UNPKG

@noble/hashes

Version:

Audited & minimal 0-dependency JS implementation of SHA, RIPEMD, BLAKE, HMAC, HKDF, PBKDF & Scrypt

paulmillr.com/noble/

paulmillr/noble-hashes

83 lines 3.55 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
/** * HKDF (RFC 5869): extract + expand in one step. * See https://soatok.blog/2021/11/17/understanding-hkdf/. * @module */ import { ahash, anumber } from './_assert.js'; import { hmac } from './hmac.js'; import { toBytes } from './utils.js'; /** * HKDF-extract from spec. Less important part. `HKDF-Extract(IKM, salt) -> PRK` * Arguments position differs from spec (IKM is first one, since it is not optional) * @param hash - hash function that would be used (e.g. sha256) * @param ikm - input keying material, the initial key * @param salt - optional salt value (a non-secret random value) */ export function extract(hash, ikm, salt) { ahash(hash); // NOTE: some libraries treat zero-length array as 'not provided'; // we don't, since we have undefined as 'not provided' // https://github.com/RustCrypto/KDFs/issues/15 if (salt === undefined) salt = new Uint8Array(hash.outputLen); return hmac(hash, toBytes(salt), toBytes(ikm)); } const HKDF_COUNTER = /* @__PURE__ */ new Uint8Array([0]); const EMPTY_BUFFER = /* @__PURE__ */ new Uint8Array(); /** * HKDF-expand from the spec. The most important part. `HKDF-Expand(PRK, info, L) -> OKM` * @param hash - hash function that would be used (e.g. sha256) * @param prk - a pseudorandom key of at least HashLen octets (usually, the output from the extract step) * @param info - optional context and application specific information (can be a zero-length string) * @param length - length of output keying material in bytes */ export function expand(hash, prk, info, length = 32) { ahash(hash); anumber(length); if (length > 255 * hash.outputLen) throw new Error('Length should be <= 255*HashLen'); const blocks = Math.ceil(length / hash.outputLen); if (info === undefined) info = EMPTY_BUFFER; // first L(ength) octets of T const okm = new Uint8Array(blocks * hash.outputLen); // Re-use HMAC instance between blocks const HMAC = hmac.create(hash, prk); const HMACTmp = HMAC._cloneInto(); const T = new Uint8Array(HMAC.outputLen); for (let counter = 0; counter < blocks; counter++) { HKDF_COUNTER[0] = counter + 1; // T(0) = empty string (zero length) // T(N) = HMAC-Hash(PRK, T(N-1) | info | N) HMACTmp.update(counter === 0 ? EMPTY_BUFFER : T) .update(info) .update(HKDF_COUNTER) .digestInto(T); okm.set(T, hash.outputLen * counter); HMAC._cloneInto(HMACTmp); } HMAC.destroy(); HMACTmp.destroy(); T.fill(0); HKDF_COUNTER.fill(0); return okm.slice(0, length); } /** * HKDF (RFC 5869): derive keys from an initial input. * Combines hkdf_extract + hkdf_expand in one step * @param hash - hash function that would be used (e.g. sha256) * @param ikm - input keying material, the initial key * @param salt - optional salt value (a non-secret random value) * @param info - optional context and application specific information (can be a zero-length string) * @param length - length of output keying material in bytes * @example * import { hkdf } from '@noble/hashes/hkdf'; * import { sha256 } from '@noble/hashes/sha2'; * import { randomBytes } from '@noble/hashes/utils'; * const inputKey = randomBytes(32); * const salt = randomBytes(32); * const info = 'application-key'; * const hk1 = hkdf(sha256, inputKey, salt, info, 32); */ export const hkdf = (hash, ikm, salt, info, length) => expand(hash, extract(hash, ikm, salt), info, length); //# sourceMappingURL=hkdf.js.map