dignity.js 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -2454,7 +2454,8 @@ var require_message_security_service = __commonJS({
2454
2454
  broadcastPasswords: {},
2455
2455
  resolveBroadcastPassword: null,
2456
2456
  powSteps: 22,
2457
- trustedPeerKeys: {}
2457
+ trustedPeerKeys: {},
2458
+ kdfIterations: 1e5
2458
2459
  };
2459
2460
  function stableStringify(value) {
2460
2461
  if (value === null || typeof value !== "object") {
@@ -2481,6 +2482,33 @@ var require_message_security_service = __commonJS({
2481
2482
  function utf8ToBytes(value) {
2482
2483
  return naclUtil.decodeUTF8(value);
2483
2484
  }
2485
+ async function deriveBroadcastKey(password, salt, iterations) {
2486
+ const subtle = globalThis.crypto && globalThis.crypto.subtle;
2487
+ if (subtle) {
2488
+ const keyMaterial = await subtle.importKey(
2489
+ "raw",
2490
+ utf8ToBytes(password),
2491
+ "PBKDF2",
2492
+ false,
2493
+ ["deriveBits"]
2494
+ );
2495
+ const bits = await subtle.deriveBits(
2496
+ { name: "PBKDF2", salt, iterations, hash: "SHA-256" },
2497
+ keyMaterial,
2498
+ 256
2499
+ );
2500
+ return new Uint8Array(bits);
2501
+ }
2502
+ try {
2503
+ const { pbkdf2Sync } = __require("crypto");
2504
+ return new Uint8Array(pbkdf2Sync(password, Buffer.from(salt), iterations, 32, "sha256"));
2505
+ } catch (_ignored) {
2506
+ return hash32(concatBytes(utf8ToBytes(password), salt));
2507
+ }
2508
+ }
2509
+ function legacyBroadcastKey(password, salt) {
2510
+ return hash32(concatBytes(utf8ToBytes(password), salt));
2511
+ }
2484
2512
  function normalizePeerPublicKey(publicKey) {
2485
2513
  if (!publicKey || typeof publicKey !== "object") {
2486
2514
  throw new Error("Public key must be an object with signingPublicKey and encryptionPublicKey");
@@ -2641,7 +2669,7 @@ var require_message_security_service = __commonJS({
2641
2669
  if (envelope.security && envelope.security.signing && envelope.security.signing.enabled && this.options.signingEnabled) {
2642
2670
  this.verifySignature(envelope);
2643
2671
  }
2644
- const payload = this.decryptPayload(envelope);
2672
+ const payload = await this.decryptPayload(envelope);
2645
2673
  return {
2646
2674
  ignored: false,
2647
2675
  messageType: envelope.messageType,
@@ -2706,7 +2734,8 @@ var require_message_security_service = __commonJS({
2706
2734
  const nonce = nacl.randomBytes(nacl.secretbox.nonceLength);
2707
2735
  const salt = nacl.randomBytes(16);
2708
2736
  const password = this.resolveBroadcastPassword(scope);
2709
- const key = hash32(concatBytes(utf8ToBytes(password), salt));
2737
+ const iterations = this.options.kdfIterations || DEFAULT_SECURITY_OPTIONS.kdfIterations;
2738
+ const key = await deriveBroadcastKey(password, salt, iterations);
2710
2739
  const encrypted = nacl.secretbox(plainText, nonce, key);
2711
2740
  return {
2712
2741
  payload: naclUtil.encodeBase64(encrypted),
@@ -2715,11 +2744,13 @@ var require_message_security_service = __commonJS({
2715
2744
  mode: "broadcast",
2716
2745
  scope,
2717
2746
  nonce: naclUtil.encodeBase64(nonce),
2718
- salt: naclUtil.encodeBase64(salt)
2747
+ salt: naclUtil.encodeBase64(salt),
2748
+ kdf: "pbkdf2",
2749
+ kdfIterations: iterations
2719
2750
  }
2720
2751
  };
2721
2752
  }
2722
- decryptPayload(envelope) {
2753
+ async decryptPayload(envelope) {
2723
2754
  const encryption = envelope.security ? envelope.security.encryption : null;
2724
2755
  if (!encryption || !encryption.enabled || !this.options.encryptionEnabled) {
2725
2756
  return envelope.payload;
@@ -2730,7 +2761,13 @@ var require_message_security_service = __commonJS({
2730
2761
  const password = this.resolveBroadcastPassword(scope);
2731
2762
  const salt = naclUtil.decodeBase64(encryption.salt);
2732
2763
  const nonce = naclUtil.decodeBase64(encryption.nonce);
2733
- const key = hash32(concatBytes(utf8ToBytes(password), salt));
2764
+ let key;
2765
+ if (encryption.kdf === "pbkdf2") {
2766
+ const iterations = encryption.kdfIterations || DEFAULT_SECURITY_OPTIONS.kdfIterations;
2767
+ key = await deriveBroadcastKey(password, salt, iterations);
2768
+ } else {
2769
+ key = legacyBroadcastKey(password, salt);
2770
+ }
2734
2771
  const decrypted = nacl.secretbox.open(encryptedBuffer, nonce, key);
2735
2772
  if (!decrypted) {
2736
2773
  throw new Error("Unable to decrypt broadcast payload");
@@ -2824,6 +2861,8 @@ var require_message_security_service = __commonJS({
2824
2861
  module.exports = {
2825
2862
  MessageSecurityService,
2826
2863
  stableStringify,
2864
+ deriveBroadcastKey,
2865
+ legacyBroadcastKey,
2827
2866
  DEFAULT_SECURITY_OPTIONS
2828
2867
  };
2829
2868
  }