source/vendor/github.com/ProtonMail/go-crypto/ocb/rfc7253_test_vectors_suite_b.go

+package ocb
+
+// Second set of test vectors from https://tools.ietf.org/html/rfc7253
+var rfc7253TestVectorTaglen96 = struct {
+	key, nonce, header, plaintext, ciphertext string
+}{"0F0E0D0C0B0A09080706050403020100",
+	"BBAA9988776655443322110D",
+	"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627",
+	"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627",
+	"1792A4E31E0755FB03E31B22116E6C2DDF9EFD6E33D536F1A0124B0A55BAE884ED93481529C76B6AD0C515F4D1CDD4FDAC4F02AA"}
+
+var rfc7253AlgorithmTest = []struct {
+	KEYLEN, TAGLEN int
+	OUTPUT         string
+}{
+	{128, 128, "67E944D23256C5E0B6C61FA22FDF1EA2"},
+	{192, 128, "F673F2C3E7174AAE7BAE986CA9F29E17"},
+	{256, 128, "D90EB8E9C977C88B79DD793D7FFA161C"},
+	{128, 96, "77A3D8E73589158D25D01209"},
+	{192, 96, "05D56EAD2752C86BE6932C5E"},
+	{256, 96, "5458359AC23B0CBA9E6330DD"},
+	{128, 64, "192C9B7BD90BA06A"},
+	{192, 64, "0066BC6E0EF34E24"},
+	{256, 64, "7D4EA5D445501CBE"},
+}

source/vendor/github.com/ProtonMail/go-crypto/openpgp/aes/keywrap/keywrap.go

+// Copyright 2014 Matthew Endsley
+// All rights reserved
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted providing that the following conditions
+// are met:
+// 1. Redistributions of source code must retain the above copyright
+//    notice, this list of conditions and the following disclaimer.
+// 2. Redistributions in binary form must reproduce the above copyright
+//    notice, this list of conditions and the following disclaimer in the
+//    documentation and/or other materials provided with the distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+// WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+// ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+// DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+// OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+// IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+// POSSIBILITY OF SUCH DAMAGE.
+
+// Package keywrap is an implementation of the RFC 3394 AES key wrapping
+// algorithm. This is used in OpenPGP with elliptic curve keys.
+package keywrap
+
+import (
+	"crypto/aes"
+	"encoding/binary"
+	"errors"
+)
+
+var (
+	// ErrWrapPlaintext is returned if the plaintext is not a multiple
+	// of 64 bits.
+	ErrWrapPlaintext = errors.New("keywrap: plainText must be a multiple of 64 bits")
+
+	// ErrUnwrapCiphertext is returned if the ciphertext is not a
+	// multiple of 64 bits.
+	ErrUnwrapCiphertext = errors.New("keywrap: cipherText must by a multiple of 64 bits")
+
+	// ErrUnwrapFailed is returned if unwrapping a key fails.
+	ErrUnwrapFailed = errors.New("keywrap: failed to unwrap key")
+
+	// NB: the AES NewCipher call only fails if the key is an invalid length.
+
+	// ErrInvalidKey is returned when the AES key is invalid.
+	ErrInvalidKey = errors.New("keywrap: invalid AES key")
+)
+
+// Wrap a key using the RFC 3394 AES Key Wrap Algorithm.
+func Wrap(key, plainText []byte) ([]byte, error) {
+	if len(plainText)%8 != 0 {
+		return nil, ErrWrapPlaintext
+	}
+
+	c, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, ErrInvalidKey
+	}
+
+	nblocks := len(plainText) / 8
+
+	// 1) Initialize variables.
+	var block [aes.BlockSize]byte
+	// - Set A = IV, an initial value (see 2.2.3)
+	for ii := 0; ii < 8; ii++ {
+		block[ii] = 0xA6
+	}
+
+	// - For i = 1 to n
+	// -   Set R[i] = P[i]
+	intermediate := make([]byte, len(plainText))
+	copy(intermediate, plainText)
+
+	// 2) Calculate intermediate values.
+	for ii := 0; ii < 6; ii++ {
+		for jj := 0; jj < nblocks; jj++ {
+			// - B = AES(K, A | R[i])
+			copy(block[8:], intermediate[jj*8:jj*8+8])
+			c.Encrypt(block[:], block[:])
+
+			// - A = MSB(64, B) ^ t where t = (n*j)+1
+			t := uint64(ii*nblocks + jj + 1)
+			val := binary.BigEndian.Uint64(block[:8]) ^ t
+			binary.BigEndian.PutUint64(block[:8], val)
+
+			// - R[i] = LSB(64, B)
+			copy(intermediate[jj*8:jj*8+8], block[8:])
+		}
+	}
+
+	// 3) Output results.
+	// - Set C[0] = A
+	// - For i = 1 to n
+	// -   C[i] = R[i]
+	return append(block[:8], intermediate...), nil
+}
+
+// Unwrap a key using the RFC 3394 AES Key Wrap Algorithm.
+func Unwrap(key, cipherText []byte) ([]byte, error) {
+	if len(cipherText)%8 != 0 {
+		return nil, ErrUnwrapCiphertext
+	}
+
+	c, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, ErrInvalidKey
+	}
+
+	nblocks := len(cipherText)/8 - 1
+
+	// 1) Initialize variables.
+	var block [aes.BlockSize]byte
+	// - Set A = C[0]
+	copy(block[:8], cipherText[:8])
+
+	// - For i = 1 to n
+	// -   Set R[i] = C[i]
+	intermediate := make([]byte, len(cipherText)-8)
+	copy(intermediate, cipherText[8:])
+
+	// 2) Compute intermediate values.
+	for jj := 5; jj >= 0; jj-- {
+		for ii := nblocks - 1; ii >= 0; ii-- {
+			// - B = AES-1(K, (A ^ t) | R[i]) where t = n*j+1
+			// - A = MSB(64, B)
+			t := uint64(jj*nblocks + ii + 1)
+			val := binary.BigEndian.Uint64(block[:8]) ^ t
+			binary.BigEndian.PutUint64(block[:8], val)
+
+			copy(block[8:], intermediate[ii*8:ii*8+8])
+			c.Decrypt(block[:], block[:])
+
+			// - R[i] = LSB(B, 64)
+			copy(intermediate[ii*8:ii*8+8], block[8:])
+		}
+	}
+
+	// 3) Output results.
+	// - If A is an appropriate initial value (see 2.2.3),
+	for ii := 0; ii < 8; ii++ {
+		if block[ii] != 0xA6 {
+			return nil, ErrUnwrapFailed
+		}
+	}
+
+	// - For i = 1 to n
+	// -   P[i] = R[i]
+	return intermediate, nil
+}

source/vendor/github.com/ProtonMail/go-crypto/openpgp/armor/armor.go

+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package armor implements OpenPGP ASCII Armor, see RFC 4880. OpenPGP Armor is
+// very similar to PEM except that it has an additional CRC checksum.
+package armor // import "github.com/ProtonMail/go-crypto/openpgp/armor"
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/base64"
+	"io"
+
+	"github.com/ProtonMail/go-crypto/openpgp/errors"
+)
+
+// A Block represents an OpenPGP armored structure.
+//
+// The encoded form is:
+//
+//	-----BEGIN Type-----
+//	Headers
+//
+//	base64-encoded Bytes
+//	'=' base64 encoded checksum (optional) not checked anymore
+//	-----END Type-----
+//
+// where Headers is a possibly empty sequence of Key: Value lines.
+//
+// Since the armored data can be very large, this package presents a streaming
+// interface.
+type Block struct {
+	Type    string            // The type, taken from the preamble (i.e. "PGP SIGNATURE").
+	Header  map[string]string // Optional headers.
+	Body    io.Reader         // A Reader from which the contents can be read
+	lReader lineReader
+	oReader openpgpReader
+}
+
+var ArmorCorrupt error = errors.StructuralError("armor invalid")
+
+var armorStart = []byte("-----BEGIN ")
+var armorEnd = []byte("-----END ")
+var armorEndOfLine = []byte("-----")
+
+// lineReader wraps a line based reader. It watches for the end of an armor block
+type lineReader struct {
+	in  *bufio.Reader
+	buf []byte
+	eof bool
+}
+
+func (l *lineReader) Read(p []byte) (n int, err error) {
+	if l.eof {
+		return 0, io.EOF
+	}
+
+	if len(l.buf) > 0 {
+		n = copy(p, l.buf)
+		l.buf = l.buf[n:]
+		return
+	}
+
+	line, isPrefix, err := l.in.ReadLine()
+	if err != nil {
+		return
+	}
+	if isPrefix {
+		return 0, ArmorCorrupt
+	}
+
+	if bytes.HasPrefix(line, armorEnd) {
+		l.eof = true
+		return 0, io.EOF
+	}
+
+	if len(line) == 5 && line[0] == '=' {
+		// This is the checksum line
+		// Don't check the checksum
+
+		l.eof = true
+		return 0, io.EOF
+	}
+
+	if len(line) > 96 {
+		return 0, ArmorCorrupt
+	}
+
+	n = copy(p, line)
+	bytesToSave := len(line) - n
+	if bytesToSave > 0 {
+		if cap(l.buf) < bytesToSave {
+			l.buf = make([]byte, 0, bytesToSave)
+		}
+		l.buf = l.buf[0:bytesToSave]
+		copy(l.buf, line[n:])
+	}
+
+	return
+}
+
+// openpgpReader passes Read calls to the underlying base64 decoder.
+type openpgpReader struct {
+	lReader   *lineReader
+	b64Reader io.Reader
+}
+
+func (r *openpgpReader) Read(p []byte) (n int, err error) {
+	n, err = r.b64Reader.Read(p)
+	return
+}
+
+// Decode reads a PGP armored block from the given Reader. It will ignore
+// leading garbage. If it doesn't find a block, it will return nil, io.EOF. The
+// given Reader is not usable after calling this function: an arbitrary amount
+// of data may have been read past the end of the block.
+func Decode(in io.Reader) (p *Block, err error) {
+	r := bufio.NewReaderSize(in, 100)
+	var line []byte
+	ignoreNext := false
+
+TryNextBlock:
+	p = nil
+
+	// Skip leading garbage
+	for {
+		ignoreThis := ignoreNext
+		line, ignoreNext, err = r.ReadLine()
+		if err != nil {
+			return
+		}
+		if ignoreNext || ignoreThis {
+			continue
+		}
+		line = bytes.TrimSpace(line)
+		if len(line) > len(armorStart)+len(armorEndOfLine) && bytes.HasPrefix(line, armorStart) {
+			break
+		}
+	}
+
+	p = new(Block)
+	p.Type = string(line[len(armorStart) : len(line)-len(armorEndOfLine)])
+	p.Header = make(map[string]string)
+	nextIsContinuation := false
+	var lastKey string
+
+	// Read headers
+	for {
+		isContinuation := nextIsContinuation
+		line, nextIsContinuation, err = r.ReadLine()
+		if err != nil {
+			p = nil
+			return
+		}
+		if isContinuation {
+			p.Header[lastKey] += string(line)
+			continue
+		}
+		line = bytes.TrimSpace(line)
+		if len(line) == 0 {
+			break
+		}
+
+		i := bytes.Index(line, []byte(":"))
+		if i == -1 {
+			goto TryNextBlock
+		}
+		lastKey = string(line[:i])
+		var value string
+		if len(line) > i+2 {
+			value = string(line[i+2:])
+		}
+		p.Header[lastKey] = value
+	}
+
+	p.lReader.in = r
+	p.oReader.lReader = &p.lReader
+	p.oReader.b64Reader = base64.NewDecoder(base64.StdEncoding, &p.lReader)
+	p.Body = &p.oReader
+
+	return
+}

source/vendor/github.com/ProtonMail/go-crypto/openpgp/armor/encode.go

+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package armor
+
+import (
+	"encoding/base64"
+	"io"
+	"sort"
+)
+
+var armorHeaderSep = []byte(": ")
+var blockEnd = []byte("\n=")
+var newline = []byte("\n")
+var armorEndOfLineOut = []byte("-----\n")
+
+const crc24Init = 0xb704ce
+const crc24Poly = 0x1864cfb
+
+// crc24 calculates the OpenPGP checksum as specified in RFC 4880, section 6.1
+func crc24(crc uint32, d []byte) uint32 {
+	for _, b := range d {
+		crc ^= uint32(b) << 16
+		for i := 0; i < 8; i++ {
+			crc <<= 1
+			if crc&0x1000000 != 0 {
+				crc ^= crc24Poly
+			}
+		}
+	}
+	return crc
+}
+
+// writeSlices writes its arguments to the given Writer.
+func writeSlices(out io.Writer, slices ...[]byte) (err error) {
+	for _, s := range slices {
+		_, err = out.Write(s)
+		if err != nil {
+			return err
+		}
+	}
+	return
+}
+
+// lineBreaker breaks data across several lines, all of the same byte length
+// (except possibly the last). Lines are broken with a single '\n'.
+type lineBreaker struct {
+	lineLength  int
+	line        []byte
+	used        int
+	out         io.Writer
+	haveWritten bool
+}
+
+func newLineBreaker(out io.Writer, lineLength int) *lineBreaker {
+	return &lineBreaker{
+		lineLength: lineLength,
+		line:       make([]byte, lineLength),
+		used:       0,
+		out:        out,
+	}
+}
+
+func (l *lineBreaker) Write(b []byte) (n int, err error) {
+	n = len(b)
+
+	if n == 0 {
+		return
+	}
+
+	if l.used == 0 && l.haveWritten {
+		_, err = l.out.Write([]byte{'\n'})
+		if err != nil {
+			return
+		}
+	}
+
+	if l.used+len(b) < l.lineLength {
+		l.used += copy(l.line[l.used:], b)
+		return
+	}
+
+	l.haveWritten = true
+	_, err = l.out.Write(l.line[0:l.used])
+	if err != nil {
+		return
+	}
+	excess := l.lineLength - l.used
+	l.used = 0
+
+	_, err = l.out.Write(b[0:excess])
+	if err != nil {
+		return
+	}
+
+	_, err = l.Write(b[excess:])
+	return
+}
+
+func (l *lineBreaker) Close() (err error) {
+	if l.used > 0 {
+		_, err = l.out.Write(l.line[0:l.used])
+		if err != nil {
+			return
+		}
+	}
+
+	return
+}
+
+// encoding keeps track of a running CRC24 over the data which has been written
+// to it and outputs a OpenPGP checksum when closed, followed by an armor
+// trailer.
+//
+// It's built into a stack of io.Writers:
+//
+//	encoding -> base64 encoder -> lineBreaker -> out
+type encoding struct {
+	out        io.Writer
+	breaker    *lineBreaker
+	b64        io.WriteCloser
+	crc        uint32
+	crcEnabled bool
+	blockType  []byte
+}
+
+func (e *encoding) Write(data []byte) (n int, err error) {
+	if e.crcEnabled {
+		e.crc = crc24(e.crc, data)
+	}
+	return e.b64.Write(data)
+}
+
+func (e *encoding) Close() (err error) {
+	err = e.b64.Close()
+	if err != nil {
+		return
+	}
+	e.breaker.Close()
+
+	if e.crcEnabled {
+		var checksumBytes [3]byte
+		checksumBytes[0] = byte(e.crc >> 16)
+		checksumBytes[1] = byte(e.crc >> 8)
+		checksumBytes[2] = byte(e.crc)
+
+		var b64ChecksumBytes [4]byte
+		base64.StdEncoding.Encode(b64ChecksumBytes[:], checksumBytes[:])
+
+		return writeSlices(e.out, blockEnd, b64ChecksumBytes[:], newline, armorEnd, e.blockType, armorEndOfLine)
+	}
+	return writeSlices(e.out, newline, armorEnd, e.blockType, armorEndOfLine)
+}
+
+func encode(out io.Writer, blockType string, headers map[string]string, checksum bool) (w io.WriteCloser, err error) {
+	bType := []byte(blockType)
+	err = writeSlices(out, armorStart, bType, armorEndOfLineOut)
+	if err != nil {
+		return
+	}
+
+	keys := make([]string, len(headers))
+	i := 0
+	for k := range headers {
+		keys[i] = k
+		i++
+	}
+	sort.Strings(keys)
+	for _, k := range keys {
+		err = writeSlices(out, []byte(k), armorHeaderSep, []byte(headers[k]), newline)
+		if err != nil {
+			return
+		}
+	}
+
+	_, err = out.Write(newline)
+	if err != nil {
+		return
+	}
+
+	e := &encoding{
+		out:        out,
+		breaker:    newLineBreaker(out, 64),
+		blockType:  bType,
+		crc:        crc24Init,
+		crcEnabled: checksum,
+	}
+	e.b64 = base64.NewEncoder(base64.StdEncoding, e.breaker)
+	return e, nil
+}
+
+// Encode returns a WriteCloser which will encode the data written to it in
+// OpenPGP armor.
+func Encode(out io.Writer, blockType string, headers map[string]string) (w io.WriteCloser, err error) {
+	return encode(out, blockType, headers, true)
+}
+
+// EncodeWithChecksumOption returns a WriteCloser which will encode the data written to it in
+// OpenPGP armor and provides the option to include a checksum.
+// When forming ASCII Armor, the CRC24 footer SHOULD NOT be generated,
+// unless interoperability with implementations that require the CRC24 footer
+// to be present is a concern.
+func EncodeWithChecksumOption(out io.Writer, blockType string, headers map[string]string, doChecksum bool) (w io.WriteCloser, err error) {
+	return encode(out, blockType, headers, doChecksum)
+}

source/vendor/github.com/ProtonMail/go-crypto/openpgp/canonical_text.go

+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package openpgp
+
+import (
+	"hash"
+	"io"
+)
+
+// NewCanonicalTextHash reformats text written to it into the canonical
+// form and then applies the hash h.  See RFC 4880, section 5.2.1.
+func NewCanonicalTextHash(h hash.Hash) hash.Hash {
+	return &canonicalTextHash{h, 0}
+}
+
+type canonicalTextHash struct {
+	h hash.Hash
+	s int
+}
+
+var newline = []byte{'\r', '\n'}
+
+func writeCanonical(cw io.Writer, buf []byte, s *int) (int, error) {
+	start := 0
+	for i, c := range buf {
+		switch *s {
+		case 0:
+			if c == '\r' {
+				*s = 1
+			} else if c == '\n' {
+				if _, err := cw.Write(buf[start:i]); err != nil {
+					return 0, err
+				}
+				if _, err := cw.Write(newline); err != nil {
+					return 0, err
+				}
+				start = i + 1
+			}
+		case 1:
+			*s = 0
+		}
+	}
+
+	if _, err := cw.Write(buf[start:]); err != nil {
+		return 0, err
+	}
+	return len(buf), nil
+}
+
+func (cth *canonicalTextHash) Write(buf []byte) (int, error) {
+	return writeCanonical(cth.h, buf, &cth.s)
+}
+
+func (cth *canonicalTextHash) Sum(in []byte) []byte {
+	return cth.h.Sum(in)
+}
+
+func (cth *canonicalTextHash) Reset() {
+	cth.h.Reset()
+	cth.s = 0
+}
+
+func (cth *canonicalTextHash) Size() int {
+	return cth.h.Size()
+}
+
+func (cth *canonicalTextHash) BlockSize() int {
+	return cth.h.BlockSize()
+}

source/vendor/github.com/ProtonMail/go-crypto/openpgp/ecdh/ecdh.go

+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package ecdh implements ECDH encryption, suitable for OpenPGP,
+// as specified in RFC 6637, section 8.
+package ecdh
+
+import (
+	"bytes"
+	"errors"
+	"io"
+
+	"github.com/ProtonMail/go-crypto/openpgp/aes/keywrap"
+	"github.com/ProtonMail/go-crypto/openpgp/internal/algorithm"
+	"github.com/ProtonMail/go-crypto/openpgp/internal/ecc"
+)
+
+type KDF struct {
+	Hash   algorithm.Hash
+	Cipher algorithm.Cipher
+}
+
+type PublicKey struct {
+	curve ecc.ECDHCurve
+	Point []byte
+	KDF
+}
+
+type PrivateKey struct {
+	PublicKey
+	D []byte
+}
+
+func NewPublicKey(curve ecc.ECDHCurve, kdfHash algorithm.Hash, kdfCipher algorithm.Cipher) *PublicKey {
+	return &PublicKey{
+		curve: curve,
+		KDF: KDF{
+			Hash:   kdfHash,
+			Cipher: kdfCipher,
+		},
+	}
+}
+
+func NewPrivateKey(key PublicKey) *PrivateKey {
+	return &PrivateKey{
+		PublicKey: key,
+	}
+}
+
+func (pk *PublicKey) GetCurve() ecc.ECDHCurve {
+	return pk.curve
+}
+
+func (pk *PublicKey) MarshalPoint() []byte {
+	return pk.curve.MarshalBytePoint(pk.Point)
+}
+
+func (pk *PublicKey) UnmarshalPoint(p []byte) error {
+	pk.Point = pk.curve.UnmarshalBytePoint(p)
+	if pk.Point == nil {
+		return errors.New("ecdh: failed to parse EC point")
+	}
+	return nil
+}
+
+func (sk *PrivateKey) MarshalByteSecret() []byte {
+	return sk.curve.MarshalByteSecret(sk.D)
+}
+
+func (sk *PrivateKey) UnmarshalByteSecret(d []byte) error {
+	sk.D = sk.curve.UnmarshalByteSecret(d)
+
+	if sk.D == nil {
+		return errors.New("ecdh: failed to parse scalar")
+	}
+	return nil
+}
+
+func GenerateKey(rand io.Reader, c ecc.ECDHCurve, kdf KDF) (priv *PrivateKey, err error) {
+	priv = new(PrivateKey)
+	priv.PublicKey.curve = c
+	priv.PublicKey.KDF = kdf
+	priv.PublicKey.Point, priv.D, err = c.GenerateECDH(rand)
+	return
+}
+
+func Encrypt(random io.Reader, pub *PublicKey, msg, curveOID, fingerprint []byte) (vsG, c []byte, err error) {
+	if len(msg) > 40 {
+		return nil, nil, errors.New("ecdh: message too long")
+	}
+	// the sender MAY use 21, 13, and 5 bytes of padding for AES-128,
+	// AES-192, and AES-256, respectively, to provide the same number of
+	// octets, 40 total, as an input to the key wrapping method.
+	padding := make([]byte, 40-len(msg))
+	for i := range padding {
+		padding[i] = byte(40 - len(msg))
+	}
+	m := append(msg, padding...)
+
+	ephemeral, zb, err := pub.curve.Encaps(random, pub.Point)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	vsG = pub.curve.MarshalBytePoint(ephemeral)
+
+	z, err := buildKey(pub, zb, curveOID, fingerprint, false, false)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if c, err = keywrap.Wrap(z, m); err != nil {
+		return nil, nil, err
+	}
+
+	return vsG, c, nil
+
+}
+
+func Decrypt(priv *PrivateKey, vsG, c, curveOID, fingerprint []byte) (msg []byte, err error) {
+	var m []byte
+	zb, err := priv.PublicKey.curve.Decaps(priv.curve.UnmarshalBytePoint(vsG), priv.D)
+
+	// Try buildKey three times to workaround an old bug, see comments in buildKey.
+	for i := 0; i < 3; i++ {
+		var z []byte
+		// RFC6637 §8: "Compute Z = KDF( S, Z_len, Param );"
+		z, err = buildKey(&priv.PublicKey, zb, curveOID, fingerprint, i == 1, i == 2)
+		if err != nil {
+			return nil, err
+		}
+
+		// RFC6637 §8: "Compute C = AESKeyWrap( Z, c ) as per [RFC3394]"
+		m, err = keywrap.Unwrap(z, c)
+		if err == nil {
+			break
+		}
+	}
+
+	// Only return an error after we've tried all (required) variants of buildKey.
+	if err != nil {
+		return nil, err
+	}
+
+	// RFC6637 §8: "m = symm_alg_ID || session key || checksum || pkcs5_padding"
+	// The last byte should be the length of the padding, as per PKCS5; strip it off.
+	return m[:len(m)-int(m[len(m)-1])], nil
+}
+
+func buildKey(pub *PublicKey, zb []byte, curveOID, fingerprint []byte, stripLeading, stripTrailing bool) ([]byte, error) {
+	// Param = curve_OID_len || curve_OID || public_key_alg_ID || 03
+	//         || 01 || KDF_hash_ID || KEK_alg_ID for AESKeyWrap
+	//         || "Anonymous Sender    " || recipient_fingerprint;
+	param := new(bytes.Buffer)
+	if _, err := param.Write(curveOID); err != nil {
+		return nil, err
+	}
+	algKDF := []byte{18, 3, 1, pub.KDF.Hash.Id(), pub.KDF.Cipher.Id()}
+	if _, err := param.Write(algKDF); err != nil {
+		return nil, err
+	}
+	if _, err := param.Write([]byte("Anonymous Sender    ")); err != nil {
+		return nil, err
+	}
+	if _, err := param.Write(fingerprint[:]); err != nil {
+		return nil, err
+	}
+
+	// MB = Hash ( 00 || 00 || 00 || 01 || ZB || Param );
+	h := pub.KDF.Hash.New()
+	if _, err := h.Write([]byte{0x0, 0x0, 0x0, 0x1}); err != nil {
+		return nil, err
+	}
+	zbLen := len(zb)
+	i := 0
+	j := zbLen - 1
+	if stripLeading {
+		// Work around old go crypto bug where the leading zeros are missing.
+		for i < zbLen && zb[i] == 0 {
+			i++
+		}
+	}
+	if stripTrailing {
+		// Work around old OpenPGP.js bug where insignificant trailing zeros in
+		// this little-endian number are missing.
+		// (See https://github.com/openpgpjs/openpgpjs/pull/853.)
+		for j >= 0 && zb[j] == 0 {
+			j--
+		}
+	}
+	if _, err := h.Write(zb[i : j+1]); err != nil {
+		return nil, err
+	}
+	if _, err := h.Write(param.Bytes()); err != nil {
+		return nil, err
+	}
+	mb := h.Sum(nil)
+
+	return mb[:pub.KDF.Cipher.KeySize()], nil // return oBits leftmost bits of MB.
+
+}
+
+func Validate(priv *PrivateKey) error {
+	return priv.curve.ValidateECDH(priv.Point, priv.D)
+}

source/vendor/github.com/ProtonMail/go-crypto/openpgp/ecdsa/ecdsa.go

+// Package ecdsa implements ECDSA signature, suitable for OpenPGP,
+// as specified in RFC 6637, section 5.
+package ecdsa
+
+import (
+	"errors"
+	"github.com/ProtonMail/go-crypto/openpgp/internal/ecc"
+	"io"
+	"math/big"
+)
+
+type PublicKey struct {
+	X, Y  *big.Int
+	curve ecc.ECDSACurve
+}
+
+type PrivateKey struct {
+	PublicKey
+	D *big.Int
+}
+
+func NewPublicKey(curve ecc.ECDSACurve) *PublicKey {
+	return &PublicKey{
+		curve: curve,
+	}
+}
+
+func NewPrivateKey(key PublicKey) *PrivateKey {
+	return &PrivateKey{
+		PublicKey: key,
+	}
+}
+
+func (pk *PublicKey) GetCurve() ecc.ECDSACurve {
+	return pk.curve
+}
+
+func (pk *PublicKey) MarshalPoint() []byte {
+	return pk.curve.MarshalIntegerPoint(pk.X, pk.Y)
+}
+
+func (pk *PublicKey) UnmarshalPoint(p []byte) error {
+	pk.X, pk.Y = pk.curve.UnmarshalIntegerPoint(p)
+	if pk.X == nil {
+		return errors.New("ecdsa: failed to parse EC point")
+	}
+	return nil
+}
+
+func (sk *PrivateKey) MarshalIntegerSecret() []byte {
+	return sk.curve.MarshalIntegerSecret(sk.D)
+}
+
+func (sk *PrivateKey) UnmarshalIntegerSecret(d []byte) error {
+	sk.D = sk.curve.UnmarshalIntegerSecret(d)
+
+	if sk.D == nil {
+		return errors.New("ecdsa: failed to parse scalar")
+	}
+	return nil
+}
+
+func GenerateKey(rand io.Reader, c ecc.ECDSACurve) (priv *PrivateKey, err error) {
+	priv = new(PrivateKey)
+	priv.PublicKey.curve = c
+	priv.PublicKey.X, priv.PublicKey.Y, priv.D, err = c.GenerateECDSA(rand)
+	return
+}
+
+func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err error) {
+	return priv.PublicKey.curve.Sign(rand, priv.X, priv.Y, priv.D, hash)
+}
+
+func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
+	return pub.curve.Verify(pub.X, pub.Y, hash, r, s)
+}
+
+func Validate(priv *PrivateKey) error {
+	return priv.curve.ValidateECDSA(priv.X, priv.Y, priv.D.Bytes())
+}

source/vendor/github.com/ProtonMail/go-crypto/openpgp/ed25519/ed25519.go

+// Package ed25519 implements the ed25519 signature algorithm for OpenPGP
+// as defined in the Open PGP crypto refresh.
+package ed25519
+
+import (
+	"crypto/subtle"
+	"io"
+
+	"github.com/ProtonMail/go-crypto/openpgp/errors"
+	ed25519lib "github.com/cloudflare/circl/sign/ed25519"
+)
+
+const (
+	// PublicKeySize is the size, in bytes, of public keys in this package.
+	PublicKeySize = ed25519lib.PublicKeySize
+	// SeedSize is the size, in bytes, of private key seeds.
+	// The private key representation used by RFC 8032.
+	SeedSize = ed25519lib.SeedSize
+	// SignatureSize is the size, in bytes, of signatures generated and verified by this package.
+	SignatureSize = ed25519lib.SignatureSize
+)
+
+type PublicKey struct {
+	// Point represents the elliptic curve point of the public key.
+	Point []byte
+}
+
+type PrivateKey struct {
+	PublicKey
+	// Key the private key representation by RFC 8032,
+	// encoded as seed | pub key point.
+	Key []byte
+}
+
+// NewPublicKey creates a new empty ed25519 public key.
+func NewPublicKey() *PublicKey {
+	return &PublicKey{}
+}
+
+// NewPrivateKey creates a new empty private key referencing the public key.
+func NewPrivateKey(key PublicKey) *PrivateKey {
+	return &PrivateKey{
+		PublicKey: key,
+	}
+}
+
+// Seed returns the ed25519 private key secret seed.
+// The private key representation by RFC 8032.
+func (pk *PrivateKey) Seed() []byte {
+	return pk.Key[:SeedSize]
+}
+
+// MarshalByteSecret returns the underlying 32 byte seed of the private key.
+func (pk *PrivateKey) MarshalByteSecret() []byte {
+	return pk.Seed()
+}
+
+// UnmarshalByteSecret computes the private key from the secret seed
+// and stores it in the private key object.
+func (sk *PrivateKey) UnmarshalByteSecret(seed []byte) error {
+	sk.Key = ed25519lib.NewKeyFromSeed(seed)
+	return nil
+}
+
+// GenerateKey generates a fresh private key with the provided randomness source.
+func GenerateKey(rand io.Reader) (*PrivateKey, error) {
+	publicKey, privateKey, err := ed25519lib.GenerateKey(rand)
+	if err != nil {
+		return nil, err
+	}
+	privateKeyOut := new(PrivateKey)
+	privateKeyOut.PublicKey.Point = publicKey[:]
+	privateKeyOut.Key = privateKey[:]
+	return privateKeyOut, nil
+}
+
+// Sign signs a message with the ed25519 algorithm.
+// priv MUST be a valid key! Check this with Validate() before use.
+func Sign(priv *PrivateKey, message []byte) ([]byte, error) {
+	return ed25519lib.Sign(priv.Key, message), nil
+}
+
+// Verify verifies an ed25519 signature.
+func Verify(pub *PublicKey, message []byte, signature []byte) bool {
+	return ed25519lib.Verify(pub.Point, message, signature)
+}
+
+// Validate checks if the ed25519 private key is valid.
+func Validate(priv *PrivateKey) error {
+	expectedPrivateKey := ed25519lib.NewKeyFromSeed(priv.Seed())
+	if subtle.ConstantTimeCompare(priv.Key, expectedPrivateKey) == 0 {
+		return errors.KeyInvalidError("ed25519: invalid ed25519 secret")
+	}
+	if subtle.ConstantTimeCompare(priv.PublicKey.Point, expectedPrivateKey[SeedSize:]) == 0 {
+		return errors.KeyInvalidError("ed25519: invalid ed25519 public key")
+	}
+	return nil
+}
+
+// ENCODING/DECODING signature:
+
+// WriteSignature encodes and writes an ed25519 signature to writer.
+func WriteSignature(writer io.Writer, signature []byte) error {
+	_, err := writer.Write(signature)
+	return err
+}
+
+// ReadSignature decodes an ed25519 signature from a reader.
+func ReadSignature(reader io.Reader) ([]byte, error) {
+	signature := make([]byte, SignatureSize)
+	if _, err := io.ReadFull(reader, signature); err != nil {
+		return nil, err
+	}
+	return signature, nil
+}

source/vendor/github.com/ProtonMail/go-crypto/openpgp/ed448/ed448.go

+// Package ed448 implements the ed448 signature algorithm for OpenPGP
+// as defined in the Open PGP crypto refresh.
+package ed448
+
+import (
+	"crypto/subtle"
+	"io"
+
+	"github.com/ProtonMail/go-crypto/openpgp/errors"
+	ed448lib "github.com/cloudflare/circl/sign/ed448"
+)
+
+const (
+	// PublicKeySize is the size, in bytes, of public keys in this package.
+	PublicKeySize = ed448lib.PublicKeySize
+	// SeedSize is the size, in bytes, of private key seeds.
+	// The private key representation used by RFC 8032.
+	SeedSize = ed448lib.SeedSize
+	// SignatureSize is the size, in bytes, of signatures generated and verified by this package.
+	SignatureSize = ed448lib.SignatureSize
+)
+
+type PublicKey struct {
+	// Point represents the elliptic curve point of the public key.
+	Point []byte
+}
+
+type PrivateKey struct {
+	PublicKey
+	// Key the private key representation by RFC 8032,
+	// encoded as seed | public key point.
+	Key []byte
+}
+
+// NewPublicKey creates a new empty ed448 public key.
+func NewPublicKey() *PublicKey {
+	return &PublicKey{}
+}
+
+// NewPrivateKey creates a new empty private key referencing the public key.
+func NewPrivateKey(key PublicKey) *PrivateKey {
+	return &PrivateKey{
+		PublicKey: key,
+	}
+}
+
+// Seed returns the ed448 private key secret seed.
+// The private key representation by RFC 8032.
+func (pk *PrivateKey) Seed() []byte {
+	return pk.Key[:SeedSize]
+}
+
+// MarshalByteSecret returns the underlying seed of the private key.
+func (pk *PrivateKey) MarshalByteSecret() []byte {
+	return pk.Seed()
+}
+
+// UnmarshalByteSecret computes the private key from the secret seed
+// and stores it in the private key object.
+func (sk *PrivateKey) UnmarshalByteSecret(seed []byte) error {
+	sk.Key = ed448lib.NewKeyFromSeed(seed)
+	return nil
+}
+
+// GenerateKey generates a fresh private key with the provided randomness source.
+func GenerateKey(rand io.Reader) (*PrivateKey, error) {
+	publicKey, privateKey, err := ed448lib.GenerateKey(rand)
+	if err != nil {
+		return nil, err
+	}
+	privateKeyOut := new(PrivateKey)
+	privateKeyOut.PublicKey.Point = publicKey[:]
+	privateKeyOut.Key = privateKey[:]
+	return privateKeyOut, nil
+}
+
+// Sign signs a message with the ed448 algorithm.
+// priv MUST be a valid key! Check this with Validate() before use.
+func Sign(priv *PrivateKey, message []byte) ([]byte, error) {
+	// Ed448 is used with the empty string as a context string.
+	// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-08#section-13.7
+	return ed448lib.Sign(priv.Key, message, ""), nil
+}
+
+// Verify verifies a ed448 signature
+func Verify(pub *PublicKey, message []byte, signature []byte) bool {
+	// Ed448 is used with the empty string as a context string.
+	// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-08#section-13.7
+	return ed448lib.Verify(pub.Point, message, signature, "")
+}
+
+// Validate checks if the ed448 private key is valid
+func Validate(priv *PrivateKey) error {
+	expectedPrivateKey := ed448lib.NewKeyFromSeed(priv.Seed())
+	if subtle.ConstantTimeCompare(priv.Key, expectedPrivateKey) == 0 {
+		return errors.KeyInvalidError("ed448: invalid ed448 secret")
+	}
+	if subtle.ConstantTimeCompare(priv.PublicKey.Point, expectedPrivateKey[SeedSize:]) == 0 {
+		return errors.KeyInvalidError("ed448: invalid ed448 public key")
+	}
+	return nil
+}
+
+// ENCODING/DECODING signature:
+
+// WriteSignature encodes and writes an ed448 signature to writer.
+func WriteSignature(writer io.Writer, signature []byte) error {
+	_, err := writer.Write(signature)
+	return err
+}
+
+// ReadSignature decodes an ed448 signature from a reader.
+func ReadSignature(reader io.Reader) ([]byte, error) {
+	signature := make([]byte, SignatureSize)
+	if _, err := io.ReadFull(reader, signature); err != nil {
+		return nil, err
+	}
+	return signature, nil
+}

source/vendor/github.com/ProtonMail/go-crypto/openpgp/eddsa/eddsa.go

+// Package eddsa implements EdDSA signature, suitable for OpenPGP, as specified in
+// https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-13.7
+package eddsa
+
+import (
+	"errors"
+	"github.com/ProtonMail/go-crypto/openpgp/internal/ecc"
+	"io"
+)
+
+type PublicKey struct {
+	X     []byte
+	curve ecc.EdDSACurve
+}
+
+type PrivateKey struct {
+	PublicKey
+	D []byte
+}
+
+func NewPublicKey(curve ecc.EdDSACurve) *PublicKey {
+	return &PublicKey{
+		curve: curve,
+	}
+}
+
+func NewPrivateKey(key PublicKey) *PrivateKey {
+	return &PrivateKey{
+		PublicKey: key,
+	}
+}
+
+func (pk *PublicKey) GetCurve() ecc.EdDSACurve {
+	return pk.curve
+}
+
+func (pk *PublicKey) MarshalPoint() []byte {
+	return pk.curve.MarshalBytePoint(pk.X)
+}
+
+func (pk *PublicKey) UnmarshalPoint(x []byte) error {
+	pk.X = pk.curve.UnmarshalBytePoint(x)
+
+	if pk.X == nil {
+		return errors.New("eddsa: failed to parse EC point")
+	}
+	return nil
+}
+
+func (sk *PrivateKey) MarshalByteSecret() []byte {
+	return sk.curve.MarshalByteSecret(sk.D)
+}
+
+func (sk *PrivateKey) UnmarshalByteSecret(d []byte) error {
+	sk.D = sk.curve.UnmarshalByteSecret(d)
+
+	if sk.D == nil {
+		return errors.New("eddsa: failed to parse scalar")
+	}
+	return nil
+}
+
+func GenerateKey(rand io.Reader, c ecc.EdDSACurve) (priv *PrivateKey, err error) {
+	priv = new(PrivateKey)
+	priv.PublicKey.curve = c
+	priv.PublicKey.X, priv.D, err = c.GenerateEdDSA(rand)
+	return
+}
+
+func Sign(priv *PrivateKey, message []byte) (r, s []byte, err error) {
+	sig, err := priv.PublicKey.curve.Sign(priv.PublicKey.X, priv.D, message)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	r, s = priv.PublicKey.curve.MarshalSignature(sig)
+	return
+}
+
+func Verify(pub *PublicKey, message, r, s []byte) bool {
+	sig := pub.curve.UnmarshalSignature(r, s)
+	if sig == nil {
+		return false
+	}
+
+	return pub.curve.Verify(pub.X, message, sig)
+}
+
+func Validate(priv *PrivateKey) error {
+	return priv.curve.ValidateEdDSA(priv.PublicKey.X, priv.D)
+}

source/vendor/github.com/ProtonMail/go-crypto/openpgp/elgamal/elgamal.go

+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package elgamal implements ElGamal encryption, suitable for OpenPGP,
+// as specified in "A Public-Key Cryptosystem and a Signature Scheme Based on
+// Discrete Logarithms," IEEE Transactions on Information Theory, v. IT-31,
+// n. 4, 1985, pp. 469-472.
+//
+// This form of ElGamal embeds PKCS#1 v1.5 padding, which may make it
+// unsuitable for other protocols. RSA should be used in preference in any
+// case.
+package elgamal // import "github.com/ProtonMail/go-crypto/openpgp/elgamal"
+
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"errors"
+	"io"
+	"math/big"
+)
+
+// PublicKey represents an ElGamal public key.
+type PublicKey struct {
+	G, P, Y *big.Int
+}
+
+// PrivateKey represents an ElGamal private key.
+type PrivateKey struct {
+	PublicKey
+	X *big.Int
+}
+
+// Encrypt encrypts the given message to the given public key. The result is a
+// pair of integers. Errors can result from reading random, or because msg is
+// too large to be encrypted to the public key.
+func Encrypt(random io.Reader, pub *PublicKey, msg []byte) (c1, c2 *big.Int, err error) {
+	pLen := (pub.P.BitLen() + 7) / 8
+	if len(msg) > pLen-11 {
+		err = errors.New("elgamal: message too long")
+		return
+	}
+
+	// EM = 0x02 || PS || 0x00 || M
+	em := make([]byte, pLen-1)
+	em[0] = 2
+	ps, mm := em[1:len(em)-len(msg)-1], em[len(em)-len(msg):]
+	err = nonZeroRandomBytes(ps, random)
+	if err != nil {
+		return
+	}
+	em[len(em)-len(msg)-1] = 0
+	copy(mm, msg)
+
+	m := new(big.Int).SetBytes(em)
+
+	k, err := rand.Int(random, pub.P)
+	if err != nil {
+		return
+	}
+
+	c1 = new(big.Int).Exp(pub.G, k, pub.P)
+	s := new(big.Int).Exp(pub.Y, k, pub.P)
+	c2 = s.Mul(s, m)
+	c2.Mod(c2, pub.P)
+
+	return
+}
+
+// Decrypt takes two integers, resulting from an ElGamal encryption, and
+// returns the plaintext of the message. An error can result only if the
+// ciphertext is invalid. Users should keep in mind that this is a padding
+// oracle and thus, if exposed to an adaptive chosen ciphertext attack, can
+// be used to break the cryptosystem.  See “Chosen Ciphertext Attacks
+// Against Protocols Based on the RSA Encryption Standard PKCS #1”, Daniel
+// Bleichenbacher, Advances in Cryptology (Crypto '98),
+func Decrypt(priv *PrivateKey, c1, c2 *big.Int) (msg []byte, err error) {
+	s := new(big.Int).Exp(c1, priv.X, priv.P)
+	if s.ModInverse(s, priv.P) == nil {
+		return nil, errors.New("elgamal: invalid private key")
+	}
+	s.Mul(s, c2)
+	s.Mod(s, priv.P)
+	em := s.Bytes()
+
+	firstByteIsTwo := subtle.ConstantTimeByteEq(em[0], 2)
+
+	// The remainder of the plaintext must be a string of non-zero random
+	// octets, followed by a 0, followed by the message.
+	//   lookingForIndex: 1 iff we are still looking for the zero.
+	//   index: the offset of the first zero byte.
+	var lookingForIndex, index int
+	lookingForIndex = 1
+
+	for i := 1; i < len(em); i++ {
+		equals0 := subtle.ConstantTimeByteEq(em[i], 0)
+		index = subtle.ConstantTimeSelect(lookingForIndex&equals0, i, index)
+		lookingForIndex = subtle.ConstantTimeSelect(equals0, 0, lookingForIndex)
+	}
+
+	if firstByteIsTwo != 1 || lookingForIndex != 0 || index < 9 {
+		return nil, errors.New("elgamal: decryption error")
+	}
+	return em[index+1:], nil
+}
+
+// nonZeroRandomBytes fills the given slice with non-zero random octets.
+func nonZeroRandomBytes(s []byte, rand io.Reader) (err error) {
+	_, err = io.ReadFull(rand, s)
+	if err != nil {
+		return
+	}
+
+	for i := 0; i < len(s); i++ {
+		for s[i] == 0 {
+			_, err = io.ReadFull(rand, s[i:i+1])
+			if err != nil {
+				return
+			}
+		}
+	}
+
+	return
+}

source/vendor/github.com/ProtonMail/go-crypto/openpgp/errors/errors.go

+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package errors contains common error types for the OpenPGP packages.
+package errors // import "github.com/ProtonMail/go-crypto/openpgp/errors"
+
+import (
+	"strconv"
+)
+
+var (
+	// ErrDecryptSessionKeyParsing is a generic error message for parsing errors in decrypted data
+	// to reduce the risk of oracle attacks.
+	ErrDecryptSessionKeyParsing = DecryptWithSessionKeyError("parsing error")
+	// ErrAEADTagVerification is returned if one of the tag verifications in SEIPDv2 fails
+	ErrAEADTagVerification error = DecryptWithSessionKeyError("AEAD tag verification failed")
+	// ErrMDCHashMismatch
+	ErrMDCHashMismatch error = SignatureError("MDC hash mismatch")
+	// ErrMDCMissing
+	ErrMDCMissing error = SignatureError("MDC packet not found")
+)
+
+// A StructuralError is returned when OpenPGP data is found to be syntactically
+// invalid.
+type StructuralError string
+
+func (s StructuralError) Error() string {
+	return "openpgp: invalid data: " + string(s)
+}
+
+// A DecryptWithSessionKeyError is returned when a failure occurs when reading from symmetrically decrypted data or
+// an authentication tag verification fails.
+// Such an error indicates that the supplied session key is likely wrong or the data got corrupted.
+type DecryptWithSessionKeyError string
+
+func (s DecryptWithSessionKeyError) Error() string {
+	return "openpgp: decryption with session key failed: " + string(s)
+}
+
+// HandleSensitiveParsingError handles parsing errors when reading data from potentially decrypted data.
+// The function makes parsing errors generic to reduce the risk of oracle attacks in SEIPDv1.
+func HandleSensitiveParsingError(err error, decrypted bool) error {
+	if !decrypted {
+		// Data was not encrypted so we return the inner error.
+		return err
+	}
+	// The data is read from a stream that decrypts using a session key;
+	// therefore, we need to handle parsing errors appropriately.
+	// This is essential to mitigate the risk of oracle attacks.
+	if decError, ok := err.(*DecryptWithSessionKeyError); ok {
+		return decError
+	}
+	if decError, ok := err.(DecryptWithSessionKeyError); ok {
+		return decError
+	}
+	return ErrDecryptSessionKeyParsing
+}
+
+// UnsupportedError indicates that, although the OpenPGP data is valid, it
+// makes use of currently unimplemented features.
+type UnsupportedError string
+
+func (s UnsupportedError) Error() string {
+	return "openpgp: unsupported feature: " + string(s)
+}
+
+// InvalidArgumentError indicates that the caller is in error and passed an
+// incorrect value.
+type InvalidArgumentError string
+
+func (i InvalidArgumentError) Error() string {
+	return "openpgp: invalid argument: " + string(i)
+}
+
+// SignatureError indicates that a syntactically valid signature failed to
+// validate.
+type SignatureError string
+
+func (b SignatureError) Error() string {
+	return "openpgp: invalid signature: " + string(b)
+}
+
+type signatureExpiredError int
+
+func (se signatureExpiredError) Error() string {
+	return "openpgp: signature expired"
+}
+
+var ErrSignatureExpired error = signatureExpiredError(0)
+
+type keyExpiredError int
+
+func (ke keyExpiredError) Error() string {
+	return "openpgp: key expired"
+}
+
+var ErrSignatureOlderThanKey error = signatureOlderThanKeyError(0)
+
+type signatureOlderThanKeyError int
+
+func (ske signatureOlderThanKeyError) Error() string {
+	return "openpgp: signature is older than the key"
+}
+
+var ErrKeyExpired error = keyExpiredError(0)
+
+type keyIncorrectError int
+
+func (ki keyIncorrectError) Error() string {
+	return "openpgp: incorrect key"
+}
+
+var ErrKeyIncorrect error = keyIncorrectError(0)
+
+// KeyInvalidError indicates that the public key parameters are invalid
+// as they do not match the private ones
+type KeyInvalidError string
+
+func (e KeyInvalidError) Error() string {
+	return "openpgp: invalid key: " + string(e)
+}
+
+type unknownIssuerError int
+
+func (unknownIssuerError) Error() string {
+	return "openpgp: signature made by unknown entity"
+}
+
+var ErrUnknownIssuer error = unknownIssuerError(0)
+
+type keyRevokedError int
+
+func (keyRevokedError) Error() string {
+	return "openpgp: signature made by revoked key"
+}
+
+var ErrKeyRevoked error = keyRevokedError(0)
+
+type WeakAlgorithmError string
+
+func (e WeakAlgorithmError) Error() string {
+	return "openpgp: weak algorithms are rejected: " + string(e)
+}
+
+type UnknownPacketTypeError uint8
+
+func (upte UnknownPacketTypeError) Error() string {
+	return "openpgp: unknown packet type: " + strconv.Itoa(int(upte))
+}
+
+type CriticalUnknownPacketTypeError uint8
+
+func (upte CriticalUnknownPacketTypeError) Error() string {
+	return "openpgp: unknown critical packet type: " + strconv.Itoa(int(upte))
+}
+
+// AEADError indicates that there is a problem when initializing or using a
+// AEAD instance, configuration struct, nonces or index values.
+type AEADError string
+
+func (ae AEADError) Error() string {
+	return "openpgp: aead error: " + string(ae)
+}
+
+// ErrDummyPrivateKey results when operations are attempted on a private key
+// that is just a dummy key. See
+// https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS;h=fe55ae16ab4e26d8356dc574c9e8bc935e71aef1;hb=23191d7851eae2217ecdac6484349849a24fd94a#l1109
+type ErrDummyPrivateKey string
+
+func (dke ErrDummyPrivateKey) Error() string {
+	return "openpgp: s2k GNU dummy key: " + string(dke)
+}
+
+// ErrMalformedMessage results when the packet sequence is incorrect
+type ErrMalformedMessage string
+
+func (dke ErrMalformedMessage) Error() string {
+	return "openpgp: malformed message " + string(dke)
+}

source/vendor/github.com/ProtonMail/go-crypto/openpgp/hash.go

+package openpgp
+
+import (
+	"crypto"
+
+	"github.com/ProtonMail/go-crypto/openpgp/internal/algorithm"
+)
+
+// HashIdToHash returns a crypto.Hash which corresponds to the given OpenPGP
+// hash id.
+func HashIdToHash(id byte) (h crypto.Hash, ok bool) {
+	return algorithm.HashIdToHash(id)
+}
+
+// HashIdToString returns the name of the hash function corresponding to the
+// given OpenPGP hash id.
+func HashIdToString(id byte) (name string, ok bool) {
+	return algorithm.HashIdToString(id)
+}
+
+// HashToHashId returns an OpenPGP hash id which corresponds the given Hash.
+func HashToHashId(h crypto.Hash) (id byte, ok bool) {
+	return algorithm.HashToHashId(h)
+}

source/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/aead.go

+// Copyright (C) 2019 ProtonTech AG
+
+package algorithm
+
+import (
+	"crypto/cipher"
+	"github.com/ProtonMail/go-crypto/eax"
+	"github.com/ProtonMail/go-crypto/ocb"
+)
+
+// AEADMode defines the Authenticated Encryption with Associated Data mode of
+// operation.
+type AEADMode uint8
+
+// Supported modes of operation (see RFC4880bis [EAX] and RFC7253)
+const (
+	AEADModeEAX = AEADMode(1)
+	AEADModeOCB = AEADMode(2)
+	AEADModeGCM = AEADMode(3)
+)
+
+// TagLength returns the length in bytes of authentication tags.
+func (mode AEADMode) TagLength() int {
+	switch mode {
+	case AEADModeEAX:
+		return 16
+	case AEADModeOCB:
+		return 16
+	case AEADModeGCM:
+		return 16
+	default:
+		return 0
+	}
+}
+
+// NonceLength returns the length in bytes of nonces.
+func (mode AEADMode) NonceLength() int {
+	switch mode {
+	case AEADModeEAX:
+		return 16
+	case AEADModeOCB:
+		return 15
+	case AEADModeGCM:
+		return 12
+	default:
+		return 0
+	}
+}
+
+// New returns a fresh instance of the given mode
+func (mode AEADMode) New(block cipher.Block) (alg cipher.AEAD) {
+	var err error
+	switch mode {
+	case AEADModeEAX:
+		alg, err = eax.NewEAX(block)
+	case AEADModeOCB:
+		alg, err = ocb.NewOCB(block)
+	case AEADModeGCM:
+		alg, err = cipher.NewGCM(block)
+	}
+	if err != nil {
+		panic(err.Error())
+	}
+	return alg
+}

source/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/cipher.go

+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package algorithm
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/des"
+
+	"golang.org/x/crypto/cast5"
+)
+
+// Cipher is an official symmetric key cipher algorithm. See RFC 4880,
+// section 9.2.
+type Cipher interface {
+	// Id returns the algorithm ID, as a byte, of the cipher.
+	Id() uint8
+	// KeySize returns the key size, in bytes, of the cipher.
+	KeySize() int
+	// BlockSize returns the block size, in bytes, of the cipher.
+	BlockSize() int
+	// New returns a fresh instance of the given cipher.
+	New(key []byte) cipher.Block
+}
+
+// The following constants mirror the OpenPGP standard (RFC 4880).
+const (
+	TripleDES = CipherFunction(2)
+	CAST5     = CipherFunction(3)
+	AES128    = CipherFunction(7)
+	AES192    = CipherFunction(8)
+	AES256    = CipherFunction(9)
+)
+
+// CipherById represents the different block ciphers specified for OpenPGP. See
+// http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-13
+var CipherById = map[uint8]Cipher{
+	TripleDES.Id(): TripleDES,
+	CAST5.Id():     CAST5,
+	AES128.Id():    AES128,
+	AES192.Id():    AES192,
+	AES256.Id():    AES256,
+}
+
+type CipherFunction uint8
+
+// ID returns the algorithm Id, as a byte, of cipher.
+func (sk CipherFunction) Id() uint8 {
+	return uint8(sk)
+}
+
+// KeySize returns the key size, in bytes, of cipher.
+func (cipher CipherFunction) KeySize() int {
+	switch cipher {
+	case CAST5:
+		return cast5.KeySize
+	case AES128:
+		return 16
+	case AES192, TripleDES:
+		return 24
+	case AES256:
+		return 32
+	}
+	return 0
+}
+
+// BlockSize returns the block size, in bytes, of cipher.
+func (cipher CipherFunction) BlockSize() int {
+	switch cipher {
+	case TripleDES:
+		return des.BlockSize
+	case CAST5:
+		return 8
+	case AES128, AES192, AES256:
+		return 16
+	}
+	return 0
+}
+
+// New returns a fresh instance of the given cipher.
+func (cipher CipherFunction) New(key []byte) (block cipher.Block) {
+	var err error
+	switch cipher {
+	case TripleDES:
+		block, err = des.NewTripleDESCipher(key)
+	case CAST5:
+		block, err = cast5.NewCipher(key)
+	case AES128, AES192, AES256:
+		block, err = aes.NewCipher(key)
+	}
+	if err != nil {
+		panic(err.Error())
+	}
+	return
+}

source/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/hash.go

+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package algorithm
+
+import (
+	"crypto"
+	"fmt"
+	"hash"
+)
+
+// Hash is an official hash function algorithm. See RFC 4880, section 9.4.
+type Hash interface {
+	// Id returns the algorithm ID, as a byte, of Hash.
+	Id() uint8
+	// Available reports whether the given hash function is linked into the binary.
+	Available() bool
+	// HashFunc simply returns the value of h so that Hash implements SignerOpts.
+	HashFunc() crypto.Hash
+	// New returns a new hash.Hash calculating the given hash function. New
+	// panics if the hash function is not linked into the binary.
+	New() hash.Hash
+	// Size returns the length, in bytes, of a digest resulting from the given
+	// hash function. It doesn't require that the hash function in question be
+	// linked into the program.
+	Size() int
+	// String is the name of the hash function corresponding to the given
+	// OpenPGP hash id.
+	String() string
+}
+
+// The following vars mirror the crypto/Hash supported hash functions.
+var (
+	SHA1     Hash = cryptoHash{2, crypto.SHA1}
+	SHA256   Hash = cryptoHash{8, crypto.SHA256}
+	SHA384   Hash = cryptoHash{9, crypto.SHA384}
+	SHA512   Hash = cryptoHash{10, crypto.SHA512}
+	SHA224   Hash = cryptoHash{11, crypto.SHA224}
+	SHA3_256 Hash = cryptoHash{12, crypto.SHA3_256}
+	SHA3_512 Hash = cryptoHash{14, crypto.SHA3_512}
+)
+
+// HashById represents the different hash functions specified for OpenPGP. See
+// http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-14
+var (
+	HashById = map[uint8]Hash{
+		SHA256.Id():   SHA256,
+		SHA384.Id():   SHA384,
+		SHA512.Id():   SHA512,
+		SHA224.Id():   SHA224,
+		SHA3_256.Id(): SHA3_256,
+		SHA3_512.Id(): SHA3_512,
+	}
+)
+
+// cryptoHash contains pairs relating OpenPGP's hash identifier with
+// Go's crypto.Hash type. See RFC 4880, section 9.4.
+type cryptoHash struct {
+	id uint8
+	crypto.Hash
+}
+
+// Id returns the algorithm ID, as a byte, of cryptoHash.
+func (h cryptoHash) Id() uint8 {
+	return h.id
+}
+
+var hashNames = map[uint8]string{
+	SHA256.Id():   "SHA256",
+	SHA384.Id():   "SHA384",
+	SHA512.Id():   "SHA512",
+	SHA224.Id():   "SHA224",
+	SHA3_256.Id(): "SHA3-256",
+	SHA3_512.Id(): "SHA3-512",
+}
+
+func (h cryptoHash) String() string {
+	s, ok := hashNames[h.id]
+	if !ok {
+		panic(fmt.Sprintf("Unsupported hash function %d", h.id))
+	}
+	return s
+}
+
+// HashIdToHash returns a crypto.Hash which corresponds to the given OpenPGP
+// hash id.
+func HashIdToHash(id byte) (h crypto.Hash, ok bool) {
+	if hash, ok := HashById[id]; ok {
+		return hash.HashFunc(), true
+	}
+	return 0, false
+}
+
+// HashIdToHashWithSha1 returns a crypto.Hash which corresponds to the given OpenPGP
+// hash id, allowing sha1.
+func HashIdToHashWithSha1(id byte) (h crypto.Hash, ok bool) {
+	if hash, ok := HashById[id]; ok {
+		return hash.HashFunc(), true
+	}
+
+	if id == SHA1.Id() {
+		return SHA1.HashFunc(), true
+	}
+
+	return 0, false
+}
+
+// HashIdToString returns the name of the hash function corresponding to the
+// given OpenPGP hash id.
+func HashIdToString(id byte) (name string, ok bool) {
+	if hash, ok := HashById[id]; ok {
+		return hash.String(), true
+	}
+	return "", false
+}
+
+// HashToHashId returns an OpenPGP hash id which corresponds the given Hash.
+func HashToHashId(h crypto.Hash) (id byte, ok bool) {
+	for id, hash := range HashById {
+		if hash.HashFunc() == h {
+			return id, true
+		}
+	}
+
+	return 0, false
+}
+
+// HashToHashIdWithSha1 returns an OpenPGP hash id which corresponds the given Hash,
+// allowing instances of SHA1
+func HashToHashIdWithSha1(h crypto.Hash) (id byte, ok bool) {
+	for id, hash := range HashById {
+		if hash.HashFunc() == h {
+			return id, true
+		}
+	}
+
+	if h == SHA1.HashFunc() {
+		return SHA1.Id(), true
+	}
+
+	return 0, false
+}

source/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/curve25519.go

+// Package ecc implements a generic interface for ECDH, ECDSA, and EdDSA.
+package ecc
+
+import (
+	"crypto/subtle"
+	"io"
+
+	"github.com/ProtonMail/go-crypto/openpgp/errors"
+	x25519lib "github.com/cloudflare/circl/dh/x25519"
+)
+
+type curve25519 struct{}
+
+func NewCurve25519() *curve25519 {
+	return &curve25519{}
+}
+
+func (c *curve25519) GetCurveName() string {
+	return "curve25519"
+}
+
+// MarshalBytePoint encodes the public point from native format, adding the prefix.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6
+func (c *curve25519) MarshalBytePoint(point []byte) []byte {
+	return append([]byte{0x40}, point...)
+}
+
+// UnmarshalBytePoint decodes the public point to native format, removing the prefix.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6
+func (c *curve25519) UnmarshalBytePoint(point []byte) []byte {
+	if len(point) != x25519lib.Size+1 {
+		return nil
+	}
+
+	// Remove prefix
+	return point[1:]
+}
+
+// MarshalByteSecret encodes the secret scalar from native format.
+// Note that the EC secret scalar differs from the definition of public keys in
+// [Curve25519] in two ways: (1) the byte-ordering is big-endian, which is
+// more uniform with how big integers are represented in OpenPGP, and (2) the
+// leading zeros are truncated.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6.1.1
+// Note that leading zero bytes are stripped later when encoding as an MPI.
+func (c *curve25519) MarshalByteSecret(secret []byte) []byte {
+	d := make([]byte, x25519lib.Size)
+	copyReversed(d, secret)
+
+	// The following ensures that the private key is a number of the form
+	// 2^{254} + 8 * [0, 2^{251}), in order to avoid the small subgroup of
+	// the curve.
+	//
+	// This masking is done internally in the underlying lib and so is unnecessary
+	// for security, but OpenPGP implementations require that private keys be
+	// pre-masked.
+	d[0] &= 127
+	d[0] |= 64
+	d[31] &= 248
+
+	return d
+}
+
+// UnmarshalByteSecret decodes the secret scalar from native format.
+// Note that the EC secret scalar differs from the definition of public keys in
+// [Curve25519] in two ways: (1) the byte-ordering is big-endian, which is
+// more uniform with how big integers are represented in OpenPGP, and (2) the
+// leading zeros are truncated.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6.1.1
+func (c *curve25519) UnmarshalByteSecret(d []byte) []byte {
+	if len(d) > x25519lib.Size {
+		return nil
+	}
+
+	// Ensure truncated leading bytes are re-added
+	secret := make([]byte, x25519lib.Size)
+	copyReversed(secret, d)
+
+	return secret
+}
+
+// generateKeyPairBytes Generates a private-public key-pair.
+// 'priv' is a private key; a little-endian scalar belonging to the set
+// 2^{254} + 8 * [0, 2^{251}), in order to avoid the small subgroup of the
+// curve. 'pub' is simply 'priv' * G where G is the base point.
+// See https://cr.yp.to/ecdh.html and RFC7748, sec 5.
+func (c *curve25519) generateKeyPairBytes(rand io.Reader) (priv, pub x25519lib.Key, err error) {
+	_, err = io.ReadFull(rand, priv[:])
+	if err != nil {
+		return
+	}
+
+	x25519lib.KeyGen(&pub, &priv)
+	return
+}
+
+func (c *curve25519) GenerateECDH(rand io.Reader) (point []byte, secret []byte, err error) {
+	priv, pub, err := c.generateKeyPairBytes(rand)
+	if err != nil {
+		return
+	}
+
+	return pub[:], priv[:], nil
+}
+
+func (c *genericCurve) MaskSecret(secret []byte) []byte {
+	return secret
+}
+
+func (c *curve25519) Encaps(rand io.Reader, point []byte) (ephemeral, sharedSecret []byte, err error) {
+	// RFC6637 §8: "Generate an ephemeral key pair {v, V=vG}"
+	// ephemeralPrivate corresponds to `v`.
+	// ephemeralPublic corresponds to `V`.
+	ephemeralPrivate, ephemeralPublic, err := c.generateKeyPairBytes(rand)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// RFC6637 §8: "Obtain the authenticated recipient public key R"
+	// pubKey corresponds to `R`.
+	var pubKey x25519lib.Key
+	copy(pubKey[:], point)
+
+	// RFC6637 §8: "Compute the shared point S = vR"
+	//	"VB = convert point V to the octet string"
+	// sharedPoint corresponds to `VB`.
+	var sharedPoint x25519lib.Key
+	x25519lib.Shared(&sharedPoint, &ephemeralPrivate, &pubKey)
+
+	return ephemeralPublic[:], sharedPoint[:], nil
+}
+
+func (c *curve25519) Decaps(vsG, secret []byte) (sharedSecret []byte, err error) {
+	var ephemeralPublic, decodedPrivate, sharedPoint x25519lib.Key
+	// RFC6637 §8: "The decryption is the inverse of the method given."
+	// All quoted descriptions in comments below describe encryption, and
+	// the reverse is performed.
+	// vsG corresponds to `VB` in RFC6637 §8 .
+
+	// RFC6637 §8: "VB = convert point V to the octet string"
+	copy(ephemeralPublic[:], vsG)
+
+	// decodedPrivate corresponds to `r` in RFC6637 §8 .
+	copy(decodedPrivate[:], secret)
+
+	// RFC6637 §8: "Note that the recipient obtains the shared secret by calculating
+	//   S = rV = rvG, where (r,R) is the recipient's key pair."
+	// sharedPoint corresponds to `S`.
+	x25519lib.Shared(&sharedPoint, &decodedPrivate, &ephemeralPublic)
+
+	return sharedPoint[:], nil
+}
+
+func (c *curve25519) ValidateECDH(point []byte, secret []byte) (err error) {
+	var pk, sk x25519lib.Key
+	copy(sk[:], secret)
+	x25519lib.KeyGen(&pk, &sk)
+
+	if subtle.ConstantTimeCompare(point, pk[:]) == 0 {
+		return errors.KeyInvalidError("ecc: invalid curve25519 public point")
+	}
+
+	return nil
+}
+
+func copyReversed(out []byte, in []byte) {
+	l := len(in)
+	for i := 0; i < l; i++ {
+		out[i] = in[l-i-1]
+	}
+}

source/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/curve_info.go

+// Package ecc implements a generic interface for ECDH, ECDSA, and EdDSA.
+package ecc
+
+import (
+	"bytes"
+	"crypto/elliptic"
+
+	"github.com/ProtonMail/go-crypto/bitcurves"
+	"github.com/ProtonMail/go-crypto/brainpool"
+	"github.com/ProtonMail/go-crypto/openpgp/internal/encoding"
+)
+
+const Curve25519GenName = "Curve25519"
+
+type CurveInfo struct {
+	GenName string
+	Oid     *encoding.OID
+	Curve   Curve
+}
+
+var Curves = []CurveInfo{
+	{
+		// NIST P-256
+		GenName: "P256",
+		Oid:     encoding.NewOID([]byte{0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07}),
+		Curve:   NewGenericCurve(elliptic.P256()),
+	},
+	{
+		// NIST P-384
+		GenName: "P384",
+		Oid:     encoding.NewOID([]byte{0x2B, 0x81, 0x04, 0x00, 0x22}),
+		Curve:   NewGenericCurve(elliptic.P384()),
+	},
+	{
+		// NIST P-521
+		GenName: "P521",
+		Oid:     encoding.NewOID([]byte{0x2B, 0x81, 0x04, 0x00, 0x23}),
+		Curve:   NewGenericCurve(elliptic.P521()),
+	},
+	{
+		// SecP256k1
+		GenName: "SecP256k1",
+		Oid:     encoding.NewOID([]byte{0x2B, 0x81, 0x04, 0x00, 0x0A}),
+		Curve:   NewGenericCurve(bitcurves.S256()),
+	},
+	{
+		// Curve25519
+		GenName: Curve25519GenName,
+		Oid:     encoding.NewOID([]byte{0x2B, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55, 0x01, 0x05, 0x01}),
+		Curve:   NewCurve25519(),
+	},
+	{
+		// x448
+		GenName: "Curve448",
+		Oid:     encoding.NewOID([]byte{0x2B, 0x65, 0x6F}),
+		Curve:   NewX448(),
+	},
+	{
+		// Ed25519
+		GenName: Curve25519GenName,
+		Oid:     encoding.NewOID([]byte{0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01}),
+		Curve:   NewEd25519(),
+	},
+	{
+		// Ed448
+		GenName: "Curve448",
+		Oid:     encoding.NewOID([]byte{0x2B, 0x65, 0x71}),
+		Curve:   NewEd448(),
+	},
+	{
+		// BrainpoolP256r1
+		GenName: "BrainpoolP256",
+		Oid:     encoding.NewOID([]byte{0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x07}),
+		Curve:   NewGenericCurve(brainpool.P256r1()),
+	},
+	{
+		// BrainpoolP384r1
+		GenName: "BrainpoolP384",
+		Oid:     encoding.NewOID([]byte{0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0B}),
+		Curve:   NewGenericCurve(brainpool.P384r1()),
+	},
+	{
+		// BrainpoolP512r1
+		GenName: "BrainpoolP512",
+		Oid:     encoding.NewOID([]byte{0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0D}),
+		Curve:   NewGenericCurve(brainpool.P512r1()),
+	},
+}
+
+func FindByCurve(curve Curve) *CurveInfo {
+	for _, curveInfo := range Curves {
+		if curveInfo.Curve.GetCurveName() == curve.GetCurveName() {
+			return &curveInfo
+		}
+	}
+	return nil
+}
+
+func FindByOid(oid encoding.Field) *CurveInfo {
+	var rawBytes = oid.Bytes()
+	for _, curveInfo := range Curves {
+		if bytes.Equal(curveInfo.Oid.Bytes(), rawBytes) {
+			return &curveInfo
+		}
+	}
+	return nil
+}
+
+func FindEdDSAByGenName(curveGenName string) EdDSACurve {
+	for _, curveInfo := range Curves {
+		if curveInfo.GenName == curveGenName {
+			curve, ok := curveInfo.Curve.(EdDSACurve)
+			if ok {
+				return curve
+			}
+		}
+	}
+	return nil
+}
+
+func FindECDSAByGenName(curveGenName string) ECDSACurve {
+	for _, curveInfo := range Curves {
+		if curveInfo.GenName == curveGenName {
+			curve, ok := curveInfo.Curve.(ECDSACurve)
+			if ok {
+				return curve
+			}
+		}
+	}
+	return nil
+}
+
+func FindECDHByGenName(curveGenName string) ECDHCurve {
+	for _, curveInfo := range Curves {
+		if curveInfo.GenName == curveGenName {
+			curve, ok := curveInfo.Curve.(ECDHCurve)
+			if ok {
+				return curve
+			}
+		}
+	}
+	return nil
+}

source/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/curves.go

+// Package ecc implements a generic interface for ECDH, ECDSA, and EdDSA.
+package ecc
+
+import (
+	"io"
+	"math/big"
+)
+
+type Curve interface {
+	GetCurveName() string
+}
+
+type ECDSACurve interface {
+	Curve
+	MarshalIntegerPoint(x, y *big.Int) []byte
+	UnmarshalIntegerPoint([]byte) (x, y *big.Int)
+	MarshalIntegerSecret(d *big.Int) []byte
+	UnmarshalIntegerSecret(d []byte) *big.Int
+	GenerateECDSA(rand io.Reader) (x, y, secret *big.Int, err error)
+	Sign(rand io.Reader, x, y, d *big.Int, hash []byte) (r, s *big.Int, err error)
+	Verify(x, y *big.Int, hash []byte, r, s *big.Int) bool
+	ValidateECDSA(x, y *big.Int, secret []byte) error
+}
+
+type EdDSACurve interface {
+	Curve
+	MarshalBytePoint(x []byte) []byte
+	UnmarshalBytePoint([]byte) (x []byte)
+	MarshalByteSecret(d []byte) []byte
+	UnmarshalByteSecret(d []byte) []byte
+	MarshalSignature(sig []byte) (r, s []byte)
+	UnmarshalSignature(r, s []byte) (sig []byte)
+	GenerateEdDSA(rand io.Reader) (pub, priv []byte, err error)
+	Sign(publicKey, privateKey, message []byte) (sig []byte, err error)
+	Verify(publicKey, message, sig []byte) bool
+	ValidateEdDSA(publicKey, privateKey []byte) (err error)
+}
+type ECDHCurve interface {
+	Curve
+	MarshalBytePoint([]byte) (encoded []byte)
+	UnmarshalBytePoint(encoded []byte) []byte
+	MarshalByteSecret(d []byte) []byte
+	UnmarshalByteSecret(d []byte) []byte
+	GenerateECDH(rand io.Reader) (point []byte, secret []byte, err error)
+	Encaps(rand io.Reader, point []byte) (ephemeral, sharedSecret []byte, err error)
+	Decaps(ephemeral, secret []byte) (sharedSecret []byte, err error)
+	ValidateECDH(public []byte, secret []byte) error
+}

source/vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/ed25519.go

+// Package ecc implements a generic interface for ECDH, ECDSA, and EdDSA.
+package ecc
+
+import (
+	"bytes"
+	"crypto/subtle"
+	"io"
+
+	"github.com/ProtonMail/go-crypto/openpgp/errors"
+	ed25519lib "github.com/cloudflare/circl/sign/ed25519"
+)
+
+const ed25519Size = 32
+
+type ed25519 struct{}
+
+func NewEd25519() *ed25519 {
+	return &ed25519{}
+}
+
+func (c *ed25519) GetCurveName() string {
+	return "ed25519"
+}
+
+// MarshalBytePoint encodes the public point from native format, adding the prefix.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
+func (c *ed25519) MarshalBytePoint(x []byte) []byte {
+	return append([]byte{0x40}, x...)
+}
+
+// UnmarshalBytePoint decodes a point from prefixed format to native.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
+func (c *ed25519) UnmarshalBytePoint(point []byte) (x []byte) {
+	if len(point) != ed25519lib.PublicKeySize+1 {
+		return nil
+	}
+
+	// Return unprefixed
+	return point[1:]
+}
+
+// MarshalByteSecret encodes a scalar in native format.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
+func (c *ed25519) MarshalByteSecret(d []byte) []byte {
+	return d
+}
+
+// UnmarshalByteSecret decodes a scalar in native format and re-adds the stripped leading zeroes
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
+func (c *ed25519) UnmarshalByteSecret(s []byte) (d []byte) {
+	if len(s) > ed25519lib.SeedSize {
+		return nil
+	}
+
+	// Handle stripped leading zeroes
+	d = make([]byte, ed25519lib.SeedSize)
+	copy(d[ed25519lib.SeedSize-len(s):], s)
+	return
+}
+
+// MarshalSignature splits a signature in R and S.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.2.3.3.1
+func (c *ed25519) MarshalSignature(sig []byte) (r, s []byte) {
+	return sig[:ed25519Size], sig[ed25519Size:]
+}
+
+// UnmarshalSignature decodes R and S in the native format, re-adding the stripped leading zeroes
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.2.3.3.1
+func (c *ed25519) UnmarshalSignature(r, s []byte) (sig []byte) {
+	// Check size
+	if len(r) > 32 || len(s) > 32 {
+		return nil
+	}
+
+	sig = make([]byte, ed25519lib.SignatureSize)
+
+	// Handle stripped leading zeroes
+	copy(sig[ed25519Size-len(r):ed25519Size], r)
+	copy(sig[ed25519lib.SignatureSize-len(s):], s)
+	return sig
+}
+
+func (c *ed25519) GenerateEdDSA(rand io.Reader) (pub, priv []byte, err error) {
+	pk, sk, err := ed25519lib.GenerateKey(rand)
+
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return pk, sk[:ed25519lib.SeedSize], nil
+}
+
+func getEd25519Sk(publicKey, privateKey []byte) ed25519lib.PrivateKey {
+	privateKeyCap, privateKeyLen, publicKeyLen := cap(privateKey), len(privateKey), len(publicKey)
+
+	if privateKeyCap >= privateKeyLen+publicKeyLen &&
+		bytes.Equal(privateKey[privateKeyLen:privateKeyLen+publicKeyLen], publicKey) {
+		return privateKey[:privateKeyLen+publicKeyLen]
+	}
+
+	return append(privateKey[:privateKeyLen:privateKeyLen], publicKey...)
+}
+
+func (c *ed25519) Sign(publicKey, privateKey, message []byte) (sig []byte, err error) {
+	sig = ed25519lib.Sign(getEd25519Sk(publicKey, privateKey), message)
+	return sig, nil
+}
+
+func (c *ed25519) Verify(publicKey, message, sig []byte) bool {
+	return ed25519lib.Verify(publicKey, message, sig)
+}
+
+func (c *ed25519) ValidateEdDSA(publicKey, privateKey []byte) (err error) {
+	priv := getEd25519Sk(publicKey, privateKey)
+	expectedPriv := ed25519lib.NewKeyFromSeed(priv.Seed())
+	if subtle.ConstantTimeCompare(priv, expectedPriv) == 0 {
+		return errors.KeyInvalidError("ecc: invalid ed25519 secret")
+	}
+	return nil
+}