| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023 | /** * Password-based encryption functions. * * @author Dave Longley * @author Stefan Siegl <stesie@brokenpipe.de> * * Copyright (c) 2010-2013 Digital Bazaar, Inc. * Copyright (c) 2012 Stefan Siegl <stesie@brokenpipe.de> * * An EncryptedPrivateKeyInfo: * * EncryptedPrivateKeyInfo ::= SEQUENCE { *   encryptionAlgorithm  EncryptionAlgorithmIdentifier, *   encryptedData        EncryptedData } * * EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier * * EncryptedData ::= OCTET STRING */var forge = require('./forge');require('./aes');require('./asn1');require('./des');require('./md');require('./oids');require('./pbkdf2');require('./pem');require('./random');require('./rc2');require('./rsa');require('./util');if(typeof BigInteger === 'undefined') {  var BigInteger = forge.jsbn.BigInteger;}// shortcut for asn.1 APIvar asn1 = forge.asn1;/* Password-based encryption implementation. */var pki = forge.pki = forge.pki || {};module.exports = pki.pbe = forge.pbe = forge.pbe || {};var oids = pki.oids;// validator for an EncryptedPrivateKeyInfo structure// Note: Currently only works w/algorithm paramsvar encryptedPrivateKeyValidator = {  name: 'EncryptedPrivateKeyInfo',  tagClass: asn1.Class.UNIVERSAL,  type: asn1.Type.SEQUENCE,  constructed: true,  value: [{    name: 'EncryptedPrivateKeyInfo.encryptionAlgorithm',    tagClass: asn1.Class.UNIVERSAL,    type: asn1.Type.SEQUENCE,    constructed: true,    value: [{      name: 'AlgorithmIdentifier.algorithm',      tagClass: asn1.Class.UNIVERSAL,      type: asn1.Type.OID,      constructed: false,      capture: 'encryptionOid'    }, {      name: 'AlgorithmIdentifier.parameters',      tagClass: asn1.Class.UNIVERSAL,      type: asn1.Type.SEQUENCE,      constructed: true,      captureAsn1: 'encryptionParams'    }]  }, {    // encryptedData    name: 'EncryptedPrivateKeyInfo.encryptedData',    tagClass: asn1.Class.UNIVERSAL,    type: asn1.Type.OCTETSTRING,    constructed: false,    capture: 'encryptedData'  }]};// validator for a PBES2Algorithms structure// Note: Currently only works w/PBKDF2 + AES encryption schemesvar PBES2AlgorithmsValidator = {  name: 'PBES2Algorithms',  tagClass: asn1.Class.UNIVERSAL,  type: asn1.Type.SEQUENCE,  constructed: true,  value: [{    name: 'PBES2Algorithms.keyDerivationFunc',    tagClass: asn1.Class.UNIVERSAL,    type: asn1.Type.SEQUENCE,    constructed: true,    value: [{      name: 'PBES2Algorithms.keyDerivationFunc.oid',      tagClass: asn1.Class.UNIVERSAL,      type: asn1.Type.OID,      constructed: false,      capture: 'kdfOid'    }, {      name: 'PBES2Algorithms.params',      tagClass: asn1.Class.UNIVERSAL,      type: asn1.Type.SEQUENCE,      constructed: true,      value: [{        name: 'PBES2Algorithms.params.salt',        tagClass: asn1.Class.UNIVERSAL,        type: asn1.Type.OCTETSTRING,        constructed: false,        capture: 'kdfSalt'      }, {        name: 'PBES2Algorithms.params.iterationCount',        tagClass: asn1.Class.UNIVERSAL,        type: asn1.Type.INTEGER,        constructed: false,        capture: 'kdfIterationCount'      }, {        name: 'PBES2Algorithms.params.keyLength',        tagClass: asn1.Class.UNIVERSAL,        type: asn1.Type.INTEGER,        constructed: false,        optional: true,        capture: 'keyLength'      }, {        // prf        name: 'PBES2Algorithms.params.prf',        tagClass: asn1.Class.UNIVERSAL,        type: asn1.Type.SEQUENCE,        constructed: true,        optional: true,        value: [{          name: 'PBES2Algorithms.params.prf.algorithm',          tagClass: asn1.Class.UNIVERSAL,          type: asn1.Type.OID,          constructed: false,          capture: 'prfOid'        }]      }]    }]  }, {    name: 'PBES2Algorithms.encryptionScheme',    tagClass: asn1.Class.UNIVERSAL,    type: asn1.Type.SEQUENCE,    constructed: true,    value: [{      name: 'PBES2Algorithms.encryptionScheme.oid',      tagClass: asn1.Class.UNIVERSAL,      type: asn1.Type.OID,      constructed: false,      capture: 'encOid'    }, {      name: 'PBES2Algorithms.encryptionScheme.iv',      tagClass: asn1.Class.UNIVERSAL,      type: asn1.Type.OCTETSTRING,      constructed: false,      capture: 'encIv'    }]  }]};var pkcs12PbeParamsValidator = {  name: 'pkcs-12PbeParams',  tagClass: asn1.Class.UNIVERSAL,  type: asn1.Type.SEQUENCE,  constructed: true,  value: [{    name: 'pkcs-12PbeParams.salt',    tagClass: asn1.Class.UNIVERSAL,    type: asn1.Type.OCTETSTRING,    constructed: false,    capture: 'salt'  }, {    name: 'pkcs-12PbeParams.iterations',    tagClass: asn1.Class.UNIVERSAL,    type: asn1.Type.INTEGER,    constructed: false,    capture: 'iterations'  }]};/** * Encrypts a ASN.1 PrivateKeyInfo object, producing an EncryptedPrivateKeyInfo. * * PBES2Algorithms ALGORITHM-IDENTIFIER ::= *   { {PBES2-params IDENTIFIED BY id-PBES2}, ...} * * id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13} * * PBES2-params ::= SEQUENCE { *   keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}}, *   encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} * } * * PBES2-KDFs ALGORITHM-IDENTIFIER ::= *   { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... } * * PBES2-Encs ALGORITHM-IDENTIFIER ::= { ... } * * PBKDF2-params ::= SEQUENCE { *   salt CHOICE { *     specified OCTET STRING, *     otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}} *   }, *   iterationCount INTEGER (1..MAX), *   keyLength INTEGER (1..MAX) OPTIONAL, *   prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1 * } * * @param obj the ASN.1 PrivateKeyInfo object. * @param password the password to encrypt with. * @param options: *          algorithm the encryption algorithm to use *            ('aes128', 'aes192', 'aes256', '3des'), defaults to 'aes128'. *          count the iteration count to use. *          saltSize the salt size to use. *          prfAlgorithm the PRF message digest algorithm to use *            ('sha1', 'sha224', 'sha256', 'sha384', 'sha512') * * @return the ASN.1 EncryptedPrivateKeyInfo. */pki.encryptPrivateKeyInfo = function(obj, password, options) {  // set default options  options = options || {};  options.saltSize = options.saltSize || 8;  options.count = options.count || 2048;  options.algorithm = options.algorithm || 'aes128';  options.prfAlgorithm = options.prfAlgorithm || 'sha1';  // generate PBE params  var salt = forge.random.getBytesSync(options.saltSize);  var count = options.count;  var countBytes = asn1.integerToDer(count);  var dkLen;  var encryptionAlgorithm;  var encryptedData;  if(options.algorithm.indexOf('aes') === 0 || options.algorithm === 'des') {    // do PBES2    var ivLen, encOid, cipherFn;    switch(options.algorithm) {    case 'aes128':      dkLen = 16;      ivLen = 16;      encOid = oids['aes128-CBC'];      cipherFn = forge.aes.createEncryptionCipher;      break;    case 'aes192':      dkLen = 24;      ivLen = 16;      encOid = oids['aes192-CBC'];      cipherFn = forge.aes.createEncryptionCipher;      break;    case 'aes256':      dkLen = 32;      ivLen = 16;      encOid = oids['aes256-CBC'];      cipherFn = forge.aes.createEncryptionCipher;      break;    case 'des':      dkLen = 8;      ivLen = 8;      encOid = oids['desCBC'];      cipherFn = forge.des.createEncryptionCipher;      break;    default:      var error = new Error('Cannot encrypt private key. Unknown encryption algorithm.');      error.algorithm = options.algorithm;      throw error;    }    // get PRF message digest    var prfAlgorithm = 'hmacWith' + options.prfAlgorithm.toUpperCase();    var md = prfAlgorithmToMessageDigest(prfAlgorithm);    // encrypt private key using pbe SHA-1 and AES/DES    var dk = forge.pkcs5.pbkdf2(password, salt, count, dkLen, md);    var iv = forge.random.getBytesSync(ivLen);    var cipher = cipherFn(dk);    cipher.start(iv);    cipher.update(asn1.toDer(obj));    cipher.finish();    encryptedData = cipher.output.getBytes();    // get PBKDF2-params    var params = createPbkdf2Params(salt, countBytes, dkLen, prfAlgorithm);    encryptionAlgorithm = asn1.create(      asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [      asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false,        asn1.oidToDer(oids['pkcs5PBES2']).getBytes()),      asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [        // keyDerivationFunc        asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [          asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false,            asn1.oidToDer(oids['pkcs5PBKDF2']).getBytes()),          // PBKDF2-params          params        ]),        // encryptionScheme        asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [          asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false,            asn1.oidToDer(encOid).getBytes()),          // iv          asn1.create(            asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, iv)        ])      ])    ]);  } else if(options.algorithm === '3des') {    // Do PKCS12 PBE    dkLen = 24;    var saltBytes = new forge.util.ByteBuffer(salt);    var dk = pki.pbe.generatePkcs12Key(password, saltBytes, 1, count, dkLen);    var iv = pki.pbe.generatePkcs12Key(password, saltBytes, 2, count, dkLen);    var cipher = forge.des.createEncryptionCipher(dk);    cipher.start(iv);    cipher.update(asn1.toDer(obj));    cipher.finish();    encryptedData = cipher.output.getBytes();    encryptionAlgorithm = asn1.create(      asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [      asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false,        asn1.oidToDer(oids['pbeWithSHAAnd3-KeyTripleDES-CBC']).getBytes()),      // pkcs-12PbeParams      asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [        // salt        asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, salt),        // iteration count        asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,          countBytes.getBytes())      ])    ]);  } else {    var error = new Error('Cannot encrypt private key. Unknown encryption algorithm.');    error.algorithm = options.algorithm;    throw error;  }  // EncryptedPrivateKeyInfo  var rval = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [    // encryptionAlgorithm    encryptionAlgorithm,    // encryptedData    asn1.create(      asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, encryptedData)  ]);  return rval;};/** * Decrypts a ASN.1 PrivateKeyInfo object. * * @param obj the ASN.1 EncryptedPrivateKeyInfo object. * @param password the password to decrypt with. * * @return the ASN.1 PrivateKeyInfo on success, null on failure. */pki.decryptPrivateKeyInfo = function(obj, password) {  var rval = null;  // get PBE params  var capture = {};  var errors = [];  if(!asn1.validate(obj, encryptedPrivateKeyValidator, capture, errors)) {    var error = new Error('Cannot read encrypted private key. ' +      'ASN.1 object is not a supported EncryptedPrivateKeyInfo.');    error.errors = errors;    throw error;  }  // get cipher  var oid = asn1.derToOid(capture.encryptionOid);  var cipher = pki.pbe.getCipher(oid, capture.encryptionParams, password);  // get encrypted data  var encrypted = forge.util.createBuffer(capture.encryptedData);  cipher.update(encrypted);  if(cipher.finish()) {    rval = asn1.fromDer(cipher.output);  }  return rval;};/** * Converts a EncryptedPrivateKeyInfo to PEM format. * * @param epki the EncryptedPrivateKeyInfo. * @param maxline the maximum characters per line, defaults to 64. * * @return the PEM-formatted encrypted private key. */pki.encryptedPrivateKeyToPem = function(epki, maxline) {  // convert to DER, then PEM-encode  var msg = {    type: 'ENCRYPTED PRIVATE KEY',    body: asn1.toDer(epki).getBytes()  };  return forge.pem.encode(msg, {maxline: maxline});};/** * Converts a PEM-encoded EncryptedPrivateKeyInfo to ASN.1 format. Decryption * is not performed. * * @param pem the EncryptedPrivateKeyInfo in PEM-format. * * @return the ASN.1 EncryptedPrivateKeyInfo. */pki.encryptedPrivateKeyFromPem = function(pem) {  var msg = forge.pem.decode(pem)[0];  if(msg.type !== 'ENCRYPTED PRIVATE KEY') {    var error = new Error('Could not convert encrypted private key from PEM; ' +      'PEM header type is "ENCRYPTED PRIVATE KEY".');    error.headerType = msg.type;    throw error;  }  if(msg.procType && msg.procType.type === 'ENCRYPTED') {    throw new Error('Could not convert encrypted private key from PEM; ' +      'PEM is encrypted.');  }  // convert DER to ASN.1 object  return asn1.fromDer(msg.body);};/** * Encrypts an RSA private key. By default, the key will be wrapped in * a PrivateKeyInfo and encrypted to produce a PKCS#8 EncryptedPrivateKeyInfo. * This is the standard, preferred way to encrypt a private key. * * To produce a non-standard PEM-encrypted private key that uses encapsulated * headers to indicate the encryption algorithm (old-style non-PKCS#8 OpenSSL * private key encryption), set the 'legacy' option to true. Note: Using this * option will cause the iteration count to be forced to 1. * * Note: The 'des' algorithm is supported, but it is not considered to be * secure because it only uses a single 56-bit key. If possible, it is highly * recommended that a different algorithm be used. * * @param rsaKey the RSA key to encrypt. * @param password the password to use. * @param options: *          algorithm: the encryption algorithm to use *            ('aes128', 'aes192', 'aes256', '3des', 'des'). *          count: the iteration count to use. *          saltSize: the salt size to use. *          legacy: output an old non-PKCS#8 PEM-encrypted+encapsulated *            headers (DEK-Info) private key. * * @return the PEM-encoded ASN.1 EncryptedPrivateKeyInfo. */pki.encryptRsaPrivateKey = function(rsaKey, password, options) {  // standard PKCS#8  options = options || {};  if(!options.legacy) {    // encrypt PrivateKeyInfo    var rval = pki.wrapRsaPrivateKey(pki.privateKeyToAsn1(rsaKey));    rval = pki.encryptPrivateKeyInfo(rval, password, options);    return pki.encryptedPrivateKeyToPem(rval);  }  // legacy non-PKCS#8  var algorithm;  var iv;  var dkLen;  var cipherFn;  switch(options.algorithm) {  case 'aes128':    algorithm = 'AES-128-CBC';    dkLen = 16;    iv = forge.random.getBytesSync(16);    cipherFn = forge.aes.createEncryptionCipher;    break;  case 'aes192':    algorithm = 'AES-192-CBC';    dkLen = 24;    iv = forge.random.getBytesSync(16);    cipherFn = forge.aes.createEncryptionCipher;    break;  case 'aes256':    algorithm = 'AES-256-CBC';    dkLen = 32;    iv = forge.random.getBytesSync(16);    cipherFn = forge.aes.createEncryptionCipher;    break;  case '3des':    algorithm = 'DES-EDE3-CBC';    dkLen = 24;    iv = forge.random.getBytesSync(8);    cipherFn = forge.des.createEncryptionCipher;    break;  case 'des':    algorithm = 'DES-CBC';    dkLen = 8;    iv = forge.random.getBytesSync(8);    cipherFn = forge.des.createEncryptionCipher;    break;  default:    var error = new Error('Could not encrypt RSA private key; unsupported ' +      'encryption algorithm "' + options.algorithm + '".');    error.algorithm = options.algorithm;    throw error;  }  // encrypt private key using OpenSSL legacy key derivation  var dk = forge.pbe.opensslDeriveBytes(password, iv.substr(0, 8), dkLen);  var cipher = cipherFn(dk);  cipher.start(iv);  cipher.update(asn1.toDer(pki.privateKeyToAsn1(rsaKey)));  cipher.finish();  var msg = {    type: 'RSA PRIVATE KEY',    procType: {      version: '4',      type: 'ENCRYPTED'    },    dekInfo: {      algorithm: algorithm,      parameters: forge.util.bytesToHex(iv).toUpperCase()    },    body: cipher.output.getBytes()  };  return forge.pem.encode(msg);};/** * Decrypts an RSA private key. * * @param pem the PEM-formatted EncryptedPrivateKeyInfo to decrypt. * @param password the password to use. * * @return the RSA key on success, null on failure. */pki.decryptRsaPrivateKey = function(pem, password) {  var rval = null;  var msg = forge.pem.decode(pem)[0];  if(msg.type !== 'ENCRYPTED PRIVATE KEY' &&    msg.type !== 'PRIVATE KEY' &&    msg.type !== 'RSA PRIVATE KEY') {    var error = new Error('Could not convert private key from PEM; PEM header type ' +      'is not "ENCRYPTED PRIVATE KEY", "PRIVATE KEY", or "RSA PRIVATE KEY".');    error.headerType = error;    throw error;  }  if(msg.procType && msg.procType.type === 'ENCRYPTED') {    var dkLen;    var cipherFn;    switch(msg.dekInfo.algorithm) {    case 'DES-CBC':      dkLen = 8;      cipherFn = forge.des.createDecryptionCipher;      break;    case 'DES-EDE3-CBC':      dkLen = 24;      cipherFn = forge.des.createDecryptionCipher;      break;    case 'AES-128-CBC':      dkLen = 16;      cipherFn = forge.aes.createDecryptionCipher;      break;    case 'AES-192-CBC':      dkLen = 24;      cipherFn = forge.aes.createDecryptionCipher;      break;    case 'AES-256-CBC':      dkLen = 32;      cipherFn = forge.aes.createDecryptionCipher;      break;    case 'RC2-40-CBC':      dkLen = 5;      cipherFn = function(key) {        return forge.rc2.createDecryptionCipher(key, 40);      };      break;    case 'RC2-64-CBC':      dkLen = 8;      cipherFn = function(key) {        return forge.rc2.createDecryptionCipher(key, 64);      };      break;    case 'RC2-128-CBC':      dkLen = 16;      cipherFn = function(key) {        return forge.rc2.createDecryptionCipher(key, 128);      };      break;    default:      var error = new Error('Could not decrypt private key; unsupported ' +        'encryption algorithm "' + msg.dekInfo.algorithm + '".');      error.algorithm = msg.dekInfo.algorithm;      throw error;    }    // use OpenSSL legacy key derivation    var iv = forge.util.hexToBytes(msg.dekInfo.parameters);    var dk = forge.pbe.opensslDeriveBytes(password, iv.substr(0, 8), dkLen);    var cipher = cipherFn(dk);    cipher.start(iv);    cipher.update(forge.util.createBuffer(msg.body));    if(cipher.finish()) {      rval = cipher.output.getBytes();    } else {      return rval;    }  } else {    rval = msg.body;  }  if(msg.type === 'ENCRYPTED PRIVATE KEY') {    rval = pki.decryptPrivateKeyInfo(asn1.fromDer(rval), password);  } else {    // decryption already performed above    rval = asn1.fromDer(rval);  }  if(rval !== null) {    rval = pki.privateKeyFromAsn1(rval);  }  return rval;};/** * Derives a PKCS#12 key. * * @param password the password to derive the key material from, null or *          undefined for none. * @param salt the salt, as a ByteBuffer, to use. * @param id the PKCS#12 ID byte (1 = key material, 2 = IV, 3 = MAC). * @param iter the iteration count. * @param n the number of bytes to derive from the password. * @param md the message digest to use, defaults to SHA-1. * * @return a ByteBuffer with the bytes derived from the password. */pki.pbe.generatePkcs12Key = function(password, salt, id, iter, n, md) {  var j, l;  if(typeof md === 'undefined' || md === null) {    if(!('sha1' in forge.md)) {      throw new Error('"sha1" hash algorithm unavailable.');    }    md = forge.md.sha1.create();  }  var u = md.digestLength;  var v = md.blockLength;  var result = new forge.util.ByteBuffer();  /* Convert password to Unicode byte buffer + trailing 0-byte. */  var passBuf = new forge.util.ByteBuffer();  if(password !== null && password !== undefined) {    for(l = 0; l < password.length; l++) {      passBuf.putInt16(password.charCodeAt(l));    }    passBuf.putInt16(0);  }  /* Length of salt and password in BYTES. */  var p = passBuf.length();  var s = salt.length();  /* 1. Construct a string, D (the "diversifier"), by concatenating        v copies of ID. */  var D = new forge.util.ByteBuffer();  D.fillWithByte(id, v);  /* 2. Concatenate copies of the salt together to create a string S of length        v * ceil(s / v) bytes (the final copy of the salt may be trunacted        to create S).        Note that if the salt is the empty string, then so is S. */  var Slen = v * Math.ceil(s / v);  var S = new forge.util.ByteBuffer();  for(l = 0; l < Slen; l++) {    S.putByte(salt.at(l % s));  }  /* 3. Concatenate copies of the password together to create a string P of        length v * ceil(p / v) bytes (the final copy of the password may be        truncated to create P).        Note that if the password is the empty string, then so is P. */  var Plen = v * Math.ceil(p / v);  var P = new forge.util.ByteBuffer();  for(l = 0; l < Plen; l++) {    P.putByte(passBuf.at(l % p));  }  /* 4. Set I=S||P to be the concatenation of S and P. */  var I = S;  I.putBuffer(P);  /* 5. Set c=ceil(n / u). */  var c = Math.ceil(n / u);  /* 6. For i=1, 2, ..., c, do the following: */  for(var i = 1; i <= c; i++) {    /* a) Set Ai=H^r(D||I). (l.e. the rth hash of D||I, H(H(H(...H(D||I)))) */    var buf = new forge.util.ByteBuffer();    buf.putBytes(D.bytes());    buf.putBytes(I.bytes());    for(var round = 0; round < iter; round++) {      md.start();      md.update(buf.getBytes());      buf = md.digest();    }    /* b) Concatenate copies of Ai to create a string B of length v bytes (the          final copy of Ai may be truncated to create B). */    var B = new forge.util.ByteBuffer();    for(l = 0; l < v; l++) {      B.putByte(buf.at(l % u));    }    /* c) Treating I as a concatenation I0, I1, ..., Ik-1 of v-byte blocks,          where k=ceil(s / v) + ceil(p / v), modify I by setting          Ij=(Ij+B+1) mod 2v for each j.  */    var k = Math.ceil(s / v) + Math.ceil(p / v);    var Inew = new forge.util.ByteBuffer();    for(j = 0; j < k; j++) {      var chunk = new forge.util.ByteBuffer(I.getBytes(v));      var x = 0x1ff;      for(l = B.length() - 1; l >= 0; l--) {        x = x >> 8;        x += B.at(l) + chunk.at(l);        chunk.setAt(l, x & 0xff);      }      Inew.putBuffer(chunk);    }    I = Inew;    /* Add Ai to A. */    result.putBuffer(buf);  }  result.truncate(result.length() - n);  return result;};/** * Get new Forge cipher object instance. * * @param oid the OID (in string notation). * @param params the ASN.1 params object. * @param password the password to decrypt with. * * @return new cipher object instance. */pki.pbe.getCipher = function(oid, params, password) {  switch(oid) {  case pki.oids['pkcs5PBES2']:    return pki.pbe.getCipherForPBES2(oid, params, password);  case pki.oids['pbeWithSHAAnd3-KeyTripleDES-CBC']:  case pki.oids['pbewithSHAAnd40BitRC2-CBC']:    return pki.pbe.getCipherForPKCS12PBE(oid, params, password);  default:    var error = new Error('Cannot read encrypted PBE data block. Unsupported OID.');    error.oid = oid;    error.supportedOids = [      'pkcs5PBES2',      'pbeWithSHAAnd3-KeyTripleDES-CBC',      'pbewithSHAAnd40BitRC2-CBC'    ];    throw error;  }};/** * Get new Forge cipher object instance according to PBES2 params block. * * The returned cipher instance is already started using the IV * from PBES2 parameter block. * * @param oid the PKCS#5 PBKDF2 OID (in string notation). * @param params the ASN.1 PBES2-params object. * @param password the password to decrypt with. * * @return new cipher object instance. */pki.pbe.getCipherForPBES2 = function(oid, params, password) {  // get PBE params  var capture = {};  var errors = [];  if(!asn1.validate(params, PBES2AlgorithmsValidator, capture, errors)) {    var error = new Error('Cannot read password-based-encryption algorithm ' +      'parameters. ASN.1 object is not a supported EncryptedPrivateKeyInfo.');    error.errors = errors;    throw error;  }  // check oids  oid = asn1.derToOid(capture.kdfOid);  if(oid !== pki.oids['pkcs5PBKDF2']) {    var error = new Error('Cannot read encrypted private key. ' +      'Unsupported key derivation function OID.');    error.oid = oid;    error.supportedOids = ['pkcs5PBKDF2'];    throw error;  }  oid = asn1.derToOid(capture.encOid);  if(oid !== pki.oids['aes128-CBC'] &&    oid !== pki.oids['aes192-CBC'] &&    oid !== pki.oids['aes256-CBC'] &&    oid !== pki.oids['des-EDE3-CBC'] &&    oid !== pki.oids['desCBC']) {    var error = new Error('Cannot read encrypted private key. ' +      'Unsupported encryption scheme OID.');    error.oid = oid;    error.supportedOids = [      'aes128-CBC', 'aes192-CBC', 'aes256-CBC', 'des-EDE3-CBC', 'desCBC'];    throw error;  }  // set PBE params  var salt = capture.kdfSalt;  var count = forge.util.createBuffer(capture.kdfIterationCount);  count = count.getInt(count.length() << 3);  var dkLen;  var cipherFn;  switch(pki.oids[oid]) {  case 'aes128-CBC':    dkLen = 16;    cipherFn = forge.aes.createDecryptionCipher;    break;  case 'aes192-CBC':    dkLen = 24;    cipherFn = forge.aes.createDecryptionCipher;    break;  case 'aes256-CBC':    dkLen = 32;    cipherFn = forge.aes.createDecryptionCipher;    break;  case 'des-EDE3-CBC':    dkLen = 24;    cipherFn = forge.des.createDecryptionCipher;    break;  case 'desCBC':    dkLen = 8;    cipherFn = forge.des.createDecryptionCipher;    break;  }  // get PRF message digest  var md = prfOidToMessageDigest(capture.prfOid);  // decrypt private key using pbe with chosen PRF and AES/DES  var dk = forge.pkcs5.pbkdf2(password, salt, count, dkLen, md);  var iv = capture.encIv;  var cipher = cipherFn(dk);  cipher.start(iv);  return cipher;};/** * Get new Forge cipher object instance for PKCS#12 PBE. * * The returned cipher instance is already started using the key & IV * derived from the provided password and PKCS#12 PBE salt. * * @param oid The PKCS#12 PBE OID (in string notation). * @param params The ASN.1 PKCS#12 PBE-params object. * @param password The password to decrypt with. * * @return the new cipher object instance. */pki.pbe.getCipherForPKCS12PBE = function(oid, params, password) {  // get PBE params  var capture = {};  var errors = [];  if(!asn1.validate(params, pkcs12PbeParamsValidator, capture, errors)) {    var error = new Error('Cannot read password-based-encryption algorithm ' +      'parameters. ASN.1 object is not a supported EncryptedPrivateKeyInfo.');    error.errors = errors;    throw error;  }  var salt = forge.util.createBuffer(capture.salt);  var count = forge.util.createBuffer(capture.iterations);  count = count.getInt(count.length() << 3);  var dkLen, dIvLen, cipherFn;  switch(oid) {    case pki.oids['pbeWithSHAAnd3-KeyTripleDES-CBC']:      dkLen = 24;      dIvLen = 8;      cipherFn = forge.des.startDecrypting;      break;    case pki.oids['pbewithSHAAnd40BitRC2-CBC']:      dkLen = 5;      dIvLen = 8;      cipherFn = function(key, iv) {        var cipher = forge.rc2.createDecryptionCipher(key, 40);        cipher.start(iv, null);        return cipher;      };      break;    default:      var error = new Error('Cannot read PKCS #12 PBE data block. Unsupported OID.');      error.oid = oid;      throw error;  }  // get PRF message digest  var md = prfOidToMessageDigest(capture.prfOid);  var key = pki.pbe.generatePkcs12Key(password, salt, 1, count, dkLen, md);  md.start();  var iv = pki.pbe.generatePkcs12Key(password, salt, 2, count, dIvLen, md);  return cipherFn(key, iv);};/** * OpenSSL's legacy key derivation function. * * See: http://www.openssl.org/docs/crypto/EVP_BytesToKey.html * * @param password the password to derive the key from. * @param salt the salt to use, null for none. * @param dkLen the number of bytes needed for the derived key. * @param [options] the options to use: *          [md] an optional message digest object to use. */pki.pbe.opensslDeriveBytes = function(password, salt, dkLen, md) {  if(typeof md === 'undefined' || md === null) {    if(!('md5' in forge.md)) {      throw new Error('"md5" hash algorithm unavailable.');    }    md = forge.md.md5.create();  }  if(salt === null) {    salt = '';  }  var digests = [hash(md, password + salt)];  for(var length = 16, i = 1; length < dkLen; ++i, length += 16) {    digests.push(hash(md, digests[i - 1] + password + salt));  }  return digests.join('').substr(0, dkLen);};function hash(md, bytes) {  return md.start().update(bytes).digest().getBytes();}function prfOidToMessageDigest(prfOid) {  // get PRF algorithm, default to SHA-1  var prfAlgorithm;  if(!prfOid) {    prfAlgorithm = 'hmacWithSHA1';  } else {    prfAlgorithm = pki.oids[asn1.derToOid(prfOid)];    if(!prfAlgorithm) {      var error = new Error('Unsupported PRF OID.');      error.oid = prfOid;      error.supported = [        'hmacWithSHA1', 'hmacWithSHA224', 'hmacWithSHA256', 'hmacWithSHA384',        'hmacWithSHA512'];      throw error;    }  }  return prfAlgorithmToMessageDigest(prfAlgorithm);}function prfAlgorithmToMessageDigest(prfAlgorithm) {  var factory = forge.md;  switch(prfAlgorithm) {  case 'hmacWithSHA224':    factory = forge.md.sha512;  case 'hmacWithSHA1':  case 'hmacWithSHA256':  case 'hmacWithSHA384':  case 'hmacWithSHA512':    prfAlgorithm = prfAlgorithm.substr(8).toLowerCase();    break;  default:    var error = new Error('Unsupported PRF algorithm.');    error.algorithm = prfAlgorithm;    error.supported = [      'hmacWithSHA1', 'hmacWithSHA224', 'hmacWithSHA256', 'hmacWithSHA384',      'hmacWithSHA512'];    throw error;  }  if(!factory || !(prfAlgorithm in factory)) {    throw new Error('Unknown hash algorithm: ' + prfAlgorithm);  }  return factory[prfAlgorithm].create();}function createPbkdf2Params(salt, countBytes, dkLen, prfAlgorithm) {  var params = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [    // salt    asn1.create(      asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, salt),    // iteration count    asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,      countBytes.getBytes())  ]);  // when PRF algorithm is not SHA-1 default, add key length and PRF algorithm  if(prfAlgorithm !== 'hmacWithSHA1') {    params.value.push(      // key length      asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,        forge.util.hexToBytes(dkLen.toString(16))),      // AlgorithmIdentifier      asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [        // algorithm        asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false,          asn1.oidToDer(pki.oids[prfAlgorithm]).getBytes()),        // parameters (null)        asn1.create(asn1.Class.UNIVERSAL, asn1.Type.NULL, false, '')      ]));  }  return params;}
 |