* Added support for SCRAM-SHA-256-PLUS i.e. channel binding * Requested tweaks to channel binding * Additional tweaks to channel binding * Fixed lint complaints * Update packages/pg/lib/crypto/sasl.js Co-authored-by: Charmander <~@charmander.me> * Update packages/pg/lib/crypto/sasl.js Co-authored-by: Charmander <~@charmander.me> * Update packages/pg/lib/client.js Co-authored-by: Charmander <~@charmander.me> * Tweaks to channel binding * Now using homegrown certificate signature algorithm identification * Update ssl.mdx with channel binding changes * Allow for config object being undefined when assigning enableChannelBinding * Fixed a test failing on an updated error message * Removed - from hash names like SHA-256 for legacy crypto (Node 14 and below) * Removed packageManager key from package.json * Added some SASL/channel binding unit tests * Added a unit test for continueSession to check expected SASL session data * Modify tests: don't require channel binding (which cannot then work) if not using SSL --------- Co-authored-by: Charmander <~@charmander.me>
const nodeCrypto = require('crypto')
// Public surface of this module. Every entry is a function declaration further
// down the file; declarations are hoisted, so they can be referenced here.
// `md5` and `postgresMd5PasswordHash` are exported for the md5 password
// handshake; the remaining helpers are generic digest / HMAC / PBKDF2 / RNG wrappers.
module.exports = {
  postgresMd5PasswordHash,
  randomBytes,
  deriveKey,
  sha256,
  hashByName,
  hmacSha256,
  md5,
}
/**
 * Web Crypto implementation used by this module: `crypto.webcrypto` from the
 * Node.js `crypto` module when that property is set, otherwise the global
 * `crypto` object.
 * If neither is available this is `undefined` and the `.subtle` access below
 * throws while the module is being loaded.
 * @type {Crypto}
 */
const webCrypto = nodeCrypto.webcrypto || globalThis.crypto

/**
 * SubtleCrypto interface (digest, importKey, sign, deriveBits) taken from
 * `webCrypto`.
 * @type {SubtleCrypto}
 */
const subtleCrypto = webCrypto.subtle

// Shared encoder that turns JavaScript strings into UTF-8 bytes for the
// SubtleCrypto calls in this file.
const textEncoder = new TextEncoder()
/**
 * Return `length` bytes from the Web Crypto random number generator.
 *
 * A zero-filled Buffer is allocated first and `getRandomValues` then fills it
 * in place and returns that same Buffer.
 * Web Crypto limits a single `getRandomValues` call to 65536 bytes; larger
 * requests throw instead of returning partially filled data.
 *
 * @param {number} length - number of random bytes wanted
 * @returns {Buffer} Buffer of `length` random bytes
 */
function randomBytes(length) {
  const bytes = Buffer.alloc(length)
  return webCrypto.getRandomValues(bytes)
}
/**
 * Hex-encoded MD5 digest of `string`.
 *
 * MD5 is kept here only to serve the PostgreSQL md5 password handshake in
 * this file; it is not suitable as a general-purpose hash.
 *
 * @param {string|Buffer} string - text (hashed as UTF-8) or raw bytes
 * @returns {Promise<string>} 32 lower-case hex characters
 */
async function md5(string) {
  try {
    const hasher = nodeCrypto.createHash('md5')
    hasher.update(string, 'utf-8')
    return hasher.digest('hex')
  } catch (e) {
    // The Node.js hashing path threw, so we are probably not running in Node.js;
    // fall back to the WebCrypto API.
    // Node.js' own WebCrypto does not offer MD5, which is why WebCrypto cannot
    // simply be used in every environment.
    // NOTE(review): every error from the try block lands here (not only a missing
    // `createHash`), so a failure of the first path is replaced by whatever the
    // WebCrypto call below reports.
    const data = typeof string === 'string' ? textEncoder.encode(string) : string
    const digest = await subtleCrypto.digest('MD5', data)
    let hex = ''
    for (const byte of new Uint8Array(digest)) {
      hex += byte.toString(16).padStart(2, '0')
    }
    return hex
  }
}
// See AuthenticationMD5Password at https://www.postgresql.org/docs/current/static/protocol-flow.html
/**
 * Build the password response for PostgreSQL md5 authentication:
 * `'md5' + md5( hex(md5(password + user)) + salt )`.
 *
 * The inner digest depends only on password and user name, so it stays the
 * same across connections; only the outer digest changes with the salt.
 * Treat the inner value as password-equivalent and keep it out of logs.
 * Where the server offers SCRAM-SHA-256, that mechanism is the stronger choice.
 *
 * @param {string} user - role name
 * @param {string} password - clear-text password
 * @param {Buffer} salt - salt bytes taken from the server's authentication request
 * @returns {Promise<string>} the literal prefix `md5` followed by 32 hex characters
 */
async function postgresMd5PasswordHash(user, password, salt) {
  const credentialDigest = await md5(password + user)
  // The hex text of the first digest (not its raw bytes) is what gets salted.
  const saltedInput = Buffer.concat([Buffer.from(credentialDigest), salt])
  const responseDigest = await md5(saltedInput)
  return `md5${responseDigest}`
}
/**
 * Create a SHA-256 digest of the given data.
 *
 * The argument goes to `SubtleCrypto.digest` unchanged, so it has to be
 * binary data already; no string encoding happens here.
 *
 * @param {Buffer} text - bytes to hash
 * @returns {Promise<ArrayBuffer>} the 32-byte digest
 */
async function sha256(text) {
  const digest = await subtleCrypto.digest('SHA-256', text)
  return digest
}
/**
 * Digest `text` with the algorithm named by `hashName`.
 *
 * `hashName` is handed to `SubtleCrypto.digest` as is, so it must be a
 * WebCrypto digest identifier such as 'SHA-256'; a name the implementation
 * does not support makes the returned promise reject.
 * NOTE(review): presumably the channel-binding code derives the name from the
 * server certificate's signature algorithm. Confirm that the caller maps MD5-
 * and SHA-1-signed certificates to SHA-256, as RFC 5929 requires for
 * tls-server-end-point.
 *
 * @param {string} hashName - WebCrypto digest algorithm name
 * @param {Buffer} text - bytes to hash
 * @returns {Promise<ArrayBuffer>} the raw digest
 */
async function hashByName(hashName, text) {
  const digest = await subtleCrypto.digest(hashName, text)
  return digest
}
/**
 * Sign the message with the given key using HMAC-SHA-256.
 *
 * The key is imported as non-extractable and usable for `sign` only. The
 * message string is encoded as UTF-8 before signing.
 * The result is the raw MAC; when a caller compares it with a value received
 * from a peer, that comparison should be constant-time.
 *
 * @param {ArrayBuffer} keyBuffer - raw HMAC key bytes
 * @param {string} msg - message to authenticate
 * @returns {Promise<ArrayBuffer>} the 32-byte MAC
 */
async function hmacSha256(keyBuffer, msg) {
  const algorithm = { name: 'HMAC', hash: 'SHA-256' }
  const signingKey = await subtleCrypto.importKey('raw', keyBuffer, algorithm, false, ['sign'])
  const payload = textEncoder.encode(msg)
  const mac = await subtleCrypto.sign('HMAC', signingKey, payload)
  return mac
}
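/**
 * Derive a 32-byte key from the password and salt with PBKDF2-HMAC-SHA-256.
 *
 * The password is encoded as UTF-8 and imported as a non-extractable PBKDF2
 * base key that may only be used for `deriveBits`.
 * `salt` and `iterations` go to WebCrypto unchanged; nothing here bounds them.
 * NOTE(review): if these values come from the remote server (as in a SASL/SCRAM
 * exchange), the caller should check that `iterations` is a positive integer
 * within a sane range. A very large count costs client CPU and a very small
 * one weakens the derived key.
 *
 * @param {string} password
 * @param {Uint8Array} salt
 * @param {number} iterations
 * @returns {Promise<ArrayBuffer>} 256 bits of derived key material
 */
async function deriveKey(password, salt, iterations) {
  const baseKey = await subtleCrypto.importKey('raw', textEncoder.encode(password), 'PBKDF2', false, ['deriveBits'])
  const params = { name: 'PBKDF2', hash: 'SHA-256', salt, iterations }
  // deriveBits(algorithm, baseKey, length) takes three arguments and the length
  // is in bits. The former fourth argument (a key-usages array) was ignored by
  // the API and has been dropped.
  return subtleCrypto.deriveBits(params, baseKey, 32 * 8)
}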