/base/000_base/node_modules/node-forge/lib/pbe.js |
@@ -0,0 +1,1023 @@ |
/** |
* Password-based encryption functions. |
* |
* @author Dave Longley |
* @author Stefan Siegl <stesie@brokenpipe.de> |
* |
* Copyright (c) 2010-2013 Digital Bazaar, Inc. |
* Copyright (c) 2012 Stefan Siegl <stesie@brokenpipe.de> |
* |
* An EncryptedPrivateKeyInfo: |
* |
* EncryptedPrivateKeyInfo ::= SEQUENCE { |
* encryptionAlgorithm EncryptionAlgorithmIdentifier, |
* encryptedData EncryptedData } |
* |
* EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier |
* |
* EncryptedData ::= OCTET STRING |
*/ |
var forge = require('./forge'); |
require('./aes'); |
require('./asn1'); |
require('./des'); |
require('./md'); |
require('./oids'); |
require('./pbkdf2'); |
require('./pem'); |
require('./random'); |
require('./rc2'); |
require('./rsa'); |
require('./util'); |
|
if(typeof BigInteger === 'undefined') { |
var BigInteger = forge.jsbn.BigInteger; |
} |
|
// shortcut for asn.1 API |
var asn1 = forge.asn1; |
|
/* Password-based encryption implementation. */ |
var pki = forge.pki = forge.pki || {}; |
module.exports = pki.pbe = forge.pbe = forge.pbe || {}; |
var oids = pki.oids; |
|
// validator for an EncryptedPrivateKeyInfo structure |
// Note: Currently only works w/algorithm params |
var encryptedPrivateKeyValidator = { |
name: 'EncryptedPrivateKeyInfo', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.SEQUENCE, |
constructed: true, |
value: [{ |
name: 'EncryptedPrivateKeyInfo.encryptionAlgorithm', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.SEQUENCE, |
constructed: true, |
value: [{ |
name: 'AlgorithmIdentifier.algorithm', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.OID, |
constructed: false, |
capture: 'encryptionOid' |
}, { |
name: 'AlgorithmIdentifier.parameters', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.SEQUENCE, |
constructed: true, |
captureAsn1: 'encryptionParams' |
}] |
}, { |
// encryptedData |
name: 'EncryptedPrivateKeyInfo.encryptedData', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.OCTETSTRING, |
constructed: false, |
capture: 'encryptedData' |
}] |
}; |
|
// validator for a PBES2Algorithms structure |
// Note: Currently only works w/PBKDF2 + AES encryption schemes |
var PBES2AlgorithmsValidator = { |
name: 'PBES2Algorithms', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.SEQUENCE, |
constructed: true, |
value: [{ |
name: 'PBES2Algorithms.keyDerivationFunc', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.SEQUENCE, |
constructed: true, |
value: [{ |
name: 'PBES2Algorithms.keyDerivationFunc.oid', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.OID, |
constructed: false, |
capture: 'kdfOid' |
}, { |
name: 'PBES2Algorithms.params', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.SEQUENCE, |
constructed: true, |
value: [{ |
name: 'PBES2Algorithms.params.salt', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.OCTETSTRING, |
constructed: false, |
capture: 'kdfSalt' |
}, { |
name: 'PBES2Algorithms.params.iterationCount', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.INTEGER, |
constructed: false, |
capture: 'kdfIterationCount' |
}, { |
name: 'PBES2Algorithms.params.keyLength', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.INTEGER, |
constructed: false, |
optional: true, |
capture: 'keyLength' |
}, { |
// prf |
name: 'PBES2Algorithms.params.prf', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.SEQUENCE, |
constructed: true, |
optional: true, |
value: [{ |
name: 'PBES2Algorithms.params.prf.algorithm', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.OID, |
constructed: false, |
capture: 'prfOid' |
}] |
}] |
}] |
}, { |
name: 'PBES2Algorithms.encryptionScheme', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.SEQUENCE, |
constructed: true, |
value: [{ |
name: 'PBES2Algorithms.encryptionScheme.oid', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.OID, |
constructed: false, |
capture: 'encOid' |
}, { |
name: 'PBES2Algorithms.encryptionScheme.iv', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.OCTETSTRING, |
constructed: false, |
capture: 'encIv' |
}] |
}] |
}; |
|
var pkcs12PbeParamsValidator = { |
name: 'pkcs-12PbeParams', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.SEQUENCE, |
constructed: true, |
value: [{ |
name: 'pkcs-12PbeParams.salt', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.OCTETSTRING, |
constructed: false, |
capture: 'salt' |
}, { |
name: 'pkcs-12PbeParams.iterations', |
tagClass: asn1.Class.UNIVERSAL, |
type: asn1.Type.INTEGER, |
constructed: false, |
capture: 'iterations' |
}] |
}; |
|
/** |
* Encrypts a ASN.1 PrivateKeyInfo object, producing an EncryptedPrivateKeyInfo. |
* |
* PBES2Algorithms ALGORITHM-IDENTIFIER ::= |
* { {PBES2-params IDENTIFIED BY id-PBES2}, ...} |
* |
* id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13} |
* |
* PBES2-params ::= SEQUENCE { |
* keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}}, |
* encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} |
* } |
* |
* PBES2-KDFs ALGORITHM-IDENTIFIER ::= |
* { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... } |
* |
* PBES2-Encs ALGORITHM-IDENTIFIER ::= { ... } |
* |
* PBKDF2-params ::= SEQUENCE { |
* salt CHOICE { |
* specified OCTET STRING, |
* otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}} |
* }, |
* iterationCount INTEGER (1..MAX), |
* keyLength INTEGER (1..MAX) OPTIONAL, |
* prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1 |
* } |
* |
* @param obj the ASN.1 PrivateKeyInfo object. |
* @param password the password to encrypt with. |
* @param options: |
* algorithm the encryption algorithm to use |
* ('aes128', 'aes192', 'aes256', '3des'), defaults to 'aes128'. |
* count the iteration count to use. |
* saltSize the salt size to use. |
* prfAlgorithm the PRF message digest algorithm to use |
* ('sha1', 'sha224', 'sha256', 'sha384', 'sha512') |
* |
* @return the ASN.1 EncryptedPrivateKeyInfo. |
*/ |
pki.encryptPrivateKeyInfo = function(obj, password, options) { |
// set default options |
options = options || {}; |
options.saltSize = options.saltSize || 8; |
options.count = options.count || 2048; |
options.algorithm = options.algorithm || 'aes128'; |
options.prfAlgorithm = options.prfAlgorithm || 'sha1'; |
|
// generate PBE params |
var salt = forge.random.getBytesSync(options.saltSize); |
var count = options.count; |
var countBytes = asn1.integerToDer(count); |
var dkLen; |
var encryptionAlgorithm; |
var encryptedData; |
if(options.algorithm.indexOf('aes') === 0 || options.algorithm === 'des') { |
// do PBES2 |
var ivLen, encOid, cipherFn; |
switch(options.algorithm) { |
case 'aes128': |
dkLen = 16; |
ivLen = 16; |
encOid = oids['aes128-CBC']; |
cipherFn = forge.aes.createEncryptionCipher; |
break; |
case 'aes192': |
dkLen = 24; |
ivLen = 16; |
encOid = oids['aes192-CBC']; |
cipherFn = forge.aes.createEncryptionCipher; |
break; |
case 'aes256': |
dkLen = 32; |
ivLen = 16; |
encOid = oids['aes256-CBC']; |
cipherFn = forge.aes.createEncryptionCipher; |
break; |
case 'des': |
dkLen = 8; |
ivLen = 8; |
encOid = oids['desCBC']; |
cipherFn = forge.des.createEncryptionCipher; |
break; |
default: |
var error = new Error('Cannot encrypt private key. Unknown encryption algorithm.'); |
error.algorithm = options.algorithm; |
throw error; |
} |
|
// get PRF message digest |
var prfAlgorithm = 'hmacWith' + options.prfAlgorithm.toUpperCase(); |
var md = prfAlgorithmToMessageDigest(prfAlgorithm); |
|
// encrypt private key using pbe SHA-1 and AES/DES |
var dk = forge.pkcs5.pbkdf2(password, salt, count, dkLen, md); |
var iv = forge.random.getBytesSync(ivLen); |
var cipher = cipherFn(dk); |
cipher.start(iv); |
cipher.update(asn1.toDer(obj)); |
cipher.finish(); |
encryptedData = cipher.output.getBytes(); |
|
// get PBKDF2-params |
var params = createPbkdf2Params(salt, countBytes, dkLen, prfAlgorithm); |
|
encryptionAlgorithm = asn1.create( |
asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [ |
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, |
asn1.oidToDer(oids['pkcs5PBES2']).getBytes()), |
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [ |
// keyDerivationFunc |
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [ |
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, |
asn1.oidToDer(oids['pkcs5PBKDF2']).getBytes()), |
// PBKDF2-params |
params |
]), |
// encryptionScheme |
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [ |
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, |
asn1.oidToDer(encOid).getBytes()), |
// iv |
asn1.create( |
asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, iv) |
]) |
]) |
]); |
} else if(options.algorithm === '3des') { |
// Do PKCS12 PBE |
dkLen = 24; |
|
var saltBytes = new forge.util.ByteBuffer(salt); |
var dk = pki.pbe.generatePkcs12Key(password, saltBytes, 1, count, dkLen); |
var iv = pki.pbe.generatePkcs12Key(password, saltBytes, 2, count, dkLen); |
var cipher = forge.des.createEncryptionCipher(dk); |
cipher.start(iv); |
cipher.update(asn1.toDer(obj)); |
cipher.finish(); |
encryptedData = cipher.output.getBytes(); |
|
encryptionAlgorithm = asn1.create( |
asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [ |
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, |
asn1.oidToDer(oids['pbeWithSHAAnd3-KeyTripleDES-CBC']).getBytes()), |
// pkcs-12PbeParams |
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [ |
// salt |
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, salt), |
// iteration count |
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false, |
countBytes.getBytes()) |
]) |
]); |
} else { |
var error = new Error('Cannot encrypt private key. Unknown encryption algorithm.'); |
error.algorithm = options.algorithm; |
throw error; |
} |
|
// EncryptedPrivateKeyInfo |
var rval = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [ |
// encryptionAlgorithm |
encryptionAlgorithm, |
// encryptedData |
asn1.create( |
asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, encryptedData) |
]); |
return rval; |
}; |
|
/** |
* Decrypts a ASN.1 PrivateKeyInfo object. |
* |
* @param obj the ASN.1 EncryptedPrivateKeyInfo object. |
* @param password the password to decrypt with. |
* |
* @return the ASN.1 PrivateKeyInfo on success, null on failure. |
*/ |
pki.decryptPrivateKeyInfo = function(obj, password) { |
var rval = null; |
|
// get PBE params |
var capture = {}; |
var errors = []; |
if(!asn1.validate(obj, encryptedPrivateKeyValidator, capture, errors)) { |
var error = new Error('Cannot read encrypted private key. ' + |
'ASN.1 object is not a supported EncryptedPrivateKeyInfo.'); |
error.errors = errors; |
throw error; |
} |
|
// get cipher |
var oid = asn1.derToOid(capture.encryptionOid); |
var cipher = pki.pbe.getCipher(oid, capture.encryptionParams, password); |
|
// get encrypted data |
var encrypted = forge.util.createBuffer(capture.encryptedData); |
|
cipher.update(encrypted); |
if(cipher.finish()) { |
rval = asn1.fromDer(cipher.output); |
} |
|
return rval; |
}; |
|
/** |
* Converts a EncryptedPrivateKeyInfo to PEM format. |
* |
* @param epki the EncryptedPrivateKeyInfo. |
* @param maxline the maximum characters per line, defaults to 64. |
* |
* @return the PEM-formatted encrypted private key. |
*/ |
pki.encryptedPrivateKeyToPem = function(epki, maxline) { |
// convert to DER, then PEM-encode |
var msg = { |
type: 'ENCRYPTED PRIVATE KEY', |
body: asn1.toDer(epki).getBytes() |
}; |
return forge.pem.encode(msg, {maxline: maxline}); |
}; |
|
/** |
* Converts a PEM-encoded EncryptedPrivateKeyInfo to ASN.1 format. Decryption |
* is not performed. |
* |
* @param pem the EncryptedPrivateKeyInfo in PEM-format. |
* |
* @return the ASN.1 EncryptedPrivateKeyInfo. |
*/ |
pki.encryptedPrivateKeyFromPem = function(pem) { |
var msg = forge.pem.decode(pem)[0]; |
|
if(msg.type !== 'ENCRYPTED PRIVATE KEY') { |
var error = new Error('Could not convert encrypted private key from PEM; ' + |
'PEM header type is "ENCRYPTED PRIVATE KEY".'); |
error.headerType = msg.type; |
throw error; |
} |
if(msg.procType && msg.procType.type === 'ENCRYPTED') { |
throw new Error('Could not convert encrypted private key from PEM; ' + |
'PEM is encrypted.'); |
} |
|
// convert DER to ASN.1 object |
return asn1.fromDer(msg.body); |
}; |
|
/** |
* Encrypts an RSA private key. By default, the key will be wrapped in |
* a PrivateKeyInfo and encrypted to produce a PKCS#8 EncryptedPrivateKeyInfo. |
* This is the standard, preferred way to encrypt a private key. |
* |
* To produce a non-standard PEM-encrypted private key that uses encapsulated |
* headers to indicate the encryption algorithm (old-style non-PKCS#8 OpenSSL |
* private key encryption), set the 'legacy' option to true. Note: Using this |
* option will cause the iteration count to be forced to 1. |
* |
* Note: The 'des' algorithm is supported, but it is not considered to be |
* secure because it only uses a single 56-bit key. If possible, it is highly |
* recommended that a different algorithm be used. |
* |
* @param rsaKey the RSA key to encrypt. |
* @param password the password to use. |
* @param options: |
* algorithm: the encryption algorithm to use |
* ('aes128', 'aes192', 'aes256', '3des', 'des'). |
* count: the iteration count to use. |
* saltSize: the salt size to use. |
* legacy: output an old non-PKCS#8 PEM-encrypted+encapsulated |
* headers (DEK-Info) private key. |
* |
* @return the PEM-encoded ASN.1 EncryptedPrivateKeyInfo. |
*/ |
pki.encryptRsaPrivateKey = function(rsaKey, password, options) { |
// standard PKCS#8 |
options = options || {}; |
if(!options.legacy) { |
// encrypt PrivateKeyInfo |
var rval = pki.wrapRsaPrivateKey(pki.privateKeyToAsn1(rsaKey)); |
rval = pki.encryptPrivateKeyInfo(rval, password, options); |
return pki.encryptedPrivateKeyToPem(rval); |
} |
|
// legacy non-PKCS#8 |
var algorithm; |
var iv; |
var dkLen; |
var cipherFn; |
switch(options.algorithm) { |
case 'aes128': |
algorithm = 'AES-128-CBC'; |
dkLen = 16; |
iv = forge.random.getBytesSync(16); |
cipherFn = forge.aes.createEncryptionCipher; |
break; |
case 'aes192': |
algorithm = 'AES-192-CBC'; |
dkLen = 24; |
iv = forge.random.getBytesSync(16); |
cipherFn = forge.aes.createEncryptionCipher; |
break; |
case 'aes256': |
algorithm = 'AES-256-CBC'; |
dkLen = 32; |
iv = forge.random.getBytesSync(16); |
cipherFn = forge.aes.createEncryptionCipher; |
break; |
case '3des': |
algorithm = 'DES-EDE3-CBC'; |
dkLen = 24; |
iv = forge.random.getBytesSync(8); |
cipherFn = forge.des.createEncryptionCipher; |
break; |
case 'des': |
algorithm = 'DES-CBC'; |
dkLen = 8; |
iv = forge.random.getBytesSync(8); |
cipherFn = forge.des.createEncryptionCipher; |
break; |
default: |
var error = new Error('Could not encrypt RSA private key; unsupported ' + |
'encryption algorithm "' + options.algorithm + '".'); |
error.algorithm = options.algorithm; |
throw error; |
} |
|
// encrypt private key using OpenSSL legacy key derivation |
var dk = forge.pbe.opensslDeriveBytes(password, iv.substr(0, 8), dkLen); |
var cipher = cipherFn(dk); |
cipher.start(iv); |
cipher.update(asn1.toDer(pki.privateKeyToAsn1(rsaKey))); |
cipher.finish(); |
|
var msg = { |
type: 'RSA PRIVATE KEY', |
procType: { |
version: '4', |
type: 'ENCRYPTED' |
}, |
dekInfo: { |
algorithm: algorithm, |
parameters: forge.util.bytesToHex(iv).toUpperCase() |
}, |
body: cipher.output.getBytes() |
}; |
return forge.pem.encode(msg); |
}; |
|
/** |
* Decrypts an RSA private key. |
* |
* @param pem the PEM-formatted EncryptedPrivateKeyInfo to decrypt. |
* @param password the password to use. |
* |
* @return the RSA key on success, null on failure. |
*/ |
pki.decryptRsaPrivateKey = function(pem, password) { |
var rval = null; |
|
var msg = forge.pem.decode(pem)[0]; |
|
if(msg.type !== 'ENCRYPTED PRIVATE KEY' && |
msg.type !== 'PRIVATE KEY' && |
msg.type !== 'RSA PRIVATE KEY') { |
var error = new Error('Could not convert private key from PEM; PEM header type ' + |
'is not "ENCRYPTED PRIVATE KEY", "PRIVATE KEY", or "RSA PRIVATE KEY".'); |
error.headerType = error; |
throw error; |
} |
|
if(msg.procType && msg.procType.type === 'ENCRYPTED') { |
var dkLen; |
var cipherFn; |
switch(msg.dekInfo.algorithm) { |
case 'DES-CBC': |
dkLen = 8; |
cipherFn = forge.des.createDecryptionCipher; |
break; |
case 'DES-EDE3-CBC': |
dkLen = 24; |
cipherFn = forge.des.createDecryptionCipher; |
break; |
case 'AES-128-CBC': |
dkLen = 16; |
cipherFn = forge.aes.createDecryptionCipher; |
break; |
case 'AES-192-CBC': |
dkLen = 24; |
cipherFn = forge.aes.createDecryptionCipher; |
break; |
case 'AES-256-CBC': |
dkLen = 32; |
cipherFn = forge.aes.createDecryptionCipher; |
break; |
case 'RC2-40-CBC': |
dkLen = 5; |
cipherFn = function(key) { |
return forge.rc2.createDecryptionCipher(key, 40); |
}; |
break; |
case 'RC2-64-CBC': |
dkLen = 8; |
cipherFn = function(key) { |
return forge.rc2.createDecryptionCipher(key, 64); |
}; |
break; |
case 'RC2-128-CBC': |
dkLen = 16; |
cipherFn = function(key) { |
return forge.rc2.createDecryptionCipher(key, 128); |
}; |
break; |
default: |
var error = new Error('Could not decrypt private key; unsupported ' + |
'encryption algorithm "' + msg.dekInfo.algorithm + '".'); |
error.algorithm = msg.dekInfo.algorithm; |
throw error; |
} |
|
// use OpenSSL legacy key derivation |
var iv = forge.util.hexToBytes(msg.dekInfo.parameters); |
var dk = forge.pbe.opensslDeriveBytes(password, iv.substr(0, 8), dkLen); |
var cipher = cipherFn(dk); |
cipher.start(iv); |
cipher.update(forge.util.createBuffer(msg.body)); |
if(cipher.finish()) { |
rval = cipher.output.getBytes(); |
} else { |
return rval; |
} |
} else { |
rval = msg.body; |
} |
|
if(msg.type === 'ENCRYPTED PRIVATE KEY') { |
rval = pki.decryptPrivateKeyInfo(asn1.fromDer(rval), password); |
} else { |
// decryption already performed above |
rval = asn1.fromDer(rval); |
} |
|
if(rval !== null) { |
rval = pki.privateKeyFromAsn1(rval); |
} |
|
return rval; |
}; |
|
/** |
* Derives a PKCS#12 key. |
* |
* @param password the password to derive the key material from, null or |
* undefined for none. |
* @param salt the salt, as a ByteBuffer, to use. |
* @param id the PKCS#12 ID byte (1 = key material, 2 = IV, 3 = MAC). |
* @param iter the iteration count. |
* @param n the number of bytes to derive from the password. |
* @param md the message digest to use, defaults to SHA-1. |
* |
* @return a ByteBuffer with the bytes derived from the password. |
*/ |
pki.pbe.generatePkcs12Key = function(password, salt, id, iter, n, md) { |
var j, l; |
|
if(typeof md === 'undefined' || md === null) { |
if(!('sha1' in forge.md)) { |
throw new Error('"sha1" hash algorithm unavailable.'); |
} |
md = forge.md.sha1.create(); |
} |
|
var u = md.digestLength; |
var v = md.blockLength; |
var result = new forge.util.ByteBuffer(); |
|
/* Convert password to Unicode byte buffer + trailing 0-byte. */ |
var passBuf = new forge.util.ByteBuffer(); |
if(password !== null && password !== undefined) { |
for(l = 0; l < password.length; l++) { |
passBuf.putInt16(password.charCodeAt(l)); |
} |
passBuf.putInt16(0); |
} |
|
/* Length of salt and password in BYTES. */ |
var p = passBuf.length(); |
var s = salt.length(); |
|
/* 1. Construct a string, D (the "diversifier"), by concatenating |
v copies of ID. */ |
var D = new forge.util.ByteBuffer(); |
D.fillWithByte(id, v); |
|
/* 2. Concatenate copies of the salt together to create a string S of length |
v * ceil(s / v) bytes (the final copy of the salt may be trunacted |
to create S). |
Note that if the salt is the empty string, then so is S. */ |
var Slen = v * Math.ceil(s / v); |
var S = new forge.util.ByteBuffer(); |
for(l = 0; l < Slen; l++) { |
S.putByte(salt.at(l % s)); |
} |
|
/* 3. Concatenate copies of the password together to create a string P of |
length v * ceil(p / v) bytes (the final copy of the password may be |
truncated to create P). |
Note that if the password is the empty string, then so is P. */ |
var Plen = v * Math.ceil(p / v); |
var P = new forge.util.ByteBuffer(); |
for(l = 0; l < Plen; l++) { |
P.putByte(passBuf.at(l % p)); |
} |
|
/* 4. Set I=S||P to be the concatenation of S and P. */ |
var I = S; |
I.putBuffer(P); |
|
/* 5. Set c=ceil(n / u). */ |
var c = Math.ceil(n / u); |
|
/* 6. For i=1, 2, ..., c, do the following: */ |
for(var i = 1; i <= c; i++) { |
/* a) Set Ai=H^r(D||I). (l.e. the rth hash of D||I, H(H(H(...H(D||I)))) */ |
var buf = new forge.util.ByteBuffer(); |
buf.putBytes(D.bytes()); |
buf.putBytes(I.bytes()); |
for(var round = 0; round < iter; round++) { |
md.start(); |
md.update(buf.getBytes()); |
buf = md.digest(); |
} |
|
/* b) Concatenate copies of Ai to create a string B of length v bytes (the |
final copy of Ai may be truncated to create B). */ |
var B = new forge.util.ByteBuffer(); |
for(l = 0; l < v; l++) { |
B.putByte(buf.at(l % u)); |
} |
|
/* c) Treating I as a concatenation I0, I1, ..., Ik-1 of v-byte blocks, |
where k=ceil(s / v) + ceil(p / v), modify I by setting |
Ij=(Ij+B+1) mod 2v for each j. */ |
var k = Math.ceil(s / v) + Math.ceil(p / v); |
var Inew = new forge.util.ByteBuffer(); |
for(j = 0; j < k; j++) { |
var chunk = new forge.util.ByteBuffer(I.getBytes(v)); |
var x = 0x1ff; |
for(l = B.length() - 1; l >= 0; l--) { |
x = x >> 8; |
x += B.at(l) + chunk.at(l); |
chunk.setAt(l, x & 0xff); |
} |
Inew.putBuffer(chunk); |
} |
I = Inew; |
|
/* Add Ai to A. */ |
result.putBuffer(buf); |
} |
|
result.truncate(result.length() - n); |
return result; |
}; |
|
/** |
* Get new Forge cipher object instance. |
* |
* @param oid the OID (in string notation). |
* @param params the ASN.1 params object. |
* @param password the password to decrypt with. |
* |
* @return new cipher object instance. |
*/ |
pki.pbe.getCipher = function(oid, params, password) { |
switch(oid) { |
case pki.oids['pkcs5PBES2']: |
return pki.pbe.getCipherForPBES2(oid, params, password); |
|
case pki.oids['pbeWithSHAAnd3-KeyTripleDES-CBC']: |
case pki.oids['pbewithSHAAnd40BitRC2-CBC']: |
return pki.pbe.getCipherForPKCS12PBE(oid, params, password); |
|
default: |
var error = new Error('Cannot read encrypted PBE data block. Unsupported OID.'); |
error.oid = oid; |
error.supportedOids = [ |
'pkcs5PBES2', |
'pbeWithSHAAnd3-KeyTripleDES-CBC', |
'pbewithSHAAnd40BitRC2-CBC' |
]; |
throw error; |
} |
}; |
|
/** |
* Get new Forge cipher object instance according to PBES2 params block. |
* |
* The returned cipher instance is already started using the IV |
* from PBES2 parameter block. |
* |
* @param oid the PKCS#5 PBKDF2 OID (in string notation). |
* @param params the ASN.1 PBES2-params object. |
* @param password the password to decrypt with. |
* |
* @return new cipher object instance. |
*/ |
pki.pbe.getCipherForPBES2 = function(oid, params, password) { |
// get PBE params |
var capture = {}; |
var errors = []; |
if(!asn1.validate(params, PBES2AlgorithmsValidator, capture, errors)) { |
var error = new Error('Cannot read password-based-encryption algorithm ' + |
'parameters. ASN.1 object is not a supported EncryptedPrivateKeyInfo.'); |
error.errors = errors; |
throw error; |
} |
|
// check oids |
oid = asn1.derToOid(capture.kdfOid); |
if(oid !== pki.oids['pkcs5PBKDF2']) { |
var error = new Error('Cannot read encrypted private key. ' + |
'Unsupported key derivation function OID.'); |
error.oid = oid; |
error.supportedOids = ['pkcs5PBKDF2']; |
throw error; |
} |
oid = asn1.derToOid(capture.encOid); |
if(oid !== pki.oids['aes128-CBC'] && |
oid !== pki.oids['aes192-CBC'] && |
oid !== pki.oids['aes256-CBC'] && |
oid !== pki.oids['des-EDE3-CBC'] && |
oid !== pki.oids['desCBC']) { |
var error = new Error('Cannot read encrypted private key. ' + |
'Unsupported encryption scheme OID.'); |
error.oid = oid; |
error.supportedOids = [ |
'aes128-CBC', 'aes192-CBC', 'aes256-CBC', 'des-EDE3-CBC', 'desCBC']; |
throw error; |
} |
|
// set PBE params |
var salt = capture.kdfSalt; |
var count = forge.util.createBuffer(capture.kdfIterationCount); |
count = count.getInt(count.length() << 3); |
var dkLen; |
var cipherFn; |
switch(pki.oids[oid]) { |
case 'aes128-CBC': |
dkLen = 16; |
cipherFn = forge.aes.createDecryptionCipher; |
break; |
case 'aes192-CBC': |
dkLen = 24; |
cipherFn = forge.aes.createDecryptionCipher; |
break; |
case 'aes256-CBC': |
dkLen = 32; |
cipherFn = forge.aes.createDecryptionCipher; |
break; |
case 'des-EDE3-CBC': |
dkLen = 24; |
cipherFn = forge.des.createDecryptionCipher; |
break; |
case 'desCBC': |
dkLen = 8; |
cipherFn = forge.des.createDecryptionCipher; |
break; |
} |
|
// get PRF message digest |
var md = prfOidToMessageDigest(capture.prfOid); |
|
// decrypt private key using pbe with chosen PRF and AES/DES |
var dk = forge.pkcs5.pbkdf2(password, salt, count, dkLen, md); |
var iv = capture.encIv; |
var cipher = cipherFn(dk); |
cipher.start(iv); |
|
return cipher; |
}; |
|
/** |
* Get new Forge cipher object instance for PKCS#12 PBE. |
* |
* The returned cipher instance is already started using the key & IV |
* derived from the provided password and PKCS#12 PBE salt. |
* |
* @param oid The PKCS#12 PBE OID (in string notation). |
* @param params The ASN.1 PKCS#12 PBE-params object. |
* @param password The password to decrypt with. |
* |
* @return the new cipher object instance. |
*/ |
pki.pbe.getCipherForPKCS12PBE = function(oid, params, password) { |
// get PBE params |
var capture = {}; |
var errors = []; |
if(!asn1.validate(params, pkcs12PbeParamsValidator, capture, errors)) { |
var error = new Error('Cannot read password-based-encryption algorithm ' + |
'parameters. ASN.1 object is not a supported EncryptedPrivateKeyInfo.'); |
error.errors = errors; |
throw error; |
} |
|
var salt = forge.util.createBuffer(capture.salt); |
var count = forge.util.createBuffer(capture.iterations); |
count = count.getInt(count.length() << 3); |
|
var dkLen, dIvLen, cipherFn; |
switch(oid) { |
case pki.oids['pbeWithSHAAnd3-KeyTripleDES-CBC']: |
dkLen = 24; |
dIvLen = 8; |
cipherFn = forge.des.startDecrypting; |
break; |
|
case pki.oids['pbewithSHAAnd40BitRC2-CBC']: |
dkLen = 5; |
dIvLen = 8; |
cipherFn = function(key, iv) { |
var cipher = forge.rc2.createDecryptionCipher(key, 40); |
cipher.start(iv, null); |
return cipher; |
}; |
break; |
|
default: |
var error = new Error('Cannot read PKCS #12 PBE data block. Unsupported OID.'); |
error.oid = oid; |
throw error; |
} |
|
// get PRF message digest |
var md = prfOidToMessageDigest(capture.prfOid); |
var key = pki.pbe.generatePkcs12Key(password, salt, 1, count, dkLen, md); |
md.start(); |
var iv = pki.pbe.generatePkcs12Key(password, salt, 2, count, dIvLen, md); |
|
return cipherFn(key, iv); |
}; |
|
/** |
* OpenSSL's legacy key derivation function. |
* |
* See: http://www.openssl.org/docs/crypto/EVP_BytesToKey.html |
* |
* @param password the password to derive the key from. |
* @param salt the salt to use, null for none. |
* @param dkLen the number of bytes needed for the derived key. |
* @param [options] the options to use: |
* [md] an optional message digest object to use. |
*/ |
pki.pbe.opensslDeriveBytes = function(password, salt, dkLen, md) { |
if(typeof md === 'undefined' || md === null) { |
if(!('md5' in forge.md)) { |
throw new Error('"md5" hash algorithm unavailable.'); |
} |
md = forge.md.md5.create(); |
} |
if(salt === null) { |
salt = ''; |
} |
var digests = [hash(md, password + salt)]; |
for(var length = 16, i = 1; length < dkLen; ++i, length += 16) { |
digests.push(hash(md, digests[i - 1] + password + salt)); |
} |
return digests.join('').substr(0, dkLen); |
}; |
|
function hash(md, bytes) { |
return md.start().update(bytes).digest().getBytes(); |
} |
|
function prfOidToMessageDigest(prfOid) { |
// get PRF algorithm, default to SHA-1 |
var prfAlgorithm; |
if(!prfOid) { |
prfAlgorithm = 'hmacWithSHA1'; |
} else { |
prfAlgorithm = pki.oids[asn1.derToOid(prfOid)]; |
if(!prfAlgorithm) { |
var error = new Error('Unsupported PRF OID.'); |
error.oid = prfOid; |
error.supported = [ |
'hmacWithSHA1', 'hmacWithSHA224', 'hmacWithSHA256', 'hmacWithSHA384', |
'hmacWithSHA512']; |
throw error; |
} |
} |
return prfAlgorithmToMessageDigest(prfAlgorithm); |
} |
|
function prfAlgorithmToMessageDigest(prfAlgorithm) { |
var factory = forge.md; |
switch(prfAlgorithm) { |
case 'hmacWithSHA224': |
factory = forge.md.sha512; |
case 'hmacWithSHA1': |
case 'hmacWithSHA256': |
case 'hmacWithSHA384': |
case 'hmacWithSHA512': |
prfAlgorithm = prfAlgorithm.substr(8).toLowerCase(); |
break; |
default: |
var error = new Error('Unsupported PRF algorithm.'); |
error.algorithm = prfAlgorithm; |
error.supported = [ |
'hmacWithSHA1', 'hmacWithSHA224', 'hmacWithSHA256', 'hmacWithSHA384', |
'hmacWithSHA512']; |
throw error; |
} |
if(!factory || !(prfAlgorithm in factory)) { |
throw new Error('Unknown hash algorithm: ' + prfAlgorithm); |
} |
return factory[prfAlgorithm].create(); |
} |
|
function createPbkdf2Params(salt, countBytes, dkLen, prfAlgorithm) { |
var params = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [ |
// salt |
asn1.create( |
asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, salt), |
// iteration count |
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false, |
countBytes.getBytes()) |
]); |
// when PRF algorithm is not SHA-1 default, add key length and PRF algorithm |
if(prfAlgorithm !== 'hmacWithSHA1') { |
params.value.push( |
// key length |
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false, |
forge.util.hexToBytes(dkLen.toString(16))), |
// AlgorithmIdentifier |
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [ |
// algorithm |
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, |
asn1.oidToDer(pki.oids[prfAlgorithm]).getBytes()), |
// parameters (null) |
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.NULL, false, '') |
])); |
} |
return params; |
} |