Bump github.com/hashicorp/terraform-plugin-sdk/v2 from 2.26.1 to 2.27.0

Bumps [github.com/hashicorp/terraform-plugin-sdk/v2](https://github.com/hashicorp/terraform-plugin-sdk) from 2.26.1 to 2.27.0.
- [Release notes](https://github.com/hashicorp/terraform-plugin-sdk/releases)
- [Changelog](https://github.com/hashicorp/terraform-plugin-sdk/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/terraform-plugin-sdk/compare/v2.26.1...v2.27.0)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/terraform-plugin-sdk/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/aead.go

@@ -0,0 +1,65 @@
+// Copyright (C) 2019 ProtonTech AG
+
+package algorithm
+
+import (
+	"crypto/cipher"
+	"github.com/ProtonMail/go-crypto/eax"
+	"github.com/ProtonMail/go-crypto/ocb"
+)
+
+// AEADMode defines the Authenticated Encryption with Associated Data mode of
+// operation.
+type AEADMode uint8
+
+// Supported modes of operation (see RFC4880bis [EAX] and RFC7253)
+const (
+	AEADModeEAX = AEADMode(1)
+	AEADModeOCB = AEADMode(2)
+	AEADModeGCM = AEADMode(3)
+)
+
+// TagLength returns the length in bytes of authentication tags.
+func (mode AEADMode) TagLength() int {
+	switch mode {
+	case AEADModeEAX:
+		return 16
+	case AEADModeOCB:
+		return 16
+	case AEADModeGCM:
+		return 16
+	default:
+		return 0
+	}
+}
+
+// NonceLength returns the length in bytes of nonces.
+func (mode AEADMode) NonceLength() int {
+	switch mode {
+	case AEADModeEAX:
+		return 16
+	case AEADModeOCB:
+		return 15
+	case AEADModeGCM:
+		return 12
+	default:
+		return 0
+	}
+}
+
+// New returns a fresh instance of the given mode
+func (mode AEADMode) New(block cipher.Block) (alg cipher.AEAD) {
+	var err error
+	switch mode {
+	case AEADModeEAX:
+		alg, err = eax.NewEAX(block)
+	case AEADModeOCB:
+		alg, err = ocb.NewOCB(block)
+	case AEADModeGCM:
+		alg, err = cipher.NewGCM(block)
+	}
+	if err != nil {
+		panic(err.Error())
+	}
+	return alg
+}

vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/cipher.go

@@ -0,0 +1,107 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package algorithm
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/des"
+
+	"golang.org/x/crypto/cast5"
+)
+
+// Cipher is an official symmetric key cipher algorithm. See RFC 4880,
+// section 9.2.
+type Cipher interface {
+	// Id returns the algorithm ID, as a byte, of the cipher.
+	Id() uint8
+	// KeySize returns the key size, in bytes, of the cipher.
+	KeySize() int
+	// BlockSize returns the block size, in bytes, of the cipher.
+	BlockSize() int
+	// New returns a fresh instance of the given cipher.
+	New(key []byte) cipher.Block
+}
+
+// The following constants mirror the OpenPGP standard (RFC 4880).
+const (
+	TripleDES = CipherFunction(2)
+	CAST5     = CipherFunction(3)
+	AES128    = CipherFunction(7)
+	AES192    = CipherFunction(8)
+	AES256    = CipherFunction(9)
+)
+
+// CipherById represents the different block ciphers specified for OpenPGP. See
+// http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-13
+var CipherById = map[uint8]Cipher{
+	TripleDES.Id(): TripleDES,
+	CAST5.Id():     CAST5,
+	AES128.Id():    AES128,
+	AES192.Id():    AES192,
+	AES256.Id():    AES256,
+}
+
+type CipherFunction uint8
+
+// ID returns the algorithm Id, as a byte, of cipher.
+func (sk CipherFunction) Id() uint8 {
+	return uint8(sk)
+}
+
+var keySizeByID = map[uint8]int{
+	TripleDES.Id(): 24,
+	CAST5.Id():     cast5.KeySize,
+	AES128.Id():    16,
+	AES192.Id():    24,
+	AES256.Id():    32,
+}
+
+// KeySize returns the key size, in bytes, of cipher.
+func (cipher CipherFunction) KeySize() int {
+	switch cipher {
+	case TripleDES:
+		return 24
+	case CAST5:
+		return cast5.KeySize
+	case AES128:
+		return 16
+	case AES192:
+		return 24
+	case AES256:
+		return 32
+	}
+	return 0
+}
+
+// BlockSize returns the block size, in bytes, of cipher.
+func (cipher CipherFunction) BlockSize() int {
+	switch cipher {
+	case TripleDES:
+		return des.BlockSize
+	case CAST5:
+		return 8
+	case AES128, AES192, AES256:
+		return 16
+	}
+	return 0
+}
+
+// New returns a fresh instance of the given cipher.
+func (cipher CipherFunction) New(key []byte) (block cipher.Block) {
+	var err error
+	switch cipher {
+	case TripleDES:
+		block, err = des.NewTripleDESCipher(key)
+	case CAST5:
+		block, err = cast5.NewCipher(key)
+	case AES128, AES192, AES256:
+		block, err = aes.NewCipher(key)
+	}
+	if err != nil {
+		panic(err.Error())
+	}
+	return
+}

vendor/github.com/ProtonMail/go-crypto/openpgp/internal/algorithm/hash.go

@@ -0,0 +1,143 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package algorithm
+
+import (
+	"crypto"
+	"fmt"
+	"hash"
+)
+
+// Hash is an official hash function algorithm. See RFC 4880, section 9.4.
+type Hash interface {
+	// Id returns the algorithm ID, as a byte, of Hash.
+	Id() uint8
+	// Available reports whether the given hash function is linked into the binary.
+	Available() bool
+	// HashFunc simply returns the value of h so that Hash implements SignerOpts.
+	HashFunc() crypto.Hash
+	// New returns a new hash.Hash calculating the given hash function. New
+	// panics if the hash function is not linked into the binary.
+	New() hash.Hash
+	// Size returns the length, in bytes, of a digest resulting from the given
+	// hash function. It doesn't require that the hash function in question be
+	// linked into the program.
+	Size() int
+	// String is the name of the hash function corresponding to the given
+	// OpenPGP hash id.
+	String() string
+}
+
+// The following vars mirror the crypto/Hash supported hash functions.
+var (
+	SHA1      Hash = cryptoHash{2, crypto.SHA1}
+	SHA256    Hash = cryptoHash{8, crypto.SHA256}
+	SHA384    Hash = cryptoHash{9, crypto.SHA384}
+	SHA512    Hash = cryptoHash{10, crypto.SHA512}
+	SHA224    Hash = cryptoHash{11, crypto.SHA224}
+	SHA3_256  Hash = cryptoHash{12, crypto.SHA3_256}
+	SHA3_512  Hash = cryptoHash{14, crypto.SHA3_512}
+)
+
+// HashById represents the different hash functions specified for OpenPGP. See
+// http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-14
+var (
+	HashById = map[uint8]Hash{
+		SHA256.Id():    SHA256,
+		SHA384.Id():    SHA384,
+		SHA512.Id():    SHA512,
+		SHA224.Id():    SHA224,
+		SHA3_256.Id():  SHA3_256,
+		SHA3_512.Id():  SHA3_512,
+	}
+)
+
+// cryptoHash contains pairs relating OpenPGP's hash identifier with
+// Go's crypto.Hash type. See RFC 4880, section 9.4.
+type cryptoHash struct {
+	id uint8
+	crypto.Hash
+}
+
+// Id returns the algorithm ID, as a byte, of cryptoHash.
+func (h cryptoHash) Id() uint8 {
+	return h.id
+}
+
+var hashNames = map[uint8]string{
+	SHA256.Id():    "SHA256",
+	SHA384.Id():    "SHA384",
+	SHA512.Id():    "SHA512",
+	SHA224.Id():    "SHA224",
+	SHA3_256.Id():  "SHA3-256",
+	SHA3_512.Id():  "SHA3-512",
+}
+
+func (h cryptoHash) String() string {
+	s, ok := hashNames[h.id]
+	if !ok {
+		panic(fmt.Sprintf("Unsupported hash function %d", h.id))
+	}
+	return s
+}
+
+// HashIdToHash returns a crypto.Hash which corresponds to the given OpenPGP
+// hash id.
+func HashIdToHash(id byte) (h crypto.Hash, ok bool) {
+	if hash, ok := HashById[id]; ok {
+		return hash.HashFunc(), true
+	}
+	return 0, false
+}
+
+// HashIdToHashWithSha1 returns a crypto.Hash which corresponds to the given OpenPGP
+// hash id, allowing sha1.
+func HashIdToHashWithSha1(id byte) (h crypto.Hash, ok bool) {
+	if hash, ok := HashById[id]; ok {
+		return hash.HashFunc(), true
+	}
+
+	if id == SHA1.Id() {
+		return SHA1.HashFunc(), true
+	}
+
+	return 0, false
+}
+
+// HashIdToString returns the name of the hash function corresponding to the
+// given OpenPGP hash id.
+func HashIdToString(id byte) (name string, ok bool) {
+	if hash, ok := HashById[id]; ok {
+		return hash.String(), true
+	}
+	return "", false
+}
+
+// HashToHashId returns an OpenPGP hash id which corresponds the given Hash.
+func HashToHashId(h crypto.Hash) (id byte, ok bool) {
+	for id, hash := range HashById {
+		if hash.HashFunc() == h {
+			return id, true
+		}
+	}
+
+	return 0, false
+}
+
+// HashToHashIdWithSha1 returns an OpenPGP hash id which corresponds the given Hash,
+// allowing instances of SHA1
+func HashToHashIdWithSha1(h crypto.Hash) (id byte, ok bool) {
+	for id, hash := range HashById {
+		if hash.HashFunc() == h {
+			return id, true
+		}
+	}
+
+	if h == SHA1.HashFunc() {
+		return SHA1.Id(), true
+	}
+
+	return 0, false
+}

vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/curve25519.go

@@ -0,0 +1,171 @@
+// Package ecc implements a generic interface for ECDH, ECDSA, and EdDSA.
+package ecc
+
+import (
+	"crypto/subtle"
+	"io"
+
+	"github.com/ProtonMail/go-crypto/openpgp/errors"
+	x25519lib "github.com/cloudflare/circl/dh/x25519"
+)
+
+type curve25519 struct {}
+
+func NewCurve25519() *curve25519 {
+	return &curve25519{}
+}
+
+func (c *curve25519) GetCurveName() string {
+	return "curve25519"
+}
+
+// MarshalBytePoint encodes the public point from native format, adding the prefix.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6
+func (c *curve25519) MarshalBytePoint(point [] byte) []byte {
+	return append([]byte{0x40}, point...)
+}
+
+// UnmarshalBytePoint decodes the public point to native format, removing the prefix.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6
+func (c *curve25519) UnmarshalBytePoint(point []byte) []byte {
+	if len(point) != x25519lib.Size + 1 {
+		return nil
+	}
+
+	// Remove prefix
+	return point[1:]
+}
+
+// MarshalByteSecret encodes the secret scalar from native format.
+// Note that the EC secret scalar differs from the definition of public keys in
+// [Curve25519] in two ways: (1) the byte-ordering is big-endian, which is
+// more uniform with how big integers are represented in OpenPGP, and (2) the
+// leading zeros are truncated.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6.1.1
+// Note that leading zero bytes are stripped later when encoding as an MPI.
+func (c *curve25519) MarshalByteSecret(secret []byte) []byte {
+	d := make([]byte, x25519lib.Size)
+	copyReversed(d, secret)
+
+	// The following ensures that the private key is a number of the form
+	// 2^{254} + 8 * [0, 2^{251}), in order to avoid the small subgroup of
+	// the curve.
+	//
+	// This masking is done internally in the underlying lib and so is unnecessary
+	// for security, but OpenPGP implementations require that private keys be
+	// pre-masked.
+	d[0] &= 127
+	d[0] |= 64
+	d[31] &= 248
+
+	return d
+}
+
+// UnmarshalByteSecret decodes the secret scalar from native format.
+// Note that the EC secret scalar differs from the definition of public keys in
+// [Curve25519] in two ways: (1) the byte-ordering is big-endian, which is
+// more uniform with how big integers are represented in OpenPGP, and (2) the
+// leading zeros are truncated.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6.1.1
+func (c *curve25519) UnmarshalByteSecret(d []byte) []byte {
+	if len(d) > x25519lib.Size {
+		return nil
+	}
+
+	// Ensure truncated leading bytes are re-added
+	secret := make([]byte, x25519lib.Size)
+	copyReversed(secret, d)
+
+	return secret
+}
+
+// generateKeyPairBytes Generates a private-public key-pair.
+// 'priv' is a private key; a little-endian scalar belonging to the set
+// 2^{254} + 8 * [0, 2^{251}), in order to avoid the small subgroup of the
+// curve. 'pub' is simply 'priv' * G where G is the base point.
+// See https://cr.yp.to/ecdh.html and RFC7748, sec 5.
+func (c *curve25519) generateKeyPairBytes(rand io.Reader) (priv, pub x25519lib.Key, err error) {
+	_, err = io.ReadFull(rand, priv[:])
+	if err != nil {
+		return
+	}
+
+	x25519lib.KeyGen(&pub, &priv)
+	return
+}
+
+func (c *curve25519) GenerateECDH(rand io.Reader) (point []byte, secret []byte, err error) {
+	priv, pub, err := c.generateKeyPairBytes(rand)
+	if err != nil {
+		return
+	}
+
+	return pub[:], priv[:], nil
+}
+
+func (c *genericCurve) MaskSecret(secret []byte) []byte {
+	return secret
+}
+
+func (c *curve25519) Encaps(rand io.Reader, point []byte) (ephemeral, sharedSecret []byte, err error) {
+	// RFC6637 §8: "Generate an ephemeral key pair {v, V=vG}"
+	// ephemeralPrivate corresponds to `v`.
+	// ephemeralPublic corresponds to `V`.
+	ephemeralPrivate, ephemeralPublic, err := c.generateKeyPairBytes(rand)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// RFC6637 §8: "Obtain the authenticated recipient public key R"
+	// pubKey corresponds to `R`.
+	var pubKey x25519lib.Key
+	copy(pubKey[:], point)
+
+	// RFC6637 §8: "Compute the shared point S = vR"
+	//	"VB = convert point V to the octet string"
+	// sharedPoint corresponds to `VB`.
+	var sharedPoint x25519lib.Key
+	x25519lib.Shared(&sharedPoint, &ephemeralPrivate, &pubKey)
+
+	return ephemeralPublic[:], sharedPoint[:], nil
+}
+
+func (c *curve25519) Decaps(vsG, secret []byte) (sharedSecret []byte, err error) {
+	var ephemeralPublic, decodedPrivate, sharedPoint x25519lib.Key
+	// RFC6637 §8: "The decryption is the inverse of the method given."
+	// All quoted descriptions in comments below describe encryption, and
+	// the reverse is performed.
+	// vsG corresponds to `VB` in RFC6637 §8 .
+
+	// RFC6637 §8: "VB = convert point V to the octet string"
+	copy(ephemeralPublic[:], vsG)
+
+	// decodedPrivate corresponds to `r` in RFC6637 §8 .
+	copy(decodedPrivate[:], secret)
+
+	// RFC6637 §8: "Note that the recipient obtains the shared secret by calculating
+	//   S = rV = rvG, where (r,R) is the recipient's key pair."
+	// sharedPoint corresponds to `S`.
+	x25519lib.Shared(&sharedPoint, &decodedPrivate, &ephemeralPublic)
+
+	return sharedPoint[:], nil
+}
+
+func (c *curve25519) ValidateECDH(point []byte, secret []byte) (err error) {
+	var pk, sk x25519lib.Key
+	copy(sk[:], secret)
+	x25519lib.KeyGen(&pk, &sk)
+
+	if subtle.ConstantTimeCompare(point, pk[:]) == 0 {
+		return errors.KeyInvalidError("ecc: invalid curve25519 public point")
+	}
+
+	return nil
+}
+
+func copyReversed(out []byte, in []byte) {
+	l := len(in)
+	for i := 0; i < l; i++ {
+		out[i] = in[l-i-1]
+	}
+}

vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/curve_info.go

@@ -0,0 +1,140 @@
+// Package ecc implements a generic interface for ECDH, ECDSA, and EdDSA.
+package ecc
+
+import (
+	"bytes"
+	"crypto/elliptic"
+	"github.com/ProtonMail/go-crypto/bitcurves"
+	"github.com/ProtonMail/go-crypto/brainpool"
+	"github.com/ProtonMail/go-crypto/openpgp/internal/encoding"
+)
+
+type CurveInfo struct {
+	GenName string
+	Oid *encoding.OID
+	Curve Curve
+}
+
+var Curves = []CurveInfo{
+	{
+		// NIST P-256
+		GenName: "P256",
+		Oid: encoding.NewOID([]byte{0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07}),
+		Curve: NewGenericCurve(elliptic.P256()),
+	},
+	{
+		// NIST P-384
+		GenName: "P384",
+		Oid: encoding.NewOID([]byte{0x2B, 0x81, 0x04, 0x00, 0x22}),
+		Curve: NewGenericCurve(elliptic.P384()),
+	},
+	{
+		// NIST P-521
+		GenName: "P521",
+		Oid: encoding.NewOID([]byte{0x2B, 0x81, 0x04, 0x00, 0x23}),
+		Curve: NewGenericCurve(elliptic.P521()),
+	},
+	{
+		// SecP256k1
+		GenName: "SecP256k1",
+		Oid: encoding.NewOID([]byte{0x2B, 0x81, 0x04, 0x00, 0x0A}),
+		Curve: NewGenericCurve(bitcurves.S256()),
+	},
+	{
+		// Curve25519
+		GenName: "Curve25519",
+		Oid: encoding.NewOID([]byte{0x2B, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55, 0x01, 0x05, 0x01}),
+		Curve: NewCurve25519(),
+	},
+	{
+		// X448
+		GenName: "Curve448",
+		Oid: encoding.NewOID([]byte{0x2B, 0x65, 0x6F}),
+		Curve: NewX448(),
+	},
+	{
+		// Ed25519
+		GenName: "Curve25519",
+		Oid: encoding.NewOID([]byte{0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01}),
+		Curve: NewEd25519(),
+	},
+	{
+		// Ed448
+		GenName: "Curve448",
+		Oid: encoding.NewOID([]byte{0x2B, 0x65, 0x71}),
+		Curve: NewEd448(),
+	},
+	{
+		// BrainpoolP256r1
+		GenName: "BrainpoolP256",
+		Oid: encoding.NewOID([]byte{0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x07}),
+		Curve: NewGenericCurve(brainpool.P256r1()),
+	},
+	{
+		// BrainpoolP384r1
+		GenName: "BrainpoolP384",
+		Oid: encoding.NewOID([]byte{0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0B}),
+		Curve: NewGenericCurve(brainpool.P384r1()),
+	},
+	{
+		// BrainpoolP512r1
+		GenName: "BrainpoolP512",
+		Oid: encoding.NewOID([]byte{0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0D}),
+		Curve: NewGenericCurve(brainpool.P512r1()),
+	},
+}
+
+func FindByCurve(curve Curve) *CurveInfo {
+	for _, curveInfo := range Curves {
+		if curveInfo.Curve.GetCurveName() == curve.GetCurveName() {
+			return &curveInfo
+		}
+	}
+	return nil
+}
+
+func FindByOid(oid encoding.Field) *CurveInfo {
+	var rawBytes = oid.Bytes()
+	for _, curveInfo := range Curves {
+		if bytes.Equal(curveInfo.Oid.Bytes(), rawBytes) {
+			return &curveInfo
+		}
+	}
+	return nil
+}
+
+func FindEdDSAByGenName(curveGenName string) EdDSACurve {
+	for _, curveInfo := range Curves {
+		if curveInfo.GenName == curveGenName {
+			curve, ok := curveInfo.Curve.(EdDSACurve)
+			if ok {
+				return curve
+			}
+		}
+	}
+	return nil
+}
+
+func FindECDSAByGenName(curveGenName string) ECDSACurve {
+	for _, curveInfo := range Curves {
+		if curveInfo.GenName == curveGenName {
+			curve, ok := curveInfo.Curve.(ECDSACurve)
+			if ok {
+				return curve
+			}
+		}
+	}
+	return nil
+}
+
+func FindECDHByGenName(curveGenName string) ECDHCurve {
+	for _, curveInfo := range Curves {
+		if curveInfo.GenName == curveGenName {
+			curve, ok := curveInfo.Curve.(ECDHCurve)
+			if ok {
+				return curve
+			}
+		}
+	}
+	return nil
+}

vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/curves.go

@@ -0,0 +1,48 @@
+// Package ecc implements a generic interface for ECDH, ECDSA, and EdDSA.
+package ecc
+
+import (
+	"io"
+	"math/big"
+)
+
+type Curve interface {
+	GetCurveName() string
+}
+
+type ECDSACurve interface {
+	Curve
+	MarshalIntegerPoint(x, y *big.Int) []byte
+	UnmarshalIntegerPoint([]byte) (x, y *big.Int)
+	MarshalIntegerSecret(d *big.Int) []byte
+	UnmarshalIntegerSecret(d []byte) *big.Int
+	GenerateECDSA(rand io.Reader) (x, y, secret *big.Int, err error)
+	Sign(rand io.Reader, x, y, d *big.Int, hash []byte) (r, s *big.Int, err error)
+	Verify(x, y *big.Int, hash []byte, r, s *big.Int) bool
+	ValidateECDSA(x, y *big.Int, secret []byte) error
+}
+
+type EdDSACurve interface {
+	Curve
+	MarshalBytePoint(x []byte) []byte
+	UnmarshalBytePoint([]byte) (x []byte)
+	MarshalByteSecret(d []byte) []byte
+	UnmarshalByteSecret(d []byte) []byte
+	MarshalSignature(sig []byte) (r, s []byte)
+	UnmarshalSignature(r, s []byte) (sig []byte)
+	GenerateEdDSA(rand io.Reader) (pub, priv []byte, err error)
+	Sign(publicKey, privateKey, message []byte) (sig []byte, err error)
+	Verify(publicKey, message, sig []byte) bool
+	ValidateEdDSA(publicKey, privateKey []byte) (err error)
+}
+type ECDHCurve interface {
+	Curve
+	MarshalBytePoint([]byte) (encoded []byte)
+	UnmarshalBytePoint(encoded []byte) ([]byte)
+	MarshalByteSecret(d []byte) []byte
+	UnmarshalByteSecret(d []byte) []byte
+	GenerateECDH(rand io.Reader) (point []byte, secret []byte, err error)
+	Encaps(rand io.Reader, point []byte) (ephemeral, sharedSecret []byte, err error)
+	Decaps(ephemeral, secret []byte) (sharedSecret []byte, err error)
+	ValidateECDH(public []byte, secret []byte) error
+}

vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/ed25519.go

@@ -0,0 +1,111 @@
+// Package ecc implements a generic interface for ECDH, ECDSA, and EdDSA.
+package ecc
+
+import (
+	"crypto/subtle"
+	"io"
+
+	"github.com/ProtonMail/go-crypto/openpgp/errors"
+	ed25519lib "github.com/cloudflare/circl/sign/ed25519"
+)
+
+const ed25519Size = 32
+type ed25519 struct {}
+
+func NewEd25519() *ed25519 {
+	return &ed25519{}
+}
+
+func (c *ed25519) GetCurveName() string {
+	return "ed25519"
+}
+
+// MarshalBytePoint encodes the public point from native format, adding the prefix.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
+func (c *ed25519) MarshalBytePoint(x []byte) []byte {
+	return append([]byte{0x40}, x...)
+}
+
+// UnmarshalBytePoint decodes a point from prefixed format to native.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
+func (c *ed25519) UnmarshalBytePoint(point []byte) (x []byte) {
+	if len(point) != ed25519lib.PublicKeySize + 1 {
+		return nil
+	}
+
+	// Return unprefixed
+	return point[1:]
+}
+
+// MarshalByteSecret encodes a scalar in native format.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
+func (c *ed25519) MarshalByteSecret(d []byte) []byte {
+	return d
+}
+
+// UnmarshalByteSecret decodes a scalar in native format and re-adds the stripped leading zeroes
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
+func (c *ed25519) UnmarshalByteSecret(s []byte) (d []byte) {
+	if len(s) > ed25519lib.SeedSize {
+		return nil
+	}
+
+	// Handle stripped leading zeroes
+	d = make([]byte, ed25519lib.SeedSize)
+	copy(d[ed25519lib.SeedSize - len(s):], s)
+	return
+}
+
+// MarshalSignature splits a signature in R and S.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.2.3.3.1
+func (c *ed25519) MarshalSignature(sig []byte) (r, s []byte) {
+	return sig[:ed25519Size], sig[ed25519Size:]
+}
+
+// UnmarshalSignature decodes R and S in the native format, re-adding the stripped leading zeroes
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.2.3.3.1
+func (c *ed25519) UnmarshalSignature(r, s []byte) (sig []byte) {
+	// Check size
+	if len(r) > 32 || len(s) > 32 {
+		return nil
+	}
+
+	sig = make([]byte, ed25519lib.SignatureSize)
+
+	// Handle stripped leading zeroes
+	copy(sig[ed25519Size-len(r):ed25519Size], r)
+	copy(sig[ed25519lib.SignatureSize-len(s):], s)
+	return sig
+}
+
+func (c *ed25519) GenerateEdDSA(rand io.Reader) (pub, priv []byte, err error) {
+	pk, sk, err := ed25519lib.GenerateKey(rand)
+
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return pk, sk[:ed25519lib.SeedSize], nil
+}
+
+func getEd25519Sk(publicKey, privateKey []byte) ed25519lib.PrivateKey {
+	return append(privateKey, publicKey...)
+}
+
+func (c *ed25519) Sign(publicKey, privateKey, message []byte) (sig []byte, err error) {
+	sig = ed25519lib.Sign(getEd25519Sk(publicKey, privateKey), message)
+	return sig, nil
+}
+
+func (c *ed25519) Verify(publicKey, message, sig []byte) bool {
+	return ed25519lib.Verify(publicKey, message, sig)
+}
+
+func (c *ed25519) ValidateEdDSA(publicKey, privateKey []byte) (err error) {
+	priv := getEd25519Sk(publicKey, privateKey)
+	expectedPriv := ed25519lib.NewKeyFromSeed(priv.Seed())
+	if subtle.ConstantTimeCompare(priv, expectedPriv) == 0 {
+		return errors.KeyInvalidError("ecc: invalid ed25519 secret")
+	}
+	return nil
+}

vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/ed448.go

@@ -0,0 +1,111 @@
+// Package ecc implements a generic interface for ECDH, ECDSA, and EdDSA.
+package ecc
+
+import (
+	"crypto/subtle"
+	"io"
+
+	"github.com/ProtonMail/go-crypto/openpgp/errors"
+	ed448lib "github.com/cloudflare/circl/sign/ed448"
+)
+
+type ed448 struct {}
+
+func NewEd448() *ed448 {
+	return &ed448{}
+}
+
+func (c *ed448) GetCurveName() string {
+	return "ed448"
+}
+
+// MarshalBytePoint encodes the public point from native format, adding the prefix.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
+func (c *ed448) MarshalBytePoint(x []byte) []byte {
+	// Return prefixed
+	return append([]byte{0x40}, x...)
+}
+
+// UnmarshalBytePoint decodes a point from prefixed format to native.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
+func (c *ed448) UnmarshalBytePoint(point []byte) (x []byte) {
+	if len(point) != ed448lib.PublicKeySize + 1 {
+		return nil
+	}
+
+	// Strip prefix
+	return point[1:]
+}
+
+// MarshalByteSecret encoded a scalar from native format to prefixed.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
+func (c *ed448) MarshalByteSecret(d []byte) []byte {
+	// Return prefixed
+	return append([]byte{0x40}, d...)
+}
+
+// UnmarshalByteSecret decodes a scalar from prefixed format to native.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.5
+func (c *ed448) UnmarshalByteSecret(s []byte) (d []byte) {
+	// Check prefixed size
+	if len(s) != ed448lib.SeedSize + 1 {
+		return nil
+	}
+
+	// Strip prefix
+	return s[1:]
+}
+
+// MarshalSignature splits a signature in R and S, where R is in prefixed native format and
+// S is an MPI with value zero.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.2.3.3.2
+func (c *ed448) MarshalSignature(sig []byte) (r, s []byte) {
+	return append([]byte{0x40}, sig...), []byte{}
+}
+
+// UnmarshalSignature decodes R and S in the native format. Only R is used, in prefixed native format.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.2.3.3.2
+func (c *ed448) UnmarshalSignature(r, s []byte) (sig []byte) {
+	if len(r) != ed448lib.SignatureSize + 1 {
+		return nil
+	}
+
+	return r[1:]
+}
+
+func (c *ed448) GenerateEdDSA(rand io.Reader) (pub, priv []byte, err error) {
+	pk, sk, err := ed448lib.GenerateKey(rand)
+
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return pk, sk[:ed448lib.SeedSize], nil
+}
+
+func getEd448Sk(publicKey, privateKey []byte) ed448lib.PrivateKey {
+	return append(privateKey, publicKey...)
+}
+
+func (c *ed448) Sign(publicKey, privateKey, message []byte) (sig []byte, err error) {
+	// Ed448 is used with the empty string as a context string.
+	// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-13.7
+	sig = ed448lib.Sign(getEd448Sk(publicKey, privateKey), message, "")
+
+	return sig, nil
+}
+
+func (c *ed448) Verify(publicKey, message, sig []byte) bool {
+	// Ed448 is used with the empty string as a context string.
+	// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-13.7
+	return ed448lib.Verify(publicKey, message, sig, "")
+}
+
+func (c *ed448) ValidateEdDSA(publicKey, privateKey []byte) (err error) {
+	priv := getEd448Sk(publicKey, privateKey)
+	expectedPriv := ed448lib.NewKeyFromSeed(priv.Seed())
+	if subtle.ConstantTimeCompare(priv, expectedPriv) == 0 {
+		return errors.KeyInvalidError("ecc: invalid ed448 secret")
+	}
+	return nil
+}

vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/generic.go

@@ -0,0 +1,149 @@
+// Package ecc implements a generic interface for ECDH, ECDSA, and EdDSA.
+package ecc
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"fmt"
+	"github.com/ProtonMail/go-crypto/openpgp/errors"
+	"io"
+	"math/big"
+)
+
+type genericCurve struct {
+	Curve elliptic.Curve
+}
+
+func NewGenericCurve(c elliptic.Curve) *genericCurve {
+	return &genericCurve{
+		Curve: c,
+	}
+}
+
+func (c *genericCurve) GetCurveName() string {
+	return c.Curve.Params().Name
+}
+
+func (c *genericCurve) MarshalBytePoint(point []byte) []byte {
+	return point
+}
+
+func (c *genericCurve) UnmarshalBytePoint(point []byte) []byte {
+	return point
+}
+
+func (c *genericCurve) MarshalIntegerPoint(x, y *big.Int) []byte {
+	return elliptic.Marshal(c.Curve, x, y)
+}
+
+func (c *genericCurve) UnmarshalIntegerPoint(point []byte) (x, y *big.Int) {
+	return elliptic.Unmarshal(c.Curve, point)
+}
+
+func (c *genericCurve) MarshalByteSecret(d []byte) []byte {
+	return d
+}
+
+func (c *genericCurve) UnmarshalByteSecret(d []byte) []byte {
+	return d
+}
+
+func (c *genericCurve) MarshalIntegerSecret(d *big.Int) []byte {
+	return d.Bytes()
+}
+
+func (c *genericCurve) UnmarshalIntegerSecret(d []byte) *big.Int {
+	return new(big.Int).SetBytes(d)
+}
+
+func (c *genericCurve) GenerateECDH(rand io.Reader) (point, secret []byte, err error) {
+	secret, x, y, err := elliptic.GenerateKey(c.Curve, rand)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	point = elliptic.Marshal(c.Curve, x, y)
+	return point, secret, nil
+}
+
+func (c *genericCurve) GenerateECDSA(rand io.Reader) (x, y, secret *big.Int, err error) {
+	priv, err := ecdsa.GenerateKey(c.Curve, rand)
+	if err != nil {
+		return
+	}
+
+	return priv.X, priv.Y, priv.D, nil
+}
+
+func (c *genericCurve) Encaps(rand io.Reader, point []byte) (ephemeral, sharedSecret []byte, err error) {
+	xP, yP := elliptic.Unmarshal(c.Curve, point)
+	if xP == nil {
+		panic("invalid point")
+	}
+
+	d, x, y, err := elliptic.GenerateKey(c.Curve, rand)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	vsG := elliptic.Marshal(c.Curve, x, y)
+	zbBig, _ := c.Curve.ScalarMult(xP, yP, d)
+
+	byteLen := (c.Curve.Params().BitSize + 7) >> 3
+	zb := make([]byte, byteLen)
+	zbBytes := zbBig.Bytes()
+	copy(zb[byteLen-len(zbBytes):], zbBytes)
+
+	return vsG, zb, nil
+}
+
+func (c *genericCurve) Decaps(ephemeral, secret []byte) (sharedSecret []byte, err error) {
+	x, y := elliptic.Unmarshal(c.Curve, ephemeral)
+	zbBig, _ := c.Curve.ScalarMult(x, y, secret)
+	byteLen := (c.Curve.Params().BitSize + 7) >> 3
+	zb := make([]byte, byteLen)
+	zbBytes := zbBig.Bytes()
+	copy(zb[byteLen-len(zbBytes):], zbBytes)
+
+	return zb, nil
+}
+
+func (c *genericCurve) Sign(rand io.Reader, x, y, d *big.Int, hash []byte) (r, s *big.Int, err error) {
+	priv := &ecdsa.PrivateKey{D: d, PublicKey: ecdsa.PublicKey{X: x, Y: y, Curve: c.Curve}}
+	return ecdsa.Sign(rand, priv, hash)
+}
+
+func (c *genericCurve) Verify(x, y *big.Int, hash []byte, r, s *big.Int) bool {
+	pub := &ecdsa.PublicKey{X: x, Y: y, Curve: c.Curve}
+	return ecdsa.Verify(pub, hash, r, s)
+}
+
+func (c *genericCurve) validate(xP, yP *big.Int, secret []byte) error {
+	// the public point should not be at infinity (0,0)
+	zero := new(big.Int)
+	if xP.Cmp(zero) == 0 && yP.Cmp(zero) == 0 {
+		return errors.KeyInvalidError(fmt.Sprintf("ecc (%s): infinity point", c.Curve.Params().Name))
+	}
+
+	// re-derive the public point Q' = (X,Y) = dG
+	// to compare to declared Q in public key
+	expectedX, expectedY := c.Curve.ScalarBaseMult(secret)
+	if xP.Cmp(expectedX) != 0 || yP.Cmp(expectedY) != 0 {
+		return errors.KeyInvalidError(fmt.Sprintf("ecc (%s): invalid point", c.Curve.Params().Name))
+	}
+
+	return nil
+}
+
+func (c *genericCurve) ValidateECDSA(xP, yP *big.Int, secret []byte) error {
+	return c.validate(xP, yP, secret)
+}
+
+func (c *genericCurve) ValidateECDH(point []byte, secret []byte) error {
+	xP, yP := elliptic.Unmarshal(c.Curve, point)
+	if xP == nil {
+		return errors.KeyInvalidError(fmt.Sprintf("ecc (%s): invalid point", c.Curve.Params().Name))
+	}
+
+	return c.validate(xP, yP, secret)
+}

vendor/github.com/ProtonMail/go-crypto/openpgp/internal/ecc/x448.go

@@ -0,0 +1,105 @@
+// Package ecc implements a generic interface for ECDH, ECDSA, and EdDSA.
+package ecc
+
+import (
+	"crypto/subtle"
+	"io"
+
+	"github.com/ProtonMail/go-crypto/openpgp/errors"
+	x448lib "github.com/cloudflare/circl/dh/x448"
+)
+
+type x448 struct {}
+
+func NewX448() *x448 {
+	return &x448{}
+}
+
+func (c *x448) GetCurveName() string {
+	return "x448"
+}
+
+// MarshalBytePoint encodes the public point from native format, adding the prefix.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6
+func (c *x448) MarshalBytePoint(point []byte) []byte {
+	return append([]byte{0x40}, point...)
+}
+
+// UnmarshalBytePoint decodes a point from prefixed format to native.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6
+func (c *x448) UnmarshalBytePoint(point []byte) []byte {
+	if len(point) != x448lib.Size + 1 {
+		return nil
+	}
+
+	return point[1:]
+}
+
+// MarshalByteSecret encoded a scalar from native format to prefixed.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6.1.2
+func (c *x448) MarshalByteSecret(d []byte) []byte {
+	return append([]byte{0x40}, d...)
+}
+
+// UnmarshalByteSecret decodes a scalar from prefixed format to native.
+// See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#section-5.5.5.6.1.2
+func (c *x448) UnmarshalByteSecret(d []byte) []byte {
+	if len(d) != x448lib.Size + 1 {
+		return nil
+	}
+
+	// Store without prefix
+	return d[1:]
+}
+
+func (c *x448) generateKeyPairBytes(rand io.Reader) (sk, pk x448lib.Key, err error) {
+	if _, err = rand.Read(sk[:]); err != nil {
+		return
+	}
+
+	x448lib.KeyGen(&pk, &sk)
+	return
+}
+
+func (c *x448) GenerateECDH(rand io.Reader) (point []byte, secret []byte, err error) {
+	priv, pub, err := c.generateKeyPairBytes(rand)
+	if err != nil {
+		return
+	}
+
+	return pub[:], priv[:], nil
+}
+
+func (c *x448) Encaps(rand io.Reader, point []byte) (ephemeral, sharedSecret []byte, err error) {
+	var pk, ss x448lib.Key
+	seed, e, err := c.generateKeyPairBytes(rand)
+
+	copy(pk[:], point)
+	x448lib.Shared(&ss, &seed, &pk)
+
+	return e[:], ss[:], nil
+}
+
+func (c *x448) Decaps(ephemeral, secret []byte) (sharedSecret []byte, err error) {
+	var ss, sk, e x448lib.Key
+
+	copy(sk[:], secret)
+	copy(e[:], ephemeral)
+	x448lib.Shared(&ss, &sk, &e)
+
+	return ss[:], nil
+}
+
+func (c *x448) ValidateECDH(point []byte, secret []byte) error {
+	var sk, pk, expectedPk x448lib.Key
+
+	copy(pk[:], point)
+	copy(sk[:], secret)
+	x448lib.KeyGen(&expectedPk, &sk)
+
+	if subtle.ConstantTimeCompare(expectedPk[:], pk[:]) == 0 {
+		return errors.KeyInvalidError("ecc: invalid curve25519 public point")
+	}
+
+	return nil
+}

vendor/github.com/ProtonMail/go-crypto/openpgp/internal/encoding/encoding.go

@@ -0,0 +1,27 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package encoding implements openpgp packet field encodings as specified in
+// RFC 4880 and 6637.
+package encoding
+
+import "io"
+
+// Field is an encoded field of an openpgp packet.
+type Field interface {
+	// Bytes returns the decoded data.
+	Bytes() []byte
+
+	// BitLength is the size in bits of the decoded data.
+	BitLength() uint16
+
+	// EncodedBytes returns the encoded data.
+	EncodedBytes() []byte
+
+	// EncodedLength is the size in bytes of the encoded data.
+	EncodedLength() uint16
+
+	// ReadFrom reads the next Field from r.
+	ReadFrom(r io.Reader) (int64, error)
+}

vendor/github.com/ProtonMail/go-crypto/openpgp/internal/encoding/mpi.go

@@ -0,0 +1,91 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package encoding
+
+import (
+	"io"
+	"math/big"
+	"math/bits"
+)
+
+// An MPI is used to store the contents of a big integer, along with the bit
+// length that was specified in the original input. This allows the MPI to be
+// reserialized exactly.
+type MPI struct {
+	bytes     []byte
+	bitLength uint16
+}
+
+// NewMPI returns a MPI initialized with bytes.
+func NewMPI(bytes []byte) *MPI {
+	for len(bytes) != 0 && bytes[0] == 0 {
+		bytes = bytes[1:]
+	}
+	if len(bytes) == 0 {
+		bitLength := uint16(0)
+		return &MPI{bytes, bitLength}
+	}
+	bitLength := 8*uint16(len(bytes)-1) + uint16(bits.Len8(bytes[0]))
+	return &MPI{bytes, bitLength}
+}
+
+// Bytes returns the decoded data.
+func (m *MPI) Bytes() []byte {
+	return m.bytes
+}
+
+// BitLength is the size in bits of the decoded data.
+func (m *MPI) BitLength() uint16 {
+	return m.bitLength
+}
+
+// EncodedBytes returns the encoded data.
+func (m *MPI) EncodedBytes() []byte {
+	return append([]byte{byte(m.bitLength >> 8), byte(m.bitLength)}, m.bytes...)
+}
+
+// EncodedLength is the size in bytes of the encoded data.
+func (m *MPI) EncodedLength() uint16 {
+	return uint16(2 + len(m.bytes))
+}
+
+// ReadFrom reads into m the next MPI from r.
+func (m *MPI) ReadFrom(r io.Reader) (int64, error) {
+	var buf [2]byte
+	n, err := io.ReadFull(r, buf[0:])
+	if err != nil {
+		if err == io.EOF {
+			err = io.ErrUnexpectedEOF
+		}
+		return int64(n), err
+	}
+
+	m.bitLength = uint16(buf[0])<<8 | uint16(buf[1])
+	m.bytes = make([]byte, (int(m.bitLength)+7)/8)
+
+	nn, err := io.ReadFull(r, m.bytes)
+	if err == io.EOF {
+		err = io.ErrUnexpectedEOF
+	}
+
+	// remove leading zero bytes from malformed GnuPG encoded MPIs:
+	// https://bugs.gnupg.org/gnupg/issue1853
+	// for _, b := range m.bytes {
+	// 	if b != 0 {
+	// 		break
+	// 	}
+	// 	m.bytes = m.bytes[1:]
+	// 	m.bitLength -= 8
+	// }
+
+	return int64(n) + int64(nn), err
+}
+
+// SetBig initializes m with the bits from n.
+func (m *MPI) SetBig(n *big.Int) *MPI {
+	m.bytes = n.Bytes()
+	m.bitLength = uint16(n.BitLen())
+	return m
+}

vendor/github.com/ProtonMail/go-crypto/openpgp/internal/encoding/oid.go

@@ -0,0 +1,88 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package encoding
+
+import (
+	"io"
+
+	"github.com/ProtonMail/go-crypto/openpgp/errors"
+)
+
+// OID is used to store a variable-length field with a one-octet size
+// prefix. See https://tools.ietf.org/html/rfc6637#section-9.
+type OID struct {
+	bytes []byte
+}
+
+const (
+	// maxOID is the maximum number of bytes in a OID.
+	maxOID = 254
+	// reservedOIDLength1 and reservedOIDLength2 are OID lengths that the RFC
+	// specifies are reserved.
+	reservedOIDLength1 = 0
+	reservedOIDLength2 = 0xff
+)
+
+// NewOID returns a OID initialized with bytes.
+func NewOID(bytes []byte) *OID {
+	switch len(bytes) {
+	case reservedOIDLength1, reservedOIDLength2:
+		panic("encoding: NewOID argument length is reserved")
+	default:
+		if len(bytes) > maxOID {
+			panic("encoding: NewOID argument too large")
+		}
+	}
+
+	return &OID{
+		bytes: bytes,
+	}
+}
+
+// Bytes returns the decoded data.
+func (o *OID) Bytes() []byte {
+	return o.bytes
+}
+
+// BitLength is the size in bits of the decoded data.
+func (o *OID) BitLength() uint16 {
+	return uint16(len(o.bytes) * 8)
+}
+
+// EncodedBytes returns the encoded data.
+func (o *OID) EncodedBytes() []byte {
+	return append([]byte{byte(len(o.bytes))}, o.bytes...)
+}
+
+// EncodedLength is the size in bytes of the encoded data.
+func (o *OID) EncodedLength() uint16 {
+	return uint16(1 + len(o.bytes))
+}
+
+// ReadFrom reads into b the next OID from r.
+func (o *OID) ReadFrom(r io.Reader) (int64, error) {
+	var buf [1]byte
+	n, err := io.ReadFull(r, buf[:])
+	if err != nil {
+		if err == io.EOF {
+			err = io.ErrUnexpectedEOF
+		}
+		return int64(n), err
+	}
+
+	switch buf[0] {
+	case reservedOIDLength1, reservedOIDLength2:
+		return int64(n), errors.UnsupportedError("reserved for future extensions")
+	}
+
+	o.bytes = make([]byte, buf[0])
+
+	nn, err := io.ReadFull(r, o.bytes)
+	if err == io.EOF {
+		err = io.ErrUnexpectedEOF
+	}
+
+	return int64(n) + int64(nn), err
+}