aspnet_password_hasher 1.0.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: b06e4dc5a1b9d924d3ab268a0558d86411b66f321cdc4dbbf1231875d7f8f967
4
+ data.tar.gz: 30a00eaece15084ac2422c48b9675be4e38b481513a05023f400507b0bac2c81
5
+ SHA512:
6
+ metadata.gz: 21390413464568ba498eca11652e1d7a48d604331da2d04de19d1e70236850396a862514ccf02011a1b5388e6eae1da4189120193bc6ded573b5e8f35a5819e2
7
+ data.tar.gz: 11c9ed3b3bc76420f9e8ab9ab8b29dba7b1541ea3bcf771f6f96f50d17c8a7ece344fc7775cd9f1b999bf15ac23413f099f56bb2cce0206283336690d32522c5
@@ -0,0 +1,39 @@
1
+ name: CI
2
+
3
+ on:
4
+ push:
5
+ pull_request:
6
+ schedule:
7
+ - cron: '0 0 * * 0'
8
+
9
+ jobs:
10
+ test:
11
+ runs-on: ubuntu-latest
12
+ strategy:
13
+ matrix:
14
+ ruby_version: [3.0, 2.7, 2.6, 2.5, 2.4]
15
+
16
+ steps:
17
+ - uses: actions/checkout@v2
18
+
19
+ - name: Setup Ruby
20
+ uses: ruby/setup-ruby@v1
21
+ with:
22
+ ruby-version: ${{ matrix.ruby_version }}
23
+
24
+ - name: Run test
25
+ run: |
26
+ bundle update
27
+ bundle exec rake
28
+
29
+ - name: Upload coverage
30
+ uses: actions/upload-artifact@v2
31
+ if: always()
32
+ with:
33
+ name: coverage-ruby-${{ matrix.ruby_version }}
34
+ path: coverage
35
+
36
+ - name: Show coverage
37
+ if: always()
38
+ run: |
39
+ cat coverage/coverage.txt
data/.gitignore ADDED
@@ -0,0 +1,13 @@
1
+ /.bundle/
2
+ /.yardoc
3
+ /_yardoc/
4
+ /coverage/
5
+ /doc/
6
+ /pkg/
7
+ /spec/reports/
8
+ /tmp/
9
+
10
+ # rspec failure tracking
11
+ .rspec_status
12
+
13
+ /Gemfile.lock
data/.rspec ADDED
@@ -0,0 +1,3 @@
1
+ --format documentation
2
+ --color
3
+ --require spec_helper
data/CHANGELOG.md ADDED
@@ -0,0 +1,3 @@
1
+ ## 1.0.0
2
+
3
+ - Initial release
data/Gemfile ADDED
@@ -0,0 +1,12 @@
1
+ # frozen_string_literal: true
2
+
3
+ source "https://rubygems.org"
4
+
5
+ gemspec
6
+
7
+ gem "rake"
8
+
9
+ gem "rspec"
10
+ gem "rspec-parameterized"
11
+ gem "simplecov"
12
+ gem "simplecov-erb"
data/LICENSE.txt ADDED
@@ -0,0 +1,21 @@
1
+ The MIT License (MIT)
2
+
3
+ Copyright (c) 2021 Kazuki Nishikawa
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in
13
+ all copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21
+ THE SOFTWARE.
data/README.md ADDED
@@ -0,0 +1,84 @@
1
+ ![](https://github.com/kzkn/aspnet_password_hasher/workflows/CI/badge.svg)
2
+
3
+ # AspnetPasswordHasher
4
+
5
+ An implementation of password hashing compatible with [ASP.NET Identity PasswordHasher](https://github.com/dotnet/aspnetcore/blob/main/src/Identity/Extensions.Core/src/PasswordHasher.cs).
6
+
7
+ ## Installation
8
+
9
+ Add this line to your application's Gemfile:
10
+
11
+ ```ruby
12
+ gem 'aspnet_password_hasher'
13
+ ```
14
+
15
+ And then execute:
16
+
17
+ $ bundle install
18
+
19
+ Or install it yourself as:
20
+
21
+ $ gem install aspnet_password_hasher
22
+
23
+ ## Usage
24
+
25
+ Password hashing:
26
+
27
+ ```ruby
28
+ hasher = AspnetPasswordHasher::PasswordHasher.new
29
+ raw_password = 'my password'
30
+ hashed_password = hasher.hash_password(raw_password)
31
+ ```
32
+
33
+ Verify password:
34
+
35
+ ```ruby
36
+ hasher = AspnetPasswordHasher::PasswordHasher.new
37
+ raw_password = 'my password'
38
+ hashed_password = hasher.hash_password(raw_password)
39
+ hasher.verify_hashed_password(hashed_password, raw_password) # => :success
40
+ hasher.verify_hashed_password(hashed_password, 'bad password') # => :failed
41
+ ```
42
+
43
+ If a hashed string with a weaker algorithm is given, report it:
44
+ ```ruby
45
+ hasher = AspnetPasswordHasher::PasswordHasher.new
46
+ raw_password = 'my password'
47
+ hashed_password = hasher.hash_password(raw_password)
48
+
49
+ hasher_v2 = AspnetPasswordHasher::PasswordHasher.new(mode: :v2)
50
+ hasher_v2.verify_hashed_password(hashed_password, raw_password) # => :success_rehash_needed
51
+
52
+ hasher_fewer_iters = AspnetPasswordHasher::PasswordHasher.new(iter_count: 100)
53
+ hasher_fewer_iters.verify_hashed_password(hashed_password, raw_password) # => :success_rehash_needed
54
+ ```
55
+
56
+ You can pass parameters similar to PasswordHasher:
57
+
58
+ ```ruby
59
+ # compatibility mode, version 2
60
+ hasher = AspnetPasswordHasher::PasswordHasher.new(mode: :v2)
61
+
62
+ # compatibility mode, version 3 (default)
63
+ hasher = AspnetPasswordHasher::PasswordHasher.new(mode: :v3)
64
+
65
+ # custom iteration count (default is 10000)
66
+ hasher = AspnetPasswordHasher::PasswordHasher.new(iter_count: 99999)
67
+
68
+ # custom random number generator (default is SecureRandom)
69
+ hasher = AspnetPasswordHasher::PasswordHasher.new(random_number_generator: Random.new)
70
+ ```
71
+
72
+ ## Development
73
+
74
+ After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
75
+
76
+ To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
77
+
78
+ ## Contributing
79
+
80
+ Bug reports and pull requests are welcome on GitHub at https://github.com/kzkn/aspnet_password_hasher.
81
+
82
+ ## License
83
+
84
+ The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
data/Rakefile ADDED
@@ -0,0 +1,8 @@
1
+ # frozen_string_literal: true
2
+
3
+ require "bundler/gem_tasks"
4
+ require "rspec/core/rake_task"
5
+
6
+ RSpec::Core::RakeTask.new(:spec)
7
+
8
+ task default: :spec
@@ -0,0 +1,27 @@
1
+ # frozen_string_literal: true
2
+
3
+ require_relative "lib/aspnet_password_hasher/version"
4
+
5
+ Gem::Specification.new do |spec|
6
+ spec.name = "aspnet_password_hasher"
7
+ spec.version = AspnetPasswordHasher::VERSION
8
+ spec.authors = ["Kazuki Nishikawa"]
9
+ spec.email = ["kzkn@users.noreply.github.com"]
10
+
11
+ spec.summary = "An implementation of password hashing compatible with ASP.NET Identity"
12
+ spec.description = "An implementation of password hashing compatible with ASP.NET Identity"
13
+ spec.homepage = "https://github.com/kzkn/aspnet_password_hasher"
14
+ spec.license = "MIT"
15
+ spec.required_ruby_version = Gem::Requirement.new(">= 2.4.0")
16
+
17
+ spec.metadata["homepage_uri"] = spec.homepage
18
+ spec.metadata["source_code_uri"] = "https://github.com/kzkn/aspnet_password_hasher"
19
+ spec.metadata["changelog_uri"] = "https://github.com/kzkn/aspnet_password_hasher/blob/main/CHANGELOG.md"
20
+
21
+ spec.files = Dir.chdir(File.expand_path(__dir__)) do
22
+ `git ls-files -z`.split("\x0").reject { |f| f.match(%r{\A(?:test|spec|features)/}) }
23
+ end
24
+ spec.bindir = "exe"
25
+ spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
26
+ spec.require_paths = ["lib"]
27
+ end
data/bin/console ADDED
@@ -0,0 +1,15 @@
1
+ #!/usr/bin/env ruby
2
+ # frozen_string_literal: true
3
+
4
+ require "bundler/setup"
5
+ require "aspnet_password_hasher"
6
+
7
+ # You can add fixtures and/or initialization code here to make experimenting
8
+ # with your gem easier. You can also use a different console, if you like.
9
+
10
+ # (If you use this, don't forget to add pry to your Gemfile!)
11
+ # require "pry"
12
+ # Pry.start
13
+
14
+ require "irb"
15
+ IRB.start(__FILE__)
data/bin/setup ADDED
@@ -0,0 +1,8 @@
1
+ #!/usr/bin/env bash
2
+ set -euo pipefail
3
+ IFS=$'\n\t'
4
+ set -vx
5
+
6
+ bundle install
7
+
8
+ # Do any other automated setup that you need to do here
@@ -0,0 +1,4 @@
1
+ # frozen_string_literal: true
2
+
3
+ require_relative "aspnet_password_hasher/password_hasher"
4
+ require_relative "aspnet_password_hasher/version"
@@ -0,0 +1,146 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'openssl'
4
+ require 'securerandom'
5
+ require 'base64'
6
+
7
+ module AspnetPasswordHasher
8
+ class PasswordHasher
9
+ def initialize(options = {})
10
+ @mode = options[:mode] || :v3
11
+ @rng = options[:random_number_generator] || SecureRandom
12
+
13
+ case @mode
14
+ when :v2
15
+ @iter_count = 0
16
+ when :v3
17
+ @iter_count = options[:iter_count] || 10000
18
+ if @iter_count < 1
19
+ raise ArgumentError, "Invalid password hasher iteration count"
20
+ end
21
+ else
22
+ raise ArgumentError, "Invalid password hasher compatibility mode"
23
+ end
24
+ end
25
+
26
+ def hash_password(password)
27
+ bytes = case @mode
28
+ when :v2
29
+ hash_password_v2(password)
30
+ when :v3
31
+ hash_password_v3(password)
32
+ end
33
+ Base64.strict_encode64(bytes)
34
+ end
35
+
36
+ def verify_hashed_password(hashed_password, provided_password)
37
+ decoded_hashed_password = Base64.strict_decode64(hashed_password)
38
+ case decoded_hashed_password[0]
39
+ when "\x00"
40
+ # v2
41
+ if verify_hashed_password_v2(decoded_hashed_password, provided_password)
42
+ @mode == :v3 ? :success_rehash_needed : :success
43
+ else
44
+ :failed
45
+ end
46
+ when "\x01"
47
+ # v3
48
+ result, embed_iter_count = verify_hashed_password_v3(decoded_hashed_password, provided_password)
49
+ if result
50
+ embed_iter_count < @iter_count ? :success_rehash_needed : :success
51
+ else
52
+ :failed
53
+ end
54
+ else
55
+ :failed
56
+ end
57
+ end
58
+
59
+ private
60
+
61
+ def hash_password_v2(password)
62
+ iter_count = 1000 # default for Rfc2898DeriveBytes
63
+ subkey_len = 256 / 8 # 256 bits
64
+ salt_size = 128 / 8 # 128 bits
65
+
66
+ salt = @rng.bytes(salt_size)
67
+ digest = OpenSSL::Digest::SHA1.new
68
+ subkey = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iter_count, subkey_len, digest)
69
+
70
+ output_bytes = String.new
71
+ output_bytes << "\x00" # format marker
72
+ output_bytes << salt
73
+ output_bytes << subkey
74
+ output_bytes
75
+ end
76
+
77
+ def hash_password_v3(password)
78
+ prf = 1 # HMACSHA256
79
+ salt_size = 128 / 8
80
+ num_bytes_requested = 256 / 8
81
+
82
+ salt = @rng.bytes(salt_size)
83
+ digest = OpenSSL::Digest::SHA256.new
84
+ subkey = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, @iter_count, num_bytes_requested, digest)
85
+
86
+ output_bytes = String.new
87
+ output_bytes << "\x01" # format marker
88
+ [prf].pack('N', buffer: output_bytes)
89
+ [@iter_count].pack('N', buffer: output_bytes)
90
+ [salt_size].pack('N', buffer: output_bytes)
91
+ output_bytes << salt
92
+ output_bytes << subkey
93
+ output_bytes
94
+ end
95
+
96
+ def verify_hashed_password_v2(hashed_password, password)
97
+ iter_count = 1000 # default for Rfc2898DeriveBytes
98
+ subkey_len = 256 / 8 # 256 bits
99
+ salt_size = 128 / 8 # 128 bits
100
+
101
+ if hashed_password.length != 1 + subkey_len + salt_size
102
+ return false # bad size
103
+ end
104
+
105
+ salt = hashed_password[1..salt_size]
106
+ expected_subkey = hashed_password[(salt_size + 1)...hashed_password.length]
107
+
108
+ digest = OpenSSL::Digest::SHA1.new
109
+ actual_subkey = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iter_count, subkey_len, digest)
110
+ expected_subkey == actual_subkey
111
+ end
112
+
113
+ def verify_hashed_password_v3(hashed_password, password)
114
+ prf = hashed_password[1..4].unpack('N')[0]
115
+ iter_count = hashed_password[5..8].unpack('N')[0]
116
+ salt_len = hashed_password[9..12].unpack('N')[0]
117
+ # salt must be >= 128 bits
118
+ if salt_len < 128 / 8
119
+ return [false, nil]
120
+ end
121
+
122
+ salt = hashed_password[13...(13 + salt_len)]
123
+ subkey_len = hashed_password.length - 13 - salt_len
124
+ # subkey must by >= 128 bits
125
+ if subkey_len < 128 / 8
126
+ return [false, nil]
127
+ end
128
+
129
+ expected_subkey = hashed_password[(13 + salt_len)...hashed_password.length]
130
+
131
+ digest = case prf
132
+ when 0
133
+ OpenSSL::Digest::SHA1.new
134
+ when 1
135
+ OpenSSL::Digest::SHA256.new
136
+ when 2
137
+ OpenSSL::Digest::SHA512.new
138
+ end
139
+ actual_subkey = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iter_count, subkey_len, digest)
140
+
141
+ [expected_subkey == actual_subkey, iter_count]
142
+ rescue StandardError
143
+ [false, nil]
144
+ end
145
+ end
146
+ end
@@ -0,0 +1,5 @@
1
+ # frozen_string_literal: true
2
+
3
+ module AspnetPasswordHasher
4
+ VERSION = "1.0.0"
5
+ end
metadata ADDED
@@ -0,0 +1,60 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: aspnet_password_hasher
3
+ version: !ruby/object:Gem::Version
4
+ version: 1.0.0
5
+ platform: ruby
6
+ authors:
7
+ - Kazuki Nishikawa
8
+ autorequire:
9
+ bindir: exe
10
+ cert_chain: []
11
+ date: 2021-07-01 00:00:00.000000000 Z
12
+ dependencies: []
13
+ description: An implementation of password hashing compatible with ASP.NET Identity
14
+ email:
15
+ - kzkn@users.noreply.github.com
16
+ executables: []
17
+ extensions: []
18
+ extra_rdoc_files: []
19
+ files:
20
+ - ".github/workflows/ci.yml"
21
+ - ".gitignore"
22
+ - ".rspec"
23
+ - CHANGELOG.md
24
+ - Gemfile
25
+ - LICENSE.txt
26
+ - README.md
27
+ - Rakefile
28
+ - aspnet_password_hasher.gemspec
29
+ - bin/console
30
+ - bin/setup
31
+ - lib/aspnet_password_hasher.rb
32
+ - lib/aspnet_password_hasher/password_hasher.rb
33
+ - lib/aspnet_password_hasher/version.rb
34
+ homepage: https://github.com/kzkn/aspnet_password_hasher
35
+ licenses:
36
+ - MIT
37
+ metadata:
38
+ homepage_uri: https://github.com/kzkn/aspnet_password_hasher
39
+ source_code_uri: https://github.com/kzkn/aspnet_password_hasher
40
+ changelog_uri: https://github.com/kzkn/aspnet_password_hasher/blob/main/CHANGELOG.md
41
+ post_install_message:
42
+ rdoc_options: []
43
+ require_paths:
44
+ - lib
45
+ required_ruby_version: !ruby/object:Gem::Requirement
46
+ requirements:
47
+ - - ">="
48
+ - !ruby/object:Gem::Version
49
+ version: 2.4.0
50
+ required_rubygems_version: !ruby/object:Gem::Requirement
51
+ requirements:
52
+ - - ">="
53
+ - !ruby/object:Gem::Version
54
+ version: '0'
55
+ requirements: []
56
+ rubygems_version: 3.1.4
57
+ signing_key:
58
+ specification_version: 4
59
+ summary: An implementation of password hashing compatible with ASP.NET Identity
60
+ test_files: []