1// Copyright 2015 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package pkcs12
6
7import (
8 "bytes"
9 "crypto/sha1"
10 "math/big"
11)
12
13var (
14 one = big.NewInt(1)
15)
16
17// sha1Sum returns the SHA-1 hash of in.
18func sha1Sum(in []byte) []byte {
19 sum := sha1.Sum(in)
20 return sum[:]
21}
22
23// fillWithRepeats returns v*ceiling(len(pattern) / v) bytes consisting of
24// repeats of pattern.
25func fillWithRepeats(pattern []byte, v int) []byte {
26 if len(pattern) == 0 {
27 return nil
28 }
29 outputLen := v * ((len(pattern) + v - 1) / v)
30 return bytes.Repeat(pattern, (outputLen+len(pattern)-1)/len(pattern))[:outputLen]
31}
32
33func pbkdf(hash func([]byte) []byte, u, v int, salt, password []byte, r int, ID byte, size int) (key []byte) {
34 // implementation of https://tools.ietf.org/html/rfc7292#appendix-B.2 , RFC text verbatim in comments
35
36 // Let H be a hash function built around a compression function f:
37
38 // Z_2^u x Z_2^v -> Z_2^u
39
40 // (that is, H has a chaining variable and output of length u bits, and
41 // the message input to the compression function of H is v bits). The
42 // values for u and v are as follows:
43
44 // HASH FUNCTION VALUE u VALUE v
45 // MD2, MD5 128 512
46 // SHA-1 160 512
47 // SHA-224 224 512
48 // SHA-256 256 512
49 // SHA-384 384 1024
50 // SHA-512 512 1024
51 // SHA-512/224 224 1024
52 // SHA-512/256 256 1024
53
54 // Furthermore, let r be the iteration count.
55
56 // We assume here that u and v are both multiples of 8, as are the
57 // lengths of the password and salt strings (which we denote by p and s,
58 // respectively) and the number n of pseudorandom bits required. In
59 // addition, u and v are of course non-zero.
60
61 // For information on security considerations for MD5 [19], see [25] and
62 // [1], and on those for MD2, see [18].
63
64 // The following procedure can be used to produce pseudorandom bits for
65 // a particular "purpose" that is identified by a byte called "ID".
66 // This standard specifies 3 different values for the ID byte:
67
68 // 1. If ID=1, then the pseudorandom bits being produced are to be used
69 // as key material for performing encryption or decryption.
70
71 // 2. If ID=2, then the pseudorandom bits being produced are to be used
72 // as an IV (Initial Value) for encryption or decryption.
73
74 // 3. If ID=3, then the pseudorandom bits being produced are to be used
75 // as an integrity key for MACing.
76
77 // 1. Construct a string, D (the "diversifier"), by concatenating v/8
78 // copies of ID.
79 var D []byte
80 for i := 0; i < v; i++ {
81 D = append(D, ID)
82 }
83
84 // 2. Concatenate copies of the salt together to create a string S of
85 // length v(ceiling(s/v)) bits (the final copy of the salt may be
86 // truncated to create S). Note that if the salt is the empty
87 // string, then so is S.
88
89 S := fillWithRepeats(salt, v)
90
91 // 3. Concatenate copies of the password together to create a string P
92 // of length v(ceiling(p/v)) bits (the final copy of the password
93 // may be truncated to create P). Note that if the password is the
94 // empty string, then so is P.
95
96 P := fillWithRepeats(password, v)
97
98 // 4. Set I=S||P to be the concatenation of S and P.
99 I := append(S, P...)
100
101 // 5. Set c=ceiling(n/u).
102 c := (size + u - 1) / u
103
104 // 6. For i=1, 2, ..., c, do the following:
105 A := make([]byte, c*20)
106 var IjBuf []byte
107 for i := 0; i < c; i++ {
108 // A. Set A2=H^r(D||I). (i.e., the r-th hash of D||1,
109 // H(H(H(... H(D||I))))
110 Ai := hash(append(D, I...))
111 for j := 1; j < r; j++ {
112 Ai = hash(Ai)
113 }
114 copy(A[i*20:], Ai[:])
115
116 if i < c-1 { // skip on last iteration
117 // B. Concatenate copies of Ai to create a string B of length v
118 // bits (the final copy of Ai may be truncated to create B).
119 var B []byte
120 for len(B) < v {
121 B = append(B, Ai[:]...)
122 }
123 B = B[:v]
124
125 // C. Treating I as a concatenation I_0, I_1, ..., I_(k-1) of v-bit
126 // blocks, where k=ceiling(s/v)+ceiling(p/v), modify I by
127 // setting I_j=(I_j+B+1) mod 2^v for each j.
128 {
129 Bbi := new(big.Int).SetBytes(B)
130 Ij := new(big.Int)
131
132 for j := 0; j < len(I)/v; j++ {
133 Ij.SetBytes(I[j*v : (j+1)*v])
134 Ij.Add(Ij, Bbi)
135 Ij.Add(Ij, one)
136 Ijb := Ij.Bytes()
137 // We expect Ijb to be exactly v bytes,
138 // if it is longer or shorter we must
139 // adjust it accordingly.
140 if len(Ijb) > v {
141 Ijb = Ijb[len(Ijb)-v:]
142 }
143 if len(Ijb) < v {
144 if IjBuf == nil {
145 IjBuf = make([]byte, v)
146 }
147 bytesShort := v - len(Ijb)
148 for i := 0; i < bytesShort; i++ {
149 IjBuf[i] = 0
150 }
151 copy(IjBuf[bytesShort:], Ijb)
152 Ijb = IjBuf
153 }
154 copy(I[j*v:(j+1)*v], Ijb)
155 }
156 }
157 }
158 }
159 // 7. Concatenate A_1, A_2, ..., A_c together to form a pseudorandom
160 // bit string, A.
161
162 // 8. Use the first n bits of A as the output of this entire process.
163 return A[:size]
164
165 // If the above process is being used to generate a DES key, the process
166 // should be used to create 64 random bits, and the key's parity bits
167 // should be set after the 64 bits have been produced. Similar concerns
168 // hold for 2-key and 3-key triple-DES keys, for CDMF keys, and for any
169 // similar keys with parity bits "built into them".
170}