UNPKG

fortify2-js

Version:

MOST POWERFUL JavaScript Security Library! Military-grade cryptography + 19 enhanced object methods + quantum-resistant algorithms + perfect TypeScript support. More powerful than Lodash with built-in security.

lab.nehonix.space/nehonix_viewer/_doc/Nehonix%20FortifyJs/readme.md

nehonix/FortifyJS

320 lines (314 loc) 11.7 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
'use strict'; var crypto = require('crypto'); var registry = require('../../../algorithms/registry.js'); var CryptoAlgorithmUtils = require('../../../utils/CryptoAlgorithmUtils.js'); function _interopNamespaceDefault(e) { var n = Object.create(null); if (e) { Object.keys(e).forEach(function (k) { if (k !== 'default') { var d = Object.getOwnPropertyDescriptor(e, k); Object.defineProperty(n, k, d.get ? d : { enumerable: true, get: function () { return e[k]; } }); } }); } n.default = e; return Object.freeze(n); } var crypto__namespace = /*#__PURE__*/_interopNamespaceDefault(crypto); /** * Cryptographic Operations Module * Handles hashing, HMAC, and key derivation for SecureString */ /** * Handles cryptographic operations for SecureString */ class CryptoOperations { /** * Creates a hash of the string content */ static async hash(content, algorithm = "SHA-256", format = "hex") { // Validate algorithm const validatedAlgorithm = CryptoAlgorithmUtils.CryptoAlgorithmUtils.validateAlgorithm(algorithm); const encoder = new TextEncoder(); const data = encoder.encode(content); const hashBuffer = await crypto__namespace.subtle.digest(validatedAlgorithm, data); const hashArray = new Uint8Array(hashBuffer); return this.formatHash(hashArray, format); } /** * Creates an HMAC of the string content */ static async hmac(content, options, format = "hex") { const { key, algorithm } = options; // Validate algorithm if (!CryptoAlgorithmUtils.CryptoAlgorithmUtils.isSupported(algorithm)) { throw new Error(`Unsupported HMAC algorithm: ${algorithm}`); } // Prepare key let keyData; if (typeof key === "string") { keyData = new TextEncoder().encode(key); } else if (this.isSecureString(key)) { keyData = new TextEncoder().encode(key.toString()); } else { keyData = key; } // Extract hash algorithm from HMAC algorithm const hashAlgorithm = algorithm.replace("HMAC-", ""); // Import key const cryptoKey = await crypto__namespace.subtle.importKey("raw", keyData, { name: "HMAC", hash: hashAlgorithm }, false, ["sign"]); // Sign data const data = new TextEncoder().encode(content); const signature = await crypto__namespace.subtle.sign("HMAC", cryptoKey, data); const signatureArray = new Uint8Array(signature); return this.formatHash(signatureArray, format); } /** * Derives a key using PBKDF2 */ static async deriveKeyPBKDF2(content, options, format = "hex") { const { salt, iterations, keyLength, hash } = options; // Validate parameters if (iterations < 1000) { console.warn("Warning: PBKDF2 iterations should be at least 1000 for security"); } // Prepare salt const saltData = typeof salt === "string" ? new TextEncoder().encode(salt) : salt; // Import password const passwordKey = await crypto__namespace.subtle.importKey("raw", new TextEncoder().encode(content), "PBKDF2", false, ["deriveBits"]); // Derive key const derivedBits = await crypto__namespace.subtle.deriveBits({ name: "PBKDF2", salt: saltData, iterations: iterations, hash: hash, }, passwordKey, keyLength * 8 // Convert bytes to bits ); const derivedArray = new Uint8Array(derivedBits); return this.formatHash(derivedArray, format); } /** * Derives a key using scrypt (Node.js only) */ static async deriveKeyScrypt(content, salt, keyLength = 32, options = {}, format = "hex") { const { N = 16384, r = 8, p = 1 } = options; return new Promise((resolve, reject) => { const saltData = typeof salt === "string" ? Buffer.from(salt, "utf8") : Buffer.from(salt); crypto__namespace.scrypt(content, saltData, keyLength, { N, r, p }, (err, derivedKey) => { if (err) { reject(err); return; } const derivedArray = new Uint8Array(derivedKey); resolve(this.formatHash(derivedArray, format)); }); }); } /** * Derives a key using Argon2 (with fallback to PBKDF2) */ static async deriveKeyArgon2(content, salt, keyLength = 32, options = {}, format = "hex") { const { type = "argon2id", memoryCost = 65536, timeCost = 3, parallelism = 1, } = options; // Try to use Argon2 library if available try { // Check if argon2 is available (common library names) let argon2; try { argon2 = require("argon2"); } catch { try { argon2 = require("@node-rs/argon2"); } catch { try { argon2 = require("argon2-browser"); } catch { // No Argon2 library found, fall back to PBKDF2 console.warn("Argon2 library not found, falling back to PBKDF2"); return this.deriveKeyPBKDF2(content, { salt, iterations: 100000, keyLength, hash: "SHA-256", }, format); } } } // Use the Argon2 library const saltBuffer = typeof salt === "string" ? Buffer.from(salt, "utf8") : Buffer.from(salt); let hashResult; if (argon2.hash) { // Standard argon2 library const hashOptions = { type: argon2[type.toUpperCase()] || argon2.argon2id, memoryCost, timeCost, parallelism, hashLength: keyLength, salt: saltBuffer, raw: true, }; hashResult = await argon2.hash(content, hashOptions); } else if (argon2.argon2id || argon2.argon2i || argon2.argon2d) { // @node-rs/argon2 library const hashFunction = argon2[type] || argon2.argon2id; hashResult = await hashFunction(Buffer.from(content, "utf8"), saltBuffer, { memoryCost, timeCost, parallelism, outputLen: keyLength, }); } else { // Fallback to PBKDF2 if Argon2 interface is not recognized console.warn("Unrecognized Argon2 library interface, falling back to PBKDF2"); return this.deriveKeyPBKDF2(content, { salt, iterations: 100000, keyLength, hash: "SHA-256", }, format); } const derivedArray = new Uint8Array(hashResult); return this.formatHash(derivedArray, format); } catch (error) { // If Argon2 fails for any reason, fall back to PBKDF2 console.warn("Argon2 operation failed, falling back to PBKDF2:", error); return this.deriveKeyPBKDF2(content, { salt, iterations: 100000, keyLength, hash: "SHA-256", }, format); } } /** * Generates a cryptographically secure salt */ static generateSalt(length = 32) { return crypto__namespace.getRandomValues(new Uint8Array(length)); } /** * Generates a cryptographically secure salt as hex string */ static generateSaltHex(length = 32) { const salt = this.generateSalt(length); return this.formatHash(salt, "hex"); } /** * Generates a cryptographically secure salt as base64 string */ static generateSaltBase64(length = 32) { const salt = this.generateSalt(length); return this.formatHash(salt, "base64"); } /** * Formats hash output according to specified format */ static formatHash(hashArray, format) { switch (format) { case "hex": return Array.from(hashArray) .map((b) => b.toString(16).padStart(2, "0")) .join(""); case "base64": return btoa(String.fromCharCode(...hashArray)); case "base64url": return btoa(String.fromCharCode(...hashArray)) .replace(/\+/g, "-") .replace(/\//g, "_") .replace(/=/g, ""); case "uint8array": return hashArray; default: throw new Error(`Unsupported hash format: ${format}`); } } /** * Checks if a value is a SecureString instance */ static isSecureString(value) { return (value && typeof value === "object" && typeof value.toString === "function"); } /** * Gets information about available algorithms */ static getAlgorithmInfo() { return { ...registry.ALGORITHM_REGISTRY }; } /** * Lists all supported hash algorithms */ static getSupportedHashAlgorithms() { return ["SHA-1", "SHA-256", "SHA-384", "SHA-512"]; } /** * Lists all supported HMAC algorithms */ static getSupportedHMACAlgorithms() { return ["HMAC-SHA-1", "HMAC-SHA-256", "HMAC-SHA-384", "HMAC-SHA-512"]; } /** * Validates if an algorithm is supported */ static isAlgorithmSupported(algorithm) { return CryptoAlgorithmUtils.CryptoAlgorithmUtils.isSupported(algorithm); } /** * Gets algorithm information for a specific algorithm */ static getAlgorithmDetails(algorithm) { return registry.ALGORITHM_REGISTRY[algorithm]; } /** * Compares two hashes in constant time */ static constantTimeHashCompare(hash1, hash2) { if (hash1.length !== hash2.length) { return false; } let result = 0; for (let i = 0; i < hash1.length; i++) { result |= hash1.charCodeAt(i) ^ hash2.charCodeAt(i); } return result === 0; } /** * Verifies a hash against content */ static async verifyHash(content, expectedHash, algorithm = "SHA-256", format = "hex") { const actualHash = await this.hash(content, algorithm, format); if (typeof actualHash !== "string") { throw new Error("Hash verification requires string format"); } return this.constantTimeHashCompare(actualHash, expectedHash); } /** * Verifies an HMAC against content */ static async verifyHMAC(content, expectedHMAC, options, format = "hex") { const actualHMAC = await this.hmac(content, options, format); if (typeof actualHMAC !== "string") { throw new Error("HMAC verification requires string format"); } return this.constantTimeHashCompare(actualHMAC, expectedHMAC); } } exports.CryptoOperations = CryptoOperations; //# sourceMappingURL=crypto-operations.js.map