {\n    const decrypted = await message.decrypt(decryptionKeys, passwords, sessionKeys, date, config);\n    if (!verificationKeys) {\n      verificationKeys = [];\n    }\n\n    const result = {};\n    result.signatures = signature ? await decrypted.verifyDetached(signature, verificationKeys, date, config) : await decrypted.verify(verificationKeys, date, config);\n    result.data = format === 'binary' ? decrypted.getLiteralData() : decrypted.getText();\n    result.filename = decrypted.getFilename();\n    linkStreams(result, message);\n    if (expectSigned) {\n      if (verificationKeys.length === 0) {\n        throw new Error('Verification keys are required to verify message signatures');\n      }\n      if (result.signatures.length === 0) {\n        throw new Error('Message is not signed');\n      }\n      result.data = streamConcat([\n        result.data,\n        streamFromAsync(async () => {\n          await util.anyPromise(result.signatures.map(sig => sig.verified));\n          return format === 'binary' ? new Uint8Array() : '';\n        })\n      ]);\n    }\n    result.data = await convertStream(result.data);\n    return result;\n  } catch (err) {\n    throw util.wrapError('Error decrypting message', err);\n  }\n}\n\n\n//////////////////////////////////////////\n//                                      //\n//   Message signing and verification   //\n//                                      //\n//////////////////////////////////////////\n\n\n/**\n * Signs a message.\n * @param {Object} options\n * @param {CleartextMessage|Message} options.message - (cleartext) message to be signed\n * @param {PrivateKey|PrivateKey[]} options.signingKeys - Array of keys or single key with decrypted secret key data to sign cleartext\n * @param {Key|Key[]} options.recipientKeys - Array of keys or single to get the signing preferences from\n * @param {'armored'|'binary'|'object'} [options.format='armored'] - Format of the returned message\n * @param {Boolean} [options.detached=false] - If the return value should contain a detached signature\n * @param {KeyID|KeyID[]} [options.signingKeyIDs=latest-created valid signing (sub)keys] - Array of key IDs to use for signing. Each signingKeyIDs[i] corresponds to signingKeys[i]\n * @param {Date} [options.date=current date] - Override the creation date of the signature\n * @param {Object|Object[]} [options.signingUserIDs=primary user IDs] - Array of user IDs to sign with, one per key in `signingKeys`, e.g. `[{ name: 'Steve Sender', email: 'steve@openpgp.org' }]`\n * @param {Object|Object[]} [options.recipientUserIDs=primary user IDs] - Array of user IDs to get the signing preferences from, one per key in `recipientKeys`\n * @param {Object|Object[]} [options.signatureNotations=[]] - Array of notations to add to the signatures, e.g. `[{ name: 'test@example.org', value: new TextEncoder().encode('test'), humanReadable: true, critical: false }]`\n * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}\n * @returns {Promise<MaybeStream<String|Uint8Array>>} Signed message (string if `armor` was true, the default; Uint8Array if `armor` was false).\n * @async\n * @static\n */\nexport async function sign({ message, signingKeys, recipientKeys = [], format = 'armored', detached = false, signingKeyIDs = [], date = new Date(), signingUserIDs = [], recipientUserIDs = [], signatureNotations = [], config, ...rest }) {\n  config = { ...defaultConfig, ...config }; checkConfig(config);\n  checkCleartextOrMessage(message); checkOutputMessageFormat(format);\n  signingKeys = toArray(signingKeys); signingKeyIDs = toArray(signingKeyIDs); signingUserIDs = toArray(signingUserIDs); recipientKeys = toArray(recipientKeys); recipientUserIDs = toArray(recipientUserIDs); signatureNotations = toArray(signatureNotations);\n\n  if (rest.privateKeys) throw new Error('The `privateKeys` option has been removed from openpgp.sign, pass `signingKeys` instead');\n  if (rest.armor !== undefined) throw new Error('The `armor` option has been removed from openpgp.sign, pass `format` instead.');\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  if (message instanceof CleartextMessage && format === 'binary') throw new Error('Cannot return signed cleartext message in binary format');\n  if (message instanceof CleartextMessage && detached) throw new Error('Cannot detach-sign a cleartext message');\n\n  if (!signingKeys || signingKeys.length === 0) {\n    throw new Error('No signing keys provided');\n  }\n\n  try {\n    let signature;\n    if (detached) {\n      signature = await message.signDetached(signingKeys, recipientKeys, undefined, signingKeyIDs, date, signingUserIDs, recipientUserIDs, signatureNotations, config);\n    } else {\n      signature = await message.sign(signingKeys, recipientKeys, undefined, signingKeyIDs, date, signingUserIDs, recipientUserIDs, signatureNotations, config);\n    }\n    if (format === 'object') return signature;\n\n    const armor = format === 'armored';\n    signature = armor ? signature.armor(config) : signature.write();\n    if (detached) {\n      signature = streamTransformPair(message.packets.write(), async (readable, writable) => {\n        await Promise.all([\n          streamPipe(signature, writable),\n          streamReadToEnd(readable).catch(() => {})\n        ]);\n      });\n    }\n    return await convertStream(signature);\n  } catch (err) {\n    throw util.wrapError('Error signing message', err);\n  }\n}\n\n/**\n * Verifies signatures of cleartext signed message\n * @param {Object} options\n * @param {CleartextMessage|Message} options.message - (cleartext) message object with signatures\n * @param {PublicKey|PublicKey[]} options.verificationKeys - Array of publicKeys or single key, to verify signatures\n * @param {Boolean} [options.expectSigned=false] - If true, verification throws if the message is not signed with the provided publicKeys\n * @param {'utf8'|'binary'} [options.format='utf8'] - Whether to return data as a string(Stream) or Uint8Array(Stream). If 'utf8' (the default), also normalize newlines.\n * @param {Signature} [options.signature] - Detached signature for verification\n * @param {Date} [options.date=current date] - Use the given date for verification instead of the current time\n * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}\n * @returns {Promise<Object>} Object containing verified message in the form:\n *\n *     {\n *       data: MaybeStream<String>, (if `message` was a CleartextMessage)\n *       data: MaybeStream<Uint8Array>, (if `message` was a Message)\n *       signatures: [\n *         {\n *           keyID: module:type/keyid~KeyID,\n *           verified: Promise<true>,\n *           signature: Promise<Signature>\n *         }, ...\n *       ]\n *     }\n *\n *     where `signatures` contains a separate entry for each signature packet found in the input message.\n * @async\n * @static\n */\nexport async function verify({ message, verificationKeys, expectSigned = false, format = 'utf8', signature = null, date = new Date(), config, ...rest }) {\n  config = { ...defaultConfig, ...config }; checkConfig(config);\n  checkCleartextOrMessage(message); verificationKeys = toArray(verificationKeys);\n  if (rest.publicKeys) throw new Error('The `publicKeys` option has been removed from openpgp.verify, pass `verificationKeys` instead');\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  if (message instanceof CleartextMessage && format === 'binary') throw new Error(\"Can't return cleartext message data as binary\");\n  if (message instanceof CleartextMessage && signature) throw new Error(\"Can't verify detached cleartext signature\");\n\n  try {\n    const result = {};\n    if (signature) {\n      result.signatures = await message.verifyDetached(signature, verificationKeys, date, config);\n    } else {\n      result.signatures = await message.verify(verificationKeys, date, config);\n    }\n    result.data = format === 'binary' ? message.getLiteralData() : message.getText();\n    if (message.fromStream && !signature) linkStreams(result, message);\n    if (expectSigned) {\n      if (result.signatures.length === 0) {\n        throw new Error('Message is not signed');\n      }\n      result.data = streamConcat([\n        result.data,\n        streamFromAsync(async () => {\n          await util.anyPromise(result.signatures.map(sig => sig.verified));\n          return format === 'binary' ? new Uint8Array() : '';\n        })\n      ]);\n    }\n    result.data = await convertStream(result.data);\n    return result;\n  } catch (err) {\n    throw util.wrapError('Error verifying signed message', err);\n  }\n}\n\n\n///////////////////////////////////////////////\n//                                           //\n//   Session key encryption and decryption   //\n//                                           //\n///////////////////////////////////////////////\n\n/**\n * Generate a new session key object, taking the algorithm preferences of the passed public keys into account, if any.\n * @param {Object} options\n * @param {PublicKey|PublicKey[]} [options.encryptionKeys] - Array of public keys or single key used to select algorithm preferences for. If no keys are given, the algorithm will be [config.preferredSymmetricAlgorithm]{@link module:config.preferredSymmetricAlgorithm}\n * @param {Date} [options.date=current date] - Date to select algorithm preferences at\n * @param {Object|Object[]} [options.encryptionUserIDs=primary user IDs] - User IDs to select algorithm preferences for\n * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}\n * @returns {Promise<{ data: Uint8Array, algorithm: String }>} Object with session key data and algorithm.\n * @async\n * @static\n */\nexport async function generateSessionKey({ encryptionKeys, date = new Date(), encryptionUserIDs = [], config, ...rest }) {\n  config = { ...defaultConfig, ...config }; checkConfig(config);\n  encryptionKeys = toArray(encryptionKeys); encryptionUserIDs = toArray(encryptionUserIDs);\n  if (rest.publicKeys) throw new Error('The `publicKeys` option has been removed from openpgp.generateSessionKey, pass `encryptionKeys` instead');\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  try {\n    const sessionKeys = await Message.generateSessionKey(encryptionKeys, date, encryptionUserIDs, config);\n    return sessionKeys;\n  } catch (err) {\n    throw util.wrapError('Error generating session key', err);\n  }\n}\n\n/**\n * Encrypt a symmetric session key with public keys, passwords, or both at once.\n * At least one of `encryptionKeys` or `passwords` must be specified.\n * @param {Object} options\n * @param {Uint8Array} options.data - The session key to be encrypted e.g. 16 random bytes (for aes128)\n * @param {String} options.algorithm - Algorithm of the symmetric session key e.g. 'aes128' or 'aes256'\n * @param {String} [options.aeadAlgorithm] - AEAD algorithm, e.g. 'eax' or 'ocb'\n * @param {PublicKey|PublicKey[]} [options.encryptionKeys] - Array of public keys or single key, used to encrypt the key\n * @param {String|String[]} [options.passwords] - Passwords for the message\n * @param {'armored'|'binary'} [options.format='armored'] - Format of the returned value\n * @param {Boolean} [options.wildcard=false] - Use a key ID of 0 instead of the public key IDs\n * @param {KeyID|KeyID[]} [options.encryptionKeyIDs=latest-created valid encryption (sub)keys] - Array of key IDs to use for encryption. Each encryptionKeyIDs[i] corresponds to encryptionKeys[i]\n * @param {Date} [options.date=current date] - Override the date\n * @param {Object|Object[]} [options.encryptionUserIDs=primary user IDs] - Array of user IDs to encrypt for, one per key in `encryptionKeys`, e.g. `[{ name: 'Phil Zimmermann', email: 'phil@openpgp.org' }]`\n * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}\n * @returns {Promise<String|Uint8Array>} Encrypted session keys (string if `armor` was true, the default; Uint8Array if `armor` was false).\n * @async\n * @static\n */\nexport async function encryptSessionKey({ data, algorithm, aeadAlgorithm, encryptionKeys, passwords, format = 'armored', wildcard = false, encryptionKeyIDs = [], date = new Date(), encryptionUserIDs = [], config, ...rest }) {\n  config = { ...defaultConfig, ...config }; checkConfig(config);\n  checkBinary(data); checkString(algorithm, 'algorithm'); checkOutputMessageFormat(format);\n  encryptionKeys = toArray(encryptionKeys); passwords = toArray(passwords); encryptionKeyIDs = toArray(encryptionKeyIDs); encryptionUserIDs = toArray(encryptionUserIDs);\n  if (rest.publicKeys) throw new Error('The `publicKeys` option has been removed from openpgp.encryptSessionKey, pass `encryptionKeys` instead');\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  if ((!encryptionKeys || encryptionKeys.length === 0) && (!passwords || passwords.length === 0)) {\n    throw new Error('No encryption keys or passwords provided.');\n  }\n\n  try {\n    const message = await Message.encryptSessionKey(data, algorithm, aeadAlgorithm, encryptionKeys, passwords, wildcard, encryptionKeyIDs, date, encryptionUserIDs, config);\n    return formatObject(message, format, config);\n  } catch (err) {\n    throw util.wrapError('Error encrypting session key', err);\n  }\n}\n\n/**\n * Decrypt symmetric session keys using private keys or passwords (not both).\n * One of `decryptionKeys` or `passwords` must be specified.\n * @param {Object} options\n * @param {Message} options.message - A message object containing the encrypted session key packets\n * @param {PrivateKey|PrivateKey[]} [options.decryptionKeys] - Private keys with decrypted secret key data\n * @param {String|String[]} [options.passwords] - Passwords to decrypt the session key\n * @param {Date} [options.date] - Date to use for key verification instead of the current time\n * @param {Object} [options.config] - Custom configuration settings to overwrite those in [config]{@link module:config}\n * @returns {Promise<Object[]>} Array of decrypted session key, algorithm pairs in the form:\n *                                            { data:Uint8Array, algorithm:String }\n * @throws if no session key could be found or decrypted\n * @async\n * @static\n */\nexport async function decryptSessionKeys({ message, decryptionKeys, passwords, date = new Date(), config, ...rest }) {\n  config = { ...defaultConfig, ...config }; checkConfig(config);\n  checkMessage(message); decryptionKeys = toArray(decryptionKeys); passwords = toArray(passwords);\n  if (rest.privateKeys) throw new Error('The `privateKeys` option has been removed from openpgp.decryptSessionKeys, pass `decryptionKeys` instead');\n  const unknownOptions = Object.keys(rest); if (unknownOptions.length > 0) throw new Error(`Unknown option: ${unknownOptions.join(', ')}`);\n\n  try {\n    const sessionKeys = await message.decryptSessionKeys(decryptionKeys, passwords, undefined, date, config);\n    return sessionKeys;\n  } catch (err) {\n    throw util.wrapError('Error decrypting session keys', err);\n  }\n}\n\n\n//////////////////////////\n//                      //\n//   Helper functions   //\n//                      //\n//////////////////////////\n\n\n/**\n * Input validation\n * @private\n */\nfunction checkString(data, name) {\n  if (!util.isString(data)) {\n    throw new Error('Parameter [' + (name || 'data') + '] must be of type String');\n  }\n}\nfunction checkBinary(data, name) {\n  if (!util.isUint8Array(data)) {\n    throw new Error('Parameter [' + (name || 'data') + '] must be of type Uint8Array');\n  }\n}\nfunction checkMessage(message) {\n  if (!(message instanceof Message)) {\n    throw new Error('Parameter [message] needs to be of type Message');\n  }\n}\nfunction checkCleartextOrMessage(message) {\n  if (!(message instanceof CleartextMessage) && !(message instanceof Message)) {\n    throw new Error('Parameter [message] needs to be of type Message or CleartextMessage');\n  }\n}\nfunction checkOutputMessageFormat(format) {\n  if (format !== 'armored' && format !== 'binary' && format !== 'object') {\n    throw new Error(`Unsupported format ${format}`);\n  }\n}\nconst defaultConfigPropsCount = Object.keys(defaultConfig).length;\nfunction checkConfig(config) {\n  const inputConfigProps = Object.keys(config);\n  if (inputConfigProps.length !== defaultConfigPropsCount) {\n    for (const inputProp of inputConfigProps) {\n      if (defaultConfig[inputProp] === undefined) {\n        throw new Error(`Unknown config property: ${inputProp}`);\n      }\n    }\n  }\n}\n\n/**\n * Normalize parameter to an array if it is not undefined.\n * @param {Object} param - the parameter to be normalized\n * @returns {Array<Object>|undefined} The resulting array or undefined.\n * @private\n */\nfunction toArray(param) {\n  if (param && !util.isArray(param)) {\n    param = [param];\n  }\n  return param;\n}\n\n/**\n * Convert data to or from Stream\n * @param {Object} data - the data to convert\n * @returns {Promise<Object>} The data in the respective format.\n * @async\n * @private\n */\nasync function convertStream(data) {\n  const streamType = util.isStream(data);\n  if (streamType === 'array') {\n    return streamReadToEnd(data);\n  }\n  return data;\n}\n\n/**\n * Link result.data to the message stream for cancellation.\n * Also, forward errors in the message to result.data.\n * @param {Object} result - the data to convert\n * @param {Message} message - message object\n * @returns {Object}\n * @private\n */\nfunction linkStreams(result, message) {\n  result.data = streamTransformPair(message.packets.stream, async (readable, writable) => {\n    await streamPipe(result.data, writable, {\n      preventClose: true\n    });\n    const writer = streamGetWriter(writable);\n    try {\n      // Forward errors in the message stream to result.data.\n      await streamReadToEnd(readable, _ => _);\n      await writer.close();\n    } catch (e) {\n      await writer.abort(e);\n    }\n  });\n}\n\n/**\n * Convert the object to the given format\n * @param {Key|Message} object\n * @param {'armored'|'binary'|'object'} format\n * @param {Object} config - Full configuration\n * @returns {String|Uint8Array|Object}\n */\nfunction formatObject(object, format, config) {\n  switch (format) {\n    case 'object':\n      return object;\n    case 'armored':\n      return object.armor(config);\n    case 'binary':\n      return object.write();\n    default:\n      throw new Error(`Unsupported format ${format}`);\n  }\n}\n","function number(n) {\n    if (!Number.isSafeInteger(n) || n < 0)\n        throw new Error(`positive integer expected, not ${n}`);\n}\nfunction bool(b) {\n    if (typeof b !== 'boolean')\n        throw new Error(`boolean expected, not ${b}`);\n}\n// copied from utils\nexport function isBytes(a) {\n    return (a instanceof Uint8Array ||\n        (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array'));\n}\nfunction bytes(b, ...lengths) {\n    if (!isBytes(b))\n        throw new Error('Uint8Array expected');\n    if (lengths.length > 0 && !lengths.includes(b.length))\n        throw new Error(`Uint8Array expected of length ${lengths}, not of length=${b.length}`);\n}\nfunction hash(h) {\n    if (typeof h !== 'function' || typeof h.create !== 'function')\n        throw new Error('Hash should be wrapped by utils.wrapConstructor');\n    number(h.outputLen);\n    number(h.blockLen);\n}\nfunction exists(instance, checkFinished = true) {\n    if (instance.destroyed)\n        throw new Error('Hash instance has been destroyed');\n    if (checkFinished && instance.finished)\n        throw new Error('Hash#digest() has already been called');\n}\nfunction output(out, instance) {\n    bytes(out);\n    const min = instance.outputLen;\n    if (out.length < min) {\n        throw new Error(`digestInto() expects output buffer of length at least ${min}`);\n    }\n}\nexport { number, bool, bytes, hash, exists, output };\nconst assert = { number, bool, bytes, hash, exists, output };\nexport default assert;\n//# sourceMappingURL=_assert.js.map","export const crypto = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined;\n//# sourceMappingURL=crypto.js.map","/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */\n// We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+.\n// node.js versions earlier than v19 don't declare it in global scope.\n// For node.js, package.json#exports field mapping rewrites import\n// from `crypto` to `cryptoNode`, which imports native module.\n// Makes the utils un-importable in browsers without a bundler.\n// Once node.js 18 is deprecated (2025-04-30), we can just drop the import.\nimport { crypto } from '@noble/hashes/crypto';\nimport { bytes as abytes } from './_assert.js';\n// export { isBytes } from './_assert.js';\n// We can't reuse isBytes from _assert, because somehow this causes huge perf issues\nexport function isBytes(a) {\n    return (a instanceof Uint8Array ||\n        (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array'));\n}\n// Cast array to different type\nexport const u8 = (arr) => new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength);\nexport const u32 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));\n// Cast array to view\nexport const createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength);\n// The rotate right (circular right shift) operation for uint32\nexport const rotr = (word, shift) => (word << (32 - shift)) | (word >>> shift);\n// The rotate left (circular left shift) operation for uint32\nexport const rotl = (word, shift) => (word << shift) | ((word >>> (32 - shift)) >>> 0);\nexport const isLE = new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44;\n// The byte swap operation for uint32\nexport const byteSwap = (word) => ((word << 24) & 0xff000000) |\n    ((word << 8) & 0xff0000) |\n    ((word >>> 8) & 0xff00) |\n    ((word >>> 24) & 0xff);\n// Conditionally byte swap if on a big-endian platform\nexport const byteSwapIfBE = isLE ? (n) => n : (n) => byteSwap(n);\n// In place byte swap for Uint32Array\nexport function byteSwap32(arr) {\n    for (let i = 0; i < arr.length; i++) {\n        arr[i] = byteSwap(arr[i]);\n    }\n}\n// Array where index 0xf0 (240) is mapped to string 'f0'\nconst hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0'));\n/**\n * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'\n */\nexport function bytesToHex(bytes) {\n    abytes(bytes);\n    // pre-caching improves the speed 6x\n    let hex = '';\n    for (let i = 0; i < bytes.length; i++) {\n        hex += hexes[bytes[i]];\n    }\n    return hex;\n}\n// We use optimized technique to convert hex string to byte array\nconst asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 };\nfunction asciiToBase16(char) {\n    if (char >= asciis._0 && char <= asciis._9)\n        return char - asciis._0;\n    if (char >= asciis._A && char <= asciis._F)\n        return char - (asciis._A - 10);\n    if (char >= asciis._a && char <= asciis._f)\n        return char - (asciis._a - 10);\n    return;\n}\n/**\n * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])\n */\nexport function hexToBytes(hex) {\n    if (typeof hex !== 'string')\n        throw new Error('hex string expected, got ' + typeof hex);\n    const hl = hex.length;\n    const al = hl / 2;\n    if (hl % 2)\n        throw new Error('padded hex string expected, got unpadded hex of length ' + hl);\n    const array = new Uint8Array(al);\n    for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {\n        const n1 = asciiToBase16(hex.charCodeAt(hi));\n        const n2 = asciiToBase16(hex.charCodeAt(hi + 1));\n        if (n1 === undefined || n2 === undefined) {\n            const char = hex[hi] + hex[hi + 1];\n            throw new Error('hex string expected, got non-hex character \"' + char + '\" at index ' + hi);\n        }\n        array[ai] = n1 * 16 + n2;\n    }\n    return array;\n}\n// There is no setImmediate in browser and setTimeout is slow.\n// call of async fn will return Promise, which will be fullfiled only on\n// next scheduler queue processing step and this is exactly what we need.\nexport const nextTick = async () => { };\n// Returns control to thread each 'tick' ms to avoid blocking\nexport async function asyncLoop(iters, tick, cb) {\n    let ts = Date.now();\n    for (let i = 0; i < iters; i++) {\n        cb(i);\n        // Date.now() is not monotonic, so in case if clock goes backwards we return return control too\n        const diff = Date.now() - ts;\n        if (diff >= 0 && diff < tick)\n            continue;\n        await nextTick();\n        ts += diff;\n    }\n}\n/**\n * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])\n */\nexport function utf8ToBytes(str) {\n    if (typeof str !== 'string')\n        throw new Error(`utf8ToBytes expected string, got ${typeof str}`);\n    return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809\n}\n/**\n * Normalizes (non-hex) string or Uint8Array to Uint8Array.\n * Warning: when Uint8Array is passed, it would NOT get copied.\n * Keep in mind for future mutable operations.\n */\nexport function toBytes(data) {\n    if (typeof data === 'string')\n        data = utf8ToBytes(data);\n    abytes(data);\n    return data;\n}\n/**\n * Copies several Uint8Arrays into one.\n */\nexport function concatBytes(...arrays) {\n    let sum = 0;\n    for (let i = 0; i < arrays.length; i++) {\n        const a = arrays[i];\n        abytes(a);\n        sum += a.length;\n    }\n    const res = new Uint8Array(sum);\n    for (let i = 0, pad = 0; i < arrays.length; i++) {\n        const a = arrays[i];\n        res.set(a, pad);\n        pad += a.length;\n    }\n    return res;\n}\n// For runtime check if class implements interface\nexport class Hash {\n    // Safe version that clones internal state\n    clone() {\n        return this._cloneInto();\n    }\n}\nconst toStr = {}.toString;\nexport function checkOpts(defaults, opts) {\n    if (opts !== undefined && toStr.call(opts) !== '[object Object]')\n        throw new Error('Options should be object or undefined');\n    const merged = Object.assign(defaults, opts);\n    return merged;\n}\nexport function wrapConstructor(hashCons) {\n    const hashC = (msg) => hashCons().update(toBytes(msg)).digest();\n    const tmp = hashCons();\n    hashC.outputLen = tmp.outputLen;\n    hashC.blockLen = tmp.blockLen;\n    hashC.create = () => hashCons();\n    return hashC;\n}\nexport function wrapConstructorWithOpts(hashCons) {\n    const hashC = (msg, opts) => hashCons(opts).update(toBytes(msg)).digest();\n    const tmp = hashCons({});\n    hashC.outputLen = tmp.outputLen;\n    hashC.blockLen = tmp.blockLen;\n    hashC.create = (opts) => hashCons(opts);\n    return hashC;\n}\nexport function wrapXOFConstructorWithOpts(hashCons) {\n    const hashC = (msg, opts) => hashCons(opts).update(toBytes(msg)).digest();\n    const tmp = hashCons({});\n    hashC.outputLen = tmp.outputLen;\n    hashC.blockLen = tmp.blockLen;\n    hashC.create = (opts) => hashCons(opts);\n    return hashC;\n}\n/**\n * Secure PRNG. Uses `crypto.getRandomValues`, which defers to OS.\n */\nexport function randomBytes(bytesLength = 32) {\n    if (crypto && typeof crypto.getRandomValues === 'function') {\n        return crypto.getRandomValues(new Uint8Array(bytesLength));\n    }\n    // Legacy Node.js compatibility\n    if (crypto && typeof crypto.randomBytes === 'function') {\n        return crypto.randomBytes(bytesLength);\n    }\n    throw new Error('crypto.getRandomValues must be defined');\n}\n//# sourceMappingURL=utils.js.map","import { exists, output } from './_assert.js';\nimport { Hash, createView, toBytes } from './utils.js';\n/**\n * Polyfill for Safari 14\n */\nfunction setBigUint64(view, byteOffset, value, isLE) {\n    if (typeof view.setBigUint64 === 'function')\n        return view.setBigUint64(byteOffset, value, isLE);\n    const _32n = BigInt(32);\n    const _u32_max = BigInt(0xffffffff);\n    const wh = Number((value >> _32n) & _u32_max);\n    const wl = Number(value & _u32_max);\n    const h = isLE ? 4 : 0;\n    const l = isLE ? 0 : 4;\n    view.setUint32(byteOffset + h, wh, isLE);\n    view.setUint32(byteOffset + l, wl, isLE);\n}\n/**\n * Choice: a ? b : c\n */\nexport const Chi = (a, b, c) => (a & b) ^ (~a & c);\n/**\n * Majority function, true if any two inputs is true\n */\nexport const Maj = (a, b, c) => (a & b) ^ (a & c) ^ (b & c);\n/**\n * Merkle-Damgard hash construction base class.\n * Could be used to create MD5, RIPEMD, SHA1, SHA2.\n */\nexport class HashMD extends Hash {\n    constructor(blockLen, outputLen, padOffset, isLE) {\n        super();\n        this.blockLen = blockLen;\n        this.outputLen = outputLen;\n        this.padOffset = padOffset;\n        this.isLE = isLE;\n        this.finished = false;\n        this.length = 0;\n        this.pos = 0;\n        this.destroyed = false;\n        this.buffer = new Uint8Array(blockLen);\n        this.view = createView(this.buffer);\n    }\n    update(data) {\n        exists(this);\n        const { view, buffer, blockLen } = this;\n        data = toBytes(data);\n        const len = data.length;\n        for (let pos = 0; pos < len;) {\n            const take = Math.min(blockLen - this.pos, len - pos);\n            // Fast path: we have at least one block in input, cast it to view and process\n            if (take === blockLen) {\n                const dataView = createView(data);\n                for (; blockLen <= len - pos; pos += blockLen)\n                    this.process(dataView, pos);\n                continue;\n            }\n            buffer.set(data.subarray(pos, pos + take), this.pos);\n            this.pos += take;\n            pos += take;\n            if (this.pos === blockLen) {\n                this.process(view, 0);\n                this.pos = 0;\n            }\n        }\n        this.length += data.length;\n        this.roundClean();\n        return this;\n    }\n    digestInto(out) {\n        exists(this);\n        output(out, this);\n        this.finished = true;\n        // Padding\n        // We can avoid allocation of buffer for padding completely if it\n        // was previously not allocated here. But it won't change performance.\n        const { buffer, view, blockLen, isLE } = this;\n        let { pos } = this;\n        // append the bit '1' to the message\n        buffer[pos++] = 0b10000000;\n        this.buffer.subarray(pos).fill(0);\n        // we have less than padOffset left in buffer, so we cannot put length in\n        // current block, need process it and pad again\n        if (this.padOffset > blockLen - pos) {\n            this.process(view, 0);\n            pos = 0;\n        }\n        // Pad until full block byte with zeros\n        for (let i = pos; i < blockLen; i++)\n            buffer[i] = 0;\n        // Note: sha512 requires length to be 128bit integer, but length in JS will overflow before that\n        // You need to write around 2 exabytes (u64_max / 8 / (1024**6)) for this to happen.\n        // So we just write lowest 64 bits of that value.\n        setBigUint64(view, blockLen - 8, BigInt(this.length * 8), isLE);\n        this.process(view, 0);\n        const oview = createView(out);\n        const len = this.outputLen;\n        // NOTE: we do division by 4 later, which should be fused in single op with modulo by JIT\n        if (len % 4)\n            throw new Error('_sha2: outputLen should be aligned to 32bit');\n        const outLen = len / 4;\n        const state = this.get();\n        if (outLen > state.length)\n            throw new Error('_sha2: outputLen bigger than state');\n        for (let i = 0; i < outLen; i++)\n            oview.setUint32(4 * i, state[i], isLE);\n    }\n    digest() {\n        const { buffer, outputLen } = this;\n        this.digestInto(buffer);\n        const res = buffer.slice(0, outputLen);\n        this.destroy();\n        return res;\n    }\n    _cloneInto(to) {\n        to || (to = new this.constructor());\n        to.set(...this.get());\n        const { blockLen, buffer, length, finished, destroyed, pos } = this;\n        to.length = length;\n        to.pos = pos;\n        to.finished = finished;\n        to.destroyed = destroyed;\n        if (length % blockLen)\n            to.buffer.set(buffer);\n        return to;\n    }\n}\n//# sourceMappingURL=_md.js.map","import { HashMD, Chi, Maj } from './_md.js';\nimport { rotr, wrapConstructor } from './utils.js';\n// SHA2-256 need to try 2^128 hashes to execute birthday attack.\n// BTC network is doing 2^67 hashes/sec as per early 2023.\n// Round constants:\n// first 32 bits of the fractional parts of the cube roots of the first 64 primes 2..311)\n// prettier-ignore\nconst SHA256_K = /* @__PURE__ */ new Uint32Array([\n    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,\n    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,\n    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,\n    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,\n    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,\n    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,\n    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,\n    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2\n]);\n// Initial state:\n// first 32 bits of the fractional parts of the square roots of the first 8 primes 2..19\n// prettier-ignore\nconst SHA256_IV = /* @__PURE__ */ new Uint32Array([\n    0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19\n]);\n// Temporary buffer, not used to store anything between runs\n// Named this way because it matches specification.\nconst SHA256_W = /* @__PURE__ */ new Uint32Array(64);\nexport class SHA256 extends HashMD {\n    constructor() {\n        super(64, 32, 8, false);\n        // We cannot use array here since array allows indexing by variable\n        // which means optimizer/compiler cannot use registers.\n        this.A = SHA256_IV[0] | 0;\n        this.B = SHA256_IV[1] | 0;\n        this.C = SHA256_IV[2] | 0;\n        this.D = SHA256_IV[3] | 0;\n        this.E = SHA256_IV[4] | 0;\n        this.F = SHA256_IV[5] | 0;\n        this.G = SHA256_IV[6] | 0;\n        this.H = SHA256_IV[7] | 0;\n    }\n    get() {\n        const { A, B, C, D, E, F, G, H } = this;\n        return [A, B, C, D, E, F, G, H];\n    }\n    // prettier-ignore\n    set(A, B, C, D, E, F, G, H) {\n        this.A = A | 0;\n        this.B = B | 0;\n        this.C = C | 0;\n        this.D = D | 0;\n        this.E = E | 0;\n        this.F = F | 0;\n        this.G = G | 0;\n        this.H = H | 0;\n    }\n    process(view, offset) {\n        // Extend the first 16 words into the remaining 48 words w[16..63] of the message schedule array\n        for (let i = 0; i < 16; i++, offset += 4)\n            SHA256_W[i] = view.getUint32(offset, false);\n        for (let i = 16; i < 64; i++) {\n            const W15 = SHA256_W[i - 15];\n            const W2 = SHA256_W[i - 2];\n            const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ (W15 >>> 3);\n            const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ (W2 >>> 10);\n            SHA256_W[i] = (s1 + SHA256_W[i - 7] + s0 + SHA256_W[i - 16]) | 0;\n        }\n        // Compression function main loop, 64 rounds\n        let { A, B, C, D, E, F, G, H } = this;\n        for (let i = 0; i < 64; i++) {\n            const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25);\n            const T1 = (H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i]) | 0;\n            const sigma0 = rotr(A, 2) ^ rotr(A, 13) ^ rotr(A, 22);\n            const T2 = (sigma0 + Maj(A, B, C)) | 0;\n            H = G;\n            G = F;\n            F = E;\n            E = (D + T1) | 0;\n            D = C;\n            C = B;\n            B = A;\n            A = (T1 + T2) | 0;\n        }\n        // Add the compressed chunk to the current hash value\n        A = (A + this.A) | 0;\n        B = (B + this.B) | 0;\n        C = (C + this.C) | 0;\n        D = (D + this.D) | 0;\n        E = (E + this.E) | 0;\n        F = (F + this.F) | 0;\n        G = (G + this.G) | 0;\n        H = (H + this.H) | 0;\n        this.set(A, B, C, D, E, F, G, H);\n    }\n    roundClean() {\n        SHA256_W.fill(0);\n    }\n    destroy() {\n        this.set(0, 0, 0, 0, 0, 0, 0, 0);\n        this.buffer.fill(0);\n    }\n}\n// Constants from https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf\nclass SHA224 extends SHA256 {\n    constructor() {\n        super();\n        this.A = 0xc1059ed8 | 0;\n        this.B = 0x367cd507 | 0;\n        this.C = 0x3070dd17 | 0;\n        this.D = 0xf70e5939 | 0;\n        this.E = 0xffc00b31 | 0;\n        this.F = 0x68581511 | 0;\n        this.G = 0x64f98fa7 | 0;\n        this.H = 0xbefa4fa4 | 0;\n        this.outputLen = 28;\n    }\n}\n/**\n * SHA2-256 hash function\n * @param message - data that would be hashed\n */\nexport const sha256 = /* @__PURE__ */ wrapConstructor(() => new SHA256());\n/**\n * SHA2-224 hash function\n */\nexport const sha224 = /* @__PURE__ */ wrapConstructor(() => new SHA224());\n//# sourceMappingURL=sha256.js.map","import { hash as assertHash, bytes as assertBytes, exists as assertExists } from './_assert.js';\nimport { Hash, toBytes } from './utils.js';\n// HMAC (RFC 2104)\nexport class HMAC extends Hash {\n    constructor(hash, _key) {\n        super();\n        this.finished = false;\n        this.destroyed = false;\n        assertHash(hash);\n        const key = toBytes(_key);\n        this.iHash = hash.create();\n        if (typeof this.iHash.update !== 'function')\n            throw new Error('Expected instance of class which extends utils.Hash');\n        this.blockLen = this.iHash.blockLen;\n        this.outputLen = this.iHash.outputLen;\n        const blockLen = this.blockLen;\n        const pad = new Uint8Array(blockLen);\n        // blockLen can be bigger than outputLen\n        pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);\n        for (let i = 0; i < pad.length; i++)\n            pad[i] ^= 0x36;\n        this.iHash.update(pad);\n        // By doing update (processing of first block) of outer hash here we can re-use it between multiple calls via clone\n        this.oHash = hash.create();\n        // Undo internal XOR && apply outer XOR\n        for (let i = 0; i < pad.length; i++)\n            pad[i] ^= 0x36 ^ 0x5c;\n        this.oHash.update(pad);\n        pad.fill(0);\n    }\n    update(buf) {\n        assertExists(this);\n        this.iHash.update(buf);\n        return this;\n    }\n    digestInto(out) {\n        assertExists(this);\n        assertBytes(out, this.outputLen);\n        this.finished = true;\n        this.iHash.digestInto(out);\n        this.oHash.update(out);\n        this.oHash.digestInto(out);\n        this.destroy();\n    }\n    digest() {\n        const out = new Uint8Array(this.oHash.outputLen);\n        this.digestInto(out);\n        return out;\n    }\n    _cloneInto(to) {\n        // Create new instance without calling constructor since key already in state and we don't know it.\n        to || (to = Object.create(Object.getPrototypeOf(this), {}));\n        const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;\n        to = to;\n        to.finished = finished;\n        to.destroyed = destroyed;\n        to.blockLen = blockLen;\n        to.outputLen = outputLen;\n        to.oHash = oHash._cloneInto(to.oHash);\n        to.iHash = iHash._cloneInto(to.iHash);\n        return to;\n    }\n    destroy() {\n        this.destroyed = true;\n        this.oHash.destroy();\n        this.iHash.destroy();\n    }\n}\n/**\n * HMAC: RFC2104 message authentication code.\n * @param hash - function that would be used e.g. sha256\n * @param key - message key\n * @param message - message data\n * @example\n * import { hmac } from '@noble/hashes/hmac';\n * import { sha256 } from '@noble/hashes/sha2';\n * const mac1 = hmac(sha256, 'key', 'message');\n */\nexport const hmac = (hash, key, message) => new HMAC(hash, key).update(message).digest();\nhmac.create = (hash, key) => new HMAC(hash, key);\n//# sourceMappingURL=hmac.js.map","/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\n// 100 lines of code in the file are duplicated from noble-hashes (utils).\n// This is OK: `abstract` directory does not use noble-hashes.\n// User may opt-in into using different hashing library. This way, noble-hashes\n// won't be included into their bundle.\nconst _0n = /* @__PURE__ */ BigInt(0);\nconst _1n = /* @__PURE__ */ BigInt(1);\nconst _2n = /* @__PURE__ */ BigInt(2);\nexport function isBytes(a) {\n    return (a instanceof Uint8Array ||\n        (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array'));\n}\nexport function abytes(item) {\n    if (!isBytes(item))\n        throw new Error('Uint8Array expected');\n}\nexport function abool(title, value) {\n    if (typeof value !== 'boolean')\n        throw new Error(`${title} must be valid boolean, got \"${value}\".`);\n}\n// Array where index 0xf0 (240) is mapped to string 'f0'\nconst hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0'));\n/**\n * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'\n */\nexport function bytesToHex(bytes) {\n    abytes(bytes);\n    // pre-caching improves the speed 6x\n    let hex = '';\n    for (let i = 0; i < bytes.length; i++) {\n        hex += hexes[bytes[i]];\n    }\n    return hex;\n}\nexport function numberToHexUnpadded(num) {\n    const hex = num.toString(16);\n    return hex.length & 1 ? `0${hex}` : hex;\n}\nexport function hexToNumber(hex) {\n    if (typeof hex !== 'string')\n        throw new Error('hex string expected, got ' + typeof hex);\n    // Big Endian\n    return BigInt(hex === '' ? '0' : `0x${hex}`);\n}\n// We use optimized technique to convert hex string to byte array\nconst asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 };\nfunction asciiToBase16(char) {\n    if (char >= asciis._0 && char <= asciis._9)\n        return char - asciis._0;\n    if (char >= asciis._A && char <= asciis._F)\n        return char - (asciis._A - 10);\n    if (char >= asciis._a && char <= asciis._f)\n        return char - (asciis._a - 10);\n    return;\n}\n/**\n * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])\n */\nexport function hexToBytes(hex) {\n    if (typeof hex !== 'string')\n        throw new Error('hex string expected, got ' + typeof hex);\n    const hl = hex.length;\n    const al = hl / 2;\n    if (hl % 2)\n        throw new Error('padded hex string expected, got unpadded hex of length ' + hl);\n    const array = new Uint8Array(al);\n    for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {\n        const n1 = asciiToBase16(hex.charCodeAt(hi));\n        const n2 = asciiToBase16(hex.charCodeAt(hi + 1));\n        if (n1 === undefined || n2 === undefined) {\n            const char = hex[hi] + hex[hi + 1];\n            throw new Error('hex string expected, got non-hex character \"' + char + '\" at index ' + hi);\n        }\n        array[ai] = n1 * 16 + n2;\n    }\n    return array;\n}\n// BE: Big Endian, LE: Little Endian\nexport function bytesToNumberBE(bytes) {\n    return hexToNumber(bytesToHex(bytes));\n}\nexport function bytesToNumberLE(bytes) {\n    abytes(bytes);\n    return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse()));\n}\nexport function numberToBytesBE(n, len) {\n    return hexToBytes(n.toString(16).padStart(len * 2, '0'));\n}\nexport function numberToBytesLE(n, len) {\n    return numberToBytesBE(n, len).reverse();\n}\n// Unpadded, rarely used\nexport function numberToVarBytesBE(n) {\n    return hexToBytes(numberToHexUnpadded(n));\n}\n/**\n * Takes hex string or Uint8Array, converts to Uint8Array.\n * Validates output length.\n * Will throw error for other types.\n * @param title descriptive title for an error e.g. 'private key'\n * @param hex hex string or Uint8Array\n * @param expectedLength optional, will compare to result array's length\n * @returns\n */\nexport function ensureBytes(title, hex, expectedLength) {\n    let res;\n    if (typeof hex === 'string') {\n        try {\n            res = hexToBytes(hex);\n        }\n        catch (e) {\n            throw new Error(`${title} must be valid hex string, got \"${hex}\". Cause: ${e}`);\n        }\n    }\n    else if (isBytes(hex)) {\n        // Uint8Array.from() instead of hash.slice() because node.js Buffer\n        // is instance of Uint8Array, and its slice() creates **mutable** copy\n        res = Uint8Array.from(hex);\n    }\n    else {\n        throw new Error(`${title} must be hex string or Uint8Array`);\n    }\n    const len = res.length;\n    if (typeof expectedLength === 'number' && len !== expectedLength)\n        throw new Error(`${title} expected ${expectedLength} bytes, got ${len}`);\n    return res;\n}\n/**\n * Copies several Uint8Arrays into one.\n */\nexport function concatBytes(...arrays) {\n    let sum = 0;\n    for (let i = 0; i < arrays.length; i++) {\n        const a = arrays[i];\n        abytes(a);\n        sum += a.length;\n    }\n    const res = new Uint8Array(sum);\n    for (let i = 0, pad = 0; i < arrays.length; i++) {\n        const a = arrays[i];\n        res.set(a, pad);\n        pad += a.length;\n    }\n    return res;\n}\n// Compares 2 u8a-s in kinda constant time\nexport function equalBytes(a, b) {\n    if (a.length !== b.length)\n        return false;\n    let diff = 0;\n    for (let i = 0; i < a.length; i++)\n        diff |= a[i] ^ b[i];\n    return diff === 0;\n}\n/**\n * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])\n */\nexport function utf8ToBytes(str) {\n    if (typeof str !== 'string')\n        throw new Error(`utf8ToBytes expected string, got ${typeof str}`);\n    return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809\n}\n// Is positive bigint\nconst isPosBig = (n) => typeof n === 'bigint' && _0n <= n;\nexport function inRange(n, min, max) {\n    return isPosBig(n) && isPosBig(min) && isPosBig(max) && min <= n && n < max;\n}\n/**\n * Asserts min <= n < max. NOTE: It's < max and not <= max.\n * @example\n * aInRange('x', x, 1n, 256n); // would assume x is in (1n..255n)\n */\nexport function aInRange(title, n, min, max) {\n    // Why min <= n < max and not a (min < n < max) OR b (min <= n <= max)?\n    // consider P=256n, min=0n, max=P\n    // - a for min=0 would require -1:          `inRange('x', x, -1n, P)`\n    // - b would commonly require subtraction:  `inRange('x', x, 0n, P - 1n)`\n    // - our way is the cleanest:               `inRange('x', x, 0n, P)\n    if (!inRange(n, min, max))\n        throw new Error(`expected valid ${title}: ${min} <= n < ${max}, got ${typeof n} ${n}`);\n}\n// Bit operations\n/**\n * Calculates amount of bits in a bigint.\n * Same as `n.toString(2).length`\n */\nexport function bitLen(n) {\n    let len;\n    for (len = 0; n > _0n; n >>= _1n, len += 1)\n        ;\n    return len;\n}\n/**\n * Gets single bit at position.\n * NOTE: first bit position is 0 (same as arrays)\n * Same as `!!+Array.from(n.toString(2)).reverse()[pos]`\n */\nexport function bitGet(n, pos) {\n    return (n >> BigInt(pos)) & _1n;\n}\n/**\n * Sets single bit at position.\n */\nexport function bitSet(n, pos, value) {\n    return n | ((value ? _1n : _0n) << BigInt(pos));\n}\n/**\n * Calculate mask for N bits. Not using ** operator with bigints because of old engines.\n * Same as BigInt(`0b${Array(i).fill('1').join('')}`)\n */\nexport const bitMask = (n) => (_2n << BigInt(n - 1)) - _1n;\n// DRBG\nconst u8n = (data) => new Uint8Array(data); // creates Uint8Array\nconst u8fr = (arr) => Uint8Array.from(arr); // another shortcut\n/**\n * Minimal HMAC-DRBG from NIST 800-90 for RFC6979 sigs.\n * @returns function that will call DRBG until 2nd arg returns something meaningful\n * @example\n *   const drbg = createHmacDRBG<Key>(32, 32, hmac);\n *   drbg(seed, bytesToKey); // bytesToKey must return Key or undefined\n */\nexport function createHmacDrbg(hashLen, qByteLen, hmacFn) {\n    if (typeof hashLen !== 'number' || hashLen < 2)\n        throw new Error('hashLen must be a number');\n    if (typeof qByteLen !== 'number' || qByteLen < 2)\n        throw new Error('qByteLen must be a number');\n    if (typeof hmacFn !== 'function')\n        throw new Error('hmacFn must be a function');\n    // Step B, Step C: set hashLen to 8*ceil(hlen/8)\n    let v = u8n(hashLen); // Minimal non-full-spec HMAC-DRBG from NIST 800-90 for RFC6979 sigs.\n    let k = u8n(hashLen); // Steps B and C of RFC6979 3.2: set hashLen, in our case always same\n    let i = 0; // Iterations counter, will throw when over 1000\n    const reset = () => {\n        v.fill(1);\n        k.fill(0);\n        i = 0;\n    };\n    const h = (...b) => hmacFn(k, v, ...b); // hmac(k)(v, ...values)\n    const reseed = (seed = u8n()) => {\n        // HMAC-DRBG reseed() function. Steps D-G\n        k = h(u8fr([0x00]), seed); // k = hmac(k || v || 0x00 || seed)\n        v = h(); // v = hmac(k || v)\n        if (seed.length === 0)\n            return;\n        k = h(u8fr([0x01]), seed); // k = hmac(k || v || 0x01 || seed)\n        v = h(); // v = hmac(k || v)\n    };\n    const gen = () => {\n        // HMAC-DRBG generate() function\n        if (i++ >= 1000)\n            throw new Error('drbg: tried 1000 values');\n        let len = 0;\n        const out = [];\n        while (len < qByteLen) {\n            v = h();\n            const sl = v.slice();\n            out.push(sl);\n            len += v.length;\n        }\n        return concatBytes(...out);\n    };\n    const genUntil = (seed, pred) => {\n        reset();\n        reseed(seed); // Steps D-G\n        let res = undefined; // Step H: grind until k is in [1..n-1]\n        while (!(res = pred(gen())))\n            reseed();\n        reset();\n        return res;\n    };\n    return genUntil;\n}\n// Validating curves and fields\nconst validatorFns = {\n    bigint: (val) => typeof val === 'bigint',\n    function: (val) => typeof val === 'function',\n    boolean: (val) => typeof val === 'boolean',\n    string: (val) => typeof val === 'string',\n    stringOrUint8Array: (val) => typeof val === 'string' || isBytes(val),\n    isSafeInteger: (val) => Number.isSafeInteger(val),\n    array: (val) => Array.isArray(val),\n    field: (val, object) => object.Fp.isValid(val),\n    hash: (val) => typeof val === 'function' && Number.isSafeInteger(val.outputLen),\n};\n// type Record<K extends string | number | symbol, T> = { [P in K]: T; }\nexport function validateObject(object, validators, optValidators = {}) {\n    const checkField = (fieldName, type, isOptional) => {\n        const checkVal = validatorFns[type];\n        if (typeof checkVal !== 'function')\n            throw new Error(`Invalid validator \"${type}\", expected function`);\n        const val = object[fieldName];\n        if (isOptional && val === undefined)\n            return;\n        if (!checkVal(val, object)) {\n            throw new Error(`Invalid param ${String(fieldName)}=${val} (${typeof val}), expected ${type}`);\n        }\n    };\n    for (const [fieldName, type] of Object.entries(validators))\n        checkField(fieldName, type, false);\n    for (const [fieldName, type] of Object.entries(optValidators))\n        checkField(fieldName, type, true);\n    return object;\n}\n// validate type tests\n// const o: { a: number; b: number; c: number } = { a: 1, b: 5, c: 6 };\n// const z0 = validateObject(o, { a: 'isSafeInteger' }, { c: 'bigint' }); // Ok!\n// // Should fail type-check\n// const z1 = validateObject(o, { a: 'tmp' }, { c: 'zz' });\n// const z2 = validateObject(o, { a: 'isSafeInteger' }, { c: 'zz' });\n// const z3 = validateObject(o, { test: 'boolean', z: 'bug' });\n// const z4 = validateObject(o, { a: 'boolean', z: 'bug' });\n/**\n * throws not implemented error\n */\nexport const notImplemented = () => {\n    throw new Error('not implemented');\n};\n/**\n * Memoizes (caches) computation result.\n * Uses WeakMap: the value is going auto-cleaned by GC after last reference is removed.\n */\nexport function memoized(fn) {\n    const map = new WeakMap();\n    return (arg, ...args) => {\n        const val = map.get(arg);\n        if (val !== undefined)\n            return val;\n        const computed = fn(arg, ...args);\n        map.set(arg, computed);\n        return computed;\n    };\n}\n//# sourceMappingURL=utils.js.map","/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\n// Utilities for modular arithmetics and finite fields\nimport { bitMask, bytesToNumberBE, bytesToNumberLE, ensureBytes, numberToBytesBE, numberToBytesLE, validateObject, } from './utils.js';\n// prettier-ignore\nconst _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);\n// prettier-ignore\nconst _4n = BigInt(4), _5n = BigInt(5), _8n = BigInt(8);\n// prettier-ignore\nconst _9n = BigInt(9), _16n = BigInt(16);\n// Calculates a modulo b\nexport function mod(a, b) {\n    const result = a % b;\n    return result >= _0n ? result : b + result;\n}\n/**\n * Efficiently raise num to power and do modular division.\n * Unsafe in some contexts: uses ladder, so can expose bigint bits.\n * @example\n * pow(2n, 6n, 11n) // 64n % 11n == 9n\n */\n// TODO: use field version && remove\nexport function pow(num, power, modulo) {\n    if (modulo <= _0n || power < _0n)\n        throw new Error('Expected power/modulo > 0');\n    if (modulo === _1n)\n        return _0n;\n    let res = _1n;\n    while (power > _0n) {\n        if (power & _1n)\n            res = (res * num) % modulo;\n        num = (num * num) % modulo;\n        power >>= _1n;\n    }\n    return res;\n}\n// Does x ^ (2 ^ power) mod p. pow2(30, 4) == 30 ^ (2 ^ 4)\nexport function pow2(x, power, modulo) {\n    let res = x;\n    while (power-- > _0n) {\n        res *= res;\n        res %= modulo;\n    }\n    return res;\n}\n// Inverses number over modulo\nexport function invert(number, modulo) {\n    if (number === _0n || modulo <= _0n) {\n        throw new Error(`invert: expected positive integers, got n=${number} mod=${modulo}`);\n    }\n    // Euclidean GCD https://brilliant.org/wiki/extended-euclidean-algorithm/\n    // Fermat's little theorem \"CT-like\" version inv(n) = n^(m-2) mod m is 30x slower.\n    let a = mod(number, modulo);\n    let b = modulo;\n    // prettier-ignore\n    let x = _0n, y = _1n, u = _1n, v = _0n;\n    while (a !== _0n) {\n        // JIT applies optimization if those two lines follow each other\n        const q = b / a;\n        const r = b % a;\n        const m = x - u * q;\n        const n = y - v * q;\n        // prettier-ignore\n        b = a, a = r, x = u, y = v, u = m, v = n;\n    }\n    const gcd = b;\n    if (gcd !== _1n)\n        throw new Error('invert: does not exist');\n    return mod(x, modulo);\n}\n/**\n * Tonelli-Shanks square root search algorithm.\n * 1. https://eprint.iacr.org/2012/685.pdf (page 12)\n * 2. Square Roots from 1; 24, 51, 10 to Dan Shanks\n * Will start an infinite loop if field order P is not prime.\n * @param P field order\n * @returns function that takes field Fp (created from P) and number n\n */\nexport function tonelliShanks(P) {\n    // Legendre constant: used to calculate Legendre symbol (a | p),\n    // which denotes the value of a^((p-1)/2) (mod p).\n    // (a | p) ≡ 1    if a is a square (mod p)\n    // (a | p) ≡ -1   if a is not a square (mod p)\n    // (a | p) ≡ 0    if a ≡ 0 (mod p)\n    const legendreC = (P - _1n) / _2n;\n    let Q, S, Z;\n    // Step 1: By factoring out powers of 2 from p - 1,\n    // find q and s such that p - 1 = q*(2^s) with q odd\n    for (Q = P - _1n, S = 0; Q % _2n === _0n; Q /= _2n, S++)\n        ;\n    // Step 2: Select a non-square z such that (z | p) ≡ -1 and set c ≡ zq\n    for (Z = _2n; Z < P && pow(Z, legendreC, P) !== P - _1n; Z++)\n        ;\n    // Fast-path\n    if (S === 1) {\n        const p1div4 = (P + _1n) / _4n;\n        return function tonelliFast(Fp, n) {\n            const root = Fp.pow(n, p1div4);\n            if (!Fp.eql(Fp.sqr(root), n))\n                throw new Error('Cannot find square root');\n            return root;\n        };\n    }\n    // Slow-path\n    const Q1div2 = (Q + _1n) / _2n;\n    return function tonelliSlow(Fp, n) {\n        // Step 0: Check that n is indeed a square: (n | p) should not be ≡ -1\n        if (Fp.pow(n, legendreC) === Fp.neg(Fp.ONE))\n            throw new Error('Cannot find square root');\n        let r = S;\n        // TODO: will fail at Fp2/etc\n        let g = Fp.pow(Fp.mul(Fp.ONE, Z), Q); // will update both x and b\n        let x = Fp.pow(n, Q1div2); // first guess at the square root\n        let b = Fp.pow(n, Q); // first guess at the fudge factor\n        while (!Fp.eql(b, Fp.ONE)) {\n            if (Fp.eql(b, Fp.ZERO))\n                return Fp.ZERO; // https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm (4. If t = 0, return r = 0)\n            // Find m such b^(2^m)==1\n            let m = 1;\n            for (let t2 = Fp.sqr(b); m < r; m++) {\n                if (Fp.eql(t2, Fp.ONE))\n                    break;\n                t2 = Fp.sqr(t2); // t2 *= t2\n            }\n            // NOTE: r-m-1 can be bigger than 32, need to convert to bigint before shift, otherwise there will be overflow\n            const ge = Fp.pow(g, _1n << BigInt(r - m - 1)); // ge = 2^(r-m-1)\n            g = Fp.sqr(ge); // g = ge * ge\n            x = Fp.mul(x, ge); // x *= ge\n            b = Fp.mul(b, g); // b *= g\n            r = m;\n        }\n        return x;\n    };\n}\nexport function FpSqrt(P) {\n    // NOTE: different algorithms can give different roots, it is up to user to decide which one they want.\n    // For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).\n    // P ≡ 3 (mod 4)\n    // √n = n^((P+1)/4)\n    if (P % _4n === _3n) {\n        // Not all roots possible!\n        // const ORDER =\n        //   0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn;\n        // const NUM = 72057594037927816n;\n        const p1div4 = (P + _1n) / _4n;\n        return function sqrt3mod4(Fp, n) {\n            const root = Fp.pow(n, p1div4);\n            // Throw if root**2 != n\n            if (!Fp.eql(Fp.sqr(root), n))\n                throw new Error('Cannot find square root');\n            return root;\n        };\n    }\n    // Atkin algorithm for q ≡ 5 (mod 8), https://eprint.iacr.org/2012/685.pdf (page 10)\n    if (P % _8n === _5n) {\n        const c1 = (P - _5n) / _8n;\n        return function sqrt5mod8(Fp, n) {\n            const n2 = Fp.mul(n, _2n);\n            const v = Fp.pow(n2, c1);\n            const nv = Fp.mul(n, v);\n            const i = Fp.mul(Fp.mul(nv, _2n), v);\n            const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));\n            if (!Fp.eql(Fp.sqr(root), n))\n                throw new Error('Cannot find square root');\n            return root;\n        };\n    }\n    // P ≡ 9 (mod 16)\n    if (P % _16n === _9n) {\n        // NOTE: tonelli is too slow for bls-Fp2 calculations even on start\n        // Means we cannot use sqrt for constants at all!\n        //\n        // const c1 = Fp.sqrt(Fp.negate(Fp.ONE)); //  1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F\n        // const c2 = Fp.sqrt(c1);                //  2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F\n        // const c3 = Fp.sqrt(Fp.negate(c1));     //  3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F\n        // const c4 = (P + _7n) / _16n;           //  4. c4 = (q + 7) / 16        # Integer arithmetic\n        // sqrt = (x) => {\n        //   let tv1 = Fp.pow(x, c4);             //  1. tv1 = x^c4\n        //   let tv2 = Fp.mul(c1, tv1);           //  2. tv2 = c1 * tv1\n        //   const tv3 = Fp.mul(c2, tv1);         //  3. tv3 = c2 * tv1\n        //   let tv4 = Fp.mul(c3, tv1);           //  4. tv4 = c3 * tv1\n        //   const e1 = Fp.equals(Fp.square(tv2), x); //  5.  e1 = (tv2^2) == x\n        //   const e2 = Fp.equals(Fp.square(tv3), x); //  6.  e2 = (tv3^2) == x\n        //   tv1 = Fp.cmov(tv1, tv2, e1); //  7. tv1 = CMOV(tv1, tv2, e1)  # Select tv2 if (tv2^2) == x\n        //   tv2 = Fp.cmov(tv4, tv3, e2); //  8. tv2 = CMOV(tv4, tv3, e2)  # Select tv3 if (tv3^2) == x\n        //   const e3 = Fp.equals(Fp.square(tv2), x); //  9.  e3 = (tv2^2) == x\n        //   return Fp.cmov(tv1, tv2, e3); //  10.  z = CMOV(tv1, tv2, e3)  # Select the sqrt from tv1 and tv2\n        // }\n    }\n    // Other cases: Tonelli-Shanks algorithm\n    return tonelliShanks(P);\n}\n// Little-endian check for first LE bit (last BE bit);\nexport const isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n) === _1n;\n// prettier-ignore\nconst FIELD_FIELDS = [\n    'create', 'isValid', 'is0', 'neg', 'inv', 'sqrt', 'sqr',\n    'eql', 'add', 'sub', 'mul', 'pow', 'div',\n    'addN', 'subN', 'mulN', 'sqrN'\n];\nexport function validateField(field) {\n    const initial = {\n        ORDER: 'bigint',\n        MASK: 'bigint',\n        BYTES: 'isSafeInteger',\n        BITS: 'isSafeInteger',\n    };\n    const opts = FIELD_FIELDS.reduce((map, val) => {\n        map[val] = 'function';\n        return map;\n    }, initial);\n    return validateObject(field, opts);\n}\n// Generic field functions\n/**\n * Same as `pow` but for Fp: non-constant-time.\n * Unsafe in some contexts: uses ladder, so can expose bigint bits.\n */\nexport function FpPow(f, num, power) {\n    // Should have same speed as pow for bigints\n    // TODO: benchmark!\n    if (power < _0n)\n        throw new Error('Expected power > 0');\n    if (power === _0n)\n        return f.ONE;\n    if (power === _1n)\n        return num;\n    let p = f.ONE;\n    let d = num;\n    while (power > _0n) {\n        if (power & _1n)\n            p = f.mul(p, d);\n        d = f.sqr(d);\n        power >>= _1n;\n    }\n    return p;\n}\n/**\n * Efficiently invert an array of Field elements.\n * `inv(0)` will return `undefined` here: make sure to throw an error.\n */\nexport function FpInvertBatch(f, nums) {\n    const tmp = new Array(nums.length);\n    // Walk from first to last, multiply them by each other MOD p\n    const lastMultiplied = nums.reduce((acc, num, i) => {\n        if (f.is0(num))\n            return acc;\n        tmp[i] = acc;\n        return f.mul(acc, num);\n    }, f.ONE);\n    // Invert last element\n    const inverted = f.inv(lastMultiplied);\n    // Walk from last to first, multiply them by inverted each other MOD p\n    nums.reduceRight((acc, num, i) => {\n        if (f.is0(num))\n            return acc;\n        tmp[i] = f.mul(acc, tmp[i]);\n        return f.mul(acc, num);\n    }, inverted);\n    return tmp;\n}\nexport function FpDiv(f, lhs, rhs) {\n    return f.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.inv(rhs));\n}\nexport function FpLegendre(order) {\n    // (a | p) ≡ 1    if a is a square (mod p), quadratic residue\n    // (a | p) ≡ -1   if a is not a square (mod p), quadratic non residue\n    // (a | p) ≡ 0    if a ≡ 0 (mod p)\n    const legendreConst = (order - _1n) / _2n; // Integer arithmetic\n    return (f, x) => f.pow(x, legendreConst);\n}\n// This function returns True whenever the value x is a square in the field F.\nexport function FpIsSquare(f) {\n    const legendre = FpLegendre(f.ORDER);\n    return (x) => {\n        const p = legendre(f, x);\n        return f.eql(p, f.ZERO) || f.eql(p, f.ONE);\n    };\n}\n// CURVE.n lengths\nexport function nLength(n, nBitLength) {\n    // Bit size, byte size of CURVE.n\n    const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;\n    const nByteLength = Math.ceil(_nBitLength / 8);\n    return { nBitLength: _nBitLength, nByteLength };\n}\n/**\n * Initializes a finite field over prime. **Non-primes are not supported.**\n * Do not init in loop: slow. Very fragile: always run a benchmark on a change.\n * Major performance optimizations:\n * * a) denormalized operations like mulN instead of mul\n * * b) same object shape: never add or remove keys\n * * c) Object.freeze\n * NOTE: operations don't check 'isValid' for all elements for performance reasons,\n * it is caller responsibility to check this.\n * This is low-level code, please make sure you know what you doing.\n * @param ORDER prime positive bigint\n * @param bitLen how many bits the field consumes\n * @param isLE (def: false) if encoding / decoding should be in little-endian\n * @param redef optional faster redefinitions of sqrt and other methods\n */\nexport function Field(ORDER, bitLen, isLE = false, redef = {}) {\n    if (ORDER <= _0n)\n        throw new Error(`Expected Field ORDER > 0, got ${ORDER}`);\n    const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen);\n    if (BYTES > 2048)\n        throw new Error('Field lengths over 2048 bytes are not supported');\n    const sqrtP = FpSqrt(ORDER);\n    const f = Object.freeze({\n        ORDER,\n        BITS,\n        BYTES,\n        MASK: bitMask(BITS),\n        ZERO: _0n,\n        ONE: _1n,\n        create: (num) => mod(num, ORDER),\n        isValid: (num) => {\n            if (typeof num !== 'bigint')\n                throw new Error(`Invalid field element: expected bigint, got ${typeof num}`);\n            return _0n <= num && num < ORDER; // 0 is valid element, but it's not invertible\n        },\n        is0: (num) => num === _0n,\n        isOdd: (num) => (num & _1n) === _1n,\n        neg: (num) => mod(-num, ORDER),\n        eql: (lhs, rhs) => lhs === rhs,\n        sqr: (num) => mod(num * num, ORDER),\n        add: (lhs, rhs) => mod(lhs + rhs, ORDER),\n        sub: (lhs, rhs) => mod(lhs - rhs, ORDER),\n        mul: (lhs, rhs) => mod(lhs * rhs, ORDER),\n        pow: (num, power) => FpPow(f, num, power),\n        div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),\n        // Same as above, but doesn't normalize\n        sqrN: (num) => num * num,\n        addN: (lhs, rhs) => lhs + rhs,\n        subN: (lhs, rhs) => lhs - rhs,\n        mulN: (lhs, rhs) => lhs * rhs,\n        inv: (num) => invert(num, ORDER),\n        sqrt: redef.sqrt || ((n) => sqrtP(f, n)),\n        invertBatch: (lst) => FpInvertBatch(f, lst),\n        // TODO: do we really need constant cmov?\n        // We don't have const-time bigints anyway, so probably will be not very useful\n        cmov: (a, b, c) => (c ? b : a),\n        toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),\n        fromBytes: (bytes) => {\n            if (bytes.length !== BYTES)\n                throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes.length}`);\n            return isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);\n        },\n    });\n    return Object.freeze(f);\n}\nexport function FpSqrtOdd(Fp, elm) {\n    if (!Fp.isOdd)\n        throw new Error(`Field doesn't have isOdd`);\n    const root = Fp.sqrt(elm);\n    return Fp.isOdd(root) ? root : Fp.neg(root);\n}\nexport function FpSqrtEven(Fp, elm) {\n    if (!Fp.isOdd)\n        throw new Error(`Field doesn't have isOdd`);\n    const root = Fp.sqrt(elm);\n    return Fp.isOdd(root) ? Fp.neg(root) : root;\n}\n/**\n * \"Constant-time\" private key generation utility.\n * Same as mapKeyToField, but accepts less bytes (40 instead of 48 for 32-byte field).\n * Which makes it slightly more biased, less secure.\n * @deprecated use mapKeyToField instead\n */\nexport function hashToPrivateScalar(hash, groupOrder, isLE = false) {\n    hash = ensureBytes('privateHash', hash);\n    const hashLen = hash.length;\n    const minLen = nLength(groupOrder).nByteLength + 8;\n    if (minLen < 24 || hashLen < minLen || hashLen > 1024)\n        throw new Error(`hashToPrivateScalar: expected ${minLen}-1024 bytes of input, got ${hashLen}`);\n    const num = isLE ? bytesToNumberLE(hash) : bytesToNumberBE(hash);\n    return mod(num, groupOrder - _1n) + _1n;\n}\n/**\n * Returns total number of bytes consumed by the field element.\n * For example, 32 bytes for usual 256-bit weierstrass curve.\n * @param fieldOrder number of field elements, usually CURVE.n\n * @returns byte length of field\n */\nexport function getFieldBytesLength(fieldOrder) {\n    if (typeof fieldOrder !== 'bigint')\n        throw new Error('field order must be bigint');\n    const bitLength = fieldOrder.toString(2).length;\n    return Math.ceil(bitLength / 8);\n}\n/**\n * Returns minimal amount of bytes that can be safely reduced\n * by field order.\n * Should be 2^-128 for 128-bit curve such as P256.\n * @param fieldOrder number of field elements, usually CURVE.n\n * @returns byte length of target hash\n */\nexport function getMinHashLength(fieldOrder) {\n    const length = getFieldBytesLength(fieldOrder);\n    return length + Math.ceil(length / 2);\n}\n/**\n * \"Constant-time\" private key generation utility.\n * Can take (n + n/2) or more bytes of uniform input e.g. from CSPRNG or KDF\n * and convert them into private scalar, with the modulo bias being negligible.\n * Needs at least 48 bytes of input for 32-byte private key.\n * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/\n * FIPS 186-5, A.2 https://csrc.nist.gov/publications/detail/fips/186/5/final\n * RFC 9380, https://www.rfc-editor.org/rfc/rfc9380#section-5\n * @param hash hash output from SHA3 or a similar function\n * @param groupOrder size of subgroup - (e.g. secp256k1.CURVE.n)\n * @param isLE interpret hash bytes as LE num\n * @returns valid private scalar\n */\nexport function mapHashToField(key, fieldOrder, isLE = false) {\n    const len = key.length;\n    const fieldLen = getFieldBytesLength(fieldOrder);\n    const minLen = getMinHashLength(fieldOrder);\n    // No small numbers: need to understand bias story. No huge numbers: easier to detect JS timings.\n    if (len < 16 || len < minLen || len > 1024)\n        throw new Error(`expected ${minLen}-1024 bytes of input, got ${len}`);\n    const num = isLE ? bytesToNumberBE(key) : bytesToNumberLE(key);\n    // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0\n    const reduced = mod(num, fieldOrder - _1n) + _1n;\n    return isLE ? numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);\n}\n//# sourceMappingURL=modular.js.map","/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\n// Abelian group utilities\nimport { validateField, nLength } from './modular.js';\nimport { validateObject, bitLen } from './utils.js';\nconst _0n = BigInt(0);\nconst _1n = BigInt(1);\n// Since points in different groups cannot be equal (different object constructor),\n// we can have single place to store precomputes\nconst pointPrecomputes = new WeakMap();\nconst pointWindowSizes = new WeakMap(); // This allows use make points immutable (nothing changes inside)\n// Elliptic curve multiplication of Point by scalar. Fragile.\n// Scalars should always be less than curve order: this should be checked inside of a curve itself.\n// Creates precomputation tables for fast multiplication:\n// - private scalar is split by fixed size windows of W bits\n// - every window point is collected from window's table & added to accumulator\n// - since windows are different, same point inside tables won't be accessed more than once per calc\n// - each multiplication is 'Math.ceil(CURVE_ORDER / 𝑊) + 1' point additions (fixed for any scalar)\n// - +1 window is neccessary for wNAF\n// - wNAF reduces table size: 2x less memory + 2x faster generation, but 10% slower multiplication\n// TODO: Research returning 2d JS array of windows, instead of a single window. This would allow\n// windows to be in different memory locations\nexport function wNAF(c, bits) {\n    const constTimeNegate = (condition, item) => {\n        const neg = item.negate();\n        return condition ? neg : item;\n    };\n    const validateW = (W) => {\n        if (!Number.isSafeInteger(W) || W <= 0 || W > bits)\n            throw new Error(`Wrong window size=${W}, should be [1..${bits}]`);\n    };\n    const opts = (W) => {\n        validateW(W);\n        const windows = Math.ceil(bits / W) + 1; // +1, because\n        const windowSize = 2 ** (W - 1); // -1 because we skip zero\n        return { windows, windowSize };\n    };\n    return {\n        constTimeNegate,\n        // non-const time multiplication ladder\n        unsafeLadder(elm, n) {\n            let p = c.ZERO;\n            let d = elm;\n            while (n > _0n) {\n                if (n & _1n)\n                    p = p.add(d);\n                d = d.double();\n                n >>= _1n;\n            }\n            return p;\n        },\n        /**\n         * Creates a wNAF precomputation window. Used for caching.\n         * Default window size is set by `utils.precompute()` and is equal to 8.\n         * Number of precomputed points depends on the curve size:\n         * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:\n         * - 𝑊 is the window size\n         * - 𝑛 is the bitlength of the curve order.\n         * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.\n         * @returns precomputed point tables flattened to a single array\n         */\n        precomputeWindow(elm, W) {\n            const { windows, windowSize } = opts(W);\n            const points = [];\n            let p = elm;\n            let base = p;\n            for (let window = 0; window < windows; window++) {\n                base = p;\n                points.push(base);\n                // =1, because we skip zero\n                for (let i = 1; i < windowSize; i++) {\n                    base = base.add(p);\n                    points.push(base);\n                }\n                p = base.double();\n            }\n            return points;\n        },\n        /**\n         * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.\n         * @param W window size\n         * @param precomputes precomputed tables\n         * @param n scalar (we don't check here, but should be less than curve order)\n         * @returns real and fake (for const-time) points\n         */\n        wNAF(W, precomputes, n) {\n            // TODO: maybe check that scalar is less than group order? wNAF behavious is undefined otherwise\n            // But need to carefully remove other checks before wNAF. ORDER == bits here\n            const { windows, windowSize } = opts(W);\n            let p = c.ZERO;\n            let f = c.BASE;\n            const mask = BigInt(2 ** W - 1); // Create mask with W ones: 0b1111 for W=4 etc.\n            const maxNumber = 2 ** W;\n            const shiftBy = BigInt(W);\n            for (let window = 0; window < windows; window++) {\n                const offset = window * windowSize;\n                // Extract W bits.\n                let wbits = Number(n & mask);\n                // Shift number by W bits.\n                n >>= shiftBy;\n                // If the bits are bigger than max size, we'll split those.\n                // +224 => 256 - 32\n                if (wbits > windowSize) {\n                    wbits -= maxNumber;\n                    n += _1n;\n                }\n                // This code was first written with assumption that 'f' and 'p' will never be infinity point:\n                // since each addition is multiplied by 2 ** W, it cannot cancel each other. However,\n                // there is negate now: it is possible that negated element from low value\n                // would be the same as high element, which will create carry into next window.\n                // It's not obvious how this can fail, but still worth investigating later.\n                // Check if we're onto Zero point.\n                // Add random point inside current window to f.\n                const offset1 = offset;\n                const offset2 = offset + Math.abs(wbits) - 1; // -1 because we skip zero\n                const cond1 = window % 2 !== 0;\n                const cond2 = wbits < 0;\n                if (wbits === 0) {\n                    // The most important part for const-time getPublicKey\n                    f = f.add(constTimeNegate(cond1, precomputes[offset1]));\n                }\n                else {\n                    p = p.add(constTimeNegate(cond2, precomputes[offset2]));\n                }\n            }\n            // JIT-compiler should not eliminate f here, since it will later be used in normalizeZ()\n            // Even if the variable is still unused, there are some checks which will\n            // throw an exception, so compiler needs to prove they won't happen, which is hard.\n            // At this point there is a way to F be infinity-point even if p is not,\n            // which makes it less const-time: around 1 bigint multiply.\n            return { p, f };\n        },\n        wNAFCached(P, n, transform) {\n            const W = pointWindowSizes.get(P) || 1;\n            // Calculate precomputes on a first run, reuse them after\n            let comp = pointPrecomputes.get(P);\n            if (!comp) {\n                comp = this.precomputeWindow(P, W);\n                if (W !== 1)\n                    pointPrecomputes.set(P, transform(comp));\n            }\n            return this.wNAF(W, comp, n);\n        },\n        // We calculate precomputes for elliptic curve point multiplication\n        // using windowed method. This specifies window size and\n        // stores precomputed values. Usually only base point would be precomputed.\n        setWindowSize(P, W) {\n            validateW(W);\n            pointWindowSizes.set(P, W);\n            pointPrecomputes.delete(P);\n        },\n    };\n}\n/**\n * Pippenger algorithm for multi-scalar multiplication (MSM).\n * MSM is basically (Pa + Qb + Rc + ...).\n * 30x faster vs naive addition on L=4096, 10x faster with precomputes.\n * For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL.\n * Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0.\n * @param c Curve Point constructor\n * @param field field over CURVE.N - important that it's not over CURVE.P\n * @param points array of L curve points\n * @param scalars array of L scalars (aka private keys / bigints)\n */\nexport function pippenger(c, field, points, scalars) {\n    // If we split scalars by some window (let's say 8 bits), every chunk will only\n    // take 256 buckets even if there are 4096 scalars, also re-uses double.\n    // TODO:\n    // - https://eprint.iacr.org/2024/750.pdf\n    // - https://tches.iacr.org/index.php/TCHES/article/view/10287\n    // 0 is accepted in scalars\n    if (!Array.isArray(points) || !Array.isArray(scalars) || scalars.length !== points.length)\n        throw new Error('arrays of points and scalars must have equal length');\n    scalars.forEach((s, i) => {\n        if (!field.isValid(s))\n            throw new Error(`wrong scalar at index ${i}`);\n    });\n    points.forEach((p, i) => {\n        if (!(p instanceof c))\n            throw new Error(`wrong point at index ${i}`);\n    });\n    const wbits = bitLen(BigInt(points.length));\n    const windowSize = wbits > 12 ? wbits - 3 : wbits > 4 ? wbits - 2 : wbits ? 2 : 1; // in bits\n    const MASK = (1 << windowSize) - 1;\n    const buckets = new Array(MASK + 1).fill(c.ZERO); // +1 for zero array\n    const lastBits = Math.floor((field.BITS - 1) / windowSize) * windowSize;\n    let sum = c.ZERO;\n    for (let i = lastBits; i >= 0; i -= windowSize) {\n        buckets.fill(c.ZERO);\n        for (let j = 0; j < scalars.length; j++) {\n            const scalar = scalars[j];\n            const wbits = Number((scalar >> BigInt(i)) & BigInt(MASK));\n            buckets[wbits] = buckets[wbits].add(points[j]);\n        }\n        let resI = c.ZERO; // not using this will do small speed-up, but will lose ct\n        // Skip first bucket, because it is zero\n        for (let j = buckets.length - 1, sumI = c.ZERO; j > 0; j--) {\n            sumI = sumI.add(buckets[j]);\n            resI = resI.add(sumI);\n        }\n        sum = sum.add(resI);\n        if (i !== 0)\n            for (let j = 0; j < windowSize; j++)\n                sum = sum.double();\n    }\n    return sum;\n}\nexport function validateBasic(curve) {\n    validateField(curve.Fp);\n    validateObject(curve, {\n        n: 'bigint',\n        h: 'bigint',\n        Gx: 'field',\n        Gy: 'field',\n    }, {\n        nBitLength: 'isSafeInteger',\n        nByteLength: 'isSafeInteger',\n    });\n    // Set defaults\n    return Object.freeze({\n        ...nLength(curve.n, curve.nBitLength),\n        ...curve,\n        ...{ p: curve.Fp.ORDER },\n    });\n}\n//# sourceMappingURL=curve.js.map","/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\n// Short Weierstrass curve. The formula is: y² = x³ + ax + b\nimport { validateBasic, wNAF, pippenger, } from './curve.js';\nimport * as mod from './modular.js';\nimport * as ut from './utils.js';\nimport { ensureBytes, memoized, abool } from './utils.js';\nfunction validateSigVerOpts(opts) {\n    if (opts.lowS !== undefined)\n        abool('lowS', opts.lowS);\n    if (opts.prehash !== undefined)\n        abool('prehash', opts.prehash);\n}\nfunction validatePointOpts(curve) {\n    const opts = validateBasic(curve);\n    ut.validateObject(opts, {\n        a: 'field',\n        b: 'field',\n    }, {\n        allowedPrivateKeyLengths: 'array',\n        wrapPrivateKey: 'boolean',\n        isTorsionFree: 'function',\n        clearCofactor: 'function',\n        allowInfinityPoint: 'boolean',\n        fromBytes: 'function',\n        toBytes: 'function',\n    });\n    const { endo, Fp, a } = opts;\n    if (endo) {\n        if (!Fp.eql(a, Fp.ZERO)) {\n            throw new Error('Endomorphism can only be defined for Koblitz curves that have a=0');\n        }\n        if (typeof endo !== 'object' ||\n            typeof endo.beta !== 'bigint' ||\n            typeof endo.splitScalar !== 'function') {\n            throw new Error('Expected endomorphism with beta: bigint and splitScalar: function');\n        }\n    }\n    return Object.freeze({ ...opts });\n}\nconst { bytesToNumberBE: b2n, hexToBytes: h2b } = ut;\n/**\n * ASN.1 DER encoding utilities. ASN is very complex & fragile. Format:\n *\n *     [0x30 (SEQUENCE), bytelength, 0x02 (INTEGER), intLength, R, 0x02 (INTEGER), intLength, S]\n *\n * Docs: https://letsencrypt.org/docs/a-warm-welcome-to-asn1-and-der/, https://luca.ntop.org/Teaching/Appunti/asn1.html\n */\nexport const DER = {\n    // asn.1 DER encoding utils\n    Err: class DERErr extends Error {\n        constructor(m = '') {\n            super(m);\n        }\n    },\n    // Basic building block is TLV (Tag-Length-Value)\n    _tlv: {\n        encode: (tag, data) => {\n            const { Err: E } = DER;\n            if (tag < 0 || tag > 256)\n                throw new E('tlv.encode: wrong tag');\n            if (data.length & 1)\n                throw new E('tlv.encode: unpadded data');\n            const dataLen = data.length / 2;\n            const len = ut.numberToHexUnpadded(dataLen);\n            if ((len.length / 2) & 128)\n                throw new E('tlv.encode: long form length too big');\n            // length of length with long form flag\n            const lenLen = dataLen > 127 ? ut.numberToHexUnpadded((len.length / 2) | 128) : '';\n            return `${ut.numberToHexUnpadded(tag)}${lenLen}${len}${data}`;\n        },\n        // v - value, l - left bytes (unparsed)\n        decode(tag, data) {\n            const { Err: E } = DER;\n            let pos = 0;\n            if (tag < 0 || tag > 256)\n                throw new E('tlv.encode: wrong tag');\n            if (data.length < 2 || data[pos++] !== tag)\n                throw new E('tlv.decode: wrong tlv');\n            const first = data[pos++];\n            const isLong = !!(first & 128); // First bit of first length byte is flag for short/long form\n            let length = 0;\n            if (!isLong)\n                length = first;\n            else {\n                // Long form: [longFlag(1bit), lengthLength(7bit), length (BE)]\n                const lenLen = first & 127;\n                if (!lenLen)\n                    throw new E('tlv.decode(long): indefinite length not supported');\n                if (lenLen > 4)\n                    throw new E('tlv.decode(long): byte length is too big'); // this will overflow u32 in js\n                const lengthBytes = data.subarray(pos, pos + lenLen);\n                if (lengthBytes.length !== lenLen)\n                    throw new E('tlv.decode: length bytes not complete');\n                if (lengthBytes[0] === 0)\n                    throw new E('tlv.decode(long): zero leftmost byte');\n                for (const b of lengthBytes)\n                    length = (length << 8) | b;\n                pos += lenLen;\n                if (length < 128)\n                    throw new E('tlv.decode(long): not minimal encoding');\n            }\n            const v = data.subarray(pos, pos + length);\n            if (v.length !== length)\n                throw new E('tlv.decode: wrong value length');\n            return { v, l: data.subarray(pos + length) };\n        },\n    },\n    // https://crypto.stackexchange.com/a/57734 Leftmost bit of first byte is 'negative' flag,\n    // since we always use positive integers here. It must always be empty:\n    // - add zero byte if exists\n    // - if next byte doesn't have a flag, leading zero is not allowed (minimal encoding)\n    _int: {\n        encode(num) {\n            const { Err: E } = DER;\n            if (num < _0n)\n                throw new E('integer: negative integers are not allowed');\n            let hex = ut.numberToHexUnpadded(num);\n            // Pad with zero byte if negative flag is present\n            if (Number.parseInt(hex[0], 16) & 0b1000)\n                hex = '00' + hex;\n            if (hex.length & 1)\n                throw new E('unexpected assertion');\n            return hex;\n        },\n        decode(data) {\n            const { Err: E } = DER;\n            if (data[0] & 128)\n                throw new E('Invalid signature integer: negative');\n            if (data[0] === 0x00 && !(data[1] & 128))\n                throw new E('Invalid signature integer: unnecessary leading zero');\n            return b2n(data);\n        },\n    },\n    toSig(hex) {\n        // parse DER signature\n        const { Err: E, _int: int, _tlv: tlv } = DER;\n        const data = typeof hex === 'string' ? h2b(hex) : hex;\n        ut.abytes(data);\n        const { v: seqBytes, l: seqLeftBytes } = tlv.decode(0x30, data);\n        if (seqLeftBytes.length)\n            throw new E('Invalid signature: left bytes after parsing');\n        const { v: rBytes, l: rLeftBytes } = tlv.decode(0x02, seqBytes);\n        const { v: sBytes, l: sLeftBytes } = tlv.decode(0x02, rLeftBytes);\n        if (sLeftBytes.length)\n            throw new E('Invalid signature: left bytes after parsing');\n        return { r: int.decode(rBytes), s: int.decode(sBytes) };\n    },\n    hexFromSig(sig) {\n        const { _tlv: tlv, _int: int } = DER;\n        const seq = `${tlv.encode(0x02, int.encode(sig.r))}${tlv.encode(0x02, int.encode(sig.s))}`;\n        return tlv.encode(0x30, seq);\n    },\n};\n// Be friendly to bad ECMAScript parsers by not using bigint literals\n// prettier-ignore\nconst _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);\nexport function weierstrassPoints(opts) {\n    const CURVE = validatePointOpts(opts);\n    const { Fp } = CURVE; // All curves has same field / group length as for now, but they can differ\n    const Fn = mod.Field(CURVE.n, CURVE.nBitLength);\n    const toBytes = CURVE.toBytes ||\n        ((_c, point, _isCompressed) => {\n            const a = point.toAffine();\n            return ut.concatBytes(Uint8Array.from([0x04]), Fp.toBytes(a.x), Fp.toBytes(a.y));\n        });\n    const fromBytes = CURVE.fromBytes ||\n        ((bytes) => {\n            // const head = bytes[0];\n            const tail = bytes.subarray(1);\n            // if (head !== 0x04) throw new Error('Only non-compressed encoding is supported');\n            const x = Fp.fromBytes(tail.subarray(0, Fp.BYTES));\n            const y = Fp.fromBytes(tail.subarray(Fp.BYTES, 2 * Fp.BYTES));\n            return { x, y };\n        });\n    /**\n     * y² = x³ + ax + b: Short weierstrass curve formula\n     * @returns y²\n     */\n    function weierstrassEquation(x) {\n        const { a, b } = CURVE;\n        const x2 = Fp.sqr(x); // x * x\n        const x3 = Fp.mul(x2, x); // x2 * x\n        return Fp.add(Fp.add(x3, Fp.mul(x, a)), b); // x3 + a * x + b\n    }\n    // Validate whether the passed curve params are valid.\n    // We check if curve equation works for generator point.\n    // `assertValidity()` won't work: `isTorsionFree()` is not available at this point in bls12-381.\n    // ProjectivePoint class has not been initialized yet.\n    if (!Fp.eql(Fp.sqr(CURVE.Gy), weierstrassEquation(CURVE.Gx)))\n        throw new Error('bad generator point: equation left != right');\n    // Valid group elements reside in range 1..n-1\n    function isWithinCurveOrder(num) {\n        return ut.inRange(num, _1n, CURVE.n);\n    }\n    // Validates if priv key is valid and converts it to bigint.\n    // Supports options allowedPrivateKeyLengths and wrapPrivateKey.\n    function normPrivateKeyToScalar(key) {\n        const { allowedPrivateKeyLengths: lengths, nByteLength, wrapPrivateKey, n: N } = CURVE;\n        if (lengths && typeof key !== 'bigint') {\n            if (ut.isBytes(key))\n                key = ut.bytesToHex(key);\n            // Normalize to hex string, pad. E.g. P521 would norm 130-132 char hex to 132-char bytes\n            if (typeof key !== 'string' || !lengths.includes(key.length))\n                throw new Error('Invalid key');\n            key = key.padStart(nByteLength * 2, '0');\n        }\n        let num;\n        try {\n            num =\n                typeof key === 'bigint'\n                    ? key\n                    : ut.bytesToNumberBE(ensureBytes('private key', key, nByteLength));\n        }\n        catch (error) {\n            throw new Error(`private key must be ${nByteLength} bytes, hex or bigint, not ${typeof key}`);\n        }\n        if (wrapPrivateKey)\n            num = mod.mod(num, N); // disabled by default, enabled for BLS\n        ut.aInRange('private key', num, _1n, N); // num in range [1..N-1]\n        return num;\n    }\n    function assertPrjPoint(other) {\n        if (!(other instanceof Point))\n            throw new Error('ProjectivePoint expected');\n    }\n    // Memoized toAffine / validity check. They are heavy. Points are immutable.\n    // Converts Projective point to affine (x, y) coordinates.\n    // Can accept precomputed Z^-1 - for example, from invertBatch.\n    // (x, y, z) ∋ (x=x/z, y=y/z)\n    const toAffineMemo = memoized((p, iz) => {\n        const { px: x, py: y, pz: z } = p;\n        // Fast-path for normalized points\n        if (Fp.eql(z, Fp.ONE))\n            return { x, y };\n        const is0 = p.is0();\n        // If invZ was 0, we return zero point. However we still want to execute\n        // all operations, so we replace invZ with a random number, 1.\n        if (iz == null)\n            iz = is0 ? Fp.ONE : Fp.inv(z);\n        const ax = Fp.mul(x, iz);\n        const ay = Fp.mul(y, iz);\n        const zz = Fp.mul(z, iz);\n        if (is0)\n            return { x: Fp.ZERO, y: Fp.ZERO };\n        if (!Fp.eql(zz, Fp.ONE))\n            throw new Error('invZ was invalid');\n        return { x: ax, y: ay };\n    });\n    // NOTE: on exception this will crash 'cached' and no value will be set.\n    // Otherwise true will be return\n    const assertValidMemo = memoized((p) => {\n        if (p.is0()) {\n            // (0, 1, 0) aka ZERO is invalid in most contexts.\n            // In BLS, ZERO can be serialized, so we allow it.\n            // (0, 0, 0) is wrong representation of ZERO and is always invalid.\n            if (CURVE.allowInfinityPoint && !Fp.is0(p.py))\n                return;\n            throw new Error('bad point: ZERO');\n        }\n        // Some 3rd-party test vectors require different wording between here & `fromCompressedHex`\n        const { x, y } = p.toAffine();\n        // Check if x, y are valid field elements\n        if (!Fp.isValid(x) || !Fp.isValid(y))\n            throw new Error('bad point: x or y not FE');\n        const left = Fp.sqr(y); // y²\n        const right = weierstrassEquation(x); // x³ + ax + b\n        if (!Fp.eql(left, right))\n            throw new Error('bad point: equation left != right');\n        if (!p.isTorsionFree())\n            throw new Error('bad point: not in prime-order subgroup');\n        return true;\n    });\n    /**\n     * Projective Point works in 3d / projective (homogeneous) coordinates: (x, y, z) ∋ (x=x/z, y=y/z)\n     * Default Point works in 2d / affine coordinates: (x, y)\n     * We're doing calculations in projective, because its operations don't require costly inversion.\n     */\n    class Point {\n        constructor(px, py, pz) {\n            this.px = px;\n            this.py = py;\n            this.pz = pz;\n            if (px == null || !Fp.isValid(px))\n                throw new Error('x required');\n            if (py == null || !Fp.isValid(py))\n                throw new Error('y required');\n            if (pz == null || !Fp.isValid(pz))\n                throw new Error('z required');\n            Object.freeze(this);\n        }\n        // Does not validate if the point is on-curve.\n        // Use fromHex instead, or call assertValidity() later.\n        static fromAffine(p) {\n            const { x, y } = p || {};\n            if (!p || !Fp.isValid(x) || !Fp.isValid(y))\n                throw new Error('invalid affine point');\n            if (p instanceof Point)\n                throw new Error('projective point not allowed');\n            const is0 = (i) => Fp.eql(i, Fp.ZERO);\n            // fromAffine(x:0, y:0) would produce (x:0, y:0, z:1), but we need (x:0, y:1, z:0)\n            if (is0(x) && is0(y))\n                return Point.ZERO;\n            return new Point(x, y, Fp.ONE);\n        }\n        get x() {\n            return this.toAffine().x;\n        }\n        get y() {\n            return this.toAffine().y;\n        }\n        /**\n         * Takes a bunch of Projective Points but executes only one\n         * inversion on all of them. Inversion is very slow operation,\n         * so this improves performance massively.\n         * Optimization: converts a list of projective points to a list of identical points with Z=1.\n         */\n        static normalizeZ(points) {\n            const toInv = Fp.invertBatch(points.map((p) => p.pz));\n            return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);\n        }\n        /**\n         * Converts hash string or Uint8Array to Point.\n         * @param hex short/long ECDSA hex\n         */\n        static fromHex(hex) {\n            const P = Point.fromAffine(fromBytes(ensureBytes('pointHex', hex)));\n            P.assertValidity();\n            return P;\n        }\n        // Multiplies generator point by privateKey.\n        static fromPrivateKey(privateKey) {\n            return Point.BASE.multiply(normPrivateKeyToScalar(privateKey));\n        }\n        // Multiscalar Multiplication\n        static msm(points, scalars) {\n            return pippenger(Point, Fn, points, scalars);\n        }\n        // \"Private method\", don't use it directly\n        _setWindowSize(windowSize) {\n            wnaf.setWindowSize(this, windowSize);\n        }\n        // A point on curve is valid if it conforms to equation.\n        assertValidity() {\n            assertValidMemo(this);\n        }\n        hasEvenY() {\n            const { y } = this.toAffine();\n            if (Fp.isOdd)\n                return !Fp.isOdd(y);\n            throw new Error(\"Field doesn't support isOdd\");\n        }\n        /**\n         * Compare one point to another.\n         */\n        equals(other) {\n            assertPrjPoint(other);\n            const { px: X1, py: Y1, pz: Z1 } = this;\n            const { px: X2, py: Y2, pz: Z2 } = other;\n            const U1 = Fp.eql(Fp.mul(X1, Z2), Fp.mul(X2, Z1));\n            const U2 = Fp.eql(Fp.mul(Y1, Z2), Fp.mul(Y2, Z1));\n            return U1 && U2;\n        }\n        /**\n         * Flips point to one corresponding to (x, -y) in Affine coordinates.\n         */\n        negate() {\n            return new Point(this.px, Fp.neg(this.py), this.pz);\n        }\n        // Renes-Costello-Batina exception-free doubling formula.\n        // There is 30% faster Jacobian formula, but it is not complete.\n        // https://eprint.iacr.org/2015/1060, algorithm 3\n        // Cost: 8M + 3S + 3*a + 2*b3 + 15add.\n        double() {\n            const { a, b } = CURVE;\n            const b3 = Fp.mul(b, _3n);\n            const { px: X1, py: Y1, pz: Z1 } = this;\n            let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore\n            let t0 = Fp.mul(X1, X1); // step 1\n            let t1 = Fp.mul(Y1, Y1);\n            let t2 = Fp.mul(Z1, Z1);\n            let t3 = Fp.mul(X1, Y1);\n            t3 = Fp.add(t3, t3); // step 5\n            Z3 = Fp.mul(X1, Z1);\n            Z3 = Fp.add(Z3, Z3);\n            X3 = Fp.mul(a, Z3);\n            Y3 = Fp.mul(b3, t2);\n            Y3 = Fp.add(X3, Y3); // step 10\n            X3 = Fp.sub(t1, Y3);\n            Y3 = Fp.add(t1, Y3);\n            Y3 = Fp.mul(X3, Y3);\n            X3 = Fp.mul(t3, X3);\n            Z3 = Fp.mul(b3, Z3); // step 15\n            t2 = Fp.mul(a, t2);\n            t3 = Fp.sub(t0, t2);\n            t3 = Fp.mul(a, t3);\n            t3 = Fp.add(t3, Z3);\n            Z3 = Fp.add(t0, t0); // step 20\n            t0 = Fp.add(Z3, t0);\n            t0 = Fp.add(t0, t2);\n            t0 = Fp.mul(t0, t3);\n            Y3 = Fp.add(Y3, t0);\n            t2 = Fp.mul(Y1, Z1); // step 25\n            t2 = Fp.add(t2, t2);\n            t0 = Fp.mul(t2, t3);\n            X3 = Fp.sub(X3, t0);\n            Z3 = Fp.mul(t2, t1);\n            Z3 = Fp.add(Z3, Z3); // step 30\n            Z3 = Fp.add(Z3, Z3);\n            return new Point(X3, Y3, Z3);\n        }\n        // Renes-Costello-Batina exception-free addition formula.\n        // There is 30% faster Jacobian formula, but it is not complete.\n        // https://eprint.iacr.org/2015/1060, algorithm 1\n        // Cost: 12M + 0S + 3*a + 3*b3 + 23add.\n        add(other) {\n            assertPrjPoint(other);\n            const { px: X1, py: Y1, pz: Z1 } = this;\n            const { px: X2, py: Y2, pz: Z2 } = other;\n            let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore\n            const a = CURVE.a;\n            const b3 = Fp.mul(CURVE.b, _3n);\n            let t0 = Fp.mul(X1, X2); // step 1\n            let t1 = Fp.mul(Y1, Y2);\n            let t2 = Fp.mul(Z1, Z2);\n            let t3 = Fp.add(X1, Y1);\n            let t4 = Fp.add(X2, Y2); // step 5\n            t3 = Fp.mul(t3, t4);\n            t4 = Fp.add(t0, t1);\n            t3 = Fp.sub(t3, t4);\n            t4 = Fp.add(X1, Z1);\n            let t5 = Fp.add(X2, Z2); // step 10\n            t4 = Fp.mul(t4, t5);\n            t5 = Fp.add(t0, t2);\n            t4 = Fp.sub(t4, t5);\n            t5 = Fp.add(Y1, Z1);\n            X3 = Fp.add(Y2, Z2); // step 15\n            t5 = Fp.mul(t5, X3);\n            X3 = Fp.add(t1, t2);\n            t5 = Fp.sub(t5, X3);\n            Z3 = Fp.mul(a, t4);\n            X3 = Fp.mul(b3, t2); // step 20\n            Z3 = Fp.add(X3, Z3);\n            X3 = Fp.sub(t1, Z3);\n            Z3 = Fp.add(t1, Z3);\n            Y3 = Fp.mul(X3, Z3);\n            t1 = Fp.add(t0, t0); // step 25\n            t1 = Fp.add(t1, t0);\n            t2 = Fp.mul(a, t2);\n            t4 = Fp.mul(b3, t4);\n            t1 = Fp.add(t1, t2);\n            t2 = Fp.sub(t0, t2); // step 30\n            t2 = Fp.mul(a, t2);\n            t4 = Fp.add(t4, t2);\n            t0 = Fp.mul(t1, t4);\n            Y3 = Fp.add(Y3, t0);\n            t0 = Fp.mul(t5, t4); // step 35\n            X3 = Fp.mul(t3, X3);\n            X3 = Fp.sub(X3, t0);\n            t0 = Fp.mul(t3, t1);\n            Z3 = Fp.mul(t5, Z3);\n            Z3 = Fp.add(Z3, t0); // step 40\n            return new Point(X3, Y3, Z3);\n        }\n        subtract(other) {\n            return this.add(other.negate());\n        }\n        is0() {\n            return this.equals(Point.ZERO);\n        }\n        wNAF(n) {\n            return wnaf.wNAFCached(this, n, Point.normalizeZ);\n        }\n        /**\n         * Non-constant-time multiplication. Uses double-and-add algorithm.\n         * It's faster, but should only be used when you don't care about\n         * an exposed private key e.g. sig verification, which works over *public* keys.\n         */\n        multiplyUnsafe(sc) {\n            ut.aInRange('scalar', sc, _0n, CURVE.n);\n            const I = Point.ZERO;\n            if (sc === _0n)\n                return I;\n            if (sc === _1n)\n                return this;\n            const { endo } = CURVE;\n            if (!endo)\n                return wnaf.unsafeLadder(this, sc);\n            // Apply endomorphism\n            let { k1neg, k1, k2neg, k2 } = endo.splitScalar(sc);\n            let k1p = I;\n            let k2p = I;\n            let d = this;\n            while (k1 > _0n || k2 > _0n) {\n                if (k1 & _1n)\n                    k1p = k1p.add(d);\n                if (k2 & _1n)\n                    k2p = k2p.add(d);\n                d = d.double();\n                k1 >>= _1n;\n                k2 >>= _1n;\n            }\n            if (k1neg)\n                k1p = k1p.negate();\n            if (k2neg)\n                k2p = k2p.negate();\n            k2p = new Point(Fp.mul(k2p.px, endo.beta), k2p.py, k2p.pz);\n            return k1p.add(k2p);\n        }\n        /**\n         * Constant time multiplication.\n         * Uses wNAF method. Windowed method may be 10% faster,\n         * but takes 2x longer to generate and consumes 2x memory.\n         * Uses precomputes when available.\n         * Uses endomorphism for Koblitz curves.\n         * @param scalar by which the point would be multiplied\n         * @returns New point\n         */\n        multiply(scalar) {\n            const { endo, n: N } = CURVE;\n            ut.aInRange('scalar', scalar, _1n, N);\n            let point, fake; // Fake point is used to const-time mult\n            if (endo) {\n                const { k1neg, k1, k2neg, k2 } = endo.splitScalar(scalar);\n                let { p: k1p, f: f1p } = this.wNAF(k1);\n                let { p: k2p, f: f2p } = this.wNAF(k2);\n                k1p = wnaf.constTimeNegate(k1neg, k1p);\n                k2p = wnaf.constTimeNegate(k2neg, k2p);\n                k2p = new Point(Fp.mul(k2p.px, endo.beta), k2p.py, k2p.pz);\n                point = k1p.add(k2p);\n                fake = f1p.add(f2p);\n            }\n            else {\n                const { p, f } = this.wNAF(scalar);\n                point = p;\n                fake = f;\n            }\n            // Normalize `z` for both points, but return only real one\n            return Point.normalizeZ([point, fake])[0];\n        }\n        /**\n         * Efficiently calculate `aP + bQ`. Unsafe, can expose private key, if used incorrectly.\n         * Not using Strauss-Shamir trick: precomputation tables are faster.\n         * The trick could be useful if both P and Q are not G (not in our case).\n         * @returns non-zero affine point\n         */\n        multiplyAndAddUnsafe(Q, a, b) {\n            const G = Point.BASE; // No Strauss-Shamir trick: we have 10% faster G precomputes\n            const mul = (P, a // Select faster multiply() method\n            ) => (a === _0n || a === _1n || !P.equals(G) ? P.multiplyUnsafe(a) : P.multiply(a));\n            const sum = mul(this, a).add(mul(Q, b));\n            return sum.is0() ? undefined : sum;\n        }\n        // Converts Projective point to affine (x, y) coordinates.\n        // Can accept precomputed Z^-1 - for example, from invertBatch.\n        // (x, y, z) ∋ (x=x/z, y=y/z)\n        toAffine(iz) {\n            return toAffineMemo(this, iz);\n        }\n        isTorsionFree() {\n            const { h: cofactor, isTorsionFree } = CURVE;\n            if (cofactor === _1n)\n                return true; // No subgroups, always torsion-free\n            if (isTorsionFree)\n                return isTorsionFree(Point, this);\n            throw new Error('isTorsionFree() has not been declared for the elliptic curve');\n        }\n        clearCofactor() {\n            const { h: cofactor, clearCofactor } = CURVE;\n            if (cofactor === _1n)\n                return this; // Fast-path\n            if (clearCofactor)\n                return clearCofactor(Point, this);\n            return this.multiplyUnsafe(CURVE.h);\n        }\n        toRawBytes(isCompressed = true) {\n            abool('isCompressed', isCompressed);\n            this.assertValidity();\n            return toBytes(Point, this, isCompressed);\n        }\n        toHex(isCompressed = true) {\n            abool('isCompressed', isCompressed);\n            return ut.bytesToHex(this.toRawBytes(isCompressed));\n        }\n    }\n    Point.BASE = new Point(CURVE.Gx, CURVE.Gy, Fp.ONE);\n    Point.ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO);\n    const _bits = CURVE.nBitLength;\n    const wnaf = wNAF(Point, CURVE.endo ? Math.ceil(_bits / 2) : _bits);\n    // Validate if generator point is on curve\n    return {\n        CURVE,\n        ProjectivePoint: Point,\n        normPrivateKeyToScalar,\n        weierstrassEquation,\n        isWithinCurveOrder,\n    };\n}\nfunction validateOpts(curve) {\n    const opts = validateBasic(curve);\n    ut.validateObject(opts, {\n        hash: 'hash',\n        hmac: 'function',\n        randomBytes: 'function',\n    }, {\n        bits2int: 'function',\n        bits2int_modN: 'function',\n        lowS: 'boolean',\n    });\n    return Object.freeze({ lowS: true, ...opts });\n}\n/**\n * Creates short weierstrass curve and ECDSA signature methods for it.\n * @example\n * import { Field } from '@noble/curves/abstract/modular';\n * // Before that, define BigInt-s: a, b, p, n, Gx, Gy\n * const curve = weierstrass({ a, b, Fp: Field(p), n, Gx, Gy, h: 1n })\n */\nexport function weierstrass(curveDef) {\n    const CURVE = validateOpts(curveDef);\n    const { Fp, n: CURVE_ORDER } = CURVE;\n    const compressedLen = Fp.BYTES + 1; // e.g. 33 for 32\n    const uncompressedLen = 2 * Fp.BYTES + 1; // e.g. 65 for 32\n    function modN(a) {\n        return mod.mod(a, CURVE_ORDER);\n    }\n    function invN(a) {\n        return mod.invert(a, CURVE_ORDER);\n    }\n    const { ProjectivePoint: Point, normPrivateKeyToScalar, weierstrassEquation, isWithinCurveOrder, } = weierstrassPoints({\n        ...CURVE,\n        toBytes(_c, point, isCompressed) {\n            const a = point.toAffine();\n            const x = Fp.toBytes(a.x);\n            const cat = ut.concatBytes;\n            abool('isCompressed', isCompressed);\n            if (isCompressed) {\n                return cat(Uint8Array.from([point.hasEvenY() ? 0x02 : 0x03]), x);\n            }\n            else {\n                return cat(Uint8Array.from([0x04]), x, Fp.toBytes(a.y));\n            }\n        },\n        fromBytes(bytes) {\n            const len = bytes.length;\n            const head = bytes[0];\n            const tail = bytes.subarray(1);\n            // this.assertValidity() is done inside of fromHex\n            if (len === compressedLen && (head === 0x02 || head === 0x03)) {\n                const x = ut.bytesToNumberBE(tail);\n                if (!ut.inRange(x, _1n, Fp.ORDER))\n                    throw new Error('Point is not on curve');\n                const y2 = weierstrassEquation(x); // y² = x³ + ax + b\n                let y;\n                try {\n                    y = Fp.sqrt(y2); // y = y² ^ (p+1)/4\n                }\n                catch (sqrtError) {\n                    const suffix = sqrtError instanceof Error ? ': ' + sqrtError.message : '';\n                    throw new Error('Point is not on curve' + suffix);\n                }\n                const isYOdd = (y & _1n) === _1n;\n                // ECDSA\n                const isHeadOdd = (head & 1) === 1;\n                if (isHeadOdd !== isYOdd)\n                    y = Fp.neg(y);\n                return { x, y };\n            }\n            else if (len === uncompressedLen && head === 0x04) {\n                const x = Fp.fromBytes(tail.subarray(0, Fp.BYTES));\n                const y = Fp.fromBytes(tail.subarray(Fp.BYTES, 2 * Fp.BYTES));\n                return { x, y };\n            }\n            else {\n                throw new Error(`Point of length ${len} was invalid. Expected ${compressedLen} compressed bytes or ${uncompressedLen} uncompressed bytes`);\n            }\n        },\n    });\n    const numToNByteStr = (num) => ut.bytesToHex(ut.numberToBytesBE(num, CURVE.nByteLength));\n    function isBiggerThanHalfOrder(number) {\n        const HALF = CURVE_ORDER >> _1n;\n        return number > HALF;\n    }\n    function normalizeS(s) {\n        return isBiggerThanHalfOrder(s) ? modN(-s) : s;\n    }\n    // slice bytes num\n    const slcNum = (b, from, to) => ut.bytesToNumberBE(b.slice(from, to));\n    /**\n     * ECDSA signature with its (r, s) properties. Supports DER & compact representations.\n     */\n    class Signature {\n        constructor(r, s, recovery) {\n            this.r = r;\n            this.s = s;\n            this.recovery = recovery;\n            this.assertValidity();\n        }\n        // pair (bytes of r, bytes of s)\n        static fromCompact(hex) {\n            const l = CURVE.nByteLength;\n            hex = ensureBytes('compactSignature', hex, l * 2);\n            return new Signature(slcNum(hex, 0, l), slcNum(hex, l, 2 * l));\n        }\n        // DER encoded ECDSA signature\n        // https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script\n        static fromDER(hex) {\n            const { r, s } = DER.toSig(ensureBytes('DER', hex));\n            return new Signature(r, s);\n        }\n        assertValidity() {\n            ut.aInRange('r', this.r, _1n, CURVE_ORDER); // r in [1..N]\n            ut.aInRange('s', this.s, _1n, CURVE_ORDER); // s in [1..N]\n        }\n        addRecoveryBit(recovery) {\n            return new Signature(this.r, this.s, recovery);\n        }\n        recoverPublicKey(msgHash) {\n            const { r, s, recovery: rec } = this;\n            const h = bits2int_modN(ensureBytes('msgHash', msgHash)); // Truncate hash\n            if (rec == null || ![0, 1, 2, 3].includes(rec))\n                throw new Error('recovery id invalid');\n            const radj = rec === 2 || rec === 3 ? r + CURVE.n : r;\n            if (radj >= Fp.ORDER)\n                throw new Error('recovery id 2 or 3 invalid');\n            const prefix = (rec & 1) === 0 ? '02' : '03';\n            const R = Point.fromHex(prefix + numToNByteStr(radj));\n            const ir = invN(radj); // r^-1\n            const u1 = modN(-h * ir); // -hr^-1\n            const u2 = modN(s * ir); // sr^-1\n            const Q = Point.BASE.multiplyAndAddUnsafe(R, u1, u2); // (sr^-1)R-(hr^-1)G = -(hr^-1)G + (sr^-1)\n            if (!Q)\n                throw new Error('point at infinify'); // unsafe is fine: no priv data leaked\n            Q.assertValidity();\n            return Q;\n        }\n        // Signatures should be low-s, to prevent malleability.\n        hasHighS() {\n            return isBiggerThanHalfOrder(this.s);\n        }\n        normalizeS() {\n            return this.hasHighS() ? new Signature(this.r, modN(-this.s), this.recovery) : this;\n        }\n        // DER-encoded\n        toDERRawBytes() {\n            return ut.hexToBytes(this.toDERHex());\n        }\n        toDERHex() {\n            return DER.hexFromSig({ r: this.r, s: this.s });\n        }\n        // padded bytes of r, then padded bytes of s\n        toCompactRawBytes() {\n            return ut.hexToBytes(this.toCompactHex());\n        }\n        toCompactHex() {\n            return numToNByteStr(this.r) + numToNByteStr(this.s);\n        }\n    }\n    const utils = {\n        isValidPrivateKey(privateKey) {\n            try {\n                normPrivateKeyToScalar(privateKey);\n                return true;\n            }\n            catch (error) {\n                return false;\n            }\n        },\n        normPrivateKeyToScalar: normPrivateKeyToScalar,\n        /**\n         * Produces cryptographically secure private key from random of size\n         * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.\n         */\n        randomPrivateKey: () => {\n            const length = mod.getMinHashLength(CURVE.n);\n            return mod.mapHashToField(CURVE.randomBytes(length), CURVE.n);\n        },\n        /**\n         * Creates precompute table for an arbitrary EC point. Makes point \"cached\".\n         * Allows to massively speed-up `point.multiply(scalar)`.\n         * @returns cached point\n         * @example\n         * const fast = utils.precompute(8, ProjectivePoint.fromHex(someonesPubKey));\n         * fast.multiply(privKey); // much faster ECDH now\n         */\n        precompute(windowSize = 8, point = Point.BASE) {\n            point._setWindowSize(windowSize);\n            point.multiply(BigInt(3)); // 3 is arbitrary, just need any number here\n            return point;\n        },\n    };\n    /**\n     * Computes public key for a private key. Checks for validity of the private key.\n     * @param privateKey private key\n     * @param isCompressed whether to return compact (default), or full key\n     * @returns Public key, full when isCompressed=false; short when isCompressed=true\n     */\n    function getPublicKey(privateKey, isCompressed = true) {\n        return Point.fromPrivateKey(privateKey).toRawBytes(isCompressed);\n    }\n    /**\n     * Quick and dirty check for item being public key. Does not validate hex, or being on-curve.\n     */\n    function isProbPub(item) {\n        const arr = ut.isBytes(item);\n        const str = typeof item === 'string';\n        const len = (arr || str) && item.length;\n        if (arr)\n            return len === compressedLen || len === uncompressedLen;\n        if (str)\n            return len === 2 * compressedLen || len === 2 * uncompressedLen;\n        if (item instanceof Point)\n            return true;\n        return false;\n    }\n    /**\n     * ECDH (Elliptic Curve Diffie Hellman).\n     * Computes shared public key from private key and public key.\n     * Checks: 1) private key validity 2) shared key is on-curve.\n     * Does NOT hash the result.\n     * @param privateA private key\n     * @param publicB different public key\n     * @param isCompressed whether to return compact (default), or full key\n     * @returns shared public key\n     */\n    function getSharedSecret(privateA, publicB, isCompressed = true) {\n        if (isProbPub(privateA))\n            throw new Error('first arg must be private key');\n        if (!isProbPub(publicB))\n            throw new Error('second arg must be public key');\n        const b = Point.fromHex(publicB); // check for being on-curve\n        return b.multiply(normPrivateKeyToScalar(privateA)).toRawBytes(isCompressed);\n    }\n    // RFC6979: ensure ECDSA msg is X bytes and < N. RFC suggests optional truncating via bits2octets.\n    // FIPS 186-4 4.6 suggests the leftmost min(nBitLen, outLen) bits, which matches bits2int.\n    // bits2int can produce res>N, we can do mod(res, N) since the bitLen is the same.\n    // int2octets can't be used; pads small msgs with 0: unacceptatble for trunc as per RFC vectors\n    const bits2int = CURVE.bits2int ||\n        function (bytes) {\n            // For curves with nBitLength % 8 !== 0: bits2octets(bits2octets(m)) !== bits2octets(m)\n            // for some cases, since bytes.length * 8 is not actual bitLength.\n            const num = ut.bytesToNumberBE(bytes); // check for == u8 done here\n            const delta = bytes.length * 8 - CURVE.nBitLength; // truncate to nBitLength leftmost bits\n            return delta > 0 ? num >> BigInt(delta) : num;\n        };\n    const bits2int_modN = CURVE.bits2int_modN ||\n        function (bytes) {\n            return modN(bits2int(bytes)); // can't use bytesToNumberBE here\n        };\n    // NOTE: pads output with zero as per spec\n    const ORDER_MASK = ut.bitMask(CURVE.nBitLength);\n    /**\n     * Converts to bytes. Checks if num in `[0..ORDER_MASK-1]` e.g.: `[0..2^256-1]`.\n     */\n    function int2octets(num) {\n        ut.aInRange(`num < 2^${CURVE.nBitLength}`, num, _0n, ORDER_MASK);\n        // works with order, can have different size than numToField!\n        return ut.numberToBytesBE(num, CURVE.nByteLength);\n    }\n    // Steps A, D of RFC6979 3.2\n    // Creates RFC6979 seed; converts msg/privKey to numbers.\n    // Used only in sign, not in verify.\n    // NOTE: we cannot assume here that msgHash has same amount of bytes as curve order, this will be wrong at least for P521.\n    // Also it can be bigger for P224 + SHA256\n    function prepSig(msgHash, privateKey, opts = defaultSigOpts) {\n        if (['recovered', 'canonical'].some((k) => k in opts))\n            throw new Error('sign() legacy options not supported');\n        const { hash, randomBytes } = CURVE;\n        let { lowS, prehash, extraEntropy: ent } = opts; // generates low-s sigs by default\n        if (lowS == null)\n            lowS = true; // RFC6979 3.2: we skip step A, because we already provide hash\n        msgHash = ensureBytes('msgHash', msgHash);\n        validateSigVerOpts(opts);\n        if (prehash)\n            msgHash = ensureBytes('prehashed msgHash', hash(msgHash));\n        // We can't later call bits2octets, since nested bits2int is broken for curves\n        // with nBitLength % 8 !== 0. Because of that, we unwrap it here as int2octets call.\n        // const bits2octets = (bits) => int2octets(bits2int_modN(bits))\n        const h1int = bits2int_modN(msgHash);\n        const d = normPrivateKeyToScalar(privateKey); // validate private key, convert to bigint\n        const seedArgs = [int2octets(d), int2octets(h1int)];\n        // extraEntropy. RFC6979 3.6: additional k' (optional).\n        if (ent != null && ent !== false) {\n            // K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k')\n            const e = ent === true ? randomBytes(Fp.BYTES) : ent; // generate random bytes OR pass as-is\n            seedArgs.push(ensureBytes('extraEntropy', e)); // check for being bytes\n        }\n        const seed = ut.concatBytes(...seedArgs); // Step D of RFC6979 3.2\n        const m = h1int; // NOTE: no need to call bits2int second time here, it is inside truncateHash!\n        // Converts signature params into point w r/s, checks result for validity.\n        function k2sig(kBytes) {\n            // RFC 6979 Section 3.2, step 3: k = bits2int(T)\n            const k = bits2int(kBytes); // Cannot use fields methods, since it is group element\n            if (!isWithinCurveOrder(k))\n                return; // Important: all mod() calls here must be done over N\n            const ik = invN(k); // k^-1 mod n\n            const q = Point.BASE.multiply(k).toAffine(); // q = Gk\n            const r = modN(q.x); // r = q.x mod n\n            if (r === _0n)\n                return;\n            // Can use scalar blinding b^-1(bm + bdr) where b ∈ [1,q−1] according to\n            // https://tches.iacr.org/index.php/TCHES/article/view/7337/6509. We've decided against it:\n            // a) dependency on CSPRNG b) 15% slowdown c) doesn't really help since bigints are not CT\n            const s = modN(ik * modN(m + r * d)); // Not using blinding here\n            if (s === _0n)\n                return;\n            let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n); // recovery bit (2 or 3, when q.x > n)\n            let normS = s;\n            if (lowS && isBiggerThanHalfOrder(s)) {\n                normS = normalizeS(s); // if lowS was passed, ensure s is always\n                recovery ^= 1; // // in the bottom half of N\n            }\n            return new Signature(r, normS, recovery); // use normS, not s\n        }\n        return { seed, k2sig };\n    }\n    const defaultSigOpts = { lowS: CURVE.lowS, prehash: false };\n    const defaultVerOpts = { lowS: CURVE.lowS, prehash: false };\n    /**\n     * Signs message hash with a private key.\n     * ```\n     * sign(m, d, k) where\n     *   (x, y) = G × k\n     *   r = x mod n\n     *   s = (m + dr)/k mod n\n     * ```\n     * @param msgHash NOT message. msg needs to be hashed to `msgHash`, or use `prehash`.\n     * @param privKey private key\n     * @param opts lowS for non-malleable sigs. extraEntropy for mixing randomness into k. prehash will hash first arg.\n     * @returns signature with recovery param\n     */\n    function sign(msgHash, privKey, opts = defaultSigOpts) {\n        const { seed, k2sig } = prepSig(msgHash, privKey, opts); // Steps A, D of RFC6979 3.2.\n        const C = CURVE;\n        const drbg = ut.createHmacDrbg(C.hash.outputLen, C.nByteLength, C.hmac);\n        return drbg(seed, k2sig); // Steps B, C, D, E, F, G\n    }\n    // Enable precomputes. Slows down first publicKey computation by 20ms.\n    Point.BASE._setWindowSize(8);\n    // utils.precompute(8, ProjectivePoint.BASE)\n    /**\n     * Verifies a signature against message hash and public key.\n     * Rejects lowS signatures by default: to override,\n     * specify option `{lowS: false}`. Implements section 4.1.4 from https://www.secg.org/sec1-v2.pdf:\n     *\n     * ```\n     * verify(r, s, h, P) where\n     *   U1 = hs^-1 mod n\n     *   U2 = rs^-1 mod n\n     *   R = U1⋅G - U2⋅P\n     *   mod(R.x, n) == r\n     * ```\n     */\n    function verify(signature, msgHash, publicKey, opts = defaultVerOpts) {\n        const sg = signature;\n        msgHash = ensureBytes('msgHash', msgHash);\n        publicKey = ensureBytes('publicKey', publicKey);\n        if ('strict' in opts)\n            throw new Error('options.strict was renamed to lowS');\n        validateSigVerOpts(opts);\n        const { lowS, prehash } = opts;\n        let _sig = undefined;\n        let P;\n        try {\n            if (typeof sg === 'string' || ut.isBytes(sg)) {\n                // Signature can be represented in 2 ways: compact (2*nByteLength) & DER (variable-length).\n                // Since DER can also be 2*nByteLength bytes, we check for it first.\n                try {\n                    _sig = Signature.fromDER(sg);\n                }\n                catch (derError) {\n                    if (!(derError instanceof DER.Err))\n                        throw derError;\n                    _sig = Signature.fromCompact(sg);\n                }\n            }\n            else if (typeof sg === 'object' && typeof sg.r === 'bigint' && typeof sg.s === 'bigint') {\n                const { r, s } = sg;\n                _sig = new Signature(r, s);\n            }\n            else {\n                throw new Error('PARSE');\n            }\n            P = Point.fromHex(publicKey);\n        }\n        catch (error) {\n            if (error.message === 'PARSE')\n                throw new Error(`signature must be Signature instance, Uint8Array or hex string`);\n            return false;\n        }\n        if (lowS && _sig.hasHighS())\n            return false;\n        if (prehash)\n            msgHash = CURVE.hash(msgHash);\n        const { r, s } = _sig;\n        const h = bits2int_modN(msgHash); // Cannot use fields methods, since it is group element\n        const is = invN(s); // s^-1\n        const u1 = modN(h * is); // u1 = hs^-1 mod n\n        const u2 = modN(r * is); // u2 = rs^-1 mod n\n        const R = Point.BASE.multiplyAndAddUnsafe(P, u1, u2)?.toAffine(); // R = u1⋅G + u2⋅P\n        if (!R)\n            return false;\n        const v = modN(R.x);\n        return v === r;\n    }\n    return {\n        CURVE,\n        getPublicKey,\n        getSharedSecret,\n        sign,\n        verify,\n        ProjectivePoint: Point,\n        Signature,\n        utils,\n    };\n}\n/**\n * Implementation of the Shallue and van de Woestijne method for any weierstrass curve.\n * TODO: check if there is a way to merge this with uvRatio in Edwards; move to modular.\n * b = True and y = sqrt(u / v) if (u / v) is square in F, and\n * b = False and y = sqrt(Z * (u / v)) otherwise.\n * @param Fp\n * @param Z\n * @returns\n */\nexport function SWUFpSqrtRatio(Fp, Z) {\n    // Generic implementation\n    const q = Fp.ORDER;\n    let l = _0n;\n    for (let o = q - _1n; o % _2n === _0n; o /= _2n)\n        l += _1n;\n    const c1 = l; // 1. c1, the largest integer such that 2^c1 divides q - 1.\n    // We need 2n ** c1 and 2n ** (c1-1). We can't use **; but we can use <<.\n    // 2n ** c1 == 2n << (c1-1)\n    const _2n_pow_c1_1 = _2n << (c1 - _1n - _1n);\n    const _2n_pow_c1 = _2n_pow_c1_1 * _2n;\n    const c2 = (q - _1n) / _2n_pow_c1; // 2. c2 = (q - 1) / (2^c1)  # Integer arithmetic\n    const c3 = (c2 - _1n) / _2n; // 3. c3 = (c2 - 1) / 2            # Integer arithmetic\n    const c4 = _2n_pow_c1 - _1n; // 4. c4 = 2^c1 - 1                # Integer arithmetic\n    const c5 = _2n_pow_c1_1; // 5. c5 = 2^(c1 - 1)                  # Integer arithmetic\n    const c6 = Fp.pow(Z, c2); // 6. c6 = Z^c2\n    const c7 = Fp.pow(Z, (c2 + _1n) / _2n); // 7. c7 = Z^((c2 + 1) / 2)\n    let sqrtRatio = (u, v) => {\n        let tv1 = c6; // 1. tv1 = c6\n        let tv2 = Fp.pow(v, c4); // 2. tv2 = v^c4\n        let tv3 = Fp.sqr(tv2); // 3. tv3 = tv2^2\n        tv3 = Fp.mul(tv3, v); // 4. tv3 = tv3 * v\n        let tv5 = Fp.mul(u, tv3); // 5. tv5 = u * tv3\n        tv5 = Fp.pow(tv5, c3); // 6. tv5 = tv5^c3\n        tv5 = Fp.mul(tv5, tv2); // 7. tv5 = tv5 * tv2\n        tv2 = Fp.mul(tv5, v); // 8. tv2 = tv5 * v\n        tv3 = Fp.mul(tv5, u); // 9. tv3 = tv5 * u\n        let tv4 = Fp.mul(tv3, tv2); // 10. tv4 = tv3 * tv2\n        tv5 = Fp.pow(tv4, c5); // 11. tv5 = tv4^c5\n        let isQR = Fp.eql(tv5, Fp.ONE); // 12. isQR = tv5 == 1\n        tv2 = Fp.mul(tv3, c7); // 13. tv2 = tv3 * c7\n        tv5 = Fp.mul(tv4, tv1); // 14. tv5 = tv4 * tv1\n        tv3 = Fp.cmov(tv2, tv3, isQR); // 15. tv3 = CMOV(tv2, tv3, isQR)\n        tv4 = Fp.cmov(tv5, tv4, isQR); // 16. tv4 = CMOV(tv5, tv4, isQR)\n        // 17. for i in (c1, c1 - 1, ..., 2):\n        for (let i = c1; i > _1n; i--) {\n            let tv5 = i - _2n; // 18.    tv5 = i - 2\n            tv5 = _2n << (tv5 - _1n); // 19.    tv5 = 2^tv5\n            let tvv5 = Fp.pow(tv4, tv5); // 20.    tv5 = tv4^tv5\n            const e1 = Fp.eql(tvv5, Fp.ONE); // 21.    e1 = tv5 == 1\n            tv2 = Fp.mul(tv3, tv1); // 22.    tv2 = tv3 * tv1\n            tv1 = Fp.mul(tv1, tv1); // 23.    tv1 = tv1 * tv1\n            tvv5 = Fp.mul(tv4, tv1); // 24.    tv5 = tv4 * tv1\n            tv3 = Fp.cmov(tv2, tv3, e1); // 25.    tv3 = CMOV(tv2, tv3, e1)\n            tv4 = Fp.cmov(tvv5, tv4, e1); // 26.    tv4 = CMOV(tv5, tv4, e1)\n        }\n        return { isValid: isQR, value: tv3 };\n    };\n    if (Fp.ORDER % _4n === _3n) {\n        // sqrt_ratio_3mod4(u, v)\n        const c1 = (Fp.ORDER - _3n) / _4n; // 1. c1 = (q - 3) / 4     # Integer arithmetic\n        const c2 = Fp.sqrt(Fp.neg(Z)); // 2. c2 = sqrt(-Z)\n        sqrtRatio = (u, v) => {\n            let tv1 = Fp.sqr(v); // 1. tv1 = v^2\n            const tv2 = Fp.mul(u, v); // 2. tv2 = u * v\n            tv1 = Fp.mul(tv1, tv2); // 3. tv1 = tv1 * tv2\n            let y1 = Fp.pow(tv1, c1); // 4. y1 = tv1^c1\n            y1 = Fp.mul(y1, tv2); // 5. y1 = y1 * tv2\n            const y2 = Fp.mul(y1, c2); // 6. y2 = y1 * c2\n            const tv3 = Fp.mul(Fp.sqr(y1), v); // 7. tv3 = y1^2; 8. tv3 = tv3 * v\n            const isQR = Fp.eql(tv3, u); // 9. isQR = tv3 == u\n            let y = Fp.cmov(y2, y1, isQR); // 10. y = CMOV(y2, y1, isQR)\n            return { isValid: isQR, value: y }; // 11. return (isQR, y) isQR ? y : y*c2\n        };\n    }\n    // No curves uses that\n    // if (Fp.ORDER % _8n === _5n) // sqrt_ratio_5mod8\n    return sqrtRatio;\n}\n/**\n * Simplified Shallue-van de Woestijne-Ulas Method\n * https://www.rfc-editor.org/rfc/rfc9380#section-6.6.2\n */\nexport function mapToCurveSimpleSWU(Fp, opts) {\n    mod.validateField(Fp);\n    if (!Fp.isValid(opts.A) || !Fp.isValid(opts.B) || !Fp.isValid(opts.Z))\n        throw new Error('mapToCurveSimpleSWU: invalid opts');\n    const sqrtRatio = SWUFpSqrtRatio(Fp, opts.Z);\n    if (!Fp.isOdd)\n        throw new Error('Fp.isOdd is not implemented!');\n    // Input: u, an element of F.\n    // Output: (x, y), a point on E.\n    return (u) => {\n        // prettier-ignore\n        let tv1, tv2, tv3, tv4, tv5, tv6, x, y;\n        tv1 = Fp.sqr(u); // 1.  tv1 = u^2\n        tv1 = Fp.mul(tv1, opts.Z); // 2.  tv1 = Z * tv1\n        tv2 = Fp.sqr(tv1); // 3.  tv2 = tv1^2\n        tv2 = Fp.add(tv2, tv1); // 4.  tv2 = tv2 + tv1\n        tv3 = Fp.add(tv2, Fp.ONE); // 5.  tv3 = tv2 + 1\n        tv3 = Fp.mul(tv3, opts.B); // 6.  tv3 = B * tv3\n        tv4 = Fp.cmov(opts.Z, Fp.neg(tv2), !Fp.eql(tv2, Fp.ZERO)); // 7.  tv4 = CMOV(Z, -tv2, tv2 != 0)\n        tv4 = Fp.mul(tv4, opts.A); // 8.  tv4 = A * tv4\n        tv2 = Fp.sqr(tv3); // 9.  tv2 = tv3^2\n        tv6 = Fp.sqr(tv4); // 10. tv6 = tv4^2\n        tv5 = Fp.mul(tv6, opts.A); // 11. tv5 = A * tv6\n        tv2 = Fp.add(tv2, tv5); // 12. tv2 = tv2 + tv5\n        tv2 = Fp.mul(tv2, tv3); // 13. tv2 = tv2 * tv3\n        tv6 = Fp.mul(tv6, tv4); // 14. tv6 = tv6 * tv4\n        tv5 = Fp.mul(tv6, opts.B); // 15. tv5 = B * tv6\n        tv2 = Fp.add(tv2, tv5); // 16. tv2 = tv2 + tv5\n        x = Fp.mul(tv1, tv3); // 17.   x = tv1 * tv3\n        const { isValid, value } = sqrtRatio(tv2, tv6); // 18. (is_gx1_square, y1) = sqrt_ratio(tv2, tv6)\n        y = Fp.mul(tv1, u); // 19.   y = tv1 * u  -> Z * u^3 * y1\n        y = Fp.mul(y, value); // 20.   y = y * y1\n        x = Fp.cmov(x, tv3, isValid); // 21.   x = CMOV(x, tv3, is_gx1_square)\n        y = Fp.cmov(y, value, isValid); // 22.   y = CMOV(y, y1, is_gx1_square)\n        const e1 = Fp.isOdd(u) === Fp.isOdd(y); // 23.  e1 = sgn0(u) == sgn0(y)\n        y = Fp.cmov(Fp.neg(y), y, e1); // 24.   y = CMOV(-y, y, e1)\n        x = Fp.div(x, tv4); // 25.   x = x / tv4\n        return { x, y };\n    };\n}\n//# sourceMappingURL=weierstrass.js.map","/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\nimport { hmac } from '@noble/hashes/hmac';\nimport { concatBytes, randomBytes } from '@noble/hashes/utils';\nimport { weierstrass } from './abstract/weierstrass.js';\n// connects noble-curves to noble-hashes\nexport function getHash(hash) {\n    return {\n        hash,\n        hmac: (key, ...msgs) => hmac(hash, key, concatBytes(...msgs)),\n        randomBytes,\n    };\n}\nexport function createCurve(curveDef, defHash) {\n    const create = (hash) => weierstrass({ ...curveDef, ...getHash(hash) });\n    return Object.freeze({ ...create(defHash), create });\n}\n//# sourceMappingURL=_shortw_utils.js.map","/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\nimport { sha256 } from '@noble/hashes/sha256';\nimport { createCurve } from './_shortw_utils.js';\nimport { createHasher } from './abstract/hash-to-curve.js';\nimport { Field } from './abstract/modular.js';\nimport { mapToCurveSimpleSWU } from './abstract/weierstrass.js';\n// NIST secp256r1 aka p256\n// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256\nconst Fp = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));\nconst CURVE_A = Fp.create(BigInt('-3'));\nconst CURVE_B = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b');\n// prettier-ignore\nexport const p256 = createCurve({\n    a: CURVE_A, // Equation params: a, b\n    b: CURVE_B,\n    Fp, // Field: 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n\n    // Curve order, total count of valid points in the field\n    n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),\n    // Base (generator) point (x, y)\n    Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),\n    Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),\n    h: BigInt(1),\n    lowS: false,\n}, sha256);\nexport const secp256r1 = p256;\nconst mapSWU = /* @__PURE__ */ (() => mapToCurveSimpleSWU(Fp, {\n    A: CURVE_A,\n    B: CURVE_B,\n    Z: Fp.create(BigInt('-10')),\n}))();\nconst htf = /* @__PURE__ */ (() => createHasher(secp256r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), {\n    DST: 'P256_XMD:SHA-256_SSWU_RO_',\n    encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',\n    p: Fp.ORDER,\n    m: 1,\n    k: 128,\n    expand: 'xmd',\n    hash: sha256,\n}))();\nexport const hashToCurve = /* @__PURE__ */ (() => htf.hashToCurve)();\nexport const encodeToCurve = /* @__PURE__ */ (() => htf.encodeToCurve)();\n//# sourceMappingURL=p256.js.map","const U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);\nconst _32n = /* @__PURE__ */ BigInt(32);\n// We are not using BigUint64Array, because they are extremely slow as per 2022\nfunction fromBig(n, le = false) {\n    if (le)\n        return { h: Number(n & U32_MASK64), l: Number((n >> _32n) & U32_MASK64) };\n    return { h: Number((n >> _32n) & U32_MASK64) | 0, l: Number(n & U32_MASK64) | 0 };\n}\nfunction split(lst, le = false) {\n    let Ah = new Uint32Array(lst.length);\n    let Al = new Uint32Array(lst.length);\n    for (let i = 0; i < lst.length; i++) {\n        const { h, l } = fromBig(lst[i], le);\n        [Ah[i], Al[i]] = [h, l];\n    }\n    return [Ah, Al];\n}\nconst toBig = (h, l) => (BigInt(h >>> 0) << _32n) | BigInt(l >>> 0);\n// for Shift in [0, 32)\nconst shrSH = (h, _l, s) => h >>> s;\nconst shrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);\n// Right rotate for Shift in [1, 32)\nconst rotrSH = (h, l, s) => (h >>> s) | (l << (32 - s));\nconst rotrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);\n// Right rotate for Shift in (32, 64), NOTE: 32 is special case.\nconst rotrBH = (h, l, s) => (h << (64 - s)) | (l >>> (s - 32));\nconst rotrBL = (h, l, s) => (h >>> (s - 32)) | (l << (64 - s));\n// Right rotate for shift===32 (just swaps l&h)\nconst rotr32H = (_h, l) => l;\nconst rotr32L = (h, _l) => h;\n// Left rotate for Shift in [1, 32)\nconst rotlSH = (h, l, s) => (h << s) | (l >>> (32 - s));\nconst rotlSL = (h, l, s) => (l << s) | (h >>> (32 - s));\n// Left rotate for Shift in (32, 64), NOTE: 32 is special case.\nconst rotlBH = (h, l, s) => (l << (s - 32)) | (h >>> (64 - s));\nconst rotlBL = (h, l, s) => (h << (s - 32)) | (l >>> (64 - s));\n// JS uses 32-bit signed integers for bitwise operations which means we cannot\n// simple take carry out of low bit sum by shift, we need to use division.\nfunction add(Ah, Al, Bh, Bl) {\n    const l = (Al >>> 0) + (Bl >>> 0);\n    return { h: (Ah + Bh + ((l / 2 ** 32) | 0)) | 0, l: l | 0 };\n}\n// Addition with more than 2 elements\nconst add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0);\nconst add3H = (low, Ah, Bh, Ch) => (Ah + Bh + Ch + ((low / 2 ** 32) | 0)) | 0;\nconst add4L = (Al, Bl, Cl, Dl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0);\nconst add4H = (low, Ah, Bh, Ch, Dh) => (Ah + Bh + Ch + Dh + ((low / 2 ** 32) | 0)) | 0;\nconst add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0);\nconst add5H = (low, Ah, Bh, Ch, Dh, Eh) => (Ah + Bh + Ch + Dh + Eh + ((low / 2 ** 32) | 0)) | 0;\n// prettier-ignore\nexport { fromBig, split, toBig, shrSH, shrSL, rotrSH, rotrSL, rotrBH, rotrBL, rotr32H, rotr32L, rotlSH, rotlSL, rotlBH, rotlBL, add, add3L, add3H, add4L, add4H, add5H, add5L, };\n// prettier-ignore\nconst u64 = {\n    fromBig, split, toBig,\n    shrSH, shrSL,\n    rotrSH, rotrSL, rotrBH, rotrBL,\n    rotr32H, rotr32L,\n    rotlSH, rotlSL, rotlBH, rotlBL,\n    add, add3L, add3H, add4L, add4H, add5H, add5L,\n};\nexport default u64;\n//# sourceMappingURL=_u64.js.map","import { HashMD } from './_md.js';\nimport u64 from './_u64.js';\nimport { wrapConstructor } from './utils.js';\n// Round contants (first 32 bits of the fractional parts of the cube roots of the first 80 primes 2..409):\n// prettier-ignore\nconst [SHA512_Kh, SHA512_Kl] = /* @__PURE__ */ (() => u64.split([\n    '0x428a2f98d728ae22', '0x7137449123ef65cd', '0xb5c0fbcfec4d3b2f', '0xe9b5dba58189dbbc',\n    '0x3956c25bf348b538', '0x59f111f1b605d019', '0x923f82a4af194f9b', '0xab1c5ed5da6d8118',\n    '0xd807aa98a3030242', '0x12835b0145706fbe', '0x243185be4ee4b28c', '0x550c7dc3d5ffb4e2',\n    '0x72be5d74f27b896f', '0x80deb1fe3b1696b1', '0x9bdc06a725c71235', '0xc19bf174cf692694',\n    '0xe49b69c19ef14ad2', '0xefbe4786384f25e3', '0x0fc19dc68b8cd5b5', '0x240ca1cc77ac9c65',\n    '0x2de92c6f592b0275', '0x4a7484aa6ea6e483', '0x5cb0a9dcbd41fbd4', '0x76f988da831153b5',\n    '0x983e5152ee66dfab', '0xa831c66d2db43210', '0xb00327c898fb213f', '0xbf597fc7beef0ee4',\n    '0xc6e00bf33da88fc2', '0xd5a79147930aa725', '0x06ca6351e003826f', '0x142929670a0e6e70',\n    '0x27b70a8546d22ffc', '0x2e1b21385c26c926', '0x4d2c6dfc5ac42aed', '0x53380d139d95b3df',\n    '0x650a73548baf63de', '0x766a0abb3c77b2a8', '0x81c2c92e47edaee6', '0x92722c851482353b',\n    '0xa2bfe8a14cf10364', '0xa81a664bbc423001', '0xc24b8b70d0f89791', '0xc76c51a30654be30',\n    '0xd192e819d6ef5218', '0xd69906245565a910', '0xf40e35855771202a', '0x106aa07032bbd1b8',\n    '0x19a4c116b8d2d0c8', '0x1e376c085141ab53', '0x2748774cdf8eeb99', '0x34b0bcb5e19b48a8',\n    '0x391c0cb3c5c95a63', '0x4ed8aa4ae3418acb', '0x5b9cca4f7763e373', '0x682e6ff3d6b2b8a3',\n    '0x748f82ee5defb2fc', '0x78a5636f43172f60', '0x84c87814a1f0ab72', '0x8cc702081a6439ec',\n    '0x90befffa23631e28', '0xa4506cebde82bde9', '0xbef9a3f7b2c67915', '0xc67178f2e372532b',\n    '0xca273eceea26619c', '0xd186b8c721c0c207', '0xeada7dd6cde0eb1e', '0xf57d4f7fee6ed178',\n    '0x06f067aa72176fba', '0x0a637dc5a2c898a6', '0x113f9804bef90dae', '0x1b710b35131c471b',\n    '0x28db77f523047d84', '0x32caab7b40c72493', '0x3c9ebe0a15c9bebc', '0x431d67c49c100d4c',\n    '0x4cc5d4becb3e42b6', '0x597f299cfc657e2a', '0x5fcb6fab3ad6faec', '0x6c44198c4a475817'\n].map(n => BigInt(n))))();\n// Temporary buffer, not used to store anything between runs\nconst SHA512_W_H = /* @__PURE__ */ new Uint32Array(80);\nconst SHA512_W_L = /* @__PURE__ */ new Uint32Array(80);\nexport class SHA512 extends HashMD {\n    constructor() {\n        super(128, 64, 16, false);\n        // We cannot use array here since array allows indexing by variable which means optimizer/compiler cannot use registers.\n        // Also looks cleaner and easier to verify with spec.\n        // Initial state (first 32 bits of the fractional parts of the square roots of the first 8 primes 2..19):\n        // h -- high 32 bits, l -- low 32 bits\n        this.Ah = 0x6a09e667 | 0;\n        this.Al = 0xf3bcc908 | 0;\n        this.Bh = 0xbb67ae85 | 0;\n        this.Bl = 0x84caa73b | 0;\n        this.Ch = 0x3c6ef372 | 0;\n        this.Cl = 0xfe94f82b | 0;\n        this.Dh = 0xa54ff53a | 0;\n        this.Dl = 0x5f1d36f1 | 0;\n        this.Eh = 0x510e527f | 0;\n        this.El = 0xade682d1 | 0;\n        this.Fh = 0x9b05688c | 0;\n        this.Fl = 0x2b3e6c1f | 0;\n        this.Gh = 0x1f83d9ab | 0;\n        this.Gl = 0xfb41bd6b | 0;\n        this.Hh = 0x5be0cd19 | 0;\n        this.Hl = 0x137e2179 | 0;\n    }\n    // prettier-ignore\n    get() {\n        const { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;\n        return [Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl];\n    }\n    // prettier-ignore\n    set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl) {\n        this.Ah = Ah | 0;\n        this.Al = Al | 0;\n        this.Bh = Bh | 0;\n        this.Bl = Bl | 0;\n        this.Ch = Ch | 0;\n        this.Cl = Cl | 0;\n        this.Dh = Dh | 0;\n        this.Dl = Dl | 0;\n        this.Eh = Eh | 0;\n        this.El = El | 0;\n        this.Fh = Fh | 0;\n        this.Fl = Fl | 0;\n        this.Gh = Gh | 0;\n        this.Gl = Gl | 0;\n        this.Hh = Hh | 0;\n        this.Hl = Hl | 0;\n    }\n    process(view, offset) {\n        // Extend the first 16 words into the remaining 64 words w[16..79] of the message schedule array\n        for (let i = 0; i < 16; i++, offset += 4) {\n            SHA512_W_H[i] = view.getUint32(offset);\n            SHA512_W_L[i] = view.getUint32((offset += 4));\n        }\n        for (let i = 16; i < 80; i++) {\n            // s0 := (w[i-15] rightrotate 1) xor (w[i-15] rightrotate 8) xor (w[i-15] rightshift 7)\n            const W15h = SHA512_W_H[i - 15] | 0;\n            const W15l = SHA512_W_L[i - 15] | 0;\n            const s0h = u64.rotrSH(W15h, W15l, 1) ^ u64.rotrSH(W15h, W15l, 8) ^ u64.shrSH(W15h, W15l, 7);\n            const s0l = u64.rotrSL(W15h, W15l, 1) ^ u64.rotrSL(W15h, W15l, 8) ^ u64.shrSL(W15h, W15l, 7);\n            // s1 := (w[i-2] rightrotate 19) xor (w[i-2] rightrotate 61) xor (w[i-2] rightshift 6)\n            const W2h = SHA512_W_H[i - 2] | 0;\n            const W2l = SHA512_W_L[i - 2] | 0;\n            const s1h = u64.rotrSH(W2h, W2l, 19) ^ u64.rotrBH(W2h, W2l, 61) ^ u64.shrSH(W2h, W2l, 6);\n            const s1l = u64.rotrSL(W2h, W2l, 19) ^ u64.rotrBL(W2h, W2l, 61) ^ u64.shrSL(W2h, W2l, 6);\n            // SHA256_W[i] = s0 + s1 + SHA256_W[i - 7] + SHA256_W[i - 16];\n            const SUMl = u64.add4L(s0l, s1l, SHA512_W_L[i - 7], SHA512_W_L[i - 16]);\n            const SUMh = u64.add4H(SUMl, s0h, s1h, SHA512_W_H[i - 7], SHA512_W_H[i - 16]);\n            SHA512_W_H[i] = SUMh | 0;\n            SHA512_W_L[i] = SUMl | 0;\n        }\n        let { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;\n        // Compression function main loop, 80 rounds\n        for (let i = 0; i < 80; i++) {\n            // S1 := (e rightrotate 14) xor (e rightrotate 18) xor (e rightrotate 41)\n            const sigma1h = u64.rotrSH(Eh, El, 14) ^ u64.rotrSH(Eh, El, 18) ^ u64.rotrBH(Eh, El, 41);\n            const sigma1l = u64.rotrSL(Eh, El, 14) ^ u64.rotrSL(Eh, El, 18) ^ u64.rotrBL(Eh, El, 41);\n            //const T1 = (H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i]) | 0;\n            const CHIh = (Eh & Fh) ^ (~Eh & Gh);\n            const CHIl = (El & Fl) ^ (~El & Gl);\n            // T1 = H + sigma1 + Chi(E, F, G) + SHA512_K[i] + SHA512_W[i]\n            // prettier-ignore\n            const T1ll = u64.add5L(Hl, sigma1l, CHIl, SHA512_Kl[i], SHA512_W_L[i]);\n            const T1h = u64.add5H(T1ll, Hh, sigma1h, CHIh, SHA512_Kh[i], SHA512_W_H[i]);\n            const T1l = T1ll | 0;\n            // S0 := (a rightrotate 28) xor (a rightrotate 34) xor (a rightrotate 39)\n            const sigma0h = u64.rotrSH(Ah, Al, 28) ^ u64.rotrBH(Ah, Al, 34) ^ u64.rotrBH(Ah, Al, 39);\n            const sigma0l = u64.rotrSL(Ah, Al, 28) ^ u64.rotrBL(Ah, Al, 34) ^ u64.rotrBL(Ah, Al, 39);\n            const MAJh = (Ah & Bh) ^ (Ah & Ch) ^ (Bh & Ch);\n            const MAJl = (Al & Bl) ^ (Al & Cl) ^ (Bl & Cl);\n            Hh = Gh | 0;\n            Hl = Gl | 0;\n            Gh = Fh | 0;\n            Gl = Fl | 0;\n            Fh = Eh | 0;\n            Fl = El | 0;\n            ({ h: Eh, l: El } = u64.add(Dh | 0, Dl | 0, T1h | 0, T1l | 0));\n            Dh = Ch | 0;\n            Dl = Cl | 0;\n            Ch = Bh | 0;\n            Cl = Bl | 0;\n            Bh = Ah | 0;\n            Bl = Al | 0;\n            const All = u64.add3L(T1l, sigma0l, MAJl);\n            Ah = u64.add3H(All, T1h, sigma0h, MAJh);\n            Al = All | 0;\n        }\n        // Add the compressed chunk to the current hash value\n        ({ h: Ah, l: Al } = u64.add(this.Ah | 0, this.Al | 0, Ah | 0, Al | 0));\n        ({ h: Bh, l: Bl } = u64.add(this.Bh | 0, this.Bl | 0, Bh | 0, Bl | 0));\n        ({ h: Ch, l: Cl } = u64.add(this.Ch | 0, this.Cl | 0, Ch | 0, Cl | 0));\n        ({ h: Dh, l: Dl } = u64.add(this.Dh | 0, this.Dl | 0, Dh | 0, Dl | 0));\n        ({ h: Eh, l: El } = u64.add(this.Eh | 0, this.El | 0, Eh | 0, El | 0));\n        ({ h: Fh, l: Fl } = u64.add(this.Fh | 0, this.Fl | 0, Fh | 0, Fl | 0));\n        ({ h: Gh, l: Gl } = u64.add(this.Gh | 0, this.Gl | 0, Gh | 0, Gl | 0));\n        ({ h: Hh, l: Hl } = u64.add(this.Hh | 0, this.Hl | 0, Hh | 0, Hl | 0));\n        this.set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl);\n    }\n    roundClean() {\n        SHA512_W_H.fill(0);\n        SHA512_W_L.fill(0);\n    }\n    destroy() {\n        this.buffer.fill(0);\n        this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);\n    }\n}\nexport class SHA512_224 extends SHA512 {\n    constructor() {\n        super();\n        // h -- high 32 bits, l -- low 32 bits\n        this.Ah = 0x8c3d37c8 | 0;\n        this.Al = 0x19544da2 | 0;\n        this.Bh = 0x73e19966 | 0;\n        this.Bl = 0x89dcd4d6 | 0;\n        this.Ch = 0x1dfab7ae | 0;\n        this.Cl = 0x32ff9c82 | 0;\n        this.Dh = 0x679dd514 | 0;\n        this.Dl = 0x582f9fcf | 0;\n        this.Eh = 0x0f6d2b69 | 0;\n        this.El = 0x7bd44da8 | 0;\n        this.Fh = 0x77e36f73 | 0;\n        this.Fl = 0x04c48942 | 0;\n        this.Gh = 0x3f9d85a8 | 0;\n        this.Gl = 0x6a1d36c8 | 0;\n        this.Hh = 0x1112e6ad | 0;\n        this.Hl = 0x91d692a1 | 0;\n        this.outputLen = 28;\n    }\n}\nexport class SHA512_256 extends SHA512 {\n    constructor() {\n        super();\n        // h -- high 32 bits, l -- low 32 bits\n        this.Ah = 0x22312194 | 0;\n        this.Al = 0xfc2bf72c | 0;\n        this.Bh = 0x9f555fa3 | 0;\n        this.Bl = 0xc84c64c2 | 0;\n        this.Ch = 0x2393b86b | 0;\n        this.Cl = 0x6f53b151 | 0;\n        this.Dh = 0x96387719 | 0;\n        this.Dl = 0x5940eabd | 0;\n        this.Eh = 0x96283ee2 | 0;\n        this.El = 0xa88effe3 | 0;\n        this.Fh = 0xbe5e1e25 | 0;\n        this.Fl = 0x53863992 | 0;\n        this.Gh = 0x2b0199fc | 0;\n        this.Gl = 0x2c85b8aa | 0;\n        this.Hh = 0x0eb72ddc | 0;\n        this.Hl = 0x81c52ca2 | 0;\n        this.outputLen = 32;\n    }\n}\nexport class SHA384 extends SHA512 {\n    constructor() {\n        super();\n        // h -- high 32 bits, l -- low 32 bits\n        this.Ah = 0xcbbb9d5d | 0;\n        this.Al = 0xc1059ed8 | 0;\n        this.Bh = 0x629a292a | 0;\n        this.Bl = 0x367cd507 | 0;\n        this.Ch = 0x9159015a | 0;\n        this.Cl = 0x3070dd17 | 0;\n        this.Dh = 0x152fecd8 | 0;\n        this.Dl = 0xf70e5939 | 0;\n        this.Eh = 0x67332667 | 0;\n        this.El = 0xffc00b31 | 0;\n        this.Fh = 0x8eb44a87 | 0;\n        this.Fl = 0x68581511 | 0;\n        this.Gh = 0xdb0c2e0d | 0;\n        this.Gl = 0x64f98fa7 | 0;\n        this.Hh = 0x47b5481d | 0;\n        this.Hl = 0xbefa4fa4 | 0;\n        this.outputLen = 48;\n    }\n}\nexport const sha512 = /* @__PURE__ */ wrapConstructor(() => new SHA512());\nexport const sha512_224 = /* @__PURE__ */ wrapConstructor(() => new SHA512_224());\nexport const sha512_256 = /* @__PURE__ */ wrapConstructor(() => new SHA512_256());\nexport const sha384 = /* @__PURE__ */ wrapConstructor(() => new SHA384());\n//# sourceMappingURL=sha512.js.map","/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\nimport { sha384 } from '@noble/hashes/sha512';\nimport { createCurve } from './_shortw_utils.js';\nimport { createHasher } from './abstract/hash-to-curve.js';\nimport { Field } from './abstract/modular.js';\nimport { mapToCurveSimpleSWU } from './abstract/weierstrass.js';\n// NIST secp384r1 aka p384\n// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-384\n// Field over which we'll do calculations.\n// prettier-ignore\nconst P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff');\nconst Fp = Field(P);\nconst CURVE_A = Fp.create(BigInt('-3'));\n// prettier-ignore\nconst CURVE_B = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef');\n// prettier-ignore\nexport const p384 = createCurve({\n    a: CURVE_A, // Equation params: a, b\n    b: CURVE_B,\n    Fp, // Field: 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n\n    // Curve order, total count of valid points in the field.\n    n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),\n    // Base (generator) point (x, y)\n    Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),\n    Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),\n    h: BigInt(1),\n    lowS: false,\n}, sha384);\nexport const secp384r1 = p384;\nconst mapSWU = /* @__PURE__ */ (() => mapToCurveSimpleSWU(Fp, {\n    A: CURVE_A,\n    B: CURVE_B,\n    Z: Fp.create(BigInt('-12')),\n}))();\nconst htf = /* @__PURE__ */ (() => createHasher(secp384r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), {\n    DST: 'P384_XMD:SHA-384_SSWU_RO_',\n    encodeDST: 'P384_XMD:SHA-384_SSWU_NU_',\n    p: Fp.ORDER,\n    m: 1,\n    k: 192,\n    expand: 'xmd',\n    hash: sha384,\n}))();\nexport const hashToCurve = /* @__PURE__ */ (() => htf.hashToCurve)();\nexport const encodeToCurve = /* @__PURE__ */ (() => htf.encodeToCurve)();\n//# sourceMappingURL=p384.js.map","/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\nimport { sha512 } from '@noble/hashes/sha512';\nimport { createCurve } from './_shortw_utils.js';\nimport { createHasher } from './abstract/hash-to-curve.js';\nimport { Field } from './abstract/modular.js';\nimport { mapToCurveSimpleSWU } from './abstract/weierstrass.js';\n// NIST secp521r1 aka p521\n// Note that it's 521, which differs from 512 of its hash function.\n// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-521\n// Field over which we'll do calculations.\n// prettier-ignore\nconst P = BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');\nconst Fp = Field(P);\nconst CURVE = {\n    a: Fp.create(BigInt('-3')),\n    b: BigInt('0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'),\n    Fp,\n    n: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'),\n    Gx: BigInt('0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'),\n    Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),\n    h: BigInt(1),\n};\n// prettier-ignore\nexport const p521 = createCurve({\n    a: CURVE.a, // Equation params: a, b\n    b: CURVE.b,\n    Fp, // Field: 2n**521n - 1n\n    // Curve order, total count of valid points in the field\n    n: CURVE.n,\n    Gx: CURVE.Gx, // Base point (x, y) aka generator point\n    Gy: CURVE.Gy,\n    h: CURVE.h,\n    lowS: false,\n    allowedPrivateKeyLengths: [130, 131, 132] // P521 keys are variable-length. Normalize to 132b\n}, sha512);\nexport const secp521r1 = p521;\nconst mapSWU = /* @__PURE__ */ (() => mapToCurveSimpleSWU(Fp, {\n    A: CURVE.a,\n    B: CURVE.b,\n    Z: Fp.create(BigInt('-4')),\n}))();\nconst htf = /* @__PURE__ */ (() => createHasher(secp521r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), {\n    DST: 'P521_XMD:SHA-512_SSWU_RO_',\n    encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',\n    p: Fp.ORDER,\n    m: 1,\n    k: 256,\n    expand: 'xmd',\n    hash: sha512,\n}))();\nexport const hashToCurve = /* @__PURE__ */ (() => htf.hashToCurve)();\nexport const encodeToCurve = /* @__PURE__ */ (() => htf.encodeToCurve)();\n//# sourceMappingURL=p521.js.map","import { bytes, exists, number, output } from './_assert.js';\nimport { rotlBH, rotlBL, rotlSH, rotlSL, split } from './_u64.js';\nimport { Hash, u32, toBytes, wrapConstructor, wrapXOFConstructorWithOpts, isLE, byteSwap32, } from './utils.js';\n// SHA3 (keccak) is based on a new design: basically, the internal state is bigger than output size.\n// It's called a sponge function.\n// Various per round constants calculations\nconst SHA3_PI = [];\nconst SHA3_ROTL = [];\nconst _SHA3_IOTA = [];\nconst _0n = /* @__PURE__ */ BigInt(0);\nconst _1n = /* @__PURE__ */ BigInt(1);\nconst _2n = /* @__PURE__ */ BigInt(2);\nconst _7n = /* @__PURE__ */ BigInt(7);\nconst _256n = /* @__PURE__ */ BigInt(256);\nconst _0x71n = /* @__PURE__ */ BigInt(0x71);\nfor (let round = 0, R = _1n, x = 1, y = 0; round < 24; round++) {\n    // Pi\n    [x, y] = [y, (2 * x + 3 * y) % 5];\n    SHA3_PI.push(2 * (5 * y + x));\n    // Rotational\n    SHA3_ROTL.push((((round + 1) * (round + 2)) / 2) % 64);\n    // Iota\n    let t = _0n;\n    for (let j = 0; j < 7; j++) {\n        R = ((R << _1n) ^ ((R >> _7n) * _0x71n)) % _256n;\n        if (R & _2n)\n            t ^= _1n << ((_1n << /* @__PURE__ */ BigInt(j)) - _1n);\n    }\n    _SHA3_IOTA.push(t);\n}\nconst [SHA3_IOTA_H, SHA3_IOTA_L] = /* @__PURE__ */ split(_SHA3_IOTA, true);\n// Left rotation (without 0, 32, 64)\nconst rotlH = (h, l, s) => (s > 32 ? rotlBH(h, l, s) : rotlSH(h, l, s));\nconst rotlL = (h, l, s) => (s > 32 ? rotlBL(h, l, s) : rotlSL(h, l, s));\n// Same as keccakf1600, but allows to skip some rounds\nexport function keccakP(s, rounds = 24) {\n    const B = new Uint32Array(5 * 2);\n    // NOTE: all indices are x2 since we store state as u32 instead of u64 (bigints to slow in js)\n    for (let round = 24 - rounds; round < 24; round++) {\n        // Theta θ\n        for (let x = 0; x < 10; x++)\n            B[x] = s[x] ^ s[x + 10] ^ s[x + 20] ^ s[x + 30] ^ s[x + 40];\n        for (let x = 0; x < 10; x += 2) {\n            const idx1 = (x + 8) % 10;\n            const idx0 = (x + 2) % 10;\n            const B0 = B[idx0];\n            const B1 = B[idx0 + 1];\n            const Th = rotlH(B0, B1, 1) ^ B[idx1];\n            const Tl = rotlL(B0, B1, 1) ^ B[idx1 + 1];\n            for (let y = 0; y < 50; y += 10) {\n                s[x + y] ^= Th;\n                s[x + y + 1] ^= Tl;\n            }\n        }\n        // Rho (ρ) and Pi (π)\n        let curH = s[2];\n        let curL = s[3];\n        for (let t = 0; t < 24; t++) {\n            const shift = SHA3_ROTL[t];\n            const Th = rotlH(curH, curL, shift);\n            const Tl = rotlL(curH, curL, shift);\n            const PI = SHA3_PI[t];\n            curH = s[PI];\n            curL = s[PI + 1];\n            s[PI] = Th;\n            s[PI + 1] = Tl;\n        }\n        // Chi (χ)\n        for (let y = 0; y < 50; y += 10) {\n            for (let x = 0; x < 10; x++)\n                B[x] = s[y + x];\n            for (let x = 0; x < 10; x++)\n                s[y + x] ^= ~B[(x + 2) % 10] & B[(x + 4) % 10];\n        }\n        // Iota (ι)\n        s[0] ^= SHA3_IOTA_H[round];\n        s[1] ^= SHA3_IOTA_L[round];\n    }\n    B.fill(0);\n}\nexport class Keccak extends Hash {\n    // NOTE: we accept arguments in bytes instead of bits here.\n    constructor(blockLen, suffix, outputLen, enableXOF = false, rounds = 24) {\n        super();\n        this.blockLen = blockLen;\n        this.suffix = suffix;\n        this.outputLen = outputLen;\n        this.enableXOF = enableXOF;\n        this.rounds = rounds;\n        this.pos = 0;\n        this.posOut = 0;\n        this.finished = false;\n        this.destroyed = false;\n        // Can be passed from user as dkLen\n        number(outputLen);\n        // 1600 = 5x5 matrix of 64bit.  1600 bits === 200 bytes\n        if (0 >= this.blockLen || this.blockLen >= 200)\n            throw new Error('Sha3 supports only keccak-f1600 function');\n        this.state = new Uint8Array(200);\n        this.state32 = u32(this.state);\n    }\n    keccak() {\n        if (!isLE)\n            byteSwap32(this.state32);\n        keccakP(this.state32, this.rounds);\n        if (!isLE)\n            byteSwap32(this.state32);\n        this.posOut = 0;\n        this.pos = 0;\n    }\n    update(data) {\n        exists(this);\n        const { blockLen, state } = this;\n        data = toBytes(data);\n        const len = data.length;\n        for (let pos = 0; pos < len;) {\n            const take = Math.min(blockLen - this.pos, len - pos);\n            for (let i = 0; i < take; i++)\n                state[this.pos++] ^= data[pos++];\n            if (this.pos === blockLen)\n                this.keccak();\n        }\n        return this;\n    }\n    finish() {\n        if (this.finished)\n            return;\n        this.finished = true;\n        const { state, suffix, pos, blockLen } = this;\n        // Do the padding\n        state[pos] ^= suffix;\n        if ((suffix & 0x80) !== 0 && pos === blockLen - 1)\n            this.keccak();\n        state[blockLen - 1] ^= 0x80;\n        this.keccak();\n    }\n    writeInto(out) {\n        exists(this, false);\n        bytes(out);\n        this.finish();\n        const bufferOut = this.state;\n        const { blockLen } = this;\n        for (let pos = 0, len = out.length; pos < len;) {\n            if (this.posOut >= blockLen)\n                this.keccak();\n            const take = Math.min(blockLen - this.posOut, len - pos);\n            out.set(bufferOut.subarray(this.posOut, this.posOut + take), pos);\n            this.posOut += take;\n            pos += take;\n        }\n        return out;\n    }\n    xofInto(out) {\n        // Sha3/Keccak usage with XOF is probably mistake, only SHAKE instances can do XOF\n        if (!this.enableXOF)\n            throw new Error('XOF is not possible for this instance');\n        return this.writeInto(out);\n    }\n    xof(bytes) {\n        number(bytes);\n        return this.xofInto(new Uint8Array(bytes));\n    }\n    digestInto(out) {\n        output(out, this);\n        if (this.finished)\n            throw new Error('digest() was already called');\n        this.writeInto(out);\n        this.destroy();\n        return out;\n    }\n    digest() {\n        return this.digestInto(new Uint8Array(this.outputLen));\n    }\n    destroy() {\n        this.destroyed = true;\n        this.state.fill(0);\n    }\n    _cloneInto(to) {\n        const { blockLen, suffix, outputLen, rounds, enableXOF } = this;\n        to || (to = new Keccak(blockLen, suffix, outputLen, enableXOF, rounds));\n        to.state32.set(this.state32);\n        to.pos = this.pos;\n        to.posOut = this.posOut;\n        to.finished = this.finished;\n        to.rounds = rounds;\n        // Suffix can change in cSHAKE\n        to.suffix = suffix;\n        to.outputLen = outputLen;\n        to.enableXOF = enableXOF;\n        to.destroyed = this.destroyed;\n        return to;\n    }\n}\nconst gen = (suffix, blockLen, outputLen) => wrapConstructor(() => new Keccak(blockLen, suffix, outputLen));\nexport const sha3_224 = /* @__PURE__ */ gen(0x06, 144, 224 / 8);\n/**\n * SHA3-256 hash function\n * @param message - that would be hashed\n */\nexport const sha3_256 = /* @__PURE__ */ gen(0x06, 136, 256 / 8);\nexport const sha3_384 = /* @__PURE__ */ gen(0x06, 104, 384 / 8);\nexport const sha3_512 = /* @__PURE__ */ gen(0x06, 72, 512 / 8);\nexport const keccak_224 = /* @__PURE__ */ gen(0x01, 144, 224 / 8);\n/**\n * keccak-256 hash function. Different from SHA3-256.\n * @param message - that would be hashed\n */\nexport const keccak_256 = /* @__PURE__ */ gen(0x01, 136, 256 / 8);\nexport const keccak_384 = /* @__PURE__ */ gen(0x01, 104, 384 / 8);\nexport const keccak_512 = /* @__PURE__ */ gen(0x01, 72, 512 / 8);\nconst genShake = (suffix, blockLen, outputLen) => wrapXOFConstructorWithOpts((opts = {}) => new Keccak(blockLen, suffix, opts.dkLen === undefined ? outputLen : opts.dkLen, true));\nexport const shake128 = /* @__PURE__ */ genShake(0x1f, 168, 128 / 8);\nexport const shake256 = /* @__PURE__ */ genShake(0x1f, 136, 256 / 8);\n//# sourceMappingURL=sha3.js.map","/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\n// Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²\nimport { validateBasic, wNAF, pippenger, } from './curve.js';\nimport { mod, Field } from './modular.js';\nimport * as ut from './utils.js';\nimport { ensureBytes, memoized, abool } from './utils.js';\n// Be friendly to bad ECMAScript parsers by not using bigint literals\n// prettier-ignore\nconst _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _8n = BigInt(8);\n// verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:\nconst VERIFY_DEFAULT = { zip215: true };\nfunction validateOpts(curve) {\n    const opts = validateBasic(curve);\n    ut.validateObject(curve, {\n        hash: 'function',\n        a: 'bigint',\n        d: 'bigint',\n        randomBytes: 'function',\n    }, {\n        adjustScalarBytes: 'function',\n        domain: 'function',\n        uvRatio: 'function',\n        mapToCurve: 'function',\n    });\n    // Set defaults\n    return Object.freeze({ ...opts });\n}\n/**\n * Creates Twisted Edwards curve with EdDSA signatures.\n * @example\n * import { Field } from '@noble/curves/abstract/modular';\n * // Before that, define BigInt-s: a, d, p, n, Gx, Gy, h\n * const curve = twistedEdwards({ a, d, Fp: Field(p), n, Gx, Gy, h })\n */\nexport function twistedEdwards(curveDef) {\n    const CURVE = validateOpts(curveDef);\n    const { Fp, n: CURVE_ORDER, prehash: prehash, hash: cHash, randomBytes, nByteLength, h: cofactor, } = CURVE;\n    const MASK = _2n << (BigInt(nByteLength * 8) - _1n);\n    const modP = Fp.create; // Function overrides\n    const Fn = Field(CURVE.n, CURVE.nBitLength);\n    // sqrt(u/v)\n    const uvRatio = CURVE.uvRatio ||\n        ((u, v) => {\n            try {\n                return { isValid: true, value: Fp.sqrt(u * Fp.inv(v)) };\n            }\n            catch (e) {\n                return { isValid: false, value: _0n };\n            }\n        });\n    const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes) => bytes); // NOOP\n    const domain = CURVE.domain ||\n        ((data, ctx, phflag) => {\n            abool('phflag', phflag);\n            if (ctx.length || phflag)\n                throw new Error('Contexts/pre-hash are not supported');\n            return data;\n        }); // NOOP\n    // 0 <= n < MASK\n    // Coordinates larger than Fp.ORDER are allowed for zip215\n    function aCoordinate(title, n) {\n        ut.aInRange('coordinate ' + title, n, _0n, MASK);\n    }\n    function assertPoint(other) {\n        if (!(other instanceof Point))\n            throw new Error('ExtendedPoint expected');\n    }\n    // Converts Extended point to default (x, y) coordinates.\n    // Can accept precomputed Z^-1 - for example, from invertBatch.\n    const toAffineMemo = memoized((p, iz) => {\n        const { ex: x, ey: y, ez: z } = p;\n        const is0 = p.is0();\n        if (iz == null)\n            iz = is0 ? _8n : Fp.inv(z); // 8 was chosen arbitrarily\n        const ax = modP(x * iz);\n        const ay = modP(y * iz);\n        const zz = modP(z * iz);\n        if (is0)\n            return { x: _0n, y: _1n };\n        if (zz !== _1n)\n            throw new Error('invZ was invalid');\n        return { x: ax, y: ay };\n    });\n    const assertValidMemo = memoized((p) => {\n        const { a, d } = CURVE;\n        if (p.is0())\n            throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?\n        // Equation in affine coordinates: ax² + y² = 1 + dx²y²\n        // Equation in projective coordinates (X/Z, Y/Z, Z):  (aX² + Y²)Z² = Z⁴ + dX²Y²\n        const { ex: X, ey: Y, ez: Z, et: T } = p;\n        const X2 = modP(X * X); // X²\n        const Y2 = modP(Y * Y); // Y²\n        const Z2 = modP(Z * Z); // Z²\n        const Z4 = modP(Z2 * Z2); // Z⁴\n        const aX2 = modP(X2 * a); // aX²\n        const left = modP(Z2 * modP(aX2 + Y2)); // (aX² + Y²)Z²\n        const right = modP(Z4 + modP(d * modP(X2 * Y2))); // Z⁴ + dX²Y²\n        if (left !== right)\n            throw new Error('bad point: equation left != right (1)');\n        // In Extended coordinates we also have T, which is x*y=T/Z: check X*Y == Z*T\n        const XY = modP(X * Y);\n        const ZT = modP(Z * T);\n        if (XY !== ZT)\n            throw new Error('bad point: equation left != right (2)');\n        return true;\n    });\n    // Extended Point works in extended coordinates: (x, y, z, t) ∋ (x=x/z, y=y/z, t=xy).\n    // https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates\n    class Point {\n        constructor(ex, ey, ez, et) {\n            this.ex = ex;\n            this.ey = ey;\n            this.ez = ez;\n            this.et = et;\n            aCoordinate('x', ex);\n            aCoordinate('y', ey);\n            aCoordinate('z', ez);\n            aCoordinate('t', et);\n            Object.freeze(this);\n        }\n        get x() {\n            return this.toAffine().x;\n        }\n        get y() {\n            return this.toAffine().y;\n        }\n        static fromAffine(p) {\n            if (p instanceof Point)\n                throw new Error('extended point not allowed');\n            const { x, y } = p || {};\n            aCoordinate('x', x);\n            aCoordinate('y', y);\n            return new Point(x, y, _1n, modP(x * y));\n        }\n        static normalizeZ(points) {\n            const toInv = Fp.invertBatch(points.map((p) => p.ez));\n            return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);\n        }\n        // Multiscalar Multiplication\n        static msm(points, scalars) {\n            return pippenger(Point, Fn, points, scalars);\n        }\n        // \"Private method\", don't use it directly\n        _setWindowSize(windowSize) {\n            wnaf.setWindowSize(this, windowSize);\n        }\n        // Not required for fromHex(), which always creates valid points.\n        // Could be useful for fromAffine().\n        assertValidity() {\n            assertValidMemo(this);\n        }\n        // Compare one point to another.\n        equals(other) {\n            assertPoint(other);\n            const { ex: X1, ey: Y1, ez: Z1 } = this;\n            const { ex: X2, ey: Y2, ez: Z2 } = other;\n            const X1Z2 = modP(X1 * Z2);\n            const X2Z1 = modP(X2 * Z1);\n            const Y1Z2 = modP(Y1 * Z2);\n            const Y2Z1 = modP(Y2 * Z1);\n            return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;\n        }\n        is0() {\n            return this.equals(Point.ZERO);\n        }\n        negate() {\n            // Flips point sign to a negative one (-x, y in affine coords)\n            return new Point(modP(-this.ex), this.ey, this.ez, modP(-this.et));\n        }\n        // Fast algo for doubling Extended Point.\n        // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd\n        // Cost: 4M + 4S + 1*a + 6add + 1*2.\n        double() {\n            const { a } = CURVE;\n            const { ex: X1, ey: Y1, ez: Z1 } = this;\n            const A = modP(X1 * X1); // A = X12\n            const B = modP(Y1 * Y1); // B = Y12\n            const C = modP(_2n * modP(Z1 * Z1)); // C = 2*Z12\n            const D = modP(a * A); // D = a*A\n            const x1y1 = X1 + Y1;\n            const E = modP(modP(x1y1 * x1y1) - A - B); // E = (X1+Y1)2-A-B\n            const G = D + B; // G = D+B\n            const F = G - C; // F = G-C\n            const H = D - B; // H = D-B\n            const X3 = modP(E * F); // X3 = E*F\n            const Y3 = modP(G * H); // Y3 = G*H\n            const T3 = modP(E * H); // T3 = E*H\n            const Z3 = modP(F * G); // Z3 = F*G\n            return new Point(X3, Y3, Z3, T3);\n        }\n        // Fast algo for adding 2 Extended Points.\n        // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd\n        // Cost: 9M + 1*a + 1*d + 7add.\n        add(other) {\n            assertPoint(other);\n            const { a, d } = CURVE;\n            const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this;\n            const { ex: X2, ey: Y2, ez: Z2, et: T2 } = other;\n            // Faster algo for adding 2 Extended Points when curve's a=-1.\n            // http://hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#addition-add-2008-hwcd-4\n            // Cost: 8M + 8add + 2*2.\n            // Note: It does not check whether the `other` point is valid.\n            if (a === BigInt(-1)) {\n                const A = modP((Y1 - X1) * (Y2 + X2));\n                const B = modP((Y1 + X1) * (Y2 - X2));\n                const F = modP(B - A);\n                if (F === _0n)\n                    return this.double(); // Same point. Tests say it doesn't affect timing\n                const C = modP(Z1 * _2n * T2);\n                const D = modP(T1 * _2n * Z2);\n                const E = D + C;\n                const G = B + A;\n                const H = D - C;\n                const X3 = modP(E * F);\n                const Y3 = modP(G * H);\n                const T3 = modP(E * H);\n                const Z3 = modP(F * G);\n                return new Point(X3, Y3, Z3, T3);\n            }\n            const A = modP(X1 * X2); // A = X1*X2\n            const B = modP(Y1 * Y2); // B = Y1*Y2\n            const C = modP(T1 * d * T2); // C = T1*d*T2\n            const D = modP(Z1 * Z2); // D = Z1*Z2\n            const E = modP((X1 + Y1) * (X2 + Y2) - A - B); // E = (X1+Y1)*(X2+Y2)-A-B\n            const F = D - C; // F = D-C\n            const G = D + C; // G = D+C\n            const H = modP(B - a * A); // H = B-a*A\n            const X3 = modP(E * F); // X3 = E*F\n            const Y3 = modP(G * H); // Y3 = G*H\n            const T3 = modP(E * H); // T3 = E*H\n            const Z3 = modP(F * G); // Z3 = F*G\n            return new Point(X3, Y3, Z3, T3);\n        }\n        subtract(other) {\n            return this.add(other.negate());\n        }\n        wNAF(n) {\n            return wnaf.wNAFCached(this, n, Point.normalizeZ);\n        }\n        // Constant-time multiplication.\n        multiply(scalar) {\n            const n = scalar;\n            ut.aInRange('scalar', n, _1n, CURVE_ORDER); // 1 <= scalar < L\n            const { p, f } = this.wNAF(n);\n            return Point.normalizeZ([p, f])[0];\n        }\n        // Non-constant-time multiplication. Uses double-and-add algorithm.\n        // It's faster, but should only be used when you don't care about\n        // an exposed private key e.g. sig verification.\n        // Does NOT allow scalars higher than CURVE.n.\n        multiplyUnsafe(scalar) {\n            const n = scalar;\n            ut.aInRange('scalar', n, _0n, CURVE_ORDER); // 0 <= scalar < L\n            if (n === _0n)\n                return I;\n            if (this.equals(I) || n === _1n)\n                return this;\n            if (this.equals(G))\n                return this.wNAF(n).p;\n            return wnaf.unsafeLadder(this, n);\n        }\n        // Checks if point is of small order.\n        // If you add something to small order point, you will have \"dirty\"\n        // point with torsion component.\n        // Multiplies point by cofactor and checks if the result is 0.\n        isSmallOrder() {\n            return this.multiplyUnsafe(cofactor).is0();\n        }\n        // Multiplies point by curve order and checks if the result is 0.\n        // Returns `false` is the point is dirty.\n        isTorsionFree() {\n            return wnaf.unsafeLadder(this, CURVE_ORDER).is0();\n        }\n        // Converts Extended point to default (x, y) coordinates.\n        // Can accept precomputed Z^-1 - for example, from invertBatch.\n        toAffine(iz) {\n            return toAffineMemo(this, iz);\n        }\n        clearCofactor() {\n            const { h: cofactor } = CURVE;\n            if (cofactor === _1n)\n                return this;\n            return this.multiplyUnsafe(cofactor);\n        }\n        // Converts hash string or Uint8Array to Point.\n        // Uses algo from RFC8032 5.1.3.\n        static fromHex(hex, zip215 = false) {\n            const { d, a } = CURVE;\n            const len = Fp.BYTES;\n            hex = ensureBytes('pointHex', hex, len); // copy hex to a new array\n            abool('zip215', zip215);\n            const normed = hex.slice(); // copy again, we'll manipulate it\n            const lastByte = hex[len - 1]; // select last byte\n            normed[len - 1] = lastByte & ~0x80; // clear last bit\n            const y = ut.bytesToNumberLE(normed);\n            // RFC8032 prohibits >= p, but ZIP215 doesn't\n            // zip215=true:  0 <= y < MASK (2^256 for ed25519)\n            // zip215=false: 0 <= y < P (2^255-19 for ed25519)\n            const max = zip215 ? MASK : Fp.ORDER;\n            ut.aInRange('pointHex.y', y, _0n, max);\n            // Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:\n            // ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)\n            const y2 = modP(y * y); // denominator is always non-0 mod p.\n            const u = modP(y2 - _1n); // u = y² - 1\n            const v = modP(d * y2 - a); // v = d y² + 1.\n            let { isValid, value: x } = uvRatio(u, v); // √(u/v)\n            if (!isValid)\n                throw new Error('Point.fromHex: invalid y coordinate');\n            const isXOdd = (x & _1n) === _1n; // There are 2 square roots. Use x_0 bit to select proper\n            const isLastByteOdd = (lastByte & 0x80) !== 0; // x_0, last bit\n            if (!zip215 && x === _0n && isLastByteOdd)\n                // if x=0 and x_0 = 1, fail\n                throw new Error('Point.fromHex: x=0 and x_0=1');\n            if (isLastByteOdd !== isXOdd)\n                x = modP(-x); // if x_0 != x mod 2, set x = p-x\n            return Point.fromAffine({ x, y });\n        }\n        static fromPrivateKey(privKey) {\n            return getExtendedPublicKey(privKey).point;\n        }\n        toRawBytes() {\n            const { x, y } = this.toAffine();\n            const bytes = ut.numberToBytesLE(y, Fp.BYTES); // each y has 2 x values (x, -y)\n            bytes[bytes.length - 1] |= x & _1n ? 0x80 : 0; // when compressing, it's enough to store y\n            return bytes; // and use the last byte to encode sign of x\n        }\n        toHex() {\n            return ut.bytesToHex(this.toRawBytes()); // Same as toRawBytes, but returns string.\n        }\n    }\n    Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));\n    Point.ZERO = new Point(_0n, _1n, _1n, _0n); // 0, 1, 1, 0\n    const { BASE: G, ZERO: I } = Point;\n    const wnaf = wNAF(Point, nByteLength * 8);\n    function modN(a) {\n        return mod(a, CURVE_ORDER);\n    }\n    // Little-endian SHA512 with modulo n\n    function modN_LE(hash) {\n        return modN(ut.bytesToNumberLE(hash));\n    }\n    /** Convenience method that creates public key and other stuff. RFC8032 5.1.5 */\n    function getExtendedPublicKey(key) {\n        const len = nByteLength;\n        key = ensureBytes('private key', key, len);\n        // Hash private key with curve's hash function to produce uniformingly random input\n        // Check byte lengths: ensure(64, h(ensure(32, key)))\n        const hashed = ensureBytes('hashed private key', cHash(key), 2 * len);\n        const head = adjustScalarBytes(hashed.slice(0, len)); // clear first half bits, produce FE\n        const prefix = hashed.slice(len, 2 * len); // second half is called key prefix (5.1.6)\n        const scalar = modN_LE(head); // The actual private scalar\n        const point = G.multiply(scalar); // Point on Edwards curve aka public key\n        const pointBytes = point.toRawBytes(); // Uint8Array representation\n        return { head, prefix, scalar, point, pointBytes };\n    }\n    // Calculates EdDSA pub key. RFC8032 5.1.5. Privkey is hashed. Use first half with 3 bits cleared\n    function getPublicKey(privKey) {\n        return getExtendedPublicKey(privKey).pointBytes;\n    }\n    // int('LE', SHA512(dom2(F, C) || msgs)) mod N\n    function hashDomainToScalar(context = new Uint8Array(), ...msgs) {\n        const msg = ut.concatBytes(...msgs);\n        return modN_LE(cHash(domain(msg, ensureBytes('context', context), !!prehash)));\n    }\n    /** Signs message with privateKey. RFC8032 5.1.6 */\n    function sign(msg, privKey, options = {}) {\n        msg = ensureBytes('message', msg);\n        if (prehash)\n            msg = prehash(msg); // for ed25519ph etc.\n        const { prefix, scalar, pointBytes } = getExtendedPublicKey(privKey);\n        const r = hashDomainToScalar(options.context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)\n        const R = G.multiply(r).toRawBytes(); // R = rG\n        const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)\n        const s = modN(r + k * scalar); // S = (r + k * s) mod L\n        ut.aInRange('signature.s', s, _0n, CURVE_ORDER); // 0 <= s < l\n        const res = ut.concatBytes(R, ut.numberToBytesLE(s, Fp.BYTES));\n        return ensureBytes('result', res, nByteLength * 2); // 64-byte signature\n    }\n    const verifyOpts = VERIFY_DEFAULT;\n    function verify(sig, msg, publicKey, options = verifyOpts) {\n        const { context, zip215 } = options;\n        const len = Fp.BYTES; // Verifies EdDSA signature against message and public key. RFC8032 5.1.7.\n        sig = ensureBytes('signature', sig, 2 * len); // An extended group equation is checked.\n        msg = ensureBytes('message', msg);\n        if (zip215 !== undefined)\n            abool('zip215', zip215);\n        if (prehash)\n            msg = prehash(msg); // for ed25519ph, etc\n        const s = ut.bytesToNumberLE(sig.slice(len, 2 * len));\n        // zip215: true is good for consensus-critical apps and allows points < 2^256\n        // zip215: false follows RFC8032 / NIST186-5 and restricts points to CURVE.p\n        let A, R, SB;\n        try {\n            A = Point.fromHex(publicKey, zip215);\n            R = Point.fromHex(sig.slice(0, len), zip215);\n            SB = G.multiplyUnsafe(s); // 0 <= s < l is done inside\n        }\n        catch (error) {\n            return false;\n        }\n        if (!zip215 && A.isSmallOrder())\n            return false;\n        const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);\n        const RkA = R.add(A.multiplyUnsafe(k));\n        // [8][S]B = [8]R + [8][k]A'\n        return RkA.subtract(SB).clearCofactor().equals(Point.ZERO);\n    }\n    G._setWindowSize(8); // Enable precomputes. Slows down first publicKey computation by 20ms.\n    const utils = {\n        getExtendedPublicKey,\n        // ed25519 private keys are uniform 32b. No need to check for modulo bias, like in secp256k1.\n        randomPrivateKey: () => randomBytes(Fp.BYTES),\n        /**\n         * We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT\n         * values. This slows down first getPublicKey() by milliseconds (see Speed section),\n         * but allows to speed-up subsequent getPublicKey() calls up to 20x.\n         * @param windowSize 2, 4, 8, 16\n         */\n        precompute(windowSize = 8, point = Point.BASE) {\n            point._setWindowSize(windowSize);\n            point.multiply(BigInt(3));\n            return point;\n        },\n    };\n    return {\n        CURVE,\n        getPublicKey,\n        sign,\n        verify,\n        ExtendedPoint: Point,\n        utils,\n    };\n}\n//# sourceMappingURL=edwards.js.map","/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\nimport { mod, pow } from './modular.js';\nimport { aInRange, bytesToNumberLE, ensureBytes, numberToBytesLE, validateObject, } from './utils.js';\nconst _0n = BigInt(0);\nconst _1n = BigInt(1);\nfunction validateOpts(curve) {\n    validateObject(curve, {\n        a: 'bigint',\n    }, {\n        montgomeryBits: 'isSafeInteger',\n        nByteLength: 'isSafeInteger',\n        adjustScalarBytes: 'function',\n        domain: 'function',\n        powPminus2: 'function',\n        Gu: 'bigint',\n    });\n    // Set defaults\n    return Object.freeze({ ...curve });\n}\n// NOTE: not really montgomery curve, just bunch of very specific methods for X25519/X448 (RFC 7748, https://www.rfc-editor.org/rfc/rfc7748)\n// Uses only one coordinate instead of two\nexport function montgomery(curveDef) {\n    const CURVE = validateOpts(curveDef);\n    const { P } = CURVE;\n    const modP = (n) => mod(n, P);\n    const montgomeryBits = CURVE.montgomeryBits;\n    const montgomeryBytes = Math.ceil(montgomeryBits / 8);\n    const fieldLen = CURVE.nByteLength;\n    const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes) => bytes);\n    const powPminus2 = CURVE.powPminus2 || ((x) => pow(x, P - BigInt(2), P));\n    // cswap from RFC7748. But it is not from RFC7748!\n    /*\n      cswap(swap, x_2, x_3):\n           dummy = mask(swap) AND (x_2 XOR x_3)\n           x_2 = x_2 XOR dummy\n           x_3 = x_3 XOR dummy\n           Return (x_2, x_3)\n    Where mask(swap) is the all-1 or all-0 word of the same length as x_2\n     and x_3, computed, e.g., as mask(swap) = 0 - swap.\n    */\n    function cswap(swap, x_2, x_3) {\n        const dummy =