app: added helm tgz handle

2026-03-12 16:59:29 +02:00
parent 0d67944966
commit 95ed9ddb97
3182 changed files with 957097 additions and 133 deletions
@@ -31,7 +31,10 @@ type PutFileParams struct {
 }
 type PutFileResult struct{}
-const defaultContentType = "application/octet-stream"
+const (
 	defaultContentType = "application/octet-stream"
 	hcMimeType         = "application/vnd.cncf.helm.chart.content.v1.tar+gzip"
 )
 // TODO: checking catalog and file names conflict
 func (oper *Operator) PutFile(ctx context.Context, operatorID string, params *PutFileParams) (int, *PutFileResult, error) {
@@ -71,6 +74,11 @@ func (oper *Operator) PutFile(ctx context.Context, operatorID string, params *Pu
 		code := http.StatusInternalServerError
 		return code, res, err
 	}
 	var helmHash string
 	var helmMeta string
 	if contentType == hcMimeType {
 		helmHash, helmMeta, err = oper.store.HelmMeta(tmpname)
 	}
 	descrExists, fileDescr, err := oper.mdb.GetFileByCollectionName(ctx, collection, filename)
 	if err != nil {
@@ -85,6 +93,8 @@ func (oper *Operator) PutFile(ctx context.Context, operatorID string, params *Pu
 		fileDescr.UpdatedAt = now
 		fileDescr.Type = contentType
 		fileDescr.UpdatedBy = operatorID
 		fileDescr.HelmMeta = helmMeta
 		fileDescr.HelmHash = helmHash
 		err = oper.mdb.UpdateFileByID(ctx, fileDescr.ID, fileDescr)
 		if err != nil {
 			code := http.StatusInternalServerError
@@ -102,6 +112,8 @@ func (oper *Operator) PutFile(ctx context.Context, operatorID string, params *Pu
 			UpdatedAt:  now,
 			CreatedBy:  operatorID,
 			UpdatedBy:  operatorID,
 			HelmMeta:   helmMeta,
 			HelmHash:   helmHash,
 		}
 		err = oper.mdb.InsertFile(ctx, fileDescr)
 		if err != nil {
@@ -71,7 +71,7 @@ func (oper *Operator) PatchUpload(ctx context.Context, operatorID string, params
 		}
 	}
-	recsize, _, err := oper.store.WriteUpload(params.Reference, params.Reader)
+	recsize, err := oper.store.WriteUpload(params.Reference, params.Reader)
 	if err != nil {
 		return res, http.StatusInternalServerError, err
 	}
@@ -65,7 +65,7 @@ func (oper *Operator) PutUpload(ctx context.Context, operatorID string, params *
 	}
 	if contentLength != 0 {
-		recsize, _, err := oper.store.WriteUpload(params.Reference, params.Reader)
+		recsize, err := oper.store.WriteUpload(params.Reference, params.Reader)
 		if err != nil {
 			return res, http.StatusInternalServerError, err
 		}
@@ -17,10 +17,12 @@ import (
 func (db *Database) InsertFile(ctx context.Context, file *descr.File) error {
 	var err error
-	request := `INSERT INTO files(id, collection, name, type, checksum, size, created_at, updated_at, created_by, updated_by)
+	request := `INSERT INTO files(id, collection, name, type, checksum, size,
-                        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)`
+                        created_at, updated_at, created_by, updated_by, helm_hash, helm_meta)
                        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12)`
 	_, err = db.db.Exec(request, file.ID, file.Collection, file.Name, file.Type, file.Checksum, file.Size,
-		file.CreatedAt, file.UpdatedAt, file.CreatedBy, file.UpdatedBy)
+		file.CreatedAt, file.UpdatedAt, file.CreatedBy, file.UpdatedBy,
 		file.HelmHash, file.HelmMeta)
 	if err != nil {
 		return err
 	}
@@ -30,10 +32,12 @@ func (db *Database) InsertFile(ctx context.Context, file *descr.File) error {
 func (db *Database) UpdateFileByID(ctx context.Context, fileID string, file *descr.File) error {
 	var err error
 	request := `UPDATE files SET id = $1, collection = $2, name = $3, type = $4, checksum = $5,
-                          size = $6, updated_at = $7, created_by = $8, updated_by = $9
+                          size = $6, updated_at = $7, created_by = $8, updated_by = $9,
-                          WHERE id = $10`
+                          helm_hash = $10, helm_meta = $11
                          WHERE id = $12`
 	_, err = db.db.Exec(request, file.ID, file.Collection, file.Name, file.Type, file.Checksum,
-		file.Size, file.UpdatedAt, file.CreatedBy, file.UpdatedBy, fileID)
+		file.Size, file.UpdatedAt, file.CreatedBy, file.UpdatedBy,
 		file.HelmHash, file.HelmMeta, fileID)
 	if err != nil {
 		return err
 	}
@@ -20,7 +20,9 @@ const schema = `
        created_at  VARCHAR(255) NOT NULL,
        updated_at  VARCHAR(255) NOT NULL,
        created_by  VARCHAR(255) NOT NULL,
-        updated_by  VARCHAR(255) NOT NULL
+        updated_by  VARCHAR(255) NOT NULL,
        helm_hash   VARCHAR(255) NOT NULL,
        helm_meta   VARCHAR(4096) NOT NULL
    );
    CREATE UNIQUE INDEX IF NOT EXISTS files_index
        ON files(collection, name);
@@ -0,0 +1,32 @@
 package storage
 import (
 	"crypto/sha256"
 	"encoding/hex"
 	"hash"
 	"io"
 )
 type Hasher struct {
 	hasher hash.Hash
 }
 func NewHasher() *Hasher {
 	return &Hasher{
 		hasher: sha256.New(),
 	}
 }
 func (ha *Hasher) Writer() io.Writer {
 	return ha.hasher
 }
 func (ha *Hasher) Hex() string {
 	data := ha.hasher.Sum(nil)
 	res := hex.EncodeToString(data)
 	return "sha256:" + res
 }
 func (ha *Hasher) Verify(hash string) bool {
 	return hash == ha.Hex()
 }
@@ -0,0 +1,28 @@
 package storage
 import (
 	"encoding/json"
 	"helm.sh/helm/v4/pkg/chart/v2/loader"
 	"helm.sh/helm/v4/pkg/provenance"
 )
 func (store *Storage) HelmMeta(filename string) (string, string, error) {
 	var err error
 	var meta string
 	var hash string
 	chart, err := loader.Load(filename)
 	if err != nil {
 		return meta, hash, err
 	}
 	hash, err = provenance.DigestFile(filename)
 	if err != nil {
 		return meta, hash, err
 	}
 	metadata, err := json.Marshal(chart.Metadata)
 	if err != nil {
 		return meta, hash, err
 	}
 	meta = string(metadata)
 	return meta, hash, err
 }
@@ -11,8 +11,6 @@ package storage
 import (
 	"bytes"
 	"crypto/sha256"
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"io"
@@ -25,8 +23,8 @@ import (
 const (
 	sha256prefix = "sha256:"
-	filesubdir   = "files"
+	fileSubdir   = "files"
-	tmpsubdir    = "tmps"
+	tmpSubdir    = "tmps"
 )
 type Storage struct {
@@ -43,23 +41,23 @@ func NewStorage(basepath string) *Storage {
 }
 func (store *Storage) makeCollecionpath(collection string) string {
-	return filepath.Join(store.basepath, filesubdir, collection)
+	return filepath.Join(store.basepath, fileSubdir, collection)
 }
 func (store *Storage) makeFilepath(collection, filename string) string {
-	return filepath.Join(store.basepath, filesubdir, collection, filename)
+	return filepath.Join(store.basepath, fileSubdir, collection, filename)
 }
-func (store *Storage) makeTmppath(tmpname string) string {
+func (store *Storage) makeTmppath(tmpName string) string {
-	return filepath.Join(store.basepath, tmpsubdir, tmpname)
+	return filepath.Join(store.basepath, tmpSubdir, tmpName)
 }
 func (store *Storage) makeTmpsubdir() string {
-	return filepath.Join(store.basepath, tmpsubdir)
+	return filepath.Join(store.basepath, tmpSubdir)
 }
 func (store *Storage) makeFilesubdir(collection, filename string) string {
-	return filepath.Join(store.basepath, filesubdir)
+	return filepath.Join(store.basepath, fileSubdir)
 }
 func (store *Storage) GetFileReader(collection, filename string) (io.ReadCloser, error) {
@@ -80,40 +78,38 @@ func (store *Storage) WriteTempFile(source io.Reader) (string, int64, string, er
 	var size int64
 	var csum string
-	tmpname := fmt.Sprintf("file-%d-%d.tmp", auxuuid.NewUUID(), auxuuid.NewUUID())
+	tmpName := fmt.Sprintf("%d.tmp", auxuuid.NewUUID())
-	tmppath := store.makeTmppath(tmpname)
+	tmpPath := store.makeTmppath(tmpName)
 	tmpdirpath := store.makeTmpsubdir()
 	err = os.MkdirAll(tmpdirpath, 0750)
 	if err != nil {
-		return tmpname, size, csum, err
+		return tmpName, size, csum, err
 	}
-	file, err := os.OpenFile(tmppath, os.O_WRONLY|os.O_CREATE, 0640)
+	file, err := os.OpenFile(tmpPath, os.O_WRONLY|os.O_CREATE, 0640)
 	if err != nil {
-		return tmpname, size, csum, err
+		return tmpName, size, csum, err
 	}
 	defer file.Close()
-	hasher := sha256.New()
+	hasher := NewHasher()
-	writer := io.MultiWriter(file, hasher)
+	mWriter := io.MultiWriter(file, hasher.Writer())
-
+	size, err = io.Copy(mWriter, source)
 	size, err = io.Copy(writer, source)
 	if err != nil {
-		return tmpname, size, csum, err
+		return tmpName, size, csum, err
 	}
-	csum = hex.EncodeToString(hasher.Sum(nil))
+	csum = hasher.Hex()
 	csum = sha256prefix + csum
-	return tmpname, size, csum, err
+	return tmpName, size, csum, err
 }
-func (store *Storage) HardlinkFile(tmpname, collection, filename string) error {
+func (store *Storage) HardlinkFile(tmpName, collection, filename string) error {
 	var err error
 	dirname := store.makeCollecionpath(collection)
 	_, err = os.Stat(dirname)
-	if errors.Is(err, os.ErrNotExist) {
+	if os.IsNotExist(err) {
 		err = os.MkdirAll(dirname, 0750)
 		if err != nil {
 			return err
@@ -122,16 +118,17 @@ func (store *Storage) HardlinkFile(tmpname, collection, filename string) error {
 	if err != nil {
 		return err
 	}
 	filename = store.makeFilepath(collection, filename)
-	os.Remove(filename) // TODO: safe removing
+	_, err = os.Stat(dirname)
-
+	if os.IsExist(err) {
-	tmpname = store.makeTmppath(tmpname)
+		os.Remove(filename) // TODO: safe removing
-	err = os.Link(tmpname, filename)
+	}
 	tmpName = store.makeTmppath(tmpName)
 	err = os.Link(tmpName, filename)
 	if err != nil {
 		return err
 	}
-	err = os.Remove(tmpname)
+	err = os.Remove(tmpName)
 	if err != nil {
 		return err
 	}
@@ -172,45 +169,37 @@ func (store *Storage) makeBlobsubdir() string {
 	return filepath.Join(store.basepath, blobsubdir)
 }
-func (store *Storage) WriteUpload(uploadID string, source io.Reader) (int64, string, error) {
+func (store *Storage) WriteUpload(upID string, source io.Reader) (int64, error) {
 	var err error
 	var recsize int64
 	var recsum string
 	uploadDir := store.makeUpsubdir()
 	_, err = os.Stat(uploadDir)
-	if errors.Is(err, os.ErrNotExist) {
+	if os.IsNotExist(err) {
 		err = os.MkdirAll(uploadDir, 0750)
 		if err != nil {
-			return recsize, recsum, err
+			return recsize, err
 		}
 	}
 	if err != nil {
-		return recsize, recsum, err
+		return recsize, err
 	}
-
+	upPath := store.makeUppath(upID)
-	uploadPath := store.makeUppath(uploadID)
+	upFile, err := os.OpenFile(upPath, os.O_WRONLY|os.O_CREATE, 0644)
 	uploadFile, err := os.OpenFile(uploadPath, os.O_WRONLY|os.O_CREATE, 0644)
 	if err != nil {
-		return recsize, recsum, err
+		return recsize, err
 	}
-	defer uploadFile.Close()
+	defer upFile.Close()
-
+	recsize, err = io.Copy(upFile, source)
 	hasher := sha256.New() // TODO: upload cheking
 	streamWriter := io.MultiWriter(uploadFile, hasher)
 	recsize, err = io.Copy(streamWriter, source)
 	if err != nil {
-		return recsize, recsum, err
+		return recsize, err
 	}
-	recsum = hex.EncodeToString(hasher.Sum(nil))
+	return recsize, err
 	recsum = sha256prefix + recsum
 	return recsize, recsum, err
 }
 func (store *Storage) LinkUpload(reference, digest string) error {
 	var err error
-	uploadPath := store.makeUppath(reference)
+	upPath := store.makeUppath(reference)
 	blobdir := store.makeBlobsubdir()
 	_, err = os.Stat(blobdir)
@@ -231,18 +220,17 @@ func (store *Storage) LinkUpload(reference, digest string) error {
 			return err
 		}
 	}
-	if errors.Is(err, os.ErrNotExist) {
+	if os.IsNotExist(err) {
 		err = nil
 	}
 	if err != nil {
 		return err
 	}
-
+	err = os.Link(upPath, blobPath)
 	err = os.Link(uploadPath, blobPath)
 	if err != nil {
 		return err
 	}
-	err = os.Remove(uploadPath)
+	err = os.Remove(upPath)
 	if err != nil {
 		return err
 	}
@@ -251,8 +239,8 @@ func (store *Storage) LinkUpload(reference, digest string) error {
 func (store *Storage) RemoveUpload(digest string) error {
 	var err error
-	uploadPath := store.makeUppath(digest)
+	upPath := store.makeUppath(digest)
-	err = os.Remove(uploadPath)
+	err = os.Remove(upPath)
 	if err != nil {
 		return err
 	}
@@ -261,88 +249,70 @@ func (store *Storage) RemoveUpload(digest string) error {
 func (st *Storage) UploadExists(name, reference string) (bool, int64, error) {
 	var err error
-	var fileSize int64
+	var size int64
-
+	upPath := st.makeUppath(reference)
-	uploadPath := st.makeUppath(reference)
+	fileStat, err := os.Stat(upPath)
 	fileStat, err := os.Stat(uploadPath)
 	if errors.Is(err, os.ErrNotExist) {
 		return false, 0, nil
 	}
 	if err != nil {
 		return false, 0, err
 	}
-
+	size = fileStat.Size()
-	fileSize = fileStat.Size()
+	return true, size, err
 	return true, fileSize, err
 }
-func (store *Storage) WriteBlob(digest string, source io.Reader) (int64, string, error) {
+func (store *Storage) WriteBlob(digstr string, source io.Reader) (int64, error) {
 	var err error
-	var recsize int64
+	var size int64
-	var recsum string
+	blobDir := store.makeBlobsubdir()
-
+	_, err = os.Stat(blobDir)
-	//defer source.Close()
+	if os.IsNotExist(err) {
-
+		err = os.MkdirAll(blobDir, 0750)
 	blobdir := store.makeBlobsubdir()
 	_, err = os.Stat(blobdir)
 	if errors.Is(err, os.ErrNotExist) {
 		err = os.MkdirAll(blobdir, 0750)
 		if err != nil {
-			return recsize, digest, err
+			return size, err
 		}
 	}
 	if err != nil {
-		return recsize, digest, err
+		return size, err
 	}
-
+	blobPath := store.makeBlobpath(digstr)
-	blobpath := store.makeBlobpath(digest)
+	blobFile, err := os.OpenFile(blobPath, os.O_WRONLY|os.O_CREATE, 0644)
 	blobfile, err := os.OpenFile(blobpath, os.O_WRONLY|os.O_CREATE, 0644)
 	if err != nil {
-		return recsize, digest, err
+		return size, err
 	}
-	defer blobfile.Close()
+	defer blobFile.Close()
-
+	size, err = io.Copy(blobFile, source)
 	hasher := sha256.New() // TODO
 	multiWriter := io.MultiWriter(blobfile, hasher)
 	recsize, err = io.Copy(multiWriter, source)
 	if err != nil {
-		return recsize, digest, err
+		return size, err
 	}
-	recsum = hex.EncodeToString(hasher.Sum(nil))
+	return size, err
 	recsum = sha256prefix + recsum
 	return recsize, recsum, err
 }
 func (st *Storage) BlobExists(digest string) (bool, int64, error) {
 	var err error
-	var fileSize int64
+	var size int64
 	blobPath := st.makeBlobpath(digest)
 	fileStat, err := os.Stat(blobPath)
-	if errors.Is(err, os.ErrNotExist) {
+	if os.IsNotExist(err) {
 		return false, 0, nil
 	}
 	if err != nil {
 		return false, 0, err
 	}
-
+	size = fileStat.Size()
-	fileSize = fileStat.Size()
+	return true, size, err
 	return true, fileSize, err
 }
 func (store *Storage) BlobReader(digest string) (int64, io.ReadCloser, error) {
 	var err error
-	var filesize int64
+	var size int64
-	blobpath := store.makeBlobpath(digest)
+	blobPath := store.makeBlobpath(digest)
-
+	nop := io.NopCloser(bytes.NewReader(nil))
-	emptyReadCloser := io.NopCloser(bytes.NewReader(nil))
+	file, err := os.OpenFile(blobPath, os.O_RDONLY, 0)
 	file, err := os.OpenFile(blobpath, os.O_RDONLY, 0)
 	if err != nil {
-		return filesize, emptyReadCloser, err
+		return size, nop, err
 	}
 	defer func() {
 		if err != nil {
@@ -351,17 +321,17 @@ func (store *Storage) BlobReader(digest string) (int64, io.ReadCloser, error) {
 	}()
 	filestat, err := file.Stat()
 	if err != nil {
-		return filesize, emptyReadCloser, err
+		return size, nop, err
 	}
-	filesize = filestat.Size()
+	size = filestat.Size()
-	return filesize, file, err
+	return size, file, err
 }
 func (store *Storage) DeleteBlob(digest string) error {
 	var err error
-	blobpath := store.makeBlobpath(digest)
+	blobPath := store.makeBlobpath(digest)
-	err = os.Remove(blobpath)
+	err = os.Remove(blobPath)
-	if errors.Is(err, os.ErrNotExist) {
+	if os.IsNotExist(err) {
 		err = nil
 	}
 	if err != nil {
@@ -24,6 +24,8 @@ type File struct {
 	UpdatedAt  string `db:"updated_at"  json:"updatedAt,omitempty"  yaml:"updatedAt,omitempty"`
 	CreatedBy  string `db:"created_by"  json:"createdBy,omitempty"  yaml:"createdBy,omitempty"`
 	UpdatedBy  string `db:"updated_by"  json:"updatedBy,omitempty"  yaml:"updatedBy,omitempty"`
 	HelmHash   string `db:"helm_hash"   json:"helmHash,omitempty"   yaml:"helmHash,omitempty"`
 	HelmMeta   string `db:"helm_meta"   json:"helmMeta,omitempty"   yaml:"helmMeta,omitempty"`
 }
 type Files struct {
@@ -72,8 +72,8 @@ func (cli *Client) PushImage(ctx context.Context, filepath, imagepath string) er
 	dstdir := auxtool.MakeTmpFilename(filepath)
 	err = auxutar.Unarchive(filepath, dstdir)
 	defer os.RemoveAll(dstdir)
 	if err != nil {
 		//os.RemoveAll(dstdir)
 		return err
 	}
 	image, err := imageLoader(dstdir)
@@ -84,10 +84,6 @@ func (cli *Client) PushImage(ctx context.Context, filepath, imagepath string) er
 	if err != nil {
 		return err
 	}
 	err = os.RemoveAll(dstdir)
 	if err != nil {
 		return err
 	}
 	return err
 }
@@ -0,0 +1 @@
 _fuzz/
@@ -0,0 +1,27 @@
 run:
  deadline: 2m
 linters:
  disable-all: true
  enable:
    - misspell
    - govet
    - staticcheck
    - errcheck
    - unparam
    - ineffassign
    - nakedret
    - gocyclo
    - dupl
    - goimports
    - revive
    - gosec
    - gosimple
    - typecheck
    - unused
 linters-settings:
  gofmt:
    simplify: true
  dupl:
    threshold: 600
@@ -0,0 +1,268 @@
 # Changelog
 ## 3.4.0 (2025-06-27)
 ### Added
 - #268: Added property to Constraints to include prereleases for Check and Validate
 ### Changed
 - #263: Updated Go testing for 1.24, 1.23, and 1.22
 - #269: Updated the error message handling for message case and wrapping errors
 - #266: Restore the ability to have leading 0's when parsing with NewVersion.
  Opt-out of this by setting CoerceNewVersion to false.
 ### Fixed
 - #257: Fixed the CodeQL link (thanks @dmitris)
 - #262: Restored detailed errors when failed to parse with NewVersion. Opt-out
  of this by setting DetailedNewVersionErrors to false for faster performance.
 - #267: Handle pre-releases for an "and" group if one constraint includes them
 ## 3.3.1 (2024-11-19)
 ### Fixed
 - #253: Fix for allowing some version that were invalid
 ## 3.3.0 (2024-08-27)
 ### Added
 - #238: Add LessThanEqual and GreaterThanEqual functions (thanks @grosser)
 - #213: nil version equality checking (thanks @KnutZuidema)
 ### Changed
 - #241: Simplify StrictNewVersion parsing (thanks @grosser)
 - Testing support up through Go 1.23
 - Minimum version set to 1.21 as this is what's tested now
 - Fuzz testing now supports caching
 ## 3.2.1 (2023-04-10)
 ### Changed
 - #198: Improved testing around pre-release names
 - #200: Improved code scanning with addition of CodeQL
 - #201: Testing now includes Go 1.20. Go 1.17 has been dropped
 - #202: Migrated Fuzz testing to Go built-in Fuzzing. CI runs daily
 - #203: Docs updated for security details
 ### Fixed
 - #199: Fixed issue with range transformations
 ## 3.2.0 (2022-11-28)
 ### Added
 - #190: Added text marshaling and unmarshaling
 - #167: Added JSON marshalling for constraints (thanks @SimonTheLeg)
 - #173: Implement encoding.TextMarshaler and encoding.TextUnmarshaler on Version (thanks @MarkRosemaker)
 - #179: Added New() version constructor (thanks @kazhuravlev)
 ### Changed
 - #182/#183: Updated CI testing setup
 ### Fixed
 - #186: Fixing issue where validation of constraint section gave false positives
 - #176: Fix constraints check with *-0 (thanks @mtt0)
 - #181: Fixed Caret operator (^) gives unexpected results when the minor version in constraint is 0 (thanks @arshchimni)
 - #161: Fixed godoc (thanks @afirth)
 ## 3.1.1 (2020-11-23)
 ### Fixed
 - #158: Fixed issue with generated regex operation order that could cause problem
 ## 3.1.0 (2020-04-15)
 ### Added
 - #131: Add support for serializing/deserializing SQL (thanks @ryancurrah)
 ### Changed
 - #148: More accurate validation messages on constraints
 ## 3.0.3 (2019-12-13)
 ### Fixed
 - #141: Fixed issue with <= comparison
 ## 3.0.2 (2019-11-14)
 ### Fixed
 - #134: Fixed broken constraint checking with ^0.0 (thanks @krmichelos)
 ## 3.0.1 (2019-09-13)
 ### Fixed
 - #125: Fixes issue with module path for v3
 ## 3.0.0 (2019-09-12)
 This is a major release of the semver package which includes API changes. The Go
 API is compatible with ^1. The Go API was not changed because many people are using
 `go get` without Go modules for their applications and API breaking changes cause
 errors which we have or would need to support.
 The changes in this release are the handling based on the data passed into the
 functions. These are described in the added and changed sections below.
 ### Added
 - StrictNewVersion function. This is similar to NewVersion but will return an
  error if the version passed in is not a strict semantic version. For example,
  1.2.3 would pass but v1.2.3 or 1.2 would fail because they are not strictly
  speaking semantic versions. This function is faster, performs fewer operations,
  and uses fewer allocations than NewVersion.
 - Fuzzing has been performed on NewVersion, StrictNewVersion, and NewConstraint.
  The Makefile contains the operations used. For more information on you can start
  on Wikipedia at https://en.wikipedia.org/wiki/Fuzzing
 - Now using Go modules
 ### Changed
 - NewVersion has proper prerelease and metadata validation with error messages
  to signal an issue with either of them
 - ^ now operates using a similar set of rules to npm/js and Rust/Cargo. If the
  version is >=1 the ^ ranges works the same as v1. For major versions of 0 the
  rules have changed. The minor version is treated as the stable version unless
  a patch is specified and then it is equivalent to =. One difference from npm/js
  is that prereleases there are only to a specific version (e.g. 1.2.3).
  Prereleases here look over multiple versions and follow semantic version
  ordering rules. This pattern now follows along with the expected and requested
  handling of this packaged by numerous users.
 ## 1.5.0 (2019-09-11)
 ### Added
 - #103: Add basic fuzzing for `NewVersion()` (thanks @jesse-c)
 ### Changed
 - #82: Clarify wildcard meaning in range constraints and update tests for it (thanks @greysteil)
 - #83: Clarify caret operator range for pre-1.0.0 dependencies (thanks @greysteil)
 - #72: Adding docs comment pointing to vert for a cli
 - #71: Update the docs on pre-release comparator handling
 - #89: Test with new go versions (thanks @thedevsaddam)
 - #87: Added $ to ValidPrerelease for better validation (thanks @jeremycarroll)
 ### Fixed
 - #78: Fix unchecked error in example code (thanks @ravron)
 - #70: Fix the handling of pre-releases and the 0.0.0 release edge case
 - #97: Fixed copyright file for proper display on GitHub
 - #107: Fix handling prerelease when sorting alphanum and num
 - #109: Fixed where Validate sometimes returns wrong message on error
 ## 1.4.2 (2018-04-10)
 ### Changed
 - #72: Updated the docs to point to vert for a console appliaction
 - #71: Update the docs on pre-release comparator handling
 ### Fixed
 - #70: Fix the handling of pre-releases and the 0.0.0 release edge case
 ## 1.4.1 (2018-04-02)
 ### Fixed
 - Fixed #64: Fix pre-release precedence issue (thanks @uudashr)
 ## 1.4.0 (2017-10-04)
 ### Changed
 - #61: Update NewVersion to parse ints with a 64bit int size (thanks @zknill)
 ## 1.3.1 (2017-07-10)
 ### Fixed
 - Fixed #57: number comparisons in prerelease sometimes inaccurate
 ## 1.3.0 (2017-05-02)
 ### Added
 - #45: Added json (un)marshaling support (thanks @mh-cbon)
 - Stability marker. See https://masterminds.github.io/stability/
 ### Fixed
 - #51: Fix handling of single digit tilde constraint (thanks @dgodd)
 ### Changed
 - #55: The godoc icon moved from png to svg
 ## 1.2.3 (2017-04-03)
 ### Fixed
 - #46: Fixed 0.x.x and 0.0.x in constraints being treated as *
 ## Release 1.2.2 (2016-12-13)
 ### Fixed
 - #34: Fixed issue where hyphen range was not working with pre-release parsing.
 ## Release 1.2.1 (2016-11-28)
 ### Fixed
 - #24: Fixed edge case issue where constraint "> 0" does not handle "0.0.1-alpha"
  properly.
 ## Release 1.2.0 (2016-11-04)
 ### Added
 - #20: Added MustParse function for versions (thanks @adamreese)
 - #15: Added increment methods on versions (thanks @mh-cbon)
 ### Fixed
 - Issue #21: Per the SemVer spec (section 9) a pre-release is unstable and
  might not satisfy the intended compatibility. The change here ignores pre-releases
  on constraint checks (e.g., ~ or ^) when a pre-release is not part of the
  constraint. For example, `^1.2.3` will ignore pre-releases while
  `^1.2.3-alpha` will include them.
 ## Release 1.1.1 (2016-06-30)
 ### Changed
 - Issue #9: Speed up version comparison performance (thanks @sdboyer)
 - Issue #8: Added benchmarks (thanks @sdboyer)
 - Updated Go Report Card URL to new location
 - Updated Readme to add code snippet formatting (thanks @mh-cbon)
 - Updating tagging to v[SemVer] structure for compatibility with other tools.
 ## Release 1.1.0 (2016-03-11)
 - Issue #2: Implemented validation to provide reasons a versions failed a
  constraint.
 ## Release 1.0.1 (2015-12-31)
 - Fixed #1: * constraint failing on valid versions.
 ## Release 1.0.0 (2015-10-20)
 - Initial release
@@ -0,0 +1,19 @@
 Copyright (C) 2014-2019, Matt Butcher and Matt Farina
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in
 all copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
@@ -0,0 +1,274 @@
 # SemVer
 The `semver` package provides the ability to work with [Semantic Versions](http://semver.org) in Go. Specifically it provides the ability to:
 * Parse semantic versions
 * Sort semantic versions
 * Check if a semantic version fits within a set of constraints
 * Optionally work with a `v` prefix
 [![Stability:
 Active](https://masterminds.github.io/stability/active.svg)](https://masterminds.github.io/stability/active.html)
 [![](https://github.com/Masterminds/semver/workflows/Tests/badge.svg)](https://github.com/Masterminds/semver/actions)
 [![GoDoc](https://img.shields.io/static/v1?label=godoc&message=reference&color=blue)](https://pkg.go.dev/github.com/Masterminds/semver/v3)
 [![Go Report Card](https://goreportcard.com/badge/github.com/Masterminds/semver)](https://goreportcard.com/report/github.com/Masterminds/semver)
 ## Package Versions
 Note, import `github.com/Masterminds/semver/v3` to use the latest version.
 There are three major versions fo the `semver` package.
 * 3.x.x is the stable and active version. This version is focused on constraint
  compatibility for range handling in other tools from other languages. It has
  a similar API to the v1 releases. The development of this version is on the master
  branch. The documentation for this version is below.
 * 2.x was developed primarily for [dep](https://github.com/golang/dep). There are
  no tagged releases and the development was performed by [@sdboyer](https://github.com/sdboyer).
  There are API breaking changes from v1. This version lives on the [2.x branch](https://github.com/Masterminds/semver/tree/2.x).
 * 1.x.x is the original release. It is no longer maintained. You should use the
  v3 release instead. You can read the documentation for the 1.x.x release
  [here](https://github.com/Masterminds/semver/blob/release-1/README.md).
 ## Parsing Semantic Versions
 There are two functions that can parse semantic versions. The `StrictNewVersion`
 function only parses valid version 2 semantic versions as outlined in the
 specification. The `NewVersion` function attempts to coerce a version into a
 semantic version and parse it. For example, if there is a leading v or a version
 listed without all 3 parts (e.g. `v1.2`) it will attempt to coerce it into a valid
 semantic version (e.g., 1.2.0). In both cases a `Version` object is returned
 that can be sorted, compared, and used in constraints.
 When parsing a version an error is returned if there is an issue parsing the
 version. For example,
    v, err := semver.NewVersion("1.2.3-beta.1+build345")
 The version object has methods to get the parts of the version, compare it to
 other versions, convert the version back into a string, and get the original
 string. Getting the original string is useful if the semantic version was coerced
 into a valid form.
 There are package level variables that affect how `NewVersion` handles parsing.
 - `CoerceNewVersion` is `true` by default. When set to `true` it coerces non-compliant
  versions into SemVer. For example, allowing a leading 0 in a major, minor, or patch
  part. This enables the use of CalVer in versions even when not compliant with SemVer.
  When set to `false` less coercion work is done.
 - `DetailedNewVersionErrors` provides more detailed errors. It only has an affect when
  `CoerceNewVersion` is set to `false`. When `DetailedNewVersionErrors` is set to `true`
  it can provide some more insight into why a version is invalid. Setting
  `DetailedNewVersionErrors` to `false` is faster on performance but provides less
  detailed error messages if a version fails to parse.
 ## Sorting Semantic Versions
 A set of versions can be sorted using the `sort` package from the standard library.
 For example,
 ```go
 raw := []string{"1.2.3", "1.0", "1.3", "2", "0.4.2",}
 vs := make([]*semver.Version, len(raw))
 for i, r := range raw {
    v, err := semver.NewVersion(r)
    if err != nil {
        t.Errorf("Error parsing version: %s", err)
    }
    vs[i] = v
 }
 sort.Sort(semver.Collection(vs))
 ```
 ## Checking Version Constraints
 There are two methods for comparing versions. One uses comparison methods on
 `Version` instances and the other uses `Constraints`. There are some important
 differences to notes between these two methods of comparison.
 1. When two versions are compared using functions such as `Compare`, `LessThan`,
   and others it will follow the specification and always include pre-releases
   within the comparison. It will provide an answer that is valid with the
   comparison section of the spec at https://semver.org/#spec-item-11
 2. When constraint checking is used for checks or validation it will follow a
   different set of rules that are common for ranges with tools like npm/js
   and Rust/Cargo. This includes considering pre-releases to be invalid if the
   ranges does not include one. If you want to have it include pre-releases a
   simple solution is to include `-0` in your range.
 3. Constraint ranges can have some complex rules including the shorthand use of
   ~ and ^. For more details on those see the options below.
 There are differences between the two methods or checking versions because the
 comparison methods on `Version` follow the specification while comparison ranges
 are not part of the specification. Different packages and tools have taken it
 upon themselves to come up with range rules. This has resulted in differences.
 For example, npm/js and Cargo/Rust follow similar patterns while PHP has a
 different pattern for ^. The comparison features in this package follow the
 npm/js and Cargo/Rust lead because applications using it have followed similar
 patters with their versions.
 Checking a version against version constraints is one of the most featureful
 parts of the package.
 ```go
 c, err := semver.NewConstraint(">= 1.2.3")
 if err != nil {
    // Handle constraint not being parsable.
 }
 v, err := semver.NewVersion("1.3")
 if err != nil {
    // Handle version not being parsable.
 }
 // Check if the version meets the constraints. The variable a will be true.
 a := c.Check(v)
 ```
 ### Basic Comparisons
 There are two elements to the comparisons. First, a comparison string is a list
 of space or comma separated AND comparisons. These are then separated by || (OR)
 comparisons. For example, `">= 1.2 < 3.0.0 || >= 4.2.3"` is looking for a
 comparison that's greater than or equal to 1.2 and less than 3.0.0 or is
 greater than or equal to 4.2.3.
 The basic comparisons are:
 * `=`: equal (aliased to no operator)
 * `!=`: not equal
 * `>`: greater than
 * `<`: less than
 * `>=`: greater than or equal to
 * `<=`: less than or equal to
 ### Working With Prerelease Versions
 Pre-releases, for those not familiar with them, are used for software releases
 prior to stable or generally available releases. Examples of pre-releases include
 development, alpha, beta, and release candidate releases. A pre-release may be
 a version such as `1.2.3-beta.1` while the stable release would be `1.2.3`. In the
 order of precedence, pre-releases come before their associated releases. In this
 example `1.2.3-beta.1 < 1.2.3`.
 According to the Semantic Version specification, pre-releases may not be
 API compliant with their release counterpart. It says,
 > A pre-release version indicates that the version is unstable and might not satisfy the intended compatibility requirements as denoted by its associated normal version.
 SemVer's comparisons using constraints without a pre-release comparator will skip
 pre-release versions. For example, `>=1.2.3` will skip pre-releases when looking
 at a list of releases while `>=1.2.3-0` will evaluate and find pre-releases.
 The reason for the `0` as a pre-release version in the example comparison is
 because pre-releases can only contain ASCII alphanumerics and hyphens (along with
 `.` separators), per the spec. Sorting happens in ASCII sort order, again per the
 spec. The lowest character is a `0` in ASCII sort order
 (see an [ASCII Table](http://www.asciitable.com/))
 Understanding ASCII sort ordering is important because A-Z comes before a-z. That
 means `>=1.2.3-BETA` will return `1.2.3-alpha`. What you might expect from case
 sensitivity doesn't apply here. This is due to ASCII sort ordering which is what
 the spec specifies.
 The `Constraints` instance returned from `semver.NewConstraint()` has a property
 `IncludePrerelease` that, when set to true, will return prerelease versions when calls
 to `Check()` and `Validate()` are made.
 ### Hyphen Range Comparisons
 There are multiple methods to handle ranges and the first is hyphens ranges.
 These look like:
 * `1.2 - 1.4.5` which is equivalent to `>= 1.2 <= 1.4.5`
 * `2.3.4 - 4.5` which is equivalent to `>= 2.3.4 <= 4.5`
 Note that `1.2-1.4.5` without whitespace is parsed completely differently; it's
 parsed as a single constraint `1.2.0` with _prerelease_ `1.4.5`.
 ### Wildcards In Comparisons
 The `x`, `X`, and `*` characters can be used as a wildcard character. This works
 for all comparison operators. When used on the `=` operator it falls
 back to the patch level comparison (see tilde below). For example,
 * `1.2.x` is equivalent to `>= 1.2.0, < 1.3.0`
 * `>= 1.2.x` is equivalent to `>= 1.2.0`
 * `<= 2.x` is equivalent to `< 3`
 * `*` is equivalent to `>= 0.0.0`
 ### Tilde Range Comparisons (Patch)
 The tilde (`~`) comparison operator is for patch level ranges when a minor
 version is specified and major level changes when the minor number is missing.
 For example,
 * `~1.2.3` is equivalent to `>= 1.2.3, < 1.3.0`
 * `~1` is equivalent to `>= 1, < 2`
 * `~2.3` is equivalent to `>= 2.3, < 2.4`
 * `~1.2.x` is equivalent to `>= 1.2.0, < 1.3.0`
 * `~1.x` is equivalent to `>= 1, < 2`
 ### Caret Range Comparisons (Major)
 The caret (`^`) comparison operator is for major level changes once a stable
 (1.0.0) release has occurred. Prior to a 1.0.0 release the minor versions acts
 as the API stability level. This is useful when comparisons of API versions as a
 major change is API breaking. For example,
 * `^1.2.3` is equivalent to `>= 1.2.3, < 2.0.0`
 * `^1.2.x` is equivalent to `>= 1.2.0, < 2.0.0`
 * `^2.3` is equivalent to `>= 2.3, < 3`
 * `^2.x` is equivalent to `>= 2.0.0, < 3`
 * `^0.2.3` is equivalent to `>=0.2.3 <0.3.0`
 * `^0.2` is equivalent to `>=0.2.0 <0.3.0`
 * `^0.0.3` is equivalent to `>=0.0.3 <0.0.4`
 * `^0.0` is equivalent to `>=0.0.0 <0.1.0`
 * `^0` is equivalent to `>=0.0.0 <1.0.0`
 ## Validation
 In addition to testing a version against a constraint, a version can be validated
 against a constraint. When validation fails a slice of errors containing why a
 version didn't meet the constraint is returned. For example,
 ```go
 c, err := semver.NewConstraint("<= 1.2.3, >= 1.4")
 if err != nil {
    // Handle constraint not being parseable.
 }
 v, err := semver.NewVersion("1.3")
 if err != nil {
    // Handle version not being parseable.
 }
 // Validate a version against a constraint.
 a, msgs := c.Validate(v)
 // a is false
 for _, m := range msgs {
    fmt.Println(m)
    // Loops over the errors which would read
    // "1.3 is greater than 1.2.3"
    // "1.3 is less than 1.4"
 }
 ```
 ## Contribute
 If you find an issue or want to contribute please file an [issue](https://github.com/Masterminds/semver/issues)
 or [create a pull request](https://github.com/Masterminds/semver/pulls).
 ## Security
 Security is an important consideration for this project. The project currently
 uses the following tools to help discover security issues:
 * [CodeQL](https://codeql.github.com)
 * [gosec](https://github.com/securego/gosec)
 * Daily Fuzz testing
 If you believe you have found a security vulnerability you can privately disclose
 it through the [GitHub security page](https://github.com/Masterminds/semver/security).
@@ -0,0 +1,19 @@
 # Security Policy
 ## Supported Versions
 The following versions of semver are currently supported:
 | Version | Supported          |
 | ------- | ------------------ |
 | 3.x     | :white_check_mark: |
 | 2.x     | :x:                |
 | 1.x     | :x:                |
 Fixes are only released for the latest minor version in the form of a patch release.
 ## Reporting a Vulnerability
 You can privately disclose a vulnerability through GitHubs
 [private vulnerability reporting](https://github.com/Masterminds/semver/security/advisories)
 mechanism.
@@ -0,0 +1,24 @@
 package semver
 // Collection is a collection of Version instances and implements the sort
 // interface. See the sort package for more details.
 // https://golang.org/pkg/sort/
 type Collection []*Version
 // Len returns the length of a collection. The number of Version instances
 // on the slice.
 func (c Collection) Len() int {
 	return len(c)
 }
 // Less is needed for the sort interface to compare two Version objects on the
 // slice. If checks if one is less than the other.
 func (c Collection) Less(i, j int) bool {
 	return c[i].LessThan(c[j])
 }
 // Swap is needed for the sort interface to replace the Version objects
 // at two different positions in the slice.
 func (c Collection) Swap(i, j int) {
 	c[i], c[j] = c[j], c[i]
 }
@@ -0,0 +1,601 @@
 package semver
 import (
 	"bytes"
 	"errors"
 	"fmt"
 	"regexp"
 	"strings"
 )
 // Constraints is one or more constraint that a semantic version can be
 // checked against.
 type Constraints struct {
 	constraints [][]*constraint
 	containsPre []bool
 	// IncludePrerelease specifies if pre-releases should be included in
 	// the results. Note, if a constraint range has a prerelease than
 	// prereleases will be included for that AND group even if this is
 	// set to false.
 	IncludePrerelease bool
 }
 // NewConstraint returns a Constraints instance that a Version instance can
 // be checked against. If there is a parse error it will be returned.
 func NewConstraint(c string) (*Constraints, error) {
 	// Rewrite - ranges into a comparison operation.
 	c = rewriteRange(c)
 	ors := strings.Split(c, "||")
 	lenors := len(ors)
 	or := make([][]*constraint, lenors)
 	hasPre := make([]bool, lenors)
 	for k, v := range ors {
 		// Validate the segment
 		if !validConstraintRegex.MatchString(v) {
 			return nil, fmt.Errorf("improper constraint: %s", v)
 		}
 		cs := findConstraintRegex.FindAllString(v, -1)
 		if cs == nil {
 			cs = append(cs, v)
 		}
 		result := make([]*constraint, len(cs))
 		for i, s := range cs {
 			pc, err := parseConstraint(s)
 			if err != nil {
 				return nil, err
 			}
 			// If one of the constraints has a prerelease record this.
 			// This information is used when checking all in an "and"
 			// group to ensure they all check for prereleases.
 			if pc.con.pre != "" {
 				hasPre[k] = true
 			}
 			result[i] = pc
 		}
 		or[k] = result
 	}
 	o := &Constraints{
 		constraints: or,
 		containsPre: hasPre,
 	}
 	return o, nil
 }
 // Check tests if a version satisfies the constraints.
 func (cs Constraints) Check(v *Version) bool {
 	// TODO(mattfarina): For v4 of this library consolidate the Check and Validate
 	// functions as the underlying functions make that possible now.
 	// loop over the ORs and check the inner ANDs
 	for i, o := range cs.constraints {
 		joy := true
 		for _, c := range o {
 			if check, _ := c.check(v, (cs.IncludePrerelease || cs.containsPre[i])); !check {
 				joy = false
 				break
 			}
 		}
 		if joy {
 			return true
 		}
 	}
 	return false
 }
 // Validate checks if a version satisfies a constraint. If not a slice of
 // reasons for the failure are returned in addition to a bool.
 func (cs Constraints) Validate(v *Version) (bool, []error) {
 	// loop over the ORs and check the inner ANDs
 	var e []error
 	// Capture the prerelease message only once. When it happens the first time
 	// this var is marked
 	var prerelesase bool
 	for i, o := range cs.constraints {
 		joy := true
 		for _, c := range o {
 			// Before running the check handle the case there the version is
 			// a prerelease and the check is not searching for prereleases.
 			if !(cs.IncludePrerelease || cs.containsPre[i]) && v.pre != "" {
 				if !prerelesase {
 					em := fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
 					e = append(e, em)
 					prerelesase = true
 				}
 				joy = false
 			} else {
 				if _, err := c.check(v, (cs.IncludePrerelease || cs.containsPre[i])); err != nil {
 					e = append(e, err)
 					joy = false
 				}
 			}
 		}
 		if joy {
 			return true, []error{}
 		}
 	}
 	return false, e
 }
 func (cs Constraints) String() string {
 	buf := make([]string, len(cs.constraints))
 	var tmp bytes.Buffer
 	for k, v := range cs.constraints {
 		tmp.Reset()
 		vlen := len(v)
 		for kk, c := range v {
 			tmp.WriteString(c.string())
 			// Space separate the AND conditions
 			if vlen > 1 && kk < vlen-1 {
 				tmp.WriteString(" ")
 			}
 		}
 		buf[k] = tmp.String()
 	}
 	return strings.Join(buf, " || ")
 }
 // UnmarshalText implements the encoding.TextUnmarshaler interface.
 func (cs *Constraints) UnmarshalText(text []byte) error {
 	temp, err := NewConstraint(string(text))
 	if err != nil {
 		return err
 	}
 	*cs = *temp
 	return nil
 }
 // MarshalText implements the encoding.TextMarshaler interface.
 func (cs Constraints) MarshalText() ([]byte, error) {
 	return []byte(cs.String()), nil
 }
 var constraintOps map[string]cfunc
 var constraintRegex *regexp.Regexp
 var constraintRangeRegex *regexp.Regexp
 // Used to find individual constraints within a multi-constraint string
 var findConstraintRegex *regexp.Regexp
 // Used to validate an segment of ANDs is valid
 var validConstraintRegex *regexp.Regexp
 const cvRegex string = `v?([0-9|x|X|\*]+)(\.[0-9|x|X|\*]+)?(\.[0-9|x|X|\*]+)?` +
 	`(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?` +
 	`(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?`
 func init() {
 	constraintOps = map[string]cfunc{
 		"":   constraintTildeOrEqual,
 		"=":  constraintTildeOrEqual,
 		"!=": constraintNotEqual,
 		">":  constraintGreaterThan,
 		"<":  constraintLessThan,
 		">=": constraintGreaterThanEqual,
 		"=>": constraintGreaterThanEqual,
 		"<=": constraintLessThanEqual,
 		"=<": constraintLessThanEqual,
 		"~":  constraintTilde,
 		"~>": constraintTilde,
 		"^":  constraintCaret,
 	}
 	ops := `=||!=|>|<|>=|=>|<=|=<|~|~>|\^`
 	constraintRegex = regexp.MustCompile(fmt.Sprintf(
 		`^\s*(%s)\s*(%s)\s*$`,
 		ops,
 		cvRegex))
 	constraintRangeRegex = regexp.MustCompile(fmt.Sprintf(
 		`\s*(%s)\s+-\s+(%s)\s*`,
 		cvRegex, cvRegex))
 	findConstraintRegex = regexp.MustCompile(fmt.Sprintf(
 		`(%s)\s*(%s)`,
 		ops,
 		cvRegex))
 	// The first time a constraint shows up will look slightly different from
 	// future times it shows up due to a leading space or comma in a given
 	// string.
 	validConstraintRegex = regexp.MustCompile(fmt.Sprintf(
 		`^(\s*(%s)\s*(%s)\s*)((?:\s+|,\s*)(%s)\s*(%s)\s*)*$`,
 		ops,
 		cvRegex,
 		ops,
 		cvRegex))
 }
 // An individual constraint
 type constraint struct {
 	// The version used in the constraint check. For example, if a constraint
 	// is '<= 2.0.0' the con a version instance representing 2.0.0.
 	con *Version
 	// The original parsed version (e.g., 4.x from != 4.x)
 	orig string
 	// The original operator for the constraint
 	origfunc string
 	// When an x is used as part of the version (e.g., 1.x)
 	minorDirty bool
 	dirty      bool
 	patchDirty bool
 }
 // Check if a version meets the constraint
 func (c *constraint) check(v *Version, includePre bool) (bool, error) {
 	return constraintOps[c.origfunc](v, c, includePre)
 }
 // String prints an individual constraint into a string
 func (c *constraint) string() string {
 	return c.origfunc + c.orig
 }
 type cfunc func(v *Version, c *constraint, includePre bool) (bool, error)
 func parseConstraint(c string) (*constraint, error) {
 	if len(c) > 0 {
 		m := constraintRegex.FindStringSubmatch(c)
 		if m == nil {
 			return nil, fmt.Errorf("improper constraint: %s", c)
 		}
 		cs := &constraint{
 			orig:     m[2],
 			origfunc: m[1],
 		}
 		ver := m[2]
 		minorDirty := false
 		patchDirty := false
 		dirty := false
 		if isX(m[3]) || m[3] == "" {
 			ver = fmt.Sprintf("0.0.0%s", m[6])
 			dirty = true
 		} else if isX(strings.TrimPrefix(m[4], ".")) || m[4] == "" {
 			minorDirty = true
 			dirty = true
 			ver = fmt.Sprintf("%s.0.0%s", m[3], m[6])
 		} else if isX(strings.TrimPrefix(m[5], ".")) || m[5] == "" {
 			dirty = true
 			patchDirty = true
 			ver = fmt.Sprintf("%s%s.0%s", m[3], m[4], m[6])
 		}
 		con, err := NewVersion(ver)
 		if err != nil {
 			// The constraintRegex should catch any regex parsing errors. So,
 			// we should never get here.
 			return nil, errors.New("constraint parser error")
 		}
 		cs.con = con
 		cs.minorDirty = minorDirty
 		cs.patchDirty = patchDirty
 		cs.dirty = dirty
 		return cs, nil
 	}
 	// The rest is the special case where an empty string was passed in which
 	// is equivalent to * or >=0.0.0
 	con, err := StrictNewVersion("0.0.0")
 	if err != nil {
 		// The constraintRegex should catch any regex parsing errors. So,
 		// we should never get here.
 		return nil, errors.New("constraint parser error")
 	}
 	cs := &constraint{
 		con:        con,
 		orig:       c,
 		origfunc:   "",
 		minorDirty: false,
 		patchDirty: false,
 		dirty:      true,
 	}
 	return cs, nil
 }
 // Constraint functions
 func constraintNotEqual(v *Version, c *constraint, includePre bool) (bool, error) {
 	// The existence of prereleases is checked at the group level and passed in.
 	// Exit early if the version has a prerelease but those are to be ignored.
 	if v.Prerelease() != "" && !includePre {
 		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
 	}
 	if c.dirty {
 		if c.con.Major() != v.Major() {
 			return true, nil
 		}
 		if c.con.Minor() != v.Minor() && !c.minorDirty {
 			return true, nil
 		} else if c.minorDirty {
 			return false, fmt.Errorf("%s is equal to %s", v, c.orig)
 		} else if c.con.Patch() != v.Patch() && !c.patchDirty {
 			return true, nil
 		} else if c.patchDirty {
 			// Need to handle prereleases if present
 			if v.Prerelease() != "" || c.con.Prerelease() != "" {
 				eq := comparePrerelease(v.Prerelease(), c.con.Prerelease()) != 0
 				if eq {
 					return true, nil
 				}
 				return false, fmt.Errorf("%s is equal to %s", v, c.orig)
 			}
 			return false, fmt.Errorf("%s is equal to %s", v, c.orig)
 		}
 	}
 	eq := v.Equal(c.con)
 	if eq {
 		return false, fmt.Errorf("%s is equal to %s", v, c.orig)
 	}
 	return true, nil
 }
 func constraintGreaterThan(v *Version, c *constraint, includePre bool) (bool, error) {
 	// The existence of prereleases is checked at the group level and passed in.
 	// Exit early if the version has a prerelease but those are to be ignored.
 	if v.Prerelease() != "" && !includePre {
 		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
 	}
 	var eq bool
 	if !c.dirty {
 		eq = v.Compare(c.con) == 1
 		if eq {
 			return true, nil
 		}
 		return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
 	}
 	if v.Major() > c.con.Major() {
 		return true, nil
 	} else if v.Major() < c.con.Major() {
 		return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
 	} else if c.minorDirty {
 		// This is a range case such as >11. When the version is something like
 		// 11.1.0 is it not > 11. For that we would need 12 or higher
 		return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
 	} else if c.patchDirty {
 		// This is for ranges such as >11.1. A version of 11.1.1 is not greater
 		// which one of 11.2.1 is greater
 		eq = v.Minor() > c.con.Minor()
 		if eq {
 			return true, nil
 		}
 		return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
 	}
 	// If we have gotten here we are not comparing pre-preleases and can use the
 	// Compare function to accomplish that.
 	eq = v.Compare(c.con) == 1
 	if eq {
 		return true, nil
 	}
 	return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig)
 }
 func constraintLessThan(v *Version, c *constraint, includePre bool) (bool, error) {
 	// The existence of prereleases is checked at the group level and passed in.
 	// Exit early if the version has a prerelease but those are to be ignored.
 	if v.Prerelease() != "" && !includePre {
 		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
 	}
 	eq := v.Compare(c.con) < 0
 	if eq {
 		return true, nil
 	}
 	return false, fmt.Errorf("%s is greater than or equal to %s", v, c.orig)
 }
 func constraintGreaterThanEqual(v *Version, c *constraint, includePre bool) (bool, error) {
 	// The existence of prereleases is checked at the group level and passed in.
 	// Exit early if the version has a prerelease but those are to be ignored.
 	if v.Prerelease() != "" && !includePre {
 		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
 	}
 	eq := v.Compare(c.con) >= 0
 	if eq {
 		return true, nil
 	}
 	return false, fmt.Errorf("%s is less than %s", v, c.orig)
 }
 func constraintLessThanEqual(v *Version, c *constraint, includePre bool) (bool, error) {
 	// The existence of prereleases is checked at the group level and passed in.
 	// Exit early if the version has a prerelease but those are to be ignored.
 	if v.Prerelease() != "" && !includePre {
 		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
 	}
 	var eq bool
 	if !c.dirty {
 		eq = v.Compare(c.con) <= 0
 		if eq {
 			return true, nil
 		}
 		return false, fmt.Errorf("%s is greater than %s", v, c.orig)
 	}
 	if v.Major() > c.con.Major() {
 		return false, fmt.Errorf("%s is greater than %s", v, c.orig)
 	} else if v.Major() == c.con.Major() && v.Minor() > c.con.Minor() && !c.minorDirty {
 		return false, fmt.Errorf("%s is greater than %s", v, c.orig)
 	}
 	return true, nil
 }
 // ~*, ~>* --> >= 0.0.0 (any)
 // ~2, ~2.x, ~2.x.x, ~>2, ~>2.x ~>2.x.x --> >=2.0.0, <3.0.0
 // ~2.0, ~2.0.x, ~>2.0, ~>2.0.x --> >=2.0.0, <2.1.0
 // ~1.2, ~1.2.x, ~>1.2, ~>1.2.x --> >=1.2.0, <1.3.0
 // ~1.2.3, ~>1.2.3 --> >=1.2.3, <1.3.0
 // ~1.2.0, ~>1.2.0 --> >=1.2.0, <1.3.0
 func constraintTilde(v *Version, c *constraint, includePre bool) (bool, error) {
 	// The existence of prereleases is checked at the group level and passed in.
 	// Exit early if the version has a prerelease but those are to be ignored.
 	if v.Prerelease() != "" && !includePre {
 		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
 	}
 	if v.LessThan(c.con) {
 		return false, fmt.Errorf("%s is less than %s", v, c.orig)
 	}
 	// ~0.0.0 is a special case where all constraints are accepted. It's
 	// equivalent to >= 0.0.0.
 	if c.con.Major() == 0 && c.con.Minor() == 0 && c.con.Patch() == 0 &&
 		!c.minorDirty && !c.patchDirty {
 		return true, nil
 	}
 	if v.Major() != c.con.Major() {
 		return false, fmt.Errorf("%s does not have same major version as %s", v, c.orig)
 	}
 	if v.Minor() != c.con.Minor() && !c.minorDirty {
 		return false, fmt.Errorf("%s does not have same major and minor version as %s", v, c.orig)
 	}
 	return true, nil
 }
 // When there is a .x (dirty) status it automatically opts in to ~. Otherwise
 // it's a straight =
 func constraintTildeOrEqual(v *Version, c *constraint, includePre bool) (bool, error) {
 	// The existence of prereleases is checked at the group level and passed in.
 	// Exit early if the version has a prerelease but those are to be ignored.
 	if v.Prerelease() != "" && !includePre {
 		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
 	}
 	if c.dirty {
 		return constraintTilde(v, c, includePre)
 	}
 	eq := v.Equal(c.con)
 	if eq {
 		return true, nil
 	}
 	return false, fmt.Errorf("%s is not equal to %s", v, c.orig)
 }
 // ^*      -->  (any)
 // ^1.2.3  -->  >=1.2.3 <2.0.0
 // ^1.2    -->  >=1.2.0 <2.0.0
 // ^1      -->  >=1.0.0 <2.0.0
 // ^0.2.3  -->  >=0.2.3 <0.3.0
 // ^0.2    -->  >=0.2.0 <0.3.0
 // ^0.0.3  -->  >=0.0.3 <0.0.4
 // ^0.0    -->  >=0.0.0 <0.1.0
 // ^0      -->  >=0.0.0 <1.0.0
 func constraintCaret(v *Version, c *constraint, includePre bool) (bool, error) {
 	// The existence of prereleases is checked at the group level and passed in.
 	// Exit early if the version has a prerelease but those are to be ignored.
 	if v.Prerelease() != "" && !includePre {
 		return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v)
 	}
 	// This less than handles prereleases
 	if v.LessThan(c.con) {
 		return false, fmt.Errorf("%s is less than %s", v, c.orig)
 	}
 	var eq bool
 	// ^ when the major > 0 is >=x.y.z < x+1
 	if c.con.Major() > 0 || c.minorDirty {
 		// ^ has to be within a major range for > 0. Everything less than was
 		// filtered out with the LessThan call above. This filters out those
 		// that greater but not within the same major range.
 		eq = v.Major() == c.con.Major()
 		if eq {
 			return true, nil
 		}
 		return false, fmt.Errorf("%s does not have same major version as %s", v, c.orig)
 	}
 	// ^ when the major is 0 and minor > 0 is >=0.y.z < 0.y+1
 	if c.con.Major() == 0 && v.Major() > 0 {
 		return false, fmt.Errorf("%s does not have same major version as %s", v, c.orig)
 	}
 	// If the con Minor is > 0 it is not dirty
 	if c.con.Minor() > 0 || c.patchDirty {
 		eq = v.Minor() == c.con.Minor()
 		if eq {
 			return true, nil
 		}
 		return false, fmt.Errorf("%s does not have same minor version as %s. Expected minor versions to match when constraint major version is 0", v, c.orig)
 	}
 	// ^ when the minor is 0 and minor > 0 is =0.0.z
 	if c.con.Minor() == 0 && v.Minor() > 0 {
 		return false, fmt.Errorf("%s does not have same minor version as %s", v, c.orig)
 	}
 	// At this point the major is 0 and the minor is 0 and not dirty. The patch
 	// is not dirty so we need to check if they are equal. If they are not equal
 	eq = c.con.Patch() == v.Patch()
 	if eq {
 		return true, nil
 	}
 	return false, fmt.Errorf("%s does not equal %s. Expect version and constraint to equal when major and minor versions are 0", v, c.orig)
 }
 func isX(x string) bool {
 	switch x {
 	case "x", "*", "X":
 		return true
 	default:
 		return false
 	}
 }
 func rewriteRange(i string) string {
 	m := constraintRangeRegex.FindAllStringSubmatch(i, -1)
 	if m == nil {
 		return i
 	}
 	o := i
 	for _, v := range m {
 		t := fmt.Sprintf(">= %s, <= %s ", v[1], v[11])
 		o = strings.Replace(o, v[0], t, 1)
 	}
 	return o
 }
@@ -0,0 +1,184 @@
 /*
 Package semver provides the ability to work with Semantic Versions (http://semver.org) in Go.
 Specifically it provides the ability to:
  - Parse semantic versions
  - Sort semantic versions
  - Check if a semantic version fits within a set of constraints
  - Optionally work with a `v` prefix
 # Parsing Semantic Versions
 There are two functions that can parse semantic versions. The `StrictNewVersion`
 function only parses valid version 2 semantic versions as outlined in the
 specification. The `NewVersion` function attempts to coerce a version into a
 semantic version and parse it. For example, if there is a leading v or a version
 listed without all 3 parts (e.g. 1.2) it will attempt to coerce it into a valid
 semantic version (e.g., 1.2.0). In both cases a `Version` object is returned
 that can be sorted, compared, and used in constraints.
 When parsing a version an optional error can be returned if there is an issue
 parsing the version. For example,
 	v, err := semver.NewVersion("1.2.3-beta.1+b345")
 The version object has methods to get the parts of the version, compare it to
 other versions, convert the version back into a string, and get the original
 string. For more details please see the documentation
 at https://godoc.org/github.com/Masterminds/semver.
 # Sorting Semantic Versions
 A set of versions can be sorted using the `sort` package from the standard library.
 For example,
 	    raw := []string{"1.2.3", "1.0", "1.3", "2", "0.4.2",}
 	    vs := make([]*semver.Version, len(raw))
 		for i, r := range raw {
 			v, err := semver.NewVersion(r)
 			if err != nil {
 				t.Errorf("Error parsing version: %s", err)
 			}
 			vs[i] = v
 		}
 		sort.Sort(semver.Collection(vs))
 # Checking Version Constraints and Comparing Versions
 There are two methods for comparing versions. One uses comparison methods on
 `Version` instances and the other is using Constraints. There are some important
 differences to notes between these two methods of comparison.
 1. When two versions are compared using functions such as `Compare`, `LessThan`,
    and others it will follow the specification and always include prereleases
    within the comparison. It will provide an answer valid with the comparison
    spec section at https://semver.org/#spec-item-11
 2. When constraint checking is used for checks or validation it will follow a
    different set of rules that are common for ranges with tools like npm/js
    and Rust/Cargo. This includes considering prereleases to be invalid if the
    ranges does not include on. If you want to have it include pre-releases a
    simple solution is to include `-0` in your range.
 3. Constraint ranges can have some complex rules including the shorthard use of
    ~ and ^. For more details on those see the options below.
 There are differences between the two methods or checking versions because the
 comparison methods on `Version` follow the specification while comparison ranges
 are not part of the specification. Different packages and tools have taken it
 upon themselves to come up with range rules. This has resulted in differences.
 For example, npm/js and Cargo/Rust follow similar patterns which PHP has a
 different pattern for ^. The comparison features in this package follow the
 npm/js and Cargo/Rust lead because applications using it have followed similar
 patters with their versions.
 Checking a version against version constraints is one of the most featureful
 parts of the package.
 	c, err := semver.NewConstraint(">= 1.2.3")
 	if err != nil {
 	    // Handle constraint not being parsable.
 	}
 	v, err := semver.NewVersion("1.3")
 	if err != nil {
 	    // Handle version not being parsable.
 	}
 	// Check if the version meets the constraints. The a variable will be true.
 	a := c.Check(v)
 # Basic Comparisons
 There are two elements to the comparisons. First, a comparison string is a list
 of comma or space separated AND comparisons. These are then separated by || (OR)
 comparisons. For example, `">= 1.2 < 3.0.0 || >= 4.2.3"` is looking for a
 comparison that's greater than or equal to 1.2 and less than 3.0.0 or is
 greater than or equal to 4.2.3. This can also be written as
 `">= 1.2, < 3.0.0 || >= 4.2.3"`
 The basic comparisons are:
  - `=`: equal (aliased to no operator)
  - `!=`: not equal
  - `>`: greater than
  - `<`: less than
  - `>=`: greater than or equal to
  - `<=`: less than or equal to
 # Hyphen Range Comparisons
 There are multiple methods to handle ranges and the first is hyphens ranges.
 These look like:
  - `1.2 - 1.4.5` which is equivalent to `>= 1.2, <= 1.4.5`
  - `2.3.4 - 4.5` which is equivalent to `>= 2.3.4 <= 4.5`
 # Wildcards In Comparisons
 The `x`, `X`, and `*` characters can be used as a wildcard character. This works
 for all comparison operators. When used on the `=` operator it falls
 back to the tilde operation. For example,
  - `1.2.x` is equivalent to `>= 1.2.0 < 1.3.0`
  - `>= 1.2.x` is equivalent to `>= 1.2.0`
  - `<= 2.x` is equivalent to `<= 3`
  - `*` is equivalent to `>= 0.0.0`
 Tilde Range Comparisons (Patch)
 The tilde (`~`) comparison operator is for patch level ranges when a minor
 version is specified and major level changes when the minor number is missing.
 For example,
  - `~1.2.3` is equivalent to `>= 1.2.3 < 1.3.0`
  - `~1` is equivalent to `>= 1, < 2`
  - `~2.3` is equivalent to `>= 2.3 < 2.4`
  - `~1.2.x` is equivalent to `>= 1.2.0 < 1.3.0`
  - `~1.x` is equivalent to `>= 1 < 2`
 Caret Range Comparisons (Major)
 The caret (`^`) comparison operator is for major level changes once a stable
 (1.0.0) release has occurred. Prior to a 1.0.0 release the minor versions acts
 as the API stability level. This is useful when comparisons of API versions as a
 major change is API breaking. For example,
  - `^1.2.3` is equivalent to `>= 1.2.3, < 2.0.0`
  - `^1.2.x` is equivalent to `>= 1.2.0, < 2.0.0`
  - `^2.3` is equivalent to `>= 2.3, < 3`
  - `^2.x` is equivalent to `>= 2.0.0, < 3`
  - `^0.2.3` is equivalent to `>=0.2.3 <0.3.0`
  - `^0.2` is equivalent to `>=0.2.0 <0.3.0`
  - `^0.0.3` is equivalent to `>=0.0.3 <0.0.4`
  - `^0.0` is equivalent to `>=0.0.0 <0.1.0`
  - `^0` is equivalent to `>=0.0.0 <1.0.0`
 # Validation
 In addition to testing a version against a constraint, a version can be validated
 against a constraint. When validation fails a slice of errors containing why a
 version didn't meet the constraint is returned. For example,
 	c, err := semver.NewConstraint("<= 1.2.3, >= 1.4")
 	if err != nil {
 	    // Handle constraint not being parseable.
 	}
 	v, _ := semver.NewVersion("1.3")
 	if err != nil {
 	    // Handle version not being parseable.
 	}
 	// Validate a version against a constraint.
 	a, msgs := c.Validate(v)
 	// a is false
 	for _, m := range msgs {
 	    fmt.Println(m)
 	    // Loops over the errors which would read
 	    // "1.3 is greater than 1.2.3"
 	    // "1.3 is less than 1.4"
 	}
 */
 package semver
@@ -0,0 +1,788 @@
 package semver
 import (
 	"bytes"
 	"database/sql/driver"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"regexp"
 	"strconv"
 	"strings"
 )
 // The compiled version of the regex created at init() is cached here so it
 // only needs to be created once.
 var versionRegex *regexp.Regexp
 var looseVersionRegex *regexp.Regexp
 // CoerceNewVersion sets if leading 0's are allowd in the version part. Leading 0's are
 // not allowed in a valid semantic version. When set to true, NewVersion will coerce
 // leading 0's into a valid version.
 var CoerceNewVersion = true
 // DetailedNewVersionErrors specifies if detailed errors are returned from the NewVersion
 // function. This is used when CoerceNewVersion is set to false. If set to false
 // ErrInvalidSemVer is returned for an invalid version. This does not apply to
 // StrictNewVersion. Setting this function to false returns errors more quickly.
 var DetailedNewVersionErrors = true
 var (
 	// ErrInvalidSemVer is returned a version is found to be invalid when
 	// being parsed.
 	ErrInvalidSemVer = errors.New("invalid semantic version")
 	// ErrEmptyString is returned when an empty string is passed in for parsing.
 	ErrEmptyString = errors.New("version string empty")
 	// ErrInvalidCharacters is returned when invalid characters are found as
 	// part of a version
 	ErrInvalidCharacters = errors.New("invalid characters in version")
 	// ErrSegmentStartsZero is returned when a version segment starts with 0.
 	// This is invalid in SemVer.
 	ErrSegmentStartsZero = errors.New("version segment starts with 0")
 	// ErrInvalidMetadata is returned when the metadata is an invalid format
 	ErrInvalidMetadata = errors.New("invalid metadata string")
 	// ErrInvalidPrerelease is returned when the pre-release is an invalid format
 	ErrInvalidPrerelease = errors.New("invalid prerelease string")
 )
 // semVerRegex is the regular expression used to parse a semantic version.
 // This is not the official regex from the semver spec. It has been modified to allow for loose handling
 // where versions like 2.1 are detected.
 const semVerRegex string = `v?(0|[1-9]\d*)(?:\.(0|[1-9]\d*))?(?:\.(0|[1-9]\d*))?` +
 	`(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?` +
 	`(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?`
 // looseSemVerRegex is a regular expression that lets invalid semver expressions through
 // with enough detail that certain errors can be checked for.
 const looseSemVerRegex string = `v?([0-9]+)(\.[0-9]+)?(\.[0-9]+)?` +
 	`(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?` +
 	`(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?`
 // Version represents a single semantic version.
 type Version struct {
 	major, minor, patch uint64
 	pre                 string
 	metadata            string
 	original            string
 }
 func init() {
 	versionRegex = regexp.MustCompile("^" + semVerRegex + "$")
 	looseVersionRegex = regexp.MustCompile("^" + looseSemVerRegex + "$")
 }
 const (
 	num     string = "0123456789"
 	allowed string = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-" + num
 )
 // StrictNewVersion parses a given version and returns an instance of Version or
 // an error if unable to parse the version. Only parses valid semantic versions.
 // Performs checking that can find errors within the version.
 // If you want to coerce a version such as 1 or 1.2 and parse it as the 1.x
 // releases of semver did, use the NewVersion() function.
 func StrictNewVersion(v string) (*Version, error) {
 	// Parsing here does not use RegEx in order to increase performance and reduce
 	// allocations.
 	if len(v) == 0 {
 		return nil, ErrEmptyString
 	}
 	// Split the parts into [0]major, [1]minor, and [2]patch,prerelease,build
 	parts := strings.SplitN(v, ".", 3)
 	if len(parts) != 3 {
 		return nil, ErrInvalidSemVer
 	}
 	sv := &Version{
 		original: v,
 	}
 	// Extract build metadata
 	if strings.Contains(parts[2], "+") {
 		extra := strings.SplitN(parts[2], "+", 2)
 		sv.metadata = extra[1]
 		parts[2] = extra[0]
 		if err := validateMetadata(sv.metadata); err != nil {
 			return nil, err
 		}
 	}
 	// Extract build prerelease
 	if strings.Contains(parts[2], "-") {
 		extra := strings.SplitN(parts[2], "-", 2)
 		sv.pre = extra[1]
 		parts[2] = extra[0]
 		if err := validatePrerelease(sv.pre); err != nil {
 			return nil, err
 		}
 	}
 	// Validate the number segments are valid. This includes only having positive
 	// numbers and no leading 0's.
 	for _, p := range parts {
 		if !containsOnly(p, num) {
 			return nil, ErrInvalidCharacters
 		}
 		if len(p) > 1 && p[0] == '0' {
 			return nil, ErrSegmentStartsZero
 		}
 	}
 	// Extract major, minor, and patch
 	var err error
 	sv.major, err = strconv.ParseUint(parts[0], 10, 64)
 	if err != nil {
 		return nil, err
 	}
 	sv.minor, err = strconv.ParseUint(parts[1], 10, 64)
 	if err != nil {
 		return nil, err
 	}
 	sv.patch, err = strconv.ParseUint(parts[2], 10, 64)
 	if err != nil {
 		return nil, err
 	}
 	return sv, nil
 }
 // NewVersion parses a given version and returns an instance of Version or
 // an error if unable to parse the version. If the version is SemVer-ish it
 // attempts to convert it to SemVer. If you want  to validate it was a strict
 // semantic version at parse time see StrictNewVersion().
 func NewVersion(v string) (*Version, error) {
 	if CoerceNewVersion {
 		return coerceNewVersion(v)
 	}
 	m := versionRegex.FindStringSubmatch(v)
 	if m == nil {
 		// Disabling detailed errors is first so that it is in the fast path.
 		if !DetailedNewVersionErrors {
 			return nil, ErrInvalidSemVer
 		}
 		// Check for specific errors with the semver string and return a more detailed
 		// error.
 		m = looseVersionRegex.FindStringSubmatch(v)
 		if m == nil {
 			return nil, ErrInvalidSemVer
 		}
 		err := validateVersion(m)
 		if err != nil {
 			return nil, err
 		}
 		return nil, ErrInvalidSemVer
 	}
 	sv := &Version{
 		metadata: m[5],
 		pre:      m[4],
 		original: v,
 	}
 	var err error
 	sv.major, err = strconv.ParseUint(m[1], 10, 64)
 	if err != nil {
 		return nil, fmt.Errorf("error parsing version segment: %w", err)
 	}
 	if m[2] != "" {
 		sv.minor, err = strconv.ParseUint(m[2], 10, 64)
 		if err != nil {
 			return nil, fmt.Errorf("error parsing version segment: %w", err)
 		}
 	} else {
 		sv.minor = 0
 	}
 	if m[3] != "" {
 		sv.patch, err = strconv.ParseUint(m[3], 10, 64)
 		if err != nil {
 			return nil, fmt.Errorf("error parsing version segment: %w", err)
 		}
 	} else {
 		sv.patch = 0
 	}
 	// Perform some basic due diligence on the extra parts to ensure they are
 	// valid.
 	if sv.pre != "" {
 		if err = validatePrerelease(sv.pre); err != nil {
 			return nil, err
 		}
 	}
 	if sv.metadata != "" {
 		if err = validateMetadata(sv.metadata); err != nil {
 			return nil, err
 		}
 	}
 	return sv, nil
 }
 func coerceNewVersion(v string) (*Version, error) {
 	m := looseVersionRegex.FindStringSubmatch(v)
 	if m == nil {
 		return nil, ErrInvalidSemVer
 	}
 	sv := &Version{
 		metadata: m[8],
 		pre:      m[5],
 		original: v,
 	}
 	var err error
 	sv.major, err = strconv.ParseUint(m[1], 10, 64)
 	if err != nil {
 		return nil, fmt.Errorf("error parsing version segment: %w", err)
 	}
 	if m[2] != "" {
 		sv.minor, err = strconv.ParseUint(strings.TrimPrefix(m[2], "."), 10, 64)
 		if err != nil {
 			return nil, fmt.Errorf("error parsing version segment: %w", err)
 		}
 	} else {
 		sv.minor = 0
 	}
 	if m[3] != "" {
 		sv.patch, err = strconv.ParseUint(strings.TrimPrefix(m[3], "."), 10, 64)
 		if err != nil {
 			return nil, fmt.Errorf("error parsing version segment: %w", err)
 		}
 	} else {
 		sv.patch = 0
 	}
 	// Perform some basic due diligence on the extra parts to ensure they are
 	// valid.
 	if sv.pre != "" {
 		if err = validatePrerelease(sv.pre); err != nil {
 			return nil, err
 		}
 	}
 	if sv.metadata != "" {
 		if err = validateMetadata(sv.metadata); err != nil {
 			return nil, err
 		}
 	}
 	return sv, nil
 }
 // New creates a new instance of Version with each of the parts passed in as
 // arguments instead of parsing a version string.
 func New(major, minor, patch uint64, pre, metadata string) *Version {
 	v := Version{
 		major:    major,
 		minor:    minor,
 		patch:    patch,
 		pre:      pre,
 		metadata: metadata,
 		original: "",
 	}
 	v.original = v.String()
 	return &v
 }
 // MustParse parses a given version and panics on error.
 func MustParse(v string) *Version {
 	sv, err := NewVersion(v)
 	if err != nil {
 		panic(err)
 	}
 	return sv
 }
 // String converts a Version object to a string.
 // Note, if the original version contained a leading v this version will not.
 // See the Original() method to retrieve the original value. Semantic Versions
 // don't contain a leading v per the spec. Instead it's optional on
 // implementation.
 func (v Version) String() string {
 	var buf bytes.Buffer
 	fmt.Fprintf(&buf, "%d.%d.%d", v.major, v.minor, v.patch)
 	if v.pre != "" {
 		fmt.Fprintf(&buf, "-%s", v.pre)
 	}
 	if v.metadata != "" {
 		fmt.Fprintf(&buf, "+%s", v.metadata)
 	}
 	return buf.String()
 }
 // Original returns the original value passed in to be parsed.
 func (v *Version) Original() string {
 	return v.original
 }
 // Major returns the major version.
 func (v Version) Major() uint64 {
 	return v.major
 }
 // Minor returns the minor version.
 func (v Version) Minor() uint64 {
 	return v.minor
 }
 // Patch returns the patch version.
 func (v Version) Patch() uint64 {
 	return v.patch
 }
 // Prerelease returns the pre-release version.
 func (v Version) Prerelease() string {
 	return v.pre
 }
 // Metadata returns the metadata on the version.
 func (v Version) Metadata() string {
 	return v.metadata
 }
 // originalVPrefix returns the original 'v' prefix if any.
 func (v Version) originalVPrefix() string {
 	// Note, only lowercase v is supported as a prefix by the parser.
 	if v.original != "" && v.original[:1] == "v" {
 		return v.original[:1]
 	}
 	return ""
 }
 // IncPatch produces the next patch version.
 // If the current version does not have prerelease/metadata information,
 // it unsets metadata and prerelease values, increments patch number.
 // If the current version has any of prerelease or metadata information,
 // it unsets both values and keeps current patch value
 func (v Version) IncPatch() Version {
 	vNext := v
 	// according to http://semver.org/#spec-item-9
 	// Pre-release versions have a lower precedence than the associated normal version.
 	// according to http://semver.org/#spec-item-10
 	// Build metadata SHOULD be ignored when determining version precedence.
 	if v.pre != "" {
 		vNext.metadata = ""
 		vNext.pre = ""
 	} else {
 		vNext.metadata = ""
 		vNext.pre = ""
 		vNext.patch = v.patch + 1
 	}
 	vNext.original = v.originalVPrefix() + "" + vNext.String()
 	return vNext
 }
 // IncMinor produces the next minor version.
 // Sets patch to 0.
 // Increments minor number.
 // Unsets metadata.
 // Unsets prerelease status.
 func (v Version) IncMinor() Version {
 	vNext := v
 	vNext.metadata = ""
 	vNext.pre = ""
 	vNext.patch = 0
 	vNext.minor = v.minor + 1
 	vNext.original = v.originalVPrefix() + "" + vNext.String()
 	return vNext
 }
 // IncMajor produces the next major version.
 // Sets patch to 0.
 // Sets minor to 0.
 // Increments major number.
 // Unsets metadata.
 // Unsets prerelease status.
 func (v Version) IncMajor() Version {
 	vNext := v
 	vNext.metadata = ""
 	vNext.pre = ""
 	vNext.patch = 0
 	vNext.minor = 0
 	vNext.major = v.major + 1
 	vNext.original = v.originalVPrefix() + "" + vNext.String()
 	return vNext
 }
 // SetPrerelease defines the prerelease value.
 // Value must not include the required 'hyphen' prefix.
 func (v Version) SetPrerelease(prerelease string) (Version, error) {
 	vNext := v
 	if len(prerelease) > 0 {
 		if err := validatePrerelease(prerelease); err != nil {
 			return vNext, err
 		}
 	}
 	vNext.pre = prerelease
 	vNext.original = v.originalVPrefix() + "" + vNext.String()
 	return vNext, nil
 }
 // SetMetadata defines metadata value.
 // Value must not include the required 'plus' prefix.
 func (v Version) SetMetadata(metadata string) (Version, error) {
 	vNext := v
 	if len(metadata) > 0 {
 		if err := validateMetadata(metadata); err != nil {
 			return vNext, err
 		}
 	}
 	vNext.metadata = metadata
 	vNext.original = v.originalVPrefix() + "" + vNext.String()
 	return vNext, nil
 }
 // LessThan tests if one version is less than another one.
 func (v *Version) LessThan(o *Version) bool {
 	return v.Compare(o) < 0
 }
 // LessThanEqual tests if one version is less or equal than another one.
 func (v *Version) LessThanEqual(o *Version) bool {
 	return v.Compare(o) <= 0
 }
 // GreaterThan tests if one version is greater than another one.
 func (v *Version) GreaterThan(o *Version) bool {
 	return v.Compare(o) > 0
 }
 // GreaterThanEqual tests if one version is greater or equal than another one.
 func (v *Version) GreaterThanEqual(o *Version) bool {
 	return v.Compare(o) >= 0
 }
 // Equal tests if two versions are equal to each other.
 // Note, versions can be equal with different metadata since metadata
 // is not considered part of the comparable version.
 func (v *Version) Equal(o *Version) bool {
 	if v == o {
 		return true
 	}
 	if v == nil || o == nil {
 		return false
 	}
 	return v.Compare(o) == 0
 }
 // Compare compares this version to another one. It returns -1, 0, or 1 if
 // the version smaller, equal, or larger than the other version.
 //
 // Versions are compared by X.Y.Z. Build metadata is ignored. Prerelease is
 // lower than the version without a prerelease. Compare always takes into account
 // prereleases. If you want to work with ranges using typical range syntaxes that
 // skip prereleases if the range is not looking for them use constraints.
 func (v *Version) Compare(o *Version) int {
 	// Compare the major, minor, and patch version for differences. If a
 	// difference is found return the comparison.
 	if d := compareSegment(v.Major(), o.Major()); d != 0 {
 		return d
 	}
 	if d := compareSegment(v.Minor(), o.Minor()); d != 0 {
 		return d
 	}
 	if d := compareSegment(v.Patch(), o.Patch()); d != 0 {
 		return d
 	}
 	// At this point the major, minor, and patch versions are the same.
 	ps := v.pre
 	po := o.Prerelease()
 	if ps == "" && po == "" {
 		return 0
 	}
 	if ps == "" {
 		return 1
 	}
 	if po == "" {
 		return -1
 	}
 	return comparePrerelease(ps, po)
 }
 // UnmarshalJSON implements JSON.Unmarshaler interface.
 func (v *Version) UnmarshalJSON(b []byte) error {
 	var s string
 	if err := json.Unmarshal(b, &s); err != nil {
 		return err
 	}
 	temp, err := NewVersion(s)
 	if err != nil {
 		return err
 	}
 	v.major = temp.major
 	v.minor = temp.minor
 	v.patch = temp.patch
 	v.pre = temp.pre
 	v.metadata = temp.metadata
 	v.original = temp.original
 	return nil
 }
 // MarshalJSON implements JSON.Marshaler interface.
 func (v Version) MarshalJSON() ([]byte, error) {
 	return json.Marshal(v.String())
 }
 // UnmarshalText implements the encoding.TextUnmarshaler interface.
 func (v *Version) UnmarshalText(text []byte) error {
 	temp, err := NewVersion(string(text))
 	if err != nil {
 		return err
 	}
 	*v = *temp
 	return nil
 }
 // MarshalText implements the encoding.TextMarshaler interface.
 func (v Version) MarshalText() ([]byte, error) {
 	return []byte(v.String()), nil
 }
 // Scan implements the SQL.Scanner interface.
 func (v *Version) Scan(value interface{}) error {
 	var s string
 	s, _ = value.(string)
 	temp, err := NewVersion(s)
 	if err != nil {
 		return err
 	}
 	v.major = temp.major
 	v.minor = temp.minor
 	v.patch = temp.patch
 	v.pre = temp.pre
 	v.metadata = temp.metadata
 	v.original = temp.original
 	return nil
 }
 // Value implements the Driver.Valuer interface.
 func (v Version) Value() (driver.Value, error) {
 	return v.String(), nil
 }
 func compareSegment(v, o uint64) int {
 	if v < o {
 		return -1
 	}
 	if v > o {
 		return 1
 	}
 	return 0
 }
 func comparePrerelease(v, o string) int {
 	// split the prelease versions by their part. The separator, per the spec,
 	// is a .
 	sparts := strings.Split(v, ".")
 	oparts := strings.Split(o, ".")
 	// Find the longer length of the parts to know how many loop iterations to
 	// go through.
 	slen := len(sparts)
 	olen := len(oparts)
 	l := slen
 	if olen > slen {
 		l = olen
 	}
 	// Iterate over each part of the prereleases to compare the differences.
 	for i := 0; i < l; i++ {
 		// Since the lentgh of the parts can be different we need to create
 		// a placeholder. This is to avoid out of bounds issues.
 		stemp := ""
 		if i < slen {
 			stemp = sparts[i]
 		}
 		otemp := ""
 		if i < olen {
 			otemp = oparts[i]
 		}
 		d := comparePrePart(stemp, otemp)
 		if d != 0 {
 			return d
 		}
 	}
 	// Reaching here means two versions are of equal value but have different
 	// metadata (the part following a +). They are not identical in string form
 	// but the version comparison finds them to be equal.
 	return 0
 }
 func comparePrePart(s, o string) int {
 	// Fastpath if they are equal
 	if s == o {
 		return 0
 	}
 	// When s or o are empty we can use the other in an attempt to determine
 	// the response.
 	if s == "" {
 		if o != "" {
 			return -1
 		}
 		return 1
 	}
 	if o == "" {
 		if s != "" {
 			return 1
 		}
 		return -1
 	}
 	// When comparing strings "99" is greater than "103". To handle
 	// cases like this we need to detect numbers and compare them. According
 	// to the semver spec, numbers are always positive. If there is a - at the
 	// start like -99 this is to be evaluated as an alphanum. numbers always
 	// have precedence over alphanum. Parsing as Uints because negative numbers
 	// are ignored.
 	oi, n1 := strconv.ParseUint(o, 10, 64)
 	si, n2 := strconv.ParseUint(s, 10, 64)
 	// The case where both are strings compare the strings
 	if n1 != nil && n2 != nil {
 		if s > o {
 			return 1
 		}
 		return -1
 	} else if n1 != nil {
 		// o is a string and s is a number
 		return -1
 	} else if n2 != nil {
 		// s is a string and o is a number
 		return 1
 	}
 	// Both are numbers
 	if si > oi {
 		return 1
 	}
 	return -1
 }
 // Like strings.ContainsAny but does an only instead of any.
 func containsOnly(s string, comp string) bool {
 	return strings.IndexFunc(s, func(r rune) bool {
 		return !strings.ContainsRune(comp, r)
 	}) == -1
 }
 // From the spec, "Identifiers MUST comprise only
 // ASCII alphanumerics and hyphen [0-9A-Za-z-]. Identifiers MUST NOT be empty.
 // Numeric identifiers MUST NOT include leading zeroes.". These segments can
 // be dot separated.
 func validatePrerelease(p string) error {
 	eparts := strings.Split(p, ".")
 	for _, p := range eparts {
 		if p == "" {
 			return ErrInvalidPrerelease
 		} else if containsOnly(p, num) {
 			if len(p) > 1 && p[0] == '0' {
 				return ErrSegmentStartsZero
 			}
 		} else if !containsOnly(p, allowed) {
 			return ErrInvalidPrerelease
 		}
 	}
 	return nil
 }
 // From the spec, "Build metadata MAY be denoted by
 // appending a plus sign and a series of dot separated identifiers immediately
 // following the patch or pre-release version. Identifiers MUST comprise only
 // ASCII alphanumerics and hyphen [0-9A-Za-z-]. Identifiers MUST NOT be empty."
 func validateMetadata(m string) error {
 	eparts := strings.Split(m, ".")
 	for _, p := range eparts {
 		if p == "" {
 			return ErrInvalidMetadata
 		} else if !containsOnly(p, allowed) {
 			return ErrInvalidMetadata
 		}
 	}
 	return nil
 }
 // validateVersion checks for common validation issues but may not catch all errors
 func validateVersion(m []string) error {
 	var err error
 	var v string
 	if m[1] != "" {
 		if len(m[1]) > 1 && m[1][0] == '0' {
 			return ErrSegmentStartsZero
 		}
 		_, err = strconv.ParseUint(m[1], 10, 64)
 		if err != nil {
 			return fmt.Errorf("error parsing version segment: %w", err)
 		}
 	}
 	if m[2] != "" {
 		v = strings.TrimPrefix(m[2], ".")
 		if len(v) > 1 && v[0] == '0' {
 			return ErrSegmentStartsZero
 		}
 		_, err = strconv.ParseUint(v, 10, 64)
 		if err != nil {
 			return fmt.Errorf("error parsing version segment: %w", err)
 		}
 	}
 	if m[3] != "" {
 		v = strings.TrimPrefix(m[3], ".")
 		if len(v) > 1 && v[0] == '0' {
 			return ErrSegmentStartsZero
 		}
 		_, err = strconv.ParseUint(v, 10, 64)
 		if err != nil {
 			return fmt.Errorf("error parsing version segment: %w", err)
 		}
 	}
 	if m[5] != "" {
 		if err = validatePrerelease(m[5]); err != nil {
 			return err
 		}
 	}
 	if m[8] != "" {
 		if err = validateMetadata(m[8]); err != nil {
 			return err
 		}
 	}
 	return nil
 }
@@ -0,0 +1,3 @@
 # This source code refers to The Go Authors for copyright purposes.
 # The master list of authors is in the main Go distribution,
 # visible at https://tip.golang.org/AUTHORS.
@@ -0,0 +1,3 @@
 # This source code was written by the Go contributors.
 # The master list of contributors is in the main Go distribution,
 # visible at https://tip.golang.org/CONTRIBUTORS.
@@ -0,0 +1,27 @@
 Copyright (c) 2009 The Go Authors. All rights reserved.
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
 met:
   * Redistributions of source code must retain the above copyright
 notice, this list of conditions and the following disclaimer.
   * Redistributions in binary form must reproduce the above
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
   * Neither the name of Google Inc. nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@@ -0,0 +1,22 @@
 Additional IP Rights Grant (Patents)
 "This implementation" means the copyrightable works distributed by
 Google as part of the Go project.
 Google hereby grants to You a perpetual, worldwide, non-exclusive,
 no-charge, royalty-free, irrevocable (except as stated in this section)
 patent license to make, have made, use, offer to sell, sell, import,
 transfer and otherwise run, modify and propagate the contents of this
 implementation of Go, where such license applies only to those patent
 claims, both currently owned or controlled by Google and acquired in
 the future, licensable by Google that are necessarily infringed by this
 implementation of Go.  This grant does not include claims that would be
 infringed only as a consequence of further modification of this
 implementation.  If you or your agent or exclusive licensee institute or
 order or agree to the institution of patent litigation against any
 entity (including a cross-claim or counterclaim in a lawsuit) alleging
 that this implementation of Go or any code incorporated within this
 implementation of Go constitutes direct or contributory patent
 infringement, or inducement of patent infringement, then any patent
 rights granted to you under this License for this implementation of Go
 shall terminate as of the date such litigation is filed.
@@ -0,0 +1,381 @@
 package bitcurves
 // Copyright 2010 The Go Authors. All rights reserved.
 // Copyright 2011 ThePiachu. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package bitelliptic implements several Koblitz elliptic curves over prime
 // fields.
 // This package operates, internally, on Jacobian coordinates. For a given
 // (x, y) position on the curve, the Jacobian coordinates are (x1, y1, z1)
 // where x = x1/z1² and y = y1/z1³. The greatest speedups come when the whole
 // calculation can be performed within the transform (as in ScalarMult and
 // ScalarBaseMult). But even for Add and Double, it's faster to apply and
 // reverse the transform than to operate in affine coordinates.
 import (
 	"crypto/elliptic"
 	"io"
 	"math/big"
 	"sync"
 )
 // A BitCurve represents a Koblitz Curve with a=0.
 // See http://www.hyperelliptic.org/EFD/g1p/auto-shortw.html
 type BitCurve struct {
 	Name    string
 	P       *big.Int // the order of the underlying field
 	N       *big.Int // the order of the base point
 	B       *big.Int // the constant of the BitCurve equation
 	Gx, Gy  *big.Int // (x,y) of the base point
 	BitSize int      // the size of the underlying field
 }
 // Params returns the parameters of the given BitCurve (see BitCurve struct)
 func (bitCurve *BitCurve) Params() (cp *elliptic.CurveParams) {
 	cp = new(elliptic.CurveParams)
 	cp.Name = bitCurve.Name
 	cp.P = bitCurve.P
 	cp.N = bitCurve.N
 	cp.Gx = bitCurve.Gx
 	cp.Gy = bitCurve.Gy
 	cp.BitSize = bitCurve.BitSize
 	return cp
 }
 // IsOnCurve returns true if the given (x,y) lies on the BitCurve.
 func (bitCurve *BitCurve) IsOnCurve(x, y *big.Int) bool {
 	// y² = x³ + b
 	y2 := new(big.Int).Mul(y, y) //y²
 	y2.Mod(y2, bitCurve.P)       //y²%P
 	x3 := new(big.Int).Mul(x, x) //x²
 	x3.Mul(x3, x)                //x³
 	x3.Add(x3, bitCurve.B) //x³+B
 	x3.Mod(x3, bitCurve.P) //(x³+B)%P
 	return x3.Cmp(y2) == 0
 }
 // affineFromJacobian reverses the Jacobian transform. See the comment at the
 // top of the file.
 func (bitCurve *BitCurve) affineFromJacobian(x, y, z *big.Int) (xOut, yOut *big.Int) {
 	if z.Cmp(big.NewInt(0)) == 0 {
 		panic("bitcurve: Can't convert to affine with Jacobian Z = 0")
 	}
 	// x = YZ^2 mod P
 	zinv := new(big.Int).ModInverse(z, bitCurve.P)
 	zinvsq := new(big.Int).Mul(zinv, zinv)
 	xOut = new(big.Int).Mul(x, zinvsq)
 	xOut.Mod(xOut, bitCurve.P)
 	// y = YZ^3 mod P
 	zinvsq.Mul(zinvsq, zinv)
 	yOut = new(big.Int).Mul(y, zinvsq)
 	yOut.Mod(yOut, bitCurve.P)
 	return xOut, yOut
 }
 // Add returns the sum of (x1,y1) and (x2,y2)
 func (bitCurve *BitCurve) Add(x1, y1, x2, y2 *big.Int) (*big.Int, *big.Int) {
 	z := new(big.Int).SetInt64(1)
 	x, y, z := bitCurve.addJacobian(x1, y1, z, x2, y2, z)
 	return bitCurve.affineFromJacobian(x, y, z)
 }
 // addJacobian takes two points in Jacobian coordinates, (x1, y1, z1) and
 // (x2, y2, z2) and returns their sum, also in Jacobian form.
 func (bitCurve *BitCurve) addJacobian(x1, y1, z1, x2, y2, z2 *big.Int) (*big.Int, *big.Int, *big.Int) {
 	// See http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-add-2007-bl
 	z1z1 := new(big.Int).Mul(z1, z1)
 	z1z1.Mod(z1z1, bitCurve.P)
 	z2z2 := new(big.Int).Mul(z2, z2)
 	z2z2.Mod(z2z2, bitCurve.P)
 	u1 := new(big.Int).Mul(x1, z2z2)
 	u1.Mod(u1, bitCurve.P)
 	u2 := new(big.Int).Mul(x2, z1z1)
 	u2.Mod(u2, bitCurve.P)
 	h := new(big.Int).Sub(u2, u1)
 	if h.Sign() == -1 {
 		h.Add(h, bitCurve.P)
 	}
 	i := new(big.Int).Lsh(h, 1)
 	i.Mul(i, i)
 	j := new(big.Int).Mul(h, i)
 	s1 := new(big.Int).Mul(y1, z2)
 	s1.Mul(s1, z2z2)
 	s1.Mod(s1, bitCurve.P)
 	s2 := new(big.Int).Mul(y2, z1)
 	s2.Mul(s2, z1z1)
 	s2.Mod(s2, bitCurve.P)
 	r := new(big.Int).Sub(s2, s1)
 	if r.Sign() == -1 {
 		r.Add(r, bitCurve.P)
 	}
 	r.Lsh(r, 1)
 	v := new(big.Int).Mul(u1, i)
 	x3 := new(big.Int).Set(r)
 	x3.Mul(x3, x3)
 	x3.Sub(x3, j)
 	x3.Sub(x3, v)
 	x3.Sub(x3, v)
 	x3.Mod(x3, bitCurve.P)
 	y3 := new(big.Int).Set(r)
 	v.Sub(v, x3)
 	y3.Mul(y3, v)
 	s1.Mul(s1, j)
 	s1.Lsh(s1, 1)
 	y3.Sub(y3, s1)
 	y3.Mod(y3, bitCurve.P)
 	z3 := new(big.Int).Add(z1, z2)
 	z3.Mul(z3, z3)
 	z3.Sub(z3, z1z1)
 	if z3.Sign() == -1 {
 		z3.Add(z3, bitCurve.P)
 	}
 	z3.Sub(z3, z2z2)
 	if z3.Sign() == -1 {
 		z3.Add(z3, bitCurve.P)
 	}
 	z3.Mul(z3, h)
 	z3.Mod(z3, bitCurve.P)
 	return x3, y3, z3
 }
 // Double returns 2*(x,y)
 func (bitCurve *BitCurve) Double(x1, y1 *big.Int) (*big.Int, *big.Int) {
 	z1 := new(big.Int).SetInt64(1)
 	return bitCurve.affineFromJacobian(bitCurve.doubleJacobian(x1, y1, z1))
 }
 // doubleJacobian takes a point in Jacobian coordinates, (x, y, z), and
 // returns its double, also in Jacobian form.
 func (bitCurve *BitCurve) doubleJacobian(x, y, z *big.Int) (*big.Int, *big.Int, *big.Int) {
 	// See http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l
 	a := new(big.Int).Mul(x, x) //X1²
 	b := new(big.Int).Mul(y, y) //Y1²
 	c := new(big.Int).Mul(b, b) //B²
 	d := new(big.Int).Add(x, b) //X1+B
 	d.Mul(d, d)                 //(X1+B)²
 	d.Sub(d, a)                 //(X1+B)²-A
 	d.Sub(d, c)                 //(X1+B)²-A-C
 	d.Mul(d, big.NewInt(2))     //2*((X1+B)²-A-C)
 	e := new(big.Int).Mul(big.NewInt(3), a) //3*A
 	f := new(big.Int).Mul(e, e)             //E²
 	x3 := new(big.Int).Mul(big.NewInt(2), d) //2*D
 	x3.Sub(f, x3)                            //F-2*D
 	x3.Mod(x3, bitCurve.P)
 	y3 := new(big.Int).Sub(d, x3)                  //D-X3
 	y3.Mul(e, y3)                                  //E*(D-X3)
 	y3.Sub(y3, new(big.Int).Mul(big.NewInt(8), c)) //E*(D-X3)-8*C
 	y3.Mod(y3, bitCurve.P)
 	z3 := new(big.Int).Mul(y, z) //Y1*Z1
 	z3.Mul(big.NewInt(2), z3)    //3*Y1*Z1
 	z3.Mod(z3, bitCurve.P)
 	return x3, y3, z3
 }
 // TODO: double check if it is okay
 // ScalarMult returns k*(Bx,By) where k is a number in big-endian form.
 func (bitCurve *BitCurve) ScalarMult(Bx, By *big.Int, k []byte) (*big.Int, *big.Int) {
 	// We have a slight problem in that the identity of the group (the
 	// point at infinity) cannot be represented in (x, y) form on a finite
 	// machine. Thus the standard add/double algorithm has to be tweaked
 	// slightly: our initial state is not the identity, but x, and we
 	// ignore the first true bit in |k|.  If we don't find any true bits in
 	// |k|, then we return nil, nil, because we cannot return the identity
 	// element.
 	Bz := new(big.Int).SetInt64(1)
 	x := Bx
 	y := By
 	z := Bz
 	seenFirstTrue := false
 	for _, byte := range k {
 		for bitNum := 0; bitNum < 8; bitNum++ {
 			if seenFirstTrue {
 				x, y, z = bitCurve.doubleJacobian(x, y, z)
 			}
 			if byte&0x80 == 0x80 {
 				if !seenFirstTrue {
 					seenFirstTrue = true
 				} else {
 					x, y, z = bitCurve.addJacobian(Bx, By, Bz, x, y, z)
 				}
 			}
 			byte <<= 1
 		}
 	}
 	if !seenFirstTrue {
 		return nil, nil
 	}
 	return bitCurve.affineFromJacobian(x, y, z)
 }
 // ScalarBaseMult returns k*G, where G is the base point of the group and k is
 // an integer in big-endian form.
 func (bitCurve *BitCurve) ScalarBaseMult(k []byte) (*big.Int, *big.Int) {
 	return bitCurve.ScalarMult(bitCurve.Gx, bitCurve.Gy, k)
 }
 var mask = []byte{0xff, 0x1, 0x3, 0x7, 0xf, 0x1f, 0x3f, 0x7f}
 // TODO: double check if it is okay
 // GenerateKey returns a public/private key pair. The private key is generated
 // using the given reader, which must return random data.
 func (bitCurve *BitCurve) GenerateKey(rand io.Reader) (priv []byte, x, y *big.Int, err error) {
 	byteLen := (bitCurve.BitSize + 7) >> 3
 	priv = make([]byte, byteLen)
 	for x == nil {
 		_, err = io.ReadFull(rand, priv)
 		if err != nil {
 			return
 		}
 		// We have to mask off any excess bits in the case that the size of the
 		// underlying field is not a whole number of bytes.
 		priv[0] &= mask[bitCurve.BitSize%8]
 		// This is because, in tests, rand will return all zeros and we don't
 		// want to get the point at infinity and loop forever.
 		priv[1] ^= 0x42
 		x, y = bitCurve.ScalarBaseMult(priv)
 	}
 	return
 }
 // Marshal converts a point into the form specified in section 4.3.6 of ANSI
 // X9.62.
 func (bitCurve *BitCurve) Marshal(x, y *big.Int) []byte {
 	byteLen := (bitCurve.BitSize + 7) >> 3
 	ret := make([]byte, 1+2*byteLen)
 	ret[0] = 4 // uncompressed point
 	xBytes := x.Bytes()
 	copy(ret[1+byteLen-len(xBytes):], xBytes)
 	yBytes := y.Bytes()
 	copy(ret[1+2*byteLen-len(yBytes):], yBytes)
 	return ret
 }
 // Unmarshal converts a point, serialised by Marshal, into an x, y pair. On
 // error, x = nil.
 func (bitCurve *BitCurve) Unmarshal(data []byte) (x, y *big.Int) {
 	byteLen := (bitCurve.BitSize + 7) >> 3
 	if len(data) != 1+2*byteLen {
 		return
 	}
 	if data[0] != 4 { // uncompressed form
 		return
 	}
 	x = new(big.Int).SetBytes(data[1 : 1+byteLen])
 	y = new(big.Int).SetBytes(data[1+byteLen:])
 	return
 }
 //curve parameters taken from:
 //http://www.secg.org/collateral/sec2_final.pdf
 var initonce sync.Once
 var secp160k1 *BitCurve
 var secp192k1 *BitCurve
 var secp224k1 *BitCurve
 var secp256k1 *BitCurve
 func initAll() {
 	initS160()
 	initS192()
 	initS224()
 	initS256()
 }
 func initS160() {
 	// See SEC 2 section 2.4.1
 	secp160k1 = new(BitCurve)
 	secp160k1.Name = "secp160k1"
 	secp160k1.P, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73", 16)
 	secp160k1.N, _ = new(big.Int).SetString("0100000000000000000001B8FA16DFAB9ACA16B6B3", 16)
 	secp160k1.B, _ = new(big.Int).SetString("0000000000000000000000000000000000000007", 16)
 	secp160k1.Gx, _ = new(big.Int).SetString("3B4C382CE37AA192A4019E763036F4F5DD4D7EBB", 16)
 	secp160k1.Gy, _ = new(big.Int).SetString("938CF935318FDCED6BC28286531733C3F03C4FEE", 16)
 	secp160k1.BitSize = 160
 }
 func initS192() {
 	// See SEC 2 section 2.5.1
 	secp192k1 = new(BitCurve)
 	secp192k1.Name = "secp192k1"
 	secp192k1.P, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37", 16)
 	secp192k1.N, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D", 16)
 	secp192k1.B, _ = new(big.Int).SetString("000000000000000000000000000000000000000000000003", 16)
 	secp192k1.Gx, _ = new(big.Int).SetString("DB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D", 16)
 	secp192k1.Gy, _ = new(big.Int).SetString("9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D", 16)
 	secp192k1.BitSize = 192
 }
 func initS224() {
 	// See SEC 2 section 2.6.1
 	secp224k1 = new(BitCurve)
 	secp224k1.Name = "secp224k1"
 	secp224k1.P, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFE56D", 16)
 	secp224k1.N, _ = new(big.Int).SetString("010000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7", 16)
 	secp224k1.B, _ = new(big.Int).SetString("00000000000000000000000000000000000000000000000000000005", 16)
 	secp224k1.Gx, _ = new(big.Int).SetString("A1455B334DF099DF30FC28A169A467E9E47075A90F7E650EB6B7A45C", 16)
 	secp224k1.Gy, _ = new(big.Int).SetString("7E089FED7FBA344282CAFBD6F7E319F7C0B0BD59E2CA4BDB556D61A5", 16)
 	secp224k1.BitSize = 224
 }
 func initS256() {
 	// See SEC 2 section 2.7.1
 	secp256k1 = new(BitCurve)
 	secp256k1.Name = "secp256k1"
 	secp256k1.P, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F", 16)
 	secp256k1.N, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16)
 	secp256k1.B, _ = new(big.Int).SetString("0000000000000000000000000000000000000000000000000000000000000007", 16)
 	secp256k1.Gx, _ = new(big.Int).SetString("79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798", 16)
 	secp256k1.Gy, _ = new(big.Int).SetString("483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8", 16)
 	secp256k1.BitSize = 256
 }
 // S160 returns a BitCurve which implements secp160k1 (see SEC 2 section 2.4.1)
 func S160() *BitCurve {
 	initonce.Do(initAll)
 	return secp160k1
 }
 // S192 returns a BitCurve which implements secp192k1 (see SEC 2 section 2.5.1)
 func S192() *BitCurve {
 	initonce.Do(initAll)
 	return secp192k1
 }
 // S224 returns a BitCurve which implements secp224k1 (see SEC 2 section 2.6.1)
 func S224() *BitCurve {
 	initonce.Do(initAll)
 	return secp224k1
 }
 // S256 returns a BitCurve which implements bitcurves (see SEC 2 section 2.7.1)
 func S256() *BitCurve {
 	initonce.Do(initAll)
 	return secp256k1
 }
@@ -0,0 +1,134 @@
 // Package brainpool implements Brainpool elliptic curves.
 // Implementation of rcurves is from github.com/ebfe/brainpool
 // Note that these curves are implemented with naive, non-constant time operations
 // and are likely not suitable for environments where timing attacks are a concern.
 package brainpool
 import (
 	"crypto/elliptic"
 	"math/big"
 	"sync"
 )
 var (
 	once                   sync.Once
 	p256t1, p384t1, p512t1 *elliptic.CurveParams
 	p256r1, p384r1, p512r1 *rcurve
 )
 func initAll() {
 	initP256t1()
 	initP384t1()
 	initP512t1()
 	initP256r1()
 	initP384r1()
 	initP512r1()
 }
 func initP256t1() {
 	p256t1 = &elliptic.CurveParams{Name: "brainpoolP256t1"}
 	p256t1.P, _ = new(big.Int).SetString("A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", 16)
 	p256t1.N, _ = new(big.Int).SetString("A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7", 16)
 	p256t1.B, _ = new(big.Int).SetString("662C61C430D84EA4FE66A7733D0B76B7BF93EBC4AF2F49256AE58101FEE92B04", 16)
 	p256t1.Gx, _ = new(big.Int).SetString("A3E8EB3CC1CFE7B7732213B23A656149AFA142C47AAFBC2B79A191562E1305F4", 16)
 	p256t1.Gy, _ = new(big.Int).SetString("2D996C823439C56D7F7B22E14644417E69BCB6DE39D027001DABE8F35B25C9BE", 16)
 	p256t1.BitSize = 256
 }
 func initP256r1() {
 	twisted := p256t1
 	params := &elliptic.CurveParams{
 		Name:    "brainpoolP256r1",
 		P:       twisted.P,
 		N:       twisted.N,
 		BitSize: twisted.BitSize,
 	}
 	params.Gx, _ = new(big.Int).SetString("8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262", 16)
 	params.Gy, _ = new(big.Int).SetString("547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997", 16)
 	z, _ := new(big.Int).SetString("3E2D4BD9597B58639AE7AA669CAB9837CF5CF20A2C852D10F655668DFC150EF0", 16)
 	p256r1 = newrcurve(twisted, params, z)
 }
 func initP384t1() {
 	p384t1 = &elliptic.CurveParams{Name: "brainpoolP384t1"}
 	p384t1.P, _ = new(big.Int).SetString("8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC53", 16)
 	p384t1.N, _ = new(big.Int).SetString("8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565", 16)
 	p384t1.B, _ = new(big.Int).SetString("7F519EADA7BDA81BD826DBA647910F8C4B9346ED8CCDC64E4B1ABD11756DCE1D2074AA263B88805CED70355A33B471EE", 16)
 	p384t1.Gx, _ = new(big.Int).SetString("18DE98B02DB9A306F2AFCD7235F72A819B80AB12EBD653172476FECD462AABFFC4FF191B946A5F54D8D0AA2F418808CC", 16)
 	p384t1.Gy, _ = new(big.Int).SetString("25AB056962D30651A114AFD2755AD336747F93475B7A1FCA3B88F2B6A208CCFE469408584DC2B2912675BF5B9E582928", 16)
 	p384t1.BitSize = 384
 }
 func initP384r1() {
 	twisted := p384t1
 	params := &elliptic.CurveParams{
 		Name:    "brainpoolP384r1",
 		P:       twisted.P,
 		N:       twisted.N,
 		BitSize: twisted.BitSize,
 	}
 	params.Gx, _ = new(big.Int).SetString("1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10E8E826E03436D646AAEF87B2E247D4AF1E", 16)
 	params.Gy, _ = new(big.Int).SetString("8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129280E4646217791811142820341263C5315", 16)
 	z, _ := new(big.Int).SetString("41DFE8DD399331F7166A66076734A89CD0D2BCDB7D068E44E1F378F41ECBAE97D2D63DBC87BCCDDCCC5DA39E8589291C", 16)
 	p384r1 = newrcurve(twisted, params, z)
 }
 func initP512t1() {
 	p512t1 = &elliptic.CurveParams{Name: "brainpoolP512t1"}
 	p512t1.P, _ = new(big.Int).SetString("AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3", 16)
 	p512t1.N, _ = new(big.Int).SetString("AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069", 16)
 	p512t1.B, _ = new(big.Int).SetString("7CBBBCF9441CFAB76E1890E46884EAE321F70C0BCB4981527897504BEC3E36A62BCDFA2304976540F6450085F2DAE145C22553B465763689180EA2571867423E", 16)
 	p512t1.Gx, _ = new(big.Int).SetString("640ECE5C12788717B9C1BA06CBC2A6FEBA85842458C56DDE9DB1758D39C0313D82BA51735CDB3EA499AA77A7D6943A64F7A3F25FE26F06B51BAA2696FA9035DA", 16)
 	p512t1.Gy, _ = new(big.Int).SetString("5B534BD595F5AF0FA2C892376C84ACE1BB4E3019B71634C01131159CAE03CEE9D9932184BEEF216BD71DF2DADF86A627306ECFF96DBB8BACE198B61E00F8B332", 16)
 	p512t1.BitSize = 512
 }
 func initP512r1() {
 	twisted := p512t1
 	params := &elliptic.CurveParams{
 		Name:    "brainpoolP512r1",
 		P:       twisted.P,
 		N:       twisted.N,
 		BitSize: twisted.BitSize,
 	}
 	params.Gx, _ = new(big.Int).SetString("81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D0098EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822", 16)
 	params.Gy, _ = new(big.Int).SetString("7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F8111B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892", 16)
 	z, _ := new(big.Int).SetString("12EE58E6764838B69782136F0F2D3BA06E27695716054092E60A80BEDB212B64E585D90BCE13761F85C3F1D2A64E3BE8FEA2220F01EBA5EEB0F35DBD29D922AB", 16)
 	p512r1 = newrcurve(twisted, params, z)
 }
 // P256t1 returns a Curve which implements Brainpool P256t1 (see RFC 5639, section 3.4)
 func P256t1() elliptic.Curve {
 	once.Do(initAll)
 	return p256t1
 }
 // P256r1 returns a Curve which implements Brainpool P256r1 (see RFC 5639, section 3.4)
 func P256r1() elliptic.Curve {
 	once.Do(initAll)
 	return p256r1
 }
 // P384t1 returns a Curve which implements Brainpool P384t1 (see RFC 5639, section 3.6)
 func P384t1() elliptic.Curve {
 	once.Do(initAll)
 	return p384t1
 }
 // P384r1 returns a Curve which implements Brainpool P384r1 (see RFC 5639, section 3.6)
 func P384r1() elliptic.Curve {
 	once.Do(initAll)
 	return p384r1
 }
 // P512t1 returns a Curve which implements Brainpool P512t1 (see RFC 5639, section 3.7)
 func P512t1() elliptic.Curve {
 	once.Do(initAll)
 	return p512t1
 }
 // P512r1 returns a Curve which implements Brainpool P512r1 (see RFC 5639, section 3.7)
 func P512r1() elliptic.Curve {
 	once.Do(initAll)
 	return p512r1
 }
@@ -0,0 +1,83 @@
 package brainpool
 import (
 	"crypto/elliptic"
 	"math/big"
 )
 var _ elliptic.Curve = (*rcurve)(nil)
 type rcurve struct {
 	twisted elliptic.Curve
 	params  *elliptic.CurveParams
 	z       *big.Int
 	zinv    *big.Int
 	z2      *big.Int
 	z3      *big.Int
 	zinv2   *big.Int
 	zinv3   *big.Int
 }
 var (
 	two   = big.NewInt(2)
 	three = big.NewInt(3)
 )
 func newrcurve(twisted elliptic.Curve, params *elliptic.CurveParams, z *big.Int) *rcurve {
 	zinv := new(big.Int).ModInverse(z, params.P)
 	return &rcurve{
 		twisted: twisted,
 		params:  params,
 		z:       z,
 		zinv:    zinv,
 		z2:      new(big.Int).Exp(z, two, params.P),
 		z3:      new(big.Int).Exp(z, three, params.P),
 		zinv2:   new(big.Int).Exp(zinv, two, params.P),
 		zinv3:   new(big.Int).Exp(zinv, three, params.P),
 	}
 }
 func (curve *rcurve) toTwisted(x, y *big.Int) (*big.Int, *big.Int) {
 	var tx, ty big.Int
 	tx.Mul(x, curve.z2)
 	tx.Mod(&tx, curve.params.P)
 	ty.Mul(y, curve.z3)
 	ty.Mod(&ty, curve.params.P)
 	return &tx, &ty
 }
 func (curve *rcurve) fromTwisted(tx, ty *big.Int) (*big.Int, *big.Int) {
 	var x, y big.Int
 	x.Mul(tx, curve.zinv2)
 	x.Mod(&x, curve.params.P)
 	y.Mul(ty, curve.zinv3)
 	y.Mod(&y, curve.params.P)
 	return &x, &y
 }
 func (curve *rcurve) Params() *elliptic.CurveParams {
 	return curve.params
 }
 func (curve *rcurve) IsOnCurve(x, y *big.Int) bool {
 	return curve.twisted.IsOnCurve(curve.toTwisted(x, y))
 }
 func (curve *rcurve) Add(x1, y1, x2, y2 *big.Int) (x, y *big.Int) {
 	tx1, ty1 := curve.toTwisted(x1, y1)
 	tx2, ty2 := curve.toTwisted(x2, y2)
 	return curve.fromTwisted(curve.twisted.Add(tx1, ty1, tx2, ty2))
 }
 func (curve *rcurve) Double(x1, y1 *big.Int) (x, y *big.Int) {
 	return curve.fromTwisted(curve.twisted.Double(curve.toTwisted(x1, y1)))
 }
 func (curve *rcurve) ScalarMult(x1, y1 *big.Int, scalar []byte) (x, y *big.Int) {
 	tx1, ty1 := curve.toTwisted(x1, y1)
 	return curve.fromTwisted(curve.twisted.ScalarMult(tx1, ty1, scalar))
 }
 func (curve *rcurve) ScalarBaseMult(scalar []byte) (x, y *big.Int) {
 	return curve.fromTwisted(curve.twisted.ScalarBaseMult(scalar))
 }
@@ -0,0 +1,162 @@
 // Copyright (C) 2019 ProtonTech AG
 // Package eax provides an implementation of the EAX
 // (encrypt-authenticate-translate) mode of operation, as described in
 // Bellare, Rogaway, and Wagner "THE EAX MODE OF OPERATION: A TWO-PASS
 // AUTHENTICATED-ENCRYPTION SCHEME OPTIMIZED FOR SIMPLICITY AND EFFICIENCY."
 // In FSE'04, volume 3017 of LNCS, 2004
 package eax
 import (
 	"crypto/cipher"
 	"crypto/subtle"
 	"errors"
 	"github.com/ProtonMail/go-crypto/internal/byteutil"
 )
 const (
 	defaultTagSize   = 16
 	defaultNonceSize = 16
 )
 type eax struct {
 	block     cipher.Block // Only AES-{128, 192, 256} supported
 	tagSize   int          // At least 12 bytes recommended
 	nonceSize int
 }
 func (e *eax) NonceSize() int {
 	return e.nonceSize
 }
 func (e *eax) Overhead() int {
 	return e.tagSize
 }
 // NewEAX returns an EAX instance with AES-{KEYLENGTH} and default nonce and
 // tag lengths. Supports {128, 192, 256}- bit key length.
 func NewEAX(block cipher.Block) (cipher.AEAD, error) {
 	return NewEAXWithNonceAndTagSize(block, defaultNonceSize, defaultTagSize)
 }
 // NewEAXWithNonceAndTagSize returns an EAX instance with AES-{keyLength} and
 // given nonce and tag lengths in bytes. Panics on zero nonceSize and
 // exceedingly long tags.
 //
 // It is recommended to use at least 12 bytes as tag length (see, for instance,
 // NIST SP 800-38D).
 //
 // Only to be used for compatibility with existing cryptosystems with
 // non-standard parameters. For all other cases, prefer NewEAX.
 func NewEAXWithNonceAndTagSize(
 	block cipher.Block, nonceSize, tagSize int) (cipher.AEAD, error) {
 	if nonceSize < 1 {
 		return nil, eaxError("Cannot initialize EAX with nonceSize = 0")
 	}
 	if tagSize > block.BlockSize() {
 		return nil, eaxError("Custom tag length exceeds blocksize")
 	}
 	return &eax{
 		block:     block,
 		tagSize:   tagSize,
 		nonceSize: nonceSize,
 	}, nil
 }
 func (e *eax) Seal(dst, nonce, plaintext, adata []byte) []byte {
 	if len(nonce) > e.nonceSize {
 		panic("crypto/eax: Nonce too long for this instance")
 	}
 	ret, out := byteutil.SliceForAppend(dst, len(plaintext)+e.tagSize)
 	omacNonce := e.omacT(0, nonce)
 	omacAdata := e.omacT(1, adata)
 	// Encrypt message using CTR mode and omacNonce as IV
 	ctr := cipher.NewCTR(e.block, omacNonce)
 	ciphertextData := out[:len(plaintext)]
 	ctr.XORKeyStream(ciphertextData, plaintext)
 	omacCiphertext := e.omacT(2, ciphertextData)
 	tag := out[len(plaintext):]
 	for i := 0; i < e.tagSize; i++ {
 		tag[i] = omacCiphertext[i] ^ omacNonce[i] ^ omacAdata[i]
 	}
 	return ret
 }
 func (e *eax) Open(dst, nonce, ciphertext, adata []byte) ([]byte, error) {
 	if len(nonce) > e.nonceSize {
 		panic("crypto/eax: Nonce too long for this instance")
 	}
 	if len(ciphertext) < e.tagSize {
 		return nil, eaxError("Ciphertext shorter than tag length")
 	}
 	sep := len(ciphertext) - e.tagSize
 	// Compute tag
 	omacNonce := e.omacT(0, nonce)
 	omacAdata := e.omacT(1, adata)
 	omacCiphertext := e.omacT(2, ciphertext[:sep])
 	tag := make([]byte, e.tagSize)
 	for i := 0; i < e.tagSize; i++ {
 		tag[i] = omacCiphertext[i] ^ omacNonce[i] ^ omacAdata[i]
 	}
 	// Compare tags
 	if subtle.ConstantTimeCompare(ciphertext[sep:], tag) != 1 {
 		return nil, eaxError("Tag authentication failed")
 	}
 	// Decrypt ciphertext
 	ret, out := byteutil.SliceForAppend(dst, len(ciphertext))
 	ctr := cipher.NewCTR(e.block, omacNonce)
 	ctr.XORKeyStream(out, ciphertext[:sep])
 	return ret[:sep], nil
 }
 // Tweakable OMAC - Calls OMAC_K([t]_n || plaintext)
 func (e *eax) omacT(t byte, plaintext []byte) []byte {
 	blockSize := e.block.BlockSize()
 	byteT := make([]byte, blockSize)
 	byteT[blockSize-1] = t
 	concat := append(byteT, plaintext...)
 	return e.omac(concat)
 }
 func (e *eax) omac(plaintext []byte) []byte {
 	blockSize := e.block.BlockSize()
 	// L ← E_K(0^n); B ← 2L; P ← 4L
 	L := make([]byte, blockSize)
 	e.block.Encrypt(L, L)
 	B := byteutil.GfnDouble(L)
 	P := byteutil.GfnDouble(B)
 	// CBC with IV = 0
 	cbc := cipher.NewCBCEncrypter(e.block, make([]byte, blockSize))
 	padded := e.pad(plaintext, B, P)
 	cbcCiphertext := make([]byte, len(padded))
 	cbc.CryptBlocks(cbcCiphertext, padded)
 	return cbcCiphertext[len(cbcCiphertext)-blockSize:]
 }
 func (e *eax) pad(plaintext, B, P []byte) []byte {
 	// if |M| in {n, 2n, 3n, ...}
 	blockSize := e.block.BlockSize()
 	if len(plaintext) != 0 && len(plaintext)%blockSize == 0 {
 		return byteutil.RightXor(plaintext, B)
 	}
 	// else return (M || 1 || 0^(n−1−(|M| % n))) xor→ P
 	ending := make([]byte, blockSize-len(plaintext)%blockSize)
 	ending[0] = 0x80
 	padded := append(plaintext, ending...)
 	return byteutil.RightXor(padded, P)
 }
 func eaxError(err string) error {
 	return errors.New("crypto/eax: " + err)
 }
@@ -0,0 +1,58 @@
 package eax
 // Test vectors from
 // https://web.cs.ucdavis.edu/~rogaway/papers/eax.pdf
 var testVectors = []struct {
 	msg, key, nonce, header, ciphertext string
 }{
 	{"",
 		"233952DEE4D5ED5F9B9C6D6FF80FF478",
 		"62EC67F9C3A4A407FCB2A8C49031A8B3",
 		"6BFB914FD07EAE6B",
 		"E037830E8389F27B025A2D6527E79D01"},
 	{"F7FB",
 		"91945D3F4DCBEE0BF45EF52255F095A4",
 		"BECAF043B0A23D843194BA972C66DEBD",
 		"FA3BFD4806EB53FA",
 		"19DD5C4C9331049D0BDAB0277408F67967E5"},
 	{"1A47CB4933",
 		"01F74AD64077F2E704C0F60ADA3DD523",
 		"70C3DB4F0D26368400A10ED05D2BFF5E",
 		"234A3463C1264AC6",
 		"D851D5BAE03A59F238A23E39199DC9266626C40F80"},
 	{"481C9E39B1",
 		"D07CF6CBB7F313BDDE66B727AFD3C5E8",
 		"8408DFFF3C1A2B1292DC199E46B7D617",
 		"33CCE2EABFF5A79D",
 		"632A9D131AD4C168A4225D8E1FF755939974A7BEDE"},
 	{"40D0C07DA5E4",
 		"35B6D0580005BBC12B0587124557D2C2",
 		"FDB6B06676EEDC5C61D74276E1F8E816",
 		"AEB96EAEBE2970E9",
 		"071DFE16C675CB0677E536F73AFE6A14B74EE49844DD"},
 	{"4DE3B35C3FC039245BD1FB7D",
 		"BD8E6E11475E60B268784C38C62FEB22",
 		"6EAC5C93072D8E8513F750935E46DA1B",
 		"D4482D1CA78DCE0F",
 		"835BB4F15D743E350E728414ABB8644FD6CCB86947C5E10590210A4F"},
 	{"8B0A79306C9CE7ED99DAE4F87F8DD61636",
 		"7C77D6E813BED5AC98BAA417477A2E7D",
 		"1A8C98DCD73D38393B2BF1569DEEFC19",
 		"65D2017990D62528",
 		"02083E3979DA014812F59F11D52630DA30137327D10649B0AA6E1C181DB617D7F2"},
 	{"1BDA122BCE8A8DBAF1877D962B8592DD2D56",
 		"5FFF20CAFAB119CA2FC73549E20F5B0D",
 		"DDE59B97D722156D4D9AFF2BC7559826",
 		"54B9F04E6A09189A",
 		"2EC47B2C4954A489AFC7BA4897EDCDAE8CC33B60450599BD02C96382902AEF7F832A"},
 	{"6CF36720872B8513F6EAB1A8A44438D5EF11",
 		"A4A4782BCFFD3EC5E7EF6D8C34A56123",
 		"B781FCF2F75FA5A8DE97A9CA48E522EC",
 		"899A175897561D7E",
 		"0DE18FD0FDD91E7AF19F1D8EE8733938B1E8E7F6D2231618102FDB7FE55FF1991700"},
 	{"CA40D7446E545FFAED3BD12A740A659FFBBB3CEAB7",
 		"8395FCF1E95BEBD697BD010BC766AAC3",
 		"22E7ADD93CFC6393C57EC0B3C17D6B44",
 		"126735FCC320D25A",
 		"CB8920F87A6C75CFF39627B56E3ED197C552D295A7CFC46AFC253B4652B1AF3795B124AB6E"},
 }
@@ -0,0 +1,131 @@
 // These vectors include key length in {128, 192, 256}, tag size 128, and
 // random nonce, header, and plaintext lengths.
 // This file was automatically generated.
 package eax
 var randomVectors = []struct {
 	key, nonce, header, plaintext, ciphertext string
 }{
 	{"DFDE093F36B0356E5A81F609786982E3",
 		"1D8AC604419001816905BA72B14CED7E",
 		"152A1517A998D7A24163FCDD146DE81AC347C8B97088F502093C1ABB8F6E33D9A219C34D7603A18B1F5ABE02E56661B7D7F67E81EC08C1302EF38D80A859486D450E94A4F26AD9E68EEBBC0C857A0FC5CF9E641D63D565A7E361BC8908F5A8DC8FD6",
 		"1C8EAAB71077FE18B39730A3156ADE29C5EE824C7EE86ED2A253B775603FB237116E654F6FEC588DD27F523A0E01246FE73FE348491F2A8E9ABC6CA58D663F71CDBCF4AD798BE46C42AE6EE8B599DB44A1A48D7BBBBA0F7D2750181E1C5E66967F7D57CBD30AFBDA5727",
 		"79E7E150934BBEBF7013F61C60462A14D8B15AF7A248AFB8A344EF021C1500E16666891D6E973D8BB56B71A371F12CA34660C4410C016982B20F547E3762A58B7BF4F20236CADCF559E2BE7D783B13723B2741FC7CDC8997D839E39A3DDD2BADB96743DD7049F1BDB0516A262869915B3F70498AFB7B191BF960"},
 	{"F10619EF02E5D94D7550EB84ED364A21",
 		"8DC0D4F2F745BBAE835CC5574B942D20",
 		"FE561358F2E8DF7E1024FF1AE9A8D36EBD01352214505CB99D644777A8A1F6027FA2BDBFC529A9B91136D5F2416CFC5F0F4EC3A1AFD32BDDA23CA504C5A5CB451785FABF4DFE4CD50D817491991A60615B30286361C100A95D1712F2A45F8E374461F4CA2B",
 		"D7B5A971FC219631D30EFC3664AE3127D9CF3097DAD9C24AC7905D15E8D9B25B026B31D68CAE00975CDB81EB1FD96FD5E1A12E2BB83FA25F1B1D91363457657FC03875C27F2946C5",
 		"2F336ED42D3CC38FC61660C4CD60BA4BD438B05F5965D8B7B399D2E7167F5D34F792D318F94DB15D67463AC449E13D568CC09BFCE32A35EE3EE96A041927680AE329811811E27F2D1E8E657707AF99BA96D13A478D695D59"},
 	{"429F514EFC64D98A698A9247274CFF45",
 		"976AA5EB072F912D126ACEBC954FEC38",
 		"A71D89DC5B6CEDBB7451A27C3C2CAE09126DB4C421",
 		"5632FE62AB1DC549D54D3BC3FC868ACCEDEFD9ECF5E9F8",
 		"848AE4306CA8C7F416F8707625B7F55881C0AB430353A5C967CDA2DA787F581A70E34DBEBB2385"},
 	{"398138F309085F47F8457CDF53895A63",
 		"F8A8A7F2D28E5FFF7BBC2F24353F7A36",
 		"5D633C21BA7764B8855CAB586F3746E236AD486039C83C6B56EFA9C651D38A41D6B20DAEE3418BFEA44B8BD6",
 		"A3BBAA91920AF5E10659818B1B3B300AC79BFC129C8329E75251F73A66D3AE0128EB91D5031E0A65C329DB7D1E9C0493E268",
 		"D078097267606E5FB07CFB7E2B4B718172A82C6A4CEE65D549A4DFB9838003BD2FBF64A7A66988AC1A632FD88F9E9FBB57C5A78AD2E086EACBA3DB68511D81C2970A"},
 	{"7A4151EBD3901B42CBA45DAFB2E931BA",
 		"0FC88ACEE74DD538040321C330974EB8",
 		"250464FB04733BAB934C59E6AD2D6AE8D662CBCFEFBE61E5A308D4211E58C4C25935B72C69107722E946BFCBF416796600542D76AEB73F2B25BF53BAF97BDEB36ED3A7A51C31E7F170EB897457E7C17571D1BA0A908954E9",
 		"88C41F3EBEC23FAB8A362D969CAC810FAD4F7CA6A7F7D0D44F060F92E37E1183768DD4A8C733F71C96058D362A39876D183B86C103DE",
 		"74A25B2182C51096D48A870D80F18E1CE15867778E34FCBA6BD7BFB3739FDCD42AD0F2D9F4EBA29085285C6048C15BCE5E5166F1F962D3337AA88E6062F05523029D0A7F0BF9"},
 	{"BFB147E1CD5459424F8C0271FC0E0DC5",
 		"EABCC126442BF373969EA3015988CC45",
 		"4C0880E1D71AA2C7",
 		"BE1B5EC78FBF73E7A6682B21BA7E0E5D2D1C7ABE",
 		"5660D7C1380E2F306895B1402CB2D6C37876504276B414D120F4CF92FDDDBB293A238EA0"},
 	{"595DD6F52D18BC2CA8EB4EDAA18D9FA3",
 		"0F84B5D36CF4BC3B863313AF3B4D2E97",
 		"30AE6CC5F99580F12A779D98BD379A60948020C0B6FBD5746B30BA3A15C6CD33DAF376C70A9F15B6C0EB410A93161F7958AE23",
 		"8EF3687A1642B070970B0B91462229D1D76ABC154D18211F7152AA9FF368",
 		"317C1DDB11417E5A9CC4DDE7FDFF6659A5AC4B31DE025212580A05CDAC6024D3E4AE7C2966E52B9129E9ECDBED86"},
 	{"44E6F2DC8FDC778AD007137D11410F50",
 		"270A237AD977F7187AA6C158A0BAB24F",
 		"509B0F0EB12E2AA5C5BA2DE553C07FAF4CE0C9E926531AA709A3D6224FCB783ACCF1559E10B1123EBB7D52E8AB54E6B5352A9ED0D04124BF0E9D9BACFD7E32B817B2E625F5EE94A64EDE9E470DE7FE6886C19B294F9F828209FE257A78",
 		"8B3D7815DF25618A5D0C55A601711881483878F113A12EC36CF64900549A3199555528559DC118F789788A55FAFD944E6E99A9CA3F72F238CD3F4D88223F7A745992B3FAED1848",
 		"1CC00D79F7AD82FDA71B58D286E5F34D0CC4CEF30704E771CC1E50746BDF83E182B078DB27149A42BAE619DF0F85B0B1090AD55D3B4471B0D6F6ECCD09C8F876B30081F0E7537A9624F8AAF29DA85E324122EFB4D68A56"},
 	{"BB7BC352A03044B4428D8DBB4B0701FDEC4649FD17B81452",
 		"8B4BBE26CCD9859DCD84884159D6B0A4",
 		"2212BEB0E78E0F044A86944CF33C8D5C80D9DBE1034BF3BCF73611835C7D3A52F5BD2D81B68FD681B68540A496EE5DA16FD8AC8824E60E1EC2042BE28FB0BFAD4E4B03596446BDD8C37D936D9B3D5295BE19F19CF5ACE1D33A46C952CE4DE5C12F92C1DD051E04AEED",
 		"9037234CC44FFF828FABED3A7084AF40FA7ABFF8E0C0EFB57A1CC361E18FC4FAC1AB54F3ABFE9FF77263ACE16C3A",
 		"A9391B805CCD956081E0B63D282BEA46E7025126F1C1631239C33E92AA6F92CD56E5A4C56F00FF9658E93D48AF4EF0EF81628E34AD4DB0CDAEDCD2A17EE7"},
 	{"99C0AD703196D2F60A74E6B378B838B31F82EA861F06FC4E",
 		"92745C018AA708ECFEB1667E9F3F1B01",
 		"828C69F376C0C0EC651C67749C69577D589EE39E51404D80EBF70C8660A8F5FD375473F4A7C611D59CB546A605D67446CE2AA844135FCD78BB5FBC90222A00D42920BB1D7EEDFB0C4672554F583EF23184F89063CDECBE482367B5F9AF3ACBC3AF61392BD94CBCD9B64677",
 		"A879214658FD0A5B0E09836639BF82E05EC7A5EF71D4701934BDA228435C68AC3D5CEB54997878B06A655EEACEFB1345C15867E7FE6C6423660C8B88DF128EBD6BCD85118DBAE16E9252FFB204324E5C8F38CA97759BDBF3CB0083",
 		"51FE87996F194A2585E438B023B345439EA60D1AEBED4650CDAF48A4D4EEC4FC77DC71CC4B09D3BEEF8B7B7AF716CE2B4EFFB3AC9E6323C18AC35E0AA6E2BBBC8889490EB6226C896B0D105EAB42BFE7053CCF00ED66BA94C1BA09A792AA873F0C3B26C5C5F9A936E57B25"},
 	{"7086816D00D648FB8304AA8C9E552E1B69A9955FB59B25D1",
 		"0F45CF7F0BF31CCEB85D9DA10F4D749F",
 		"93F27C60A417D9F0669E86ACC784FC8917B502DAF30A6338F11B30B94D74FEFE2F8BE1BBE2EAD10FAB7EED3C6F72B7C3ECEE1937C32ED4970A6404E139209C05",
 		"877F046601F3CBE4FB1491943FA29487E738F94B99AF206262A1D6FF856C9AA0B8D4D08A54370C98F8E88FA3DCC2B14C1F76D71B2A4C7963AEE8AF960464C5BEC8357AD00DC8",
 		"FE96906B895CE6A8E72BC72344E2C8BB3C63113D70EAFA26C299BAFE77A8A6568172EB447FB3E86648A0AF3512DEB1AAC0819F3EC553903BF28A9FB0F43411237A774BF9EE03E445D280FBB9CD12B9BAAB6EF5E52691"},
 	{"062F65A896D5BF1401BADFF70E91B458E1F9BD4888CB2E4D",
 		"5B11EA1D6008EBB41CF892FCA5B943D1",
 		"BAF4FF5C8242",
 		"A8870E091238355984EB2F7D61A865B9170F440BFF999A5993DD41A10F4440D21FF948DDA2BF663B2E03AC3324492DC5E40262ECC6A65C07672353BE23E7FB3A9D79FF6AA38D97960905A38DECC312CB6A59E5467ECF06C311CD43ADC0B543EDF34FE8BE611F176460D5627CA51F8F8D9FED71F55C",
 		"B10E127A632172CF8AA7539B140D2C9C2590E6F28C3CB892FC498FCE56A34F732FBFF32E79C7B9747D9094E8635A0C084D6F0247F9768FB5FF83493799A9BEC6C39572120C40E9292C8C947AE8573462A9108C36D9D7112E6995AE5867E6C8BB387D1C5D4BEF524F391B9FD9F0A3B4BFA079E915BCD920185CFD38D114C558928BD7D47877"},
 	{"38A8E45D6D705A11AF58AED5A1344896998EACF359F2E26A",
 		"FD82B5B31804FF47D44199B533D0CF84",
 		"DE454D4E62FE879F2050EE3E25853623D3E9AC52EEC1A1779A48CFAF5ECA0BFDE44749391866D1",
 		"B804",
 		"164BB965C05EBE0931A1A63293EDF9C38C27"},
 	{"34C33C97C6D7A0850DA94D78A58DC61EC717CD7574833068",
 		"343BE00DA9483F05C14F2E9EB8EA6AE8",
 		"78312A43EFDE3CAE34A65796FF059A3FE15304EEA5CF1D9306949FE5BF3349D4977D4EBE76C040FE894C5949E4E4D6681153DA87FB9AC5062063CA2EA183566343362370944CE0362D25FC195E124FD60E8682E665D13F2229DDA3E4B2CB1DCA",
 		"CC11BB284B1153578E4A5ED9D937B869DAF00F5B1960C23455CA9CC43F486A3BE0B66254F1041F04FDF459C8640465B6E1D2CF899A381451E8E7FCB50CF87823BE77E24B132BBEEDC72E53369B275E1D8F49ECE59F4F215230AC4FE133FC80E4F634EE80BA4682B62C86",
 		"E7F703DC31A95E3A4919FF957836CB76C063D81702AEA4703E1C2BF30831E58C4609D626EC6810E12EAA5B930F049FF9EFC22C3E3F1EBD4A1FB285CB02A1AC5AD46B425199FC0A85670A5C4E3DAA9636C8F64C199F42F18AAC8EA7457FD377F322DD7752D7D01B946C8F0A97E6113F0D50106F319AFD291AAACE"},
 	{"C6ECF7F053573E403E61B83052A343D93CBCC179D1E835BE",
 		"E280E13D7367042E3AA09A80111B6184",
 		"21486C9D7A9647",
 		"5F2639AFA6F17931853791CD8C92382BBB677FD72D0AB1A080D0E49BFAA21810E963E4FACD422E92F65CBFAD5884A60CD94740DF31AF02F95AA57DA0C4401B0ED906",
 		"5C51DB20755302070C45F52E50128A67C8B2E4ED0EACB7E29998CCE2E8C289DD5655913EC1A51CC3AABE5CDC2402B2BE7D6D4BF6945F266FBD70BA9F37109067157AE7530678B45F64475D4EBFCB5FFF46A5"},
 	{"5EC6CF7401BC57B18EF154E8C38ACCA8959E57D2F3975FF5",
 		"656B41CB3F9CF8C08BAD7EBFC80BD225",
 		"6B817C2906E2AF425861A7EF59BA5801F143EE2A139EE72697CDE168B4",
 		"2C0E1DDC9B1E5389BA63845B18B1F8A1DB062037151BCC56EF7C21C0BB4DAE366636BBA975685D7CC5A94AFBE89C769016388C56FB7B57CE750A12B718A8BDCF70E80E8659A8330EFC8F86640F21735E8C80E23FE43ABF23507CE3F964AE4EC99D",
 		"ED780CF911E6D1AA8C979B889B0B9DC1ABE261832980BDBFB576901D9EF5AB8048998E31A15BE54B3E5845A4D136AD24D0BDA1C3006168DF2F8AC06729CB0818867398150020131D8F04EDF1923758C9EABB5F735DE5EA1758D4BC0ACFCA98AFD202E9839B8720253693B874C65586C6F0"},
 	{"C92F678EB2208662F5BCF3403EC05F5961E957908A3E79421E1D25FC19054153",
 		"DA0F3A40983D92F2D4C01FED33C7A192",
 		"2B6E9D26DB406A0FAB47608657AA10EFC2B4AA5F459B29FF85AC9A40BFFE7AEB04F77E9A11FAAA116D7F6D4DA417671A9AB02C588E0EF59CB1BFB4B1CC931B63A3B3A159FCEC97A04D1E6F0C7E6A9CEF6B0ABB04758A69F1FE754DF4C2610E8C46B6CF413BDB31351D55BEDCB7B4A13A1C98E10984475E0F2F957853",
 		"F37326A80E08",
 		"83519E53E321D334F7C10B568183775C0E9AAE55F806"},
 	{"6847E0491BE57E72995D186D50094B0B3593957A5146798FCE68B287B2FB37B5",
 		"3EE1182AEBB19A02B128F28E1D5F7F99",
 		"D9F35ABB16D776CE",
 		"DB7566ED8EA95BDF837F23DB277BAFBC5E70D1105ADFD0D9EF15475051B1EF94709C67DCA9F8D5",
 		"2CDCED0C9EBD6E2A508822A685F7DCD1CDD99E7A5FCA786C234E7F7F1D27EC49751AD5DCFA30C5EDA87C43CAE3B919B6BBCFE34C8EDA59"},
 	{"82B019673642C08388D3E42075A4D5D587558C229E4AB8F660E37650C4C41A0A",
 		"336F5D681E0410FAE7B607246092C6DC",
 		"D430CBD8FE435B64214E9E9CDC5DE99D31CFCFB8C10AA0587A49DF276611",
 		"998404153AD77003E1737EDE93ED79859EE6DCCA93CB40C4363AA817ABF2DBBD46E42A14A7183B6CC01E12A577888141363D0AE011EB6E8D28C0B235",
 		"9BEF69EEB60BD3D6065707B7557F25292A8872857CFBD24F2F3C088E4450995333088DA50FD9121221C504DF1D0CD5EFE6A12666C5D5BB12282CF4C19906E9CFAB97E9BDF7F49DC17CFC384B"},
 	{"747B2E269B1859F0622C15C8BAD6A725028B1F94B8DB7326948D1E6ED663A8BC",
 		"AB91F7245DDCE3F1C747872D47BE0A8A",
 		"3B03F786EF1DDD76E1D42646DA4CD2A5165DC5383CE86D1A0B5F13F910DC278A4E451EE0192CBA178E13B3BA27FDC7840DF73D2E104B",
 		"6B803F4701114F3E5FE21718845F8416F70F626303F545BE197189E0A2BA396F37CE06D389EB2658BC7D56D67868708F6D0D32",
 		"1570DDB0BCE75AA25D1957A287A2C36B1A5F2270186DA81BA6112B7F43B0F3D1D0ED072591DCF1F1C99BBB25621FC39B896FF9BD9413A2845363A9DCD310C32CF98E57"},
 	{"02E59853FB29AEDA0FE1C5F19180AD99A12FF2F144670BB2B8BADF09AD812E0A",
 		"C691294EF67CD04D1B9242AF83DD1421",
 		"879334DAE3",
 		"1E17F46A98FEF5CBB40759D95354",
 		"FED8C3FF27DDF6313AED444A2985B36CBA268AAD6AAC563C0BA28F6DB5DB"},
 	{"F6C1FB9B4188F2288FF03BD716023198C3582CF2A037FC2F29760916C2B7FCDB",
 		"4228DA0678CA3534588859E77DFF014C",
 		"D8153CAF35539A61DD8D05B3C9B44F01E564FB9348BCD09A1C23B84195171308861058F0A3CD2A55B912A3AAEE06FF4D356C77275828F2157C2FC7C115DA39E443210CCC56BEDB0CC99BBFB227ABD5CC454F4E7F547C7378A659EEB6A7E809101A84F866503CB18D4484E1FA09B3EC7FC75EB2E35270800AA7",
 		"23B660A779AD285704B12EC1C580387A47BEC7B00D452C6570",
 		"5AA642BBABA8E49849002A2FAF31DB8FC7773EFDD656E469CEC19B3206D4174C9A263D0A05484261F6"},
 	{"8FF6086F1FADB9A3FBE245EAC52640C43B39D43F89526BB5A6EBA47710931446",
 		"943188480C99437495958B0AE4831AA9",
 		"AD5CD0BDA426F6EBA23C8EB23DC73FF9FEC173355EDBD6C9344C4C4383F211888F7CE6B29899A6801DF6B38651A7C77150941A",
 		"80CD5EA8D7F81DDF5070B934937912E8F541A5301877528EB41AB60C020968D459960ED8FB73083329841A",
 		"ABAE8EB7F36FCA2362551E72DAC890BA1BB6794797E0FC3B67426EC9372726ED4725D379EA0AC9147E48DCD0005C502863C2C5358A38817C8264B5"},
 	{"A083B54E6B1FE01B65D42FCD248F97BB477A41462BBFE6FD591006C022C8FD84",
 		"B0490F5BD68A52459556B3749ACDF40E",
 		"8892E047DA5CFBBDF7F3CFCBD1BD21C6D4C80774B1826999234394BD3E513CC7C222BB40E1E3140A152F19B3802F0D036C24A590512AD0E8",
 		"D7B15752789DC94ED0F36778A5C7BBB207BEC32BAC66E702B39966F06E381E090C6757653C3D26A81EC6AD6C364D66867A334C91BB0B8A8A4B6EACDF0783D09010AEBA2DD2062308FE99CC1F",
 		"C071280A732ADC93DF272BF1E613B2BB7D46FC6665EF2DC1671F3E211D6BDE1D6ADDD28DF3AA2E47053FC8BB8AE9271EC8BC8B2CFFA320D225B451685B6D23ACEFDD241FE284F8ADC8DB07F456985B14330BBB66E0FB212213E05B3E"},
 }
@@ -0,0 +1,90 @@
 // Copyright (C) 2019 ProtonTech AG
 // This file contains necessary tools for the aex and ocb packages.
 //
 // These functions SHOULD NOT be used elsewhere, since they are optimized for
 // specific input nature in the EAX and OCB modes of operation.
 package byteutil
 // GfnDouble computes 2 * input in the field of 2^n elements.
 // The irreducible polynomial in the finite field for n=128 is
 // x^128 + x^7 + x^2 + x + 1 (equals 0x87)
 // Constant-time execution in order to avoid side-channel attacks
 func GfnDouble(input []byte) []byte {
 	if len(input) != 16 {
 		panic("Doubling in GFn only implemented for n = 128")
 	}
 	// If the first bit is zero, return 2L = L << 1
 	// Else return (L << 1) xor 0^120 10000111
 	shifted := ShiftBytesLeft(input)
 	shifted[15] ^= ((input[0] >> 7) * 0x87)
 	return shifted
 }
 // ShiftBytesLeft outputs the byte array corresponding to x << 1 in binary.
 func ShiftBytesLeft(x []byte) []byte {
 	l := len(x)
 	dst := make([]byte, l)
 	for i := 0; i < l-1; i++ {
 		dst[i] = (x[i] << 1) | (x[i+1] >> 7)
 	}
 	dst[l-1] = x[l-1] << 1
 	return dst
 }
 // ShiftNBytesLeft puts in dst the byte array corresponding to x << n in binary.
 func ShiftNBytesLeft(dst, x []byte, n int) {
 	// Erase first n / 8 bytes
 	copy(dst, x[n/8:])
 	// Shift the remaining n % 8 bits
 	bits := uint(n % 8)
 	l := len(dst)
 	for i := 0; i < l-1; i++ {
 		dst[i] = (dst[i] << bits) | (dst[i+1] >> uint(8-bits))
 	}
 	dst[l-1] = dst[l-1] << bits
 	// Append trailing zeroes
 	dst = append(dst, make([]byte, n/8)...)
 }
 // XorBytesMut replaces X with X XOR Y. len(X) must be >= len(Y).
 func XorBytesMut(X, Y []byte) {
 	for i := 0; i < len(Y); i++ {
 		X[i] ^= Y[i]
 	}
 }
 // XorBytes puts X XOR Y into Z. len(Z) and len(X) must be >= len(Y).
 func XorBytes(Z, X, Y []byte) {
 	for i := 0; i < len(Y); i++ {
 		Z[i] = X[i] ^ Y[i]
 	}
 }
 // RightXor XORs smaller input (assumed Y) at the right of the larger input (assumed X)
 func RightXor(X, Y []byte) []byte {
 	offset := len(X) - len(Y)
 	xored := make([]byte, len(X))
 	copy(xored, X)
 	for i := 0; i < len(Y); i++ {
 		xored[offset+i] ^= Y[i]
 	}
 	return xored
 }
 // SliceForAppend takes a slice and a requested number of bytes. It returns a
 // slice with the contents of the given slice followed by that many bytes and a
 // second slice that aliases into it and contains only the extra bytes. If the
 // original slice has sufficient capacity then no allocation is performed.
 func SliceForAppend(in []byte, n int) (head, tail []byte) {
 	if total := len(in) + n; cap(in) >= total {
 		head = in[:total]
 	} else {
 		head = make([]byte, total)
 		copy(head, in)
 	}
 	tail = head[len(in):]
 	return
 }
@@ -0,0 +1,313 @@
 // Copyright (C) 2019 ProtonTech AG
 // Package ocb provides an implementation of the OCB (offset codebook) mode of
 // operation, as described in RFC-7253 of the IRTF and in Rogaway, Bellare,
 // Black and Krovetz - OCB: A BLOCK-CIPHER MODE OF OPERATION FOR EFFICIENT
 // AUTHENTICATED ENCRYPTION (2003).
 // Security considerations (from RFC-7253): A private key MUST NOT be used to
 // encrypt more than 2^48 blocks. Tag length should be at least 12 bytes (a
 // brute-force forging adversary succeeds after 2^{tag length} attempts). A
 // single key SHOULD NOT be used to decrypt ciphertext with different tag
 // lengths. Nonces need not be secret, but MUST NOT be reused.
 // This package only supports underlying block ciphers with 128-bit blocks,
 // such as AES-{128, 192, 256}, but may be extended to other sizes.
 package ocb
 import (
 	"bytes"
 	"crypto/cipher"
 	"crypto/subtle"
 	"errors"
 	"math/bits"
 	"github.com/ProtonMail/go-crypto/internal/byteutil"
 )
 type ocb struct {
 	block     cipher.Block
 	tagSize   int
 	nonceSize int
 	mask      mask
 	// Optimized en/decrypt: For each nonce N used to en/decrypt, the 'Ktop'
 	// internal variable can be reused for en/decrypting with nonces sharing
 	// all but the last 6 bits with N. The prefix of the first nonce used to
 	// compute the new Ktop, and the Ktop value itself, are stored in
 	// reusableKtop. If using incremental nonces, this saves one block cipher
 	// call every 63 out of 64 OCB encryptions, and stores one nonce and one
 	// output of the block cipher in memory only.
 	reusableKtop reusableKtop
 }
 type mask struct {
 	// L_*, L_$, (L_i)_{i ∈ N}
 	lAst []byte
 	lDol []byte
 	L    [][]byte
 }
 type reusableKtop struct {
 	noncePrefix []byte
 	Ktop        []byte
 }
 const (
 	defaultTagSize   = 16
 	defaultNonceSize = 15
 )
 const (
 	enc = iota
 	dec
 )
 func (o *ocb) NonceSize() int {
 	return o.nonceSize
 }
 func (o *ocb) Overhead() int {
 	return o.tagSize
 }
 // NewOCB returns an OCB instance with the given block cipher and default
 // tag and nonce sizes.
 func NewOCB(block cipher.Block) (cipher.AEAD, error) {
 	return NewOCBWithNonceAndTagSize(block, defaultNonceSize, defaultTagSize)
 }
 // NewOCBWithNonceAndTagSize returns an OCB instance with the given block
 // cipher, nonce length, and tag length. Panics on zero nonceSize and
 // exceedingly long tag size.
 //
 // It is recommended to use at least 12 bytes as tag length.
 func NewOCBWithNonceAndTagSize(
 	block cipher.Block, nonceSize, tagSize int) (cipher.AEAD, error) {
 	if block.BlockSize() != 16 {
 		return nil, ocbError("Block cipher must have 128-bit blocks")
 	}
 	if nonceSize < 1 {
 		return nil, ocbError("Incorrect nonce length")
 	}
 	if nonceSize >= block.BlockSize() {
 		return nil, ocbError("Nonce length exceeds blocksize - 1")
 	}
 	if tagSize > block.BlockSize() {
 		return nil, ocbError("Custom tag length exceeds blocksize")
 	}
 	return &ocb{
 		block:     block,
 		tagSize:   tagSize,
 		nonceSize: nonceSize,
 		mask:      initializeMaskTable(block),
 		reusableKtop: reusableKtop{
 			noncePrefix: nil,
 			Ktop:        nil,
 		},
 	}, nil
 }
 func (o *ocb) Seal(dst, nonce, plaintext, adata []byte) []byte {
 	if len(nonce) > o.nonceSize {
 		panic("crypto/ocb: Incorrect nonce length given to OCB")
 	}
 	sep := len(plaintext)
 	ret, out := byteutil.SliceForAppend(dst, sep+o.tagSize)
 	tag := o.crypt(enc, out[:sep], nonce, adata, plaintext)
 	copy(out[sep:], tag)
 	return ret
 }
 func (o *ocb) Open(dst, nonce, ciphertext, adata []byte) ([]byte, error) {
 	if len(nonce) > o.nonceSize {
 		panic("Nonce too long for this instance")
 	}
 	if len(ciphertext) < o.tagSize {
 		return nil, ocbError("Ciphertext shorter than tag length")
 	}
 	sep := len(ciphertext) - o.tagSize
 	ret, out := byteutil.SliceForAppend(dst, sep)
 	ciphertextData := ciphertext[:sep]
 	tag := o.crypt(dec, out, nonce, adata, ciphertextData)
 	if subtle.ConstantTimeCompare(tag, ciphertext[sep:]) == 1 {
 		return ret, nil
 	}
 	for i := range out {
 		out[i] = 0
 	}
 	return nil, ocbError("Tag authentication failed")
 }
 // On instruction enc (resp. dec), crypt is the encrypt (resp. decrypt)
 // function. It writes the resulting plain/ciphertext into Y and returns
 // the tag.
 func (o *ocb) crypt(instruction int, Y, nonce, adata, X []byte) []byte {
 	//
 	// Consider X as a sequence of 128-bit blocks
 	//
 	// Note: For encryption (resp. decryption), X is the plaintext (resp., the
 	// ciphertext without the tag).
 	blockSize := o.block.BlockSize()
 	//
 	// Nonce-dependent and per-encryption variables
 	//
 	// Zero out the last 6 bits of the nonce into truncatedNonce to see if Ktop
 	// is already computed.
 	truncatedNonce := make([]byte, len(nonce))
 	copy(truncatedNonce, nonce)
 	truncatedNonce[len(truncatedNonce)-1] &= 192
 	var Ktop []byte
 	if bytes.Equal(truncatedNonce, o.reusableKtop.noncePrefix) {
 		Ktop = o.reusableKtop.Ktop
 	} else {
 		// Nonce = num2str(TAGLEN mod 128, 7) || zeros(120 - bitlen(N)) || 1 || N
 		paddedNonce := append(make([]byte, blockSize-1-len(nonce)), 1)
 		paddedNonce = append(paddedNonce, truncatedNonce...)
 		paddedNonce[0] |= byte(((8 * o.tagSize) % (8 * blockSize)) << 1)
 		// Last 6 bits of paddedNonce are already zero. Encrypt into Ktop
 		paddedNonce[blockSize-1] &= 192
 		Ktop = paddedNonce
 		o.block.Encrypt(Ktop, Ktop)
 		o.reusableKtop.noncePrefix = truncatedNonce
 		o.reusableKtop.Ktop = Ktop
 	}
 	// Stretch = Ktop || ((lower half of Ktop) XOR (lower half of Ktop << 8))
 	xorHalves := make([]byte, blockSize/2)
 	byteutil.XorBytes(xorHalves, Ktop[:blockSize/2], Ktop[1:1+blockSize/2])
 	stretch := append(Ktop, xorHalves...)
 	bottom := int(nonce[len(nonce)-1] & 63)
 	offset := make([]byte, len(stretch))
 	byteutil.ShiftNBytesLeft(offset, stretch, bottom)
 	offset = offset[:blockSize]
 	//
 	// Process any whole blocks
 	//
 	// Note: For encryption Y is ciphertext || tag, for decryption Y is
 	// plaintext || tag.
 	checksum := make([]byte, blockSize)
 	m := len(X) / blockSize
 	for i := 0; i < m; i++ {
 		index := bits.TrailingZeros(uint(i + 1))
 		if len(o.mask.L)-1 < index {
 			o.mask.extendTable(index)
 		}
 		byteutil.XorBytesMut(offset, o.mask.L[bits.TrailingZeros(uint(i+1))])
 		blockX := X[i*blockSize : (i+1)*blockSize]
 		blockY := Y[i*blockSize : (i+1)*blockSize]
 		switch instruction {
 		case enc:
 			byteutil.XorBytesMut(checksum, blockX)
 			byteutil.XorBytes(blockY, blockX, offset)
 			o.block.Encrypt(blockY, blockY)
 			byteutil.XorBytesMut(blockY, offset)
 		case dec:
 			byteutil.XorBytes(blockY, blockX, offset)
 			o.block.Decrypt(blockY, blockY)
 			byteutil.XorBytesMut(blockY, offset)
 			byteutil.XorBytesMut(checksum, blockY)
 		}
 	}
 	//
 	// Process any final partial block and compute raw tag
 	//
 	tag := make([]byte, blockSize)
 	if len(X)%blockSize != 0 {
 		byteutil.XorBytesMut(offset, o.mask.lAst)
 		pad := make([]byte, blockSize)
 		o.block.Encrypt(pad, offset)
 		chunkX := X[blockSize*m:]
 		chunkY := Y[blockSize*m : len(X)]
 		switch instruction {
 		case enc:
 			byteutil.XorBytesMut(checksum, chunkX)
 			checksum[len(chunkX)] ^= 128
 			byteutil.XorBytes(chunkY, chunkX, pad[:len(chunkX)])
 			// P_* || bit(1) || zeroes(127) - len(P_*)
 		case dec:
 			byteutil.XorBytes(chunkY, chunkX, pad[:len(chunkX)])
 			// P_* || bit(1) || zeroes(127) - len(P_*)
 			byteutil.XorBytesMut(checksum, chunkY)
 			checksum[len(chunkY)] ^= 128
 		}
 	}
 	byteutil.XorBytes(tag, checksum, offset)
 	byteutil.XorBytesMut(tag, o.mask.lDol)
 	o.block.Encrypt(tag, tag)
 	byteutil.XorBytesMut(tag, o.hash(adata))
 	return tag[:o.tagSize]
 }
 // This hash function is used to compute the tag. Per design, on empty input it
 // returns a slice of zeros, of the same length as the underlying block cipher
 // block size.
 func (o *ocb) hash(adata []byte) []byte {
 	//
 	// Consider A as a sequence of 128-bit blocks
 	//
 	A := make([]byte, len(adata))
 	copy(A, adata)
 	blockSize := o.block.BlockSize()
 	//
 	// Process any whole blocks
 	//
 	sum := make([]byte, blockSize)
 	offset := make([]byte, blockSize)
 	m := len(A) / blockSize
 	for i := 0; i < m; i++ {
 		chunk := A[blockSize*i : blockSize*(i+1)]
 		index := bits.TrailingZeros(uint(i + 1))
 		// If the mask table is too short
 		if len(o.mask.L)-1 < index {
 			o.mask.extendTable(index)
 		}
 		byteutil.XorBytesMut(offset, o.mask.L[index])
 		byteutil.XorBytesMut(chunk, offset)
 		o.block.Encrypt(chunk, chunk)
 		byteutil.XorBytesMut(sum, chunk)
 	}
 	//
 	// Process any final partial block; compute final hash value
 	//
 	if len(A)%blockSize != 0 {
 		byteutil.XorBytesMut(offset, o.mask.lAst)
 		// Pad block with 1 || 0 ^ 127 - bitlength(a)
 		ending := make([]byte, blockSize-len(A)%blockSize)
 		ending[0] = 0x80
 		encrypted := append(A[blockSize*m:], ending...)
 		byteutil.XorBytesMut(encrypted, offset)
 		o.block.Encrypt(encrypted, encrypted)
 		byteutil.XorBytesMut(sum, encrypted)
 	}
 	return sum
 }
 func initializeMaskTable(block cipher.Block) mask {
 	//
 	// Key-dependent variables
 	//
 	lAst := make([]byte, block.BlockSize())
 	block.Encrypt(lAst, lAst)
 	lDol := byteutil.GfnDouble(lAst)
 	L := make([][]byte, 1)
 	L[0] = byteutil.GfnDouble(lDol)
 	return mask{
 		lAst: lAst,
 		lDol: lDol,
 		L:    L,
 	}
 }
 // Extends the L array of mask m up to L[limit], with L[i] = GfnDouble(L[i-1])
 func (m *mask) extendTable(limit int) {
 	for i := len(m.L); i <= limit; i++ {
 		m.L = append(m.L, byteutil.GfnDouble(m.L[i-1]))
 	}
 }
 func ocbError(err string) error {
 	return errors.New("crypto/ocb: " + err)
 }
@@ -0,0 +1,136 @@
 // In the test vectors provided by RFC 7253, the "bottom"
 // internal variable, which defines "offset" for the first time, does not
 // exceed 15. However, it can attain values up to 63.
 // These vectors include key length in {128, 192, 256}, tag size 128, and
 // random nonce, header, and plaintext lengths.
 // This file was automatically generated.
 package ocb
 var randomVectors = []struct {
 	key, nonce, header, plaintext, ciphertext string
 }{
 	{"9438C5D599308EAF13F800D2D31EA7F0",
 		"C38EE4801BEBFFA1CD8635BE",
 		"0E507B7DADD8A98CDFE272D3CB6B3E8332B56AE583FB049C0874D4200BED16BD1A044182434E9DA0E841F182DFD5B3016B34641CED0784F1745F63AB3D0DA22D3351C9EF9A658B8081E24498EBF61FCE40DA6D8E184536",
 		"962D227786FB8913A8BAD5DC3250",
 		"EEDEF5FFA5986D1E3BF86DDD33EF9ADC79DCA06E215FA772CCBA814F63AD"},
 	{"BA7DE631C7D6712167C6724F5B9A2B1D",
 		"35263EBDA05765DC0E71F1F5",
 		"0103257B4224507C0242FEFE821EA7FA42E0A82863E5F8B68F7D881B4B44FA428A2B6B21D2F591260802D8AB6D83",
 		"9D6D1FC93AE8A64E7889B7B2E3521EFA9B920A8DDB692E6F833DDC4A38AFA535E5E2A3ED82CB7E26404AB86C54D01C4668F28398C2DF33D5D561CBA1C8DCFA7A912F5048E545B59483C0E3221F54B14DAA2E4EB657B3BEF9554F34CAD69B2724AE962D3D8A",
 		"E93852D1985C5E775655E937FA79CE5BF28A585F2AF53A5018853B9634BE3C84499AC0081918FDCE0624494D60E25F76ACD6853AC7576E3C350F332249BFCABD4E73CEABC36BE4EDDA40914E598AE74174A0D7442149B26990899491BDDFE8FC54D6C18E83AE9E9A6FFBF5D376565633862EEAD88D"},
 	{"2E74B25289F6FD3E578C24866E9C72A5",
 		"FD912F15025AF8414642BA1D1D",
 		"FB5FB8C26F365EEDAB5FE260C6E3CCD27806729C8335F146063A7F9EA93290E56CF84576EB446350D22AD730547C267B1F0BBB97EB34E1E2C41A",
 		"6C092EBF78F76EE8C1C6E592277D9545BA16EDB67BC7D8480B9827702DC2F8A129E2B08A2CE710CA7E1DA45CE162BB6CD4B512E632116E2211D3C90871EFB06B8D4B902681C7FB",
 		"6AC0A77F26531BF4F354A1737F99E49BE32ECD909A7A71AD69352906F54B08A9CE9B8CA5D724CBFFC5673437F23F630697F3B84117A1431D6FA8CC13A974FB4AD360300522E09511B99E71065D5AC4BBCB1D791E864EF4"},
 	{"E7EC507C802528F790AFF5303A017B17",
 		"4B97A7A568940A9E3CE7A99E93031E",
 		"28349BDC5A09390C480F9B8AA3EDEA3DDB8B9D64BCA322C570B8225DF0E31190DAB25A4014BA39519E02ABFB12B89AA28BBFD29E486E7FB28734258C817B63CED9912DBAFEBB93E2798AB2890DE3B0ACFCFF906AB15563EF7823CE83D27CDB251195E22BD1337BCBDE65E7C2C427321C463C2777BFE5AEAA",
 		"9455B3EA706B74",
 		"7F33BA3EA848D48A96B9530E26888F43EBD4463C9399B6"},
 	{"6C928AA3224736F28EE7378DE0090191",
 		"8936138E2E4C6A13280017A1622D",
 		"6202717F2631565BDCDC57C6584543E72A7C8BD444D0D108ED35069819633C",
 		"DA0691439E5F035F3E455269D14FE5C201C8C9B0A3FE2D3F86BCC59387C868FE65733D388360B31E3CE28B4BF6A8BE636706B536D5720DB66B47CF1C7A5AFD6F61E0EF90F1726D6B0E169F9A768B2B7AE4EE00A17F630AC905FCAAA1B707FFF25B3A1AAE83B504837C64A5639B2A34002B300EC035C9B43654DA55",
 		"B8804D182AB0F0EEB464FA7BD1329AD6154F982013F3765FEDFE09E26DAC078C9C1439BFC1159D6C02A25E3FF83EF852570117B315852AD5EE20E0FA3AA0A626B0E43BC0CEA38B44579DD36803455FB46989B90E6D229F513FD727AF8372517E9488384C515D6067704119C931299A0982EDDFB9C2E86A90C450C077EB222511EC9CCABC9FCFDB19F70088"},
 	{"ECEA315CA4B3F425B0C9957A17805EA4",
 		"664CDAE18403F4F9BA13015A44FC",
 		"642AFB090D6C6DB46783F08B01A3EF2A8FEB5736B531EAC226E7888FCC8505F396818F83105065FACB3267485B9E5E4A0261F621041C08FCCB2A809A49AB5252A91D0971BCC620B9D614BD77E57A0EED2FA5",
 		"6852C31F8083E20E364CEA21BB7854D67CEE812FE1C9ED2425C0932A90D3780728D1BB",
 		"2ECEF962A9695A463ADABB275BDA9FF8B2BA57AEC2F52EFFB700CD9271A74D2A011C24AEA946051BD6291776429B7E681BA33E"},
 	{"4EE616C4A58AAA380878F71A373461F6",
 		"91B8C9C176D9C385E9C47E52",
 		"CDA440B7F9762C572A718AC754EDEECC119E5EE0CCB9FEA4FFB22EEE75087C032EBF3DA9CDD8A28CC010B99ED45143B41A4BA50EA2A005473F89639237838867A57F23B0F0ED3BF22490E4501DAC9C658A9B9F",
 		"D6E645FA9AE410D15B8123FD757FA356A8DBE9258DDB5BE88832E615910993F497EC",
 		"B70ED7BF959FB2AAED4F36174A2A99BFB16992C8CDF369C782C4DB9C73DE78C5DB8E0615F647243B97ACDB24503BC9CADC48"},
 	{"DCD475773136C830D5E3D0C5FE05B7FF",
 		"BB8E1FBB483BE7616A922C4A",
 		"36FEF2E1CB29E76A6EA663FC3AF66ECD7404F466382F7B040AABED62293302B56E8783EF7EBC21B4A16C3E78A7483A0A403F253A2CDC5BBF79DC3DAE6C73F39A961D8FBBE8D41B",
 		"441E886EA38322B2437ECA7DEB5282518865A66780A454E510878E61BFEC3106A3CD93D2A02052E6F9E1832F9791053E3B76BF4C07EFDD6D4106E3027FABB752E60C1AA425416A87D53938163817A1051EBA1D1DEEB4B9B25C7E97368B52E5911A31810B0EC5AF547559B6142D9F4C4A6EF24A4CF75271BF9D48F62B",
 		"1BE4DD2F4E25A6512C2CC71D24BBB07368589A94C2714962CD0ACE5605688F06342587521E75F0ACAFFD86212FB5C34327D238DB36CF2B787794B9A4412E7CD1410EA5DDD2450C265F29CF96013CD213FD2880657694D718558964BC189B4A84AFCF47EB012935483052399DBA5B088B0A0477F20DFE0E85DCB735E21F22A439FB837DD365A93116D063E607"},
 	{"3FBA2B3D30177FFE15C1C59ED2148BB2C091F5615FBA7C07",
 		"FACF804A4BEBF998505FF9DE",
 		"8213B9263B2971A5BDA18DBD02208EE1",
 		"15B323926993B326EA19F892D704439FC478828322AF72118748284A1FD8A6D814E641F70512FD706980337379F31DC63355974738D7FEA87AD2858C0C2EBBFBE74371C21450072373C7B651B334D7C4D43260B9D7CCD3AF9EDB",
 		"6D35DC1469B26E6AAB26272A41B46916397C24C485B61162E640A062D9275BC33DDCFD3D9E1A53B6C8F51AC89B66A41D59B3574197A40D9B6DCF8A4E2A001409C8112F16B9C389E0096179DB914E05D6D11ED0005AD17E1CE105A2F0BAB8F6B1540DEB968B7A5428FF44"},
 	{"53B52B8D4D748BCDF1DDE68857832FA46227FA6E2F32EFA1",
 		"0B0EF53D4606B28D1398355F",
 		"F23882436349094AF98BCACA8218E81581A043B19009E28EFBF2DE37883E04864148CC01D240552CA8844EC1456F42034653067DA67E80F87105FD06E14FF771246C9612867BE4D215F6D761",
 		"F15030679BD4088D42CAC9BF2E9606EAD4798782FA3ED8C57EBE7F84A53236F51B25967C6489D0CD20C9EEA752F9BC",
 		"67B96E2D67C3729C96DAEAEDF821D61C17E648643A2134C5621FEC621186915AD80864BFD1EB5B238BF526A679385E012A457F583AFA78134242E9D9C1B4E4"},
 	{"0272DD80F23399F49BFC320381A5CD8225867245A49A7D41",
 		"5C83F4896D0738E1366B1836",
 		"69B0337289B19F73A12BAEEA857CCAF396C11113715D9500CCCF48BA08CFF12BC8B4BADB3084E63B85719DB5058FA7C2C11DEB096D7943CFA7CAF5",
 		"C01AD10FC8B562CD17C7BC2FAB3E26CBDFF8D7F4DEA816794BBCC12336991712972F52816AABAB244EB43B0137E2BAC1DD413CE79531E78BEF782E6B439612BB3AEF154DE3502784F287958EBC159419F9EBA27916A28D6307324129F506B1DE80C1755A929F87",
 		"FEFE52DD7159C8DD6E8EC2D3D3C0F37AB6CB471A75A071D17EC4ACDD8F3AA4D7D4F7BB559F3C09099E3D9003E5E8AA1F556B79CECDE66F85B08FA5955E6976BF2695EA076388A62D2AD5BAB7CBF1A7F3F4C8D5CDF37CDE99BD3E30B685D9E5EEE48C7C89118EF4878EB89747F28271FA2CC45F8E9E7601"},
 	{"3EEAED04A455D6E5E5AB53CFD5AFD2F2BC625C7BF4BE49A5",
 		"36B88F63ADBB5668588181D774",
 		"D367E3CB3703E762D23C6533188EF7028EFF9D935A3977150361997EC9DEAF1E4794BDE26AA8B53C124980B1362EC86FCDDFC7A90073171C1BAEE351A53234B86C66E8AB92FAE99EC6967A6D3428892D80",
 		"573454C719A9A55E04437BF7CBAAF27563CCCD92ADD5E515CD63305DFF0687E5EEF790C5DCA5C0033E9AB129505E2775438D92B38F08F3B0356BA142C6F694",
 		"E9F79A5B432D9E682C9AAA5661CFC2E49A0FCB81A431E54B42EB73DD3BED3F377FEC556ABA81624BA64A5D739AD41467460088F8D4F442180A9382CA635745473794C382FCDDC49BA4EB6D8A44AE3C"},
 	{"B695C691538F8CBD60F039D0E28894E3693CC7C36D92D79D",
 		"BC099AEB637361BAC536B57618",
 		"BFFF1A65AE38D1DC142C71637319F5F6508E2CB33C9DCB94202B359ED5A5ED8042E7F4F09231D32A7242976677E6F4C549BF65FADC99E5AF43F7A46FD95E16C2",
 		"081DF3FD85B415D803F0BE5AC58CFF0023FDDED99788296C3731D8",
 		"E50C64E3614D94FE69C47092E46ACC9957C6FEA2CCBF96BC62FBABE7424753C75F9C147C42AE26FE171531"},
 	{"C9ACBD2718F0689A1BE9802A551B6B8D9CF5614DAF5E65ED",
 		"B1B0AAF373B8B026EB80422051D8",
 		"6648C0E61AC733C76119D23FB24548D637751387AA2EAE9D80E912B7BD486CAAD9EAF4D7A5FE2B54AAD481E8EC94BB4D558000896E2010462B70C9FED1E7273080D1",
 		"189F591F6CB6D59AFEDD14C341741A8F1037DC0DF00FC57CE65C30F49E860255CEA5DC6019380CC0FE8880BC1A9E685F41C239C38F36E3F2A1388865C5C311059C0A",
 		"922A5E949B61D03BE34AB5F4E58607D4504EA14017BB363DAE3C873059EA7A1C77A746FB78981671D26C2CF6D9F24952D510044CE02A10177E9DB42D0145211DFE6E84369C5E3BC2669EAB4147B2822895F9"},
 	{"7A832BD2CF5BF4919F353CE2A8C86A5E406DA2D52BE16A72",
 		"2F2F17CECF7E5A756D10785A3CB9DB",
 		"61DA05E3788CC2D8405DBA70C7A28E5AF699863C9F72E6C6770126929F5D6FA267F005EBCF49495CB46400958A3AE80D1289D1C671",
 		"44E91121195A41AF14E8CFDBD39A4B517BE0DF1A72977ED8A3EEF8EEDA1166B2EB6DB2C4AE2E74FA0F0C74537F659BFBD141E5DDEC67E64EDA85AABD3F52C85A785B9FB3CECD70E7DF",
 		"BEDF596EA21288D2B84901E188F6EE1468B14D5161D3802DBFE00D60203A24E2AB62714BF272A45551489838C3A7FEAADC177B591836E73684867CCF4E12901DCF2064058726BBA554E84ADC5136F507E961188D4AF06943D3"},
 	{"1508E8AE9079AA15F1CEC4F776B4D11BCCB061B58AA56C18",
 		"BCA625674F41D1E3AB47672DC0C3",
 		"8B12CF84F16360F0EAD2A41BC021530FFCEC7F3579CAE658E10E2D3D81870F65AFCED0C77C6C4C6E6BA424FF23088C796BA6195ABA35094BF1829E089662E7A95FC90750AE16D0C8AFA55DAC789D7735B970B58D4BE7CEC7341DA82A0179A01929C27A59C5063215B859EA43",
 		"E525422519ECE070E82C",
 		"B47BC07C3ED1C0A43BA52C43CBACBCDBB29CAF1001E09FDF7107"},
 	{"7550C2761644E911FE9ADD119BAC07376BEA442845FEAD876D7E7AC1B713E464",
 		"36D2EC25ADD33CDEDF495205BBC923",
 		"7FCFE81A3790DE97FFC3DE160C470847EA7E841177C2F759571CBD837EA004A6CA8C6F4AEBFF2E9FD552D73EB8A30705D58D70C0B67AEEA280CBBF0A477358ACEF1E7508F2735CD9A0E4F9AC92B8C008F575D3B6278F1C18BD01227E3502E5255F3AB1893632AD00C717C588EF652A51A43209E7EE90",
 		"2B1A62F8FDFAA3C16470A21AD307C9A7D03ADE8EF72C69B06F8D738CDE578D7AEFD0D40BD9C022FB9F580DF5394C998ACCCEFC5471A3996FB8F1045A81FDC6F32D13502EA65A211390C8D882B8E0BEFD8DD8CBEF51D1597B124E9F7F",
 		"C873E02A22DB89EB0787DB6A60B99F7E4A0A085D5C4232A81ADCE2D60AA36F92DDC33F93DD8640AC0E08416B187FB382B3EC3EE85A64B0E6EE41C1366A5AD2A282F66605E87031CCBA2FA7B2DA201D975994AADE3DD1EE122AE09604AD489B84BF0C1AB7129EE16C6934850E"},
 	{"A51300285E554FDBDE7F771A9A9A80955639DD87129FAEF74987C91FB9687C71",
 		"81691D5D20EC818FCFF24B33DECC",
 		"C948093218AA9EB2A8E44A87EEA73FC8B6B75A196819A14BD83709EA323E8DF8B491045220E1D88729A38DBCFFB60D3056DAD4564498FD6574F74512945DEB34B69329ACED9FFC05D5D59DFCD5B973E2ACAFE6AD1EF8BBBC49351A2DD12508ED89ED",
 		"EB861165DAF7625F827C6B574ED703F03215",
 		"C6CD1CE76D2B3679C1B5AA1CFD67CCB55444B6BFD3E22C81CBC9BB738796B83E54E3"},
 	{"8CE0156D26FAEB7E0B9B800BBB2E9D4075B5EAC5C62358B0E7F6FCE610223282",
 		"D2A7B94DD12CDACA909D3AD7",
 		"E021A78F374FC271389AB9A3E97077D755",
 		"7C26000B58929F5095E1CEE154F76C2A299248E299F9B5ADE6C403AA1FD4A67FD4E0232F214CE7B919EE7A1027D2B76C57475715CD078461",
 		"C556FB38DF069B56F337B5FF5775CE6EAA16824DFA754F20B78819028EA635C3BB7AA731DE8776B2DCB67DCA2D33EEDF3C7E52EA450013722A41755A0752433ED17BDD5991AAE77A"},
 	{"1E8000A2CE00A561C9920A30BF0D7B983FEF8A1014C8F04C35CA6970E6BA02BD",
 		"65ED3D63F79F90BBFD19775E",
 		"336A8C0B7243582A46B221AA677647FCAE91",
 		"134A8B34824A290E7B",
 		"914FBEF80D0E6E17F8BDBB6097EBF5FBB0554952DC2B9E5151"},
 	{"53D5607BBE690B6E8D8F6D97F3DF2BA853B682597A214B8AA0EA6E598650AF15",
 		"C391A856B9FE234E14BA1AC7BB40FF",
 		"479682BC21349C4BE1641D5E78FE2C79EC1B9CF5470936DCAD9967A4DCD7C4EFADA593BC9EDE71E6A08829B8580901B61E274227E9D918502DE3",
 		"EAD154DC09C5E26C5D26FF33ED148B27120C7F2C23225CC0D0631B03E1F6C6D96FEB88C1A4052ACB4CE746B884B6502931F407021126C6AAB8C514C077A5A38438AE88EE",
 		"938821286EBB671D999B87C032E1D6055392EB564E57970D55E545FC5E8BAB90E6E3E3C0913F6320995FC636D72CD9919657CC38BD51552F4A502D8D1FE56DB33EBAC5092630E69EBB986F0E15CEE9FC8C052501"},
 	{"294362FCC984F440CEA3E9F7D2C06AF20C53AAC1B3738CA2186C914A6E193ABB",
 		"B15B61C8BB39261A8F55AB178EC3",
 		"D0729B6B75BB",
 		"2BD089ADCE9F334BAE3B065996C7D616DD0C27DF4218DCEEA0FBCA0F968837CE26B0876083327E25681FDDD620A32EC0DA12F73FAE826CC94BFF2B90A54D2651",
 		"AC94B25E4E21DE2437B806966CCD5D9385EF0CD4A51AB9FA6DE675C7B8952D67802E9FEC1FDE9F5D1EAB06057498BC0EEA454804FC9D2068982A3E24182D9AC2E7AB9994DDC899A604264583F63D066B"},
 	{"959DBFEB039B1A5B8CE6A44649B602AAA5F98A906DB96143D202CD2024F749D9",
 		"01D7BDB1133E9C347486C1EFA6",
 		"F3843955BD741F379DD750585EDC55E2CDA05CCBA8C1F4622AC2FE35214BC3A019B8BD12C4CC42D9213D1E1556941E8D8450830287FFB3B763A13722DD4140ED9846FB5FFF745D7B0B967D810A068222E10B259AF1D392035B0D83DC1498A6830B11B2418A840212599171E0258A1C203B05362978",
 		"A21811232C950FA8B12237C2EBD6A7CD2C3A155905E9E0C7C120",
 		"63C1CE397B22F1A03F1FA549B43178BC405B152D3C95E977426D519B3DFCA28498823240592B6EEE7A14"},
 	{"096AE499F5294173F34FF2B375F0E5D5AB79D0D03B33B1A74D7D576826345DF4",
 		"0C52B3D11D636E5910A4DD76D32C",
 		"229E9ECA3053789E937447BC719467075B6138A142DA528DA8F0CF8DDF022FD9AF8E74779BA3AC306609",
 		"8B7A00038783E8BAF6EDEAE0C4EAB48FC8FD501A588C7E4A4DB71E3604F2155A97687D3D2FFF8569261375A513CF4398CE0F87CA1658A1050F6EF6C4EA3E25",
 		"C20B6CF8D3C8241825FD90B2EDAC7593600646E579A8D8DAAE9E2E40C3835FE801B2BE4379131452BC5182C90307B176DFBE2049544222FE7783147B690774F6D9D7CEF52A91E61E298E9AA15464AC"},
 }
@@ -0,0 +1,78 @@
 package ocb
 import (
 	"encoding/hex"
 )
 // Test vectors from https://tools.ietf.org/html/rfc7253. Note that key is
 // shared across tests.
 var testKey, _ = hex.DecodeString("000102030405060708090A0B0C0D0E0F")
 var rfc7253testVectors = []struct {
 	nonce, header, plaintext, ciphertext string
 }{
 	{"BBAA99887766554433221100",
 		"",
 		"",
 		"785407BFFFC8AD9EDCC5520AC9111EE6"},
 	{"BBAA99887766554433221101",
 		"0001020304050607",
 		"0001020304050607",
 		"6820B3657B6F615A5725BDA0D3B4EB3A257C9AF1F8F03009"},
 	{"BBAA99887766554433221102",
 		"0001020304050607",
 		"",
 		"81017F8203F081277152FADE694A0A00"},
 	{"BBAA99887766554433221103",
 		"",
 		"0001020304050607",
 		"45DD69F8F5AAE72414054CD1F35D82760B2CD00D2F99BFA9"},
 	{"BBAA99887766554433221104",
 		"000102030405060708090A0B0C0D0E0F",
 		"000102030405060708090A0B0C0D0E0F",
 		"571D535B60B277188BE5147170A9A22C3AD7A4FF3835B8C5701C1CCEC8FC3358"},
 	{"BBAA99887766554433221105",
 		"000102030405060708090A0B0C0D0E0F",
 		"",
 		"8CF761B6902EF764462AD86498CA6B97"},
 	{"BBAA99887766554433221106",
 		"",
 		"000102030405060708090A0B0C0D0E0F",
 		"5CE88EC2E0692706A915C00AEB8B2396F40E1C743F52436BDF06D8FA1ECA343D"},
 	{"BBAA99887766554433221107",
 		"000102030405060708090A0B0C0D0E0F1011121314151617",
 		"000102030405060708090A0B0C0D0E0F1011121314151617",
 		"1CA2207308C87C010756104D8840CE1952F09673A448A122C92C62241051F57356D7F3C90BB0E07F"},
 	{"BBAA99887766554433221108",
 		"000102030405060708090A0B0C0D0E0F1011121314151617",
 		"",
 		"6DC225A071FC1B9F7C69F93B0F1E10DE"},
 	{"BBAA99887766554433221109",
 		"",
 		"000102030405060708090A0B0C0D0E0F1011121314151617",
 		"221BD0DE7FA6FE993ECCD769460A0AF2D6CDED0C395B1C3CE725F32494B9F914D85C0B1EB38357FF"},
 	{"BBAA9988776655443322110A",
 		"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F",
 		"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F",
 		"BD6F6C496201C69296C11EFD138A467ABD3C707924B964DEAFFC40319AF5A48540FBBA186C5553C68AD9F592A79A4240"},
 	{"BBAA9988776655443322110B",
 		"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F",
 		"",
 		"FE80690BEE8A485D11F32965BC9D2A32"},
 	{"BBAA9988776655443322110C",
 		"",
 		"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F",
 		"2942BFC773BDA23CABC6ACFD9BFD5835BD300F0973792EF46040C53F1432BCDFB5E1DDE3BC18A5F840B52E653444D5DF"},
 	{"BBAA9988776655443322110D",
 		"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627",
 		"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627",
 		"D5CA91748410C1751FF8A2F618255B68A0A12E093FF454606E59F9C1D0DDC54B65E8628E568BAD7AED07BA06A4A69483A7035490C5769E60"},
 	{"BBAA9988776655443322110E",
 		"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627",
 		"",
 		"C5CD9D1850C141E358649994EE701B68"},
 	{"BBAA9988776655443322110F",
 		"",
 		"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627",
 		"4412923493C57D5DE0D700F753CCE0D1D2D95060122E9F15A5DDBFC5787E50B5CC55EE507BCB084E479AD363AC366B95A98CA5F3000B1479"},
 }
@@ -0,0 +1,25 @@
 package ocb
 // Second set of test vectors from https://tools.ietf.org/html/rfc7253
 var rfc7253TestVectorTaglen96 = struct {
 	key, nonce, header, plaintext, ciphertext string
 }{"0F0E0D0C0B0A09080706050403020100",
 	"BBAA9988776655443322110D",
 	"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627",
 	"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627",
 	"1792A4E31E0755FB03E31B22116E6C2DDF9EFD6E33D536F1A0124B0A55BAE884ED93481529C76B6AD0C515F4D1CDD4FDAC4F02AA"}
 var rfc7253AlgorithmTest = []struct {
 	KEYLEN, TAGLEN int
 	OUTPUT         string
 }{
 	{128, 128, "67E944D23256C5E0B6C61FA22FDF1EA2"},
 	{192, 128, "F673F2C3E7174AAE7BAE986CA9F29E17"},
 	{256, 128, "D90EB8E9C977C88B79DD793D7FFA161C"},
 	{128, 96, "77A3D8E73589158D25D01209"},
 	{192, 96, "05D56EAD2752C86BE6932C5E"},
 	{256, 96, "5458359AC23B0CBA9E6330DD"},
 	{128, 64, "192C9B7BD90BA06A"},
 	{192, 64, "0066BC6E0EF34E24"},
 	{256, 64, "7D4EA5D445501CBE"},
 }
@@ -0,0 +1,153 @@
 // Copyright 2014 Matthew Endsley
 // All rights reserved
 //
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted providing that the following conditions
 // are met:
 // 1. Redistributions of source code must retain the above copyright
 //    notice, this list of conditions and the following disclaimer.
 // 2. Redistributions in binary form must reproduce the above copyright
 //    notice, this list of conditions and the following disclaimer in the
 //    documentation and/or other materials provided with the distribution.
 //
 // THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 // WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 // ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 // DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 // DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 // OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
 // IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 // POSSIBILITY OF SUCH DAMAGE.
 // Package keywrap is an implementation of the RFC 3394 AES key wrapping
 // algorithm. This is used in OpenPGP with elliptic curve keys.
 package keywrap
 import (
 	"crypto/aes"
 	"encoding/binary"
 	"errors"
 )
 var (
 	// ErrWrapPlaintext is returned if the plaintext is not a multiple
 	// of 64 bits.
 	ErrWrapPlaintext = errors.New("keywrap: plainText must be a multiple of 64 bits")
 	// ErrUnwrapCiphertext is returned if the ciphertext is not a
 	// multiple of 64 bits.
 	ErrUnwrapCiphertext = errors.New("keywrap: cipherText must by a multiple of 64 bits")
 	// ErrUnwrapFailed is returned if unwrapping a key fails.
 	ErrUnwrapFailed = errors.New("keywrap: failed to unwrap key")
 	// NB: the AES NewCipher call only fails if the key is an invalid length.
 	// ErrInvalidKey is returned when the AES key is invalid.
 	ErrInvalidKey = errors.New("keywrap: invalid AES key")
 )
 // Wrap a key using the RFC 3394 AES Key Wrap Algorithm.
 func Wrap(key, plainText []byte) ([]byte, error) {
 	if len(plainText)%8 != 0 {
 		return nil, ErrWrapPlaintext
 	}
 	c, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, ErrInvalidKey
 	}
 	nblocks := len(plainText) / 8
 	// 1) Initialize variables.
 	var block [aes.BlockSize]byte
 	// - Set A = IV, an initial value (see 2.2.3)
 	for ii := 0; ii < 8; ii++ {
 		block[ii] = 0xA6
 	}
 	// - For i = 1 to n
 	// -   Set R[i] = P[i]
 	intermediate := make([]byte, len(plainText))
 	copy(intermediate, plainText)
 	// 2) Calculate intermediate values.
 	for ii := 0; ii < 6; ii++ {
 		for jj := 0; jj < nblocks; jj++ {
 			// - B = AES(K, A | R[i])
 			copy(block[8:], intermediate[jj*8:jj*8+8])
 			c.Encrypt(block[:], block[:])
 			// - A = MSB(64, B) ^ t where t = (n*j)+1
 			t := uint64(ii*nblocks + jj + 1)
 			val := binary.BigEndian.Uint64(block[:8]) ^ t
 			binary.BigEndian.PutUint64(block[:8], val)
 			// - R[i] = LSB(64, B)
 			copy(intermediate[jj*8:jj*8+8], block[8:])
 		}
 	}
 	// 3) Output results.
 	// - Set C[0] = A
 	// - For i = 1 to n
 	// -   C[i] = R[i]
 	return append(block[:8], intermediate...), nil
 }
 // Unwrap a key using the RFC 3394 AES Key Wrap Algorithm.
 func Unwrap(key, cipherText []byte) ([]byte, error) {
 	if len(cipherText)%8 != 0 {
 		return nil, ErrUnwrapCiphertext
 	}
 	c, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, ErrInvalidKey
 	}
 	nblocks := len(cipherText)/8 - 1
 	// 1) Initialize variables.
 	var block [aes.BlockSize]byte
 	// - Set A = C[0]
 	copy(block[:8], cipherText[:8])
 	// - For i = 1 to n
 	// -   Set R[i] = C[i]
 	intermediate := make([]byte, len(cipherText)-8)
 	copy(intermediate, cipherText[8:])
 	// 2) Compute intermediate values.
 	for jj := 5; jj >= 0; jj-- {
 		for ii := nblocks - 1; ii >= 0; ii-- {
 			// - B = AES-1(K, (A ^ t) | R[i]) where t = n*j+1
 			// - A = MSB(64, B)
 			t := uint64(jj*nblocks + ii + 1)
 			val := binary.BigEndian.Uint64(block[:8]) ^ t
 			binary.BigEndian.PutUint64(block[:8], val)
 			copy(block[8:], intermediate[ii*8:ii*8+8])
 			c.Decrypt(block[:], block[:])
 			// - R[i] = LSB(B, 64)
 			copy(intermediate[ii*8:ii*8+8], block[8:])
 		}
 	}
 	// 3) Output results.
 	// - If A is an appropriate initial value (see 2.2.3),
 	for ii := 0; ii < 8; ii++ {
 		if block[ii] != 0xA6 {
 			return nil, ErrUnwrapFailed
 		}
 	}
 	// - For i = 1 to n
 	// -   P[i] = R[i]
 	return intermediate, nil
 }
@@ -0,0 +1,183 @@
 // Copyright 2010 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package armor implements OpenPGP ASCII Armor, see RFC 4880. OpenPGP Armor is
 // very similar to PEM except that it has an additional CRC checksum.
 package armor // import "github.com/ProtonMail/go-crypto/openpgp/armor"
 import (
 	"bufio"
 	"bytes"
 	"encoding/base64"
 	"io"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 )
 // A Block represents an OpenPGP armored structure.
 //
 // The encoded form is:
 //
 //	-----BEGIN Type-----
 //	Headers
 //
 //	base64-encoded Bytes
 //	'=' base64 encoded checksum (optional) not checked anymore
 //	-----END Type-----
 //
 // where Headers is a possibly empty sequence of Key: Value lines.
 //
 // Since the armored data can be very large, this package presents a streaming
 // interface.
 type Block struct {
 	Type    string            // The type, taken from the preamble (i.e. "PGP SIGNATURE").
 	Header  map[string]string // Optional headers.
 	Body    io.Reader         // A Reader from which the contents can be read
 	lReader lineReader
 	oReader openpgpReader
 }
 var ArmorCorrupt error = errors.StructuralError("armor invalid")
 var armorStart = []byte("-----BEGIN ")
 var armorEnd = []byte("-----END ")
 var armorEndOfLine = []byte("-----")
 // lineReader wraps a line based reader. It watches for the end of an armor block
 type lineReader struct {
 	in  *bufio.Reader
 	buf []byte
 	eof bool
 }
 func (l *lineReader) Read(p []byte) (n int, err error) {
 	if l.eof {
 		return 0, io.EOF
 	}
 	if len(l.buf) > 0 {
 		n = copy(p, l.buf)
 		l.buf = l.buf[n:]
 		return
 	}
 	line, isPrefix, err := l.in.ReadLine()
 	if err != nil {
 		return
 	}
 	if isPrefix {
 		return 0, ArmorCorrupt
 	}
 	if bytes.HasPrefix(line, armorEnd) {
 		l.eof = true
 		return 0, io.EOF
 	}
 	if len(line) == 5 && line[0] == '=' {
 		// This is the checksum line
 		// Don't check the checksum
 		l.eof = true
 		return 0, io.EOF
 	}
 	if len(line) > 96 {
 		return 0, ArmorCorrupt
 	}
 	n = copy(p, line)
 	bytesToSave := len(line) - n
 	if bytesToSave > 0 {
 		if cap(l.buf) < bytesToSave {
 			l.buf = make([]byte, 0, bytesToSave)
 		}
 		l.buf = l.buf[0:bytesToSave]
 		copy(l.buf, line[n:])
 	}
 	return
 }
 // openpgpReader passes Read calls to the underlying base64 decoder.
 type openpgpReader struct {
 	lReader   *lineReader
 	b64Reader io.Reader
 }
 func (r *openpgpReader) Read(p []byte) (n int, err error) {
 	n, err = r.b64Reader.Read(p)
 	return
 }
 // Decode reads a PGP armored block from the given Reader. It will ignore
 // leading garbage. If it doesn't find a block, it will return nil, io.EOF. The
 // given Reader is not usable after calling this function: an arbitrary amount
 // of data may have been read past the end of the block.
 func Decode(in io.Reader) (p *Block, err error) {
 	r := bufio.NewReaderSize(in, 100)
 	var line []byte
 	ignoreNext := false
 TryNextBlock:
 	p = nil
 	// Skip leading garbage
 	for {
 		ignoreThis := ignoreNext
 		line, ignoreNext, err = r.ReadLine()
 		if err != nil {
 			return
 		}
 		if ignoreNext || ignoreThis {
 			continue
 		}
 		line = bytes.TrimSpace(line)
 		if len(line) > len(armorStart)+len(armorEndOfLine) && bytes.HasPrefix(line, armorStart) {
 			break
 		}
 	}
 	p = new(Block)
 	p.Type = string(line[len(armorStart) : len(line)-len(armorEndOfLine)])
 	p.Header = make(map[string]string)
 	nextIsContinuation := false
 	var lastKey string
 	// Read headers
 	for {
 		isContinuation := nextIsContinuation
 		line, nextIsContinuation, err = r.ReadLine()
 		if err != nil {
 			p = nil
 			return
 		}
 		if isContinuation {
 			p.Header[lastKey] += string(line)
 			continue
 		}
 		line = bytes.TrimSpace(line)
 		if len(line) == 0 {
 			break
 		}
 		i := bytes.Index(line, []byte(":"))
 		if i == -1 {
 			goto TryNextBlock
 		}
 		lastKey = string(line[:i])
 		var value string
 		if len(line) > i+2 {
 			value = string(line[i+2:])
 		}
 		p.Header[lastKey] = value
 	}
 	p.lReader.in = r
 	p.oReader.lReader = &p.lReader
 	p.oReader.b64Reader = base64.NewDecoder(base64.StdEncoding, &p.lReader)
 	p.Body = &p.oReader
 	return
 }
@@ -0,0 +1,206 @@
 // Copyright 2010 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package armor
 import (
 	"encoding/base64"
 	"io"
 	"sort"
 )
 var armorHeaderSep = []byte(": ")
 var blockEnd = []byte("\n=")
 var newline = []byte("\n")
 var armorEndOfLineOut = []byte("-----\n")
 const crc24Init = 0xb704ce
 const crc24Poly = 0x1864cfb
 // crc24 calculates the OpenPGP checksum as specified in RFC 4880, section 6.1
 func crc24(crc uint32, d []byte) uint32 {
 	for _, b := range d {
 		crc ^= uint32(b) << 16
 		for i := 0; i < 8; i++ {
 			crc <<= 1
 			if crc&0x1000000 != 0 {
 				crc ^= crc24Poly
 			}
 		}
 	}
 	return crc
 }
 // writeSlices writes its arguments to the given Writer.
 func writeSlices(out io.Writer, slices ...[]byte) (err error) {
 	for _, s := range slices {
 		_, err = out.Write(s)
 		if err != nil {
 			return err
 		}
 	}
 	return
 }
 // lineBreaker breaks data across several lines, all of the same byte length
 // (except possibly the last). Lines are broken with a single '\n'.
 type lineBreaker struct {
 	lineLength  int
 	line        []byte
 	used        int
 	out         io.Writer
 	haveWritten bool
 }
 func newLineBreaker(out io.Writer, lineLength int) *lineBreaker {
 	return &lineBreaker{
 		lineLength: lineLength,
 		line:       make([]byte, lineLength),
 		used:       0,
 		out:        out,
 	}
 }
 func (l *lineBreaker) Write(b []byte) (n int, err error) {
 	n = len(b)
 	if n == 0 {
 		return
 	}
 	if l.used == 0 && l.haveWritten {
 		_, err = l.out.Write([]byte{'\n'})
 		if err != nil {
 			return
 		}
 	}
 	if l.used+len(b) < l.lineLength {
 		l.used += copy(l.line[l.used:], b)
 		return
 	}
 	l.haveWritten = true
 	_, err = l.out.Write(l.line[0:l.used])
 	if err != nil {
 		return
 	}
 	excess := l.lineLength - l.used
 	l.used = 0
 	_, err = l.out.Write(b[0:excess])
 	if err != nil {
 		return
 	}
 	_, err = l.Write(b[excess:])
 	return
 }
 func (l *lineBreaker) Close() (err error) {
 	if l.used > 0 {
 		_, err = l.out.Write(l.line[0:l.used])
 		if err != nil {
 			return
 		}
 	}
 	return
 }
 // encoding keeps track of a running CRC24 over the data which has been written
 // to it and outputs a OpenPGP checksum when closed, followed by an armor
 // trailer.
 //
 // It's built into a stack of io.Writers:
 //
 //	encoding -> base64 encoder -> lineBreaker -> out
 type encoding struct {
 	out        io.Writer
 	breaker    *lineBreaker
 	b64        io.WriteCloser
 	crc        uint32
 	crcEnabled bool
 	blockType  []byte
 }
 func (e *encoding) Write(data []byte) (n int, err error) {
 	if e.crcEnabled {
 		e.crc = crc24(e.crc, data)
 	}
 	return e.b64.Write(data)
 }
 func (e *encoding) Close() (err error) {
 	err = e.b64.Close()
 	if err != nil {
 		return
 	}
 	e.breaker.Close()
 	if e.crcEnabled {
 		var checksumBytes [3]byte
 		checksumBytes[0] = byte(e.crc >> 16)
 		checksumBytes[1] = byte(e.crc >> 8)
 		checksumBytes[2] = byte(e.crc)
 		var b64ChecksumBytes [4]byte
 		base64.StdEncoding.Encode(b64ChecksumBytes[:], checksumBytes[:])
 		return writeSlices(e.out, blockEnd, b64ChecksumBytes[:], newline, armorEnd, e.blockType, armorEndOfLine)
 	}
 	return writeSlices(e.out, newline, armorEnd, e.blockType, armorEndOfLine)
 }
 func encode(out io.Writer, blockType string, headers map[string]string, checksum bool) (w io.WriteCloser, err error) {
 	bType := []byte(blockType)
 	err = writeSlices(out, armorStart, bType, armorEndOfLineOut)
 	if err != nil {
 		return
 	}
 	keys := make([]string, len(headers))
 	i := 0
 	for k := range headers {
 		keys[i] = k
 		i++
 	}
 	sort.Strings(keys)
 	for _, k := range keys {
 		err = writeSlices(out, []byte(k), armorHeaderSep, []byte(headers[k]), newline)
 		if err != nil {
 			return
 		}
 	}
 	_, err = out.Write(newline)
 	if err != nil {
 		return
 	}
 	e := &encoding{
 		out:        out,
 		breaker:    newLineBreaker(out, 64),
 		blockType:  bType,
 		crc:        crc24Init,
 		crcEnabled: checksum,
 	}
 	e.b64 = base64.NewEncoder(base64.StdEncoding, e.breaker)
 	return e, nil
 }
 // Encode returns a WriteCloser which will encode the data written to it in
 // OpenPGP armor.
 func Encode(out io.Writer, blockType string, headers map[string]string) (w io.WriteCloser, err error) {
 	return encode(out, blockType, headers, true)
 }
 // EncodeWithChecksumOption returns a WriteCloser which will encode the data written to it in
 // OpenPGP armor and provides the option to include a checksum.
 // When forming ASCII Armor, the CRC24 footer SHOULD NOT be generated,
 // unless interoperability with implementations that require the CRC24 footer
 // to be present is a concern.
 func EncodeWithChecksumOption(out io.Writer, blockType string, headers map[string]string, doChecksum bool) (w io.WriteCloser, err error) {
 	return encode(out, blockType, headers, doChecksum)
 }
@@ -0,0 +1,71 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package openpgp
 import (
 	"hash"
 	"io"
 )
 // NewCanonicalTextHash reformats text written to it into the canonical
 // form and then applies the hash h.  See RFC 4880, section 5.2.1.
 func NewCanonicalTextHash(h hash.Hash) hash.Hash {
 	return &canonicalTextHash{h, 0}
 }
 type canonicalTextHash struct {
 	h hash.Hash
 	s int
 }
 var newline = []byte{'\r', '\n'}
 func writeCanonical(cw io.Writer, buf []byte, s *int) (int, error) {
 	start := 0
 	for i, c := range buf {
 		switch *s {
 		case 0:
 			if c == '\r' {
 				*s = 1
 			} else if c == '\n' {
 				if _, err := cw.Write(buf[start:i]); err != nil {
 					return 0, err
 				}
 				if _, err := cw.Write(newline); err != nil {
 					return 0, err
 				}
 				start = i + 1
 			}
 		case 1:
 			*s = 0
 		}
 	}
 	if _, err := cw.Write(buf[start:]); err != nil {
 		return 0, err
 	}
 	return len(buf), nil
 }
 func (cth *canonicalTextHash) Write(buf []byte) (int, error) {
 	return writeCanonical(cth.h, buf, &cth.s)
 }
 func (cth *canonicalTextHash) Sum(in []byte) []byte {
 	return cth.h.Sum(in)
 }
 func (cth *canonicalTextHash) Reset() {
 	cth.h.Reset()
 	cth.s = 0
 }
 func (cth *canonicalTextHash) Size() int {
 	return cth.h.Size()
 }
 func (cth *canonicalTextHash) BlockSize() int {
 	return cth.h.BlockSize()
 }
@@ -0,0 +1,561 @@
 // Copyright 2012 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package clearsign generates and processes OpenPGP, clear-signed data. See
 // RFC 4880, section 7.
 //
 // Clearsigned messages are cryptographically signed, but the contents of the
 // message are kept in plaintext so that it can be read without special tools.
 package clearsign // import "github.com/ProtonMail/go-crypto/openpgp/clearsign"
 import (
 	"bufio"
 	"bytes"
 	"crypto"
 	"fmt"
 	"hash"
 	"io"
 	"net/textproto"
 	"strconv"
 	"strings"
 	"github.com/ProtonMail/go-crypto/openpgp"
 	"github.com/ProtonMail/go-crypto/openpgp/armor"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	"github.com/ProtonMail/go-crypto/openpgp/packet"
 )
 // A Block represents a clearsigned message. A signature on a Block can
 // be checked by calling Block.VerifySignature.
 type Block struct {
 	Headers          textproto.MIMEHeader // Optional unverified Hash headers
 	Plaintext        []byte               // The original message text
 	Bytes            []byte               // The signed message
 	ArmoredSignature *armor.Block         // The signature block
 }
 // start is the marker which denotes the beginning of a clearsigned message.
 var start = []byte("\n-----BEGIN PGP SIGNED MESSAGE-----")
 // dashEscape is prefixed to any lines that begin with a hyphen so that they
 // can't be confused with endText.
 var dashEscape = []byte("- ")
 // endText is a marker which denotes the end of the message and the start of
 // an armored signature.
 var endText = []byte("-----BEGIN PGP SIGNATURE-----")
 // end is a marker which denotes the end of the armored signature.
 var end = []byte("\n-----END PGP SIGNATURE-----")
 var crlf = []byte("\r\n")
 var lf = byte('\n')
 const hashHeader string = "Hash"
 // getLine returns the first \r\n or \n delineated line from the given byte
 // array. The line does not include the \r\n or \n. The remainder of the byte
 // array (also not including the new line bytes) is also returned and this will
 // always be smaller than the original argument.
 func getLine(data []byte) (line, rest []byte) {
 	i := bytes.Index(data, []byte{'\n'})
 	var j int
 	if i < 0 {
 		i = len(data)
 		j = i
 	} else {
 		j = i + 1
 		if i > 0 && data[i-1] == '\r' {
 			i--
 		}
 	}
 	return data[0:i], data[j:]
 }
 // Decode finds the first clearsigned message in data and returns it, as well as
 // the suffix of data which remains after the message. Any prefix data is
 // discarded.
 //
 // If no message is found, or if the message is invalid, Decode returns nil and
 // the whole data slice. The only allowed header type is Hash, and it is not
 // verified against the signature hash.
 func Decode(data []byte) (b *Block, rest []byte) {
 	// start begins with a newline. However, at the very beginning of
 	// the byte array, we'll accept the start string without it.
 	rest = data
 	if bytes.HasPrefix(data, start[1:]) {
 		rest = rest[len(start)-1:]
 	} else if i := bytes.Index(data, start); i >= 0 {
 		rest = rest[i+len(start):]
 	} else {
 		return nil, data
 	}
 	// Consume the start line and check it does not have a suffix.
 	suffix, rest := getLine(rest)
 	if len(suffix) != 0 {
 		return nil, data
 	}
 	var line []byte
 	b = &Block{
 		Headers: make(textproto.MIMEHeader),
 	}
 	// Next come a series of header lines.
 	for {
 		// This loop terminates because getLine's second result is
 		// always smaller than its argument.
 		if len(rest) == 0 {
 			return nil, data
 		}
 		// An empty line marks the end of the headers.
 		if line, rest = getLine(rest); len(strings.TrimSpace(string(line))) == 0 {
 			break
 		}
 		// Reject headers with control or Unicode characters.
 		if i := bytes.IndexFunc(line, func(r rune) bool {
 			return r < 0x20 || r > 0x7e
 		}); i != -1 {
 			return nil, data
 		}
 		i := bytes.Index(line, []byte{':'})
 		if i == -1 {
 			return nil, data
 		}
 		key, val := string(line[0:i]), string(line[i+1:])
 		key = strings.TrimSpace(key)
 		if key == hashHeader {
 			for _, val := range strings.Split(val, ",") {
 				val = strings.TrimSpace(val)
 				b.Headers.Add(key, val)
 			}
 		} else {
 			// Only "Hash" headers are allowed.
 			return nil, data
 		}
 	}
 	firstLine := true
 	for {
 		start := rest
 		line, rest = getLine(rest)
 		if len(line) == 0 && len(rest) == 0 {
 			// No armored data was found, so this isn't a complete message.
 			return nil, data
 		}
 		if bytes.Equal(line, endText) {
 			// Back up to the start of the line because armor expects to see the
 			// header line.
 			rest = start
 			break
 		}
 		// The final CRLF isn't included in the hash so we don't write it until
 		// we've seen the next line.
 		if firstLine {
 			firstLine = false
 		} else {
 			b.Bytes = append(b.Bytes, crlf...)
 		}
 		if bytes.HasPrefix(line, dashEscape) {
 			line = line[2:]
 		}
 		line = bytes.TrimRight(line, " \t")
 		b.Bytes = append(b.Bytes, line...)
 		b.Plaintext = append(b.Plaintext, line...)
 		b.Plaintext = append(b.Plaintext, lf)
 	}
 	b.Plaintext = b.Plaintext[:len(b.Plaintext)-1]
 	// We want to find the extent of the armored data (including any newlines at
 	// the end).
 	i := bytes.Index(rest, end)
 	if i == -1 {
 		return nil, data
 	}
 	i += len(end)
 	for i < len(rest) && (rest[i] == '\r' || rest[i] == '\n') {
 		i++
 	}
 	armored := rest[:i]
 	rest = rest[i:]
 	var err error
 	b.ArmoredSignature, err = armor.Decode(bytes.NewBuffer(armored))
 	if err != nil {
 		return nil, data
 	}
 	return b, rest
 }
 // A dashEscaper is an io.WriteCloser which processes the body of a clear-signed
 // message. The clear-signed message is written to buffered and a hash, suitable
 // for signing, is maintained in h.
 //
 // When closed, an armored signature is created and written to complete the
 // message.
 type dashEscaper struct {
 	buffered    *bufio.Writer
 	hashers     []hash.Hash // one per key in privateKeys
 	hashTypes   []crypto.Hash
 	toHash      io.Writer         // writes to all the hashes in hashers
 	salts       [][]byte          // salts for the signatures if v6
 	armorHeader map[string]string // Armor headers
 	atBeginningOfLine bool
 	isFirstLine       bool
 	whitespace []byte
 	byteBuf    []byte // a one byte buffer to save allocations
 	privateKeys []*packet.PrivateKey
 	config      *packet.Config
 }
 func (d *dashEscaper) Write(data []byte) (n int, err error) {
 	for _, b := range data {
 		d.byteBuf[0] = b
 		if d.atBeginningOfLine {
 			// The final CRLF isn't included in the hash so we have to wait
 			// until this point (the start of the next line) before writing it.
 			if !d.isFirstLine {
 				if _, err = d.toHash.Write(crlf); err != nil {
 					return
 				}
 			}
 			d.isFirstLine = false
 		}
 		// Any whitespace at the end of the line has to be removed so we
 		// buffer it until we find out whether there's more on this line.
 		if b == ' ' || b == '\t' || b == '\r' {
 			d.whitespace = append(d.whitespace, b)
 			d.atBeginningOfLine = false
 			continue
 		}
 		if d.atBeginningOfLine {
 			// At the beginning of a line, hyphens have to be escaped.
 			if b == '-' {
 				// The signature isn't calculated over the dash-escaped text so
 				// the escape is only written to buffered.
 				if _, err = d.buffered.Write(dashEscape); err != nil {
 					return
 				}
 				if _, err = d.toHash.Write(d.byteBuf); err != nil {
 					return
 				}
 				d.atBeginningOfLine = false
 			} else if b == '\n' {
 				// Nothing to do because we delay writing CRLF to the hash.
 			} else {
 				if _, err = d.toHash.Write(d.byteBuf); err != nil {
 					return
 				}
 				d.atBeginningOfLine = false
 			}
 			if err = d.buffered.WriteByte(b); err != nil {
 				return
 			}
 		} else {
 			if b == '\n' {
 				// We got a raw \n. Drop any trailing whitespace and write a
 				// CRLF.
 				d.whitespace = d.whitespace[:0]
 				// We delay writing CRLF to the hash until the start of the
 				// next line.
 				if err = d.buffered.WriteByte(b); err != nil {
 					return
 				}
 				d.atBeginningOfLine = true
 			} else {
 				// Any buffered whitespace wasn't at the end of the line so
 				// we need to write it out.
 				if len(d.whitespace) > 0 {
 					if _, err = d.toHash.Write(d.whitespace); err != nil {
 						return
 					}
 					if _, err = d.buffered.Write(d.whitespace); err != nil {
 						return
 					}
 					d.whitespace = d.whitespace[:0]
 				}
 				if _, err = d.toHash.Write(d.byteBuf); err != nil {
 					return
 				}
 				if err = d.buffered.WriteByte(b); err != nil {
 					return
 				}
 			}
 		}
 	}
 	n = len(data)
 	return
 }
 func (d *dashEscaper) Close() (err error) {
 	if d.atBeginningOfLine {
 		if !d.isFirstLine {
 			if _, err := d.toHash.Write(crlf); err != nil {
 				return err
 			}
 		}
 	}
 	if err = d.buffered.WriteByte(lf); err != nil {
 		return
 	}
 	out, err := armor.EncodeWithChecksumOption(d.buffered, "PGP SIGNATURE", d.armorHeader, false)
 	if err != nil {
 		return
 	}
 	t := d.config.Now()
 	indexSalt := 0
 	for i, k := range d.privateKeys {
 		sig := new(packet.Signature)
 		sig.Version = k.Version
 		sig.SigType = packet.SigTypeText
 		sig.PubKeyAlgo = k.PubKeyAlgo
 		sig.Hash = d.hashTypes[i]
 		sig.CreationTime = t
 		sig.IssuerKeyId = &k.KeyId
 		sig.IssuerFingerprint = k.Fingerprint
 		sig.Notations = d.config.Notations()
 		sigLifetimeSecs := d.config.SigLifetime()
 		sig.SigLifetimeSecs = &sigLifetimeSecs
 		if k.Version == 6 {
 			if err = sig.SetSalt(d.salts[indexSalt]); err != nil {
 				return
 			}
 			indexSalt++
 		}
 		if err = sig.Sign(d.hashers[i], k, d.config); err != nil {
 			return
 		}
 		if err = sig.Serialize(out); err != nil {
 			return
 		}
 	}
 	if err = out.Close(); err != nil {
 		return
 	}
 	if err = d.buffered.Flush(); err != nil {
 		return
 	}
 	return
 }
 // Encode returns a WriteCloser which will clear-sign a message with privateKey
 // and write it to w. If config is nil, sensible defaults are used.
 func Encode(w io.Writer, privateKey *packet.PrivateKey, config *packet.Config) (plaintext io.WriteCloser, err error) {
 	return EncodeMulti(w, []*packet.PrivateKey{privateKey}, config)
 }
 // EncodeWithHeader returns a WriteCloser which will clear-sign a message with privateKey
 // and write it to w. If config is nil, sensible defaults are used.
 // Additionally provides a headers argument for custom headers.
 func EncodeWithHeader(w io.Writer, privateKey *packet.PrivateKey, config *packet.Config, headers map[string]string) (plaintext io.WriteCloser, err error) {
 	return EncodeMultiWithHeader(w, []*packet.PrivateKey{privateKey}, config, headers)
 }
 // EncodeMulti returns a WriteCloser which will clear-sign a message with all the
 // private keys indicated and write it to w. If config is nil, sensible defaults
 // are used.
 func EncodeMulti(w io.Writer, privateKeys []*packet.PrivateKey, config *packet.Config) (plaintext io.WriteCloser, err error) {
 	return EncodeMultiWithHeader(w, privateKeys, config, nil)
 }
 // EncodeMultiWithHeader returns a WriteCloser which will clear-sign a message with all the
 // private keys indicated and write it to w. If config is nil, sensible defaults
 // are used.
 // Additionally provides a headers argument for custom headers.
 func EncodeMultiWithHeader(w io.Writer, privateKeys []*packet.PrivateKey, config *packet.Config, headers map[string]string) (plaintext io.WriteCloser, err error) {
 	for _, k := range privateKeys {
 		if k.Encrypted {
 			return nil, errors.InvalidArgumentError(fmt.Sprintf("signing key %s is encrypted", k.KeyIdString()))
 		}
 	}
 	hashType := config.Hash()
 	var hashers []hash.Hash
 	var hashTypes []crypto.Hash
 	var ws []io.Writer
 	var salts [][]byte
 	for _, sk := range privateKeys {
 		acceptedHashes := acceptableHashesToWrite(&sk.PublicKey)
 		// acceptedHashes contains at least one hash
 		selectedHashType := acceptedHashes[0]
 		for _, acceptedHash := range acceptedHashes {
 			if hashType == acceptedHash {
 				selectedHashType = hashType
 				break
 			}
 		}
 		h := selectedHashType.New()
 		if sk.Version == 6 {
 			// generate salt
 			var salt []byte
 			salt, err = packet.SignatureSaltForHash(hashType, config.Random())
 			if err != nil {
 				return
 			}
 			if _, err = h.Write(salt); err != nil {
 				return
 			}
 			salts = append(salts, salt)
 		}
 		hashers = append(hashers, h)
 		hashTypes = append(hashTypes, selectedHashType)
 		ws = append(ws, h)
 	}
 	toHash := io.MultiWriter(ws...)
 	buffered := bufio.NewWriter(w)
 	// start has a \n at the beginning that we don't want here.
 	if _, err = buffered.Write(start[1:]); err != nil {
 		return
 	}
 	if err = buffered.WriteByte(lf); err != nil {
 		return
 	}
 	// write headers
 	nonV6 := len(salts) < len(hashers)
 	// Crypto refresh: Headers SHOULD NOT be emitted
 	if nonV6 { // Emit header if non v6 signatures are present for compatibility
 		if err := writeHashHeader(buffered, hashTypes); err != nil {
 			return nil, err
 		}
 	}
 	if err = buffered.WriteByte(lf); err != nil {
 		return
 	}
 	plaintext = &dashEscaper{
 		buffered:    buffered,
 		hashers:     hashers,
 		hashTypes:   hashTypes,
 		toHash:      toHash,
 		salts:       salts,
 		armorHeader: headers,
 		atBeginningOfLine: true,
 		isFirstLine:       true,
 		byteBuf: make([]byte, 1),
 		privateKeys: privateKeys,
 		config:      config,
 	}
 	return
 }
 // VerifySignature checks a clearsigned message signature, and checks that the
 // hash algorithm in the header matches the hash algorithm in the signature.
 func (b *Block) VerifySignature(keyring openpgp.KeyRing, config *packet.Config) (signer *openpgp.Entity, err error) {
 	_, signer, err = openpgp.VerifyDetachedSignature(keyring, bytes.NewBuffer(b.Bytes), b.ArmoredSignature.Body, config)
 	return
 }
 // writeHashHeader writes the legacy cleartext hash header to buffered.
 func writeHashHeader(buffered *bufio.Writer, hashTypes []crypto.Hash) error {
 	seen := make(map[string]bool, len(hashTypes))
 	if _, err := buffered.WriteString(fmt.Sprintf("%s: ", hashHeader)); err != nil {
 		return err
 	}
 	for index, sigHashType := range hashTypes {
 		first := index == 0
 		name := nameOfHash(sigHashType)
 		if len(name) == 0 {
 			return errors.UnsupportedError("unknown hash type: " + strconv.Itoa(int(sigHashType)))
 		}
 		switch {
 		case !seen[name] && first:
 			if _, err := buffered.WriteString(name); err != nil {
 				return err
 			}
 		case !seen[name]:
 			if _, err := buffered.WriteString(fmt.Sprintf(",%s", name)); err != nil {
 				return err
 			}
 		}
 		seen[name] = true
 	}
 	if err := buffered.WriteByte(lf); err != nil {
 		return err
 	}
 	return nil
 }
 // nameOfHash returns the OpenPGP name for the given hash, or the empty string
 // if the name isn't known. See RFC 4880, section 9.4.
 func nameOfHash(h crypto.Hash) string {
 	switch h {
 	case crypto.SHA224:
 		return "SHA224"
 	case crypto.SHA256:
 		return "SHA256"
 	case crypto.SHA384:
 		return "SHA384"
 	case crypto.SHA512:
 		return "SHA512"
 	case crypto.SHA3_256:
 		return "SHA3-256"
 	case crypto.SHA3_512:
 		return "SHA3-512"
 	}
 	return ""
 }
 func acceptableHashesToWrite(singingKey *packet.PublicKey) []crypto.Hash {
 	switch singingKey.PubKeyAlgo {
 	case packet.PubKeyAlgoEd448:
 		return []crypto.Hash{
 			crypto.SHA512,
 			crypto.SHA3_512,
 		}
 	case packet.PubKeyAlgoECDSA, packet.PubKeyAlgoEdDSA:
 		if curve, err := singingKey.Curve(); err == nil {
 			if curve == packet.Curve448 ||
 				curve == packet.CurveNistP521 ||
 				curve == packet.CurveBrainpoolP512 {
 				return []crypto.Hash{
 					crypto.SHA512,
 					crypto.SHA3_512,
 				}
 			} else if curve == packet.CurveBrainpoolP384 ||
 				curve == packet.CurveNistP384 {
 				return []crypto.Hash{
 					crypto.SHA384,
 					crypto.SHA512,
 					crypto.SHA3_512,
 				}
 			}
 		}
 	}
 	return []crypto.Hash{
 		crypto.SHA256,
 		crypto.SHA384,
 		crypto.SHA512,
 		crypto.SHA3_256,
 		crypto.SHA3_512,
 	}
 }
@@ -0,0 +1,206 @@
 // Copyright 2017 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package ecdh implements ECDH encryption, suitable for OpenPGP,
 // as specified in RFC 6637, section 8.
 package ecdh
 import (
 	"bytes"
 	"errors"
 	"io"
 	"github.com/ProtonMail/go-crypto/openpgp/aes/keywrap"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/algorithm"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/ecc"
 )
 type KDF struct {
 	Hash   algorithm.Hash
 	Cipher algorithm.Cipher
 }
 type PublicKey struct {
 	curve ecc.ECDHCurve
 	Point []byte
 	KDF
 }
 type PrivateKey struct {
 	PublicKey
 	D []byte
 }
 func NewPublicKey(curve ecc.ECDHCurve, kdfHash algorithm.Hash, kdfCipher algorithm.Cipher) *PublicKey {
 	return &PublicKey{
 		curve: curve,
 		KDF: KDF{
 			Hash:   kdfHash,
 			Cipher: kdfCipher,
 		},
 	}
 }
 func NewPrivateKey(key PublicKey) *PrivateKey {
 	return &PrivateKey{
 		PublicKey: key,
 	}
 }
 func (pk *PublicKey) GetCurve() ecc.ECDHCurve {
 	return pk.curve
 }
 func (pk *PublicKey) MarshalPoint() []byte {
 	return pk.curve.MarshalBytePoint(pk.Point)
 }
 func (pk *PublicKey) UnmarshalPoint(p []byte) error {
 	pk.Point = pk.curve.UnmarshalBytePoint(p)
 	if pk.Point == nil {
 		return errors.New("ecdh: failed to parse EC point")
 	}
 	return nil
 }
 func (sk *PrivateKey) MarshalByteSecret() []byte {
 	return sk.curve.MarshalByteSecret(sk.D)
 }
 func (sk *PrivateKey) UnmarshalByteSecret(d []byte) error {
 	sk.D = sk.curve.UnmarshalByteSecret(d)
 	if sk.D == nil {
 		return errors.New("ecdh: failed to parse scalar")
 	}
 	return nil
 }
 func GenerateKey(rand io.Reader, c ecc.ECDHCurve, kdf KDF) (priv *PrivateKey, err error) {
 	priv = new(PrivateKey)
 	priv.PublicKey.curve = c
 	priv.PublicKey.KDF = kdf
 	priv.PublicKey.Point, priv.D, err = c.GenerateECDH(rand)
 	return
 }
 func Encrypt(random io.Reader, pub *PublicKey, msg, curveOID, fingerprint []byte) (vsG, c []byte, err error) {
 	if len(msg) > 40 {
 		return nil, nil, errors.New("ecdh: message too long")
 	}
 	// the sender MAY use 21, 13, and 5 bytes of padding for AES-128,
 	// AES-192, and AES-256, respectively, to provide the same number of
 	// octets, 40 total, as an input to the key wrapping method.
 	padding := make([]byte, 40-len(msg))
 	for i := range padding {
 		padding[i] = byte(40 - len(msg))
 	}
 	m := append(msg, padding...)
 	ephemeral, zb, err := pub.curve.Encaps(random, pub.Point)
 	if err != nil {
 		return nil, nil, err
 	}
 	vsG = pub.curve.MarshalBytePoint(ephemeral)
 	z, err := buildKey(pub, zb, curveOID, fingerprint, false, false)
 	if err != nil {
 		return nil, nil, err
 	}
 	if c, err = keywrap.Wrap(z, m); err != nil {
 		return nil, nil, err
 	}
 	return vsG, c, nil
 }
 func Decrypt(priv *PrivateKey, vsG, c, curveOID, fingerprint []byte) (msg []byte, err error) {
 	var m []byte
 	zb, err := priv.PublicKey.curve.Decaps(priv.curve.UnmarshalBytePoint(vsG), priv.D)
 	// Try buildKey three times to workaround an old bug, see comments in buildKey.
 	for i := 0; i < 3; i++ {
 		var z []byte
 		// RFC6637 §8: "Compute Z = KDF( S, Z_len, Param );"
 		z, err = buildKey(&priv.PublicKey, zb, curveOID, fingerprint, i == 1, i == 2)
 		if err != nil {
 			return nil, err
 		}
 		// RFC6637 §8: "Compute C = AESKeyWrap( Z, c ) as per [RFC3394]"
 		m, err = keywrap.Unwrap(z, c)
 		if err == nil {
 			break
 		}
 	}
 	// Only return an error after we've tried all (required) variants of buildKey.
 	if err != nil {
 		return nil, err
 	}
 	// RFC6637 §8: "m = symm_alg_ID || session key || checksum || pkcs5_padding"
 	// The last byte should be the length of the padding, as per PKCS5; strip it off.
 	return m[:len(m)-int(m[len(m)-1])], nil
 }
 func buildKey(pub *PublicKey, zb []byte, curveOID, fingerprint []byte, stripLeading, stripTrailing bool) ([]byte, error) {
 	// Param = curve_OID_len || curve_OID || public_key_alg_ID || 03
 	//         || 01 || KDF_hash_ID || KEK_alg_ID for AESKeyWrap
 	//         || "Anonymous Sender    " || recipient_fingerprint;
 	param := new(bytes.Buffer)
 	if _, err := param.Write(curveOID); err != nil {
 		return nil, err
 	}
 	algKDF := []byte{18, 3, 1, pub.KDF.Hash.Id(), pub.KDF.Cipher.Id()}
 	if _, err := param.Write(algKDF); err != nil {
 		return nil, err
 	}
 	if _, err := param.Write([]byte("Anonymous Sender    ")); err != nil {
 		return nil, err
 	}
 	if _, err := param.Write(fingerprint[:]); err != nil {
 		return nil, err
 	}
 	// MB = Hash ( 00 || 00 || 00 || 01 || ZB || Param );
 	h := pub.KDF.Hash.New()
 	if _, err := h.Write([]byte{0x0, 0x0, 0x0, 0x1}); err != nil {
 		return nil, err
 	}
 	zbLen := len(zb)
 	i := 0
 	j := zbLen - 1
 	if stripLeading {
 		// Work around old go crypto bug where the leading zeros are missing.
 		for i < zbLen && zb[i] == 0 {
 			i++
 		}
 	}
 	if stripTrailing {
 		// Work around old OpenPGP.js bug where insignificant trailing zeros in
 		// this little-endian number are missing.
 		// (See https://github.com/openpgpjs/openpgpjs/pull/853.)
 		for j >= 0 && zb[j] == 0 {
 			j--
 		}
 	}
 	if _, err := h.Write(zb[i : j+1]); err != nil {
 		return nil, err
 	}
 	if _, err := h.Write(param.Bytes()); err != nil {
 		return nil, err
 	}
 	mb := h.Sum(nil)
 	return mb[:pub.KDF.Cipher.KeySize()], nil // return oBits leftmost bits of MB.
 }
 func Validate(priv *PrivateKey) error {
 	return priv.curve.ValidateECDH(priv.Point, priv.D)
 }
@@ -0,0 +1,80 @@
 // Package ecdsa implements ECDSA signature, suitable for OpenPGP,
 // as specified in RFC 6637, section 5.
 package ecdsa
 import (
 	"errors"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/ecc"
 	"io"
 	"math/big"
 )
 type PublicKey struct {
 	X, Y  *big.Int
 	curve ecc.ECDSACurve
 }
 type PrivateKey struct {
 	PublicKey
 	D *big.Int
 }
 func NewPublicKey(curve ecc.ECDSACurve) *PublicKey {
 	return &PublicKey{
 		curve: curve,
 	}
 }
 func NewPrivateKey(key PublicKey) *PrivateKey {
 	return &PrivateKey{
 		PublicKey: key,
 	}
 }
 func (pk *PublicKey) GetCurve() ecc.ECDSACurve {
 	return pk.curve
 }
 func (pk *PublicKey) MarshalPoint() []byte {
 	return pk.curve.MarshalIntegerPoint(pk.X, pk.Y)
 }
 func (pk *PublicKey) UnmarshalPoint(p []byte) error {
 	pk.X, pk.Y = pk.curve.UnmarshalIntegerPoint(p)
 	if pk.X == nil {
 		return errors.New("ecdsa: failed to parse EC point")
 	}
 	return nil
 }
 func (sk *PrivateKey) MarshalIntegerSecret() []byte {
 	return sk.curve.MarshalIntegerSecret(sk.D)
 }
 func (sk *PrivateKey) UnmarshalIntegerSecret(d []byte) error {
 	sk.D = sk.curve.UnmarshalIntegerSecret(d)
 	if sk.D == nil {
 		return errors.New("ecdsa: failed to parse scalar")
 	}
 	return nil
 }
 func GenerateKey(rand io.Reader, c ecc.ECDSACurve) (priv *PrivateKey, err error) {
 	priv = new(PrivateKey)
 	priv.PublicKey.curve = c
 	priv.PublicKey.X, priv.PublicKey.Y, priv.D, err = c.GenerateECDSA(rand)
 	return
 }
 func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err error) {
 	return priv.PublicKey.curve.Sign(rand, priv.X, priv.Y, priv.D, hash)
 }
 func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
 	return pub.curve.Verify(pub.X, pub.Y, hash, r, s)
 }
 func Validate(priv *PrivateKey) error {
 	return priv.curve.ValidateECDSA(priv.X, priv.Y, priv.D.Bytes())
 }
@@ -0,0 +1,115 @@
 // Package ed25519 implements the ed25519 signature algorithm for OpenPGP
 // as defined in the Open PGP crypto refresh.
 package ed25519
 import (
 	"crypto/subtle"
 	"io"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	ed25519lib "github.com/cloudflare/circl/sign/ed25519"
 )
 const (
 	// PublicKeySize is the size, in bytes, of public keys in this package.
 	PublicKeySize = ed25519lib.PublicKeySize
 	// SeedSize is the size, in bytes, of private key seeds.
 	// The private key representation used by RFC 8032.
 	SeedSize = ed25519lib.SeedSize
 	// SignatureSize is the size, in bytes, of signatures generated and verified by this package.
 	SignatureSize = ed25519lib.SignatureSize
 )
 type PublicKey struct {
 	// Point represents the elliptic curve point of the public key.
 	Point []byte
 }
 type PrivateKey struct {
 	PublicKey
 	// Key the private key representation by RFC 8032,
 	// encoded as seed | pub key point.
 	Key []byte
 }
 // NewPublicKey creates a new empty ed25519 public key.
 func NewPublicKey() *PublicKey {
 	return &PublicKey{}
 }
 // NewPrivateKey creates a new empty private key referencing the public key.
 func NewPrivateKey(key PublicKey) *PrivateKey {
 	return &PrivateKey{
 		PublicKey: key,
 	}
 }
 // Seed returns the ed25519 private key secret seed.
 // The private key representation by RFC 8032.
 func (pk *PrivateKey) Seed() []byte {
 	return pk.Key[:SeedSize]
 }
 // MarshalByteSecret returns the underlying 32 byte seed of the private key.
 func (pk *PrivateKey) MarshalByteSecret() []byte {
 	return pk.Seed()
 }
 // UnmarshalByteSecret computes the private key from the secret seed
 // and stores it in the private key object.
 func (sk *PrivateKey) UnmarshalByteSecret(seed []byte) error {
 	sk.Key = ed25519lib.NewKeyFromSeed(seed)
 	return nil
 }
 // GenerateKey generates a fresh private key with the provided randomness source.
 func GenerateKey(rand io.Reader) (*PrivateKey, error) {
 	publicKey, privateKey, err := ed25519lib.GenerateKey(rand)
 	if err != nil {
 		return nil, err
 	}
 	privateKeyOut := new(PrivateKey)
 	privateKeyOut.PublicKey.Point = publicKey[:]
 	privateKeyOut.Key = privateKey[:]
 	return privateKeyOut, nil
 }
 // Sign signs a message with the ed25519 algorithm.
 // priv MUST be a valid key! Check this with Validate() before use.
 func Sign(priv *PrivateKey, message []byte) ([]byte, error) {
 	return ed25519lib.Sign(priv.Key, message), nil
 }
 // Verify verifies an ed25519 signature.
 func Verify(pub *PublicKey, message []byte, signature []byte) bool {
 	return ed25519lib.Verify(pub.Point, message, signature)
 }
 // Validate checks if the ed25519 private key is valid.
 func Validate(priv *PrivateKey) error {
 	expectedPrivateKey := ed25519lib.NewKeyFromSeed(priv.Seed())
 	if subtle.ConstantTimeCompare(priv.Key, expectedPrivateKey) == 0 {
 		return errors.KeyInvalidError("ed25519: invalid ed25519 secret")
 	}
 	if subtle.ConstantTimeCompare(priv.PublicKey.Point, expectedPrivateKey[SeedSize:]) == 0 {
 		return errors.KeyInvalidError("ed25519: invalid ed25519 public key")
 	}
 	return nil
 }
 // ENCODING/DECODING signature:
 // WriteSignature encodes and writes an ed25519 signature to writer.
 func WriteSignature(writer io.Writer, signature []byte) error {
 	_, err := writer.Write(signature)
 	return err
 }
 // ReadSignature decodes an ed25519 signature from a reader.
 func ReadSignature(reader io.Reader) ([]byte, error) {
 	signature := make([]byte, SignatureSize)
 	if _, err := io.ReadFull(reader, signature); err != nil {
 		return nil, err
 	}
 	return signature, nil
 }
@@ -0,0 +1,119 @@
 // Package ed448 implements the ed448 signature algorithm for OpenPGP
 // as defined in the Open PGP crypto refresh.
 package ed448
 import (
 	"crypto/subtle"
 	"io"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	ed448lib "github.com/cloudflare/circl/sign/ed448"
 )
 const (
 	// PublicKeySize is the size, in bytes, of public keys in this package.
 	PublicKeySize = ed448lib.PublicKeySize
 	// SeedSize is the size, in bytes, of private key seeds.
 	// The private key representation used by RFC 8032.
 	SeedSize = ed448lib.SeedSize
 	// SignatureSize is the size, in bytes, of signatures generated and verified by this package.
 	SignatureSize = ed448lib.SignatureSize
 )
 type PublicKey struct {
 	// Point represents the elliptic curve point of the public key.
 	Point []byte
 }
 type PrivateKey struct {
 	PublicKey
 	// Key the private key representation by RFC 8032,
 	// encoded as seed | public key point.
 	Key []byte
 }
 // NewPublicKey creates a new empty ed448 public key.
 func NewPublicKey() *PublicKey {
 	return &PublicKey{}
 }
 // NewPrivateKey creates a new empty private key referencing the public key.
 func NewPrivateKey(key PublicKey) *PrivateKey {
 	return &PrivateKey{
 		PublicKey: key,
 	}
 }
 // Seed returns the ed448 private key secret seed.
 // The private key representation by RFC 8032.
 func (pk *PrivateKey) Seed() []byte {
 	return pk.Key[:SeedSize]
 }
 // MarshalByteSecret returns the underlying seed of the private key.
 func (pk *PrivateKey) MarshalByteSecret() []byte {
 	return pk.Seed()
 }
 // UnmarshalByteSecret computes the private key from the secret seed
 // and stores it in the private key object.
 func (sk *PrivateKey) UnmarshalByteSecret(seed []byte) error {
 	sk.Key = ed448lib.NewKeyFromSeed(seed)
 	return nil
 }
 // GenerateKey generates a fresh private key with the provided randomness source.
 func GenerateKey(rand io.Reader) (*PrivateKey, error) {
 	publicKey, privateKey, err := ed448lib.GenerateKey(rand)
 	if err != nil {
 		return nil, err
 	}
 	privateKeyOut := new(PrivateKey)
 	privateKeyOut.PublicKey.Point = publicKey[:]
 	privateKeyOut.Key = privateKey[:]
 	return privateKeyOut, nil
 }
 // Sign signs a message with the ed448 algorithm.
 // priv MUST be a valid key! Check this with Validate() before use.
 func Sign(priv *PrivateKey, message []byte) ([]byte, error) {
 	// Ed448 is used with the empty string as a context string.
 	// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-08#section-13.7
 	return ed448lib.Sign(priv.Key, message, ""), nil
 }
 // Verify verifies a ed448 signature
 func Verify(pub *PublicKey, message []byte, signature []byte) bool {
 	// Ed448 is used with the empty string as a context string.
 	// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-08#section-13.7
 	return ed448lib.Verify(pub.Point, message, signature, "")
 }
 // Validate checks if the ed448 private key is valid
 func Validate(priv *PrivateKey) error {
 	expectedPrivateKey := ed448lib.NewKeyFromSeed(priv.Seed())
 	if subtle.ConstantTimeCompare(priv.Key, expectedPrivateKey) == 0 {
 		return errors.KeyInvalidError("ed448: invalid ed448 secret")
 	}
 	if subtle.ConstantTimeCompare(priv.PublicKey.Point, expectedPrivateKey[SeedSize:]) == 0 {
 		return errors.KeyInvalidError("ed448: invalid ed448 public key")
 	}
 	return nil
 }
 // ENCODING/DECODING signature:
 // WriteSignature encodes and writes an ed448 signature to writer.
 func WriteSignature(writer io.Writer, signature []byte) error {
 	_, err := writer.Write(signature)
 	return err
 }
 // ReadSignature decodes an ed448 signature from a reader.
 func ReadSignature(reader io.Reader) ([]byte, error) {
 	signature := make([]byte, SignatureSize)
 	if _, err := io.ReadFull(reader, signature); err != nil {
 		return nil, err
 	}
 	return signature, nil
 }
@@ -0,0 +1,91 @@
 // Package eddsa implements EdDSA signature, suitable for OpenPGP, as specified in
 // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-13.7
 package eddsa
 import (
 	"errors"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/ecc"
 	"io"
 )
 type PublicKey struct {
 	X     []byte
 	curve ecc.EdDSACurve
 }
 type PrivateKey struct {
 	PublicKey
 	D []byte
 }
 func NewPublicKey(curve ecc.EdDSACurve) *PublicKey {
 	return &PublicKey{
 		curve: curve,
 	}
 }
 func NewPrivateKey(key PublicKey) *PrivateKey {
 	return &PrivateKey{
 		PublicKey: key,
 	}
 }
 func (pk *PublicKey) GetCurve() ecc.EdDSACurve {
 	return pk.curve
 }
 func (pk *PublicKey) MarshalPoint() []byte {
 	return pk.curve.MarshalBytePoint(pk.X)
 }
 func (pk *PublicKey) UnmarshalPoint(x []byte) error {
 	pk.X = pk.curve.UnmarshalBytePoint(x)
 	if pk.X == nil {
 		return errors.New("eddsa: failed to parse EC point")
 	}
 	return nil
 }
 func (sk *PrivateKey) MarshalByteSecret() []byte {
 	return sk.curve.MarshalByteSecret(sk.D)
 }
 func (sk *PrivateKey) UnmarshalByteSecret(d []byte) error {
 	sk.D = sk.curve.UnmarshalByteSecret(d)
 	if sk.D == nil {
 		return errors.New("eddsa: failed to parse scalar")
 	}
 	return nil
 }
 func GenerateKey(rand io.Reader, c ecc.EdDSACurve) (priv *PrivateKey, err error) {
 	priv = new(PrivateKey)
 	priv.PublicKey.curve = c
 	priv.PublicKey.X, priv.D, err = c.GenerateEdDSA(rand)
 	return
 }
 func Sign(priv *PrivateKey, message []byte) (r, s []byte, err error) {
 	sig, err := priv.PublicKey.curve.Sign(priv.PublicKey.X, priv.D, message)
 	if err != nil {
 		return nil, nil, err
 	}
 	r, s = priv.PublicKey.curve.MarshalSignature(sig)
 	return
 }
 func Verify(pub *PublicKey, message, r, s []byte) bool {
 	sig := pub.curve.UnmarshalSignature(r, s)
 	if sig == nil {
 		return false
 	}
 	return pub.curve.Verify(pub.X, message, sig)
 }
 func Validate(priv *PrivateKey) error {
 	return priv.curve.ValidateEdDSA(priv.PublicKey.X, priv.D)
 }
@@ -0,0 +1,124 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package elgamal implements ElGamal encryption, suitable for OpenPGP,
 // as specified in "A Public-Key Cryptosystem and a Signature Scheme Based on
 // Discrete Logarithms," IEEE Transactions on Information Theory, v. IT-31,
 // n. 4, 1985, pp. 469-472.
 //
 // This form of ElGamal embeds PKCS#1 v1.5 padding, which may make it
 // unsuitable for other protocols. RSA should be used in preference in any
 // case.
 package elgamal // import "github.com/ProtonMail/go-crypto/openpgp/elgamal"
 import (
 	"crypto/rand"
 	"crypto/subtle"
 	"errors"
 	"io"
 	"math/big"
 )
 // PublicKey represents an ElGamal public key.
 type PublicKey struct {
 	G, P, Y *big.Int
 }
 // PrivateKey represents an ElGamal private key.
 type PrivateKey struct {
 	PublicKey
 	X *big.Int
 }
 // Encrypt encrypts the given message to the given public key. The result is a
 // pair of integers. Errors can result from reading random, or because msg is
 // too large to be encrypted to the public key.
 func Encrypt(random io.Reader, pub *PublicKey, msg []byte) (c1, c2 *big.Int, err error) {
 	pLen := (pub.P.BitLen() + 7) / 8
 	if len(msg) > pLen-11 {
 		err = errors.New("elgamal: message too long")
 		return
 	}
 	// EM = 0x02 || PS || 0x00 || M
 	em := make([]byte, pLen-1)
 	em[0] = 2
 	ps, mm := em[1:len(em)-len(msg)-1], em[len(em)-len(msg):]
 	err = nonZeroRandomBytes(ps, random)
 	if err != nil {
 		return
 	}
 	em[len(em)-len(msg)-1] = 0
 	copy(mm, msg)
 	m := new(big.Int).SetBytes(em)
 	k, err := rand.Int(random, pub.P)
 	if err != nil {
 		return
 	}
 	c1 = new(big.Int).Exp(pub.G, k, pub.P)
 	s := new(big.Int).Exp(pub.Y, k, pub.P)
 	c2 = s.Mul(s, m)
 	c2.Mod(c2, pub.P)
 	return
 }
 // Decrypt takes two integers, resulting from an ElGamal encryption, and
 // returns the plaintext of the message. An error can result only if the
 // ciphertext is invalid. Users should keep in mind that this is a padding
 // oracle and thus, if exposed to an adaptive chosen ciphertext attack, can
 // be used to break the cryptosystem.  See “Chosen Ciphertext Attacks
 // Against Protocols Based on the RSA Encryption Standard PKCS #1”, Daniel
 // Bleichenbacher, Advances in Cryptology (Crypto '98),
 func Decrypt(priv *PrivateKey, c1, c2 *big.Int) (msg []byte, err error) {
 	s := new(big.Int).Exp(c1, priv.X, priv.P)
 	if s.ModInverse(s, priv.P) == nil {
 		return nil, errors.New("elgamal: invalid private key")
 	}
 	s.Mul(s, c2)
 	s.Mod(s, priv.P)
 	em := s.Bytes()
 	firstByteIsTwo := subtle.ConstantTimeByteEq(em[0], 2)
 	// The remainder of the plaintext must be a string of non-zero random
 	// octets, followed by a 0, followed by the message.
 	//   lookingForIndex: 1 iff we are still looking for the zero.
 	//   index: the offset of the first zero byte.
 	var lookingForIndex, index int
 	lookingForIndex = 1
 	for i := 1; i < len(em); i++ {
 		equals0 := subtle.ConstantTimeByteEq(em[i], 0)
 		index = subtle.ConstantTimeSelect(lookingForIndex&equals0, i, index)
 		lookingForIndex = subtle.ConstantTimeSelect(equals0, 0, lookingForIndex)
 	}
 	if firstByteIsTwo != 1 || lookingForIndex != 0 || index < 9 {
 		return nil, errors.New("elgamal: decryption error")
 	}
 	return em[index+1:], nil
 }
 // nonZeroRandomBytes fills the given slice with non-zero random octets.
 func nonZeroRandomBytes(s []byte, rand io.Reader) (err error) {
 	_, err = io.ReadFull(rand, s)
 	if err != nil {
 		return
 	}
 	for i := 0; i < len(s); i++ {
 		for s[i] == 0 {
 			_, err = io.ReadFull(rand, s[i:i+1])
 			if err != nil {
 				return
 			}
 		}
 	}
 	return
 }
@@ -0,0 +1,210 @@
 // Copyright 2010 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package errors contains common error types for the OpenPGP packages.
 package errors // import "github.com/ProtonMail/go-crypto/openpgp/errors"
 import (
 	"fmt"
 	"strconv"
 )
 var (
 	// ErrDecryptSessionKeyParsing is a generic error message for parsing errors in decrypted data
 	// to reduce the risk of oracle attacks.
 	ErrDecryptSessionKeyParsing = DecryptWithSessionKeyError("parsing error")
 	// ErrAEADTagVerification is returned if one of the tag verifications in SEIPDv2 fails
 	ErrAEADTagVerification error = DecryptWithSessionKeyError("AEAD tag verification failed")
 	// ErrMDCHashMismatch
 	ErrMDCHashMismatch error = SignatureError("MDC hash mismatch")
 	// ErrMDCMissing
 	ErrMDCMissing error = SignatureError("MDC packet not found")
 )
 // A StructuralError is returned when OpenPGP data is found to be syntactically
 // invalid.
 type StructuralError string
 func (s StructuralError) Error() string {
 	return "openpgp: invalid data: " + string(s)
 }
 // A DecryptWithSessionKeyError is returned when a failure occurs when reading from symmetrically decrypted data or
 // an authentication tag verification fails.
 // Such an error indicates that the supplied session key is likely wrong or the data got corrupted.
 type DecryptWithSessionKeyError string
 func (s DecryptWithSessionKeyError) Error() string {
 	return "openpgp: decryption with session key failed: " + string(s)
 }
 // HandleSensitiveParsingError handles parsing errors when reading data from potentially decrypted data.
 // The function makes parsing errors generic to reduce the risk of oracle attacks in SEIPDv1.
 func HandleSensitiveParsingError(err error, decrypted bool) error {
 	if !decrypted {
 		// Data was not encrypted so we return the inner error.
 		return err
 	}
 	// The data is read from a stream that decrypts using a session key;
 	// therefore, we need to handle parsing errors appropriately.
 	// This is essential to mitigate the risk of oracle attacks.
 	if decError, ok := err.(*DecryptWithSessionKeyError); ok {
 		return decError
 	}
 	if decError, ok := err.(DecryptWithSessionKeyError); ok {
 		return decError
 	}
 	return ErrDecryptSessionKeyParsing
 }
 // UnsupportedError indicates that, although the OpenPGP data is valid, it
 // makes use of currently unimplemented features.
 type UnsupportedError string
 func (s UnsupportedError) Error() string {
 	return "openpgp: unsupported feature: " + string(s)
 }
 // InvalidArgumentError indicates that the caller is in error and passed an
 // incorrect value.
 type InvalidArgumentError string
 func (i InvalidArgumentError) Error() string {
 	return "openpgp: invalid argument: " + string(i)
 }
 // SignatureError indicates that a syntactically valid signature failed to
 // validate.
 type SignatureError string
 func (b SignatureError) Error() string {
 	return "openpgp: invalid signature: " + string(b)
 }
 type signatureExpiredError int
 func (se signatureExpiredError) Error() string {
 	return "openpgp: signature expired"
 }
 var ErrSignatureExpired error = signatureExpiredError(0)
 type keyExpiredError int
 func (ke keyExpiredError) Error() string {
 	return "openpgp: key expired"
 }
 var ErrSignatureOlderThanKey error = signatureOlderThanKeyError(0)
 type signatureOlderThanKeyError int
 func (ske signatureOlderThanKeyError) Error() string {
 	return "openpgp: signature is older than the key"
 }
 var ErrKeyExpired error = keyExpiredError(0)
 type keyIncorrectError int
 func (ki keyIncorrectError) Error() string {
 	return "openpgp: incorrect key"
 }
 var ErrKeyIncorrect error = keyIncorrectError(0)
 // KeyInvalidError indicates that the public key parameters are invalid
 // as they do not match the private ones
 type KeyInvalidError string
 func (e KeyInvalidError) Error() string {
 	return "openpgp: invalid key: " + string(e)
 }
 type unknownIssuerError int
 func (unknownIssuerError) Error() string {
 	return "openpgp: signature made by unknown entity"
 }
 var ErrUnknownIssuer error = unknownIssuerError(0)
 type keyRevokedError int
 func (keyRevokedError) Error() string {
 	return "openpgp: signature made by revoked key"
 }
 var ErrKeyRevoked error = keyRevokedError(0)
 type WeakAlgorithmError string
 func (e WeakAlgorithmError) Error() string {
 	return "openpgp: weak algorithms are rejected: " + string(e)
 }
 type UnknownPacketTypeError uint8
 func (upte UnknownPacketTypeError) Error() string {
 	return "openpgp: unknown packet type: " + strconv.Itoa(int(upte))
 }
 type CriticalUnknownPacketTypeError uint8
 func (upte CriticalUnknownPacketTypeError) Error() string {
 	return "openpgp: unknown critical packet type: " + strconv.Itoa(int(upte))
 }
 // AEADError indicates that there is a problem when initializing or using a
 // AEAD instance, configuration struct, nonces or index values.
 type AEADError string
 func (ae AEADError) Error() string {
 	return "openpgp: aead error: " + string(ae)
 }
 // ErrDummyPrivateKey results when operations are attempted on a private key
 // that is just a dummy key. See
 // https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS;h=fe55ae16ab4e26d8356dc574c9e8bc935e71aef1;hb=23191d7851eae2217ecdac6484349849a24fd94a#l1109
 type ErrDummyPrivateKey string
 func (dke ErrDummyPrivateKey) Error() string {
 	return "openpgp: s2k GNU dummy key: " + string(dke)
 }
 // ErrMalformedMessage results when the packet sequence is incorrect
 type ErrMalformedMessage string
 func (dke ErrMalformedMessage) Error() string {
 	return "openpgp: malformed message " + string(dke)
 }
 type messageTooLargeError int
 func (e messageTooLargeError) Error() string {
 	return "openpgp: decompressed message size exceeds provided limit"
 }
 // ErrMessageTooLarge is returned if the read data from
 // a compressed packet exceeds the provided limit.
 var ErrMessageTooLarge error = messageTooLargeError(0)
 // ErrEncryptionKeySelection is returned if encryption key selection fails (v2 API).
 type ErrEncryptionKeySelection struct {
 	PrimaryKeyId      string
 	PrimaryKeyErr     error
 	EncSelectionKeyId *string
 	EncSelectionErr   error
 }
 func (eks ErrEncryptionKeySelection) Error() string {
 	prefix := fmt.Sprintf("openpgp: key selection for primary key %s:", eks.PrimaryKeyId)
 	if eks.PrimaryKeyErr != nil {
 		return fmt.Sprintf("%s invalid primary key: %s", prefix, eks.PrimaryKeyErr)
 	}
 	if eks.EncSelectionKeyId != nil {
 		return fmt.Sprintf("%s invalid encryption key %s: %s", prefix, *eks.EncSelectionKeyId, eks.EncSelectionErr)
 	}
 	return fmt.Sprintf("%s no encryption key: %s", prefix, eks.EncSelectionErr)
 }
@@ -0,0 +1,24 @@
 package openpgp
 import (
 	"crypto"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/algorithm"
 )
 // HashIdToHash returns a crypto.Hash which corresponds to the given OpenPGP
 // hash id.
 func HashIdToHash(id byte) (h crypto.Hash, ok bool) {
 	return algorithm.HashIdToHash(id)
 }
 // HashIdToString returns the name of the hash function corresponding to the
 // given OpenPGP hash id.
 func HashIdToString(id byte) (name string, ok bool) {
 	return algorithm.HashIdToString(id)
 }
 // HashToHashId returns an OpenPGP hash id which corresponds the given Hash.
 func HashToHashId(h crypto.Hash) (id byte, ok bool) {
 	return algorithm.HashToHashId(h)
 }
@@ -0,0 +1,65 @@
 // Copyright (C) 2019 ProtonTech AG
 package algorithm
 import (
 	"crypto/cipher"
 	"github.com/ProtonMail/go-crypto/eax"
 	"github.com/ProtonMail/go-crypto/ocb"
 )
 // AEADMode defines the Authenticated Encryption with Associated Data mode of
 // operation.
 type AEADMode uint8
 // Supported modes of operation (see RFC4880bis [EAX] and RFC7253)
 const (
 	AEADModeEAX = AEADMode(1)
 	AEADModeOCB = AEADMode(2)
 	AEADModeGCM = AEADMode(3)
 )
 // TagLength returns the length in bytes of authentication tags.
 func (mode AEADMode) TagLength() int {
 	switch mode {
 	case AEADModeEAX:
 		return 16
 	case AEADModeOCB:
 		return 16
 	case AEADModeGCM:
 		return 16
 	default:
 		return 0
 	}
 }
 // NonceLength returns the length in bytes of nonces.
 func (mode AEADMode) NonceLength() int {
 	switch mode {
 	case AEADModeEAX:
 		return 16
 	case AEADModeOCB:
 		return 15
 	case AEADModeGCM:
 		return 12
 	default:
 		return 0
 	}
 }
 // New returns a fresh instance of the given mode
 func (mode AEADMode) New(block cipher.Block) (alg cipher.AEAD) {
 	var err error
 	switch mode {
 	case AEADModeEAX:
 		alg, err = eax.NewEAX(block)
 	case AEADModeOCB:
 		alg, err = ocb.NewOCB(block)
 	case AEADModeGCM:
 		alg, err = cipher.NewGCM(block)
 	}
 	if err != nil {
 		panic(err.Error())
 	}
 	return alg
 }
@@ -0,0 +1,97 @@
 // Copyright 2017 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package algorithm
 import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/des"
 	"golang.org/x/crypto/cast5"
 )
 // Cipher is an official symmetric key cipher algorithm. See RFC 4880,
 // section 9.2.
 type Cipher interface {
 	// Id returns the algorithm ID, as a byte, of the cipher.
 	Id() uint8
 	// KeySize returns the key size, in bytes, of the cipher.
 	KeySize() int
 	// BlockSize returns the block size, in bytes, of the cipher.
 	BlockSize() int
 	// New returns a fresh instance of the given cipher.
 	New(key []byte) cipher.Block
 }
 // The following constants mirror the OpenPGP standard (RFC 4880).
 const (
 	TripleDES = CipherFunction(2)
 	CAST5     = CipherFunction(3)
 	AES128    = CipherFunction(7)
 	AES192    = CipherFunction(8)
 	AES256    = CipherFunction(9)
 )
 // CipherById represents the different block ciphers specified for OpenPGP. See
 // http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-13
 var CipherById = map[uint8]Cipher{
 	TripleDES.Id(): TripleDES,
 	CAST5.Id():     CAST5,
 	AES128.Id():    AES128,
 	AES192.Id():    AES192,
 	AES256.Id():    AES256,
 }
 type CipherFunction uint8
 // ID returns the algorithm Id, as a byte, of cipher.
 func (sk CipherFunction) Id() uint8 {
 	return uint8(sk)
 }
 // KeySize returns the key size, in bytes, of cipher.
 func (cipher CipherFunction) KeySize() int {
 	switch cipher {
 	case CAST5:
 		return cast5.KeySize
 	case AES128:
 		return 16
 	case AES192, TripleDES:
 		return 24
 	case AES256:
 		return 32
 	}
 	return 0
 }
 // BlockSize returns the block size, in bytes, of cipher.
 func (cipher CipherFunction) BlockSize() int {
 	switch cipher {
 	case TripleDES:
 		return des.BlockSize
 	case CAST5:
 		return 8
 	case AES128, AES192, AES256:
 		return 16
 	}
 	return 0
 }
 // New returns a fresh instance of the given cipher.
 func (cipher CipherFunction) New(key []byte) (block cipher.Block) {
 	var err error
 	switch cipher {
 	case TripleDES:
 		block, err = des.NewTripleDESCipher(key)
 	case CAST5:
 		block, err = cast5.NewCipher(key)
 	case AES128, AES192, AES256:
 		block, err = aes.NewCipher(key)
 	}
 	if err != nil {
 		panic(err.Error())
 	}
 	return
 }
@@ -0,0 +1,143 @@
 // Copyright 2017 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package algorithm
 import (
 	"crypto"
 	"fmt"
 	"hash"
 )
 // Hash is an official hash function algorithm. See RFC 4880, section 9.4.
 type Hash interface {
 	// Id returns the algorithm ID, as a byte, of Hash.
 	Id() uint8
 	// Available reports whether the given hash function is linked into the binary.
 	Available() bool
 	// HashFunc simply returns the value of h so that Hash implements SignerOpts.
 	HashFunc() crypto.Hash
 	// New returns a new hash.Hash calculating the given hash function. New
 	// panics if the hash function is not linked into the binary.
 	New() hash.Hash
 	// Size returns the length, in bytes, of a digest resulting from the given
 	// hash function. It doesn't require that the hash function in question be
 	// linked into the program.
 	Size() int
 	// String is the name of the hash function corresponding to the given
 	// OpenPGP hash id.
 	String() string
 }
 // The following vars mirror the crypto/Hash supported hash functions.
 var (
 	SHA1     Hash = cryptoHash{2, crypto.SHA1}
 	SHA256   Hash = cryptoHash{8, crypto.SHA256}
 	SHA384   Hash = cryptoHash{9, crypto.SHA384}
 	SHA512   Hash = cryptoHash{10, crypto.SHA512}
 	SHA224   Hash = cryptoHash{11, crypto.SHA224}
 	SHA3_256 Hash = cryptoHash{12, crypto.SHA3_256}
 	SHA3_512 Hash = cryptoHash{14, crypto.SHA3_512}
 )
 // HashById represents the different hash functions specified for OpenPGP. See
 // http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-14
 var (
 	HashById = map[uint8]Hash{
 		SHA256.Id():   SHA256,
 		SHA384.Id():   SHA384,
 		SHA512.Id():   SHA512,
 		SHA224.Id():   SHA224,
 		SHA3_256.Id(): SHA3_256,
 		SHA3_512.Id(): SHA3_512,
 	}
 )
 // cryptoHash contains pairs relating OpenPGP's hash identifier with
 // Go's crypto.Hash type. See RFC 4880, section 9.4.
 type cryptoHash struct {
 	id uint8
 	crypto.Hash
 }
 // Id returns the algorithm ID, as a byte, of cryptoHash.
 func (h cryptoHash) Id() uint8 {
 	return h.id
 }
 var hashNames = map[uint8]string{
 	SHA256.Id():   "SHA256",
 	SHA384.Id():   "SHA384",
 	SHA512.Id():   "SHA512",
 	SHA224.Id():   "SHA224",
 	SHA3_256.Id(): "SHA3-256",
 	SHA3_512.Id(): "SHA3-512",
 }
 func (h cryptoHash) String() string {
 	s, ok := hashNames[h.id]
 	if !ok {
 		panic(fmt.Sprintf("Unsupported hash function %d", h.id))
 	}
 	return s
 }
 // HashIdToHash returns a crypto.Hash which corresponds to the given OpenPGP
 // hash id.
 func HashIdToHash(id byte) (h crypto.Hash, ok bool) {
 	if hash, ok := HashById[id]; ok {
 		return hash.HashFunc(), true
 	}
 	return 0, false
 }
 // HashIdToHashWithSha1 returns a crypto.Hash which corresponds to the given OpenPGP
 // hash id, allowing sha1.
 func HashIdToHashWithSha1(id byte) (h crypto.Hash, ok bool) {
 	if hash, ok := HashById[id]; ok {
 		return hash.HashFunc(), true
 	}
 	if id == SHA1.Id() {
 		return SHA1.HashFunc(), true
 	}
 	return 0, false
 }
 // HashIdToString returns the name of the hash function corresponding to the
 // given OpenPGP hash id.
 func HashIdToString(id byte) (name string, ok bool) {
 	if hash, ok := HashById[id]; ok {
 		return hash.String(), true
 	}
 	return "", false
 }
 // HashToHashId returns an OpenPGP hash id which corresponds the given Hash.
 func HashToHashId(h crypto.Hash) (id byte, ok bool) {
 	for id, hash := range HashById {
 		if hash.HashFunc() == h {
 			return id, true
 		}
 	}
 	return 0, false
 }
 // HashToHashIdWithSha1 returns an OpenPGP hash id which corresponds the given Hash,
 // allowing instances of SHA1
 func HashToHashIdWithSha1(h crypto.Hash) (id byte, ok bool) {
 	for id, hash := range HashById {
 		if hash.HashFunc() == h {
 			return id, true
 		}
 	}
 	if h == SHA1.HashFunc() {
 		return SHA1.Id(), true
 	}
 	return 0, false
 }
@@ -0,0 +1,171 @@
 // Package ecc implements a generic interface for ECDH, ECDSA, and EdDSA.
 package ecc
 import (
 	"crypto/subtle"
 	"io"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	x25519lib "github.com/cloudflare/circl/dh/x25519"
 )
 type curve25519 struct{}
 func NewCurve25519() *curve25519 {
 	return &curve25519{}
 }
 func (c *curve25519) GetCurveName() string {
 	return "curve25519"
 }
 // MarshalBytePoint encodes the public point from native format, adding the prefix.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6
 func (c *curve25519) MarshalBytePoint(point []byte) []byte {
 	return append([]byte{0x40}, point...)
 }
 // UnmarshalBytePoint decodes the public point to native format, removing the prefix.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6
 func (c *curve25519) UnmarshalBytePoint(point []byte) []byte {
 	if len(point) != x25519lib.Size+1 {
 		return nil
 	}
 	// Remove prefix
 	return point[1:]
 }
 // MarshalByteSecret encodes the secret scalar from native format.
 // Note that the EC secret scalar differs from the definition of public keys in
 // [Curve25519] in two ways: (1) the byte-ordering is big-endian, which is
 // more uniform with how big integers are represented in OpenPGP, and (2) the
 // leading zeros are truncated.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6.1.1
 // Note that leading zero bytes are stripped later when encoding as an MPI.
 func (c *curve25519) MarshalByteSecret(secret []byte) []byte {
 	d := make([]byte, x25519lib.Size)
 	copyReversed(d, secret)
 	// The following ensures that the private key is a number of the form
 	// 2^{254} + 8 * [0, 2^{251}), in order to avoid the small subgroup of
 	// the curve.
 	//
 	// This masking is done internally in the underlying lib and so is unnecessary
 	// for security, but OpenPGP implementations require that private keys be
 	// pre-masked.
 	d[0] &= 127
 	d[0] |= 64
 	d[31] &= 248
 	return d
 }
 // UnmarshalByteSecret decodes the secret scalar from native format.
 // Note that the EC secret scalar differs from the definition of public keys in
 // [Curve25519] in two ways: (1) the byte-ordering is big-endian, which is
 // more uniform with how big integers are represented in OpenPGP, and (2) the
 // leading zeros are truncated.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6.1.1
 func (c *curve25519) UnmarshalByteSecret(d []byte) []byte {
 	if len(d) > x25519lib.Size {
 		return nil
 	}
 	// Ensure truncated leading bytes are re-added
 	secret := make([]byte, x25519lib.Size)
 	copyReversed(secret, d)
 	return secret
 }
 // generateKeyPairBytes Generates a private-public key-pair.
 // 'priv' is a private key; a little-endian scalar belonging to the set
 // 2^{254} + 8 * [0, 2^{251}), in order to avoid the small subgroup of the
 // curve. 'pub' is simply 'priv' * G where G is the base point.
 // See https://cr.yp.to/ecdh.html and RFC7748, sec 5.
 func (c *curve25519) generateKeyPairBytes(rand io.Reader) (priv, pub x25519lib.Key, err error) {
 	_, err = io.ReadFull(rand, priv[:])
 	if err != nil {
 		return
 	}
 	x25519lib.KeyGen(&pub, &priv)
 	return
 }
 func (c *curve25519) GenerateECDH(rand io.Reader) (point []byte, secret []byte, err error) {
 	priv, pub, err := c.generateKeyPairBytes(rand)
 	if err != nil {
 		return
 	}
 	return pub[:], priv[:], nil
 }
 func (c *genericCurve) MaskSecret(secret []byte) []byte {
 	return secret
 }
 func (c *curve25519) Encaps(rand io.Reader, point []byte) (ephemeral, sharedSecret []byte, err error) {
 	// RFC6637 §8: "Generate an ephemeral key pair {v, V=vG}"
 	// ephemeralPrivate corresponds to `v`.
 	// ephemeralPublic corresponds to `V`.
 	ephemeralPrivate, ephemeralPublic, err := c.generateKeyPairBytes(rand)
 	if err != nil {
 		return nil, nil, err
 	}
 	// RFC6637 §8: "Obtain the authenticated recipient public key R"
 	// pubKey corresponds to `R`.
 	var pubKey x25519lib.Key
 	copy(pubKey[:], point)
 	// RFC6637 §8: "Compute the shared point S = vR"
 	//	"VB = convert point V to the octet string"
 	// sharedPoint corresponds to `VB`.
 	var sharedPoint x25519lib.Key
 	x25519lib.Shared(&sharedPoint, &ephemeralPrivate, &pubKey)
 	return ephemeralPublic[:], sharedPoint[:], nil
 }
 func (c *curve25519) Decaps(vsG, secret []byte) (sharedSecret []byte, err error) {
 	var ephemeralPublic, decodedPrivate, sharedPoint x25519lib.Key
 	// RFC6637 §8: "The decryption is the inverse of the method given."
 	// All quoted descriptions in comments below describe encryption, and
 	// the reverse is performed.
 	// vsG corresponds to `VB` in RFC6637 §8 .
 	// RFC6637 §8: "VB = convert point V to the octet string"
 	copy(ephemeralPublic[:], vsG)
 	// decodedPrivate corresponds to `r` in RFC6637 §8 .
 	copy(decodedPrivate[:], secret)
 	// RFC6637 §8: "Note that the recipient obtains the shared secret by calculating
 	//   S = rV = rvG, where (r,R) is the recipient's key pair."
 	// sharedPoint corresponds to `S`.
 	x25519lib.Shared(&sharedPoint, &decodedPrivate, &ephemeralPublic)
 	return sharedPoint[:], nil
 }
 func (c *curve25519) ValidateECDH(point []byte, secret []byte) (err error) {
 	var pk, sk x25519lib.Key
 	copy(sk[:], secret)
 	x25519lib.KeyGen(&pk, &sk)
 	if subtle.ConstantTimeCompare(point, pk[:]) == 0 {
 		return errors.KeyInvalidError("ecc: invalid curve25519 public point")
 	}
 	return nil
 }
 func copyReversed(out []byte, in []byte) {
 	l := len(in)
 	for i := 0; i < l; i++ {
 		out[i] = in[l-i-1]
 	}
 }
@@ -0,0 +1,143 @@
 // Package ecc implements a generic interface for ECDH, ECDSA, and EdDSA.
 package ecc
 import (
 	"bytes"
 	"crypto/elliptic"
 	"github.com/ProtonMail/go-crypto/bitcurves"
 	"github.com/ProtonMail/go-crypto/brainpool"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/encoding"
 )
 const Curve25519GenName = "Curve25519"
 type CurveInfo struct {
 	GenName string
 	Oid     *encoding.OID
 	Curve   Curve
 }
 var Curves = []CurveInfo{
 	{
 		// NIST P-256
 		GenName: "P256",
 		Oid:     encoding.NewOID([]byte{0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07}),
 		Curve:   NewGenericCurve(elliptic.P256()),
 	},
 	{
 		// NIST P-384
 		GenName: "P384",
 		Oid:     encoding.NewOID([]byte{0x2B, 0x81, 0x04, 0x00, 0x22}),
 		Curve:   NewGenericCurve(elliptic.P384()),
 	},
 	{
 		// NIST P-521
 		GenName: "P521",
 		Oid:     encoding.NewOID([]byte{0x2B, 0x81, 0x04, 0x00, 0x23}),
 		Curve:   NewGenericCurve(elliptic.P521()),
 	},
 	{
 		// SecP256k1
 		GenName: "SecP256k1",
 		Oid:     encoding.NewOID([]byte{0x2B, 0x81, 0x04, 0x00, 0x0A}),
 		Curve:   NewGenericCurve(bitcurves.S256()),
 	},
 	{
 		// Curve25519
 		GenName: Curve25519GenName,
 		Oid:     encoding.NewOID([]byte{0x2B, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55, 0x01, 0x05, 0x01}),
 		Curve:   NewCurve25519(),
 	},
 	{
 		// x448
 		GenName: "Curve448",
 		Oid:     encoding.NewOID([]byte{0x2B, 0x65, 0x6F}),
 		Curve:   NewX448(),
 	},
 	{
 		// Ed25519
 		GenName: Curve25519GenName,
 		Oid:     encoding.NewOID([]byte{0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01}),
 		Curve:   NewEd25519(),
 	},
 	{
 		// Ed448
 		GenName: "Curve448",
 		Oid:     encoding.NewOID([]byte{0x2B, 0x65, 0x71}),
 		Curve:   NewEd448(),
 	},
 	{
 		// BrainpoolP256r1
 		GenName: "BrainpoolP256",
 		Oid:     encoding.NewOID([]byte{0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x07}),
 		Curve:   NewGenericCurve(brainpool.P256r1()),
 	},
 	{
 		// BrainpoolP384r1
 		GenName: "BrainpoolP384",
 		Oid:     encoding.NewOID([]byte{0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0B}),
 		Curve:   NewGenericCurve(brainpool.P384r1()),
 	},
 	{
 		// BrainpoolP512r1
 		GenName: "BrainpoolP512",
 		Oid:     encoding.NewOID([]byte{0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0D}),
 		Curve:   NewGenericCurve(brainpool.P512r1()),
 	},
 }
 func FindByCurve(curve Curve) *CurveInfo {
 	for _, curveInfo := range Curves {
 		if curveInfo.Curve.GetCurveName() == curve.GetCurveName() {
 			return &curveInfo
 		}
 	}
 	return nil
 }
 func FindByOid(oid encoding.Field) *CurveInfo {
 	var rawBytes = oid.Bytes()
 	for _, curveInfo := range Curves {
 		if bytes.Equal(curveInfo.Oid.Bytes(), rawBytes) {
 			return &curveInfo
 		}
 	}
 	return nil
 }
 func FindEdDSAByGenName(curveGenName string) EdDSACurve {
 	for _, curveInfo := range Curves {
 		if curveInfo.GenName == curveGenName {
 			curve, ok := curveInfo.Curve.(EdDSACurve)
 			if ok {
 				return curve
 			}
 		}
 	}
 	return nil
 }
 func FindECDSAByGenName(curveGenName string) ECDSACurve {
 	for _, curveInfo := range Curves {
 		if curveInfo.GenName == curveGenName {
 			curve, ok := curveInfo.Curve.(ECDSACurve)
 			if ok {
 				return curve
 			}
 		}
 	}
 	return nil
 }
 func FindECDHByGenName(curveGenName string) ECDHCurve {
 	for _, curveInfo := range Curves {
 		if curveInfo.GenName == curveGenName {
 			curve, ok := curveInfo.Curve.(ECDHCurve)
 			if ok {
 				return curve
 			}
 		}
 	}
 	return nil
 }
@@ -0,0 +1,48 @@
 // Package ecc implements a generic interface for ECDH, ECDSA, and EdDSA.
 package ecc
 import (
 	"io"
 	"math/big"
 )
 type Curve interface {
 	GetCurveName() string
 }
 type ECDSACurve interface {
 	Curve
 	MarshalIntegerPoint(x, y *big.Int) []byte
 	UnmarshalIntegerPoint([]byte) (x, y *big.Int)
 	MarshalIntegerSecret(d *big.Int) []byte
 	UnmarshalIntegerSecret(d []byte) *big.Int
 	GenerateECDSA(rand io.Reader) (x, y, secret *big.Int, err error)
 	Sign(rand io.Reader, x, y, d *big.Int, hash []byte) (r, s *big.Int, err error)
 	Verify(x, y *big.Int, hash []byte, r, s *big.Int) bool
 	ValidateECDSA(x, y *big.Int, secret []byte) error
 }
 type EdDSACurve interface {
 	Curve
 	MarshalBytePoint(x []byte) []byte
 	UnmarshalBytePoint([]byte) (x []byte)
 	MarshalByteSecret(d []byte) []byte
 	UnmarshalByteSecret(d []byte) []byte
 	MarshalSignature(sig []byte) (r, s []byte)
 	UnmarshalSignature(r, s []byte) (sig []byte)
 	GenerateEdDSA(rand io.Reader) (pub, priv []byte, err error)
 	Sign(publicKey, privateKey, message []byte) (sig []byte, err error)
 	Verify(publicKey, message, sig []byte) bool
 	ValidateEdDSA(publicKey, privateKey []byte) (err error)
 }
 type ECDHCurve interface {
 	Curve
 	MarshalBytePoint([]byte) (encoded []byte)
 	UnmarshalBytePoint(encoded []byte) []byte
 	MarshalByteSecret(d []byte) []byte
 	UnmarshalByteSecret(d []byte) []byte
 	GenerateECDH(rand io.Reader) (point []byte, secret []byte, err error)
 	Encaps(rand io.Reader, point []byte) (ephemeral, sharedSecret []byte, err error)
 	Decaps(ephemeral, secret []byte) (sharedSecret []byte, err error)
 	ValidateECDH(public []byte, secret []byte) error
 }
@@ -0,0 +1,120 @@
 // Package ecc implements a generic interface for ECDH, ECDSA, and EdDSA.
 package ecc
 import (
 	"bytes"
 	"crypto/subtle"
 	"io"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	ed25519lib "github.com/cloudflare/circl/sign/ed25519"
 )
 const ed25519Size = 32
 type ed25519 struct{}
 func NewEd25519() *ed25519 {
 	return &ed25519{}
 }
 func (c *ed25519) GetCurveName() string {
 	return "ed25519"
 }
 // MarshalBytePoint encodes the public point from native format, adding the prefix.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
 func (c *ed25519) MarshalBytePoint(x []byte) []byte {
 	return append([]byte{0x40}, x...)
 }
 // UnmarshalBytePoint decodes a point from prefixed format to native.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
 func (c *ed25519) UnmarshalBytePoint(point []byte) (x []byte) {
 	if len(point) != ed25519lib.PublicKeySize+1 {
 		return nil
 	}
 	// Return unprefixed
 	return point[1:]
 }
 // MarshalByteSecret encodes a scalar in native format.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
 func (c *ed25519) MarshalByteSecret(d []byte) []byte {
 	return d
 }
 // UnmarshalByteSecret decodes a scalar in native format and re-adds the stripped leading zeroes
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
 func (c *ed25519) UnmarshalByteSecret(s []byte) (d []byte) {
 	if len(s) > ed25519lib.SeedSize {
 		return nil
 	}
 	// Handle stripped leading zeroes
 	d = make([]byte, ed25519lib.SeedSize)
 	copy(d[ed25519lib.SeedSize-len(s):], s)
 	return
 }
 // MarshalSignature splits a signature in R and S.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.2.3.3.1
 func (c *ed25519) MarshalSignature(sig []byte) (r, s []byte) {
 	return sig[:ed25519Size], sig[ed25519Size:]
 }
 // UnmarshalSignature decodes R and S in the native format, re-adding the stripped leading zeroes
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.2.3.3.1
 func (c *ed25519) UnmarshalSignature(r, s []byte) (sig []byte) {
 	// Check size
 	if len(r) > 32 || len(s) > 32 {
 		return nil
 	}
 	sig = make([]byte, ed25519lib.SignatureSize)
 	// Handle stripped leading zeroes
 	copy(sig[ed25519Size-len(r):ed25519Size], r)
 	copy(sig[ed25519lib.SignatureSize-len(s):], s)
 	return sig
 }
 func (c *ed25519) GenerateEdDSA(rand io.Reader) (pub, priv []byte, err error) {
 	pk, sk, err := ed25519lib.GenerateKey(rand)
 	if err != nil {
 		return nil, nil, err
 	}
 	return pk, sk[:ed25519lib.SeedSize], nil
 }
 func getEd25519Sk(publicKey, privateKey []byte) ed25519lib.PrivateKey {
 	privateKeyCap, privateKeyLen, publicKeyLen := cap(privateKey), len(privateKey), len(publicKey)
 	if privateKeyCap >= privateKeyLen+publicKeyLen &&
 		bytes.Equal(privateKey[privateKeyLen:privateKeyLen+publicKeyLen], publicKey) {
 		return privateKey[:privateKeyLen+publicKeyLen]
 	}
 	return append(privateKey[:privateKeyLen:privateKeyLen], publicKey...)
 }
 func (c *ed25519) Sign(publicKey, privateKey, message []byte) (sig []byte, err error) {
 	sig = ed25519lib.Sign(getEd25519Sk(publicKey, privateKey), message)
 	return sig, nil
 }
 func (c *ed25519) Verify(publicKey, message, sig []byte) bool {
 	return ed25519lib.Verify(publicKey, message, sig)
 }
 func (c *ed25519) ValidateEdDSA(publicKey, privateKey []byte) (err error) {
 	priv := getEd25519Sk(publicKey, privateKey)
 	expectedPriv := ed25519lib.NewKeyFromSeed(priv.Seed())
 	if subtle.ConstantTimeCompare(priv, expectedPriv) == 0 {
 		return errors.KeyInvalidError("ecc: invalid ed25519 secret")
 	}
 	return nil
 }
@@ -0,0 +1,119 @@
 // Package ecc implements a generic interface for ECDH, ECDSA, and EdDSA.
 package ecc
 import (
 	"bytes"
 	"crypto/subtle"
 	"io"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	ed448lib "github.com/cloudflare/circl/sign/ed448"
 )
 type ed448 struct{}
 func NewEd448() *ed448 {
 	return &ed448{}
 }
 func (c *ed448) GetCurveName() string {
 	return "ed448"
 }
 // MarshalBytePoint encodes the public point from native format, adding the prefix.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
 func (c *ed448) MarshalBytePoint(x []byte) []byte {
 	// Return prefixed
 	return append([]byte{0x40}, x...)
 }
 // UnmarshalBytePoint decodes a point from prefixed format to native.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
 func (c *ed448) UnmarshalBytePoint(point []byte) (x []byte) {
 	if len(point) != ed448lib.PublicKeySize+1 {
 		return nil
 	}
 	// Strip prefix
 	return point[1:]
 }
 // MarshalByteSecret encoded a scalar from native format to prefixed.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
 func (c *ed448) MarshalByteSecret(d []byte) []byte {
 	// Return prefixed
 	return append([]byte{0x40}, d...)
 }
 // UnmarshalByteSecret decodes a scalar from prefixed format to native.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
 func (c *ed448) UnmarshalByteSecret(s []byte) (d []byte) {
 	// Check prefixed size
 	if len(s) != ed448lib.SeedSize+1 {
 		return nil
 	}
 	// Strip prefix
 	return s[1:]
 }
 // MarshalSignature splits a signature in R and S, where R is in prefixed native format and
 // S is an MPI with value zero.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.2.3.3.2
 func (c *ed448) MarshalSignature(sig []byte) (r, s []byte) {
 	return append([]byte{0x40}, sig...), []byte{}
 }
 // UnmarshalSignature decodes R and S in the native format. Only R is used, in prefixed native format.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.2.3.3.2
 func (c *ed448) UnmarshalSignature(r, s []byte) (sig []byte) {
 	if len(r) != ed448lib.SignatureSize+1 {
 		return nil
 	}
 	return r[1:]
 }
 func (c *ed448) GenerateEdDSA(rand io.Reader) (pub, priv []byte, err error) {
 	pk, sk, err := ed448lib.GenerateKey(rand)
 	if err != nil {
 		return nil, nil, err
 	}
 	return pk, sk[:ed448lib.SeedSize], nil
 }
 func getEd448Sk(publicKey, privateKey []byte) ed448lib.PrivateKey {
 	privateKeyCap, privateKeyLen, publicKeyLen := cap(privateKey), len(privateKey), len(publicKey)
 	if privateKeyCap >= privateKeyLen+publicKeyLen &&
 		bytes.Equal(privateKey[privateKeyLen:privateKeyLen+publicKeyLen], publicKey) {
 		return privateKey[:privateKeyLen+publicKeyLen]
 	}
 	return append(privateKey[:privateKeyLen:privateKeyLen], publicKey...)
 }
 func (c *ed448) Sign(publicKey, privateKey, message []byte) (sig []byte, err error) {
 	// Ed448 is used with the empty string as a context string.
 	// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-13.7
 	sig = ed448lib.Sign(getEd448Sk(publicKey, privateKey), message, "")
 	return sig, nil
 }
 func (c *ed448) Verify(publicKey, message, sig []byte) bool {
 	// Ed448 is used with the empty string as a context string.
 	// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-13.7
 	return ed448lib.Verify(publicKey, message, sig, "")
 }
 func (c *ed448) ValidateEdDSA(publicKey, privateKey []byte) (err error) {
 	priv := getEd448Sk(publicKey, privateKey)
 	expectedPriv := ed448lib.NewKeyFromSeed(priv.Seed())
 	if subtle.ConstantTimeCompare(priv, expectedPriv) == 0 {
 		return errors.KeyInvalidError("ecc: invalid ed448 secret")
 	}
 	return nil
 }
@@ -0,0 +1,149 @@
 // Package ecc implements a generic interface for ECDH, ECDSA, and EdDSA.
 package ecc
 import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"fmt"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	"io"
 	"math/big"
 )
 type genericCurve struct {
 	Curve elliptic.Curve
 }
 func NewGenericCurve(c elliptic.Curve) *genericCurve {
 	return &genericCurve{
 		Curve: c,
 	}
 }
 func (c *genericCurve) GetCurveName() string {
 	return c.Curve.Params().Name
 }
 func (c *genericCurve) MarshalBytePoint(point []byte) []byte {
 	return point
 }
 func (c *genericCurve) UnmarshalBytePoint(point []byte) []byte {
 	return point
 }
 func (c *genericCurve) MarshalIntegerPoint(x, y *big.Int) []byte {
 	return elliptic.Marshal(c.Curve, x, y)
 }
 func (c *genericCurve) UnmarshalIntegerPoint(point []byte) (x, y *big.Int) {
 	return elliptic.Unmarshal(c.Curve, point)
 }
 func (c *genericCurve) MarshalByteSecret(d []byte) []byte {
 	return d
 }
 func (c *genericCurve) UnmarshalByteSecret(d []byte) []byte {
 	return d
 }
 func (c *genericCurve) MarshalIntegerSecret(d *big.Int) []byte {
 	return d.Bytes()
 }
 func (c *genericCurve) UnmarshalIntegerSecret(d []byte) *big.Int {
 	return new(big.Int).SetBytes(d)
 }
 func (c *genericCurve) GenerateECDH(rand io.Reader) (point, secret []byte, err error) {
 	secret, x, y, err := elliptic.GenerateKey(c.Curve, rand)
 	if err != nil {
 		return nil, nil, err
 	}
 	point = elliptic.Marshal(c.Curve, x, y)
 	return point, secret, nil
 }
 func (c *genericCurve) GenerateECDSA(rand io.Reader) (x, y, secret *big.Int, err error) {
 	priv, err := ecdsa.GenerateKey(c.Curve, rand)
 	if err != nil {
 		return
 	}
 	return priv.X, priv.Y, priv.D, nil
 }
 func (c *genericCurve) Encaps(rand io.Reader, point []byte) (ephemeral, sharedSecret []byte, err error) {
 	xP, yP := elliptic.Unmarshal(c.Curve, point)
 	if xP == nil {
 		panic("invalid point")
 	}
 	d, x, y, err := elliptic.GenerateKey(c.Curve, rand)
 	if err != nil {
 		return nil, nil, err
 	}
 	vsG := elliptic.Marshal(c.Curve, x, y)
 	zbBig, _ := c.Curve.ScalarMult(xP, yP, d)
 	byteLen := (c.Curve.Params().BitSize + 7) >> 3
 	zb := make([]byte, byteLen)
 	zbBytes := zbBig.Bytes()
 	copy(zb[byteLen-len(zbBytes):], zbBytes)
 	return vsG, zb, nil
 }
 func (c *genericCurve) Decaps(ephemeral, secret []byte) (sharedSecret []byte, err error) {
 	x, y := elliptic.Unmarshal(c.Curve, ephemeral)
 	zbBig, _ := c.Curve.ScalarMult(x, y, secret)
 	byteLen := (c.Curve.Params().BitSize + 7) >> 3
 	zb := make([]byte, byteLen)
 	zbBytes := zbBig.Bytes()
 	copy(zb[byteLen-len(zbBytes):], zbBytes)
 	return zb, nil
 }
 func (c *genericCurve) Sign(rand io.Reader, x, y, d *big.Int, hash []byte) (r, s *big.Int, err error) {
 	priv := &ecdsa.PrivateKey{D: d, PublicKey: ecdsa.PublicKey{X: x, Y: y, Curve: c.Curve}}
 	return ecdsa.Sign(rand, priv, hash)
 }
 func (c *genericCurve) Verify(x, y *big.Int, hash []byte, r, s *big.Int) bool {
 	pub := &ecdsa.PublicKey{X: x, Y: y, Curve: c.Curve}
 	return ecdsa.Verify(pub, hash, r, s)
 }
 func (c *genericCurve) validate(xP, yP *big.Int, secret []byte) error {
 	// the public point should not be at infinity (0,0)
 	zero := new(big.Int)
 	if xP.Cmp(zero) == 0 && yP.Cmp(zero) == 0 {
 		return errors.KeyInvalidError(fmt.Sprintf("ecc (%s): infinity point", c.Curve.Params().Name))
 	}
 	// re-derive the public point Q' = (X,Y) = dG
 	// to compare to declared Q in public key
 	expectedX, expectedY := c.Curve.ScalarBaseMult(secret)
 	if xP.Cmp(expectedX) != 0 || yP.Cmp(expectedY) != 0 {
 		return errors.KeyInvalidError(fmt.Sprintf("ecc (%s): invalid point", c.Curve.Params().Name))
 	}
 	return nil
 }
 func (c *genericCurve) ValidateECDSA(xP, yP *big.Int, secret []byte) error {
 	return c.validate(xP, yP, secret)
 }
 func (c *genericCurve) ValidateECDH(point []byte, secret []byte) error {
 	xP, yP := elliptic.Unmarshal(c.Curve, point)
 	if xP == nil {
 		return errors.KeyInvalidError(fmt.Sprintf("ecc (%s): invalid point", c.Curve.Params().Name))
 	}
 	return c.validate(xP, yP, secret)
 }
@@ -0,0 +1,107 @@
 // Package ecc implements a generic interface for ECDH, ECDSA, and EdDSA.
 package ecc
 import (
 	"crypto/subtle"
 	"io"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	x448lib "github.com/cloudflare/circl/dh/x448"
 )
 type x448 struct{}
 func NewX448() *x448 {
 	return &x448{}
 }
 func (c *x448) GetCurveName() string {
 	return "x448"
 }
 // MarshalBytePoint encodes the public point from native format, adding the prefix.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6
 func (c *x448) MarshalBytePoint(point []byte) []byte {
 	return append([]byte{0x40}, point...)
 }
 // UnmarshalBytePoint decodes a point from prefixed format to native.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6
 func (c *x448) UnmarshalBytePoint(point []byte) []byte {
 	if len(point) != x448lib.Size+1 {
 		return nil
 	}
 	return point[1:]
 }
 // MarshalByteSecret encoded a scalar from native format to prefixed.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6.1.2
 func (c *x448) MarshalByteSecret(d []byte) []byte {
 	return append([]byte{0x40}, d...)
 }
 // UnmarshalByteSecret decodes a scalar from prefixed format to native.
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6.1.2
 func (c *x448) UnmarshalByteSecret(d []byte) []byte {
 	if len(d) != x448lib.Size+1 {
 		return nil
 	}
 	// Store without prefix
 	return d[1:]
 }
 func (c *x448) generateKeyPairBytes(rand io.Reader) (sk, pk x448lib.Key, err error) {
 	if _, err = rand.Read(sk[:]); err != nil {
 		return
 	}
 	x448lib.KeyGen(&pk, &sk)
 	return
 }
 func (c *x448) GenerateECDH(rand io.Reader) (point []byte, secret []byte, err error) {
 	priv, pub, err := c.generateKeyPairBytes(rand)
 	if err != nil {
 		return
 	}
 	return pub[:], priv[:], nil
 }
 func (c *x448) Encaps(rand io.Reader, point []byte) (ephemeral, sharedSecret []byte, err error) {
 	var pk, ss x448lib.Key
 	seed, e, err := c.generateKeyPairBytes(rand)
 	if err != nil {
 		return nil, nil, err
 	}
 	copy(pk[:], point)
 	x448lib.Shared(&ss, &seed, &pk)
 	return e[:], ss[:], nil
 }
 func (c *x448) Decaps(ephemeral, secret []byte) (sharedSecret []byte, err error) {
 	var ss, sk, e x448lib.Key
 	copy(sk[:], secret)
 	copy(e[:], ephemeral)
 	x448lib.Shared(&ss, &sk, &e)
 	return ss[:], nil
 }
 func (c *x448) ValidateECDH(point []byte, secret []byte) error {
 	var sk, pk, expectedPk x448lib.Key
 	copy(pk[:], point)
 	copy(sk[:], secret)
 	x448lib.KeyGen(&expectedPk, &sk)
 	if subtle.ConstantTimeCompare(expectedPk[:], pk[:]) == 0 {
 		return errors.KeyInvalidError("ecc: invalid curve25519 public point")
 	}
 	return nil
 }
@@ -0,0 +1,27 @@
 // Copyright 2017 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package encoding implements openpgp packet field encodings as specified in
 // RFC 4880 and 6637.
 package encoding
 import "io"
 // Field is an encoded field of an openpgp packet.
 type Field interface {
 	// Bytes returns the decoded data.
 	Bytes() []byte
 	// BitLength is the size in bits of the decoded data.
 	BitLength() uint16
 	// EncodedBytes returns the encoded data.
 	EncodedBytes() []byte
 	// EncodedLength is the size in bytes of the encoded data.
 	EncodedLength() uint16
 	// ReadFrom reads the next Field from r.
 	ReadFrom(r io.Reader) (int64, error)
 }
@@ -0,0 +1,91 @@
 // Copyright 2017 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package encoding
 import (
 	"io"
 	"math/big"
 	"math/bits"
 )
 // An MPI is used to store the contents of a big integer, along with the bit
 // length that was specified in the original input. This allows the MPI to be
 // reserialized exactly.
 type MPI struct {
 	bytes     []byte
 	bitLength uint16
 }
 // NewMPI returns a MPI initialized with bytes.
 func NewMPI(bytes []byte) *MPI {
 	for len(bytes) != 0 && bytes[0] == 0 {
 		bytes = bytes[1:]
 	}
 	if len(bytes) == 0 {
 		bitLength := uint16(0)
 		return &MPI{bytes, bitLength}
 	}
 	bitLength := 8*uint16(len(bytes)-1) + uint16(bits.Len8(bytes[0]))
 	return &MPI{bytes, bitLength}
 }
 // Bytes returns the decoded data.
 func (m *MPI) Bytes() []byte {
 	return m.bytes
 }
 // BitLength is the size in bits of the decoded data.
 func (m *MPI) BitLength() uint16 {
 	return m.bitLength
 }
 // EncodedBytes returns the encoded data.
 func (m *MPI) EncodedBytes() []byte {
 	return append([]byte{byte(m.bitLength >> 8), byte(m.bitLength)}, m.bytes...)
 }
 // EncodedLength is the size in bytes of the encoded data.
 func (m *MPI) EncodedLength() uint16 {
 	return uint16(2 + len(m.bytes))
 }
 // ReadFrom reads into m the next MPI from r.
 func (m *MPI) ReadFrom(r io.Reader) (int64, error) {
 	var buf [2]byte
 	n, err := io.ReadFull(r, buf[0:])
 	if err != nil {
 		if err == io.EOF {
 			err = io.ErrUnexpectedEOF
 		}
 		return int64(n), err
 	}
 	m.bitLength = uint16(buf[0])<<8 | uint16(buf[1])
 	m.bytes = make([]byte, (int(m.bitLength)+7)/8)
 	nn, err := io.ReadFull(r, m.bytes)
 	if err == io.EOF {
 		err = io.ErrUnexpectedEOF
 	}
 	// remove leading zero bytes from malformed GnuPG encoded MPIs:
 	// https://bugs.gnupg.org/gnupg/issue1853
 	// for _, b := range m.bytes {
 	// 	if b != 0 {
 	// 		break
 	// 	}
 	// 	m.bytes = m.bytes[1:]
 	// 	m.bitLength -= 8
 	// }
 	return int64(n) + int64(nn), err
 }
 // SetBig initializes m with the bits from n.
 func (m *MPI) SetBig(n *big.Int) *MPI {
 	m.bytes = n.Bytes()
 	m.bitLength = uint16(n.BitLen())
 	return m
 }
@@ -0,0 +1,88 @@
 // Copyright 2017 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package encoding
 import (
 	"io"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 )
 // OID is used to store a variable-length field with a one-octet size
 // prefix. See https://tools.ietf.org/html/rfc6637#section-9.
 type OID struct {
 	bytes []byte
 }
 const (
 	// maxOID is the maximum number of bytes in a OID.
 	maxOID = 254
 	// reservedOIDLength1 and reservedOIDLength2 are OID lengths that the RFC
 	// specifies are reserved.
 	reservedOIDLength1 = 0
 	reservedOIDLength2 = 0xff
 )
 // NewOID returns a OID initialized with bytes.
 func NewOID(bytes []byte) *OID {
 	switch len(bytes) {
 	case reservedOIDLength1, reservedOIDLength2:
 		panic("encoding: NewOID argument length is reserved")
 	default:
 		if len(bytes) > maxOID {
 			panic("encoding: NewOID argument too large")
 		}
 	}
 	return &OID{
 		bytes: bytes,
 	}
 }
 // Bytes returns the decoded data.
 func (o *OID) Bytes() []byte {
 	return o.bytes
 }
 // BitLength is the size in bits of the decoded data.
 func (o *OID) BitLength() uint16 {
 	return uint16(len(o.bytes) * 8)
 }
 // EncodedBytes returns the encoded data.
 func (o *OID) EncodedBytes() []byte {
 	return append([]byte{byte(len(o.bytes))}, o.bytes...)
 }
 // EncodedLength is the size in bytes of the encoded data.
 func (o *OID) EncodedLength() uint16 {
 	return uint16(1 + len(o.bytes))
 }
 // ReadFrom reads into b the next OID from r.
 func (o *OID) ReadFrom(r io.Reader) (int64, error) {
 	var buf [1]byte
 	n, err := io.ReadFull(r, buf[:])
 	if err != nil {
 		if err == io.EOF {
 			err = io.ErrUnexpectedEOF
 		}
 		return int64(n), err
 	}
 	switch buf[0] {
 	case reservedOIDLength1, reservedOIDLength2:
 		return int64(n), errors.UnsupportedError("reserved for future extensions")
 	}
 	o.bytes = make([]byte, buf[0])
 	nn, err := io.ReadFull(r, o.bytes)
 	if err == io.EOF {
 		err = io.ErrUnexpectedEOF
 	}
 	return int64(n) + int64(nn), err
 }
@@ -0,0 +1,456 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package openpgp
 import (
 	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
 	goerrors "errors"
 	"io"
 	"math/big"
 	"time"
 	"github.com/ProtonMail/go-crypto/openpgp/ecdh"
 	"github.com/ProtonMail/go-crypto/openpgp/ecdsa"
 	"github.com/ProtonMail/go-crypto/openpgp/ed25519"
 	"github.com/ProtonMail/go-crypto/openpgp/ed448"
 	"github.com/ProtonMail/go-crypto/openpgp/eddsa"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/algorithm"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/ecc"
 	"github.com/ProtonMail/go-crypto/openpgp/packet"
 	"github.com/ProtonMail/go-crypto/openpgp/x25519"
 	"github.com/ProtonMail/go-crypto/openpgp/x448"
 )
 // NewEntity returns an Entity that contains a fresh RSA/RSA keypair with a
 // single identity composed of the given full name, comment and email, any of
 // which may be empty but must not contain any of "()<>\x00".
 // If config is nil, sensible defaults will be used.
 func NewEntity(name, comment, email string, config *packet.Config) (*Entity, error) {
 	creationTime := config.Now()
 	keyLifetimeSecs := config.KeyLifetime()
 	// Generate a primary signing key
 	primaryPrivRaw, err := newSigner(config)
 	if err != nil {
 		return nil, err
 	}
 	primary := packet.NewSignerPrivateKey(creationTime, primaryPrivRaw)
 	if config.V6() {
 		if err := primary.UpgradeToV6(); err != nil {
 			return nil, err
 		}
 	}
 	e := &Entity{
 		PrimaryKey: &primary.PublicKey,
 		PrivateKey: primary,
 		Identities: make(map[string]*Identity),
 		Subkeys:    []Subkey{},
 		Signatures: []*packet.Signature{},
 	}
 	if config.V6() {
 		// In v6 keys algorithm preferences should be stored in direct key signatures
 		selfSignature := createSignaturePacket(&primary.PublicKey, packet.SigTypeDirectSignature, config)
 		err = writeKeyProperties(selfSignature, creationTime, keyLifetimeSecs, config)
 		if err != nil {
 			return nil, err
 		}
 		err = selfSignature.SignDirectKeyBinding(&primary.PublicKey, primary, config)
 		if err != nil {
 			return nil, err
 		}
 		e.Signatures = append(e.Signatures, selfSignature)
 		e.SelfSignature = selfSignature
 	}
 	err = e.addUserId(name, comment, email, config, creationTime, keyLifetimeSecs, !config.V6())
 	if err != nil {
 		return nil, err
 	}
 	// NOTE: No key expiry here, but we will not return this subkey in EncryptionKey()
 	// if the primary/master key has expired.
 	err = e.addEncryptionSubkey(config, creationTime, 0)
 	if err != nil {
 		return nil, err
 	}
 	return e, nil
 }
 func (t *Entity) AddUserId(name, comment, email string, config *packet.Config) error {
 	creationTime := config.Now()
 	keyLifetimeSecs := config.KeyLifetime()
 	return t.addUserId(name, comment, email, config, creationTime, keyLifetimeSecs, !config.V6())
 }
 func writeKeyProperties(selfSignature *packet.Signature, creationTime time.Time, keyLifetimeSecs uint32, config *packet.Config) error {
 	advertiseAead := config.AEAD() != nil
 	selfSignature.CreationTime = creationTime
 	selfSignature.KeyLifetimeSecs = &keyLifetimeSecs
 	selfSignature.FlagsValid = true
 	selfSignature.FlagSign = true
 	selfSignature.FlagCertify = true
 	selfSignature.SEIPDv1 = true // true by default, see 5.8 vs. 5.14
 	selfSignature.SEIPDv2 = advertiseAead
 	// Set the PreferredHash for the SelfSignature from the packet.Config.
 	// If it is not the must-implement algorithm from rfc4880bis, append that.
 	hash, ok := algorithm.HashToHashId(config.Hash())
 	if !ok {
 		return errors.UnsupportedError("unsupported preferred hash function")
 	}
 	selfSignature.PreferredHash = []uint8{hash}
 	if config.Hash() != crypto.SHA256 {
 		selfSignature.PreferredHash = append(selfSignature.PreferredHash, hashToHashId(crypto.SHA256))
 	}
 	// Likewise for DefaultCipher.
 	selfSignature.PreferredSymmetric = []uint8{uint8(config.Cipher())}
 	if config.Cipher() != packet.CipherAES128 {
 		selfSignature.PreferredSymmetric = append(selfSignature.PreferredSymmetric, uint8(packet.CipherAES128))
 	}
 	// We set CompressionNone as the preferred compression algorithm because
 	// of compression side channel attacks, then append the configured
 	// DefaultCompressionAlgo if any is set (to signal support for cases
 	// where the application knows that using compression is safe).
 	selfSignature.PreferredCompression = []uint8{uint8(packet.CompressionNone)}
 	if config.Compression() != packet.CompressionNone {
 		selfSignature.PreferredCompression = append(selfSignature.PreferredCompression, uint8(config.Compression()))
 	}
 	if advertiseAead {
 		// Get the preferred AEAD mode from the packet.Config.
 		// If it is not the must-implement algorithm from rfc9580, append that.
 		modes := []uint8{uint8(config.AEAD().Mode())}
 		if config.AEAD().Mode() != packet.AEADModeOCB {
 			modes = append(modes, uint8(packet.AEADModeOCB))
 		}
 		// For preferred (AES256, GCM), we'll generate (AES256, GCM), (AES256, OCB), (AES128, GCM), (AES128, OCB)
 		for _, cipher := range selfSignature.PreferredSymmetric {
 			for _, mode := range modes {
 				selfSignature.PreferredCipherSuites = append(selfSignature.PreferredCipherSuites, [2]uint8{cipher, mode})
 			}
 		}
 	}
 	return nil
 }
 func (t *Entity) addUserId(name, comment, email string, config *packet.Config, creationTime time.Time, keyLifetimeSecs uint32, writeProperties bool) error {
 	uid := packet.NewUserId(name, comment, email)
 	if uid == nil {
 		return errors.InvalidArgumentError("user id field contained invalid characters")
 	}
 	if _, ok := t.Identities[uid.Id]; ok {
 		return errors.InvalidArgumentError("user id exist")
 	}
 	primary := t.PrivateKey
 	isPrimaryId := len(t.Identities) == 0
 	selfSignature := createSignaturePacket(&primary.PublicKey, packet.SigTypePositiveCert, config)
 	if writeProperties {
 		err := writeKeyProperties(selfSignature, creationTime, keyLifetimeSecs, config)
 		if err != nil {
 			return err
 		}
 	}
 	selfSignature.IsPrimaryId = &isPrimaryId
 	// User ID binding signature
 	err := selfSignature.SignUserId(uid.Id, &primary.PublicKey, primary, config)
 	if err != nil {
 		return err
 	}
 	t.Identities[uid.Id] = &Identity{
 		Name:          uid.Id,
 		UserId:        uid,
 		SelfSignature: selfSignature,
 		Signatures:    []*packet.Signature{selfSignature},
 	}
 	return nil
 }
 // AddSigningSubkey adds a signing keypair as a subkey to the Entity.
 // If config is nil, sensible defaults will be used.
 func (e *Entity) AddSigningSubkey(config *packet.Config) error {
 	creationTime := config.Now()
 	keyLifetimeSecs := config.KeyLifetime()
 	subPrivRaw, err := newSigner(config)
 	if err != nil {
 		return err
 	}
 	sub := packet.NewSignerPrivateKey(creationTime, subPrivRaw)
 	sub.IsSubkey = true
 	if config.V6() {
 		if err := sub.UpgradeToV6(); err != nil {
 			return err
 		}
 	}
 	subkey := Subkey{
 		PublicKey:  &sub.PublicKey,
 		PrivateKey: sub,
 	}
 	subkey.Sig = createSignaturePacket(e.PrimaryKey, packet.SigTypeSubkeyBinding, config)
 	subkey.Sig.CreationTime = creationTime
 	subkey.Sig.KeyLifetimeSecs = &keyLifetimeSecs
 	subkey.Sig.FlagsValid = true
 	subkey.Sig.FlagSign = true
 	subkey.Sig.EmbeddedSignature = createSignaturePacket(subkey.PublicKey, packet.SigTypePrimaryKeyBinding, config)
 	subkey.Sig.EmbeddedSignature.CreationTime = creationTime
 	err = subkey.Sig.EmbeddedSignature.CrossSignKey(subkey.PublicKey, e.PrimaryKey, subkey.PrivateKey, config)
 	if err != nil {
 		return err
 	}
 	err = subkey.Sig.SignKey(subkey.PublicKey, e.PrivateKey, config)
 	if err != nil {
 		return err
 	}
 	e.Subkeys = append(e.Subkeys, subkey)
 	return nil
 }
 // AddEncryptionSubkey adds an encryption keypair as a subkey to the Entity.
 // If config is nil, sensible defaults will be used.
 func (e *Entity) AddEncryptionSubkey(config *packet.Config) error {
 	creationTime := config.Now()
 	keyLifetimeSecs := config.KeyLifetime()
 	return e.addEncryptionSubkey(config, creationTime, keyLifetimeSecs)
 }
 func (e *Entity) addEncryptionSubkey(config *packet.Config, creationTime time.Time, keyLifetimeSecs uint32) error {
 	subPrivRaw, err := newDecrypter(config)
 	if err != nil {
 		return err
 	}
 	sub := packet.NewDecrypterPrivateKey(creationTime, subPrivRaw)
 	sub.IsSubkey = true
 	if config.V6() {
 		if err := sub.UpgradeToV6(); err != nil {
 			return err
 		}
 	}
 	subkey := Subkey{
 		PublicKey:  &sub.PublicKey,
 		PrivateKey: sub,
 	}
 	subkey.Sig = createSignaturePacket(e.PrimaryKey, packet.SigTypeSubkeyBinding, config)
 	subkey.Sig.CreationTime = creationTime
 	subkey.Sig.KeyLifetimeSecs = &keyLifetimeSecs
 	subkey.Sig.FlagsValid = true
 	subkey.Sig.FlagEncryptStorage = true
 	subkey.Sig.FlagEncryptCommunications = true
 	err = subkey.Sig.SignKey(subkey.PublicKey, e.PrivateKey, config)
 	if err != nil {
 		return err
 	}
 	e.Subkeys = append(e.Subkeys, subkey)
 	return nil
 }
 // Generates a signing key
 func newSigner(config *packet.Config) (signer interface{}, err error) {
 	switch config.PublicKeyAlgorithm() {
 	case packet.PubKeyAlgoRSA:
 		bits := config.RSAModulusBits()
 		if bits < 1024 {
 			return nil, errors.InvalidArgumentError("bits must be >= 1024")
 		}
 		if config != nil && len(config.RSAPrimes) >= 2 {
 			primes := config.RSAPrimes[0:2]
 			config.RSAPrimes = config.RSAPrimes[2:]
 			return generateRSAKeyWithPrimes(config.Random(), 2, bits, primes)
 		}
 		return rsa.GenerateKey(config.Random(), bits)
 	case packet.PubKeyAlgoEdDSA:
 		if config.V6() {
 			// Implementations MUST NOT accept or generate v6 key material
 			// using the deprecated OIDs.
 			return nil, errors.InvalidArgumentError("EdDSALegacy cannot be used for v6 keys")
 		}
 		curve := ecc.FindEdDSAByGenName(string(config.CurveName()))
 		if curve == nil {
 			return nil, errors.InvalidArgumentError("unsupported curve")
 		}
 		priv, err := eddsa.GenerateKey(config.Random(), curve)
 		if err != nil {
 			return nil, err
 		}
 		return priv, nil
 	case packet.PubKeyAlgoECDSA:
 		curve := ecc.FindECDSAByGenName(string(config.CurveName()))
 		if curve == nil {
 			return nil, errors.InvalidArgumentError("unsupported curve")
 		}
 		priv, err := ecdsa.GenerateKey(config.Random(), curve)
 		if err != nil {
 			return nil, err
 		}
 		return priv, nil
 	case packet.PubKeyAlgoEd25519:
 		priv, err := ed25519.GenerateKey(config.Random())
 		if err != nil {
 			return nil, err
 		}
 		return priv, nil
 	case packet.PubKeyAlgoEd448:
 		priv, err := ed448.GenerateKey(config.Random())
 		if err != nil {
 			return nil, err
 		}
 		return priv, nil
 	default:
 		return nil, errors.InvalidArgumentError("unsupported public key algorithm")
 	}
 }
 // Generates an encryption/decryption key
 func newDecrypter(config *packet.Config) (decrypter interface{}, err error) {
 	switch config.PublicKeyAlgorithm() {
 	case packet.PubKeyAlgoRSA:
 		bits := config.RSAModulusBits()
 		if bits < 1024 {
 			return nil, errors.InvalidArgumentError("bits must be >= 1024")
 		}
 		if config != nil && len(config.RSAPrimes) >= 2 {
 			primes := config.RSAPrimes[0:2]
 			config.RSAPrimes = config.RSAPrimes[2:]
 			return generateRSAKeyWithPrimes(config.Random(), 2, bits, primes)
 		}
 		return rsa.GenerateKey(config.Random(), bits)
 	case packet.PubKeyAlgoEdDSA, packet.PubKeyAlgoECDSA:
 		fallthrough // When passing EdDSA or ECDSA, we generate an ECDH subkey
 	case packet.PubKeyAlgoECDH:
 		if config.V6() &&
 			(config.CurveName() == packet.Curve25519 ||
 				config.CurveName() == packet.Curve448) {
 			// Implementations MUST NOT accept or generate v6 key material
 			// using the deprecated OIDs.
 			return nil, errors.InvalidArgumentError("ECDH with Curve25519/448 legacy cannot be used for v6 keys")
 		}
 		var kdf = ecdh.KDF{
 			Hash:   algorithm.SHA512,
 			Cipher: algorithm.AES256,
 		}
 		curve := ecc.FindECDHByGenName(string(config.CurveName()))
 		if curve == nil {
 			return nil, errors.InvalidArgumentError("unsupported curve")
 		}
 		return ecdh.GenerateKey(config.Random(), curve, kdf)
 	case packet.PubKeyAlgoEd25519, packet.PubKeyAlgoX25519: // When passing Ed25519, we generate an x25519 subkey
 		return x25519.GenerateKey(config.Random())
 	case packet.PubKeyAlgoEd448, packet.PubKeyAlgoX448: // When passing Ed448, we generate an x448 subkey
 		return x448.GenerateKey(config.Random())
 	default:
 		return nil, errors.InvalidArgumentError("unsupported public key algorithm")
 	}
 }
 var bigOne = big.NewInt(1)
 // generateRSAKeyWithPrimes generates a multi-prime RSA keypair of the
 // given bit size, using the given random source and pre-populated primes.
 func generateRSAKeyWithPrimes(random io.Reader, nprimes int, bits int, prepopulatedPrimes []*big.Int) (*rsa.PrivateKey, error) {
 	priv := new(rsa.PrivateKey)
 	priv.E = 65537
 	if nprimes < 2 {
 		return nil, goerrors.New("generateRSAKeyWithPrimes: nprimes must be >= 2")
 	}
 	if bits < 1024 {
 		return nil, goerrors.New("generateRSAKeyWithPrimes: bits must be >= 1024")
 	}
 	primes := make([]*big.Int, nprimes)
 NextSetOfPrimes:
 	for {
 		todo := bits
 		// crypto/rand should set the top two bits in each prime.
 		// Thus each prime has the form
 		//   p_i = 2^bitlen(p_i) × 0.11... (in base 2).
 		// And the product is:
 		//   P = 2^todo × α
 		// where α is the product of nprimes numbers of the form 0.11...
 		//
 		// If α < 1/2 (which can happen for nprimes > 2), we need to
 		// shift todo to compensate for lost bits: the mean value of 0.11...
 		// is 7/8, so todo + shift - nprimes * log2(7/8) ~= bits - 1/2
 		// will give good results.
 		if nprimes >= 7 {
 			todo += (nprimes - 2) / 5
 		}
 		for i := 0; i < nprimes; i++ {
 			var err error
 			if len(prepopulatedPrimes) == 0 {
 				primes[i], err = rand.Prime(random, todo/(nprimes-i))
 				if err != nil {
 					return nil, err
 				}
 			} else {
 				primes[i] = prepopulatedPrimes[0]
 				prepopulatedPrimes = prepopulatedPrimes[1:]
 			}
 			todo -= primes[i].BitLen()
 		}
 		// Make sure that primes is pairwise unequal.
 		for i, prime := range primes {
 			for j := 0; j < i; j++ {
 				if prime.Cmp(primes[j]) == 0 {
 					continue NextSetOfPrimes
 				}
 			}
 		}
 		n := new(big.Int).Set(bigOne)
 		totient := new(big.Int).Set(bigOne)
 		pminus1 := new(big.Int)
 		for _, prime := range primes {
 			n.Mul(n, prime)
 			pminus1.Sub(prime, bigOne)
 			totient.Mul(totient, pminus1)
 		}
 		if n.BitLen() != bits {
 			// This should never happen for nprimes == 2 because
 			// crypto/rand should set the top two bits in each prime.
 			// For nprimes > 2 we hope it does not happen often.
 			continue NextSetOfPrimes
 		}
 		priv.D = new(big.Int)
 		e := big.NewInt(int64(priv.E))
 		ok := priv.D.ModInverse(e, totient)
 		if ok != nil {
 			priv.Primes = primes
 			priv.N = n
 			break
 		}
 	}
 	priv.Precompute()
 	return priv, nil
 }
@@ -0,0 +1,901 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package openpgp
 import (
 	goerrors "errors"
 	"fmt"
 	"io"
 	"time"
 	"github.com/ProtonMail/go-crypto/openpgp/armor"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	"github.com/ProtonMail/go-crypto/openpgp/packet"
 )
 // PublicKeyType is the armor type for a PGP public key.
 var PublicKeyType = "PGP PUBLIC KEY BLOCK"
 // PrivateKeyType is the armor type for a PGP private key.
 var PrivateKeyType = "PGP PRIVATE KEY BLOCK"
 // An Entity represents the components of an OpenPGP key: a primary public key
 // (which must be a signing key), one or more identities claimed by that key,
 // and zero or more subkeys, which may be encryption keys.
 type Entity struct {
 	PrimaryKey    *packet.PublicKey
 	PrivateKey    *packet.PrivateKey
 	Identities    map[string]*Identity // indexed by Identity.Name
 	Revocations   []*packet.Signature
 	Subkeys       []Subkey
 	SelfSignature *packet.Signature   // Direct-key self signature of the PrimaryKey (contains primary key properties in v6)
 	Signatures    []*packet.Signature // all (potentially unverified) self-signatures, revocations, and third-party signatures
 }
 // An Identity represents an identity claimed by an Entity and zero or more
 // assertions by other entities about that claim.
 type Identity struct {
 	Name          string // by convention, has the form "Full Name (comment) <email@example.com>"
 	UserId        *packet.UserId
 	SelfSignature *packet.Signature
 	Revocations   []*packet.Signature
 	Signatures    []*packet.Signature // all (potentially unverified) self-signatures, revocations, and third-party signatures
 }
 // A Subkey is an additional public key in an Entity. Subkeys can be used for
 // encryption.
 type Subkey struct {
 	PublicKey   *packet.PublicKey
 	PrivateKey  *packet.PrivateKey
 	Sig         *packet.Signature
 	Revocations []*packet.Signature
 }
 // A Key identifies a specific public key in an Entity. This is either the
 // Entity's primary key or a subkey.
 type Key struct {
 	Entity        *Entity
 	PublicKey     *packet.PublicKey
 	PrivateKey    *packet.PrivateKey
 	SelfSignature *packet.Signature
 	Revocations   []*packet.Signature
 }
 // A KeyRing provides access to public and private keys.
 type KeyRing interface {
 	// KeysById returns the set of keys that have the given key id.
 	KeysById(id uint64) []Key
 	// KeysByIdAndUsage returns the set of keys with the given id
 	// that also meet the key usage given by requiredUsage.
 	// The requiredUsage is expressed as the bitwise-OR of
 	// packet.KeyFlag* values.
 	KeysByIdUsage(id uint64, requiredUsage byte) []Key
 	// DecryptionKeys returns all private keys that are valid for
 	// decryption.
 	DecryptionKeys() []Key
 }
 // PrimaryIdentity returns an Identity, preferring non-revoked identities,
 // identities marked as primary, or the latest-created identity, in that order.
 func (e *Entity) PrimaryIdentity() *Identity {
 	var primaryIdentity *Identity
 	for _, ident := range e.Identities {
 		if shouldPreferIdentity(primaryIdentity, ident) {
 			primaryIdentity = ident
 		}
 	}
 	return primaryIdentity
 }
 func shouldPreferIdentity(existingId, potentialNewId *Identity) bool {
 	if existingId == nil {
 		return true
 	}
 	if len(existingId.Revocations) > len(potentialNewId.Revocations) {
 		return true
 	}
 	if len(existingId.Revocations) < len(potentialNewId.Revocations) {
 		return false
 	}
 	if existingId.SelfSignature == nil {
 		return true
 	}
 	if existingId.SelfSignature.IsPrimaryId != nil && *existingId.SelfSignature.IsPrimaryId &&
 		!(potentialNewId.SelfSignature.IsPrimaryId != nil && *potentialNewId.SelfSignature.IsPrimaryId) {
 		return false
 	}
 	if !(existingId.SelfSignature.IsPrimaryId != nil && *existingId.SelfSignature.IsPrimaryId) &&
 		potentialNewId.SelfSignature.IsPrimaryId != nil && *potentialNewId.SelfSignature.IsPrimaryId {
 		return true
 	}
 	return potentialNewId.SelfSignature.CreationTime.After(existingId.SelfSignature.CreationTime)
 }
 // EncryptionKey returns the best candidate Key for encrypting a message to the
 // given Entity.
 func (e *Entity) EncryptionKey(now time.Time) (Key, bool) {
 	// Fail to find any encryption key if the...
 	primarySelfSignature, primaryIdentity := e.PrimarySelfSignature()
 	if primarySelfSignature == nil || // no self-signature found
 		e.PrimaryKey.KeyExpired(primarySelfSignature, now) || // primary key has expired
 		e.Revoked(now) || // primary key has been revoked
 		primarySelfSignature.SigExpired(now) || // user ID or or direct self-signature has expired
 		(primaryIdentity != nil && primaryIdentity.Revoked(now)) { // user ID has been revoked (for v4 keys)
 		return Key{}, false
 	}
 	// Iterate the keys to find the newest, unexpired one
 	candidateSubkey := -1
 	var maxTime time.Time
 	for i, subkey := range e.Subkeys {
 		if subkey.Sig.FlagsValid &&
 			subkey.Sig.FlagEncryptCommunications &&
 			subkey.PublicKey.PubKeyAlgo.CanEncrypt() &&
 			!subkey.PublicKey.KeyExpired(subkey.Sig, now) &&
 			!subkey.Sig.SigExpired(now) &&
 			!subkey.Revoked(now) &&
 			(maxTime.IsZero() || subkey.Sig.CreationTime.After(maxTime)) {
 			candidateSubkey = i
 			maxTime = subkey.Sig.CreationTime
 		}
 	}
 	if candidateSubkey != -1 {
 		subkey := e.Subkeys[candidateSubkey]
 		return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig, subkey.Revocations}, true
 	}
 	// If we don't have any subkeys for encryption and the primary key
 	// is marked as OK to encrypt with, then we can use it.
 	if primarySelfSignature.FlagsValid && primarySelfSignature.FlagEncryptCommunications &&
 		e.PrimaryKey.PubKeyAlgo.CanEncrypt() {
 		return Key{e, e.PrimaryKey, e.PrivateKey, primarySelfSignature, e.Revocations}, true
 	}
 	return Key{}, false
 }
 // CertificationKey return the best candidate Key for certifying a key with this
 // Entity.
 func (e *Entity) CertificationKey(now time.Time) (Key, bool) {
 	return e.CertificationKeyById(now, 0)
 }
 // CertificationKeyById return the Key for key certification with this
 // Entity and keyID.
 func (e *Entity) CertificationKeyById(now time.Time, id uint64) (Key, bool) {
 	return e.signingKeyByIdUsage(now, id, packet.KeyFlagCertify)
 }
 // SigningKey return the best candidate Key for signing a message with this
 // Entity.
 func (e *Entity) SigningKey(now time.Time) (Key, bool) {
 	return e.SigningKeyById(now, 0)
 }
 // SigningKeyById return the Key for signing a message with this
 // Entity and keyID.
 func (e *Entity) SigningKeyById(now time.Time, id uint64) (Key, bool) {
 	return e.signingKeyByIdUsage(now, id, packet.KeyFlagSign)
 }
 func (e *Entity) signingKeyByIdUsage(now time.Time, id uint64, flags int) (Key, bool) {
 	// Fail to find any signing key if the...
 	primarySelfSignature, primaryIdentity := e.PrimarySelfSignature()
 	if primarySelfSignature == nil || // no self-signature found
 		e.PrimaryKey.KeyExpired(primarySelfSignature, now) || // primary key has expired
 		e.Revoked(now) || // primary key has been revoked
 		primarySelfSignature.SigExpired(now) || // user ID or direct self-signature has expired
 		(primaryIdentity != nil && primaryIdentity.Revoked(now)) { // user ID has been revoked (for v4 keys)
 		return Key{}, false
 	}
 	// Iterate the keys to find the newest, unexpired one
 	candidateSubkey := -1
 	var maxTime time.Time
 	for idx, subkey := range e.Subkeys {
 		if subkey.Sig.FlagsValid &&
 			(flags&packet.KeyFlagCertify == 0 || subkey.Sig.FlagCertify) &&
 			(flags&packet.KeyFlagSign == 0 || subkey.Sig.FlagSign) &&
 			subkey.PublicKey.PubKeyAlgo.CanSign() &&
 			!subkey.PublicKey.KeyExpired(subkey.Sig, now) &&
 			!subkey.Sig.SigExpired(now) &&
 			!subkey.Revoked(now) &&
 			(maxTime.IsZero() || subkey.Sig.CreationTime.After(maxTime)) &&
 			(id == 0 || subkey.PublicKey.KeyId == id) {
 			candidateSubkey = idx
 			maxTime = subkey.Sig.CreationTime
 		}
 	}
 	if candidateSubkey != -1 {
 		subkey := e.Subkeys[candidateSubkey]
 		return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig, subkey.Revocations}, true
 	}
 	// If we don't have any subkeys for signing and the primary key
 	// is marked as OK to sign with, then we can use it.
 	if primarySelfSignature.FlagsValid &&
 		(flags&packet.KeyFlagCertify == 0 || primarySelfSignature.FlagCertify) &&
 		(flags&packet.KeyFlagSign == 0 || primarySelfSignature.FlagSign) &&
 		e.PrimaryKey.PubKeyAlgo.CanSign() &&
 		(id == 0 || e.PrimaryKey.KeyId == id) {
 		return Key{e, e.PrimaryKey, e.PrivateKey, primarySelfSignature, e.Revocations}, true
 	}
 	// No keys with a valid Signing Flag or no keys matched the id passed in
 	return Key{}, false
 }
 func revoked(revocations []*packet.Signature, now time.Time) bool {
 	for _, revocation := range revocations {
 		if revocation.RevocationReason != nil && *revocation.RevocationReason == packet.KeyCompromised {
 			// If the key is compromised, the key is considered revoked even before the revocation date.
 			return true
 		}
 		if !revocation.SigExpired(now) {
 			return true
 		}
 	}
 	return false
 }
 // Revoked returns whether the entity has any direct key revocation signatures.
 // Note that third-party revocation signatures are not supported.
 // Note also that Identity and Subkey revocation should be checked separately.
 func (e *Entity) Revoked(now time.Time) bool {
 	return revoked(e.Revocations, now)
 }
 // EncryptPrivateKeys encrypts all non-encrypted keys in the entity with the same key
 // derived from the provided passphrase. Public keys and dummy keys are ignored,
 // and don't cause an error to be returned.
 func (e *Entity) EncryptPrivateKeys(passphrase []byte, config *packet.Config) error {
 	var keysToEncrypt []*packet.PrivateKey
 	// Add entity private key to encrypt.
 	if e.PrivateKey != nil && !e.PrivateKey.Dummy() && !e.PrivateKey.Encrypted {
 		keysToEncrypt = append(keysToEncrypt, e.PrivateKey)
 	}
 	// Add subkeys to encrypt.
 	for _, sub := range e.Subkeys {
 		if sub.PrivateKey != nil && !sub.PrivateKey.Dummy() && !sub.PrivateKey.Encrypted {
 			keysToEncrypt = append(keysToEncrypt, sub.PrivateKey)
 		}
 	}
 	return packet.EncryptPrivateKeys(keysToEncrypt, passphrase, config)
 }
 // DecryptPrivateKeys decrypts all encrypted keys in the entity with the given passphrase.
 // Avoids recomputation of similar s2k key derivations. Public keys and dummy keys are ignored,
 // and don't cause an error to be returned.
 func (e *Entity) DecryptPrivateKeys(passphrase []byte) error {
 	var keysToDecrypt []*packet.PrivateKey
 	// Add entity private key to decrypt.
 	if e.PrivateKey != nil && !e.PrivateKey.Dummy() && e.PrivateKey.Encrypted {
 		keysToDecrypt = append(keysToDecrypt, e.PrivateKey)
 	}
 	// Add subkeys to decrypt.
 	for _, sub := range e.Subkeys {
 		if sub.PrivateKey != nil && !sub.PrivateKey.Dummy() && sub.PrivateKey.Encrypted {
 			keysToDecrypt = append(keysToDecrypt, sub.PrivateKey)
 		}
 	}
 	return packet.DecryptPrivateKeys(keysToDecrypt, passphrase)
 }
 // Revoked returns whether the identity has been revoked by a self-signature.
 // Note that third-party revocation signatures are not supported.
 func (i *Identity) Revoked(now time.Time) bool {
 	return revoked(i.Revocations, now)
 }
 // Revoked returns whether the subkey has been revoked by a self-signature.
 // Note that third-party revocation signatures are not supported.
 func (s *Subkey) Revoked(now time.Time) bool {
 	return revoked(s.Revocations, now)
 }
 // Revoked returns whether the key or subkey has been revoked by a self-signature.
 // Note that third-party revocation signatures are not supported.
 // Note also that Identity revocation should be checked separately.
 // Normally, it's not necessary to call this function, except on keys returned by
 // KeysById or KeysByIdUsage.
 func (key *Key) Revoked(now time.Time) bool {
 	return revoked(key.Revocations, now)
 }
 // An EntityList contains one or more Entities.
 type EntityList []*Entity
 // KeysById returns the set of keys that have the given key id.
 func (el EntityList) KeysById(id uint64) (keys []Key) {
 	for _, e := range el {
 		if e.PrimaryKey.KeyId == id {
 			selfSig, _ := e.PrimarySelfSignature()
 			keys = append(keys, Key{e, e.PrimaryKey, e.PrivateKey, selfSig, e.Revocations})
 		}
 		for _, subKey := range e.Subkeys {
 			if subKey.PublicKey.KeyId == id {
 				keys = append(keys, Key{e, subKey.PublicKey, subKey.PrivateKey, subKey.Sig, subKey.Revocations})
 			}
 		}
 	}
 	return
 }
 // KeysByIdAndUsage returns the set of keys with the given id that also meet
 // the key usage given by requiredUsage.  The requiredUsage is expressed as
 // the bitwise-OR of packet.KeyFlag* values.
 func (el EntityList) KeysByIdUsage(id uint64, requiredUsage byte) (keys []Key) {
 	for _, key := range el.KeysById(id) {
 		if requiredUsage != 0 {
 			if key.SelfSignature == nil || !key.SelfSignature.FlagsValid {
 				continue
 			}
 			var usage byte
 			if key.SelfSignature.FlagCertify {
 				usage |= packet.KeyFlagCertify
 			}
 			if key.SelfSignature.FlagSign {
 				usage |= packet.KeyFlagSign
 			}
 			if key.SelfSignature.FlagEncryptCommunications {
 				usage |= packet.KeyFlagEncryptCommunications
 			}
 			if key.SelfSignature.FlagEncryptStorage {
 				usage |= packet.KeyFlagEncryptStorage
 			}
 			if usage&requiredUsage != requiredUsage {
 				continue
 			}
 		}
 		keys = append(keys, key)
 	}
 	return
 }
 // DecryptionKeys returns all private keys that are valid for decryption.
 func (el EntityList) DecryptionKeys() (keys []Key) {
 	for _, e := range el {
 		for _, subKey := range e.Subkeys {
 			if subKey.PrivateKey != nil && subKey.Sig.FlagsValid && (subKey.Sig.FlagEncryptStorage || subKey.Sig.FlagEncryptCommunications) {
 				keys = append(keys, Key{e, subKey.PublicKey, subKey.PrivateKey, subKey.Sig, subKey.Revocations})
 			}
 		}
 	}
 	return
 }
 // ReadArmoredKeyRing reads one or more public/private keys from an armor keyring file.
 func ReadArmoredKeyRing(r io.Reader) (EntityList, error) {
 	block, err := armor.Decode(r)
 	if err == io.EOF {
 		return nil, errors.InvalidArgumentError("no armored data found")
 	}
 	if err != nil {
 		return nil, err
 	}
 	if block.Type != PublicKeyType && block.Type != PrivateKeyType {
 		return nil, errors.InvalidArgumentError("expected public or private key block, got: " + block.Type)
 	}
 	return ReadKeyRing(block.Body)
 }
 // ReadKeyRing reads one or more public/private keys. Unsupported keys are
 // ignored as long as at least a single valid key is found.
 func ReadKeyRing(r io.Reader) (el EntityList, err error) {
 	packets := packet.NewReader(r)
 	var lastUnsupportedError error
 	for {
 		var e *Entity
 		e, err = ReadEntity(packets)
 		if err != nil {
 			// TODO: warn about skipped unsupported/unreadable keys
 			if _, ok := err.(errors.UnsupportedError); ok {
 				lastUnsupportedError = err
 				err = readToNextPublicKey(packets)
 			} else if _, ok := err.(errors.StructuralError); ok {
 				// Skip unreadable, badly-formatted keys
 				lastUnsupportedError = err
 				err = readToNextPublicKey(packets)
 			}
 			if err == io.EOF {
 				err = nil
 				break
 			}
 			if err != nil {
 				el = nil
 				break
 			}
 		} else {
 			el = append(el, e)
 		}
 	}
 	if len(el) == 0 && err == nil {
 		err = lastUnsupportedError
 	}
 	return
 }
 // readToNextPublicKey reads packets until the start of the entity and leaves
 // the first packet of the new entity in the Reader.
 func readToNextPublicKey(packets *packet.Reader) (err error) {
 	var p packet.Packet
 	for {
 		p, err = packets.Next()
 		if err == io.EOF {
 			return
 		} else if err != nil {
 			if _, ok := err.(errors.UnsupportedError); ok {
 				continue
 			}
 			return
 		}
 		if pk, ok := p.(*packet.PublicKey); ok && !pk.IsSubkey {
 			packets.Unread(p)
 			return
 		}
 	}
 }
 // ReadEntity reads an entity (public key, identities, subkeys etc) from the
 // given Reader.
 func ReadEntity(packets *packet.Reader) (*Entity, error) {
 	e := new(Entity)
 	e.Identities = make(map[string]*Identity)
 	p, err := packets.Next()
 	if err != nil {
 		return nil, err
 	}
 	var ok bool
 	if e.PrimaryKey, ok = p.(*packet.PublicKey); !ok {
 		if e.PrivateKey, ok = p.(*packet.PrivateKey); !ok {
 			packets.Unread(p)
 			return nil, errors.StructuralError("first packet was not a public/private key")
 		}
 		e.PrimaryKey = &e.PrivateKey.PublicKey
 	}
 	if !e.PrimaryKey.PubKeyAlgo.CanSign() {
 		return nil, errors.StructuralError("primary key cannot be used for signatures")
 	}
 	var revocations []*packet.Signature
 	var directSignatures []*packet.Signature
 EachPacket:
 	for {
 		p, err := packets.Next()
 		if err == io.EOF {
 			break
 		} else if err != nil {
 			return nil, err
 		}
 		switch pkt := p.(type) {
 		case *packet.UserId:
 			if err := addUserID(e, packets, pkt); err != nil {
 				return nil, err
 			}
 		case *packet.Signature:
 			if pkt.SigType == packet.SigTypeKeyRevocation {
 				revocations = append(revocations, pkt)
 			} else if pkt.SigType == packet.SigTypeDirectSignature {
 				directSignatures = append(directSignatures, pkt)
 			}
 			// Else, ignoring the signature as it does not follow anything
 			// we would know to attach it to.
 		case *packet.PrivateKey:
 			if !pkt.IsSubkey {
 				packets.Unread(p)
 				break EachPacket
 			}
 			err = addSubkey(e, packets, &pkt.PublicKey, pkt)
 			if err != nil {
 				return nil, err
 			}
 		case *packet.PublicKey:
 			if !pkt.IsSubkey {
 				packets.Unread(p)
 				break EachPacket
 			}
 			err = addSubkey(e, packets, pkt, nil)
 			if err != nil {
 				return nil, err
 			}
 		default:
 			// we ignore unknown packets.
 		}
 	}
 	if len(e.Identities) == 0 && e.PrimaryKey.Version < 6 {
 		return nil, errors.StructuralError(fmt.Sprintf("v%d entity without any identities", e.PrimaryKey.Version))
 	}
 	// An implementation MUST ensure that a valid direct-key signature is present before using a v6 key.
 	if e.PrimaryKey.Version == 6 {
 		if len(directSignatures) == 0 {
 			return nil, errors.StructuralError("v6 entity without a valid direct-key signature")
 		}
 		// Select main direct key signature.
 		var mainDirectKeySelfSignature *packet.Signature
 		for _, directSignature := range directSignatures {
 			if directSignature.SigType == packet.SigTypeDirectSignature &&
 				directSignature.CheckKeyIdOrFingerprint(e.PrimaryKey) &&
 				(mainDirectKeySelfSignature == nil ||
 					directSignature.CreationTime.After(mainDirectKeySelfSignature.CreationTime)) {
 				mainDirectKeySelfSignature = directSignature
 			}
 		}
 		if mainDirectKeySelfSignature == nil {
 			return nil, errors.StructuralError("no valid direct-key self-signature for v6 primary key found")
 		}
 		// Check that the main self-signature is valid.
 		err = e.PrimaryKey.VerifyDirectKeySignature(mainDirectKeySelfSignature)
 		if err != nil {
 			return nil, errors.StructuralError("invalid direct-key self-signature for v6 primary key")
 		}
 		e.SelfSignature = mainDirectKeySelfSignature
 		e.Signatures = directSignatures
 	}
 	for _, revocation := range revocations {
 		err = e.PrimaryKey.VerifyRevocationSignature(revocation)
 		if err == nil {
 			e.Revocations = append(e.Revocations, revocation)
 		} else {
 			// TODO: RFC 4880 5.2.3.15 defines revocation keys.
 			return nil, errors.StructuralError("revocation signature signed by alternate key")
 		}
 	}
 	return e, nil
 }
 func addUserID(e *Entity, packets *packet.Reader, pkt *packet.UserId) error {
 	// Make a new Identity object, that we might wind up throwing away.
 	// We'll only add it if we get a valid self-signature over this
 	// userID.
 	identity := new(Identity)
 	identity.Name = pkt.Id
 	identity.UserId = pkt
 	for {
 		p, err := packets.Next()
 		if err == io.EOF {
 			break
 		} else if err != nil {
 			return err
 		}
 		sig, ok := p.(*packet.Signature)
 		if !ok {
 			packets.Unread(p)
 			break
 		}
 		if sig.SigType != packet.SigTypeGenericCert &&
 			sig.SigType != packet.SigTypePersonaCert &&
 			sig.SigType != packet.SigTypeCasualCert &&
 			sig.SigType != packet.SigTypePositiveCert &&
 			sig.SigType != packet.SigTypeCertificationRevocation {
 			return errors.StructuralError("user ID signature with wrong type")
 		}
 		if sig.CheckKeyIdOrFingerprint(e.PrimaryKey) {
 			if err = e.PrimaryKey.VerifyUserIdSignature(pkt.Id, e.PrimaryKey, sig); err != nil {
 				return errors.StructuralError("user ID self-signature invalid: " + err.Error())
 			}
 			if sig.SigType == packet.SigTypeCertificationRevocation {
 				identity.Revocations = append(identity.Revocations, sig)
 			} else if identity.SelfSignature == nil || sig.CreationTime.After(identity.SelfSignature.CreationTime) {
 				identity.SelfSignature = sig
 			}
 			identity.Signatures = append(identity.Signatures, sig)
 			e.Identities[pkt.Id] = identity
 		} else {
 			identity.Signatures = append(identity.Signatures, sig)
 		}
 	}
 	return nil
 }
 func addSubkey(e *Entity, packets *packet.Reader, pub *packet.PublicKey, priv *packet.PrivateKey) error {
 	var subKey Subkey
 	subKey.PublicKey = pub
 	subKey.PrivateKey = priv
 	for {
 		p, err := packets.Next()
 		if err == io.EOF {
 			break
 		} else if err != nil {
 			return errors.StructuralError("subkey signature invalid: " + err.Error())
 		}
 		sig, ok := p.(*packet.Signature)
 		if !ok {
 			packets.Unread(p)
 			break
 		}
 		if sig.SigType != packet.SigTypeSubkeyBinding && sig.SigType != packet.SigTypeSubkeyRevocation {
 			return errors.StructuralError("subkey signature with wrong type")
 		}
 		if err := e.PrimaryKey.VerifyKeySignature(subKey.PublicKey, sig); err != nil {
 			return errors.StructuralError("subkey signature invalid: " + err.Error())
 		}
 		switch sig.SigType {
 		case packet.SigTypeSubkeyRevocation:
 			subKey.Revocations = append(subKey.Revocations, sig)
 		case packet.SigTypeSubkeyBinding:
 			if subKey.Sig == nil || sig.CreationTime.After(subKey.Sig.CreationTime) {
 				subKey.Sig = sig
 			}
 		}
 	}
 	if subKey.Sig == nil {
 		return errors.StructuralError("subkey packet not followed by signature")
 	}
 	e.Subkeys = append(e.Subkeys, subKey)
 	return nil
 }
 // SerializePrivate serializes an Entity, including private key material, but
 // excluding signatures from other entities, to the given Writer.
 // Identities and subkeys are re-signed in case they changed since NewEntry.
 // If config is nil, sensible defaults will be used.
 func (e *Entity) SerializePrivate(w io.Writer, config *packet.Config) (err error) {
 	if e.PrivateKey.Dummy() {
 		return errors.ErrDummyPrivateKey("dummy private key cannot re-sign identities")
 	}
 	return e.serializePrivate(w, config, true)
 }
 // SerializePrivateWithoutSigning serializes an Entity, including private key
 // material, but excluding signatures from other entities, to the given Writer.
 // Self-signatures of identities and subkeys are not re-signed. This is useful
 // when serializing GNU dummy keys, among other things.
 // If config is nil, sensible defaults will be used.
 func (e *Entity) SerializePrivateWithoutSigning(w io.Writer, config *packet.Config) (err error) {
 	return e.serializePrivate(w, config, false)
 }
 func (e *Entity) serializePrivate(w io.Writer, config *packet.Config, reSign bool) (err error) {
 	if e.PrivateKey == nil {
 		return goerrors.New("openpgp: private key is missing")
 	}
 	err = e.PrivateKey.Serialize(w)
 	if err != nil {
 		return
 	}
 	for _, revocation := range e.Revocations {
 		err := revocation.Serialize(w)
 		if err != nil {
 			return err
 		}
 	}
 	for _, directSignature := range e.Signatures {
 		err := directSignature.Serialize(w)
 		if err != nil {
 			return err
 		}
 	}
 	for _, ident := range e.Identities {
 		err = ident.UserId.Serialize(w)
 		if err != nil {
 			return
 		}
 		if reSign {
 			if ident.SelfSignature == nil {
 				return goerrors.New("openpgp: can't re-sign identity without valid self-signature")
 			}
 			err = ident.SelfSignature.SignUserId(ident.UserId.Id, e.PrimaryKey, e.PrivateKey, config)
 			if err != nil {
 				return
 			}
 		}
 		for _, sig := range ident.Signatures {
 			err = sig.Serialize(w)
 			if err != nil {
 				return err
 			}
 		}
 	}
 	for _, subkey := range e.Subkeys {
 		err = subkey.PrivateKey.Serialize(w)
 		if err != nil {
 			return
 		}
 		if reSign {
 			err = subkey.Sig.SignKey(subkey.PublicKey, e.PrivateKey, config)
 			if err != nil {
 				return
 			}
 			if subkey.Sig.EmbeddedSignature != nil {
 				err = subkey.Sig.EmbeddedSignature.CrossSignKey(subkey.PublicKey, e.PrimaryKey,
 					subkey.PrivateKey, config)
 				if err != nil {
 					return
 				}
 			}
 		}
 		for _, revocation := range subkey.Revocations {
 			err := revocation.Serialize(w)
 			if err != nil {
 				return err
 			}
 		}
 		err = subkey.Sig.Serialize(w)
 		if err != nil {
 			return
 		}
 	}
 	return nil
 }
 // Serialize writes the public part of the given Entity to w, including
 // signatures from other entities. No private key material will be output.
 func (e *Entity) Serialize(w io.Writer) error {
 	err := e.PrimaryKey.Serialize(w)
 	if err != nil {
 		return err
 	}
 	for _, revocation := range e.Revocations {
 		err := revocation.Serialize(w)
 		if err != nil {
 			return err
 		}
 	}
 	for _, directSignature := range e.Signatures {
 		err := directSignature.Serialize(w)
 		if err != nil {
 			return err
 		}
 	}
 	for _, ident := range e.Identities {
 		err = ident.UserId.Serialize(w)
 		if err != nil {
 			return err
 		}
 		for _, sig := range ident.Signatures {
 			err = sig.Serialize(w)
 			if err != nil {
 				return err
 			}
 		}
 	}
 	for _, subkey := range e.Subkeys {
 		err = subkey.PublicKey.Serialize(w)
 		if err != nil {
 			return err
 		}
 		for _, revocation := range subkey.Revocations {
 			err := revocation.Serialize(w)
 			if err != nil {
 				return err
 			}
 		}
 		err = subkey.Sig.Serialize(w)
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
 // SignIdentity adds a signature to e, from signer, attesting that identity is
 // associated with e. The provided identity must already be an element of
 // e.Identities and the private key of signer must have been decrypted if
 // necessary.
 // If config is nil, sensible defaults will be used.
 func (e *Entity) SignIdentity(identity string, signer *Entity, config *packet.Config) error {
 	certificationKey, ok := signer.CertificationKey(config.Now())
 	if !ok {
 		return errors.InvalidArgumentError("no valid certification key found")
 	}
 	if certificationKey.PrivateKey.Encrypted {
 		return errors.InvalidArgumentError("signing Entity's private key must be decrypted")
 	}
 	ident, ok := e.Identities[identity]
 	if !ok {
 		return errors.InvalidArgumentError("given identity string not found in Entity")
 	}
 	sig := createSignaturePacket(certificationKey.PublicKey, packet.SigTypeGenericCert, config)
 	signingUserID := config.SigningUserId()
 	if signingUserID != "" {
 		if _, ok := signer.Identities[signingUserID]; !ok {
 			return errors.InvalidArgumentError("signer identity string not found in signer Entity")
 		}
 		sig.SignerUserId = &signingUserID
 	}
 	if err := sig.SignUserId(identity, e.PrimaryKey, certificationKey.PrivateKey, config); err != nil {
 		return err
 	}
 	ident.Signatures = append(ident.Signatures, sig)
 	return nil
 }
 // RevokeKey generates a key revocation signature (packet.SigTypeKeyRevocation) with the
 // specified reason code and text (RFC4880 section-5.2.3.23).
 // If config is nil, sensible defaults will be used.
 func (e *Entity) RevokeKey(reason packet.ReasonForRevocation, reasonText string, config *packet.Config) error {
 	revSig := createSignaturePacket(e.PrimaryKey, packet.SigTypeKeyRevocation, config)
 	revSig.RevocationReason = &reason
 	revSig.RevocationReasonText = reasonText
 	if err := revSig.RevokeKey(e.PrimaryKey, e.PrivateKey, config); err != nil {
 		return err
 	}
 	e.Revocations = append(e.Revocations, revSig)
 	return nil
 }
 // RevokeSubkey generates a subkey revocation signature (packet.SigTypeSubkeyRevocation) for
 // a subkey with the specified reason code and text (RFC4880 section-5.2.3.23).
 // If config is nil, sensible defaults will be used.
 func (e *Entity) RevokeSubkey(sk *Subkey, reason packet.ReasonForRevocation, reasonText string, config *packet.Config) error {
 	if err := e.PrimaryKey.VerifyKeySignature(sk.PublicKey, sk.Sig); err != nil {
 		return errors.InvalidArgumentError("given subkey is not associated with this key")
 	}
 	revSig := createSignaturePacket(e.PrimaryKey, packet.SigTypeSubkeyRevocation, config)
 	revSig.RevocationReason = &reason
 	revSig.RevocationReasonText = reasonText
 	if err := revSig.RevokeSubkey(sk.PublicKey, e.PrivateKey, config); err != nil {
 		return err
 	}
 	sk.Revocations = append(sk.Revocations, revSig)
 	return nil
 }
 func (e *Entity) primaryDirectSignature() *packet.Signature {
 	return e.SelfSignature
 }
 // PrimarySelfSignature searches the entity for the self-signature that stores key preferences.
 // For V4 keys, returns the self-signature of the primary identity, and the identity.
 // For V6 keys, returns the latest valid direct-key self-signature, and no identity (nil).
 // This self-signature is to be used to check the key expiration,
 // algorithm preferences, and so on.
 func (e *Entity) PrimarySelfSignature() (*packet.Signature, *Identity) {
 	if e.PrimaryKey.Version == 6 {
 		return e.primaryDirectSignature(), nil
 	}
 	primaryIdentity := e.PrimaryIdentity()
 	if primaryIdentity == nil {
 		return nil, nil
 	}
 	return primaryIdentity.SelfSignature, primaryIdentity
 }
@@ -0,0 +1,67 @@
 // Copyright (C) 2019 ProtonTech AG
 package packet
 import "math/bits"
 // CipherSuite contains a combination of Cipher and Mode
 type CipherSuite struct {
 	// The cipher function
 	Cipher CipherFunction
 	// The AEAD mode of operation.
 	Mode AEADMode
 }
 // AEADConfig collects a number of AEAD parameters along with sensible defaults.
 // A nil AEADConfig is valid and results in all default values.
 type AEADConfig struct {
 	// The AEAD mode of operation.
 	DefaultMode AEADMode
 	// Amount of octets in each chunk of data
 	ChunkSize uint64
 }
 // Mode returns the AEAD mode of operation.
 func (conf *AEADConfig) Mode() AEADMode {
 	// If no preference is specified, OCB is used (which is mandatory to implement).
 	if conf == nil || conf.DefaultMode == 0 {
 		return AEADModeOCB
 	}
 	mode := conf.DefaultMode
 	if mode != AEADModeEAX && mode != AEADModeOCB && mode != AEADModeGCM {
 		panic("AEAD mode unsupported")
 	}
 	return mode
 }
 // ChunkSizeByte returns the byte indicating the chunk size. The effective
 // chunk size is computed with the formula uint64(1) << (chunkSizeByte + 6)
 // limit chunkSizeByte to 16 which equals to 2^22 = 4 MiB
 // https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.13.2
 func (conf *AEADConfig) ChunkSizeByte() byte {
 	if conf == nil || conf.ChunkSize == 0 {
 		return 12 // 1 << (12 + 6) == 262144 bytes
 	}
 	chunkSize := conf.ChunkSize
 	exponent := bits.Len64(chunkSize) - 1
 	switch {
 	case exponent < 6:
 		exponent = 6
 	case exponent > 22:
 		exponent = 22
 	}
 	return byte(exponent - 6)
 }
 // decodeAEADChunkSize returns the effective chunk size. In 32-bit systems, the
 // maximum returned value is 1 << 30.
 func decodeAEADChunkSize(c byte) int {
 	size := uint64(1 << (c + 6))
 	if size != uint64(int(size)) {
 		return 1 << 30
 	}
 	return int(size)
 }
@@ -0,0 +1,250 @@
 // Copyright (C) 2019 ProtonTech AG
 package packet
 import (
 	"crypto/cipher"
 	"encoding/binary"
 	"io"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 )
 // aeadCrypter is an AEAD opener/sealer, its configuration, and data for en/decryption.
 type aeadCrypter struct {
 	aead           cipher.AEAD
 	chunkSize      int
 	nonce          []byte
 	associatedData []byte       // Chunk-independent associated data
 	chunkIndex     []byte       // Chunk counter
 	packetTag      packetType   // SEIP packet (v2) or AEAD Encrypted Data packet
 	bytesProcessed int          // Amount of plaintext bytes encrypted/decrypted
 }
 // computeNonce takes the incremental index and computes an eXclusive OR with
 // the least significant 8 bytes of the receivers' initial nonce (see sec.
 // 5.16.1 and 5.16.2). It returns the resulting nonce.
 func (wo *aeadCrypter) computeNextNonce() (nonce []byte) {
 	if wo.packetTag == packetTypeSymmetricallyEncryptedIntegrityProtected {
 		return wo.nonce
 	}
 	nonce = make([]byte, len(wo.nonce))
 	copy(nonce, wo.nonce)
 	offset := len(wo.nonce) - 8
 	for i := 0; i < 8; i++ {
 		nonce[i+offset] ^= wo.chunkIndex[i]
 	}
 	return
 }
 // incrementIndex performs an integer increment by 1 of the integer represented by the
 // slice, modifying it accordingly.
 func (wo *aeadCrypter) incrementIndex() error {
 	index := wo.chunkIndex
 	if len(index) == 0 {
 		return errors.AEADError("Index has length 0")
 	}
 	for i := len(index) - 1; i >= 0; i-- {
 		if index[i] < 255 {
 			index[i]++
 			return nil
 		}
 		index[i] = 0
 	}
 	return errors.AEADError("cannot further increment index")
 }
 // aeadDecrypter reads and decrypts bytes. It buffers extra decrypted bytes when
 // necessary, similar to aeadEncrypter.
 type aeadDecrypter struct {
 	aeadCrypter           // Embedded ciphertext opener
 	reader      io.Reader // 'reader' is a partialLengthReader
 	chunkBytes  []byte
 	peekedBytes []byte    // Used to detect last chunk
 	buffer      []byte    // Buffered decrypted bytes
 }
 // Read decrypts bytes and reads them into dst. It decrypts when necessary and
 // buffers extra decrypted bytes. It returns the number of bytes copied into dst
 // and an error.
 func (ar *aeadDecrypter) Read(dst []byte) (n int, err error) {
 	// Return buffered plaintext bytes from previous calls
 	if len(ar.buffer) > 0 {
 		n = copy(dst, ar.buffer)
 		ar.buffer = ar.buffer[n:]
 		return
 	}
 	// Read a chunk
 	tagLen := ar.aead.Overhead()
 	copy(ar.chunkBytes, ar.peekedBytes) // Copy bytes peeked in previous chunk or in initialization
 	bytesRead, errRead := io.ReadFull(ar.reader, ar.chunkBytes[tagLen:])
 	if errRead != nil && errRead != io.EOF && errRead != io.ErrUnexpectedEOF {
 		return 0, errRead
 	}
 	if bytesRead > 0 {
 		ar.peekedBytes = ar.chunkBytes[bytesRead:bytesRead+tagLen]
 		decrypted, errChunk := ar.openChunk(ar.chunkBytes[:bytesRead])
 		if errChunk != nil {
 			return 0, errChunk
 		}
 		// Return decrypted bytes, buffering if necessary
 		n = copy(dst, decrypted)
 		ar.buffer = decrypted[n:]
 		return
 	}
 	return 0, io.EOF
 }
 // Close checks the final authentication tag of the stream.
 // In the future, this function could also be used to wipe the reader
 // and peeked & decrypted bytes, if necessary.
 func (ar *aeadDecrypter) Close() (err error) {
 	errChunk := ar.validateFinalTag(ar.peekedBytes)
 	if errChunk != nil {
 		return errChunk
 	}
 	return nil
 }
 // openChunk decrypts and checks integrity of an encrypted chunk, returning
 // the underlying plaintext and an error. It accesses peeked bytes from next
 // chunk, to identify the last chunk and decrypt/validate accordingly.
 func (ar *aeadDecrypter) openChunk(data []byte) ([]byte, error) {
 	adata := ar.associatedData
 	if ar.aeadCrypter.packetTag == packetTypeAEADEncrypted {
 		adata = append(ar.associatedData, ar.chunkIndex...)
 	}
 	nonce := ar.computeNextNonce()
 	plainChunk, err := ar.aead.Open(data[:0:len(data)], nonce, data, adata)
 	if err != nil {
 		return nil, errors.ErrAEADTagVerification
 	}
 	ar.bytesProcessed += len(plainChunk)
 	if err = ar.aeadCrypter.incrementIndex(); err != nil {
 		return nil, err
 	}
 	return plainChunk, nil
 }
 // Checks the summary tag. It takes into account the total decrypted bytes into
 // the associated data. It returns an error, or nil if the tag is valid.
 func (ar *aeadDecrypter) validateFinalTag(tag []byte) error {
 	// Associated: tag, version, cipher, aead, chunk size, ...
 	amountBytes := make([]byte, 8)
 	binary.BigEndian.PutUint64(amountBytes, uint64(ar.bytesProcessed))
 	adata := ar.associatedData
 	if ar.aeadCrypter.packetTag == packetTypeAEADEncrypted {
 		// ... index ...
 		adata = append(ar.associatedData, ar.chunkIndex...)
 	}
 	// ... and total number of encrypted octets
 	adata = append(adata, amountBytes...)
 	nonce := ar.computeNextNonce()
 	if _, err := ar.aead.Open(nil, nonce, tag, adata); err != nil {
 		return errors.ErrAEADTagVerification
 	}
 	return nil
 }
 // aeadEncrypter encrypts and writes bytes. It encrypts when necessary according
 // to the AEAD block size, and buffers the extra encrypted bytes for next write.
 type aeadEncrypter struct {
 	aeadCrypter                // Embedded plaintext sealer
 	writer      io.WriteCloser // 'writer' is a partialLengthWriter
 	chunkBytes  []byte
 	offset      int
 }
 // Write encrypts and writes bytes. It encrypts when necessary and buffers extra
 // plaintext bytes for next call. When the stream is finished, Close() MUST be
 // called to append the final tag.
 func (aw *aeadEncrypter) Write(plaintextBytes []byte) (n int, err error) {
 	for n != len(plaintextBytes) {
 		copied := copy(aw.chunkBytes[aw.offset:aw.chunkSize], plaintextBytes[n:])
 		n += copied
 		aw.offset += copied
 		if aw.offset == aw.chunkSize {
 			encryptedChunk, err := aw.sealChunk(aw.chunkBytes[:aw.offset])
 			if err != nil {
 				return n, err
 			}
 			_, err = aw.writer.Write(encryptedChunk)
 			if err != nil {
 				return n, err
 			}
 			aw.offset = 0
 		}
 	}
 	return
 }
 // Close encrypts and writes the remaining buffered plaintext if any, appends
 // the final authentication tag, and closes the embedded writer. This function
 // MUST be called at the end of a stream.
 func (aw *aeadEncrypter) Close() (err error) {
 	// Encrypt and write a chunk if there's buffered data left, or if we haven't
 	// written any chunks yet.
 	if aw.offset > 0 || aw.bytesProcessed == 0 {
 		lastEncryptedChunk, err := aw.sealChunk(aw.chunkBytes[:aw.offset])
 		if err != nil {
 			return err
 		}
 		_, err = aw.writer.Write(lastEncryptedChunk)
 		if err != nil {
 			return err
 		}
 	}
 	// Compute final tag (associated data: packet tag, version, cipher, aead,
 	// chunk size...
 	adata := aw.associatedData
 	if aw.aeadCrypter.packetTag == packetTypeAEADEncrypted {
 		// ... index ...
 		adata = append(aw.associatedData, aw.chunkIndex...)
 	}
 	// ... and total number of encrypted octets
 	amountBytes := make([]byte, 8)
 	binary.BigEndian.PutUint64(amountBytes, uint64(aw.bytesProcessed))
 	adata = append(adata, amountBytes...)
 	nonce := aw.computeNextNonce()
 	finalTag := aw.aead.Seal(nil, nonce, nil, adata)
 	_, err = aw.writer.Write(finalTag)
 	if err != nil {
 		return err
 	}
 	return aw.writer.Close()
 }
 // sealChunk Encrypts and authenticates the given chunk.
 func (aw *aeadEncrypter) sealChunk(data []byte) ([]byte, error) {
 	if len(data) > aw.chunkSize {
 		return nil, errors.AEADError("chunk exceeds maximum length")
 	}
 	if aw.associatedData == nil {
 		return nil, errors.AEADError("can't seal without headers")
 	}
 	adata := aw.associatedData
 	if aw.aeadCrypter.packetTag == packetTypeAEADEncrypted {
 		adata = append(aw.associatedData, aw.chunkIndex...)
 	}
 	nonce := aw.computeNextNonce()
 	encrypted := aw.aead.Seal(data[:0], nonce, data, adata)
 	aw.bytesProcessed += len(data)
 	if err := aw.aeadCrypter.incrementIndex(); err != nil {
 		return nil, err
 	}
 	return encrypted, nil
 }
@@ -0,0 +1,100 @@
 // Copyright (C) 2019 ProtonTech AG
 package packet
 import (
 	"io"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/algorithm"
 )
 // AEADEncrypted represents an AEAD Encrypted Packet.
 // See https://www.ietf.org/archive/id/draft-koch-openpgp-2015-rfc4880bis-00.html#name-aead-encrypted-data-packet-t
 type AEADEncrypted struct {
 	cipher        CipherFunction
 	mode          AEADMode
 	chunkSizeByte byte
 	Contents      io.Reader // Encrypted chunks and tags
 	initialNonce  []byte    // Referred to as IV in RFC4880-bis
 }
 // Only currently defined version
 const aeadEncryptedVersion = 1
 func (ae *AEADEncrypted) parse(buf io.Reader) error {
 	headerData := make([]byte, 4)
 	if n, err := io.ReadFull(buf, headerData); n < 4 {
 		return errors.AEADError("could not read aead header:" + err.Error())
 	}
 	// Read initial nonce
 	mode := AEADMode(headerData[2])
 	nonceLen := mode.IvLength()
 	// This packet supports only EAX and OCB
 	// https://www.ietf.org/archive/id/draft-koch-openpgp-2015-rfc4880bis-00.html#name-aead-encrypted-data-packet-t
 	if nonceLen == 0 || mode > AEADModeOCB {
 		return errors.AEADError("unknown mode")
 	}
 	initialNonce := make([]byte, nonceLen)
 	if n, err := io.ReadFull(buf, initialNonce); n < nonceLen {
 		return errors.AEADError("could not read aead nonce:" + err.Error())
 	}
 	ae.Contents = buf
 	ae.initialNonce = initialNonce
 	c := headerData[1]
 	if _, ok := algorithm.CipherById[c]; !ok {
 		return errors.UnsupportedError("unknown cipher: " + string(c))
 	}
 	ae.cipher = CipherFunction(c)
 	ae.mode = mode
 	ae.chunkSizeByte = headerData[3]
 	return nil
 }
 // Decrypt returns a io.ReadCloser from which decrypted bytes can be read, or
 // an error.
 func (ae *AEADEncrypted) Decrypt(ciph CipherFunction, key []byte) (io.ReadCloser, error) {
 	return ae.decrypt(key)
 }
 // decrypt prepares an aeadCrypter and returns a ReadCloser from which
 // decrypted bytes can be read (see aeadDecrypter.Read()).
 func (ae *AEADEncrypted) decrypt(key []byte) (io.ReadCloser, error) {
 	blockCipher := ae.cipher.new(key)
 	aead := ae.mode.new(blockCipher)
 	// Carry the first tagLen bytes
 	chunkSize := decodeAEADChunkSize(ae.chunkSizeByte)
 	tagLen := ae.mode.TagLength()
 	chunkBytes := make([]byte, chunkSize+tagLen*2)
 	peekedBytes := chunkBytes[chunkSize+tagLen:]
 	n, err := io.ReadFull(ae.Contents, peekedBytes)
 	if n < tagLen || (err != nil && err != io.EOF) {
 		return nil, errors.AEADError("Not enough data to decrypt:" + err.Error())
 	}
 	return &aeadDecrypter{
 		aeadCrypter: aeadCrypter{
 			aead:           aead,
 			chunkSize:      chunkSize,
 			nonce:          ae.initialNonce,
 			associatedData: ae.associatedData(),
 			chunkIndex:     make([]byte, 8),
 			packetTag:      packetTypeAEADEncrypted,
 		},
 		reader:      ae.Contents,
 		chunkBytes:  chunkBytes,
 		peekedBytes: peekedBytes,
 	}, nil
 }
 // associatedData for chunks: tag, version, cipher, mode, chunk size byte
 func (ae *AEADEncrypted) associatedData() []byte {
 	return []byte{
 		0xD4,
 		aeadEncryptedVersion,
 		byte(ae.cipher),
 		byte(ae.mode),
 		ae.chunkSizeByte}
 }
@@ -0,0 +1,192 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package packet
 import (
 	"compress/bzip2"
 	"compress/flate"
 	"compress/zlib"
 	"io"
 	"strconv"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 )
 // Compressed represents a compressed OpenPGP packet. The decompressed contents
 // will contain more OpenPGP packets. See RFC 4880, section 5.6.
 type Compressed struct {
 	Body io.Reader
 }
 const (
 	NoCompression      = flate.NoCompression
 	BestSpeed          = flate.BestSpeed
 	BestCompression    = flate.BestCompression
 	DefaultCompression = flate.DefaultCompression
 )
 // CompressionConfig contains compressor configuration settings.
 type CompressionConfig struct {
 	// Level is the compression level to use. It must be set to
 	// between -1 and 9, with -1 causing the compressor to use the
 	// default compression level, 0 causing the compressor to use
 	// no compression and 1 to 9 representing increasing (better,
 	// slower) compression levels. If Level is less than -1 or
 	// more then 9, a non-nil error will be returned during
 	// encryption. See the constants above for convenient common
 	// settings for Level.
 	Level int
 }
 // decompressionReader ensures that the whole compression packet is read.
 type decompressionReader struct {
 	compressed   io.Reader
 	decompressed io.ReadCloser
 	readAll      bool
 }
 func newDecompressionReader(r io.Reader, decompressor io.ReadCloser) *decompressionReader {
 	return &decompressionReader{
 		compressed:   r,
 		decompressed: decompressor,
 	}
 }
 func (dr *decompressionReader) Read(data []byte) (n int, err error) {
 	if dr.readAll {
 		return 0, io.EOF
 	}
 	n, err = dr.decompressed.Read(data)
 	if err == io.EOF {
 		dr.readAll = true
 		// Close the decompressor.
 		if errDec := dr.decompressed.Close(); errDec != nil {
 			return n, errDec
 		}
 		// Consume all remaining data from the compressed packet.
 		consumeAll(dr.compressed)
 	}
 	return n, err
 }
 func (c *Compressed) parse(r io.Reader) error {
 	var buf [1]byte
 	_, err := readFull(r, buf[:])
 	if err != nil {
 		return err
 	}
 	switch buf[0] {
 	case 0:
 		c.Body = r
 	case 1:
 		c.Body = newDecompressionReader(r, flate.NewReader(r))
 	case 2:
 		decompressor, err := zlib.NewReader(r)
 		if err != nil {
 			return err
 		}
 		c.Body = newDecompressionReader(r, decompressor)
 	case 3:
 		c.Body = newDecompressionReader(r, io.NopCloser(bzip2.NewReader(r)))
 	default:
 		err = errors.UnsupportedError("unknown compression algorithm: " + strconv.Itoa(int(buf[0])))
 	}
 	return err
 }
 // LimitedBodyReader wraps the provided body reader with a limiter that restricts
 // the number of bytes read to the specified limit.
 // If limit is nil, the reader is unbounded.
 func (c *Compressed) LimitedBodyReader(limit *int64) io.Reader {
 	if limit == nil {
 		return c.Body
 	}
 	return &LimitReader{R: c.Body, N: *limit}
 }
 // compressedWriterCloser represents the serialized compression stream
 // header and the compressor. Its Close() method ensures that both the
 // compressor and serialized stream header are closed. Its Write()
 // method writes to the compressor.
 type compressedWriteCloser struct {
 	sh io.Closer      // Stream Header
 	c  io.WriteCloser // Compressor
 }
 func (cwc compressedWriteCloser) Write(p []byte) (int, error) {
 	return cwc.c.Write(p)
 }
 func (cwc compressedWriteCloser) Close() (err error) {
 	err = cwc.c.Close()
 	if err != nil {
 		return err
 	}
 	return cwc.sh.Close()
 }
 // SerializeCompressed serializes a compressed data packet to w and
 // returns a WriteCloser to which the literal data packets themselves
 // can be written and which MUST be closed on completion. If cc is
 // nil, sensible defaults will be used to configure the compression
 // algorithm.
 func SerializeCompressed(w io.WriteCloser, algo CompressionAlgo, cc *CompressionConfig) (literaldata io.WriteCloser, err error) {
 	compressed, err := serializeStreamHeader(w, packetTypeCompressed)
 	if err != nil {
 		return
 	}
 	_, err = compressed.Write([]byte{uint8(algo)})
 	if err != nil {
 		return
 	}
 	level := DefaultCompression
 	if cc != nil {
 		level = cc.Level
 	}
 	var compressor io.WriteCloser
 	switch algo {
 	case CompressionZIP:
 		compressor, err = flate.NewWriter(compressed, level)
 	case CompressionZLIB:
 		compressor, err = zlib.NewWriterLevel(compressed, level)
 	default:
 		s := strconv.Itoa(int(algo))
 		err = errors.UnsupportedError("Unsupported compression algorithm: " + s)
 	}
 	if err != nil {
 		return
 	}
 	literaldata = compressedWriteCloser{compressed, compressor}
 	return
 }
 // LimitReader is an io.Reader that fails with MessageToLarge if read bytes exceed N.
 type LimitReader struct {
 	R io.Reader // underlying reader
 	N int64     // max bytes allowed
 }
 func (l *LimitReader) Read(p []byte) (int, error) {
 	if l.N <= 0 {
 		return 0, errors.ErrMessageTooLarge
 	}
 	n, err := l.R.Read(p)
 	l.N -= int64(n)
 	if err == nil && l.N <= 0 {
 		err = errors.ErrMessageTooLarge
 	}
 	return n, err
 }
@@ -0,0 +1,434 @@
 // Copyright 2012 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package packet
 import (
 	"crypto"
 	"crypto/rand"
 	"io"
 	"math/big"
 	"time"
 	"github.com/ProtonMail/go-crypto/openpgp/s2k"
 )
 var (
 	defaultRejectPublicKeyAlgorithms = map[PublicKeyAlgorithm]bool{
 		PubKeyAlgoElGamal: true,
 		PubKeyAlgoDSA:     true,
 	}
 	defaultRejectHashAlgorithms = map[crypto.Hash]bool{
 		crypto.MD5:       true,
 		crypto.RIPEMD160: true,
 	}
 	defaultRejectMessageHashAlgorithms = map[crypto.Hash]bool{
 		crypto.SHA1:      true,
 		crypto.MD5:       true,
 		crypto.RIPEMD160: true,
 	}
 	defaultRejectCurves = map[Curve]bool{
 		CurveSecP256k1: true,
 	}
 )
 // A global feature flag to indicate v5 support.
 // Can be set via a build tag, e.g.: `go build -tags v5 ./...`
 // If the build tag is missing config_v5.go will set it to true.
 //
 // Disables parsing of v5 keys and v5 signatures.
 // These are non-standard entities, which in the crypto-refresh have been superseded
 // by v6 keys, v6 signatures and SEIPDv2 encrypted data, respectively.
 var V5Disabled = false
 // Config collects a number of parameters along with sensible defaults.
 // A nil *Config is valid and results in all default values.
 type Config struct {
 	// Rand provides the source of entropy.
 	// If nil, the crypto/rand Reader is used.
 	Rand io.Reader
 	// DefaultHash is the default hash function to be used.
 	// If zero, SHA-256 is used.
 	DefaultHash crypto.Hash
 	// DefaultCipher is the cipher to be used.
 	// If zero, AES-128 is used.
 	DefaultCipher CipherFunction
 	// Time returns the current time as the number of seconds since the
 	// epoch. If Time is nil, time.Now is used.
 	Time func() time.Time
 	// DefaultCompressionAlgo is the compression algorithm to be
 	// applied to the plaintext before encryption. If zero, no
 	// compression is done.
 	DefaultCompressionAlgo CompressionAlgo
 	// CompressionConfig configures the compression settings.
 	CompressionConfig *CompressionConfig
 	// S2K (String to Key) config, used for key derivation in the context of secret key encryption
 	// and password-encrypted data.
 	// If nil, the default configuration is used
 	S2KConfig *s2k.Config
 	// Iteration count for Iterated S2K (String to Key).
 	// Only used if sk2.Mode is nil.
 	// This value is duplicated here from s2k.Config for backwards compatibility.
 	// It determines the strength of the passphrase stretching when
 	// the said passphrase is hashed to produce a key. S2KCount
 	// should be between 65536 and 65011712, inclusive. If Config
 	// is nil or S2KCount is 0, the value 16777216 used. Not all
 	// values in the above range can be represented. S2KCount will
 	// be rounded up to the next representable value if it cannot
 	// be encoded exactly. When set, it is strongly encrouraged to
 	// use a value that is at least 65536. See RFC 4880 Section
 	// 3.7.1.3.
 	//
 	// Deprecated: SK2Count should be configured in S2KConfig instead.
 	S2KCount int
 	// RSABits is the number of bits in new RSA keys made with NewEntity.
 	// If zero, then 2048 bit keys are created.
 	RSABits int
 	// The public key algorithm to use - will always create a signing primary
 	// key and encryption subkey.
 	Algorithm PublicKeyAlgorithm
 	// Some known primes that are optionally prepopulated by the caller
 	RSAPrimes []*big.Int
 	// Curve configures the desired packet.Curve if the Algorithm is PubKeyAlgoECDSA,
 	// PubKeyAlgoEdDSA, or PubKeyAlgoECDH. If empty Curve25519 is used.
 	Curve Curve
 	// AEADConfig configures the use of the new AEAD Encrypted Data Packet,
 	// defined in the draft of the next version of the OpenPGP specification.
 	// If a non-nil AEADConfig is passed, usage of this packet is enabled. By
 	// default, it is disabled. See the documentation of AEADConfig for more
 	// configuration options related to AEAD.
 	// **Note: using this option may break compatibility with other OpenPGP
 	// implementations, as well as future versions of this library.**
 	AEADConfig *AEADConfig
 	// V6Keys configures version 6 key generation. If false, this package still
 	// supports version 6 keys, but produces version 4 keys.
 	V6Keys bool
 	// Minimum RSA key size allowed for key generation and message signing, verification and encryption.
 	MinRSABits uint16
 	// Reject insecure algorithms, only works with v2 api
 	RejectPublicKeyAlgorithms   map[PublicKeyAlgorithm]bool
 	RejectHashAlgorithms        map[crypto.Hash]bool
 	RejectMessageHashAlgorithms map[crypto.Hash]bool
 	RejectCurves                map[Curve]bool
 	// "The validity period of the key.  This is the number of seconds after
 	// the key creation time that the key expires.  If this is not present
 	// or has a value of zero, the key never expires.  This is found only on
 	// a self-signature.""
 	// https://tools.ietf.org/html/rfc4880#section-5.2.3.6
 	KeyLifetimeSecs uint32
 	// "The validity period of the signature.  This is the number of seconds
 	// after the signature creation time that the signature expires.  If
 	// this is not present or has a value of zero, it never expires."
 	// https://tools.ietf.org/html/rfc4880#section-5.2.3.10
 	SigLifetimeSecs uint32
 	// SigningKeyId is used to specify the signing key to use (by Key ID).
 	// By default, the signing key is selected automatically, preferring
 	// signing subkeys if available.
 	SigningKeyId uint64
 	// SigningIdentity is used to specify a user ID (packet Signer's User ID, type 28)
 	// when producing a generic certification signature onto an existing user ID.
 	// The identity must be present in the signer Entity.
 	SigningIdentity string
 	// InsecureAllowUnauthenticatedMessages controls, whether it is tolerated to read
 	// encrypted messages without Modification Detection Code (MDC).
 	// MDC is mandated by the IETF OpenPGP Crypto Refresh draft and has long been implemented
 	// in most OpenPGP implementations. Messages without MDC are considered unnecessarily
 	// insecure and should be prevented whenever possible.
 	// In case one needs to deal with messages from very old OpenPGP implementations, there
 	// might be no other way than to tolerate the missing MDC. Setting this flag, allows this
 	// mode of operation. It should be considered a measure of last resort.
 	InsecureAllowUnauthenticatedMessages bool
 	// InsecureAllowDecryptionWithSigningKeys allows decryption with keys marked as signing keys in the v2 API.
 	// This setting is potentially insecure, but it is needed as some libraries
 	// ignored key flags when selecting a key for encryption.
 	// Not relevant for the v1 API, as all keys were allowed in decryption.
 	InsecureAllowDecryptionWithSigningKeys bool
 	// KnownNotations is a map of Notation Data names to bools, which controls
 	// the notation names that are allowed to be present in critical Notation Data
 	// signature subpackets.
 	KnownNotations map[string]bool
 	// SignatureNotations is a list of Notations to be added to any signatures.
 	SignatureNotations []*Notation
 	// CheckIntendedRecipients controls, whether the OpenPGP Intended Recipient Fingerprint feature
 	// should be enabled for encryption and decryption.
 	// (See https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-12.html#name-intended-recipient-fingerpr).
 	// When the flag is set, encryption produces Intended Recipient Fingerprint signature sub-packets and decryption
 	// checks whether the key it was encrypted to is one of the included fingerprints in the signature.
 	// If the flag is disabled, no Intended Recipient Fingerprint sub-packets are created or checked.
 	// The default behavior, when the config or flag is nil, is to enable the feature.
 	CheckIntendedRecipients *bool
 	// CacheSessionKey controls if decryption should return the session key used for decryption.
 	// If the flag is set, the session key is cached in the message details struct.
 	CacheSessionKey bool
 	// CheckPacketSequence is a flag that controls if the pgp message reader should strictly check
 	// that the packet sequence conforms with the grammar mandated by rfc4880.
 	// The default behavior, when the config or flag is nil, is to check the packet sequence.
 	CheckPacketSequence *bool
 	// NonDeterministicSignaturesViaNotation is a flag to enable randomization of signatures.
 	// If true, a salt notation is used to randomize signatures generated by v4 and v5 keys
 	// (v6 signatures are always non-deterministic, by design).
 	// This protects EdDSA signatures from potentially leaking the secret key in case of faults (i.e. bitflips) which, in principle, could occur
 	// during the signing computation. It is added to signatures of any algo for simplicity, and as it may also serve as protection in case of
 	// weaknesses in the hash algo, potentially hindering e.g. some chosen-prefix attacks.
 	// The default behavior, when the config or flag is nil, is to enable the feature.
 	NonDeterministicSignaturesViaNotation *bool
 	// InsecureAllowAllKeyFlagsWhenMissing determines how a key without valid key flags is handled.
 	// When set to true, a key without flags is treated as if all flags are enabled.
 	// This behavior is consistent with GPG.
 	InsecureAllowAllKeyFlagsWhenMissing bool
 	// MaxDecompressedMessageSize specifies the maximum number of bytes that can be
 	// read from a compressed packet. This serves as an upper limit to prevent
 	// excessively large decompressed messages.
 	MaxDecompressedMessageSize *int64
 }
 func (c *Config) Random() io.Reader {
 	if c == nil || c.Rand == nil {
 		return rand.Reader
 	}
 	return c.Rand
 }
 func (c *Config) Hash() crypto.Hash {
 	if c == nil || uint(c.DefaultHash) == 0 {
 		return crypto.SHA256
 	}
 	return c.DefaultHash
 }
 func (c *Config) Cipher() CipherFunction {
 	if c == nil || uint8(c.DefaultCipher) == 0 {
 		return CipherAES128
 	}
 	return c.DefaultCipher
 }
 func (c *Config) Now() time.Time {
 	if c == nil || c.Time == nil {
 		return time.Now().Truncate(time.Second)
 	}
 	return c.Time().Truncate(time.Second)
 }
 // KeyLifetime returns the validity period of the key.
 func (c *Config) KeyLifetime() uint32 {
 	if c == nil {
 		return 0
 	}
 	return c.KeyLifetimeSecs
 }
 // SigLifetime returns the validity period of the signature.
 func (c *Config) SigLifetime() uint32 {
 	if c == nil {
 		return 0
 	}
 	return c.SigLifetimeSecs
 }
 func (c *Config) Compression() CompressionAlgo {
 	if c == nil {
 		return CompressionNone
 	}
 	return c.DefaultCompressionAlgo
 }
 func (c *Config) RSAModulusBits() int {
 	if c == nil || c.RSABits == 0 {
 		return 2048
 	}
 	return c.RSABits
 }
 func (c *Config) PublicKeyAlgorithm() PublicKeyAlgorithm {
 	if c == nil || c.Algorithm == 0 {
 		return PubKeyAlgoRSA
 	}
 	return c.Algorithm
 }
 func (c *Config) CurveName() Curve {
 	if c == nil || c.Curve == "" {
 		return Curve25519
 	}
 	return c.Curve
 }
 // Deprecated: The hash iterations should now be queried via the S2K() method.
 func (c *Config) PasswordHashIterations() int {
 	if c == nil || c.S2KCount == 0 {
 		return 0
 	}
 	return c.S2KCount
 }
 func (c *Config) S2K() *s2k.Config {
 	if c == nil {
 		return nil
 	}
 	// for backwards compatibility
 	if c.S2KCount > 0 && c.S2KConfig == nil {
 		return &s2k.Config{
 			S2KCount: c.S2KCount,
 		}
 	}
 	return c.S2KConfig
 }
 func (c *Config) AEAD() *AEADConfig {
 	if c == nil {
 		return nil
 	}
 	return c.AEADConfig
 }
 func (c *Config) SigningKey() uint64 {
 	if c == nil {
 		return 0
 	}
 	return c.SigningKeyId
 }
 func (c *Config) SigningUserId() string {
 	if c == nil {
 		return ""
 	}
 	return c.SigningIdentity
 }
 func (c *Config) AllowUnauthenticatedMessages() bool {
 	if c == nil {
 		return false
 	}
 	return c.InsecureAllowUnauthenticatedMessages
 }
 func (c *Config) AllowDecryptionWithSigningKeys() bool {
 	if c == nil {
 		return false
 	}
 	return c.InsecureAllowDecryptionWithSigningKeys
 }
 func (c *Config) KnownNotation(notationName string) bool {
 	if c == nil {
 		return false
 	}
 	return c.KnownNotations[notationName]
 }
 func (c *Config) Notations() []*Notation {
 	if c == nil {
 		return nil
 	}
 	return c.SignatureNotations
 }
 func (c *Config) V6() bool {
 	if c == nil {
 		return false
 	}
 	return c.V6Keys
 }
 func (c *Config) IntendedRecipients() bool {
 	if c == nil || c.CheckIntendedRecipients == nil {
 		return true
 	}
 	return *c.CheckIntendedRecipients
 }
 func (c *Config) RetrieveSessionKey() bool {
 	if c == nil {
 		return false
 	}
 	return c.CacheSessionKey
 }
 func (c *Config) MinimumRSABits() uint16 {
 	if c == nil || c.MinRSABits == 0 {
 		return 2047
 	}
 	return c.MinRSABits
 }
 func (c *Config) RejectPublicKeyAlgorithm(alg PublicKeyAlgorithm) bool {
 	var rejectedAlgorithms map[PublicKeyAlgorithm]bool
 	if c == nil || c.RejectPublicKeyAlgorithms == nil {
 		// Default
 		rejectedAlgorithms = defaultRejectPublicKeyAlgorithms
 	} else {
 		rejectedAlgorithms = c.RejectPublicKeyAlgorithms
 	}
 	return rejectedAlgorithms[alg]
 }
 func (c *Config) RejectHashAlgorithm(hash crypto.Hash) bool {
 	var rejectedAlgorithms map[crypto.Hash]bool
 	if c == nil || c.RejectHashAlgorithms == nil {
 		// Default
 		rejectedAlgorithms = defaultRejectHashAlgorithms
 	} else {
 		rejectedAlgorithms = c.RejectHashAlgorithms
 	}
 	return rejectedAlgorithms[hash]
 }
 func (c *Config) RejectMessageHashAlgorithm(hash crypto.Hash) bool {
 	var rejectedAlgorithms map[crypto.Hash]bool
 	if c == nil || c.RejectMessageHashAlgorithms == nil {
 		// Default
 		rejectedAlgorithms = defaultRejectMessageHashAlgorithms
 	} else {
 		rejectedAlgorithms = c.RejectMessageHashAlgorithms
 	}
 	return rejectedAlgorithms[hash]
 }
 func (c *Config) RejectCurve(curve Curve) bool {
 	var rejectedCurve map[Curve]bool
 	if c == nil || c.RejectCurves == nil {
 		// Default
 		rejectedCurve = defaultRejectCurves
 	} else {
 		rejectedCurve = c.RejectCurves
 	}
 	return rejectedCurve[curve]
 }
 func (c *Config) StrictPacketSequence() bool {
 	if c == nil || c.CheckPacketSequence == nil {
 		return true
 	}
 	return *c.CheckPacketSequence
 }
 func (c *Config) RandomizeSignaturesViaNotation() bool {
 	if c == nil || c.NonDeterministicSignaturesViaNotation == nil {
 		return true
 	}
 	return *c.NonDeterministicSignaturesViaNotation
 }
 func (c *Config) AllowAllKeyFlagsWhenMissing() bool {
 	if c == nil {
 		return false
 	}
 	return c.InsecureAllowAllKeyFlagsWhenMissing
 }
 func (c *Config) DecompressedMessageSizeLimit() *int64 {
 	if c == nil {
 		return nil
 	}
 	return c.MaxDecompressedMessageSize
 }
 // BoolPointer is a helper function to set a boolean pointer in the Config.
 // e.g., config.CheckPacketSequence = BoolPointer(true)
 func BoolPointer(value bool) *bool {
 	return &value
 }
@@ -0,0 +1,7 @@
 //go:build !v5
 package packet
 func init() {
 	V5Disabled = true
 }
@@ -0,0 +1,584 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package packet
 import (
 	"bytes"
 	"crypto"
 	"crypto/rsa"
 	"encoding/binary"
 	"encoding/hex"
 	"io"
 	"math/big"
 	"strconv"
 	"github.com/ProtonMail/go-crypto/openpgp/ecdh"
 	"github.com/ProtonMail/go-crypto/openpgp/elgamal"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/encoding"
 	"github.com/ProtonMail/go-crypto/openpgp/x25519"
 	"github.com/ProtonMail/go-crypto/openpgp/x448"
 )
 // EncryptedKey represents a public-key encrypted session key. See RFC 4880,
 // section 5.1.
 type EncryptedKey struct {
 	Version        int
 	KeyId          uint64
 	KeyVersion     int    // v6
 	KeyFingerprint []byte // v6
 	Algo           PublicKeyAlgorithm
 	CipherFunc     CipherFunction // only valid after a successful Decrypt for a v3 packet
 	Key            []byte         // only valid after a successful Decrypt
 	encryptedMPI1, encryptedMPI2 encoding.Field
 	ephemeralPublicX25519        *x25519.PublicKey // used for x25519
 	ephemeralPublicX448          *x448.PublicKey   // used for x448
 	encryptedSession             []byte            // used for x25519 and x448
 }
 func (e *EncryptedKey) parse(r io.Reader) (err error) {
 	var buf [8]byte
 	_, err = readFull(r, buf[:versionSize])
 	if err != nil {
 		return
 	}
 	e.Version = int(buf[0])
 	if e.Version != 3 && e.Version != 6 {
 		return errors.UnsupportedError("unknown EncryptedKey version " + strconv.Itoa(int(buf[0])))
 	}
 	if e.Version == 6 {
 		//Read a one-octet size of the following two fields.
 		if _, err = readFull(r, buf[:1]); err != nil {
 			return
 		}
 		// The size may also be zero, and the key version and
 		// fingerprint omitted for an "anonymous recipient"
 		if buf[0] != 0 {
 			// non-anonymous case
 			_, err = readFull(r, buf[:versionSize])
 			if err != nil {
 				return
 			}
 			e.KeyVersion = int(buf[0])
 			if e.KeyVersion != 4 && e.KeyVersion != 6 {
 				return errors.UnsupportedError("unknown public key version " + strconv.Itoa(e.KeyVersion))
 			}
 			var fingerprint []byte
 			if e.KeyVersion == 6 {
 				fingerprint = make([]byte, fingerprintSizeV6)
 			} else if e.KeyVersion == 4 {
 				fingerprint = make([]byte, fingerprintSize)
 			}
 			_, err = readFull(r, fingerprint)
 			if err != nil {
 				return
 			}
 			e.KeyFingerprint = fingerprint
 			if e.KeyVersion == 6 {
 				e.KeyId = binary.BigEndian.Uint64(e.KeyFingerprint[:keyIdSize])
 			} else if e.KeyVersion == 4 {
 				e.KeyId = binary.BigEndian.Uint64(e.KeyFingerprint[fingerprintSize-keyIdSize : fingerprintSize])
 			}
 		}
 	} else {
 		_, err = readFull(r, buf[:8])
 		if err != nil {
 			return
 		}
 		e.KeyId = binary.BigEndian.Uint64(buf[:keyIdSize])
 	}
 	_, err = readFull(r, buf[:1])
 	if err != nil {
 		return
 	}
 	e.Algo = PublicKeyAlgorithm(buf[0])
 	var cipherFunction byte
 	switch e.Algo {
 	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
 		e.encryptedMPI1 = new(encoding.MPI)
 		if _, err = e.encryptedMPI1.ReadFrom(r); err != nil {
 			return
 		}
 	case PubKeyAlgoElGamal:
 		e.encryptedMPI1 = new(encoding.MPI)
 		if _, err = e.encryptedMPI1.ReadFrom(r); err != nil {
 			return
 		}
 		e.encryptedMPI2 = new(encoding.MPI)
 		if _, err = e.encryptedMPI2.ReadFrom(r); err != nil {
 			return
 		}
 	case PubKeyAlgoECDH:
 		e.encryptedMPI1 = new(encoding.MPI)
 		if _, err = e.encryptedMPI1.ReadFrom(r); err != nil {
 			return
 		}
 		e.encryptedMPI2 = new(encoding.OID)
 		if _, err = e.encryptedMPI2.ReadFrom(r); err != nil {
 			return
 		}
 	case PubKeyAlgoX25519:
 		e.ephemeralPublicX25519, e.encryptedSession, cipherFunction, err = x25519.DecodeFields(r, e.Version == 6)
 		if err != nil {
 			return
 		}
 	case PubKeyAlgoX448:
 		e.ephemeralPublicX448, e.encryptedSession, cipherFunction, err = x448.DecodeFields(r, e.Version == 6)
 		if err != nil {
 			return
 		}
 	}
 	if e.Version < 6 {
 		switch e.Algo {
 		case PubKeyAlgoX25519, PubKeyAlgoX448:
 			e.CipherFunc = CipherFunction(cipherFunction)
 			// Check for validiy is in the Decrypt method
 		}
 	}
 	_, err = consumeAll(r)
 	return
 }
 // Decrypt decrypts an encrypted session key with the given private key. The
 // private key must have been decrypted first.
 // If config is nil, sensible defaults will be used.
 func (e *EncryptedKey) Decrypt(priv *PrivateKey, config *Config) error {
 	if e.Version < 6 && e.KeyId != 0 && e.KeyId != priv.KeyId {
 		return errors.InvalidArgumentError("cannot decrypt encrypted session key for key id " + strconv.FormatUint(e.KeyId, 16) + " with private key id " + strconv.FormatUint(priv.KeyId, 16))
 	}
 	if e.Version == 6 && e.KeyVersion != 0 && !bytes.Equal(e.KeyFingerprint, priv.Fingerprint) {
 		return errors.InvalidArgumentError("cannot decrypt encrypted session key for key fingerprint " + hex.EncodeToString(e.KeyFingerprint) + " with private key fingerprint " + hex.EncodeToString(priv.Fingerprint))
 	}
 	if e.Algo != priv.PubKeyAlgo {
 		return errors.InvalidArgumentError("cannot decrypt encrypted session key of type " + strconv.Itoa(int(e.Algo)) + " with private key of type " + strconv.Itoa(int(priv.PubKeyAlgo)))
 	}
 	if priv.Dummy() {
 		return errors.ErrDummyPrivateKey("dummy key found")
 	}
 	var err error
 	var b []byte
 	// TODO(agl): use session key decryption routines here to avoid
 	// padding oracle attacks.
 	switch priv.PubKeyAlgo {
 	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
 		// Supports both *rsa.PrivateKey and crypto.Decrypter
 		k := priv.PrivateKey.(crypto.Decrypter)
 		b, err = k.Decrypt(config.Random(), padToKeySize(k.Public().(*rsa.PublicKey), e.encryptedMPI1.Bytes()), nil)
 	case PubKeyAlgoElGamal:
 		c1 := new(big.Int).SetBytes(e.encryptedMPI1.Bytes())
 		c2 := new(big.Int).SetBytes(e.encryptedMPI2.Bytes())
 		b, err = elgamal.Decrypt(priv.PrivateKey.(*elgamal.PrivateKey), c1, c2)
 	case PubKeyAlgoECDH:
 		vsG := e.encryptedMPI1.Bytes()
 		m := e.encryptedMPI2.Bytes()
 		oid := priv.PublicKey.oid.EncodedBytes()
 		fp := priv.PublicKey.Fingerprint[:]
 		if priv.PublicKey.Version == 5 {
 			// For v5 the, the fingerprint must be restricted to 20 bytes
 			fp = fp[:20]
 		}
 		b, err = ecdh.Decrypt(priv.PrivateKey.(*ecdh.PrivateKey), vsG, m, oid, fp)
 	case PubKeyAlgoX25519:
 		b, err = x25519.Decrypt(priv.PrivateKey.(*x25519.PrivateKey), e.ephemeralPublicX25519, e.encryptedSession)
 	case PubKeyAlgoX448:
 		b, err = x448.Decrypt(priv.PrivateKey.(*x448.PrivateKey), e.ephemeralPublicX448, e.encryptedSession)
 	default:
 		err = errors.InvalidArgumentError("cannot decrypt encrypted session key with private key of type " + strconv.Itoa(int(priv.PubKeyAlgo)))
 	}
 	if err != nil {
 		return err
 	}
 	var key []byte
 	switch priv.PubKeyAlgo {
 	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoElGamal, PubKeyAlgoECDH:
 		keyOffset := 0
 		if e.Version < 6 {
 			e.CipherFunc = CipherFunction(b[0])
 			keyOffset = 1
 			if !e.CipherFunc.IsSupported() {
 				return errors.UnsupportedError("unsupported encryption function")
 			}
 		}
 		key, err = decodeChecksumKey(b[keyOffset:])
 		if err != nil {
 			return err
 		}
 	case PubKeyAlgoX25519, PubKeyAlgoX448:
 		if e.Version < 6 {
 			switch e.CipherFunc {
 			case CipherAES128, CipherAES192, CipherAES256:
 				break
 			default:
 				return errors.StructuralError("v3 PKESK mandates AES as cipher function for x25519 and x448")
 			}
 		}
 		key = b[:]
 	default:
 		return errors.UnsupportedError("unsupported algorithm for decryption")
 	}
 	e.Key = key
 	return nil
 }
 // Serialize writes the encrypted key packet, e, to w.
 func (e *EncryptedKey) Serialize(w io.Writer) error {
 	var encodedLength int
 	switch e.Algo {
 	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
 		encodedLength = int(e.encryptedMPI1.EncodedLength())
 	case PubKeyAlgoElGamal:
 		encodedLength = int(e.encryptedMPI1.EncodedLength()) + int(e.encryptedMPI2.EncodedLength())
 	case PubKeyAlgoECDH:
 		encodedLength = int(e.encryptedMPI1.EncodedLength()) + int(e.encryptedMPI2.EncodedLength())
 	case PubKeyAlgoX25519:
 		encodedLength = x25519.EncodedFieldsLength(e.encryptedSession, e.Version == 6)
 	case PubKeyAlgoX448:
 		encodedLength = x448.EncodedFieldsLength(e.encryptedSession, e.Version == 6)
 	default:
 		return errors.InvalidArgumentError("don't know how to serialize encrypted key type " + strconv.Itoa(int(e.Algo)))
 	}
 	packetLen := versionSize /* version */ + keyIdSize /* key id */ + algorithmSize /* algo */ + encodedLength
 	if e.Version == 6 {
 		packetLen = versionSize /* version */ + algorithmSize /* algo */ + encodedLength + keyVersionSize /* key version */
 		if e.KeyVersion == 6 {
 			packetLen += fingerprintSizeV6
 		} else if e.KeyVersion == 4 {
 			packetLen += fingerprintSize
 		}
 	}
 	err := serializeHeader(w, packetTypeEncryptedKey, packetLen)
 	if err != nil {
 		return err
 	}
 	_, err = w.Write([]byte{byte(e.Version)})
 	if err != nil {
 		return err
 	}
 	if e.Version == 6 {
 		_, err = w.Write([]byte{byte(e.KeyVersion)})
 		if err != nil {
 			return err
 		}
 		// The key version number may also be zero,
 		// and the fingerprint omitted
 		if e.KeyVersion != 0 {
 			_, err = w.Write(e.KeyFingerprint)
 			if err != nil {
 				return err
 			}
 		}
 	} else {
 		// Write KeyID
 		err = binary.Write(w, binary.BigEndian, e.KeyId)
 		if err != nil {
 			return err
 		}
 	}
 	_, err = w.Write([]byte{byte(e.Algo)})
 	if err != nil {
 		return err
 	}
 	switch e.Algo {
 	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
 		_, err := w.Write(e.encryptedMPI1.EncodedBytes())
 		return err
 	case PubKeyAlgoElGamal:
 		if _, err := w.Write(e.encryptedMPI1.EncodedBytes()); err != nil {
 			return err
 		}
 		_, err := w.Write(e.encryptedMPI2.EncodedBytes())
 		return err
 	case PubKeyAlgoECDH:
 		if _, err := w.Write(e.encryptedMPI1.EncodedBytes()); err != nil {
 			return err
 		}
 		_, err := w.Write(e.encryptedMPI2.EncodedBytes())
 		return err
 	case PubKeyAlgoX25519:
 		err := x25519.EncodeFields(w, e.ephemeralPublicX25519, e.encryptedSession, byte(e.CipherFunc), e.Version == 6)
 		return err
 	case PubKeyAlgoX448:
 		err := x448.EncodeFields(w, e.ephemeralPublicX448, e.encryptedSession, byte(e.CipherFunc), e.Version == 6)
 		return err
 	default:
 		panic("internal error")
 	}
 }
 // SerializeEncryptedKeyAEAD serializes an encrypted key packet to w that contains
 // key, encrypted to pub.
 // If aeadSupported is set, PKESK v6 is used, otherwise v3.
 // Note: aeadSupported MUST match the value passed to SerializeSymmetricallyEncrypted.
 // If config is nil, sensible defaults will be used.
 func SerializeEncryptedKeyAEAD(w io.Writer, pub *PublicKey, cipherFunc CipherFunction, aeadSupported bool, key []byte, config *Config) error {
 	return SerializeEncryptedKeyAEADwithHiddenOption(w, pub, cipherFunc, aeadSupported, key, false, config)
 }
 // SerializeEncryptedKeyAEADwithHiddenOption serializes an encrypted key packet to w that contains
 // key, encrypted to pub.
 // Offers the hidden flag option to indicated if the PKESK packet should include a wildcard KeyID.
 // If aeadSupported is set, PKESK v6 is used, otherwise v3.
 // Note: aeadSupported MUST match the value passed to SerializeSymmetricallyEncrypted.
 // If config is nil, sensible defaults will be used.
 func SerializeEncryptedKeyAEADwithHiddenOption(w io.Writer, pub *PublicKey, cipherFunc CipherFunction, aeadSupported bool, key []byte, hidden bool, config *Config) error {
 	var buf [36]byte // max possible header size is v6
 	lenHeaderWritten := versionSize
 	version := 3
 	if aeadSupported {
 		version = 6
 	}
 	// An implementation MUST NOT generate ElGamal v6 PKESKs.
 	if version == 6 && pub.PubKeyAlgo == PubKeyAlgoElGamal {
 		return errors.InvalidArgumentError("ElGamal v6 PKESK are not allowed")
 	}
 	// In v3 PKESKs, for x25519 and x448, mandate using AES
 	if version == 3 && (pub.PubKeyAlgo == PubKeyAlgoX25519 || pub.PubKeyAlgo == PubKeyAlgoX448) {
 		switch cipherFunc {
 		case CipherAES128, CipherAES192, CipherAES256:
 			break
 		default:
 			return errors.InvalidArgumentError("v3 PKESK mandates AES for x25519 and x448")
 		}
 	}
 	buf[0] = byte(version)
 	// If hidden is set, the key should be hidden
 	// An implementation MAY accept or use a Key ID of all zeros,
 	// or a key version of zero and no key fingerprint, to hide the intended decryption key.
 	// See Section 5.1.8. in the open pgp crypto refresh
 	if version == 6 {
 		if !hidden {
 			// A one-octet size of the following two fields.
 			buf[1] = byte(keyVersionSize + len(pub.Fingerprint))
 			// A one octet key version number.
 			buf[2] = byte(pub.Version)
 			lenHeaderWritten += keyVersionSize + 1
 			// The fingerprint of the public key
 			copy(buf[lenHeaderWritten:lenHeaderWritten+len(pub.Fingerprint)], pub.Fingerprint)
 			lenHeaderWritten += len(pub.Fingerprint)
 		} else {
 			// The size may also be zero, and the key version
 			// and fingerprint omitted for an "anonymous recipient"
 			buf[1] = 0
 			lenHeaderWritten += 1
 		}
 	} else {
 		if !hidden {
 			binary.BigEndian.PutUint64(buf[versionSize:(versionSize+keyIdSize)], pub.KeyId)
 		}
 		lenHeaderWritten += keyIdSize
 	}
 	buf[lenHeaderWritten] = byte(pub.PubKeyAlgo)
 	lenHeaderWritten += algorithmSize
 	var keyBlock []byte
 	switch pub.PubKeyAlgo {
 	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoElGamal, PubKeyAlgoECDH:
 		lenKeyBlock := len(key) + 2
 		if version < 6 {
 			lenKeyBlock += 1 // cipher type included
 		}
 		keyBlock = make([]byte, lenKeyBlock)
 		keyOffset := 0
 		if version < 6 {
 			keyBlock[0] = byte(cipherFunc)
 			keyOffset = 1
 		}
 		encodeChecksumKey(keyBlock[keyOffset:], key)
 	case PubKeyAlgoX25519, PubKeyAlgoX448:
 		// algorithm is added in plaintext below
 		keyBlock = key
 	}
 	switch pub.PubKeyAlgo {
 	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly:
 		return serializeEncryptedKeyRSA(w, config.Random(), buf[:lenHeaderWritten], pub.PublicKey.(*rsa.PublicKey), keyBlock)
 	case PubKeyAlgoElGamal:
 		return serializeEncryptedKeyElGamal(w, config.Random(), buf[:lenHeaderWritten], pub.PublicKey.(*elgamal.PublicKey), keyBlock)
 	case PubKeyAlgoECDH:
 		return serializeEncryptedKeyECDH(w, config.Random(), buf[:lenHeaderWritten], pub.PublicKey.(*ecdh.PublicKey), keyBlock, pub.oid, pub.Fingerprint)
 	case PubKeyAlgoX25519:
 		return serializeEncryptedKeyX25519(w, config.Random(), buf[:lenHeaderWritten], pub.PublicKey.(*x25519.PublicKey), keyBlock, byte(cipherFunc), version)
 	case PubKeyAlgoX448:
 		return serializeEncryptedKeyX448(w, config.Random(), buf[:lenHeaderWritten], pub.PublicKey.(*x448.PublicKey), keyBlock, byte(cipherFunc), version)
 	case PubKeyAlgoDSA, PubKeyAlgoRSASignOnly:
 		return errors.InvalidArgumentError("cannot encrypt to public key of type " + strconv.Itoa(int(pub.PubKeyAlgo)))
 	}
 	return errors.UnsupportedError("encrypting a key to public key of type " + strconv.Itoa(int(pub.PubKeyAlgo)))
 }
 // SerializeEncryptedKey serializes an encrypted key packet to w that contains
 // key, encrypted to pub.
 // PKESKv6 is used if config.AEAD() is not nil.
 // If config is nil, sensible defaults will be used.
 // Deprecated: Use SerializeEncryptedKeyAEAD instead.
 func SerializeEncryptedKey(w io.Writer, pub *PublicKey, cipherFunc CipherFunction, key []byte, config *Config) error {
 	return SerializeEncryptedKeyAEAD(w, pub, cipherFunc, config.AEAD() != nil, key, config)
 }
 // SerializeEncryptedKeyWithHiddenOption serializes an encrypted key packet to w that contains
 // key, encrypted to pub. PKESKv6 is used if config.AEAD() is not nil.
 // The hidden option controls if the packet should be anonymous, i.e., omit key metadata.
 // If config is nil, sensible defaults will be used.
 // Deprecated: Use SerializeEncryptedKeyAEADwithHiddenOption instead.
 func SerializeEncryptedKeyWithHiddenOption(w io.Writer, pub *PublicKey, cipherFunc CipherFunction, key []byte, hidden bool, config *Config) error {
 	return SerializeEncryptedKeyAEADwithHiddenOption(w, pub, cipherFunc, config.AEAD() != nil, key, hidden, config)
 }
 func serializeEncryptedKeyRSA(w io.Writer, rand io.Reader, header []byte, pub *rsa.PublicKey, keyBlock []byte) error {
 	cipherText, err := rsa.EncryptPKCS1v15(rand, pub, keyBlock)
 	if err != nil {
 		return errors.InvalidArgumentError("RSA encryption failed: " + err.Error())
 	}
 	cipherMPI := encoding.NewMPI(cipherText)
 	packetLen := len(header) /* header length */ + int(cipherMPI.EncodedLength())
 	err = serializeHeader(w, packetTypeEncryptedKey, packetLen)
 	if err != nil {
 		return err
 	}
 	_, err = w.Write(header[:])
 	if err != nil {
 		return err
 	}
 	_, err = w.Write(cipherMPI.EncodedBytes())
 	return err
 }
 func serializeEncryptedKeyElGamal(w io.Writer, rand io.Reader, header []byte, pub *elgamal.PublicKey, keyBlock []byte) error {
 	c1, c2, err := elgamal.Encrypt(rand, pub, keyBlock)
 	if err != nil {
 		return errors.InvalidArgumentError("ElGamal encryption failed: " + err.Error())
 	}
 	packetLen := len(header) /* header length */
 	packetLen += 2 /* mpi size */ + (c1.BitLen()+7)/8
 	packetLen += 2 /* mpi size */ + (c2.BitLen()+7)/8
 	err = serializeHeader(w, packetTypeEncryptedKey, packetLen)
 	if err != nil {
 		return err
 	}
 	_, err = w.Write(header[:])
 	if err != nil {
 		return err
 	}
 	if _, err = w.Write(new(encoding.MPI).SetBig(c1).EncodedBytes()); err != nil {
 		return err
 	}
 	_, err = w.Write(new(encoding.MPI).SetBig(c2).EncodedBytes())
 	return err
 }
 func serializeEncryptedKeyECDH(w io.Writer, rand io.Reader, header []byte, pub *ecdh.PublicKey, keyBlock []byte, oid encoding.Field, fingerprint []byte) error {
 	vsG, c, err := ecdh.Encrypt(rand, pub, keyBlock, oid.EncodedBytes(), fingerprint)
 	if err != nil {
 		return errors.InvalidArgumentError("ECDH encryption failed: " + err.Error())
 	}
 	g := encoding.NewMPI(vsG)
 	m := encoding.NewOID(c)
 	packetLen := len(header) /* header length */
 	packetLen += int(g.EncodedLength()) + int(m.EncodedLength())
 	err = serializeHeader(w, packetTypeEncryptedKey, packetLen)
 	if err != nil {
 		return err
 	}
 	_, err = w.Write(header[:])
 	if err != nil {
 		return err
 	}
 	if _, err = w.Write(g.EncodedBytes()); err != nil {
 		return err
 	}
 	_, err = w.Write(m.EncodedBytes())
 	return err
 }
 func serializeEncryptedKeyX25519(w io.Writer, rand io.Reader, header []byte, pub *x25519.PublicKey, keyBlock []byte, cipherFunc byte, version int) error {
 	ephemeralPublicX25519, ciphertext, err := x25519.Encrypt(rand, pub, keyBlock)
 	if err != nil {
 		return errors.InvalidArgumentError("x25519 encryption failed: " + err.Error())
 	}
 	packetLen := len(header) /* header length */
 	packetLen += x25519.EncodedFieldsLength(ciphertext, version == 6)
 	err = serializeHeader(w, packetTypeEncryptedKey, packetLen)
 	if err != nil {
 		return err
 	}
 	_, err = w.Write(header[:])
 	if err != nil {
 		return err
 	}
 	return x25519.EncodeFields(w, ephemeralPublicX25519, ciphertext, cipherFunc, version == 6)
 }
 func serializeEncryptedKeyX448(w io.Writer, rand io.Reader, header []byte, pub *x448.PublicKey, keyBlock []byte, cipherFunc byte, version int) error {
 	ephemeralPublicX448, ciphertext, err := x448.Encrypt(rand, pub, keyBlock)
 	if err != nil {
 		return errors.InvalidArgumentError("x448 encryption failed: " + err.Error())
 	}
 	packetLen := len(header) /* header length */
 	packetLen += x448.EncodedFieldsLength(ciphertext, version == 6)
 	err = serializeHeader(w, packetTypeEncryptedKey, packetLen)
 	if err != nil {
 		return err
 	}
 	_, err = w.Write(header[:])
 	if err != nil {
 		return err
 	}
 	return x448.EncodeFields(w, ephemeralPublicX448, ciphertext, cipherFunc, version == 6)
 }
 func checksumKeyMaterial(key []byte) uint16 {
 	var checksum uint16
 	for _, v := range key {
 		checksum += uint16(v)
 	}
 	return checksum
 }
 func decodeChecksumKey(msg []byte) (key []byte, err error) {
 	key = msg[:len(msg)-2]
 	expectedChecksum := uint16(msg[len(msg)-2])<<8 | uint16(msg[len(msg)-1])
 	checksum := checksumKeyMaterial(key)
 	if checksum != expectedChecksum {
 		err = errors.StructuralError("session key checksum is incorrect")
 	}
 	return
 }
 func encodeChecksumKey(buffer []byte, key []byte) {
 	copy(buffer, key)
 	checksum := checksumKeyMaterial(key)
 	buffer[len(key)] = byte(checksum >> 8)
 	buffer[len(key)+1] = byte(checksum)
 }
@@ -0,0 +1,91 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package packet
 import (
 	"encoding/binary"
 	"io"
 )
 // LiteralData represents an encrypted file. See RFC 4880, section 5.9.
 type LiteralData struct {
 	Format   uint8
 	IsBinary bool
 	FileName string
 	Time     uint32 // Unix epoch time. Either creation time or modification time. 0 means undefined.
 	Body     io.Reader
 }
 // ForEyesOnly returns whether the contents of the LiteralData have been marked
 // as especially sensitive.
 func (l *LiteralData) ForEyesOnly() bool {
 	return l.FileName == "_CONSOLE"
 }
 func (l *LiteralData) parse(r io.Reader) (err error) {
 	var buf [256]byte
 	_, err = readFull(r, buf[:2])
 	if err != nil {
 		return
 	}
 	l.Format = buf[0]
 	l.IsBinary = l.Format == 'b'
 	fileNameLen := int(buf[1])
 	_, err = readFull(r, buf[:fileNameLen])
 	if err != nil {
 		return
 	}
 	l.FileName = string(buf[:fileNameLen])
 	_, err = readFull(r, buf[:4])
 	if err != nil {
 		return
 	}
 	l.Time = binary.BigEndian.Uint32(buf[:4])
 	l.Body = r
 	return
 }
 // SerializeLiteral serializes a literal data packet to w and returns a
 // WriteCloser to which the data itself can be written and which MUST be closed
 // on completion. The fileName is truncated to 255 bytes.
 func SerializeLiteral(w io.WriteCloser, isBinary bool, fileName string, time uint32) (plaintext io.WriteCloser, err error) {
 	var buf [4]byte
 	buf[0] = 'b'
 	if !isBinary {
 		buf[0] = 'u'
 	}
 	if len(fileName) > 255 {
 		fileName = fileName[:255]
 	}
 	buf[1] = byte(len(fileName))
 	inner, err := serializeStreamHeader(w, packetTypeLiteralData)
 	if err != nil {
 		return
 	}
 	_, err = inner.Write(buf[:2])
 	if err != nil {
 		return
 	}
 	_, err = inner.Write([]byte(fileName))
 	if err != nil {
 		return
 	}
 	binary.BigEndian.PutUint32(buf[:], time)
 	_, err = inner.Write(buf[:])
 	if err != nil {
 		return
 	}
 	plaintext = inner
 	return
 }
@@ -0,0 +1,33 @@
 package packet
 import (
 	"io"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 )
 type Marker struct{}
 const markerString = "PGP"
 // parse just checks if the packet contains "PGP".
 func (m *Marker) parse(reader io.Reader) error {
 	var buffer [3]byte
 	if _, err := io.ReadFull(reader, buffer[:]); err != nil {
 		return err
 	}
 	if string(buffer[:]) != markerString {
 		return errors.StructuralError("invalid marker packet")
 	}
 	return nil
 }
 // SerializeMarker writes a marker packet to writer.
 func SerializeMarker(writer io.Writer) error {
 	err := serializeHeader(writer, packetTypeMarker, len(markerString))
 	if err != nil {
 		return err
 	}
 	_, err = writer.Write([]byte(markerString))
 	return err
 }
@@ -0,0 +1,29 @@
 package packet
 // Notation type represents a Notation Data subpacket
 // see https://tools.ietf.org/html/rfc4880#section-5.2.3.16
 type Notation struct {
 	Name            string
 	Value           []byte
 	IsCritical      bool
 	IsHumanReadable bool
 }
 func (notation *Notation) getData() []byte {
 	nameData := []byte(notation.Name)
 	nameLen := len(nameData)
 	valueLen := len(notation.Value)
 	data := make([]byte, 8+nameLen+valueLen)
 	if notation.IsHumanReadable {
 		data[0] = 0x80
 	}
 	data[4] = byte(nameLen >> 8)
 	data[5] = byte(nameLen)
 	data[6] = byte(valueLen >> 8)
 	data[7] = byte(valueLen)
 	copy(data[8:8+nameLen], nameData)
 	copy(data[8+nameLen:], notation.Value)
 	return data
 }
@@ -0,0 +1,137 @@
 // Copyright 2010 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // OpenPGP CFB Mode. http://tools.ietf.org/html/rfc4880#section-13.9
 package packet
 import (
 	"crypto/cipher"
 )
 type ocfbEncrypter struct {
 	b       cipher.Block
 	fre     []byte
 	outUsed int
 }
 // An OCFBResyncOption determines if the "resynchronization step" of OCFB is
 // performed.
 type OCFBResyncOption bool
 const (
 	OCFBResync   OCFBResyncOption = true
 	OCFBNoResync OCFBResyncOption = false
 )
 // NewOCFBEncrypter returns a cipher.Stream which encrypts data with OpenPGP's
 // cipher feedback mode using the given cipher.Block, and an initial amount of
 // ciphertext.  randData must be random bytes and be the same length as the
 // cipher.Block's block size. Resync determines if the "resynchronization step"
 // from RFC 4880, 13.9 step 7 is performed. Different parts of OpenPGP vary on
 // this point.
 func NewOCFBEncrypter(block cipher.Block, randData []byte, resync OCFBResyncOption) (cipher.Stream, []byte) {
 	blockSize := block.BlockSize()
 	if len(randData) != blockSize {
 		return nil, nil
 	}
 	x := &ocfbEncrypter{
 		b:       block,
 		fre:     make([]byte, blockSize),
 		outUsed: 0,
 	}
 	prefix := make([]byte, blockSize+2)
 	block.Encrypt(x.fre, x.fre)
 	for i := 0; i < blockSize; i++ {
 		prefix[i] = randData[i] ^ x.fre[i]
 	}
 	block.Encrypt(x.fre, prefix[:blockSize])
 	prefix[blockSize] = x.fre[0] ^ randData[blockSize-2]
 	prefix[blockSize+1] = x.fre[1] ^ randData[blockSize-1]
 	if resync {
 		block.Encrypt(x.fre, prefix[2:])
 	} else {
 		x.fre[0] = prefix[blockSize]
 		x.fre[1] = prefix[blockSize+1]
 		x.outUsed = 2
 	}
 	return x, prefix
 }
 func (x *ocfbEncrypter) XORKeyStream(dst, src []byte) {
 	for i := 0; i < len(src); i++ {
 		if x.outUsed == len(x.fre) {
 			x.b.Encrypt(x.fre, x.fre)
 			x.outUsed = 0
 		}
 		x.fre[x.outUsed] ^= src[i]
 		dst[i] = x.fre[x.outUsed]
 		x.outUsed++
 	}
 }
 type ocfbDecrypter struct {
 	b       cipher.Block
 	fre     []byte
 	outUsed int
 }
 // NewOCFBDecrypter returns a cipher.Stream which decrypts data with OpenPGP's
 // cipher feedback mode using the given cipher.Block. Prefix must be the first
 // blockSize + 2 bytes of the ciphertext, where blockSize is the cipher.Block's
 // block size. On successful exit, blockSize+2 bytes of decrypted data are written into
 // prefix. Resync determines if the "resynchronization step" from RFC 4880,
 // 13.9 step 7 is performed. Different parts of OpenPGP vary on this point.
 func NewOCFBDecrypter(block cipher.Block, prefix []byte, resync OCFBResyncOption) cipher.Stream {
 	blockSize := block.BlockSize()
 	if len(prefix) != blockSize+2 {
 		return nil
 	}
 	x := &ocfbDecrypter{
 		b:       block,
 		fre:     make([]byte, blockSize),
 		outUsed: 0,
 	}
 	prefixCopy := make([]byte, len(prefix))
 	copy(prefixCopy, prefix)
 	block.Encrypt(x.fre, x.fre)
 	for i := 0; i < blockSize; i++ {
 		prefixCopy[i] ^= x.fre[i]
 	}
 	block.Encrypt(x.fre, prefix[:blockSize])
 	prefixCopy[blockSize] ^= x.fre[0]
 	prefixCopy[blockSize+1] ^= x.fre[1]
 	if resync {
 		block.Encrypt(x.fre, prefix[2:])
 	} else {
 		x.fre[0] = prefix[blockSize]
 		x.fre[1] = prefix[blockSize+1]
 		x.outUsed = 2
 	}
 	copy(prefix, prefixCopy)
 	return x
 }
 func (x *ocfbDecrypter) XORKeyStream(dst, src []byte) {
 	for i := 0; i < len(src); i++ {
 		if x.outUsed == len(x.fre) {
 			x.b.Encrypt(x.fre, x.fre)
 			x.outUsed = 0
 		}
 		c := src[i]
 		dst[i] = x.fre[x.outUsed] ^ src[i]
 		x.fre[x.outUsed] = c
 		x.outUsed++
 	}
 }
@@ -0,0 +1,157 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package packet
 import (
 	"crypto"
 	"encoding/binary"
 	"io"
 	"strconv"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/algorithm"
 )
 // OnePassSignature represents a one-pass signature packet. See RFC 4880,
 // section 5.4.
 type OnePassSignature struct {
 	Version        int
 	SigType        SignatureType
 	Hash           crypto.Hash
 	PubKeyAlgo     PublicKeyAlgorithm
 	KeyId          uint64
 	IsLast         bool
 	Salt           []byte // v6 only
 	KeyFingerprint []byte // v6 only
 }
 func (ops *OnePassSignature) parse(r io.Reader) (err error) {
 	var buf [8]byte
 	// Read: version | signature type | hash algorithm | public-key algorithm
 	_, err = readFull(r, buf[:4])
 	if err != nil {
 		return
 	}
 	if buf[0] != 3 && buf[0] != 6 {
 		return errors.UnsupportedError("one-pass-signature packet version " + strconv.Itoa(int(buf[0])))
 	}
 	ops.Version = int(buf[0])
 	var ok bool
 	ops.Hash, ok = algorithm.HashIdToHashWithSha1(buf[2])
 	if !ok {
 		return errors.UnsupportedError("hash function: " + strconv.Itoa(int(buf[2])))
 	}
 	ops.SigType = SignatureType(buf[1])
 	ops.PubKeyAlgo = PublicKeyAlgorithm(buf[3])
 	if ops.Version == 6 {
 		// Only for v6, a variable-length field containing the salt
 		_, err = readFull(r, buf[:1])
 		if err != nil {
 			return
 		}
 		saltLength := int(buf[0])
 		var expectedSaltLength int
 		expectedSaltLength, err = SaltLengthForHash(ops.Hash)
 		if err != nil {
 			return
 		}
 		if saltLength != expectedSaltLength {
 			err = errors.StructuralError("unexpected salt size for the given hash algorithm")
 			return
 		}
 		salt := make([]byte, expectedSaltLength)
 		_, err = readFull(r, salt)
 		if err != nil {
 			return
 		}
 		ops.Salt = salt
 		// Only for v6 packets, 32 octets of the fingerprint of the signing key.
 		fingerprint := make([]byte, 32)
 		_, err = readFull(r, fingerprint)
 		if err != nil {
 			return
 		}
 		ops.KeyFingerprint = fingerprint
 		ops.KeyId = binary.BigEndian.Uint64(ops.KeyFingerprint[:8])
 	} else {
 		_, err = readFull(r, buf[:8])
 		if err != nil {
 			return
 		}
 		ops.KeyId = binary.BigEndian.Uint64(buf[:8])
 	}
 	_, err = readFull(r, buf[:1])
 	if err != nil {
 		return
 	}
 	ops.IsLast = buf[0] != 0
 	return
 }
 // Serialize marshals the given OnePassSignature to w.
 func (ops *OnePassSignature) Serialize(w io.Writer) error {
 	//v3 length 1+1+1+1+8+1 =
 	packetLength := 13
 	if ops.Version == 6 {
 		// v6 length 1+1+1+1+1+len(salt)+32+1 =
 		packetLength = 38 + len(ops.Salt)
 	}
 	if err := serializeHeader(w, packetTypeOnePassSignature, packetLength); err != nil {
 		return err
 	}
 	var buf [8]byte
 	buf[0] = byte(ops.Version)
 	buf[1] = uint8(ops.SigType)
 	var ok bool
 	buf[2], ok = algorithm.HashToHashIdWithSha1(ops.Hash)
 	if !ok {
 		return errors.UnsupportedError("hash type: " + strconv.Itoa(int(ops.Hash)))
 	}
 	buf[3] = uint8(ops.PubKeyAlgo)
 	_, err := w.Write(buf[:4])
 	if err != nil {
 		return err
 	}
 	if ops.Version == 6 {
 		// write salt for v6 signatures
 		_, err := w.Write([]byte{uint8(len(ops.Salt))})
 		if err != nil {
 			return err
 		}
 		_, err = w.Write(ops.Salt)
 		if err != nil {
 			return err
 		}
 		// write fingerprint v6 signatures
 		_, err = w.Write(ops.KeyFingerprint)
 		if err != nil {
 			return err
 		}
 	} else {
 		binary.BigEndian.PutUint64(buf[:8], ops.KeyId)
 		_, err := w.Write(buf[:8])
 		if err != nil {
 			return err
 		}
 	}
 	isLast := []byte{byte(0)}
 	if ops.IsLast {
 		isLast[0] = 1
 	}
 	_, err = w.Write(isLast)
 	return err
 }
@@ -0,0 +1,170 @@
 // Copyright 2012 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package packet
 import (
 	"bytes"
 	"io"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 )
 // OpaquePacket represents an OpenPGP packet as raw, unparsed data. This is
 // useful for splitting and storing the original packet contents separately,
 // handling unsupported packet types or accessing parts of the packet not yet
 // implemented by this package.
 type OpaquePacket struct {
 	// Packet type
 	Tag uint8
 	// Reason why the packet was parsed opaquely
 	Reason error
 	// Binary contents of the packet data
 	Contents []byte
 }
 func (op *OpaquePacket) parse(r io.Reader) (err error) {
 	op.Contents, err = io.ReadAll(r)
 	return
 }
 // Serialize marshals the packet to a writer in its original form, including
 // the packet header.
 func (op *OpaquePacket) Serialize(w io.Writer) (err error) {
 	err = serializeHeader(w, packetType(op.Tag), len(op.Contents))
 	if err == nil {
 		_, err = w.Write(op.Contents)
 	}
 	return
 }
 // Parse attempts to parse the opaque contents into a structure supported by
 // this package. If the packet is not known then the result will be another
 // OpaquePacket.
 func (op *OpaquePacket) Parse() (p Packet, err error) {
 	hdr := bytes.NewBuffer(nil)
 	err = serializeHeader(hdr, packetType(op.Tag), len(op.Contents))
 	if err != nil {
 		op.Reason = err
 		return op, err
 	}
 	p, err = Read(io.MultiReader(hdr, bytes.NewBuffer(op.Contents)))
 	if err != nil {
 		op.Reason = err
 		p = op
 	}
 	return
 }
 // OpaqueReader reads OpaquePackets from an io.Reader.
 type OpaqueReader struct {
 	r io.Reader
 }
 func NewOpaqueReader(r io.Reader) *OpaqueReader {
 	return &OpaqueReader{r: r}
 }
 // Read the next OpaquePacket.
 func (or *OpaqueReader) Next() (op *OpaquePacket, err error) {
 	tag, _, contents, err := readHeader(or.r)
 	if err != nil {
 		return
 	}
 	op = &OpaquePacket{Tag: uint8(tag), Reason: err}
 	err = op.parse(contents)
 	if err != nil {
 		consumeAll(contents)
 	}
 	return
 }
 // OpaqueSubpacket represents an unparsed OpenPGP subpacket,
 // as found in signature and user attribute packets.
 type OpaqueSubpacket struct {
 	SubType       uint8
 	EncodedLength []byte // Store the original encoded length for signature verifications.
 	Contents      []byte
 }
 // OpaqueSubpackets extracts opaque, unparsed OpenPGP subpackets from
 // their byte representation.
 func OpaqueSubpackets(contents []byte) (result []*OpaqueSubpacket, err error) {
 	var (
 		subHeaderLen int
 		subPacket    *OpaqueSubpacket
 	)
 	for len(contents) > 0 {
 		subHeaderLen, subPacket, err = nextSubpacket(contents)
 		if err != nil {
 			break
 		}
 		result = append(result, subPacket)
 		contents = contents[subHeaderLen+len(subPacket.Contents):]
 	}
 	return
 }
 func nextSubpacket(contents []byte) (subHeaderLen int, subPacket *OpaqueSubpacket, err error) {
 	// RFC 4880, section 5.2.3.1
 	var subLen uint32
 	var encodedLength []byte
 	if len(contents) < 1 {
 		goto Truncated
 	}
 	subPacket = &OpaqueSubpacket{}
 	switch {
 	case contents[0] < 192:
 		subHeaderLen = 2 // 1 length byte, 1 subtype byte
 		if len(contents) < subHeaderLen {
 			goto Truncated
 		}
 		encodedLength = contents[0:1]
 		subLen = uint32(contents[0])
 		contents = contents[1:]
 	case contents[0] < 255:
 		subHeaderLen = 3 // 2 length bytes, 1 subtype
 		if len(contents) < subHeaderLen {
 			goto Truncated
 		}
 		encodedLength = contents[0:2]
 		subLen = uint32(contents[0]-192)<<8 + uint32(contents[1]) + 192
 		contents = contents[2:]
 	default:
 		subHeaderLen = 6 // 5 length bytes, 1 subtype
 		if len(contents) < subHeaderLen {
 			goto Truncated
 		}
 		encodedLength = contents[0:5]
 		subLen = uint32(contents[1])<<24 |
 			uint32(contents[2])<<16 |
 			uint32(contents[3])<<8 |
 			uint32(contents[4])
 		contents = contents[5:]
 	}
 	if subLen > uint32(len(contents)) || subLen == 0 {
 		goto Truncated
 	}
 	subPacket.SubType = contents[0]
 	subPacket.EncodedLength = encodedLength
 	subPacket.Contents = contents[1:subLen]
 	return
 Truncated:
 	err = errors.StructuralError("subpacket truncated")
 	return
 }
 func (osp *OpaqueSubpacket) Serialize(w io.Writer) (err error) {
 	buf := make([]byte, 6)
 	copy(buf, osp.EncodedLength)
 	n := len(osp.EncodedLength)
 	buf[n] = osp.SubType
 	if _, err = w.Write(buf[:n+1]); err != nil {
 		return
 	}
 	_, err = w.Write(osp.Contents)
 	return
 }
@@ -0,0 +1,675 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package packet implements parsing and serialization of OpenPGP packets, as
 // specified in RFC 4880.
 package packet // import "github.com/ProtonMail/go-crypto/openpgp/packet"
 import (
 	"bytes"
 	"crypto/cipher"
 	"crypto/rsa"
 	"io"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/algorithm"
 )
 // readFull is the same as io.ReadFull except that reading zero bytes returns
 // ErrUnexpectedEOF rather than EOF.
 func readFull(r io.Reader, buf []byte) (n int, err error) {
 	n, err = io.ReadFull(r, buf)
 	if err == io.EOF {
 		err = io.ErrUnexpectedEOF
 	}
 	return
 }
 // readLength reads an OpenPGP length from r. See RFC 4880, section 4.2.2.
 func readLength(r io.Reader) (length int64, isPartial bool, err error) {
 	var buf [4]byte
 	_, err = readFull(r, buf[:1])
 	if err != nil {
 		return
 	}
 	switch {
 	case buf[0] < 192:
 		length = int64(buf[0])
 	case buf[0] < 224:
 		length = int64(buf[0]-192) << 8
 		_, err = readFull(r, buf[0:1])
 		if err != nil {
 			return
 		}
 		length += int64(buf[0]) + 192
 	case buf[0] < 255:
 		length = int64(1) << (buf[0] & 0x1f)
 		isPartial = true
 	default:
 		_, err = readFull(r, buf[0:4])
 		if err != nil {
 			return
 		}
 		length = int64(buf[0])<<24 |
 			int64(buf[1])<<16 |
 			int64(buf[2])<<8 |
 			int64(buf[3])
 	}
 	return
 }
 // partialLengthReader wraps an io.Reader and handles OpenPGP partial lengths.
 // The continuation lengths are parsed and removed from the stream and EOF is
 // returned at the end of the packet. See RFC 4880, section 4.2.2.4.
 type partialLengthReader struct {
 	r         io.Reader
 	remaining int64
 	isPartial bool
 }
 func (r *partialLengthReader) Read(p []byte) (n int, err error) {
 	for r.remaining == 0 {
 		if !r.isPartial {
 			return 0, io.EOF
 		}
 		r.remaining, r.isPartial, err = readLength(r.r)
 		if err != nil {
 			return 0, err
 		}
 	}
 	toRead := int64(len(p))
 	if toRead > r.remaining {
 		toRead = r.remaining
 	}
 	n, err = r.r.Read(p[:int(toRead)])
 	r.remaining -= int64(n)
 	if n < int(toRead) && err == io.EOF {
 		err = io.ErrUnexpectedEOF
 	}
 	return
 }
 // partialLengthWriter writes a stream of data using OpenPGP partial lengths.
 // See RFC 4880, section 4.2.2.4.
 type partialLengthWriter struct {
 	w          io.WriteCloser
 	buf        bytes.Buffer
 	lengthByte [1]byte
 }
 func (w *partialLengthWriter) Write(p []byte) (n int, err error) {
 	bufLen := w.buf.Len()
 	if bufLen > 512 {
 		for power := uint(30); ; power-- {
 			l := 1 << power
 			if bufLen >= l {
 				w.lengthByte[0] = 224 + uint8(power)
 				_, err = w.w.Write(w.lengthByte[:])
 				if err != nil {
 					return
 				}
 				var m int
 				m, err = w.w.Write(w.buf.Next(l))
 				if err != nil {
 					return
 				}
 				if m != l {
 					return 0, io.ErrShortWrite
 				}
 				break
 			}
 		}
 	}
 	return w.buf.Write(p)
 }
 func (w *partialLengthWriter) Close() (err error) {
 	len := w.buf.Len()
 	err = serializeLength(w.w, len)
 	if err != nil {
 		return err
 	}
 	_, err = w.buf.WriteTo(w.w)
 	if err != nil {
 		return err
 	}
 	return w.w.Close()
 }
 // A spanReader is an io.LimitReader, but it returns ErrUnexpectedEOF if the
 // underlying Reader returns EOF before the limit has been reached.
 type spanReader struct {
 	r io.Reader
 	n int64
 }
 func (l *spanReader) Read(p []byte) (n int, err error) {
 	if l.n <= 0 {
 		return 0, io.EOF
 	}
 	if int64(len(p)) > l.n {
 		p = p[0:l.n]
 	}
 	n, err = l.r.Read(p)
 	l.n -= int64(n)
 	if l.n > 0 && err == io.EOF {
 		err = io.ErrUnexpectedEOF
 	}
 	return
 }
 // readHeader parses a packet header and returns an io.Reader which will return
 // the contents of the packet. See RFC 4880, section 4.2.
 func readHeader(r io.Reader) (tag packetType, length int64, contents io.Reader, err error) {
 	var buf [4]byte
 	_, err = io.ReadFull(r, buf[:1])
 	if err != nil {
 		return
 	}
 	if buf[0]&0x80 == 0 {
 		err = errors.StructuralError("tag byte does not have MSB set")
 		return
 	}
 	if buf[0]&0x40 == 0 {
 		// Old format packet
 		tag = packetType((buf[0] & 0x3f) >> 2)
 		lengthType := buf[0] & 3
 		if lengthType == 3 {
 			length = -1
 			contents = r
 			return
 		}
 		lengthBytes := 1 << lengthType
 		_, err = readFull(r, buf[0:lengthBytes])
 		if err != nil {
 			return
 		}
 		for i := 0; i < lengthBytes; i++ {
 			length <<= 8
 			length |= int64(buf[i])
 		}
 		contents = &spanReader{r, length}
 		return
 	}
 	// New format packet
 	tag = packetType(buf[0] & 0x3f)
 	length, isPartial, err := readLength(r)
 	if err != nil {
 		return
 	}
 	if isPartial {
 		contents = &partialLengthReader{
 			remaining: length,
 			isPartial: true,
 			r:         r,
 		}
 		length = -1
 	} else {
 		contents = &spanReader{r, length}
 	}
 	return
 }
 // serializeHeader writes an OpenPGP packet header to w. See RFC 4880, section
 // 4.2.
 func serializeHeader(w io.Writer, ptype packetType, length int) (err error) {
 	err = serializeType(w, ptype)
 	if err != nil {
 		return
 	}
 	return serializeLength(w, length)
 }
 // serializeType writes an OpenPGP packet type to w. See RFC 4880, section
 // 4.2.
 func serializeType(w io.Writer, ptype packetType) (err error) {
 	var buf [1]byte
 	buf[0] = 0x80 | 0x40 | byte(ptype)
 	_, err = w.Write(buf[:])
 	return
 }
 // serializeLength writes an OpenPGP packet length to w. See RFC 4880, section
 // 4.2.2.
 func serializeLength(w io.Writer, length int) (err error) {
 	var buf [5]byte
 	var n int
 	if length < 192 {
 		buf[0] = byte(length)
 		n = 1
 	} else if length < 8384 {
 		length -= 192
 		buf[0] = 192 + byte(length>>8)
 		buf[1] = byte(length)
 		n = 2
 	} else {
 		buf[0] = 255
 		buf[1] = byte(length >> 24)
 		buf[2] = byte(length >> 16)
 		buf[3] = byte(length >> 8)
 		buf[4] = byte(length)
 		n = 5
 	}
 	_, err = w.Write(buf[:n])
 	return
 }
 // serializeStreamHeader writes an OpenPGP packet header to w where the
 // length of the packet is unknown. It returns a io.WriteCloser which can be
 // used to write the contents of the packet. See RFC 4880, section 4.2.
 func serializeStreamHeader(w io.WriteCloser, ptype packetType) (out io.WriteCloser, err error) {
 	err = serializeType(w, ptype)
 	if err != nil {
 		return
 	}
 	out = &partialLengthWriter{w: w}
 	return
 }
 // Packet represents an OpenPGP packet. Users are expected to try casting
 // instances of this interface to specific packet types.
 type Packet interface {
 	parse(io.Reader) error
 }
 // consumeAll reads from the given Reader until error, returning the number of
 // bytes read.
 func consumeAll(r io.Reader) (n int64, err error) {
 	var m int
 	var buf [1024]byte
 	for {
 		m, err = r.Read(buf[:])
 		n += int64(m)
 		if err == io.EOF {
 			err = nil
 			return
 		}
 		if err != nil {
 			return
 		}
 	}
 }
 // packetType represents the numeric ids of the different OpenPGP packet types. See
 // http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-2
 type packetType uint8
 const (
 	packetTypeEncryptedKey                             packetType = 1
 	packetTypeSignature                                packetType = 2
 	packetTypeSymmetricKeyEncrypted                    packetType = 3
 	packetTypeOnePassSignature                         packetType = 4
 	packetTypePrivateKey                               packetType = 5
 	packetTypePublicKey                                packetType = 6
 	packetTypePrivateSubkey                            packetType = 7
 	packetTypeCompressed                               packetType = 8
 	packetTypeSymmetricallyEncrypted                   packetType = 9
 	packetTypeMarker                                   packetType = 10
 	packetTypeLiteralData                              packetType = 11
 	packetTypeTrust                                    packetType = 12
 	packetTypeUserId                                   packetType = 13
 	packetTypePublicSubkey                             packetType = 14
 	packetTypeUserAttribute                            packetType = 17
 	packetTypeSymmetricallyEncryptedIntegrityProtected packetType = 18
 	packetTypeAEADEncrypted                            packetType = 20
 	packetPadding                                      packetType = 21
 )
 // EncryptedDataPacket holds encrypted data. It is currently implemented by
 // SymmetricallyEncrypted and AEADEncrypted.
 type EncryptedDataPacket interface {
 	Decrypt(CipherFunction, []byte) (io.ReadCloser, error)
 }
 // Read reads a single OpenPGP packet from the given io.Reader. If there is an
 // error parsing a packet, the whole packet is consumed from the input.
 func Read(r io.Reader) (p Packet, err error) {
 	tag, len, contents, err := readHeader(r)
 	if err != nil {
 		return
 	}
 	switch tag {
 	case packetTypeEncryptedKey:
 		p = new(EncryptedKey)
 	case packetTypeSignature:
 		p = new(Signature)
 	case packetTypeSymmetricKeyEncrypted:
 		p = new(SymmetricKeyEncrypted)
 	case packetTypeOnePassSignature:
 		p = new(OnePassSignature)
 	case packetTypePrivateKey, packetTypePrivateSubkey:
 		pk := new(PrivateKey)
 		if tag == packetTypePrivateSubkey {
 			pk.IsSubkey = true
 		}
 		p = pk
 	case packetTypePublicKey, packetTypePublicSubkey:
 		isSubkey := tag == packetTypePublicSubkey
 		p = &PublicKey{IsSubkey: isSubkey}
 	case packetTypeCompressed:
 		p = new(Compressed)
 	case packetTypeSymmetricallyEncrypted:
 		p = new(SymmetricallyEncrypted)
 	case packetTypeLiteralData:
 		p = new(LiteralData)
 	case packetTypeUserId:
 		p = new(UserId)
 	case packetTypeUserAttribute:
 		p = new(UserAttribute)
 	case packetTypeSymmetricallyEncryptedIntegrityProtected:
 		se := new(SymmetricallyEncrypted)
 		se.IntegrityProtected = true
 		p = se
 	case packetTypeAEADEncrypted:
 		p = new(AEADEncrypted)
 	case packetPadding:
 		p = Padding(len)
 	case packetTypeMarker:
 		p = new(Marker)
 	case packetTypeTrust:
 		// Not implemented, just consume
 		err = errors.UnknownPacketTypeError(tag)
 	default:
 		// Packet Tags from 0 to 39 are critical.
 		// Packet Tags from 40 to 63 are non-critical.
 		if tag < 40 {
 			err = errors.CriticalUnknownPacketTypeError(tag)
 		} else {
 			err = errors.UnknownPacketTypeError(tag)
 		}
 	}
 	if p != nil {
 		err = p.parse(contents)
 	}
 	if err != nil {
 		consumeAll(contents)
 	}
 	return
 }
 // ReadWithCheck reads a single OpenPGP message packet from the given io.Reader. If there is an
 // error parsing a packet, the whole packet is consumed from the input.
 // ReadWithCheck additionally checks if the OpenPGP message packet sequence adheres
 // to the packet composition rules in rfc4880, if not throws an error.
 func ReadWithCheck(r io.Reader, sequence *SequenceVerifier) (p Packet, msgErr error, err error) {
 	tag, len, contents, err := readHeader(r)
 	if err != nil {
 		return
 	}
 	switch tag {
 	case packetTypeEncryptedKey:
 		msgErr = sequence.Next(ESKSymbol)
 		p = new(EncryptedKey)
 	case packetTypeSignature:
 		msgErr = sequence.Next(SigSymbol)
 		p = new(Signature)
 	case packetTypeSymmetricKeyEncrypted:
 		msgErr = sequence.Next(ESKSymbol)
 		p = new(SymmetricKeyEncrypted)
 	case packetTypeOnePassSignature:
 		msgErr = sequence.Next(OPSSymbol)
 		p = new(OnePassSignature)
 	case packetTypeCompressed:
 		msgErr = sequence.Next(CompSymbol)
 		p = new(Compressed)
 	case packetTypeSymmetricallyEncrypted:
 		msgErr = sequence.Next(EncSymbol)
 		p = new(SymmetricallyEncrypted)
 	case packetTypeLiteralData:
 		msgErr = sequence.Next(LDSymbol)
 		p = new(LiteralData)
 	case packetTypeSymmetricallyEncryptedIntegrityProtected:
 		msgErr = sequence.Next(EncSymbol)
 		se := new(SymmetricallyEncrypted)
 		se.IntegrityProtected = true
 		p = se
 	case packetTypeAEADEncrypted:
 		msgErr = sequence.Next(EncSymbol)
 		p = new(AEADEncrypted)
 	case packetPadding:
 		p = Padding(len)
 	case packetTypeMarker:
 		p = new(Marker)
 	case packetTypeTrust:
 		// Not implemented, just consume
 		err = errors.UnknownPacketTypeError(tag)
 	case packetTypePrivateKey,
 		packetTypePrivateSubkey,
 		packetTypePublicKey,
 		packetTypePublicSubkey,
 		packetTypeUserId,
 		packetTypeUserAttribute:
 		msgErr = sequence.Next(UnknownSymbol)
 		consumeAll(contents)
 	default:
 		// Packet Tags from 0 to 39 are critical.
 		// Packet Tags from 40 to 63 are non-critical.
 		if tag < 40 {
 			err = errors.CriticalUnknownPacketTypeError(tag)
 		} else {
 			err = errors.UnknownPacketTypeError(tag)
 		}
 	}
 	if p != nil {
 		err = p.parse(contents)
 	}
 	if err != nil {
 		consumeAll(contents)
 	}
 	return
 }
 // SignatureType represents the different semantic meanings of an OpenPGP
 // signature. See RFC 4880, section 5.2.1.
 type SignatureType uint8
 const (
 	SigTypeBinary                  SignatureType = 0x00
 	SigTypeText                    SignatureType = 0x01
 	SigTypeGenericCert             SignatureType = 0x10
 	SigTypePersonaCert             SignatureType = 0x11
 	SigTypeCasualCert              SignatureType = 0x12
 	SigTypePositiveCert            SignatureType = 0x13
 	SigTypeSubkeyBinding           SignatureType = 0x18
 	SigTypePrimaryKeyBinding       SignatureType = 0x19
 	SigTypeDirectSignature         SignatureType = 0x1F
 	SigTypeKeyRevocation           SignatureType = 0x20
 	SigTypeSubkeyRevocation        SignatureType = 0x28
 	SigTypeCertificationRevocation SignatureType = 0x30
 )
 // PublicKeyAlgorithm represents the different public key system specified for
 // OpenPGP. See
 // http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-12
 type PublicKeyAlgorithm uint8
 const (
 	PubKeyAlgoRSA     PublicKeyAlgorithm = 1
 	PubKeyAlgoElGamal PublicKeyAlgorithm = 16
 	PubKeyAlgoDSA     PublicKeyAlgorithm = 17
 	// RFC 6637, Section 5.
 	PubKeyAlgoECDH  PublicKeyAlgorithm = 18
 	PubKeyAlgoECDSA PublicKeyAlgorithm = 19
 	// https://www.ietf.org/archive/id/draft-koch-eddsa-for-openpgp-04.txt
 	PubKeyAlgoEdDSA PublicKeyAlgorithm = 22
 	// https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh
 	PubKeyAlgoX25519  PublicKeyAlgorithm = 25
 	PubKeyAlgoX448    PublicKeyAlgorithm = 26
 	PubKeyAlgoEd25519 PublicKeyAlgorithm = 27
 	PubKeyAlgoEd448   PublicKeyAlgorithm = 28
 	// Deprecated in RFC 4880, Section 13.5. Use key flags instead.
 	PubKeyAlgoRSAEncryptOnly PublicKeyAlgorithm = 2
 	PubKeyAlgoRSASignOnly    PublicKeyAlgorithm = 3
 )
 // CanEncrypt returns true if it's possible to encrypt a message to a public
 // key of the given type.
 func (pka PublicKeyAlgorithm) CanEncrypt() bool {
 	switch pka {
 	case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoElGamal, PubKeyAlgoECDH, PubKeyAlgoX25519, PubKeyAlgoX448:
 		return true
 	}
 	return false
 }
 // CanSign returns true if it's possible for a public key of the given type to
 // sign a message.
 func (pka PublicKeyAlgorithm) CanSign() bool {
 	switch pka {
 	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoDSA, PubKeyAlgoECDSA, PubKeyAlgoEdDSA, PubKeyAlgoEd25519, PubKeyAlgoEd448:
 		return true
 	}
 	return false
 }
 // CipherFunction represents the different block ciphers specified for OpenPGP. See
 // http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-13
 type CipherFunction algorithm.CipherFunction
 const (
 	Cipher3DES   CipherFunction = 2
 	CipherCAST5  CipherFunction = 3
 	CipherAES128 CipherFunction = 7
 	CipherAES192 CipherFunction = 8
 	CipherAES256 CipherFunction = 9
 )
 // KeySize returns the key size, in bytes, of cipher.
 func (cipher CipherFunction) KeySize() int {
 	return algorithm.CipherFunction(cipher).KeySize()
 }
 // IsSupported returns true if the cipher is supported from the library
 func (cipher CipherFunction) IsSupported() bool {
 	return algorithm.CipherFunction(cipher).KeySize() > 0
 }
 // blockSize returns the block size, in bytes, of cipher.
 func (cipher CipherFunction) blockSize() int {
 	return algorithm.CipherFunction(cipher).BlockSize()
 }
 // new returns a fresh instance of the given cipher.
 func (cipher CipherFunction) new(key []byte) (block cipher.Block) {
 	return algorithm.CipherFunction(cipher).New(key)
 }
 // padToKeySize left-pads a MPI with zeroes to match the length of the
 // specified RSA public.
 func padToKeySize(pub *rsa.PublicKey, b []byte) []byte {
 	k := (pub.N.BitLen() + 7) / 8
 	if len(b) >= k {
 		return b
 	}
 	bb := make([]byte, k)
 	copy(bb[len(bb)-len(b):], b)
 	return bb
 }
 // CompressionAlgo Represents the different compression algorithms
 // supported by OpenPGP (except for BZIP2, which is not currently
 // supported). See Section 9.3 of RFC 4880.
 type CompressionAlgo uint8
 const (
 	CompressionNone CompressionAlgo = 0
 	CompressionZIP  CompressionAlgo = 1
 	CompressionZLIB CompressionAlgo = 2
 )
 // AEADMode represents the different Authenticated Encryption with Associated
 // Data specified for OpenPGP.
 // See https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-9.6
 type AEADMode algorithm.AEADMode
 const (
 	AEADModeEAX AEADMode = 1
 	AEADModeOCB AEADMode = 2
 	AEADModeGCM AEADMode = 3
 )
 func (mode AEADMode) IvLength() int {
 	return algorithm.AEADMode(mode).NonceLength()
 }
 func (mode AEADMode) TagLength() int {
 	return algorithm.AEADMode(mode).TagLength()
 }
 // IsSupported returns true if the aead mode is supported from the library
 func (mode AEADMode) IsSupported() bool {
 	return algorithm.AEADMode(mode).TagLength() > 0
 }
 // new returns a fresh instance of the given mode.
 func (mode AEADMode) new(block cipher.Block) cipher.AEAD {
 	return algorithm.AEADMode(mode).New(block)
 }
 // ReasonForRevocation represents a revocation reason code as per RFC4880
 // section 5.2.3.23.
 type ReasonForRevocation uint8
 const (
 	NoReason       ReasonForRevocation = 0
 	KeySuperseded  ReasonForRevocation = 1
 	KeyCompromised ReasonForRevocation = 2
 	KeyRetired     ReasonForRevocation = 3
 	UserIDNotValid ReasonForRevocation = 32
 	Unknown        ReasonForRevocation = 200
 )
 func NewReasonForRevocation(value byte) ReasonForRevocation {
 	if value < 4 || value == 32 {
 		return ReasonForRevocation(value)
 	}
 	return Unknown
 }
 // Curve is a mapping to supported ECC curves for key generation.
 // See https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-06.html#name-curve-specific-wire-formats
 type Curve string
 const (
 	Curve25519         Curve = "Curve25519"
 	Curve448           Curve = "Curve448"
 	CurveNistP256      Curve = "P256"
 	CurveNistP384      Curve = "P384"
 	CurveNistP521      Curve = "P521"
 	CurveSecP256k1     Curve = "SecP256k1"
 	CurveBrainpoolP256 Curve = "BrainpoolP256"
 	CurveBrainpoolP384 Curve = "BrainpoolP384"
 	CurveBrainpoolP512 Curve = "BrainpoolP512"
 )
 // TrustLevel represents a trust level per RFC4880 5.2.3.13
 type TrustLevel uint8
 // TrustAmount represents a trust amount per RFC4880 5.2.3.13
 type TrustAmount uint8
 const (
 	// versionSize is the length in bytes of the version value.
 	versionSize = 1
 	// algorithmSize is the length in bytes of the key algorithm value.
 	algorithmSize = 1
 	// keyVersionSize is the length in bytes of the key version value
 	keyVersionSize = 1
 	// keyIdSize is the length in bytes of the key identifier value.
 	keyIdSize = 8
 	// timestampSize is the length in bytes of encoded timestamps.
 	timestampSize = 4
 	// fingerprintSizeV6 is the length in bytes of the key fingerprint in v6.
 	fingerprintSizeV6 = 32
 	// fingerprintSize is the length in bytes of the key fingerprint.
 	fingerprintSize = 20
 )
@@ -0,0 +1,222 @@
 package packet
 // This file implements the pushdown automata (PDA) from PGPainless (Paul Schaub)
 // to verify pgp packet sequences. See Paul's blogpost for more details:
 // https://blog.jabberhead.tk/2022/10/26/implementing-packet-sequence-validation-using-pushdown-automata/
 import (
 	"fmt"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 )
 func NewErrMalformedMessage(from State, input InputSymbol, stackSymbol StackSymbol) errors.ErrMalformedMessage {
 	return errors.ErrMalformedMessage(fmt.Sprintf("state %d, input symbol %d, stack symbol %d ", from, input, stackSymbol))
 }
 // InputSymbol defines the input alphabet of the PDA
 type InputSymbol uint8
 const (
 	LDSymbol InputSymbol = iota
 	SigSymbol
 	OPSSymbol
 	CompSymbol
 	ESKSymbol
 	EncSymbol
 	EOSSymbol
 	UnknownSymbol
 )
 // StackSymbol defines the stack alphabet of the PDA
 type StackSymbol int8
 const (
 	MsgStackSymbol StackSymbol = iota
 	OpsStackSymbol
 	KeyStackSymbol
 	EndStackSymbol
 	EmptyStackSymbol
 )
 // State defines the states of the PDA
 type State int8
 const (
 	OpenPGPMessage State = iota
 	ESKMessage
 	LiteralMessage
 	CompressedMessage
 	EncryptedMessage
 	ValidMessage
 )
 // transition represents a state transition in the PDA
 type transition func(input InputSymbol, stackSymbol StackSymbol) (State, []StackSymbol, bool, error)
 // SequenceVerifier is a pushdown automata to verify
 // PGP messages packet sequences according to rfc4880.
 type SequenceVerifier struct {
 	stack []StackSymbol
 	state State
 }
 // Next performs a state transition with the given input symbol.
 // If the transition fails a ErrMalformedMessage is returned.
 func (sv *SequenceVerifier) Next(input InputSymbol) error {
 	for {
 		stackSymbol := sv.popStack()
 		transitionFunc := getTransition(sv.state)
 		nextState, newStackSymbols, redo, err := transitionFunc(input, stackSymbol)
 		if err != nil {
 			return err
 		}
 		if redo {
 			sv.pushStack(stackSymbol)
 		}
 		for _, newStackSymbol := range newStackSymbols {
 			sv.pushStack(newStackSymbol)
 		}
 		sv.state = nextState
 		if !redo {
 			break
 		}
 	}
 	return nil
 }
 // Valid returns true if RDA is in a valid state.
 func (sv *SequenceVerifier) Valid() bool {
 	return sv.state == ValidMessage && len(sv.stack) == 0
 }
 func (sv *SequenceVerifier) AssertValid() error {
 	if !sv.Valid() {
 		return errors.ErrMalformedMessage("invalid message")
 	}
 	return nil
 }
 func NewSequenceVerifier() *SequenceVerifier {
 	return &SequenceVerifier{
 		stack: []StackSymbol{EndStackSymbol, MsgStackSymbol},
 		state: OpenPGPMessage,
 	}
 }
 func (sv *SequenceVerifier) popStack() StackSymbol {
 	if len(sv.stack) == 0 {
 		return EmptyStackSymbol
 	}
 	elemIndex := len(sv.stack) - 1
 	stackSymbol := sv.stack[elemIndex]
 	sv.stack = sv.stack[:elemIndex]
 	return stackSymbol
 }
 func (sv *SequenceVerifier) pushStack(stackSymbol StackSymbol) {
 	sv.stack = append(sv.stack, stackSymbol)
 }
 func getTransition(from State) transition {
 	switch from {
 	case OpenPGPMessage:
 		return fromOpenPGPMessage
 	case LiteralMessage:
 		return fromLiteralMessage
 	case CompressedMessage:
 		return fromCompressedMessage
 	case EncryptedMessage:
 		return fromEncryptedMessage
 	case ESKMessage:
 		return fromESKMessage
 	case ValidMessage:
 		return fromValidMessage
 	}
 	return nil
 }
 // fromOpenPGPMessage is the transition for the state OpenPGPMessage.
 func fromOpenPGPMessage(input InputSymbol, stackSymbol StackSymbol) (State, []StackSymbol, bool, error) {
 	if stackSymbol != MsgStackSymbol {
 		return 0, nil, false, NewErrMalformedMessage(OpenPGPMessage, input, stackSymbol)
 	}
 	switch input {
 	case LDSymbol:
 		return LiteralMessage, nil, false, nil
 	case SigSymbol:
 		return OpenPGPMessage, []StackSymbol{MsgStackSymbol}, false, nil
 	case OPSSymbol:
 		return OpenPGPMessage, []StackSymbol{OpsStackSymbol, MsgStackSymbol}, false, nil
 	case CompSymbol:
 		return CompressedMessage, nil, false, nil
 	case ESKSymbol:
 		return ESKMessage, []StackSymbol{KeyStackSymbol}, false, nil
 	case EncSymbol:
 		return EncryptedMessage, nil, false, nil
 	}
 	return 0, nil, false, NewErrMalformedMessage(OpenPGPMessage, input, stackSymbol)
 }
 // fromESKMessage is the transition for the state ESKMessage.
 func fromESKMessage(input InputSymbol, stackSymbol StackSymbol) (State, []StackSymbol, bool, error) {
 	if stackSymbol != KeyStackSymbol {
 		return 0, nil, false, NewErrMalformedMessage(ESKMessage, input, stackSymbol)
 	}
 	switch input {
 	case ESKSymbol:
 		return ESKMessage, []StackSymbol{KeyStackSymbol}, false, nil
 	case EncSymbol:
 		return EncryptedMessage, nil, false, nil
 	}
 	return 0, nil, false, NewErrMalformedMessage(ESKMessage, input, stackSymbol)
 }
 // fromLiteralMessage is the transition for the state LiteralMessage.
 func fromLiteralMessage(input InputSymbol, stackSymbol StackSymbol) (State, []StackSymbol, bool, error) {
 	switch input {
 	case SigSymbol:
 		if stackSymbol == OpsStackSymbol {
 			return LiteralMessage, nil, false, nil
 		}
 	case EOSSymbol:
 		if stackSymbol == EndStackSymbol {
 			return ValidMessage, nil, false, nil
 		}
 	}
 	return 0, nil, false, NewErrMalformedMessage(LiteralMessage, input, stackSymbol)
 }
 // fromLiteralMessage is the transition for the state CompressedMessage.
 func fromCompressedMessage(input InputSymbol, stackSymbol StackSymbol) (State, []StackSymbol, bool, error) {
 	switch input {
 	case SigSymbol:
 		if stackSymbol == OpsStackSymbol {
 			return CompressedMessage, nil, false, nil
 		}
 	case EOSSymbol:
 		if stackSymbol == EndStackSymbol {
 			return ValidMessage, nil, false, nil
 		}
 	}
 	return OpenPGPMessage, []StackSymbol{MsgStackSymbol}, true, nil
 }
 // fromEncryptedMessage is the transition for the state EncryptedMessage.
 func fromEncryptedMessage(input InputSymbol, stackSymbol StackSymbol) (State, []StackSymbol, bool, error) {
 	switch input {
 	case SigSymbol:
 		if stackSymbol == OpsStackSymbol {
 			return EncryptedMessage, nil, false, nil
 		}
 	case EOSSymbol:
 		if stackSymbol == EndStackSymbol {
 			return ValidMessage, nil, false, nil
 		}
 	}
 	return OpenPGPMessage, []StackSymbol{MsgStackSymbol}, true, nil
 }
 // fromValidMessage is the transition for the state ValidMessage.
 func fromValidMessage(input InputSymbol, stackSymbol StackSymbol) (State, []StackSymbol, bool, error) {
 	return 0, nil, false, NewErrMalformedMessage(ValidMessage, input, stackSymbol)
 }
@@ -0,0 +1,24 @@
 package packet
 import (
 	"io"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 )
 // UnsupportedPackage represents a OpenPGP packet with a known packet type
 // but with unsupported content.
 type UnsupportedPacket struct {
 	IncompletePacket Packet
 	Error            errors.UnsupportedError
 }
 // Implements the Packet interface
 func (up *UnsupportedPacket) parse(read io.Reader) error {
 	err := up.IncompletePacket.parse(read)
 	if castedErr, ok := err.(errors.UnsupportedError); ok {
 		up.Error = castedErr
 		return nil
 	}
 	return err
 }
@@ -0,0 +1,26 @@
 package packet
 import (
 	"io"
 )
 // Padding type represents a Padding Packet (Tag 21).
 // The padding type is represented by the length of its padding.
 // see https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh#name-padding-packet-tag-21
 type Padding int
 // parse just ignores the padding content.
 func (pad Padding) parse(reader io.Reader) error {
 	_, err := io.CopyN(io.Discard, reader, int64(pad))
 	return err
 }
 // SerializePadding writes the padding to writer.
 func (pad Padding) SerializePadding(writer io.Writer, rand io.Reader) error {
 	err := serializeHeader(writer, packetPadding, int(pad))
 	if err != nil {
 		return err
 	}
 	_, err = io.CopyN(writer, rand, int64(pad))
 	return err
 }
@@ -0,0 +1,12 @@
 package packet
 // Generated with `gpg --export-secret-keys "Test Key 2"`
 const privKeyRSAHex = "9501fe044cc349a8010400b70ca0010e98c090008d45d1ee8f9113bd5861fd57b88bacb7c68658747663f1e1a3b5a98f32fda6472373c024b97359cd2efc88ff60f77751adfbf6af5e615e6a1408cfad8bf0cea30b0d5f53aa27ad59089ba9b15b7ebc2777a25d7b436144027e3bcd203909f147d0e332b240cf63d3395f5dfe0df0a6c04e8655af7eacdf0011010001fe0303024a252e7d475fd445607de39a265472aa74a9320ba2dac395faa687e9e0336aeb7e9a7397e511b5afd9dc84557c80ac0f3d4d7bfec5ae16f20d41c8c84a04552a33870b930420e230e179564f6d19bb153145e76c33ae993886c388832b0fa042ddda7f133924f3854481533e0ede31d51278c0519b29abc3bf53da673e13e3e1214b52413d179d7f66deee35cac8eacb060f78379d70ef4af8607e68131ff529439668fc39c9ce6dfef8a5ac234d234802cbfb749a26107db26406213ae5c06d4673253a3cbee1fcbae58d6ab77e38d6e2c0e7c6317c48e054edadb5a40d0d48acb44643d998139a8a66bb820be1f3f80185bc777d14b5954b60effe2448a036d565c6bc0b915fcea518acdd20ab07bc1529f561c58cd044f723109b93f6fd99f876ff891d64306b5d08f48bab59f38695e9109c4dec34013ba3153488ce070268381ba923ee1eb77125b36afcb4347ec3478c8f2735b06ef17351d872e577fa95d0c397c88c71b59629a36aec"
 // Generated by `gpg --export-secret-keys` followed by a manual extraction of
 // the ElGamal subkey from the packets.
 const privKeyElGamalHex = "9d0157044df9ee1a100400eb8e136a58ec39b582629cdadf830bc64e0a94ed8103ca8bb247b27b11b46d1d25297ef4bcc3071785ba0c0bedfe89eabc5287fcc0edf81ab5896c1c8e4b20d27d79813c7aede75320b33eaeeaa586edc00fd1036c10133e6ba0ff277245d0d59d04b2b3421b7244aca5f4a8d870c6f1c1fbff9e1c26699a860b9504f35ca1d700030503fd1ededd3b840795be6d9ccbe3c51ee42e2f39233c432b831ddd9c4e72b7025a819317e47bf94f9ee316d7273b05d5fcf2999c3a681f519b1234bbfa6d359b4752bd9c3f77d6b6456cde152464763414ca130f4e91d91041432f90620fec0e6d6b5116076c2985d5aeaae13be492b9b329efcaf7ee25120159a0a30cd976b42d7afe030302dae7eb80db744d4960c4df930d57e87fe81412eaace9f900e6c839817a614ddb75ba6603b9417c33ea7b6c93967dfa2bcff3fa3c74a5ce2c962db65b03aece14c96cbd0038fc"
 // pkcs1PrivKeyHex is a PKCS#1, RSA private key.
 // Generated by `openssl genrsa 1024 | openssl rsa -outform DER  | xxd -p`
 const pkcs1PrivKeyHex = "3082025d02010002818100e98edfa1c3b35884a54d0b36a6a603b0290fa85e49e30fa23fc94fef9c6790bc4849928607aa48d809da326fb42a969d06ad756b98b9c1a90f5d4a2b6d0ac05953c97f4da3120164a21a679793ce181c906dc01d235cc085ddcdf6ea06c389b6ab8885dfd685959e693138856a68a7e5db263337ff82a088d583a897cf2d59e9020301000102818100b6d5c9eb70b02d5369b3ee5b520a14490b5bde8a317d36f7e4c74b7460141311d1e5067735f8f01d6f5908b2b96fbd881f7a1ab9a84d82753e39e19e2d36856be960d05ac9ef8e8782ea1b6d65aee28fdfe1d61451e8cff0adfe84322f12cf455028b581cf60eb9e0e140ba5d21aeba6c2634d7c65318b9a665fc01c3191ca21024100fa5e818da3705b0fa33278bb28d4b6f6050388af2d4b75ec9375dd91ccf2e7d7068086a8b82a8f6282e4fbbdb8a7f2622eb97295249d87acea7f5f816f54d347024100eecf9406d7dc49cdfb95ab1eff4064de84c7a30f64b2798936a0d2018ba9eb52e4b636f82e96c49cc63b80b675e91e40d1b2e4017d4b9adaf33ab3d9cf1c214f024100c173704ace742c082323066226a4655226819a85304c542b9dacbeacbf5d1881ee863485fcf6f59f3a604f9b42289282067447f2b13dfeed3eab7851fc81e0550240741fc41f3fc002b382eed8730e33c5d8de40256e4accee846667f536832f711ab1d4590e7db91a8a116ac5bff3be13d3f9243ff2e976662aa9b395d907f8e9c9024046a5696c9ef882363e06c9fa4e2f5b580906452befba03f4a99d0f873697ef1f851d2226ca7934b30b7c3e80cb634a67172bbbf4781735fe3e09263e2dd723e7"
@@ -0,0 +1,24 @@
 package packet
 const rsaFingerprintHex = "5fb74b1d03b1e3cb31bc2f8aa34d7e18c20c31bb"
 const rsaPkDataHex = "988d044d3c5c10010400b1d13382944bd5aba23a4312968b5095d14f947f600eb478e14a6fcb16b0e0cac764884909c020bc495cfcc39a935387c661507bdb236a0612fb582cac3af9b29cc2c8c70090616c41b662f4da4c1201e195472eb7f4ae1ccbcbf9940fe21d985e379a5563dde5b9a23d35f1cfaa5790da3b79db26f23695107bfaca8e7b5bcd0011010001"
 const dsaFingerprintHex = "eece4c094db002103714c63c8e8fbe54062f19ed"
 const dsaPkDataHex = "9901a2044d432f89110400cd581334f0d7a1e1bdc8b9d6d8c0baf68793632735d2bb0903224cbaa1dfbf35a60ee7a13b92643421e1eb41aa8d79bea19a115a677f6b8ba3c7818ce53a6c2a24a1608bd8b8d6e55c5090cbde09dd26e356267465ae25e69ec8bdd57c7bbb2623e4d73336f73a0a9098f7f16da2e25252130fd694c0e8070c55a812a423ae7f00a0ebf50e70c2f19c3520a551bd4b08d30f23530d3d03ff7d0bf4a53a64a09dc5e6e6e35854b7d70c882b0c60293401958b1bd9e40abec3ea05ba87cf64899299d4bd6aa7f459c201d3fbbd6c82004bdc5e8a9eb8082d12054cc90fa9d4ec251a843236a588bf49552441817436c4f43326966fe85447d4e6d0acf8fa1ef0f014730770603ad7634c3088dc52501c237328417c31c89ed70400b2f1a98b0bf42f11fefc430704bebbaa41d9f355600c3facee1e490f64208e0e094ea55e3a598a219a58500bf78ac677b670a14f4e47e9cf8eab4f368cc1ddcaa18cc59309d4cc62dd4f680e73e6cc3e1ce87a84d0925efbcb26c575c093fc42eecf45135fabf6403a25c2016e1774c0484e440a18319072c617cc97ac0a3bb0"
 const ecdsaFingerprintHex = "9892270b38b8980b05c8d56d43fe956c542ca00b"
 const ecdsaPkDataHex = "9893045071c29413052b8104002304230401f4867769cedfa52c325018896245443968e52e51d0c2df8d939949cb5b330f2921711fbee1c9b9dddb95d15cb0255e99badeddda7cc23d9ddcaacbc290969b9f24019375d61c2e4e3b36953a28d8b2bc95f78c3f1d592fb24499be348656a7b17e3963187b4361afe497bc5f9f81213f04069f8e1fb9e6a6290ae295ca1a92b894396cb4"
 const ecdhFingerprintHex = "722354df2475a42164d1d49faa8b938f9a201946"
 const ecdhPkDataHex = "b90073044d53059212052b810400220303042faa84024a20b6735c4897efa5bfb41bf85b7eefeab5ca0cb9ffc8ea04a46acb25534a577694f9e25340a4ab5223a9dd1eda530c8aa2e6718db10d7e672558c7736fe09369ea5739a2a3554bf16d41faa50562f11c6d39bbd5dffb6b9a9ec91803010909"
 const eddsaFingerprintHex = "b2d5e5ec0e6deca6bc8eeeb00907e75e1dd99ad8"
 const eddsaPkDataHex = "98330456e2132b16092b06010401da470f01010740bbda39266affa511a8c2d02edf690fb784b0499c4406185811a163539ef11dc1b41d74657374696e67203c74657374696e674074657374696e672e636f6d3e8879041316080021050256e2132b021b03050b09080702061508090a0b020416020301021e01021780000a09100907e75e1dd99ad86d0c00fe39d2008359352782bc9b61ac382584cd8eff3f57a18c2287e3afeeb05d1f04ba00fe2d0bc1ddf3ff8adb9afa3e7d9287244b4ec567f3db4d60b74a9b5465ed528203"
 // Source: https://sites.google.com/site/brainhub/pgpecckeys#TOC-ECC-NIST-P-384-key
 const ecc384PubHex = `99006f044d53059213052b81040022030304f6b8c5aced5b84ef9f4a209db2e4a9dfb70d28cb8c10ecd57674a9fa5a67389942b62d5e51367df4c7bfd3f8e500feecf07ed265a621a8ebbbe53e947ec78c677eba143bd1533c2b350e1c29f82313e1e1108eba063be1e64b10e6950e799c2db42465635f6473615f64685f333834203c6f70656e70677040627261696e6875622e6f72673e8900cb04101309005305024d530592301480000000002000077072656665727265642d656d61696c2d656e636f64696e67407067702e636f6d7067706d696d65040b090807021901051b03000000021602051e010000000415090a08000a0910098033880f54719fca2b0180aa37350968bd5f115afd8ce7bc7b103822152dbff06d0afcda835329510905b98cb469ba208faab87c7412b799e7b633017f58364ea480e8a1a3f253a0c5f22c446e8be9a9fce6210136ee30811abbd49139de28b5bdf8dc36d06ae748579e9ff503b90073044d53059212052b810400220303042faa84024a20b6735c4897efa5bfb41bf85b7eefeab5ca0cb9ffc8ea04a46acb25534a577694f9e25340a4ab5223a9dd1eda530c8aa2e6718db10d7e672558c7736fe09369ea5739a2a3554bf16d41faa50562f11c6d39bbd5dffb6b9a9ec9180301090989008404181309000c05024d530592051b0c000000000a0910098033880f54719f80970180eee7a6d8fcee41ee4f9289df17f9bcf9d955dca25c583b94336f3a2b2d4986dc5cf417b8d2dc86f741a9e1a6d236c0e3017d1c76575458a0cfb93ae8a2b274fcc65ceecd7a91eec83656ba13219969f06945b48c56bd04152c3a0553c5f2f4bd1267`
@@ -0,0 +1,209 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package packet
 import (
 	"io"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 )
 type PacketReader interface {
 	Next() (p Packet, err error)
 	Push(reader io.Reader) (err error)
 	Unread(p Packet)
 }
 // Reader reads packets from an io.Reader and allows packets to be 'unread' so
 // that they result from the next call to Next.
 type Reader struct {
 	q       []Packet
 	readers []io.Reader
 }
 // New io.Readers are pushed when a compressed or encrypted packet is processed
 // and recursively treated as a new source of packets. However, a carefully
 // crafted packet can trigger an infinite recursive sequence of packets. See
 // http://mumble.net/~campbell/misc/pgp-quine
 // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4402
 // This constant limits the number of recursive packets that may be pushed.
 const maxReaders = 32
 // Next returns the most recently unread Packet, or reads another packet from
 // the top-most io.Reader. Unknown/unsupported/Marker packet types are skipped.
 func (r *Reader) Next() (p Packet, err error) {
 	for {
 		p, err := r.read()
 		if err == io.EOF {
 			break
 		} else if err != nil {
 			if _, ok := err.(errors.UnknownPacketTypeError); ok {
 				continue
 			}
 			if _, ok := err.(errors.UnsupportedError); ok {
 				switch p.(type) {
 				case *SymmetricallyEncrypted, *AEADEncrypted, *Compressed, *LiteralData:
 					return nil, err
 				}
 				continue
 			}
 			return nil, err
 		} else {
 			//A marker packet MUST be ignored when received
 			switch p.(type) {
 			case *Marker:
 				continue
 			}
 			return p, nil
 		}
 	}
 	return nil, io.EOF
 }
 // Next returns the most recently unread Packet, or reads another packet from
 // the top-most io.Reader. Unknown/Marker packet types are skipped while unsupported
 // packets are returned as UnsupportedPacket type.
 func (r *Reader) NextWithUnsupported() (p Packet, err error) {
 	for {
 		p, err = r.read()
 		if err == io.EOF {
 			break
 		} else if err != nil {
 			if _, ok := err.(errors.UnknownPacketTypeError); ok {
 				continue
 			}
 			if casteErr, ok := err.(errors.UnsupportedError); ok {
 				return &UnsupportedPacket{
 					IncompletePacket: p,
 					Error:            casteErr,
 				}, nil
 			}
 			return
 		} else {
 			//A marker packet MUST be ignored when received
 			switch p.(type) {
 			case *Marker:
 				continue
 			}
 			return
 		}
 	}
 	return nil, io.EOF
 }
 func (r *Reader) read() (p Packet, err error) {
 	if len(r.q) > 0 {
 		p = r.q[len(r.q)-1]
 		r.q = r.q[:len(r.q)-1]
 		return
 	}
 	for len(r.readers) > 0 {
 		p, err = Read(r.readers[len(r.readers)-1])
 		if err == io.EOF {
 			r.readers = r.readers[:len(r.readers)-1]
 			continue
 		}
 		return p, err
 	}
 	return nil, io.EOF
 }
 // Push causes the Reader to start reading from a new io.Reader. When an EOF
 // error is seen from the new io.Reader, it is popped and the Reader continues
 // to read from the next most recent io.Reader. Push returns a StructuralError
 // if pushing the reader would exceed the maximum recursion level, otherwise it
 // returns nil.
 func (r *Reader) Push(reader io.Reader) (err error) {
 	if len(r.readers) >= maxReaders {
 		return errors.StructuralError("too many layers of packets")
 	}
 	r.readers = append(r.readers, reader)
 	return nil
 }
 // Unread causes the given Packet to be returned from the next call to Next.
 func (r *Reader) Unread(p Packet) {
 	r.q = append(r.q, p)
 }
 func NewReader(r io.Reader) *Reader {
 	return &Reader{
 		q:       nil,
 		readers: []io.Reader{r},
 	}
 }
 // CheckReader is similar to Reader but additionally
 // uses the pushdown automata to verify the read packet sequence.
 type CheckReader struct {
 	Reader
 	verifier  *SequenceVerifier
 	fullyRead bool
 }
 // Next returns the most recently unread Packet, or reads another packet from
 // the top-most io.Reader. Unknown packet types are skipped.
 // If the read packet sequence does not conform to the packet composition
 // rules in rfc4880, it returns an error.
 func (r *CheckReader) Next() (p Packet, err error) {
 	if r.fullyRead {
 		return nil, io.EOF
 	}
 	if len(r.q) > 0 {
 		p = r.q[len(r.q)-1]
 		r.q = r.q[:len(r.q)-1]
 		return
 	}
 	var errMsg error
 	for len(r.readers) > 0 {
 		p, errMsg, err = ReadWithCheck(r.readers[len(r.readers)-1], r.verifier)
 		if errMsg != nil {
 			err = errMsg
 			return
 		}
 		if err == nil {
 			return
 		}
 		if err == io.EOF {
 			r.readers = r.readers[:len(r.readers)-1]
 			continue
 		}
 		//A marker packet MUST be ignored when received
 		switch p.(type) {
 		case *Marker:
 			continue
 		}
 		if _, ok := err.(errors.UnknownPacketTypeError); ok {
 			continue
 		}
 		if _, ok := err.(errors.UnsupportedError); ok {
 			switch p.(type) {
 			case *SymmetricallyEncrypted, *AEADEncrypted, *Compressed, *LiteralData:
 				return nil, err
 			}
 			continue
 		}
 		return nil, err
 	}
 	if errMsg = r.verifier.Next(EOSSymbol); errMsg != nil {
 		return nil, errMsg
 	}
 	if errMsg = r.verifier.AssertValid(); errMsg != nil {
 		return nil, errMsg
 	}
 	r.fullyRead = true
 	return nil, io.EOF
 }
 func NewCheckReader(r io.Reader) *CheckReader {
 	return &CheckReader{
 		Reader: Reader{
 			q:       nil,
 			readers: []io.Reader{r},
 		},
 		verifier:  NewSequenceVerifier(),
 		fullyRead: false,
 	}
 }
@@ -0,0 +1,15 @@
 package packet
 // Recipient type represents a Intended Recipient Fingerprint subpacket
 // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh#name-intended-recipient-fingerpr
 type Recipient struct {
 	KeyVersion  int
 	Fingerprint []byte
 }
 func (r *Recipient) Serialize() []byte {
 	packet := make([]byte, len(r.Fingerprint)+1)
 	packet[0] = byte(r.KeyVersion)
 	copy(packet[1:], r.Fingerprint)
 	return packet
 }
@@ -0,0 +1,331 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package packet
 import (
 	"bytes"
 	"crypto/cipher"
 	"crypto/sha256"
 	"io"
 	"strconv"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	"github.com/ProtonMail/go-crypto/openpgp/s2k"
 	"golang.org/x/crypto/hkdf"
 )
 // This is the largest session key that we'll support. Since at most 256-bit cipher
 // is supported in OpenPGP, this is large enough to contain also the auth tag.
 const maxSessionKeySizeInBytes = 64
 // SymmetricKeyEncrypted represents a passphrase protected session key. See RFC
 // 4880, section 5.3.
 type SymmetricKeyEncrypted struct {
 	Version      int
 	CipherFunc   CipherFunction
 	Mode         AEADMode
 	s2k          func(out, in []byte)
 	iv           []byte
 	encryptedKey []byte // Contains also the authentication tag for AEAD
 }
 // parse parses an SymmetricKeyEncrypted packet as specified in
 // https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#name-symmetric-key-encrypted-ses
 func (ske *SymmetricKeyEncrypted) parse(r io.Reader) error {
 	var buf [1]byte
 	// Version
 	if _, err := readFull(r, buf[:]); err != nil {
 		return err
 	}
 	ske.Version = int(buf[0])
 	if ske.Version != 4 && ske.Version != 5 && ske.Version != 6 {
 		return errors.UnsupportedError("unknown SymmetricKeyEncrypted version")
 	}
 	if V5Disabled && ske.Version == 5 {
 		return errors.UnsupportedError("support for parsing v5 entities is disabled; build with `-tags v5` if needed")
 	}
 	if ske.Version > 5 {
 		// Scalar octet count
 		if _, err := readFull(r, buf[:]); err != nil {
 			return err
 		}
 	}
 	// Cipher function
 	if _, err := readFull(r, buf[:]); err != nil {
 		return err
 	}
 	ske.CipherFunc = CipherFunction(buf[0])
 	if !ske.CipherFunc.IsSupported() {
 		return errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(buf[0])))
 	}
 	if ske.Version >= 5 {
 		// AEAD mode
 		if _, err := readFull(r, buf[:]); err != nil {
 			return errors.StructuralError("cannot read AEAD octet from packet")
 		}
 		ske.Mode = AEADMode(buf[0])
 	}
 	if ske.Version > 5 {
 		// Scalar octet count
 		if _, err := readFull(r, buf[:]); err != nil {
 			return err
 		}
 	}
 	var err error
 	if ske.s2k, err = s2k.Parse(r); err != nil {
 		if _, ok := err.(errors.ErrDummyPrivateKey); ok {
 			return errors.UnsupportedError("missing key GNU extension in session key")
 		}
 		return err
 	}
 	if ske.Version >= 5 {
 		// AEAD IV
 		iv := make([]byte, ske.Mode.IvLength())
 		_, err := readFull(r, iv)
 		if err != nil {
 			return errors.StructuralError("cannot read AEAD IV")
 		}
 		ske.iv = iv
 	}
 	encryptedKey := make([]byte, maxSessionKeySizeInBytes)
 	// The session key may follow. We just have to try and read to find
 	// out. If it exists then we limit it to maxSessionKeySizeInBytes.
 	n, err := readFull(r, encryptedKey)
 	if err != nil && err != io.ErrUnexpectedEOF {
 		return err
 	}
 	if n != 0 {
 		if n == maxSessionKeySizeInBytes {
 			return errors.UnsupportedError("oversized encrypted session key")
 		}
 		ske.encryptedKey = encryptedKey[:n]
 	}
 	return nil
 }
 // Decrypt attempts to decrypt an encrypted session key and returns the key and
 // the cipher to use when decrypting a subsequent Symmetrically Encrypted Data
 // packet.
 func (ske *SymmetricKeyEncrypted) Decrypt(passphrase []byte) ([]byte, CipherFunction, error) {
 	key := make([]byte, ske.CipherFunc.KeySize())
 	ske.s2k(key, passphrase)
 	if len(ske.encryptedKey) == 0 {
 		return key, ske.CipherFunc, nil
 	}
 	switch ske.Version {
 	case 4:
 		plaintextKey, cipherFunc, err := ske.decryptV4(key)
 		return plaintextKey, cipherFunc, err
 	case 5, 6:
 		plaintextKey, err := ske.aeadDecrypt(ske.Version, key)
 		return plaintextKey, CipherFunction(0), err
 	}
 	err := errors.UnsupportedError("unknown SymmetricKeyEncrypted version")
 	return nil, CipherFunction(0), err
 }
 func (ske *SymmetricKeyEncrypted) decryptV4(key []byte) ([]byte, CipherFunction, error) {
 	// the IV is all zeros
 	iv := make([]byte, ske.CipherFunc.blockSize())
 	c := cipher.NewCFBDecrypter(ske.CipherFunc.new(key), iv)
 	plaintextKey := make([]byte, len(ske.encryptedKey))
 	c.XORKeyStream(plaintextKey, ske.encryptedKey)
 	cipherFunc := CipherFunction(plaintextKey[0])
 	if cipherFunc.blockSize() == 0 {
 		return nil, ske.CipherFunc, errors.UnsupportedError(
 			"unknown cipher: " + strconv.Itoa(int(cipherFunc)))
 	}
 	plaintextKey = plaintextKey[1:]
 	if len(plaintextKey) != cipherFunc.KeySize() {
 		return nil, cipherFunc, errors.StructuralError(
 			"length of decrypted key not equal to cipher keysize")
 	}
 	return plaintextKey, cipherFunc, nil
 }
 func (ske *SymmetricKeyEncrypted) aeadDecrypt(version int, key []byte) ([]byte, error) {
 	adata := []byte{0xc3, byte(version), byte(ske.CipherFunc), byte(ske.Mode)}
 	aead := getEncryptedKeyAeadInstance(ske.CipherFunc, ske.Mode, key, adata, version)
 	plaintextKey, err := aead.Open(nil, ske.iv, ske.encryptedKey, adata)
 	if err != nil {
 		return nil, err
 	}
 	return plaintextKey, nil
 }
 // SerializeSymmetricKeyEncrypted serializes a symmetric key packet to w.
 // The packet contains a random session key, encrypted by a key derived from
 // the given passphrase. The session key is returned and must be passed to
 // SerializeSymmetricallyEncrypted.
 // If config is nil, sensible defaults will be used.
 func SerializeSymmetricKeyEncrypted(w io.Writer, passphrase []byte, config *Config) (key []byte, err error) {
 	cipherFunc := config.Cipher()
 	sessionKey := make([]byte, cipherFunc.KeySize())
 	_, err = io.ReadFull(config.Random(), sessionKey)
 	if err != nil {
 		return
 	}
 	err = SerializeSymmetricKeyEncryptedReuseKey(w, sessionKey, passphrase, config)
 	if err != nil {
 		return
 	}
 	key = sessionKey
 	return
 }
 // SerializeSymmetricKeyEncryptedReuseKey serializes a symmetric key packet to w.
 // The packet contains the given session key, encrypted by a key derived from
 // the given passphrase. The returned session key must be passed to
 // SerializeSymmetricallyEncrypted.
 // If config is nil, sensible defaults will be used.
 // Deprecated: Use SerializeSymmetricKeyEncryptedAEADReuseKey instead.
 func SerializeSymmetricKeyEncryptedReuseKey(w io.Writer, sessionKey []byte, passphrase []byte, config *Config) (err error) {
 	return SerializeSymmetricKeyEncryptedAEADReuseKey(w, sessionKey, passphrase, config.AEAD() != nil, config)
 }
 // SerializeSymmetricKeyEncryptedAEADReuseKey serializes a symmetric key packet to w.
 // The packet contains the given session key, encrypted by a key derived from
 // the given passphrase. The returned session key must be passed to
 // SerializeSymmetricallyEncrypted.
 // If aeadSupported is set, SKESK v6 is used, otherwise v4.
 // Note: aeadSupported MUST match the value passed to SerializeSymmetricallyEncrypted.
 // If config is nil, sensible defaults will be used.
 func SerializeSymmetricKeyEncryptedAEADReuseKey(w io.Writer, sessionKey []byte, passphrase []byte, aeadSupported bool, config *Config) (err error) {
 	var version int
 	if aeadSupported {
 		version = 6
 	} else {
 		version = 4
 	}
 	cipherFunc := config.Cipher()
 	// cipherFunc must be AES
 	if !cipherFunc.IsSupported() || cipherFunc < CipherAES128 || cipherFunc > CipherAES256 {
 		return errors.UnsupportedError("unsupported cipher: " + strconv.Itoa(int(cipherFunc)))
 	}
 	keySize := cipherFunc.KeySize()
 	s2kBuf := new(bytes.Buffer)
 	keyEncryptingKey := make([]byte, keySize)
 	// s2k.Serialize salts and stretches the passphrase, and writes the
 	// resulting key to keyEncryptingKey and the s2k descriptor to s2kBuf.
 	err = s2k.Serialize(s2kBuf, keyEncryptingKey, config.Random(), passphrase, config.S2K())
 	if err != nil {
 		return
 	}
 	s2kBytes := s2kBuf.Bytes()
 	var packetLength int
 	switch version {
 	case 4:
 		packetLength = 2 /* header */ + len(s2kBytes) + 1 /* cipher type */ + keySize
 	case 5, 6:
 		ivLen := config.AEAD().Mode().IvLength()
 		tagLen := config.AEAD().Mode().TagLength()
 		packetLength = 3 + len(s2kBytes) + ivLen + keySize + tagLen
 	}
 	if version > 5 {
 		packetLength += 2 // additional octet count fields
 	}
 	err = serializeHeader(w, packetTypeSymmetricKeyEncrypted, packetLength)
 	if err != nil {
 		return
 	}
 	// Symmetric Key Encrypted Version
 	buf := []byte{byte(version)}
 	if version > 5 {
 		// Scalar octet count
 		buf = append(buf, byte(3+len(s2kBytes)+config.AEAD().Mode().IvLength()))
 	}
 	// Cipher function
 	buf = append(buf, byte(cipherFunc))
 	if version >= 5 {
 		// AEAD mode
 		buf = append(buf, byte(config.AEAD().Mode()))
 	}
 	if version > 5 {
 		// Scalar octet count
 		buf = append(buf, byte(len(s2kBytes)))
 	}
 	_, err = w.Write(buf)
 	if err != nil {
 		return
 	}
 	_, err = w.Write(s2kBytes)
 	if err != nil {
 		return
 	}
 	switch version {
 	case 4:
 		iv := make([]byte, cipherFunc.blockSize())
 		c := cipher.NewCFBEncrypter(cipherFunc.new(keyEncryptingKey), iv)
 		encryptedCipherAndKey := make([]byte, keySize+1)
 		c.XORKeyStream(encryptedCipherAndKey, buf[1:])
 		c.XORKeyStream(encryptedCipherAndKey[1:], sessionKey)
 		_, err = w.Write(encryptedCipherAndKey)
 		if err != nil {
 			return
 		}
 	case 5, 6:
 		mode := config.AEAD().Mode()
 		adata := []byte{0xc3, byte(version), byte(cipherFunc), byte(mode)}
 		aead := getEncryptedKeyAeadInstance(cipherFunc, mode, keyEncryptingKey, adata, version)
 		// Sample iv using random reader
 		iv := make([]byte, config.AEAD().Mode().IvLength())
 		_, err = io.ReadFull(config.Random(), iv)
 		if err != nil {
 			return
 		}
 		// Seal and write (encryptedData includes auth. tag)
 		encryptedData := aead.Seal(nil, iv, sessionKey, adata)
 		_, err = w.Write(iv)
 		if err != nil {
 			return
 		}
 		_, err = w.Write(encryptedData)
 		if err != nil {
 			return
 		}
 	}
 	return
 }
 func getEncryptedKeyAeadInstance(c CipherFunction, mode AEADMode, inputKey, associatedData []byte, version int) (aead cipher.AEAD) {
 	var blockCipher cipher.Block
 	if version > 5 {
 		hkdfReader := hkdf.New(sha256.New, inputKey, []byte{}, associatedData)
 		encryptionKey := make([]byte, c.KeySize())
 		_, _ = readFull(hkdfReader, encryptionKey)
 		blockCipher = c.new(encryptionKey)
 	} else {
 		blockCipher = c.new(inputKey)
 	}
 	return mode.new(blockCipher)
 }
@@ -0,0 +1,94 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package packet
 import (
 	"io"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 )
 const aeadSaltSize = 32
 // SymmetricallyEncrypted represents a symmetrically encrypted byte string. The
 // encrypted Contents will consist of more OpenPGP packets. See RFC 4880,
 // sections 5.7 and 5.13.
 type SymmetricallyEncrypted struct {
 	Version            int
 	Contents           io.Reader // contains tag for version 2
 	IntegrityProtected bool      // If true it is type 18 (with MDC or AEAD). False is packet type 9
 	// Specific to version 1
 	prefix []byte
 	// Specific to version 2
 	Cipher        CipherFunction
 	Mode          AEADMode
 	ChunkSizeByte byte
 	Salt          [aeadSaltSize]byte
 }
 const (
 	symmetricallyEncryptedVersionMdc  = 1
 	symmetricallyEncryptedVersionAead = 2
 )
 func (se *SymmetricallyEncrypted) parse(r io.Reader) error {
 	if se.IntegrityProtected {
 		// See RFC 4880, section 5.13.
 		var buf [1]byte
 		_, err := readFull(r, buf[:])
 		if err != nil {
 			return err
 		}
 		switch buf[0] {
 		case symmetricallyEncryptedVersionMdc:
 			se.Version = symmetricallyEncryptedVersionMdc
 		case symmetricallyEncryptedVersionAead:
 			se.Version = symmetricallyEncryptedVersionAead
 			if err := se.parseAead(r); err != nil {
 				return err
 			}
 		default:
 			return errors.UnsupportedError("unknown SymmetricallyEncrypted version")
 		}
 	}
 	se.Contents = r
 	return nil
 }
 // Decrypt returns a ReadCloser, from which the decrypted Contents of the
 // packet can be read. An incorrect key will only be detected after trying
 // to decrypt the entire data.
 func (se *SymmetricallyEncrypted) Decrypt(c CipherFunction, key []byte) (io.ReadCloser, error) {
 	if se.Version == symmetricallyEncryptedVersionAead {
 		return se.decryptAead(key)
 	}
 	return se.decryptMdc(c, key)
 }
 // SerializeSymmetricallyEncrypted serializes a symmetrically encrypted packet
 // to w and returns a WriteCloser to which the to-be-encrypted packets can be
 // written.
 // If aeadSupported is set to true, SEIPDv2 is used with the indicated CipherSuite.
 // Otherwise, SEIPDv1 is used with the indicated CipherFunction.
 // Note: aeadSupported MUST match the value passed to SerializeEncryptedKeyAEAD
 // and/or SerializeSymmetricKeyEncryptedAEADReuseKey.
 // If config is nil, sensible defaults will be used.
 func SerializeSymmetricallyEncrypted(w io.Writer, c CipherFunction, aeadSupported bool, cipherSuite CipherSuite, key []byte, config *Config) (Contents io.WriteCloser, err error) {
 	writeCloser := noOpCloser{w}
 	ciphertext, err := serializeStreamHeader(writeCloser, packetTypeSymmetricallyEncryptedIntegrityProtected)
 	if err != nil {
 		return
 	}
 	if aeadSupported {
 		return serializeSymmetricallyEncryptedAead(ciphertext, cipherSuite, config.AEADConfig.ChunkSizeByte(), config.Random(), key)
 	}
 	return serializeSymmetricallyEncryptedMdc(ciphertext, c, key, config)
 }
@@ -0,0 +1,168 @@
 // Copyright 2023 Proton AG. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package packet
 import (
 	"crypto/cipher"
 	"crypto/sha256"
 	"fmt"
 	"io"
 	"strconv"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	"golang.org/x/crypto/hkdf"
 )
 // parseAead parses a V2 SEIPD packet (AEAD) as specified in
 // https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.13.2
 func (se *SymmetricallyEncrypted) parseAead(r io.Reader) error {
 	headerData := make([]byte, 3)
 	if n, err := io.ReadFull(r, headerData); n < 3 {
 		return errors.StructuralError("could not read aead header: " + err.Error())
 	}
 	// Cipher
 	se.Cipher = CipherFunction(headerData[0])
 	// cipherFunc must have block size 16 to use AEAD
 	if se.Cipher.blockSize() != 16 {
 		return errors.UnsupportedError("invalid aead cipher: " + strconv.Itoa(int(se.Cipher)))
 	}
 	// Mode
 	se.Mode = AEADMode(headerData[1])
 	if se.Mode.TagLength() == 0 {
 		return errors.UnsupportedError("unknown aead mode: " + strconv.Itoa(int(se.Mode)))
 	}
 	// Chunk size
 	se.ChunkSizeByte = headerData[2]
 	if se.ChunkSizeByte > 16 {
 		return errors.UnsupportedError("invalid aead chunk size byte: " + strconv.Itoa(int(se.ChunkSizeByte)))
 	}
 	// Salt
 	if n, err := io.ReadFull(r, se.Salt[:]); n < aeadSaltSize {
 		return errors.StructuralError("could not read aead salt: " + err.Error())
 	}
 	return nil
 }
 // associatedData for chunks: tag, version, cipher, mode, chunk size byte
 func (se *SymmetricallyEncrypted) associatedData() []byte {
 	return []byte{
 		0xD2,
 		symmetricallyEncryptedVersionAead,
 		byte(se.Cipher),
 		byte(se.Mode),
 		se.ChunkSizeByte,
 	}
 }
 // decryptAead decrypts a V2 SEIPD packet (AEAD) as specified in
 // https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.13.2
 func (se *SymmetricallyEncrypted) decryptAead(inputKey []byte) (io.ReadCloser, error) {
 	if se.Cipher.KeySize() != len(inputKey) {
 		return nil, errors.StructuralError(fmt.Sprintf("invalid session key length for cipher: got %d bytes, but expected %d bytes", len(inputKey), se.Cipher.KeySize()))
 	}
 	aead, nonce := getSymmetricallyEncryptedAeadInstance(se.Cipher, se.Mode, inputKey, se.Salt[:], se.associatedData())
 	// Carry the first tagLen bytes
 	chunkSize := decodeAEADChunkSize(se.ChunkSizeByte)
 	tagLen := se.Mode.TagLength()
 	chunkBytes := make([]byte, chunkSize+tagLen*2)
 	peekedBytes := chunkBytes[chunkSize+tagLen:]
 	n, err := io.ReadFull(se.Contents, peekedBytes)
 	if n < tagLen || (err != nil && err != io.EOF) {
 		return nil, errors.StructuralError("not enough data to decrypt:" + err.Error())
 	}
 	return &aeadDecrypter{
 		aeadCrypter: aeadCrypter{
 			aead:           aead,
 			chunkSize:      decodeAEADChunkSize(se.ChunkSizeByte),
 			nonce:          nonce,
 			associatedData: se.associatedData(),
 			chunkIndex:     nonce[len(nonce)-8:],
 			packetTag:      packetTypeSymmetricallyEncryptedIntegrityProtected,
 		},
 		reader:      se.Contents,
 		chunkBytes:  chunkBytes,
 		peekedBytes: peekedBytes,
 	}, nil
 }
 // serializeSymmetricallyEncryptedAead encrypts to a writer a V2 SEIPD packet (AEAD) as specified in
 // https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-5.13.2
 func serializeSymmetricallyEncryptedAead(ciphertext io.WriteCloser, cipherSuite CipherSuite, chunkSizeByte byte, rand io.Reader, inputKey []byte) (Contents io.WriteCloser, err error) {
 	// cipherFunc must have block size 16 to use AEAD
 	if cipherSuite.Cipher.blockSize() != 16 {
 		return nil, errors.InvalidArgumentError("invalid aead cipher function")
 	}
 	if cipherSuite.Cipher.KeySize() != len(inputKey) {
 		return nil, errors.InvalidArgumentError("error in aead serialization: bad key length")
 	}
 	// Data for en/decryption: tag, version, cipher, aead mode, chunk size
 	prefix := []byte{
 		0xD2,
 		symmetricallyEncryptedVersionAead,
 		byte(cipherSuite.Cipher),
 		byte(cipherSuite.Mode),
 		chunkSizeByte,
 	}
 	// Write header (that correspond to prefix except first byte)
 	n, err := ciphertext.Write(prefix[1:])
 	if err != nil || n < 4 {
 		return nil, err
 	}
 	// Random salt
 	salt := make([]byte, aeadSaltSize)
 	if _, err := io.ReadFull(rand, salt); err != nil {
 		return nil, err
 	}
 	if _, err := ciphertext.Write(salt); err != nil {
 		return nil, err
 	}
 	aead, nonce := getSymmetricallyEncryptedAeadInstance(cipherSuite.Cipher, cipherSuite.Mode, inputKey, salt, prefix)
 	chunkSize := decodeAEADChunkSize(chunkSizeByte)
 	tagLen := aead.Overhead()
 	chunkBytes := make([]byte, chunkSize+tagLen)
 	return &aeadEncrypter{
 		aeadCrypter: aeadCrypter{
 			aead:           aead,
 			chunkSize:      chunkSize,
 			associatedData: prefix,
 			nonce:          nonce,
 			chunkIndex:     nonce[len(nonce)-8:],
 			packetTag:      packetTypeSymmetricallyEncryptedIntegrityProtected,
 		},
 		writer:     ciphertext,
 		chunkBytes: chunkBytes,
 	}, nil
 }
 func getSymmetricallyEncryptedAeadInstance(c CipherFunction, mode AEADMode, inputKey, salt, associatedData []byte) (aead cipher.AEAD, nonce []byte) {
 	hkdfReader := hkdf.New(sha256.New, inputKey, salt, associatedData)
 	encryptionKey := make([]byte, c.KeySize())
 	_, _ = readFull(hkdfReader, encryptionKey)
 	nonce = make([]byte, mode.IvLength())
 	// Last 64 bits of nonce are the counter
 	_, _ = readFull(hkdfReader, nonce[:len(nonce)-8])
 	blockCipher := c.new(encryptionKey)
 	aead = mode.new(blockCipher)
 	return
 }
@@ -0,0 +1,256 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package packet
 import (
 	"crypto/cipher"
 	"crypto/sha1"
 	"crypto/subtle"
 	"hash"
 	"io"
 	"strconv"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 )
 // seMdcReader wraps an io.Reader with a no-op Close method.
 type seMdcReader struct {
 	in io.Reader
 }
 func (ser seMdcReader) Read(buf []byte) (int, error) {
 	return ser.in.Read(buf)
 }
 func (ser seMdcReader) Close() error {
 	return nil
 }
 func (se *SymmetricallyEncrypted) decryptMdc(c CipherFunction, key []byte) (io.ReadCloser, error) {
 	if !c.IsSupported() {
 		return nil, errors.UnsupportedError("unsupported cipher: " + strconv.Itoa(int(c)))
 	}
 	if len(key) != c.KeySize() {
 		return nil, errors.InvalidArgumentError("SymmetricallyEncrypted: incorrect key length")
 	}
 	if se.prefix == nil {
 		se.prefix = make([]byte, c.blockSize()+2)
 		_, err := readFull(se.Contents, se.prefix)
 		if err != nil {
 			return nil, err
 		}
 	} else if len(se.prefix) != c.blockSize()+2 {
 		return nil, errors.InvalidArgumentError("can't try ciphers with different block lengths")
 	}
 	ocfbResync := OCFBResync
 	if se.IntegrityProtected {
 		// MDC packets use a different form of OCFB mode.
 		ocfbResync = OCFBNoResync
 	}
 	s := NewOCFBDecrypter(c.new(key), se.prefix, ocfbResync)
 	plaintext := cipher.StreamReader{S: s, R: se.Contents}
 	if se.IntegrityProtected {
 		// IntegrityProtected packets have an embedded hash that we need to check.
 		h := sha1.New()
 		h.Write(se.prefix)
 		return &seMDCReader{in: plaintext, h: h}, nil
 	}
 	// Otherwise, we just need to wrap plaintext so that it's a valid ReadCloser.
 	return seMdcReader{plaintext}, nil
 }
 const mdcTrailerSize = 1 /* tag byte */ + 1 /* length byte */ + sha1.Size
 // An seMDCReader wraps an io.Reader, maintains a running hash and keeps hold
 // of the most recent 22 bytes (mdcTrailerSize). Upon EOF, those bytes form an
 // MDC packet containing a hash of the previous Contents which is checked
 // against the running hash. See RFC 4880, section 5.13.
 type seMDCReader struct {
 	in          io.Reader
 	h           hash.Hash
 	trailer     [mdcTrailerSize]byte
 	scratch     [mdcTrailerSize]byte
 	trailerUsed int
 	error       bool
 	eof         bool
 }
 func (ser *seMDCReader) Read(buf []byte) (n int, err error) {
 	if ser.error {
 		err = io.ErrUnexpectedEOF
 		return
 	}
 	if ser.eof {
 		err = io.EOF
 		return
 	}
 	// If we haven't yet filled the trailer buffer then we must do that
 	// first.
 	for ser.trailerUsed < mdcTrailerSize {
 		n, err = ser.in.Read(ser.trailer[ser.trailerUsed:])
 		ser.trailerUsed += n
 		if err == io.EOF {
 			if ser.trailerUsed != mdcTrailerSize {
 				n = 0
 				err = io.ErrUnexpectedEOF
 				ser.error = true
 				return
 			}
 			ser.eof = true
 			n = 0
 			return
 		}
 		if err != nil {
 			n = 0
 			return
 		}
 	}
 	// If it's a short read then we read into a temporary buffer and shift
 	// the data into the caller's buffer.
 	if len(buf) <= mdcTrailerSize {
 		n, err = readFull(ser.in, ser.scratch[:len(buf)])
 		copy(buf, ser.trailer[:n])
 		ser.h.Write(buf[:n])
 		copy(ser.trailer[:], ser.trailer[n:])
 		copy(ser.trailer[mdcTrailerSize-n:], ser.scratch[:])
 		if n < len(buf) {
 			ser.eof = true
 			err = io.EOF
 		}
 		return
 	}
 	n, err = ser.in.Read(buf[mdcTrailerSize:])
 	copy(buf, ser.trailer[:])
 	ser.h.Write(buf[:n])
 	copy(ser.trailer[:], buf[n:])
 	if err == io.EOF {
 		ser.eof = true
 	}
 	return
 }
 // This is a new-format packet tag byte for a type 19 (Integrity Protected) packet.
 const mdcPacketTagByte = byte(0x80) | 0x40 | 19
 func (ser *seMDCReader) Close() error {
 	if ser.error {
 		return errors.ErrMDCHashMismatch
 	}
 	for !ser.eof {
 		// We haven't seen EOF so we need to read to the end
 		var buf [1024]byte
 		_, err := ser.Read(buf[:])
 		if err == io.EOF {
 			break
 		}
 		if err != nil {
 			return errors.ErrMDCHashMismatch
 		}
 	}
 	ser.h.Write(ser.trailer[:2])
 	final := ser.h.Sum(nil)
 	if subtle.ConstantTimeCompare(final, ser.trailer[2:]) != 1 {
 		return errors.ErrMDCHashMismatch
 	}
 	// The hash already includes the MDC header, but we still check its value
 	// to confirm encryption correctness
 	if ser.trailer[0] != mdcPacketTagByte || ser.trailer[1] != sha1.Size {
 		return errors.ErrMDCHashMismatch
 	}
 	return nil
 }
 // An seMDCWriter writes through to an io.WriteCloser while maintains a running
 // hash of the data written. On close, it emits an MDC packet containing the
 // running hash.
 type seMDCWriter struct {
 	w io.WriteCloser
 	h hash.Hash
 }
 func (w *seMDCWriter) Write(buf []byte) (n int, err error) {
 	w.h.Write(buf)
 	return w.w.Write(buf)
 }
 func (w *seMDCWriter) Close() (err error) {
 	var buf [mdcTrailerSize]byte
 	buf[0] = mdcPacketTagByte
 	buf[1] = sha1.Size
 	w.h.Write(buf[:2])
 	digest := w.h.Sum(nil)
 	copy(buf[2:], digest)
 	_, err = w.w.Write(buf[:])
 	if err != nil {
 		return
 	}
 	return w.w.Close()
 }
 // noOpCloser is like an ioutil.NopCloser, but for an io.Writer.
 type noOpCloser struct {
 	w io.Writer
 }
 func (c noOpCloser) Write(data []byte) (n int, err error) {
 	return c.w.Write(data)
 }
 func (c noOpCloser) Close() error {
 	return nil
 }
 func serializeSymmetricallyEncryptedMdc(ciphertext io.WriteCloser, c CipherFunction, key []byte, config *Config) (Contents io.WriteCloser, err error) {
 	// Disallow old cipher suites
 	if !c.IsSupported() || c < CipherAES128 {
 		return nil, errors.InvalidArgumentError("invalid mdc cipher function")
 	}
 	if c.KeySize() != len(key) {
 		return nil, errors.InvalidArgumentError("error in mdc serialization: bad key length")
 	}
 	_, err = ciphertext.Write([]byte{symmetricallyEncryptedVersionMdc})
 	if err != nil {
 		return
 	}
 	block := c.new(key)
 	blockSize := block.BlockSize()
 	iv := make([]byte, blockSize)
 	_, err = io.ReadFull(config.Random(), iv)
 	if err != nil {
 		return nil, err
 	}
 	s, prefix := NewOCFBEncrypter(block, iv, OCFBNoResync)
 	_, err = ciphertext.Write(prefix)
 	if err != nil {
 		return
 	}
 	plaintext := cipher.StreamWriter{S: s, W: ciphertext}
 	h := sha1.New()
 	h.Write(iv)
 	h.Write(iv[blockSize-2:])
 	Contents = &seMDCWriter{w: plaintext, h: h}
 	return
 }
@@ -0,0 +1,100 @@
 // Copyright 2013 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package packet
 import (
 	"bytes"
 	"image"
 	"image/jpeg"
 	"io"
 )
 const UserAttrImageSubpacket = 1
 // UserAttribute is capable of storing other types of data about a user
 // beyond name, email and a text comment. In practice, user attributes are typically used
 // to store a signed thumbnail photo JPEG image of the user.
 // See RFC 4880, section 5.12.
 type UserAttribute struct {
 	Contents []*OpaqueSubpacket
 }
 // NewUserAttributePhoto creates a user attribute packet
 // containing the given images.
 func NewUserAttributePhoto(photos ...image.Image) (uat *UserAttribute, err error) {
 	uat = new(UserAttribute)
 	for _, photo := range photos {
 		var buf bytes.Buffer
 		// RFC 4880, Section 5.12.1.
 		data := []byte{
 			0x10, 0x00, // Little-endian image header length (16 bytes)
 			0x01,       // Image header version 1
 			0x01,       // JPEG
 			0, 0, 0, 0, // 12 reserved octets, must be all zero.
 			0, 0, 0, 0,
 			0, 0, 0, 0}
 		if _, err = buf.Write(data); err != nil {
 			return
 		}
 		if err = jpeg.Encode(&buf, photo, nil); err != nil {
 			return
 		}
 		lengthBuf := make([]byte, 5)
 		n := serializeSubpacketLength(lengthBuf, len(buf.Bytes())+1)
 		lengthBuf = lengthBuf[:n]
 		uat.Contents = append(uat.Contents, &OpaqueSubpacket{
 			SubType:       UserAttrImageSubpacket,
 			EncodedLength: lengthBuf,
 			Contents:      buf.Bytes(),
 		})
 	}
 	return
 }
 // NewUserAttribute creates a new user attribute packet containing the given subpackets.
 func NewUserAttribute(contents ...*OpaqueSubpacket) *UserAttribute {
 	return &UserAttribute{Contents: contents}
 }
 func (uat *UserAttribute) parse(r io.Reader) (err error) {
 	// RFC 4880, section 5.13
 	b, err := io.ReadAll(r)
 	if err != nil {
 		return
 	}
 	uat.Contents, err = OpaqueSubpackets(b)
 	return
 }
 // Serialize marshals the user attribute to w in the form of an OpenPGP packet, including
 // header.
 func (uat *UserAttribute) Serialize(w io.Writer) (err error) {
 	var buf bytes.Buffer
 	for _, sp := range uat.Contents {
 		err = sp.Serialize(&buf)
 		if err != nil {
 			return err
 		}
 	}
 	if err = serializeHeader(w, packetTypeUserAttribute, buf.Len()); err != nil {
 		return err
 	}
 	_, err = w.Write(buf.Bytes())
 	return
 }
 // ImageData returns zero or more byte slices, each containing
 // JPEG File Interchange Format (JFIF), for each photo in the
 // user attribute packet.
 func (uat *UserAttribute) ImageData() (imageData [][]byte) {
 	for _, sp := range uat.Contents {
 		if sp.SubType == UserAttrImageSubpacket && len(sp.Contents) > 16 {
 			imageData = append(imageData, sp.Contents[16:])
 		}
 	}
 	return
 }
@@ -0,0 +1,166 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package packet
 import (
 	"io"
 	"strings"
 )
 // UserId contains text that is intended to represent the name and email
 // address of the key holder. See RFC 4880, section 5.11. By convention, this
 // takes the form "Full Name (Comment) <email@example.com>"
 type UserId struct {
 	Id string // By convention, this takes the form "Full Name (Comment) <email@example.com>" which is split out in the fields below.
 	Name, Comment, Email string
 }
 func hasInvalidCharacters(s string) bool {
 	for _, c := range s {
 		switch c {
 		case '(', ')', '<', '>', 0:
 			return true
 		}
 	}
 	return false
 }
 // NewUserId returns a UserId or nil if any of the arguments contain invalid
 // characters. The invalid characters are '\x00', '(', ')', '<' and '>'
 func NewUserId(name, comment, email string) *UserId {
 	// RFC 4880 doesn't deal with the structure of userid strings; the
 	// name, comment and email form is just a convention. However, there's
 	// no convention about escaping the metacharacters and GPG just refuses
 	// to create user ids where, say, the name contains a '('. We mirror
 	// this behaviour.
 	if hasInvalidCharacters(name) || hasInvalidCharacters(comment) || hasInvalidCharacters(email) {
 		return nil
 	}
 	uid := new(UserId)
 	uid.Name, uid.Comment, uid.Email = name, comment, email
 	uid.Id = name
 	if len(comment) > 0 {
 		if len(uid.Id) > 0 {
 			uid.Id += " "
 		}
 		uid.Id += "("
 		uid.Id += comment
 		uid.Id += ")"
 	}
 	if len(email) > 0 {
 		if len(uid.Id) > 0 {
 			uid.Id += " "
 		}
 		uid.Id += "<"
 		uid.Id += email
 		uid.Id += ">"
 	}
 	return uid
 }
 func (uid *UserId) parse(r io.Reader) (err error) {
 	// RFC 4880, section 5.11
 	b, err := io.ReadAll(r)
 	if err != nil {
 		return
 	}
 	uid.Id = string(b)
 	uid.Name, uid.Comment, uid.Email = parseUserId(uid.Id)
 	return
 }
 // Serialize marshals uid to w in the form of an OpenPGP packet, including
 // header.
 func (uid *UserId) Serialize(w io.Writer) error {
 	err := serializeHeader(w, packetTypeUserId, len(uid.Id))
 	if err != nil {
 		return err
 	}
 	_, err = w.Write([]byte(uid.Id))
 	return err
 }
 // parseUserId extracts the name, comment and email from a user id string that
 // is formatted as "Full Name (Comment) <email@example.com>".
 func parseUserId(id string) (name, comment, email string) {
 	var n, c, e struct {
 		start, end int
 	}
 	var state int
 	for offset, rune := range id {
 		switch state {
 		case 0:
 			// Entering name
 			n.start = offset
 			state = 1
 			fallthrough
 		case 1:
 			// In name
 			if rune == '(' {
 				state = 2
 				n.end = offset
 			} else if rune == '<' {
 				state = 5
 				n.end = offset
 			}
 		case 2:
 			// Entering comment
 			c.start = offset
 			state = 3
 			fallthrough
 		case 3:
 			// In comment
 			if rune == ')' {
 				state = 4
 				c.end = offset
 			}
 		case 4:
 			// Between comment and email
 			if rune == '<' {
 				state = 5
 			}
 		case 5:
 			// Entering email
 			e.start = offset
 			state = 6
 			fallthrough
 		case 6:
 			// In email
 			if rune == '>' {
 				state = 7
 				e.end = offset
 			}
 		default:
 			// After email
 		}
 	}
 	switch state {
 	case 1:
 		// ended in the name
 		n.end = len(id)
 	case 3:
 		// ended in comment
 		c.end = len(id)
 	case 6:
 		// ended in email
 		e.end = len(id)
 	}
 	name = strings.TrimSpace(id[n.start:n.end])
 	comment = strings.TrimSpace(id[c.start:c.end])
 	email = strings.TrimSpace(id[e.start:e.end])
 	// RFC 2822 3.4: alternate simple form of a mailbox
 	if email == "" && strings.ContainsRune(name, '@') {
 		email = name
 		name = ""
 	}
 	return
 }
@@ -0,0 +1,619 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package openpgp implements high level operations on OpenPGP messages.
 package openpgp // import "github.com/ProtonMail/go-crypto/openpgp"
 import (
 	"crypto"
 	_ "crypto/sha256"
 	_ "crypto/sha512"
 	"hash"
 	"io"
 	"strconv"
 	"github.com/ProtonMail/go-crypto/openpgp/armor"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/algorithm"
 	"github.com/ProtonMail/go-crypto/openpgp/packet"
 	_ "golang.org/x/crypto/sha3"
 )
 // SignatureType is the armor type for a PGP signature.
 var SignatureType = "PGP SIGNATURE"
 // readArmored reads an armored block with the given type.
 func readArmored(r io.Reader, expectedType string) (body io.Reader, err error) {
 	block, err := armor.Decode(r)
 	if err != nil {
 		return
 	}
 	if block.Type != expectedType {
 		return nil, errors.InvalidArgumentError("expected '" + expectedType + "', got: " + block.Type)
 	}
 	return block.Body, nil
 }
 // MessageDetails contains the result of parsing an OpenPGP encrypted and/or
 // signed message.
 type MessageDetails struct {
 	IsEncrypted              bool                // true if the message was encrypted.
 	EncryptedToKeyIds        []uint64            // the list of recipient key ids.
 	IsSymmetricallyEncrypted bool                // true if a passphrase could have decrypted the message.
 	DecryptedWith            Key                 // the private key used to decrypt the message, if any.
 	IsSigned                 bool                // true if the message is signed.
 	SignedByKeyId            uint64              // the key id of the signer, if any.
 	SignedByFingerprint      []byte              // the key fingerprint of the signer, if any.
 	SignedBy                 *Key                // the key of the signer, if available.
 	LiteralData              *packet.LiteralData // the metadata of the contents
 	UnverifiedBody           io.Reader           // the contents of the message.
 	// If IsSigned is true and SignedBy is non-zero then the signature will
 	// be verified as UnverifiedBody is read. The signature cannot be
 	// checked until the whole of UnverifiedBody is read so UnverifiedBody
 	// must be consumed until EOF before the data can be trusted. Even if a
 	// message isn't signed (or the signer is unknown) the data may contain
 	// an authentication code that is only checked once UnverifiedBody has
 	// been consumed. Once EOF has been seen, the following fields are
 	// valid. (An authentication code failure is reported as a
 	// SignatureError error when reading from UnverifiedBody.)
 	Signature            *packet.Signature   // the signature packet itself.
 	SignatureError       error               // nil if the signature is good.
 	UnverifiedSignatures []*packet.Signature // all other unverified signature packets.
 	decrypted io.ReadCloser
 }
 // A PromptFunction is used as a callback by functions that may need to decrypt
 // a private key, or prompt for a passphrase. It is called with a list of
 // acceptable, encrypted private keys and a boolean that indicates whether a
 // passphrase is usable. It should either decrypt a private key or return a
 // passphrase to try. If the decrypted private key or given passphrase isn't
 // correct, the function will be called again, forever. Any error returned will
 // be passed up.
 type PromptFunction func(keys []Key, symmetric bool) ([]byte, error)
 // A keyEnvelopePair is used to store a private key with the envelope that
 // contains a symmetric key, encrypted with that key.
 type keyEnvelopePair struct {
 	key          Key
 	encryptedKey *packet.EncryptedKey
 }
 // ReadMessage parses an OpenPGP message that may be signed and/or encrypted.
 // The given KeyRing should contain both public keys (for signature
 // verification) and, possibly encrypted, private keys for decrypting.
 // If config is nil, sensible defaults will be used.
 func ReadMessage(r io.Reader, keyring KeyRing, prompt PromptFunction, config *packet.Config) (md *MessageDetails, err error) {
 	var p packet.Packet
 	var symKeys []*packet.SymmetricKeyEncrypted
 	var pubKeys []keyEnvelopePair
 	// Integrity protected encrypted packet: SymmetricallyEncrypted or AEADEncrypted
 	var edp packet.EncryptedDataPacket
 	packets := packet.NewReader(r)
 	md = new(MessageDetails)
 	md.IsEncrypted = true
 	// The message, if encrypted, starts with a number of packets
 	// containing an encrypted decryption key. The decryption key is either
 	// encrypted to a public key, or with a passphrase. This loop
 	// collects these packets.
 ParsePackets:
 	for {
 		p, err = packets.Next()
 		if err != nil {
 			return nil, err
 		}
 		switch p := p.(type) {
 		case *packet.SymmetricKeyEncrypted:
 			// This packet contains the decryption key encrypted with a passphrase.
 			md.IsSymmetricallyEncrypted = true
 			symKeys = append(symKeys, p)
 		case *packet.EncryptedKey:
 			// This packet contains the decryption key encrypted to a public key.
 			md.EncryptedToKeyIds = append(md.EncryptedToKeyIds, p.KeyId)
 			switch p.Algo {
 			case packet.PubKeyAlgoRSA, packet.PubKeyAlgoRSAEncryptOnly, packet.PubKeyAlgoElGamal, packet.PubKeyAlgoECDH, packet.PubKeyAlgoX25519, packet.PubKeyAlgoX448:
 				break
 			default:
 				continue
 			}
 			if keyring != nil {
 				var keys []Key
 				if p.KeyId == 0 {
 					keys = keyring.DecryptionKeys()
 				} else {
 					keys = keyring.KeysById(p.KeyId)
 				}
 				for _, k := range keys {
 					pubKeys = append(pubKeys, keyEnvelopePair{k, p})
 				}
 			}
 		case *packet.SymmetricallyEncrypted:
 			if !p.IntegrityProtected && !config.AllowUnauthenticatedMessages() {
 				return nil, errors.UnsupportedError("message is not integrity protected")
 			}
 			edp = p
 			break ParsePackets
 		case *packet.AEADEncrypted:
 			edp = p
 			break ParsePackets
 		case *packet.Compressed, *packet.LiteralData, *packet.OnePassSignature:
 			// This message isn't encrypted.
 			if len(symKeys) != 0 || len(pubKeys) != 0 {
 				return nil, errors.StructuralError("key material not followed by encrypted message")
 			}
 			packets.Unread(p)
 			return readSignedMessage(packets, nil, keyring, config)
 		}
 	}
 	var candidates []Key
 	var decrypted io.ReadCloser
 	// Now that we have the list of encrypted keys we need to decrypt at
 	// least one of them or, if we cannot, we need to call the prompt
 	// function so that it can decrypt a key or give us a passphrase.
 FindKey:
 	for {
 		// See if any of the keys already have a private key available
 		candidates = candidates[:0]
 		candidateFingerprints := make(map[string]bool)
 		for _, pk := range pubKeys {
 			if pk.key.PrivateKey == nil {
 				continue
 			}
 			if !pk.key.PrivateKey.Encrypted {
 				if len(pk.encryptedKey.Key) == 0 {
 					errDec := pk.encryptedKey.Decrypt(pk.key.PrivateKey, config)
 					if errDec != nil {
 						continue
 					}
 				}
 				// Try to decrypt symmetrically encrypted
 				decrypted, err = edp.Decrypt(pk.encryptedKey.CipherFunc, pk.encryptedKey.Key)
 				if err != nil && err != errors.ErrKeyIncorrect {
 					return nil, err
 				}
 				if decrypted != nil {
 					md.DecryptedWith = pk.key
 					break FindKey
 				}
 			} else {
 				fpr := string(pk.key.PublicKey.Fingerprint[:])
 				if v := candidateFingerprints[fpr]; v {
 					continue
 				}
 				candidates = append(candidates, pk.key)
 				candidateFingerprints[fpr] = true
 			}
 		}
 		if len(candidates) == 0 && len(symKeys) == 0 {
 			return nil, errors.ErrKeyIncorrect
 		}
 		if prompt == nil {
 			return nil, errors.ErrKeyIncorrect
 		}
 		passphrase, err := prompt(candidates, len(symKeys) != 0)
 		if err != nil {
 			return nil, err
 		}
 		// Try the symmetric passphrase first
 		if len(symKeys) != 0 && passphrase != nil {
 			for _, s := range symKeys {
 				key, cipherFunc, err := s.Decrypt(passphrase)
 				// In v4, on wrong passphrase, session key decryption is very likely to result in an invalid cipherFunc:
 				// only for < 5% of cases we will proceed to decrypt the data
 				if err == nil {
 					decrypted, err = edp.Decrypt(cipherFunc, key)
 					if err != nil {
 						return nil, err
 					}
 					if decrypted != nil {
 						break FindKey
 					}
 				}
 			}
 		}
 	}
 	md.decrypted = decrypted
 	if err := packets.Push(decrypted); err != nil {
 		return nil, err
 	}
 	mdFinal, sensitiveParsingErr := readSignedMessage(packets, md, keyring, config)
 	if sensitiveParsingErr != nil {
 		return nil, errors.HandleSensitiveParsingError(sensitiveParsingErr, md.decrypted != nil)
 	}
 	return mdFinal, nil
 }
 // readSignedMessage reads a possibly signed message if mdin is non-zero then
 // that structure is updated and returned. Otherwise a fresh MessageDetails is
 // used.
 func readSignedMessage(packets *packet.Reader, mdin *MessageDetails, keyring KeyRing, config *packet.Config) (md *MessageDetails, err error) {
 	if mdin == nil {
 		mdin = new(MessageDetails)
 	}
 	md = mdin
 	var p packet.Packet
 	var h hash.Hash
 	var wrappedHash hash.Hash
 	var prevLast bool
 FindLiteralData:
 	for {
 		p, err = packets.Next()
 		if err != nil {
 			return nil, err
 		}
 		switch p := p.(type) {
 		case *packet.Compressed:
 			if err := packets.Push(p.LimitedBodyReader(config.DecompressedMessageSizeLimit())); err != nil {
 				return nil, err
 			}
 		case *packet.OnePassSignature:
 			if prevLast {
 				return nil, errors.UnsupportedError("nested signature packets")
 			}
 			if p.IsLast {
 				prevLast = true
 			}
 			h, wrappedHash, err = hashForSignature(p.Hash, p.SigType, p.Salt)
 			if err != nil {
 				md.SignatureError = err
 			}
 			md.IsSigned = true
 			if p.Version == 6 {
 				md.SignedByFingerprint = p.KeyFingerprint
 			}
 			md.SignedByKeyId = p.KeyId
 			if keyring != nil {
 				keys := keyring.KeysByIdUsage(p.KeyId, packet.KeyFlagSign)
 				if len(keys) > 0 {
 					md.SignedBy = &keys[0]
 				}
 			}
 		case *packet.LiteralData:
 			md.LiteralData = p
 			break FindLiteralData
 		}
 	}
 	if md.IsSigned && md.SignatureError == nil {
 		md.UnverifiedBody = &signatureCheckReader{packets, h, wrappedHash, md, config}
 	} else if md.decrypted != nil {
 		md.UnverifiedBody = &checkReader{md, false}
 	} else {
 		md.UnverifiedBody = md.LiteralData.Body
 	}
 	return md, nil
 }
 func wrapHashForSignature(hashFunc hash.Hash, sigType packet.SignatureType) (hash.Hash, error) {
 	switch sigType {
 	case packet.SigTypeBinary:
 		return hashFunc, nil
 	case packet.SigTypeText:
 		return NewCanonicalTextHash(hashFunc), nil
 	}
 	return nil, errors.UnsupportedError("unsupported signature type: " + strconv.Itoa(int(sigType)))
 }
 // hashForSignature returns a pair of hashes that can be used to verify a
 // signature. The signature may specify that the contents of the signed message
 // should be preprocessed (i.e. to normalize line endings). Thus this function
 // returns two hashes. The second should be used to hash the message itself and
 // performs any needed preprocessing.
 func hashForSignature(hashFunc crypto.Hash, sigType packet.SignatureType, sigSalt []byte) (hash.Hash, hash.Hash, error) {
 	if _, ok := algorithm.HashToHashIdWithSha1(hashFunc); !ok {
 		return nil, nil, errors.UnsupportedError("unsupported hash function")
 	}
 	if !hashFunc.Available() {
 		return nil, nil, errors.UnsupportedError("hash not available: " + strconv.Itoa(int(hashFunc)))
 	}
 	h := hashFunc.New()
 	if sigSalt != nil {
 		h.Write(sigSalt)
 	}
 	wrappedHash, err := wrapHashForSignature(h, sigType)
 	if err != nil {
 		return nil, nil, err
 	}
 	switch sigType {
 	case packet.SigTypeBinary:
 		return h, wrappedHash, nil
 	case packet.SigTypeText:
 		return h, wrappedHash, nil
 	}
 	return nil, nil, errors.UnsupportedError("unsupported signature type: " + strconv.Itoa(int(sigType)))
 }
 // checkReader wraps an io.Reader from a LiteralData packet. When it sees EOF
 // it closes the ReadCloser from any SymmetricallyEncrypted packet to trigger
 // MDC checks.
 type checkReader struct {
 	md      *MessageDetails
 	checked bool
 }
 func (cr *checkReader) Read(buf []byte) (int, error) {
 	n, sensitiveParsingError := cr.md.LiteralData.Body.Read(buf)
 	if sensitiveParsingError == io.EOF {
 		if cr.checked {
 			// Only check once
 			return n, io.EOF
 		}
 		mdcErr := cr.md.decrypted.Close()
 		if mdcErr != nil {
 			return n, mdcErr
 		}
 		cr.checked = true
 		return n, io.EOF
 	}
 	if sensitiveParsingError != nil {
 		return n, errors.HandleSensitiveParsingError(sensitiveParsingError, true)
 	}
 	return n, nil
 }
 // signatureCheckReader wraps an io.Reader from a LiteralData packet and hashes
 // the data as it is read. When it sees an EOF from the underlying io.Reader
 // it parses and checks a trailing Signature packet and triggers any MDC checks.
 type signatureCheckReader struct {
 	packets        *packet.Reader
 	h, wrappedHash hash.Hash
 	md             *MessageDetails
 	config         *packet.Config
 }
 func (scr *signatureCheckReader) Read(buf []byte) (int, error) {
 	n, sensitiveParsingError := scr.md.LiteralData.Body.Read(buf)
 	// Hash only if required
 	if scr.md.SignedBy != nil {
 		scr.wrappedHash.Write(buf[:n])
 	}
 	readsDecryptedData := scr.md.decrypted != nil
 	if sensitiveParsingError == io.EOF {
 		var p packet.Packet
 		var readError error
 		var sig *packet.Signature
 		p, readError = scr.packets.Next()
 		for readError == nil {
 			var ok bool
 			if sig, ok = p.(*packet.Signature); ok {
 				if sig.Version == 5 && (sig.SigType == 0x00 || sig.SigType == 0x01) {
 					sig.Metadata = scr.md.LiteralData
 				}
 				// If signature KeyID matches
 				if scr.md.SignedBy != nil && *sig.IssuerKeyId == scr.md.SignedByKeyId {
 					key := scr.md.SignedBy
 					signatureError := key.PublicKey.VerifySignature(scr.h, sig)
 					if signatureError == nil {
 						signatureError = checkMessageSignatureDetails(key, sig, scr.config)
 					}
 					scr.md.Signature = sig
 					scr.md.SignatureError = signatureError
 				} else {
 					scr.md.UnverifiedSignatures = append(scr.md.UnverifiedSignatures, sig)
 				}
 			}
 			p, readError = scr.packets.Next()
 		}
 		if scr.md.SignedBy != nil && scr.md.Signature == nil {
 			if scr.md.UnverifiedSignatures == nil {
 				scr.md.SignatureError = errors.StructuralError("LiteralData not followed by signature")
 			} else {
 				scr.md.SignatureError = errors.StructuralError("No matching signature found")
 			}
 		}
 		// The SymmetricallyEncrypted packet, if any, might have an
 		// unsigned hash of its own. In order to check this we need to
 		// close that Reader.
 		if scr.md.decrypted != nil {
 			if sensitiveParsingError := scr.md.decrypted.Close(); sensitiveParsingError != nil {
 				return n, errors.HandleSensitiveParsingError(sensitiveParsingError, true)
 			}
 		}
 		return n, io.EOF
 	}
 	if sensitiveParsingError != nil {
 		return n, errors.HandleSensitiveParsingError(sensitiveParsingError, readsDecryptedData)
 	}
 	return n, nil
 }
 // VerifyDetachedSignature takes a signed file and a detached signature and
 // returns the signature packet and the entity the signature was signed by,
 // if any, and a possible signature verification error.
 // If the signer isn't known, ErrUnknownIssuer is returned.
 func VerifyDetachedSignature(keyring KeyRing, signed, signature io.Reader, config *packet.Config) (sig *packet.Signature, signer *Entity, err error) {
 	return verifyDetachedSignature(keyring, signed, signature, nil, false, config)
 }
 // VerifyDetachedSignatureAndHash performs the same actions as
 // VerifyDetachedSignature and checks that the expected hash functions were used.
 func VerifyDetachedSignatureAndHash(keyring KeyRing, signed, signature io.Reader, expectedHashes []crypto.Hash, config *packet.Config) (sig *packet.Signature, signer *Entity, err error) {
 	return verifyDetachedSignature(keyring, signed, signature, expectedHashes, true, config)
 }
 // CheckDetachedSignature takes a signed file and a detached signature and
 // returns the entity the signature was signed by, if any, and a possible
 // signature verification error. If the signer isn't known,
 // ErrUnknownIssuer is returned.
 func CheckDetachedSignature(keyring KeyRing, signed, signature io.Reader, config *packet.Config) (signer *Entity, err error) {
 	_, signer, err = verifyDetachedSignature(keyring, signed, signature, nil, false, config)
 	return
 }
 // CheckDetachedSignatureAndHash performs the same actions as
 // CheckDetachedSignature and checks that the expected hash functions were used.
 func CheckDetachedSignatureAndHash(keyring KeyRing, signed, signature io.Reader, expectedHashes []crypto.Hash, config *packet.Config) (signer *Entity, err error) {
 	_, signer, err = verifyDetachedSignature(keyring, signed, signature, expectedHashes, true, config)
 	return
 }
 func verifyDetachedSignature(keyring KeyRing, signed, signature io.Reader, expectedHashes []crypto.Hash, checkHashes bool, config *packet.Config) (sig *packet.Signature, signer *Entity, err error) {
 	var issuerKeyId uint64
 	var hashFunc crypto.Hash
 	var sigType packet.SignatureType
 	var keys []Key
 	var p packet.Packet
 	packets := packet.NewReader(signature)
 	for {
 		p, err = packets.Next()
 		if err == io.EOF {
 			return nil, nil, errors.ErrUnknownIssuer
 		}
 		if err != nil {
 			return nil, nil, err
 		}
 		var ok bool
 		sig, ok = p.(*packet.Signature)
 		if !ok {
 			return nil, nil, errors.StructuralError("non signature packet found")
 		}
 		if sig.IssuerKeyId == nil {
 			return nil, nil, errors.StructuralError("signature doesn't have an issuer")
 		}
 		issuerKeyId = *sig.IssuerKeyId
 		hashFunc = sig.Hash
 		sigType = sig.SigType
 		if checkHashes {
 			matchFound := false
 			// check for hashes
 			for _, expectedHash := range expectedHashes {
 				if hashFunc == expectedHash {
 					matchFound = true
 					break
 				}
 			}
 			if !matchFound {
 				return nil, nil, errors.StructuralError("hash algorithm or salt mismatch with cleartext message headers")
 			}
 		}
 		keys = keyring.KeysByIdUsage(issuerKeyId, packet.KeyFlagSign)
 		if len(keys) > 0 {
 			break
 		}
 	}
 	if len(keys) == 0 {
 		panic("unreachable")
 	}
 	h, err := sig.PrepareVerify()
 	if err != nil {
 		return nil, nil, err
 	}
 	wrappedHash, err := wrapHashForSignature(h, sigType)
 	if err != nil {
 		return nil, nil, err
 	}
 	if _, err := io.Copy(wrappedHash, signed); err != nil && err != io.EOF {
 		return nil, nil, err
 	}
 	for _, key := range keys {
 		err = key.PublicKey.VerifySignature(h, sig)
 		if err == nil {
 			return sig, key.Entity, checkMessageSignatureDetails(&key, sig, config)
 		}
 	}
 	return nil, nil, err
 }
 // CheckArmoredDetachedSignature performs the same actions as
 // CheckDetachedSignature but expects the signature to be armored.
 func CheckArmoredDetachedSignature(keyring KeyRing, signed, signature io.Reader, config *packet.Config) (signer *Entity, err error) {
 	body, err := readArmored(signature, SignatureType)
 	if err != nil {
 		return
 	}
 	return CheckDetachedSignature(keyring, signed, body, config)
 }
 // checkMessageSignatureDetails returns an error if:
 //   - The signature (or one of the binding signatures mentioned below)
 //     has a unknown critical notation data subpacket
 //   - The primary key of the signing entity is revoked
 //   - The primary identity is revoked
 //   - The signature is expired
 //   - The primary key of the signing entity is expired according to the
 //     primary identity binding signature
 //
 // ... or, if the signature was signed by a subkey and:
 //   - The signing subkey is revoked
 //   - The signing subkey is expired according to the subkey binding signature
 //   - The signing subkey binding signature is expired
 //   - The signing subkey cross-signature is expired
 //
 // NOTE: The order of these checks is important, as the caller may choose to
 // ignore ErrSignatureExpired or ErrKeyExpired errors, but should never
 // ignore any other errors.
 func checkMessageSignatureDetails(key *Key, signature *packet.Signature, config *packet.Config) error {
 	now := config.Now()
 	primarySelfSignature, primaryIdentity := key.Entity.PrimarySelfSignature()
 	signedBySubKey := key.PublicKey != key.Entity.PrimaryKey
 	sigsToCheck := []*packet.Signature{signature, primarySelfSignature}
 	if signedBySubKey {
 		sigsToCheck = append(sigsToCheck, key.SelfSignature, key.SelfSignature.EmbeddedSignature)
 	}
 	for _, sig := range sigsToCheck {
 		for _, notation := range sig.Notations {
 			if notation.IsCritical && !config.KnownNotation(notation.Name) {
 				return errors.SignatureError("unknown critical notation: " + notation.Name)
 			}
 		}
 	}
 	if key.Entity.Revoked(now) || // primary key is revoked
 		(signedBySubKey && key.Revoked(now)) || // subkey is revoked
 		(primaryIdentity != nil && primaryIdentity.Revoked(now)) { // primary identity is revoked for v4
 		return errors.ErrKeyRevoked
 	}
 	if key.Entity.PrimaryKey.KeyExpired(primarySelfSignature, now) { // primary key is expired
 		return errors.ErrKeyExpired
 	}
 	if signedBySubKey {
 		if key.PublicKey.KeyExpired(key.SelfSignature, now) { // subkey is expired
 			return errors.ErrKeyExpired
 		}
 	}
 	for _, sig := range sigsToCheck {
 		if sig.SigExpired(now) { // any of the relevant signatures are expired
 			return errors.ErrSignatureExpired
 		}
 	}
 	return nil
 }
@@ -0,0 +1,436 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package s2k implements the various OpenPGP string-to-key transforms as
 // specified in RFC 4800 section 3.7.1, and Argon2 specified in
 // draft-ietf-openpgp-crypto-refresh-08 section 3.7.1.4.
 package s2k // import "github.com/ProtonMail/go-crypto/openpgp/s2k"
 import (
 	"crypto"
 	"hash"
 	"io"
 	"strconv"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/algorithm"
 	"golang.org/x/crypto/argon2"
 )
 type Mode uint8
 // Defines the default S2KMode constants
 //
 //	0 (simple), 1(salted), 3(iterated), 4(argon2)
 const (
 	SimpleS2K         Mode = 0
 	SaltedS2K         Mode = 1
 	IteratedSaltedS2K Mode = 3
 	Argon2S2K         Mode = 4
 	GnuS2K            Mode = 101
 )
 const Argon2SaltSize int = 16
 // Params contains all the parameters of the s2k packet
 type Params struct {
 	// mode is the mode of s2k function.
 	// It can be 0 (simple), 1(salted), 3(iterated)
 	// 2(reserved) 100-110(private/experimental).
 	mode Mode
 	// hashId is the ID of the hash function used in any of the modes
 	hashId byte
 	// salt is a byte array to use as a salt in hashing process or argon2
 	saltBytes [Argon2SaltSize]byte
 	// countByte is used to determine how many rounds of hashing are to
 	// be performed in s2k mode 3. See RFC 4880 Section 3.7.1.3.
 	countByte byte
 	// passes is a parameter in Argon2 to determine the number of iterations
 	// See RFC the crypto refresh Section 3.7.1.4.
 	passes byte
 	// parallelism is a parameter in Argon2 to determine the degree of paralellism
 	// See RFC the crypto refresh Section 3.7.1.4.
 	parallelism byte
 	// memoryExp is a parameter in Argon2 to determine the memory usage
 	// i.e., 2 ** memoryExp kibibytes
 	// See RFC the crypto refresh Section 3.7.1.4.
 	memoryExp byte
 }
 // encodeCount converts an iterative "count" in the range 1024 to
 // 65011712, inclusive, to an encoded count. The return value is the
 // octet that is actually stored in the GPG file. encodeCount panics
 // if i is not in the above range (encodedCount above takes care to
 // pass i in the correct range). See RFC 4880 Section 3.7.7.1.
 func encodeCount(i int) uint8 {
 	if i < 65536 || i > 65011712 {
 		panic("count arg i outside the required range")
 	}
 	for encoded := 96; encoded < 256; encoded++ {
 		count := decodeCount(uint8(encoded))
 		if count >= i {
 			return uint8(encoded)
 		}
 	}
 	return 255
 }
 // decodeCount returns the s2k mode 3 iterative "count" corresponding to
 // the encoded octet c.
 func decodeCount(c uint8) int {
 	return (16 + int(c&15)) << (uint32(c>>4) + 6)
 }
 // encodeMemory converts the Argon2 "memory" in the range parallelism*8 to
 // 2**31, inclusive, to an encoded memory. The return value is the
 // octet that is actually stored in the GPG file. encodeMemory panics
 // if is not in the above range
 // See OpenPGP crypto refresh Section 3.7.1.4.
 func encodeMemory(memory uint32, parallelism uint8) uint8 {
 	if memory < (8*uint32(parallelism)) || memory > uint32(2147483648) {
 		panic("Memory argument memory is outside the required range")
 	}
 	for exp := 3; exp < 31; exp++ {
 		compare := decodeMemory(uint8(exp))
 		if compare >= memory {
 			return uint8(exp)
 		}
 	}
 	return 31
 }
 // decodeMemory computes the decoded memory in kibibytes as 2**memoryExponent
 func decodeMemory(memoryExponent uint8) uint32 {
 	return uint32(1) << memoryExponent
 }
 // Simple writes to out the result of computing the Simple S2K function (RFC
 // 4880, section 3.7.1.1) using the given hash and input passphrase.
 func Simple(out []byte, h hash.Hash, in []byte) {
 	Salted(out, h, in, nil)
 }
 var zero [1]byte
 // Salted writes to out the result of computing the Salted S2K function (RFC
 // 4880, section 3.7.1.2) using the given hash, input passphrase and salt.
 func Salted(out []byte, h hash.Hash, in []byte, salt []byte) {
 	done := 0
 	var digest []byte
 	for i := 0; done < len(out); i++ {
 		h.Reset()
 		for j := 0; j < i; j++ {
 			h.Write(zero[:])
 		}
 		h.Write(salt)
 		h.Write(in)
 		digest = h.Sum(digest[:0])
 		n := copy(out[done:], digest)
 		done += n
 	}
 }
 // Iterated writes to out the result of computing the Iterated and Salted S2K
 // function (RFC 4880, section 3.7.1.3) using the given hash, input passphrase,
 // salt and iteration count.
 func Iterated(out []byte, h hash.Hash, in []byte, salt []byte, count int) {
 	combined := make([]byte, len(in)+len(salt))
 	copy(combined, salt)
 	copy(combined[len(salt):], in)
 	if count < len(combined) {
 		count = len(combined)
 	}
 	done := 0
 	var digest []byte
 	for i := 0; done < len(out); i++ {
 		h.Reset()
 		for j := 0; j < i; j++ {
 			h.Write(zero[:])
 		}
 		written := 0
 		for written < count {
 			if written+len(combined) > count {
 				todo := count - written
 				h.Write(combined[:todo])
 				written = count
 			} else {
 				h.Write(combined)
 				written += len(combined)
 			}
 		}
 		digest = h.Sum(digest[:0])
 		n := copy(out[done:], digest)
 		done += n
 	}
 }
 // Argon2 writes to out the key derived from the password (in) with the Argon2
 // function (the crypto refresh, section 3.7.1.4)
 func Argon2(out []byte, in []byte, salt []byte, passes uint8, paralellism uint8, memoryExp uint8) {
 	key := argon2.IDKey(in, salt, uint32(passes), decodeMemory(memoryExp), paralellism, uint32(len(out)))
 	copy(out[:], key)
 }
 // Generate generates valid parameters from given configuration.
 // It will enforce the Iterated and Salted or Argon2 S2K method.
 func Generate(rand io.Reader, c *Config) (*Params, error) {
 	var params *Params
 	if c != nil && c.Mode() == Argon2S2K {
 		// handle Argon2 case
 		argonConfig := c.Argon2()
 		params = &Params{
 			mode:        Argon2S2K,
 			passes:      argonConfig.Passes(),
 			parallelism: argonConfig.Parallelism(),
 			memoryExp:   argonConfig.EncodedMemory(),
 		}
 	} else if c != nil && c.PassphraseIsHighEntropy && c.Mode() == SaltedS2K { // Allow SaltedS2K if PassphraseIsHighEntropy
 		hashId, ok := algorithm.HashToHashId(c.hash())
 		if !ok {
 			return nil, errors.UnsupportedError("no such hash")
 		}
 		params = &Params{
 			mode:   SaltedS2K,
 			hashId: hashId,
 		}
 	} else { // Enforce IteratedSaltedS2K method otherwise
 		hashId, ok := algorithm.HashToHashId(c.hash())
 		if !ok {
 			return nil, errors.UnsupportedError("no such hash")
 		}
 		if c != nil {
 			c.S2KMode = IteratedSaltedS2K
 		}
 		params = &Params{
 			mode:      IteratedSaltedS2K,
 			hashId:    hashId,
 			countByte: c.EncodedCount(),
 		}
 	}
 	if _, err := io.ReadFull(rand, params.salt()); err != nil {
 		return nil, err
 	}
 	return params, nil
 }
 // Parse reads a binary specification for a string-to-key transformation from r
 // and returns a function which performs that transform. If the S2K is a special
 // GNU extension that indicates that the private key is missing, then the error
 // returned is errors.ErrDummyPrivateKey.
 func Parse(r io.Reader) (f func(out, in []byte), err error) {
 	params, err := ParseIntoParams(r)
 	if err != nil {
 		return nil, err
 	}
 	return params.Function()
 }
 // ParseIntoParams reads a binary specification for a string-to-key
 // transformation from r and returns a struct describing the s2k parameters.
 func ParseIntoParams(r io.Reader) (params *Params, err error) {
 	var buf [Argon2SaltSize + 3]byte
 	_, err = io.ReadFull(r, buf[:1])
 	if err != nil {
 		return
 	}
 	params = &Params{
 		mode: Mode(buf[0]),
 	}
 	switch params.mode {
 	case SimpleS2K:
 		_, err = io.ReadFull(r, buf[:1])
 		if err != nil {
 			return nil, err
 		}
 		params.hashId = buf[0]
 		return params, nil
 	case SaltedS2K:
 		_, err = io.ReadFull(r, buf[:9])
 		if err != nil {
 			return nil, err
 		}
 		params.hashId = buf[0]
 		copy(params.salt(), buf[1:9])
 		return params, nil
 	case IteratedSaltedS2K:
 		_, err = io.ReadFull(r, buf[:10])
 		if err != nil {
 			return nil, err
 		}
 		params.hashId = buf[0]
 		copy(params.salt(), buf[1:9])
 		params.countByte = buf[9]
 		return params, nil
 	case Argon2S2K:
 		_, err = io.ReadFull(r, buf[:Argon2SaltSize+3])
 		if err != nil {
 			return nil, err
 		}
 		copy(params.salt(), buf[:Argon2SaltSize])
 		params.passes = buf[Argon2SaltSize]
 		params.parallelism = buf[Argon2SaltSize+1]
 		params.memoryExp = buf[Argon2SaltSize+2]
 		if err := validateArgon2Params(params); err != nil {
 			return nil, err
 		}
 		return params, nil
 	case GnuS2K:
 		// This is a GNU extension. See
 		// https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS;h=fe55ae16ab4e26d8356dc574c9e8bc935e71aef1;hb=23191d7851eae2217ecdac6484349849a24fd94a#l1109
 		if _, err = io.ReadFull(r, buf[:5]); err != nil {
 			return nil, err
 		}
 		params.hashId = buf[0]
 		if buf[1] == 'G' && buf[2] == 'N' && buf[3] == 'U' && buf[4] == 1 {
 			return params, nil
 		}
 		return nil, errors.UnsupportedError("GNU S2K extension")
 	}
 	return nil, errors.UnsupportedError("S2K function")
 }
 func (params *Params) Mode() Mode {
 	return params.mode
 }
 func (params *Params) Dummy() bool {
 	return params != nil && params.mode == GnuS2K
 }
 func (params *Params) salt() []byte {
 	switch params.mode {
 	case SaltedS2K, IteratedSaltedS2K:
 		return params.saltBytes[:8]
 	case Argon2S2K:
 		return params.saltBytes[:Argon2SaltSize]
 	default:
 		return nil
 	}
 }
 func (params *Params) Function() (f func(out, in []byte), err error) {
 	if params.Dummy() {
 		return nil, errors.ErrDummyPrivateKey("dummy key found")
 	}
 	var hashObj crypto.Hash
 	if params.mode != Argon2S2K {
 		var ok bool
 		hashObj, ok = algorithm.HashIdToHashWithSha1(params.hashId)
 		if !ok {
 			return nil, errors.UnsupportedError("hash for S2K function: " + strconv.Itoa(int(params.hashId)))
 		}
 		if !hashObj.Available() {
 			return nil, errors.UnsupportedError("hash not available: " + strconv.Itoa(int(hashObj)))
 		}
 	}
 	switch params.mode {
 	case SimpleS2K:
 		f := func(out, in []byte) {
 			Simple(out, hashObj.New(), in)
 		}
 		return f, nil
 	case SaltedS2K:
 		f := func(out, in []byte) {
 			Salted(out, hashObj.New(), in, params.salt())
 		}
 		return f, nil
 	case IteratedSaltedS2K:
 		f := func(out, in []byte) {
 			Iterated(out, hashObj.New(), in, params.salt(), decodeCount(params.countByte))
 		}
 		return f, nil
 	case Argon2S2K:
 		f := func(out, in []byte) {
 			Argon2(out, in, params.salt(), params.passes, params.parallelism, params.memoryExp)
 		}
 		return f, nil
 	}
 	return nil, errors.UnsupportedError("S2K function")
 }
 func (params *Params) Serialize(w io.Writer) (err error) {
 	if _, err = w.Write([]byte{uint8(params.mode)}); err != nil {
 		return
 	}
 	if params.mode != Argon2S2K {
 		if _, err = w.Write([]byte{params.hashId}); err != nil {
 			return
 		}
 	}
 	if params.Dummy() {
 		_, err = w.Write(append([]byte("GNU"), 1))
 		return
 	}
 	if params.mode > 0 {
 		if _, err = w.Write(params.salt()); err != nil {
 			return
 		}
 		if params.mode == IteratedSaltedS2K {
 			_, err = w.Write([]byte{params.countByte})
 		}
 		if params.mode == Argon2S2K {
 			_, err = w.Write([]byte{params.passes, params.parallelism, params.memoryExp})
 		}
 	}
 	return
 }
 // Serialize salts and stretches the given passphrase and writes the
 // resulting key into key. It also serializes an S2K descriptor to
 // w. The key stretching can be configured with c, which may be
 // nil. In that case, sensible defaults will be used.
 func Serialize(w io.Writer, key []byte, rand io.Reader, passphrase []byte, c *Config) error {
 	params, err := Generate(rand, c)
 	if err != nil {
 		return err
 	}
 	err = params.Serialize(w)
 	if err != nil {
 		return err
 	}
 	f, err := params.Function()
 	if err != nil {
 		return err
 	}
 	f(key, passphrase)
 	return nil
 }
 // validateArgon2Params checks that the argon2 parameters are valid according to RFC9580.
 func validateArgon2Params(params *Params) error {
 	// The number of passes t and the degree of parallelism p MUST be non-zero.
 	if params.parallelism == 0 {
 		return errors.StructuralError("invalid argon2 params: parallelism is 0")
 	}
 	if params.passes == 0 {
 		return errors.StructuralError("invalid argon2 params: iterations is 0")
 	}
 	// The encoded memory size MUST be a value from 3+ceil(log2(p)) to 31,
 	// such that the decoded memory size m is a value from 8*p to 2^31.
 	if params.memoryExp > 31 || decodeMemory(params.memoryExp) < 8*uint32(params.parallelism) {
 		return errors.StructuralError("invalid argon2 params: memory is out of bounds")
 	}
 	return nil
 }
@@ -0,0 +1,26 @@
 package s2k
 // Cache stores keys derived with s2k functions from one passphrase
 // to avoid recomputation if multiple items are encrypted with
 // the same parameters.
 type Cache map[Params][]byte
 // GetOrComputeDerivedKey tries to retrieve the key
 // for the given s2k parameters from the cache.
 // If there is no hit, it derives the key with the s2k function from the passphrase,
 // updates the cache, and returns the key.
 func (c *Cache) GetOrComputeDerivedKey(passphrase []byte, params *Params, expectedKeySize int) ([]byte, error) {
 	key, found := (*c)[*params]
 	if !found || len(key) != expectedKeySize {
 		var err error
 		derivedKey := make([]byte, expectedKeySize)
 		s2k, err := params.Function()
 		if err != nil {
 			return nil, err
 		}
 		s2k(derivedKey, passphrase)
 		(*c)[*params] = key
 		return derivedKey, nil
 	}
 	return key, nil
 }
@@ -0,0 +1,129 @@
 package s2k
 import "crypto"
 // Config collects configuration parameters for s2k key-stretching
 // transformations. A nil *Config is valid and results in all default
 // values.
 type Config struct {
 	// S2K (String to Key) mode, used for key derivation in the context of secret key encryption
 	// and passphrase-encrypted data. Either s2k.Argon2S2K or s2k.IteratedSaltedS2K may be used.
 	// If the passphrase is a high-entropy key, indicated by setting PassphraseIsHighEntropy to true,
 	// s2k.SaltedS2K can also be used.
 	// Note: Argon2 is the strongest option but not all OpenPGP implementations are compatible with it
 	//(pending standardisation).
 	// 0 (simple), 1(salted), 3(iterated), 4(argon2)
 	// 2(reserved) 100-110(private/experimental).
 	S2KMode Mode
 	// Only relevant if S2KMode is not set to s2k.Argon2S2K.
 	// Hash is the default hash function to be used. If
 	// nil, SHA256 is used.
 	Hash crypto.Hash
 	// Argon2 parameters for S2K (String to Key).
 	// Only relevant if S2KMode is set to s2k.Argon2S2K.
 	// If nil, default parameters are used.
 	// For more details on the choice of parameters, see https://tools.ietf.org/html/rfc9106#section-4.
 	Argon2Config *Argon2Config
 	// Only relevant if S2KMode is set to s2k.IteratedSaltedS2K.
 	// Iteration count for Iterated S2K (String to Key). It
 	// determines the strength of the passphrase stretching when
 	// the said passphrase is hashed to produce a key. S2KCount
 	// should be between 65536 and 65011712, inclusive. If Config
 	// is nil or S2KCount is 0, the value 16777216 used. Not all
 	// values in the above range can be represented. S2KCount will
 	// be rounded up to the next representable value if it cannot
 	// be encoded exactly. When set, it is strongly encrouraged to
 	// use a value that is at least 65536. See RFC 4880 Section
 	// 3.7.1.3.
 	S2KCount int
 	// Indicates whether the passphrase passed by the application is a
 	// high-entropy key (e.g. it's randomly generated or derived from
 	// another passphrase using a strong key derivation function).
 	// When true, allows the S2KMode to be s2k.SaltedS2K.
 	// When the passphrase is not a high-entropy key, using SaltedS2K is
 	// insecure, and not allowed by draft-ietf-openpgp-crypto-refresh-08.
 	PassphraseIsHighEntropy bool
 }
 // Argon2Config stores the Argon2 parameters
 // A nil *Argon2Config is valid and results in all default
 type Argon2Config struct {
 	NumberOfPasses      uint8
 	DegreeOfParallelism uint8
 	// Memory specifies the desired Argon2 memory usage in kibibytes.
 	// For example memory=64*1024 sets the memory cost to ~64 MB.
 	Memory uint32
 }
 func (c *Config) Mode() Mode {
 	if c == nil {
 		return IteratedSaltedS2K
 	}
 	return c.S2KMode
 }
 func (c *Config) hash() crypto.Hash {
 	if c == nil || uint(c.Hash) == 0 {
 		return crypto.SHA256
 	}
 	return c.Hash
 }
 func (c *Config) Argon2() *Argon2Config {
 	if c == nil || c.Argon2Config == nil {
 		return nil
 	}
 	return c.Argon2Config
 }
 // EncodedCount get encoded count
 func (c *Config) EncodedCount() uint8 {
 	if c == nil || c.S2KCount == 0 {
 		return 224 // The common case. Corresponding to 16777216
 	}
 	i := c.S2KCount
 	switch {
 	case i < 65536:
 		i = 65536
 	case i > 65011712:
 		i = 65011712
 	}
 	return encodeCount(i)
 }
 func (c *Argon2Config) Passes() uint8 {
 	if c == nil || c.NumberOfPasses == 0 {
 		return 3
 	}
 	return c.NumberOfPasses
 }
 func (c *Argon2Config) Parallelism() uint8 {
 	if c == nil || c.DegreeOfParallelism == 0 {
 		return 4
 	}
 	return c.DegreeOfParallelism
 }
 func (c *Argon2Config) EncodedMemory() uint8 {
 	if c == nil || c.Memory == 0 {
 		return 16 // 64 MiB of RAM
 	}
 	memory := c.Memory
 	lowerBound := uint32(c.Parallelism()) * 8
 	upperBound := uint32(2147483648)
 	switch {
 	case memory < lowerBound:
 		memory = lowerBound
 	case memory > upperBound:
 		memory = upperBound
 	}
 	return encodeMemory(memory, c.Parallelism())
 }
@@ -0,0 +1,690 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package openpgp
 import (
 	"crypto"
 	"hash"
 	"io"
 	"strconv"
 	"time"
 	"github.com/ProtonMail/go-crypto/openpgp/armor"
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/algorithm"
 	"github.com/ProtonMail/go-crypto/openpgp/packet"
 )
 // DetachSign signs message with the private key from signer (which must
 // already have been decrypted) and writes the signature to w.
 // If config is nil, sensible defaults will be used.
 func DetachSign(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error {
 	return detachSign(w, signer, message, packet.SigTypeBinary, config)
 }
 // ArmoredDetachSign signs message with the private key from signer (which
 // must already have been decrypted) and writes an armored signature to w.
 // If config is nil, sensible defaults will be used.
 func ArmoredDetachSign(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) (err error) {
 	return armoredDetachSign(w, signer, message, packet.SigTypeBinary, config)
 }
 // DetachSignText signs message (after canonicalising the line endings) with
 // the private key from signer (which must already have been decrypted) and
 // writes the signature to w.
 // If config is nil, sensible defaults will be used.
 func DetachSignText(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error {
 	return detachSign(w, signer, message, packet.SigTypeText, config)
 }
 // ArmoredDetachSignText signs message (after canonicalising the line endings)
 // with the private key from signer (which must already have been decrypted)
 // and writes an armored signature to w.
 // If config is nil, sensible defaults will be used.
 func ArmoredDetachSignText(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error {
 	return armoredDetachSign(w, signer, message, packet.SigTypeText, config)
 }
 func armoredDetachSign(w io.Writer, signer *Entity, message io.Reader, sigType packet.SignatureType, config *packet.Config) (err error) {
 	out, err := armor.Encode(w, SignatureType, nil)
 	if err != nil {
 		return
 	}
 	err = detachSign(out, signer, message, sigType, config)
 	if err != nil {
 		return
 	}
 	return out.Close()
 }
 func detachSign(w io.Writer, signer *Entity, message io.Reader, sigType packet.SignatureType, config *packet.Config) (err error) {
 	signingKey, ok := signer.SigningKeyById(config.Now(), config.SigningKey())
 	if !ok {
 		return errors.InvalidArgumentError("no valid signing keys")
 	}
 	if signingKey.PrivateKey == nil {
 		return errors.InvalidArgumentError("signing key doesn't have a private key")
 	}
 	if signingKey.PrivateKey.Encrypted {
 		return errors.InvalidArgumentError("signing key is encrypted")
 	}
 	if _, ok := algorithm.HashToHashId(config.Hash()); !ok {
 		return errors.InvalidArgumentError("invalid hash function")
 	}
 	sig := createSignaturePacket(signingKey.PublicKey, sigType, config)
 	h, err := sig.PrepareSign(config)
 	if err != nil {
 		return
 	}
 	wrappedHash, err := wrapHashForSignature(h, sig.SigType)
 	if err != nil {
 		return
 	}
 	if _, err = io.Copy(wrappedHash, message); err != nil {
 		return err
 	}
 	err = sig.Sign(h, signingKey.PrivateKey, config)
 	if err != nil {
 		return
 	}
 	return sig.Serialize(w)
 }
 // FileHints contains metadata about encrypted files. This metadata is, itself,
 // encrypted.
 type FileHints struct {
 	// IsBinary can be set to hint that the contents are binary data.
 	IsBinary bool
 	// FileName hints at the name of the file that should be written. It's
 	// truncated to 255 bytes if longer. It may be empty to suggest that the
 	// file should not be written to disk. It may be equal to "_CONSOLE" to
 	// suggest the data should not be written to disk.
 	FileName string
 	// ModTime contains the modification time of the file, or the zero time if not applicable.
 	ModTime time.Time
 }
 // SymmetricallyEncrypt acts like gpg -c: it encrypts a file with a passphrase.
 // The resulting WriteCloser must be closed after the contents of the file have
 // been written.
 // If config is nil, sensible defaults will be used.
 func SymmetricallyEncrypt(ciphertext io.Writer, passphrase []byte, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) {
 	if hints == nil {
 		hints = &FileHints{}
 	}
 	key, err := packet.SerializeSymmetricKeyEncrypted(ciphertext, passphrase, config)
 	if err != nil {
 		return
 	}
 	var w io.WriteCloser
 	cipherSuite := packet.CipherSuite{
 		Cipher: config.Cipher(),
 		Mode:   config.AEAD().Mode(),
 	}
 	w, err = packet.SerializeSymmetricallyEncrypted(ciphertext, config.Cipher(), config.AEAD() != nil, cipherSuite, key, config)
 	if err != nil {
 		return
 	}
 	literalData := w
 	if algo := config.Compression(); algo != packet.CompressionNone {
 		var compConfig *packet.CompressionConfig
 		if config != nil {
 			compConfig = config.CompressionConfig
 		}
 		literalData, err = packet.SerializeCompressed(w, algo, compConfig)
 		if err != nil {
 			return
 		}
 	}
 	var epochSeconds uint32
 	if !hints.ModTime.IsZero() {
 		epochSeconds = uint32(hints.ModTime.Unix())
 	}
 	return packet.SerializeLiteral(literalData, hints.IsBinary, hints.FileName, epochSeconds)
 }
 // intersectPreferences mutates and returns a prefix of a that contains only
 // the values in the intersection of a and b. The order of a is preserved.
 func intersectPreferences(a []uint8, b []uint8) (intersection []uint8) {
 	var j int
 	for _, v := range a {
 		for _, v2 := range b {
 			if v == v2 {
 				a[j] = v
 				j++
 				break
 			}
 		}
 	}
 	return a[:j]
 }
 // intersectPreferences mutates and returns a prefix of a that contains only
 // the values in the intersection of a and b. The order of a is preserved.
 func intersectCipherSuites(a [][2]uint8, b [][2]uint8) (intersection [][2]uint8) {
 	var j int
 	for _, v := range a {
 		for _, v2 := range b {
 			if v[0] == v2[0] && v[1] == v2[1] {
 				a[j] = v
 				j++
 				break
 			}
 		}
 	}
 	return a[:j]
 }
 func hashToHashId(h crypto.Hash) uint8 {
 	v, ok := algorithm.HashToHashId(h)
 	if !ok {
 		panic("tried to convert unknown hash")
 	}
 	return v
 }
 // EncryptText encrypts a message to a number of recipients and, optionally,
 // signs it. Optional information is contained in 'hints', also encrypted, that
 // aids the recipients in processing the message. The resulting WriteCloser
 // must be closed after the contents of the file have been written. If config
 // is nil, sensible defaults will be used. The signing is done in text mode.
 func EncryptText(ciphertext io.Writer, to []*Entity, signed *Entity, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) {
 	return encrypt(ciphertext, ciphertext, to, signed, hints, packet.SigTypeText, config)
 }
 // Encrypt encrypts a message to a number of recipients and, optionally, signs
 // it. hints contains optional information, that is also encrypted, that aids
 // the recipients in processing the message. The resulting WriteCloser must
 // be closed after the contents of the file have been written.
 // If config is nil, sensible defaults will be used.
 func Encrypt(ciphertext io.Writer, to []*Entity, signed *Entity, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) {
 	return encrypt(ciphertext, ciphertext, to, signed, hints, packet.SigTypeBinary, config)
 }
 // EncryptSplit encrypts a message to a number of recipients and, optionally, signs
 // it. hints contains optional information, that is also encrypted, that aids
 // the recipients in processing the message. The resulting WriteCloser must
 // be closed after the contents of the file have been written.
 // If config is nil, sensible defaults will be used.
 func EncryptSplit(keyWriter io.Writer, dataWriter io.Writer, to []*Entity, signed *Entity, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) {
 	return encrypt(keyWriter, dataWriter, to, signed, hints, packet.SigTypeBinary, config)
 }
 // EncryptTextSplit encrypts a message to a number of recipients and, optionally, signs
 // it. hints contains optional information, that is also encrypted, that aids
 // the recipients in processing the message. The resulting WriteCloser must
 // be closed after the contents of the file have been written.
 // If config is nil, sensible defaults will be used.
 func EncryptTextSplit(keyWriter io.Writer, dataWriter io.Writer, to []*Entity, signed *Entity, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) {
 	return encrypt(keyWriter, dataWriter, to, signed, hints, packet.SigTypeText, config)
 }
 // writeAndSign writes the data as a payload package and, optionally, signs
 // it. hints contains optional information, that is also encrypted,
 // that aids the recipients in processing the message. The resulting
 // WriteCloser must be closed after the contents of the file have been
 // written. If config is nil, sensible defaults will be used.
 func writeAndSign(payload io.WriteCloser, candidateHashes []uint8, signed *Entity, hints *FileHints, sigType packet.SignatureType, config *packet.Config) (plaintext io.WriteCloser, err error) {
 	var signer *packet.PrivateKey
 	if signed != nil {
 		signKey, ok := signed.SigningKeyById(config.Now(), config.SigningKey())
 		if !ok {
 			return nil, errors.InvalidArgumentError("no valid signing keys")
 		}
 		signer = signKey.PrivateKey
 		if signer == nil {
 			return nil, errors.InvalidArgumentError("no private key in signing key")
 		}
 		if signer.Encrypted {
 			return nil, errors.InvalidArgumentError("signing key must be decrypted")
 		}
 	}
 	var hash crypto.Hash
 	var salt []byte
 	if signer != nil {
 		if hash, err = selectHash(candidateHashes, config.Hash(), signer); err != nil {
 			return nil, err
 		}
 		var opsVersion = 3
 		if signer.Version == 6 {
 			opsVersion = signer.Version
 		}
 		ops := &packet.OnePassSignature{
 			Version:    opsVersion,
 			SigType:    sigType,
 			Hash:       hash,
 			PubKeyAlgo: signer.PubKeyAlgo,
 			KeyId:      signer.KeyId,
 			IsLast:     true,
 		}
 		if opsVersion == 6 {
 			ops.KeyFingerprint = signer.Fingerprint
 			salt, err = packet.SignatureSaltForHash(hash, config.Random())
 			if err != nil {
 				return nil, err
 			}
 			ops.Salt = salt
 		}
 		if err := ops.Serialize(payload); err != nil {
 			return nil, err
 		}
 	}
 	if hints == nil {
 		hints = &FileHints{}
 	}
 	w := payload
 	if signer != nil {
 		// If we need to write a signature packet after the literal
 		// data then we need to stop literalData from closing
 		// encryptedData.
 		w = noOpCloser{w}
 	}
 	var epochSeconds uint32
 	if !hints.ModTime.IsZero() {
 		epochSeconds = uint32(hints.ModTime.Unix())
 	}
 	literalData, err := packet.SerializeLiteral(w, hints.IsBinary, hints.FileName, epochSeconds)
 	if err != nil {
 		return nil, err
 	}
 	if signer != nil {
 		h, wrappedHash, err := hashForSignature(hash, sigType, salt)
 		if err != nil {
 			return nil, err
 		}
 		metadata := &packet.LiteralData{
 			Format:   'u',
 			FileName: hints.FileName,
 			Time:     epochSeconds,
 		}
 		if hints.IsBinary {
 			metadata.Format = 'b'
 		}
 		return signatureWriter{payload, literalData, hash, wrappedHash, h, salt, signer, sigType, config, metadata}, nil
 	}
 	return literalData, nil
 }
 // encrypt encrypts a message to a number of recipients and, optionally, signs
 // it. hints contains optional information, that is also encrypted, that aids
 // the recipients in processing the message. The resulting WriteCloser must
 // be closed after the contents of the file have been written.
 // If config is nil, sensible defaults will be used.
 func encrypt(keyWriter io.Writer, dataWriter io.Writer, to []*Entity, signed *Entity, hints *FileHints, sigType packet.SignatureType, config *packet.Config) (plaintext io.WriteCloser, err error) {
 	if len(to) == 0 {
 		return nil, errors.InvalidArgumentError("no encryption recipient provided")
 	}
 	// These are the possible ciphers that we'll use for the message.
 	candidateCiphers := []uint8{
 		uint8(packet.CipherAES256),
 		uint8(packet.CipherAES128),
 	}
 	// These are the possible hash functions that we'll use for the signature.
 	candidateHashes := []uint8{
 		hashToHashId(crypto.SHA256),
 		hashToHashId(crypto.SHA384),
 		hashToHashId(crypto.SHA512),
 		hashToHashId(crypto.SHA3_256),
 		hashToHashId(crypto.SHA3_512),
 	}
 	// Prefer GCM if everyone supports it
 	candidateCipherSuites := [][2]uint8{
 		{uint8(packet.CipherAES256), uint8(packet.AEADModeGCM)},
 		{uint8(packet.CipherAES256), uint8(packet.AEADModeEAX)},
 		{uint8(packet.CipherAES256), uint8(packet.AEADModeOCB)},
 		{uint8(packet.CipherAES128), uint8(packet.AEADModeGCM)},
 		{uint8(packet.CipherAES128), uint8(packet.AEADModeEAX)},
 		{uint8(packet.CipherAES128), uint8(packet.AEADModeOCB)},
 	}
 	candidateCompression := []uint8{
 		uint8(packet.CompressionNone),
 		uint8(packet.CompressionZIP),
 		uint8(packet.CompressionZLIB),
 	}
 	encryptKeys := make([]Key, len(to))
 	// AEAD is used only if config enables it and every key supports it
 	aeadSupported := config.AEAD() != nil
 	for i := range to {
 		var ok bool
 		encryptKeys[i], ok = to[i].EncryptionKey(config.Now())
 		if !ok {
 			return nil, errors.InvalidArgumentError("cannot encrypt a message to key id " + strconv.FormatUint(to[i].PrimaryKey.KeyId, 16) + " because it has no valid encryption keys")
 		}
 		primarySelfSignature, _ := to[i].PrimarySelfSignature()
 		if primarySelfSignature == nil {
 			return nil, errors.InvalidArgumentError("entity without a self-signature")
 		}
 		if !primarySelfSignature.SEIPDv2 {
 			aeadSupported = false
 		}
 		candidateCiphers = intersectPreferences(candidateCiphers, primarySelfSignature.PreferredSymmetric)
 		candidateHashes = intersectPreferences(candidateHashes, primarySelfSignature.PreferredHash)
 		candidateCipherSuites = intersectCipherSuites(candidateCipherSuites, primarySelfSignature.PreferredCipherSuites)
 		candidateCompression = intersectPreferences(candidateCompression, primarySelfSignature.PreferredCompression)
 	}
 	// In the event that the intersection of supported algorithms is empty we use the ones
 	// labelled as MUST that every implementation supports.
 	if len(candidateCiphers) == 0 {
 		// https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-9.3
 		candidateCiphers = []uint8{uint8(packet.CipherAES128)}
 	}
 	if len(candidateHashes) == 0 {
 		// https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#hash-algos
 		candidateHashes = []uint8{hashToHashId(crypto.SHA256)}
 	}
 	if len(candidateCipherSuites) == 0 {
 		// https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-9.6
 		candidateCipherSuites = [][2]uint8{{uint8(packet.CipherAES128), uint8(packet.AEADModeOCB)}}
 	}
 	cipher := packet.CipherFunction(candidateCiphers[0])
 	aeadCipherSuite := packet.CipherSuite{
 		Cipher: packet.CipherFunction(candidateCipherSuites[0][0]),
 		Mode:   packet.AEADMode(candidateCipherSuites[0][1]),
 	}
 	// If the cipher specified by config is a candidate, we'll use that.
 	configuredCipher := config.Cipher()
 	for _, c := range candidateCiphers {
 		cipherFunc := packet.CipherFunction(c)
 		if cipherFunc == configuredCipher {
 			cipher = cipherFunc
 			break
 		}
 	}
 	var symKey []byte
 	if aeadSupported {
 		symKey = make([]byte, aeadCipherSuite.Cipher.KeySize())
 	} else {
 		symKey = make([]byte, cipher.KeySize())
 	}
 	if _, err := io.ReadFull(config.Random(), symKey); err != nil {
 		return nil, err
 	}
 	for _, key := range encryptKeys {
 		if err := packet.SerializeEncryptedKeyAEAD(keyWriter, key.PublicKey, cipher, aeadSupported, symKey, config); err != nil {
 			return nil, err
 		}
 	}
 	var payload io.WriteCloser
 	payload, err = packet.SerializeSymmetricallyEncrypted(dataWriter, cipher, aeadSupported, aeadCipherSuite, symKey, config)
 	if err != nil {
 		return
 	}
 	payload, err = handleCompression(payload, candidateCompression, config)
 	if err != nil {
 		return nil, err
 	}
 	return writeAndSign(payload, candidateHashes, signed, hints, sigType, config)
 }
 // Sign signs a message. The resulting WriteCloser must be closed after the
 // contents of the file have been written.  hints contains optional information
 // that aids the recipients in processing the message.
 // If config is nil, sensible defaults will be used.
 func Sign(output io.Writer, signed *Entity, hints *FileHints, config *packet.Config) (input io.WriteCloser, err error) {
 	if signed == nil {
 		return nil, errors.InvalidArgumentError("no signer provided")
 	}
 	// These are the possible hash functions that we'll use for the signature.
 	candidateHashes := []uint8{
 		hashToHashId(crypto.SHA256),
 		hashToHashId(crypto.SHA384),
 		hashToHashId(crypto.SHA512),
 		hashToHashId(crypto.SHA3_256),
 		hashToHashId(crypto.SHA3_512),
 	}
 	defaultHashes := candidateHashes[0:1]
 	primarySelfSignature, _ := signed.PrimarySelfSignature()
 	if primarySelfSignature == nil {
 		return nil, errors.StructuralError("signed entity has no self-signature")
 	}
 	preferredHashes := primarySelfSignature.PreferredHash
 	if len(preferredHashes) == 0 {
 		preferredHashes = defaultHashes
 	}
 	candidateHashes = intersectPreferences(candidateHashes, preferredHashes)
 	if len(candidateHashes) == 0 {
 		return nil, errors.StructuralError("cannot sign because signing key shares no common algorithms with candidate hashes")
 	}
 	return writeAndSign(noOpCloser{output}, candidateHashes, signed, hints, packet.SigTypeBinary, config)
 }
 // signatureWriter hashes the contents of a message while passing it along to
 // literalData. When closed, it closes literalData, writes a signature packet
 // to encryptedData and then also closes encryptedData.
 type signatureWriter struct {
 	encryptedData io.WriteCloser
 	literalData   io.WriteCloser
 	hashType      crypto.Hash
 	wrappedHash   hash.Hash
 	h             hash.Hash
 	salt          []byte // v6 only
 	signer        *packet.PrivateKey
 	sigType       packet.SignatureType
 	config        *packet.Config
 	metadata      *packet.LiteralData // V5 signatures protect document metadata
 }
 func (s signatureWriter) Write(data []byte) (int, error) {
 	s.wrappedHash.Write(data)
 	switch s.sigType {
 	case packet.SigTypeBinary:
 		return s.literalData.Write(data)
 	case packet.SigTypeText:
 		flag := 0
 		return writeCanonical(s.literalData, data, &flag)
 	}
 	return 0, errors.UnsupportedError("unsupported signature type: " + strconv.Itoa(int(s.sigType)))
 }
 func (s signatureWriter) Close() error {
 	sig := createSignaturePacket(&s.signer.PublicKey, s.sigType, s.config)
 	sig.Hash = s.hashType
 	sig.Metadata = s.metadata
 	if err := sig.SetSalt(s.salt); err != nil {
 		return err
 	}
 	if err := sig.Sign(s.h, s.signer, s.config); err != nil {
 		return err
 	}
 	if err := s.literalData.Close(); err != nil {
 		return err
 	}
 	if err := sig.Serialize(s.encryptedData); err != nil {
 		return err
 	}
 	return s.encryptedData.Close()
 }
 func selectHashForSigningKey(config *packet.Config, signer *packet.PublicKey) crypto.Hash {
 	acceptableHashes := acceptableHashesToWrite(signer)
 	hash, ok := algorithm.HashToHashId(config.Hash())
 	if !ok {
 		return config.Hash()
 	}
 	for _, acceptableHashes := range acceptableHashes {
 		if acceptableHashes == hash {
 			return config.Hash()
 		}
 	}
 	if len(acceptableHashes) > 0 {
 		defaultAcceptedHash, ok := algorithm.HashIdToHash(acceptableHashes[0])
 		if ok {
 			return defaultAcceptedHash
 		}
 	}
 	return config.Hash()
 }
 func createSignaturePacket(signer *packet.PublicKey, sigType packet.SignatureType, config *packet.Config) *packet.Signature {
 	sigLifetimeSecs := config.SigLifetime()
 	hash := selectHashForSigningKey(config, signer)
 	return &packet.Signature{
 		Version:           signer.Version,
 		SigType:           sigType,
 		PubKeyAlgo:        signer.PubKeyAlgo,
 		Hash:              hash,
 		CreationTime:      config.Now(),
 		IssuerKeyId:       &signer.KeyId,
 		IssuerFingerprint: signer.Fingerprint,
 		Notations:         config.Notations(),
 		SigLifetimeSecs:   &sigLifetimeSecs,
 	}
 }
 // noOpCloser is like an ioutil.NopCloser, but for an io.Writer.
 // TODO: we have two of these in OpenPGP packages alone. This probably needs
 // to be promoted somewhere more common.
 type noOpCloser struct {
 	w io.Writer
 }
 func (c noOpCloser) Write(data []byte) (n int, err error) {
 	return c.w.Write(data)
 }
 func (c noOpCloser) Close() error {
 	return nil
 }
 func handleCompression(compressed io.WriteCloser, candidateCompression []uint8, config *packet.Config) (data io.WriteCloser, err error) {
 	data = compressed
 	confAlgo := config.Compression()
 	if confAlgo == packet.CompressionNone {
 		return
 	}
 	// Set algorithm labelled as MUST as fallback
 	// https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-07.html#section-9.4
 	finalAlgo := packet.CompressionNone
 	// if compression specified by config available we will use it
 	for _, c := range candidateCompression {
 		if uint8(confAlgo) == c {
 			finalAlgo = confAlgo
 			break
 		}
 	}
 	if finalAlgo != packet.CompressionNone {
 		var compConfig *packet.CompressionConfig
 		if config != nil {
 			compConfig = config.CompressionConfig
 		}
 		data, err = packet.SerializeCompressed(compressed, finalAlgo, compConfig)
 		if err != nil {
 			return
 		}
 	}
 	return data, nil
 }
 // selectHash selects the preferred hash given the candidateHashes and the configuredHash
 func selectHash(candidateHashes []byte, configuredHash crypto.Hash, signer *packet.PrivateKey) (hash crypto.Hash, err error) {
 	acceptableHashes := acceptableHashesToWrite(&signer.PublicKey)
 	candidateHashes = intersectPreferences(acceptableHashes, candidateHashes)
 	for _, hashId := range candidateHashes {
 		if h, ok := algorithm.HashIdToHash(hashId); ok && h.Available() {
 			hash = h
 			break
 		}
 	}
 	// If the hash specified by config is a candidate, we'll use that.
 	if configuredHash.Available() {
 		for _, hashId := range candidateHashes {
 			if h, ok := algorithm.HashIdToHash(hashId); ok && h == configuredHash {
 				hash = h
 				break
 			}
 		}
 	}
 	if hash == 0 {
 		if len(acceptableHashes) > 0 {
 			if h, ok := algorithm.HashIdToHash(acceptableHashes[0]); ok {
 				hash = h
 			} else {
 				return 0, errors.UnsupportedError("no candidate hash functions are compiled in.")
 			}
 		} else {
 			return 0, errors.UnsupportedError("no candidate hash functions are compiled in.")
 		}
 	}
 	return
 }
 func acceptableHashesToWrite(singingKey *packet.PublicKey) []uint8 {
 	switch singingKey.PubKeyAlgo {
 	case packet.PubKeyAlgoEd448:
 		return []uint8{
 			hashToHashId(crypto.SHA512),
 			hashToHashId(crypto.SHA3_512),
 		}
 	case packet.PubKeyAlgoECDSA, packet.PubKeyAlgoEdDSA:
 		if curve, err := singingKey.Curve(); err == nil {
 			if curve == packet.Curve448 ||
 				curve == packet.CurveNistP521 ||
 				curve == packet.CurveBrainpoolP512 {
 				return []uint8{
 					hashToHashId(crypto.SHA512),
 					hashToHashId(crypto.SHA3_512),
 				}
 			} else if curve == packet.CurveBrainpoolP384 ||
 				curve == packet.CurveNistP384 {
 				return []uint8{
 					hashToHashId(crypto.SHA384),
 					hashToHashId(crypto.SHA512),
 					hashToHashId(crypto.SHA3_512),
 				}
 			}
 		}
 	}
 	return []uint8{
 		hashToHashId(crypto.SHA256),
 		hashToHashId(crypto.SHA384),
 		hashToHashId(crypto.SHA512),
 		hashToHashId(crypto.SHA3_256),
 		hashToHashId(crypto.SHA3_512),
 	}
 }
--- a/Show More
+++ b/Show More