UNPKG

node-forge/lib/pbkdf2.js

Version:

5.81 kBJavaScriptView Raw

1/**
* Password-Based Key-Derivation Function #2 implementation.
*
* See RFC 2898 for details.
*
* @author Dave Longley
*
* Copyright (c) 2010-2013 Digital Bazaar, Inc.
*/
10var forge = require('./forge');
11require('./hmac');
12require('./md');
13require('./util');
14
15var pkcs5 = forge.pkcs5 = forge.pkcs5 || {};
16
17var crypto;
18if(forge.util.isNodejs && !forge.options.usePureJavaScript) {
crypto = require('crypto');
20}
21
22/**
* Derives a key from a password.
*
* @param p the password as a binary-encoded string of bytes.
* @param s the salt as a binary-encoded string of bytes.
* @param c the iteration count, a positive integer.
* @param dkLen the intended length, in bytes, of the derived key,
*          (max: 2^32 - 1) * hash length of the PRF.
* @param [md] the message digest (or algorithm identifier as a string) to use
*          in the PRF, defaults to SHA-1.
* @param [callback(err, key)] presence triggers asynchronous version, called
*          once the operation completes.
*
* @return the derived key, as a binary-encoded string of bytes, for the
*           synchronous version (if no callback is specified).
*/
38module.exports = forge.pbkdf2 = pkcs5.pbkdf2 = function(
p, s, c, dkLen, md, callback) {
if(typeof md === 'function') {
  callback = md;
  md = null;
}
44
// use native implementation if possible and not disabled, note that
// some node versions only support SHA-1, others allow digest to be changed
if(forge.util.isNodejs && !forge.options.usePureJavaScript &&
  crypto.pbkdf2 && (md === null || typeof md !== 'object') &&
  (crypto.pbkdf2Sync.length > 4 || (!md || md === 'sha1'))) {
  if(typeof md !== 'string') {
    // default prf to SHA-1
    md = 'sha1';
  }
  p = Buffer.from(p, 'binary');
  s = Buffer.from(s, 'binary');
  if(!callback) {
    if(crypto.pbkdf2Sync.length === 4) {
      return crypto.pbkdf2Sync(p, s, c, dkLen).toString('binary');
    }
    return crypto.pbkdf2Sync(p, s, c, dkLen, md).toString('binary');
  }
  if(crypto.pbkdf2Sync.length === 4) {
    return crypto.pbkdf2(p, s, c, dkLen, function(err, key) {
      if(err) {
        return callback(err);
      }
      callback(null, key.toString('binary'));
    });
  }
  return crypto.pbkdf2(p, s, c, dkLen, md, function(err, key) {
    if(err) {
      return callback(err);
    }
    callback(null, key.toString('binary'));
  });
}
77
if(typeof md === 'undefined' || md === null) {
  // default prf to SHA-1
  md = 'sha1';
}
if(typeof md === 'string') {
  if(!(md in forge.md.algorithms)) {
    throw new Error('Unknown hash algorithm: ' + md);
  }
  md = forge.md[md].create();
}
88
var hLen = md.digestLength;
90
/* 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and
  stop. */
if(dkLen > (0xFFFFFFFF * hLen)) {
  var err = new Error('Derived key is too long.');
  if(callback) {
    return callback(err);
  }
  throw err;
}
100
/* 2. Let len be the number of hLen-octet blocks in the derived key,
  rounding up, and let r be the number of octets in the last
  block:
104
  len = CEIL(dkLen / hLen),
  r = dkLen - (len - 1) * hLen. */
var len = Math.ceil(dkLen / hLen);
var r = dkLen - (len - 1) * hLen;
109
/* 3. For each block of the derived key apply the function F defined
  below to the password P, the salt S, the iteration count c, and
  the block index to compute the block:
113
  T_1 = F(P, S, c, 1),
  T_2 = F(P, S, c, 2),
  ...
  T_len = F(P, S, c, len),
118
  where the function F is defined as the exclusive-or sum of the
  first c iterates of the underlying pseudorandom function PRF
  applied to the password P and the concatenation of the salt S
  and the block index i:
123
  F(P, S, c, i) = u_1 XOR u_2 XOR ... XOR u_c
125
  where
127
  u_1 = PRF(P, S || INT(i)),
  u_2 = PRF(P, u_1),
  ...
  u_c = PRF(P, u_{c-1}).
132
  Here, INT(i) is a four-octet encoding of the integer i, most
  significant octet first. */
var prf = forge.hmac.create();
prf.start(md, p);
var dk = '';
var xor, u_c, u_c1;
139
// sync version
if(!callback) {
  for(var i = 1; i <= len; ++i) {
    // PRF(P, S || INT(i)) (first iteration)
    prf.start(null, null);
    prf.update(s);
    prf.update(forge.util.int32ToBytes(i));
    xor = u_c1 = prf.digest().getBytes();
148
    // PRF(P, u_{c-1}) (other iterations)
    for(var j = 2; j <= c; ++j) {
      prf.start(null, null);
      prf.update(u_c1);
      u_c = prf.digest().getBytes();
      // F(p, s, c, i)
      xor = forge.util.xorBytes(xor, u_c, hLen);
      u_c1 = u_c;
    }
158
    /* 4. Concatenate the blocks and extract the first dkLen octets to
      produce a derived key DK:
161
      DK = T_1 || T_2 ||  ...  || T_len<0..r-1> */
    dk += (i < len) ? xor : xor.substr(0, r);
  }
  /* 5. Output the derived key DK. */
  return dk;
}
168
// async version
var i = 1, j;
function outer() {
  if(i > len) {
    // done
    return callback(null, dk);
  }
176
  // PRF(P, S || INT(i)) (first iteration)
  prf.start(null, null);
  prf.update(s);
  prf.update(forge.util.int32ToBytes(i));
  xor = u_c1 = prf.digest().getBytes();
182
  // PRF(P, u_{c-1}) (other iterations)
  j = 2;
  inner();
}
187
function inner() {
  if(j <= c) {
    prf.start(null, null);
    prf.update(u_c1);
    u_c = prf.digest().getBytes();
    // F(p, s, c, i)
    xor = forge.util.xorBytes(xor, u_c, hLen);
    u_c1 = u_c;
    ++j;
    return forge.util.setImmediate(inner);
  }
199
  /* 4. Concatenate the blocks and extract the first dkLen octets to
    produce a derived key DK:
202
    DK = T_1 || T_2 ||  ...  || T_len<0..r-1> */
  dk += (i < len) ? xor : xor.substr(0, r);
205
  ++i;
  outer();
}
209
outer();
211};

1	`/**`
2	`* Password-Based Key-Derivation Function #2 implementation.`
3	`*`
4	`* See RFC 2898 for details.`
5	`*`
6	`* @author Dave Longley`
7	`*`
8	`* Copyright (c) 2010-2013 Digital Bazaar, Inc.`
9	`*/`
10	`var forge = require('./forge');`
11	`require('./hmac');`
12	`require('./md');`
13	`require('./util');`
14
15	`var pkcs5 = forge.pkcs5 = forge.pkcs5 \|\| {};`
16
17	`var crypto;`
18	`if(forge.util.isNodejs && !forge.options.usePureJavaScript) {`
19	`crypto = require('crypto');`
20	`}`
21
22	`/**`
23	`* Derives a key from a password.`
24	`*`
25	`* @param p the password as a binary-encoded string of bytes.`
26	`* @param s the salt as a binary-encoded string of bytes.`
27	`* @param c the iteration count, a positive integer.`
28	`* @param dkLen the intended length, in bytes, of the derived key,`
29	`* (max: 2^32 - 1) * hash length of the PRF.`
30	`* @param [md] the message digest (or algorithm identifier as a string) to use`
31	`* in the PRF, defaults to SHA-1.`
32	`* @param [callback(err, key)] presence triggers asynchronous version, called`
33	`* once the operation completes.`
34	`*`
35	`* @return the derived key, as a binary-encoded string of bytes, for the`
36	`* synchronous version (if no callback is specified).`
37	`*/`
38	`module.exports = forge.pbkdf2 = pkcs5.pbkdf2 = function(`
39	`p, s, c, dkLen, md, callback) {`
40	`if(typeof md === 'function') {`
41	`callback = md;`
42	`md = null;`
43	`}`
44
45	`// use native implementation if possible and not disabled, note that`
46	`// some node versions only support SHA-1, others allow digest to be changed`
47	`if(forge.util.isNodejs && !forge.options.usePureJavaScript &&`
48	`crypto.pbkdf2 && (md === null \|\| typeof md !== 'object') &&`
49	`(crypto.pbkdf2Sync.length > 4 \|\| (!md \|\| md === 'sha1'))) {`
50	`if(typeof md !== 'string') {`
51	`// default prf to SHA-1`
52	`md = 'sha1';`
53	`}`
54	`p = Buffer.from(p, 'binary');`
55	`s = Buffer.from(s, 'binary');`
56	`if(!callback) {`
57	`if(crypto.pbkdf2Sync.length === 4) {`
58	`return crypto.pbkdf2Sync(p, s, c, dkLen).toString('binary');`
59	`}`
60	`return crypto.pbkdf2Sync(p, s, c, dkLen, md).toString('binary');`
61	`}`
62	`if(crypto.pbkdf2Sync.length === 4) {`
63	`return crypto.pbkdf2(p, s, c, dkLen, function(err, key) {`
64	`if(err) {`
65	`return callback(err);`
66	`}`
67	`callback(null, key.toString('binary'));`
68	`});`
69	`}`
70	`return crypto.pbkdf2(p, s, c, dkLen, md, function(err, key) {`
71	`if(err) {`
72	`return callback(err);`
73	`}`
74	`callback(null, key.toString('binary'));`
75	`});`
76	`}`
77
78	`if(typeof md === 'undefined' \|\| md === null) {`
79	`// default prf to SHA-1`
80	`md = 'sha1';`
81	`}`
82	`if(typeof md === 'string') {`
83	`if(!(md in forge.md.algorithms)) {`
84	`throw new Error('Unknown hash algorithm: ' + md);`
85	`}`
86	`md = forge.md[md].create();`
87	`}`
88
89	`var hLen = md.digestLength;`
90
91	`/* 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and`
92	`stop. */`
93	`if(dkLen > (0xFFFFFFFF * hLen)) {`
94	`var err = new Error('Derived key is too long.');`
95	`if(callback) {`
96	`return callback(err);`
97	`}`
98	`throw err;`
99	`}`
100
101	`/* 2. Let len be the number of hLen-octet blocks in the derived key,`
102	`rounding up, and let r be the number of octets in the last`
103	`block:`
104
105	`len = CEIL(dkLen / hLen),`
106	`r = dkLen - (len - 1) * hLen. */`
107	`var len = Math.ceil(dkLen / hLen);`
108	`var r = dkLen - (len - 1) * hLen;`
109
110	`/* 3. For each block of the derived key apply the function F defined`
111	`below to the password P, the salt S, the iteration count c, and`
112	`the block index to compute the block:`
113
114	`T_1 = F(P, S, c, 1),`
115	`T_2 = F(P, S, c, 2),`
116	`...`
117	`T_len = F(P, S, c, len),`
118
119	`where the function F is defined as the exclusive-or sum of the`
120	`first c iterates of the underlying pseudorandom function PRF`
121	`applied to the password P and the concatenation of the salt S`
122	`and the block index i:`
123
124	`F(P, S, c, i) = u_1 XOR u_2 XOR ... XOR u_c`
125
126	`where`
127
128	`u_1 = PRF(P, S \|\| INT(i)),`
129	`u_2 = PRF(P, u_1),`
130	`...`
131	`u_c = PRF(P, u_{c-1}).`
132
133	`Here, INT(i) is a four-octet encoding of the integer i, most`
134	`significant octet first. */`
135	`var prf = forge.hmac.create();`
136	`prf.start(md, p);`
137	`var dk = '';`
138	`var xor, u_c, u_c1;`
139
140	`// sync version`
141	`if(!callback) {`
142	`for(var i = 1; i <= len; ++i) {`
143	`// PRF(P, S \|\| INT(i)) (first iteration)`
144	`prf.start(null, null);`
145	`prf.update(s);`
146	`prf.update(forge.util.int32ToBytes(i));`
147	`xor = u_c1 = prf.digest().getBytes();`
148
149	`// PRF(P, u_{c-1}) (other iterations)`
150	`for(var j = 2; j <= c; ++j) {`
151	`prf.start(null, null);`
152	`prf.update(u_c1);`
153	`u_c = prf.digest().getBytes();`
154	`// F(p, s, c, i)`
155	`xor = forge.util.xorBytes(xor, u_c, hLen);`
156	`u_c1 = u_c;`
157	`}`
158
159	`/* 4. Concatenate the blocks and extract the first dkLen octets to`
160	`produce a derived key DK:`
161
162	`DK = T_1 \|\| T_2 \|\| ... \|\| T_len<0..r-1> */`
163	`dk += (i < len) ? xor : xor.substr(0, r);`
164	`}`
165	`/* 5. Output the derived key DK. */`
166	`return dk;`
167	`}`
168
169	`// async version`
170	`var i = 1, j;`
171	`function outer() {`
172	`if(i > len) {`
173	`// done`
174	`return callback(null, dk);`
175	`}`
176
177	`// PRF(P, S \|\| INT(i)) (first iteration)`
178	`prf.start(null, null);`
179	`prf.update(s);`
180	`prf.update(forge.util.int32ToBytes(i));`
181	`xor = u_c1 = prf.digest().getBytes();`
182
183	`// PRF(P, u_{c-1}) (other iterations)`
184	`j = 2;`
185	`inner();`
186	`}`
187
188	`function inner() {`
189	`if(j <= c) {`
190	`prf.start(null, null);`
191	`prf.update(u_c1);`
192	`u_c = prf.digest().getBytes();`
193	`// F(p, s, c, i)`
194	`xor = forge.util.xorBytes(xor, u_c, hLen);`
195	`u_c1 = u_c;`
196	`++j;`
197	`return forge.util.setImmediate(inner);`
198	`}`
199
200	`/* 4. Concatenate the blocks and extract the first dkLen octets to`
201	`produce a derived key DK:`
202
203	`DK = T_1 \|\| T_2 \|\| ... \|\| T_len<0..r-1> */`
204	`dk += (i < len) ? xor : xor.substr(0, r);`
205
206	`++i;`
207	`outer();`
208	`}`
209
210	`outer();`
211	`};`