|
|
- /**
- * Password-based encryption functions.
- *
- * @author Dave Longley
- * @author Stefan Siegl <stesie@brokenpipe.de>
- *
- * Copyright (c) 2010-2013 Digital Bazaar, Inc.
- * Copyright (c) 2012 Stefan Siegl <stesie@brokenpipe.de>
- *
- * An EncryptedPrivateKeyInfo:
- *
- * EncryptedPrivateKeyInfo ::= SEQUENCE {
- * encryptionAlgorithm EncryptionAlgorithmIdentifier,
- * encryptedData EncryptedData }
- *
- * EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
- *
- * EncryptedData ::= OCTET STRING
- */
- var forge = require('./forge');
- require('./aes');
- require('./asn1');
- require('./des');
- require('./md');
- require('./oids');
- require('./pbkdf2');
- require('./pem');
- require('./random');
- require('./rc2');
- require('./rsa');
- require('./util');
-
- if(typeof BigInteger === 'undefined') {
- var BigInteger = forge.jsbn.BigInteger;
- }
-
- // shortcut for asn.1 API
- var asn1 = forge.asn1;
-
- /* Password-based encryption implementation. */
- var pki = forge.pki = forge.pki || {};
- module.exports = pki.pbe = forge.pbe = forge.pbe || {};
- var oids = pki.oids;
-
- // validator for an EncryptedPrivateKeyInfo structure
- // Note: Currently only works w/algorithm params
- var encryptedPrivateKeyValidator = {
- name: 'EncryptedPrivateKeyInfo',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.SEQUENCE,
- constructed: true,
- value: [{
- name: 'EncryptedPrivateKeyInfo.encryptionAlgorithm',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.SEQUENCE,
- constructed: true,
- value: [{
- name: 'AlgorithmIdentifier.algorithm',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.OID,
- constructed: false,
- capture: 'encryptionOid'
- }, {
- name: 'AlgorithmIdentifier.parameters',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.SEQUENCE,
- constructed: true,
- captureAsn1: 'encryptionParams'
- }]
- }, {
- // encryptedData
- name: 'EncryptedPrivateKeyInfo.encryptedData',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.OCTETSTRING,
- constructed: false,
- capture: 'encryptedData'
- }]
- };
-
- // validator for a PBES2Algorithms structure
- // Note: Currently only works w/PBKDF2 + AES encryption schemes
- var PBES2AlgorithmsValidator = {
- name: 'PBES2Algorithms',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.SEQUENCE,
- constructed: true,
- value: [{
- name: 'PBES2Algorithms.keyDerivationFunc',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.SEQUENCE,
- constructed: true,
- value: [{
- name: 'PBES2Algorithms.keyDerivationFunc.oid',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.OID,
- constructed: false,
- capture: 'kdfOid'
- }, {
- name: 'PBES2Algorithms.params',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.SEQUENCE,
- constructed: true,
- value: [{
- name: 'PBES2Algorithms.params.salt',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.OCTETSTRING,
- constructed: false,
- capture: 'kdfSalt'
- }, {
- name: 'PBES2Algorithms.params.iterationCount',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.INTEGER,
- constructed: false,
- capture: 'kdfIterationCount'
- }, {
- name: 'PBES2Algorithms.params.keyLength',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.INTEGER,
- constructed: false,
- optional: true,
- capture: 'keyLength'
- }, {
- // prf
- name: 'PBES2Algorithms.params.prf',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.SEQUENCE,
- constructed: true,
- optional: true,
- value: [{
- name: 'PBES2Algorithms.params.prf.algorithm',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.OID,
- constructed: false,
- capture: 'prfOid'
- }]
- }]
- }]
- }, {
- name: 'PBES2Algorithms.encryptionScheme',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.SEQUENCE,
- constructed: true,
- value: [{
- name: 'PBES2Algorithms.encryptionScheme.oid',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.OID,
- constructed: false,
- capture: 'encOid'
- }, {
- name: 'PBES2Algorithms.encryptionScheme.iv',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.OCTETSTRING,
- constructed: false,
- capture: 'encIv'
- }]
- }]
- };
-
- var pkcs12PbeParamsValidator = {
- name: 'pkcs-12PbeParams',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.SEQUENCE,
- constructed: true,
- value: [{
- name: 'pkcs-12PbeParams.salt',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.OCTETSTRING,
- constructed: false,
- capture: 'salt'
- }, {
- name: 'pkcs-12PbeParams.iterations',
- tagClass: asn1.Class.UNIVERSAL,
- type: asn1.Type.INTEGER,
- constructed: false,
- capture: 'iterations'
- }]
- };
-
- /**
- * Encrypts a ASN.1 PrivateKeyInfo object, producing an EncryptedPrivateKeyInfo.
- *
- * PBES2Algorithms ALGORITHM-IDENTIFIER ::=
- * { {PBES2-params IDENTIFIED BY id-PBES2}, ...}
- *
- * id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13}
- *
- * PBES2-params ::= SEQUENCE {
- * keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
- * encryptionScheme AlgorithmIdentifier {{PBES2-Encs}}
- * }
- *
- * PBES2-KDFs ALGORITHM-IDENTIFIER ::=
- * { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
- *
- * PBES2-Encs ALGORITHM-IDENTIFIER ::= { ... }
- *
- * PBKDF2-params ::= SEQUENCE {
- * salt CHOICE {
- * specified OCTET STRING,
- * otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
- * },
- * iterationCount INTEGER (1..MAX),
- * keyLength INTEGER (1..MAX) OPTIONAL,
- * prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1
- * }
- *
- * @param obj the ASN.1 PrivateKeyInfo object.
- * @param password the password to encrypt with.
- * @param options:
- * algorithm the encryption algorithm to use
- * ('aes128', 'aes192', 'aes256', '3des'), defaults to 'aes128'.
- * count the iteration count to use.
- * saltSize the salt size to use.
- * prfAlgorithm the PRF message digest algorithm to use
- * ('sha1', 'sha224', 'sha256', 'sha384', 'sha512')
- *
- * @return the ASN.1 EncryptedPrivateKeyInfo.
- */
- pki.encryptPrivateKeyInfo = function(obj, password, options) {
- // set default options
- options = options || {};
- options.saltSize = options.saltSize || 8;
- options.count = options.count || 2048;
- options.algorithm = options.algorithm || 'aes128';
- options.prfAlgorithm = options.prfAlgorithm || 'sha1';
-
- // generate PBE params
- var salt = forge.random.getBytesSync(options.saltSize);
- var count = options.count;
- var countBytes = asn1.integerToDer(count);
- var dkLen;
- var encryptionAlgorithm;
- var encryptedData;
- if(options.algorithm.indexOf('aes') === 0 || options.algorithm === 'des') {
- // do PBES2
- var ivLen, encOid, cipherFn;
- switch(options.algorithm) {
- case 'aes128':
- dkLen = 16;
- ivLen = 16;
- encOid = oids['aes128-CBC'];
- cipherFn = forge.aes.createEncryptionCipher;
- break;
- case 'aes192':
- dkLen = 24;
- ivLen = 16;
- encOid = oids['aes192-CBC'];
- cipherFn = forge.aes.createEncryptionCipher;
- break;
- case 'aes256':
- dkLen = 32;
- ivLen = 16;
- encOid = oids['aes256-CBC'];
- cipherFn = forge.aes.createEncryptionCipher;
- break;
- case 'des':
- dkLen = 8;
- ivLen = 8;
- encOid = oids['desCBC'];
- cipherFn = forge.des.createEncryptionCipher;
- break;
- default:
- var error = new Error('Cannot encrypt private key. Unknown encryption algorithm.');
- error.algorithm = options.algorithm;
- throw error;
- }
-
- // get PRF message digest
- var prfAlgorithm = 'hmacWith' + options.prfAlgorithm.toUpperCase();
- var md = prfAlgorithmToMessageDigest(prfAlgorithm);
-
- // encrypt private key using pbe SHA-1 and AES/DES
- var dk = forge.pkcs5.pbkdf2(password, salt, count, dkLen, md);
- var iv = forge.random.getBytesSync(ivLen);
- var cipher = cipherFn(dk);
- cipher.start(iv);
- cipher.update(asn1.toDer(obj));
- cipher.finish();
- encryptedData = cipher.output.getBytes();
-
- // get PBKDF2-params
- var params = createPbkdf2Params(salt, countBytes, dkLen, prfAlgorithm);
-
- encryptionAlgorithm = asn1.create(
- asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
- asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false,
- asn1.oidToDer(oids['pkcs5PBES2']).getBytes()),
- asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
- // keyDerivationFunc
- asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
- asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false,
- asn1.oidToDer(oids['pkcs5PBKDF2']).getBytes()),
- // PBKDF2-params
- params
- ]),
- // encryptionScheme
- asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
- asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false,
- asn1.oidToDer(encOid).getBytes()),
- // iv
- asn1.create(
- asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, iv)
- ])
- ])
- ]);
- } else if(options.algorithm === '3des') {
- // Do PKCS12 PBE
- dkLen = 24;
-
- var saltBytes = new forge.util.ByteBuffer(salt);
- var dk = pki.pbe.generatePkcs12Key(password, saltBytes, 1, count, dkLen);
- var iv = pki.pbe.generatePkcs12Key(password, saltBytes, 2, count, dkLen);
- var cipher = forge.des.createEncryptionCipher(dk);
- cipher.start(iv);
- cipher.update(asn1.toDer(obj));
- cipher.finish();
- encryptedData = cipher.output.getBytes();
-
- encryptionAlgorithm = asn1.create(
- asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
- asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false,
- asn1.oidToDer(oids['pbeWithSHAAnd3-KeyTripleDES-CBC']).getBytes()),
- // pkcs-12PbeParams
- asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
- // salt
- asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, salt),
- // iteration count
- asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
- countBytes.getBytes())
- ])
- ]);
- } else {
- var error = new Error('Cannot encrypt private key. Unknown encryption algorithm.');
- error.algorithm = options.algorithm;
- throw error;
- }
-
- // EncryptedPrivateKeyInfo
- var rval = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
- // encryptionAlgorithm
- encryptionAlgorithm,
- // encryptedData
- asn1.create(
- asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, encryptedData)
- ]);
- return rval;
- };
-
- /**
- * Decrypts a ASN.1 PrivateKeyInfo object.
- *
- * @param obj the ASN.1 EncryptedPrivateKeyInfo object.
- * @param password the password to decrypt with.
- *
- * @return the ASN.1 PrivateKeyInfo on success, null on failure.
- */
- pki.decryptPrivateKeyInfo = function(obj, password) {
- var rval = null;
-
- // get PBE params
- var capture = {};
- var errors = [];
- if(!asn1.validate(obj, encryptedPrivateKeyValidator, capture, errors)) {
- var error = new Error('Cannot read encrypted private key. ' +
- 'ASN.1 object is not a supported EncryptedPrivateKeyInfo.');
- error.errors = errors;
- throw error;
- }
-
- // get cipher
- var oid = asn1.derToOid(capture.encryptionOid);
- var cipher = pki.pbe.getCipher(oid, capture.encryptionParams, password);
-
- // get encrypted data
- var encrypted = forge.util.createBuffer(capture.encryptedData);
-
- cipher.update(encrypted);
- if(cipher.finish()) {
- rval = asn1.fromDer(cipher.output);
- }
-
- return rval;
- };
-
- /**
- * Converts a EncryptedPrivateKeyInfo to PEM format.
- *
- * @param epki the EncryptedPrivateKeyInfo.
- * @param maxline the maximum characters per line, defaults to 64.
- *
- * @return the PEM-formatted encrypted private key.
- */
- pki.encryptedPrivateKeyToPem = function(epki, maxline) {
- // convert to DER, then PEM-encode
- var msg = {
- type: 'ENCRYPTED PRIVATE KEY',
- body: asn1.toDer(epki).getBytes()
- };
- return forge.pem.encode(msg, {maxline: maxline});
- };
-
- /**
- * Converts a PEM-encoded EncryptedPrivateKeyInfo to ASN.1 format. Decryption
- * is not performed.
- *
- * @param pem the EncryptedPrivateKeyInfo in PEM-format.
- *
- * @return the ASN.1 EncryptedPrivateKeyInfo.
- */
- pki.encryptedPrivateKeyFromPem = function(pem) {
- var msg = forge.pem.decode(pem)[0];
-
- if(msg.type !== 'ENCRYPTED PRIVATE KEY') {
- var error = new Error('Could not convert encrypted private key from PEM; ' +
- 'PEM header type is "ENCRYPTED PRIVATE KEY".');
- error.headerType = msg.type;
- throw error;
- }
- if(msg.procType && msg.procType.type === 'ENCRYPTED') {
- throw new Error('Could not convert encrypted private key from PEM; ' +
- 'PEM is encrypted.');
- }
-
- // convert DER to ASN.1 object
- return asn1.fromDer(msg.body);
- };
-
- /**
- * Encrypts an RSA private key. By default, the key will be wrapped in
- * a PrivateKeyInfo and encrypted to produce a PKCS#8 EncryptedPrivateKeyInfo.
- * This is the standard, preferred way to encrypt a private key.
- *
- * To produce a non-standard PEM-encrypted private key that uses encapsulated
- * headers to indicate the encryption algorithm (old-style non-PKCS#8 OpenSSL
- * private key encryption), set the 'legacy' option to true. Note: Using this
- * option will cause the iteration count to be forced to 1.
- *
- * Note: The 'des' algorithm is supported, but it is not considered to be
- * secure because it only uses a single 56-bit key. If possible, it is highly
- * recommended that a different algorithm be used.
- *
- * @param rsaKey the RSA key to encrypt.
- * @param password the password to use.
- * @param options:
- * algorithm: the encryption algorithm to use
- * ('aes128', 'aes192', 'aes256', '3des', 'des').
- * count: the iteration count to use.
- * saltSize: the salt size to use.
- * legacy: output an old non-PKCS#8 PEM-encrypted+encapsulated
- * headers (DEK-Info) private key.
- *
- * @return the PEM-encoded ASN.1 EncryptedPrivateKeyInfo.
- */
- pki.encryptRsaPrivateKey = function(rsaKey, password, options) {
- // standard PKCS#8
- options = options || {};
- if(!options.legacy) {
- // encrypt PrivateKeyInfo
- var rval = pki.wrapRsaPrivateKey(pki.privateKeyToAsn1(rsaKey));
- rval = pki.encryptPrivateKeyInfo(rval, password, options);
- return pki.encryptedPrivateKeyToPem(rval);
- }
-
- // legacy non-PKCS#8
- var algorithm;
- var iv;
- var dkLen;
- var cipherFn;
- switch(options.algorithm) {
- case 'aes128':
- algorithm = 'AES-128-CBC';
- dkLen = 16;
- iv = forge.random.getBytesSync(16);
- cipherFn = forge.aes.createEncryptionCipher;
- break;
- case 'aes192':
- algorithm = 'AES-192-CBC';
- dkLen = 24;
- iv = forge.random.getBytesSync(16);
- cipherFn = forge.aes.createEncryptionCipher;
- break;
- case 'aes256':
- algorithm = 'AES-256-CBC';
- dkLen = 32;
- iv = forge.random.getBytesSync(16);
- cipherFn = forge.aes.createEncryptionCipher;
- break;
- case '3des':
- algorithm = 'DES-EDE3-CBC';
- dkLen = 24;
- iv = forge.random.getBytesSync(8);
- cipherFn = forge.des.createEncryptionCipher;
- break;
- case 'des':
- algorithm = 'DES-CBC';
- dkLen = 8;
- iv = forge.random.getBytesSync(8);
- cipherFn = forge.des.createEncryptionCipher;
- break;
- default:
- var error = new Error('Could not encrypt RSA private key; unsupported ' +
- 'encryption algorithm "' + options.algorithm + '".');
- error.algorithm = options.algorithm;
- throw error;
- }
-
- // encrypt private key using OpenSSL legacy key derivation
- var dk = forge.pbe.opensslDeriveBytes(password, iv.substr(0, 8), dkLen);
- var cipher = cipherFn(dk);
- cipher.start(iv);
- cipher.update(asn1.toDer(pki.privateKeyToAsn1(rsaKey)));
- cipher.finish();
-
- var msg = {
- type: 'RSA PRIVATE KEY',
- procType: {
- version: '4',
- type: 'ENCRYPTED'
- },
- dekInfo: {
- algorithm: algorithm,
- parameters: forge.util.bytesToHex(iv).toUpperCase()
- },
- body: cipher.output.getBytes()
- };
- return forge.pem.encode(msg);
- };
-
- /**
- * Decrypts an RSA private key.
- *
- * @param pem the PEM-formatted EncryptedPrivateKeyInfo to decrypt.
- * @param password the password to use.
- *
- * @return the RSA key on success, null on failure.
- */
- pki.decryptRsaPrivateKey = function(pem, password) {
- var rval = null;
-
- var msg = forge.pem.decode(pem)[0];
-
- if(msg.type !== 'ENCRYPTED PRIVATE KEY' &&
- msg.type !== 'PRIVATE KEY' &&
- msg.type !== 'RSA PRIVATE KEY') {
- var error = new Error('Could not convert private key from PEM; PEM header type ' +
- 'is not "ENCRYPTED PRIVATE KEY", "PRIVATE KEY", or "RSA PRIVATE KEY".');
- error.headerType = error;
- throw error;
- }
-
- if(msg.procType && msg.procType.type === 'ENCRYPTED') {
- var dkLen;
- var cipherFn;
- switch(msg.dekInfo.algorithm) {
- case 'DES-CBC':
- dkLen = 8;
- cipherFn = forge.des.createDecryptionCipher;
- break;
- case 'DES-EDE3-CBC':
- dkLen = 24;
- cipherFn = forge.des.createDecryptionCipher;
- break;
- case 'AES-128-CBC':
- dkLen = 16;
- cipherFn = forge.aes.createDecryptionCipher;
- break;
- case 'AES-192-CBC':
- dkLen = 24;
- cipherFn = forge.aes.createDecryptionCipher;
- break;
- case 'AES-256-CBC':
- dkLen = 32;
- cipherFn = forge.aes.createDecryptionCipher;
- break;
- case 'RC2-40-CBC':
- dkLen = 5;
- cipherFn = function(key) {
- return forge.rc2.createDecryptionCipher(key, 40);
- };
- break;
- case 'RC2-64-CBC':
- dkLen = 8;
- cipherFn = function(key) {
- return forge.rc2.createDecryptionCipher(key, 64);
- };
- break;
- case 'RC2-128-CBC':
- dkLen = 16;
- cipherFn = function(key) {
- return forge.rc2.createDecryptionCipher(key, 128);
- };
- break;
- default:
- var error = new Error('Could not decrypt private key; unsupported ' +
- 'encryption algorithm "' + msg.dekInfo.algorithm + '".');
- error.algorithm = msg.dekInfo.algorithm;
- throw error;
- }
-
- // use OpenSSL legacy key derivation
- var iv = forge.util.hexToBytes(msg.dekInfo.parameters);
- var dk = forge.pbe.opensslDeriveBytes(password, iv.substr(0, 8), dkLen);
- var cipher = cipherFn(dk);
- cipher.start(iv);
- cipher.update(forge.util.createBuffer(msg.body));
- if(cipher.finish()) {
- rval = cipher.output.getBytes();
- } else {
- return rval;
- }
- } else {
- rval = msg.body;
- }
-
- if(msg.type === 'ENCRYPTED PRIVATE KEY') {
- rval = pki.decryptPrivateKeyInfo(asn1.fromDer(rval), password);
- } else {
- // decryption already performed above
- rval = asn1.fromDer(rval);
- }
-
- if(rval !== null) {
- rval = pki.privateKeyFromAsn1(rval);
- }
-
- return rval;
- };
-
- /**
- * Derives a PKCS#12 key.
- *
- * @param password the password to derive the key material from, null or
- * undefined for none.
- * @param salt the salt, as a ByteBuffer, to use.
- * @param id the PKCS#12 ID byte (1 = key material, 2 = IV, 3 = MAC).
- * @param iter the iteration count.
- * @param n the number of bytes to derive from the password.
- * @param md the message digest to use, defaults to SHA-1.
- *
- * @return a ByteBuffer with the bytes derived from the password.
- */
- pki.pbe.generatePkcs12Key = function(password, salt, id, iter, n, md) {
- var j, l;
-
- if(typeof md === 'undefined' || md === null) {
- if(!('sha1' in forge.md)) {
- throw new Error('"sha1" hash algorithm unavailable.');
- }
- md = forge.md.sha1.create();
- }
-
- var u = md.digestLength;
- var v = md.blockLength;
- var result = new forge.util.ByteBuffer();
-
- /* Convert password to Unicode byte buffer + trailing 0-byte. */
- var passBuf = new forge.util.ByteBuffer();
- if(password !== null && password !== undefined) {
- for(l = 0; l < password.length; l++) {
- passBuf.putInt16(password.charCodeAt(l));
- }
- passBuf.putInt16(0);
- }
-
- /* Length of salt and password in BYTES. */
- var p = passBuf.length();
- var s = salt.length();
-
- /* 1. Construct a string, D (the "diversifier"), by concatenating
- v copies of ID. */
- var D = new forge.util.ByteBuffer();
- D.fillWithByte(id, v);
-
- /* 2. Concatenate copies of the salt together to create a string S of length
- v * ceil(s / v) bytes (the final copy of the salt may be trunacted
- to create S).
- Note that if the salt is the empty string, then so is S. */
- var Slen = v * Math.ceil(s / v);
- var S = new forge.util.ByteBuffer();
- for(l = 0; l < Slen; l++) {
- S.putByte(salt.at(l % s));
- }
-
- /* 3. Concatenate copies of the password together to create a string P of
- length v * ceil(p / v) bytes (the final copy of the password may be
- truncated to create P).
- Note that if the password is the empty string, then so is P. */
- var Plen = v * Math.ceil(p / v);
- var P = new forge.util.ByteBuffer();
- for(l = 0; l < Plen; l++) {
- P.putByte(passBuf.at(l % p));
- }
-
- /* 4. Set I=S||P to be the concatenation of S and P. */
- var I = S;
- I.putBuffer(P);
-
- /* 5. Set c=ceil(n / u). */
- var c = Math.ceil(n / u);
-
- /* 6. For i=1, 2, ..., c, do the following: */
- for(var i = 1; i <= c; i++) {
- /* a) Set Ai=H^r(D||I). (l.e. the rth hash of D||I, H(H(H(...H(D||I)))) */
- var buf = new forge.util.ByteBuffer();
- buf.putBytes(D.bytes());
- buf.putBytes(I.bytes());
- for(var round = 0; round < iter; round++) {
- md.start();
- md.update(buf.getBytes());
- buf = md.digest();
- }
-
- /* b) Concatenate copies of Ai to create a string B of length v bytes (the
- final copy of Ai may be truncated to create B). */
- var B = new forge.util.ByteBuffer();
- for(l = 0; l < v; l++) {
- B.putByte(buf.at(l % u));
- }
-
- /* c) Treating I as a concatenation I0, I1, ..., Ik-1 of v-byte blocks,
- where k=ceil(s / v) + ceil(p / v), modify I by setting
- Ij=(Ij+B+1) mod 2v for each j. */
- var k = Math.ceil(s / v) + Math.ceil(p / v);
- var Inew = new forge.util.ByteBuffer();
- for(j = 0; j < k; j++) {
- var chunk = new forge.util.ByteBuffer(I.getBytes(v));
- var x = 0x1ff;
- for(l = B.length() - 1; l >= 0; l--) {
- x = x >> 8;
- x += B.at(l) + chunk.at(l);
- chunk.setAt(l, x & 0xff);
- }
- Inew.putBuffer(chunk);
- }
- I = Inew;
-
- /* Add Ai to A. */
- result.putBuffer(buf);
- }
-
- result.truncate(result.length() - n);
- return result;
- };
-
- /**
- * Get new Forge cipher object instance.
- *
- * @param oid the OID (in string notation).
- * @param params the ASN.1 params object.
- * @param password the password to decrypt with.
- *
- * @return new cipher object instance.
- */
- pki.pbe.getCipher = function(oid, params, password) {
- switch(oid) {
- case pki.oids['pkcs5PBES2']:
- return pki.pbe.getCipherForPBES2(oid, params, password);
-
- case pki.oids['pbeWithSHAAnd3-KeyTripleDES-CBC']:
- case pki.oids['pbewithSHAAnd40BitRC2-CBC']:
- return pki.pbe.getCipherForPKCS12PBE(oid, params, password);
-
- default:
- var error = new Error('Cannot read encrypted PBE data block. Unsupported OID.');
- error.oid = oid;
- error.supportedOids = [
- 'pkcs5PBES2',
- 'pbeWithSHAAnd3-KeyTripleDES-CBC',
- 'pbewithSHAAnd40BitRC2-CBC'
- ];
- throw error;
- }
- };
-
- /**
- * Get new Forge cipher object instance according to PBES2 params block.
- *
- * The returned cipher instance is already started using the IV
- * from PBES2 parameter block.
- *
- * @param oid the PKCS#5 PBKDF2 OID (in string notation).
- * @param params the ASN.1 PBES2-params object.
- * @param password the password to decrypt with.
- *
- * @return new cipher object instance.
- */
- pki.pbe.getCipherForPBES2 = function(oid, params, password) {
- // get PBE params
- var capture = {};
- var errors = [];
- if(!asn1.validate(params, PBES2AlgorithmsValidator, capture, errors)) {
- var error = new Error('Cannot read password-based-encryption algorithm ' +
- 'parameters. ASN.1 object is not a supported EncryptedPrivateKeyInfo.');
- error.errors = errors;
- throw error;
- }
-
- // check oids
- oid = asn1.derToOid(capture.kdfOid);
- if(oid !== pki.oids['pkcs5PBKDF2']) {
- var error = new Error('Cannot read encrypted private key. ' +
- 'Unsupported key derivation function OID.');
- error.oid = oid;
- error.supportedOids = ['pkcs5PBKDF2'];
- throw error;
- }
- oid = asn1.derToOid(capture.encOid);
- if(oid !== pki.oids['aes128-CBC'] &&
- oid !== pki.oids['aes192-CBC'] &&
- oid !== pki.oids['aes256-CBC'] &&
- oid !== pki.oids['des-EDE3-CBC'] &&
- oid !== pki.oids['desCBC']) {
- var error = new Error('Cannot read encrypted private key. ' +
- 'Unsupported encryption scheme OID.');
- error.oid = oid;
- error.supportedOids = [
- 'aes128-CBC', 'aes192-CBC', 'aes256-CBC', 'des-EDE3-CBC', 'desCBC'];
- throw error;
- }
-
- // set PBE params
- var salt = capture.kdfSalt;
- var count = forge.util.createBuffer(capture.kdfIterationCount);
- count = count.getInt(count.length() << 3);
- var dkLen;
- var cipherFn;
- switch(pki.oids[oid]) {
- case 'aes128-CBC':
- dkLen = 16;
- cipherFn = forge.aes.createDecryptionCipher;
- break;
- case 'aes192-CBC':
- dkLen = 24;
- cipherFn = forge.aes.createDecryptionCipher;
- break;
- case 'aes256-CBC':
- dkLen = 32;
- cipherFn = forge.aes.createDecryptionCipher;
- break;
- case 'des-EDE3-CBC':
- dkLen = 24;
- cipherFn = forge.des.createDecryptionCipher;
- break;
- case 'desCBC':
- dkLen = 8;
- cipherFn = forge.des.createDecryptionCipher;
- break;
- }
-
- // get PRF message digest
- var md = prfOidToMessageDigest(capture.prfOid);
-
- // decrypt private key using pbe with chosen PRF and AES/DES
- var dk = forge.pkcs5.pbkdf2(password, salt, count, dkLen, md);
- var iv = capture.encIv;
- var cipher = cipherFn(dk);
- cipher.start(iv);
-
- return cipher;
- };
-
- /**
- * Get new Forge cipher object instance for PKCS#12 PBE.
- *
- * The returned cipher instance is already started using the key & IV
- * derived from the provided password and PKCS#12 PBE salt.
- *
- * @param oid The PKCS#12 PBE OID (in string notation).
- * @param params The ASN.1 PKCS#12 PBE-params object.
- * @param password The password to decrypt with.
- *
- * @return the new cipher object instance.
- */
- pki.pbe.getCipherForPKCS12PBE = function(oid, params, password) {
- // get PBE params
- var capture = {};
- var errors = [];
- if(!asn1.validate(params, pkcs12PbeParamsValidator, capture, errors)) {
- var error = new Error('Cannot read password-based-encryption algorithm ' +
- 'parameters. ASN.1 object is not a supported EncryptedPrivateKeyInfo.');
- error.errors = errors;
- throw error;
- }
-
- var salt = forge.util.createBuffer(capture.salt);
- var count = forge.util.createBuffer(capture.iterations);
- count = count.getInt(count.length() << 3);
-
- var dkLen, dIvLen, cipherFn;
- switch(oid) {
- case pki.oids['pbeWithSHAAnd3-KeyTripleDES-CBC']:
- dkLen = 24;
- dIvLen = 8;
- cipherFn = forge.des.startDecrypting;
- break;
-
- case pki.oids['pbewithSHAAnd40BitRC2-CBC']:
- dkLen = 5;
- dIvLen = 8;
- cipherFn = function(key, iv) {
- var cipher = forge.rc2.createDecryptionCipher(key, 40);
- cipher.start(iv, null);
- return cipher;
- };
- break;
-
- default:
- var error = new Error('Cannot read PKCS #12 PBE data block. Unsupported OID.');
- error.oid = oid;
- throw error;
- }
-
- // get PRF message digest
- var md = prfOidToMessageDigest(capture.prfOid);
- var key = pki.pbe.generatePkcs12Key(password, salt, 1, count, dkLen, md);
- md.start();
- var iv = pki.pbe.generatePkcs12Key(password, salt, 2, count, dIvLen, md);
-
- return cipherFn(key, iv);
- };
-
- /**
- * OpenSSL's legacy key derivation function.
- *
- * See: http://www.openssl.org/docs/crypto/EVP_BytesToKey.html
- *
- * @param password the password to derive the key from.
- * @param salt the salt to use, null for none.
- * @param dkLen the number of bytes needed for the derived key.
- * @param [options] the options to use:
- * [md] an optional message digest object to use.
- */
- pki.pbe.opensslDeriveBytes = function(password, salt, dkLen, md) {
- if(typeof md === 'undefined' || md === null) {
- if(!('md5' in forge.md)) {
- throw new Error('"md5" hash algorithm unavailable.');
- }
- md = forge.md.md5.create();
- }
- if(salt === null) {
- salt = '';
- }
- var digests = [hash(md, password + salt)];
- for(var length = 16, i = 1; length < dkLen; ++i, length += 16) {
- digests.push(hash(md, digests[i - 1] + password + salt));
- }
- return digests.join('').substr(0, dkLen);
- };
-
- function hash(md, bytes) {
- return md.start().update(bytes).digest().getBytes();
- }
-
- function prfOidToMessageDigest(prfOid) {
- // get PRF algorithm, default to SHA-1
- var prfAlgorithm;
- if(!prfOid) {
- prfAlgorithm = 'hmacWithSHA1';
- } else {
- prfAlgorithm = pki.oids[asn1.derToOid(prfOid)];
- if(!prfAlgorithm) {
- var error = new Error('Unsupported PRF OID.');
- error.oid = prfOid;
- error.supported = [
- 'hmacWithSHA1', 'hmacWithSHA224', 'hmacWithSHA256', 'hmacWithSHA384',
- 'hmacWithSHA512'];
- throw error;
- }
- }
- return prfAlgorithmToMessageDigest(prfAlgorithm);
- }
-
- function prfAlgorithmToMessageDigest(prfAlgorithm) {
- var factory = forge.md;
- switch(prfAlgorithm) {
- case 'hmacWithSHA224':
- factory = forge.md.sha512;
- case 'hmacWithSHA1':
- case 'hmacWithSHA256':
- case 'hmacWithSHA384':
- case 'hmacWithSHA512':
- prfAlgorithm = prfAlgorithm.substr(8).toLowerCase();
- break;
- default:
- var error = new Error('Unsupported PRF algorithm.');
- error.algorithm = prfAlgorithm;
- error.supported = [
- 'hmacWithSHA1', 'hmacWithSHA224', 'hmacWithSHA256', 'hmacWithSHA384',
- 'hmacWithSHA512'];
- throw error;
- }
- if(!factory || !(prfAlgorithm in factory)) {
- throw new Error('Unknown hash algorithm: ' + prfAlgorithm);
- }
- return factory[prfAlgorithm].create();
- }
-
- function createPbkdf2Params(salt, countBytes, dkLen, prfAlgorithm) {
- var params = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
- // salt
- asn1.create(
- asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, salt),
- // iteration count
- asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
- countBytes.getBytes())
- ]);
- // when PRF algorithm is not SHA-1 default, add key length and PRF algorithm
- if(prfAlgorithm !== 'hmacWithSHA1') {
- params.value.push(
- // key length
- asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
- forge.util.hexToBytes(dkLen.toString(16))),
- // AlgorithmIdentifier
- asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
- // algorithm
- asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false,
- asn1.oidToDer(pki.oids[prfAlgorithm]).getBytes()),
- // parameters (null)
- asn1.create(asn1.Class.UNIVERSAL, asn1.Type.NULL, false, '')
- ]));
- }
- return params;
- }
|