Spaces:

W404NET
/

Telegram-Chat-Bot

Configuration error

App Files Files Community

Telegram-Chat-Bot / node_modules /node-forge /lib /pbe.js

Lee Thanh

Upload 3012 files

5641073 over 1 year ago

31 kB

	/**
	* Password-based encryption functions.
	*
	* @author Dave Longley
	* @author Stefan Siegl <stesie@brokenpipe.de>
	*
	* Copyright (c) 2010-2013 Digital Bazaar, Inc.
	* Copyright (c) 2012 Stefan Siegl <stesie@brokenpipe.de>
	*
	* An EncryptedPrivateKeyInfo:
	*
	* EncryptedPrivateKeyInfo ::= SEQUENCE {
	* encryptionAlgorithm EncryptionAlgorithmIdentifier,
	* encryptedData EncryptedData }
	*
	* EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
	*
	* EncryptedData ::= OCTET STRING
	*/
	var forge = require('./forge');
	require('./aes');
	require('./asn1');
	require('./des');
	require('./md');
	require('./oids');
	require('./pbkdf2');
	require('./pem');
	require('./random');
	require('./rc2');
	require('./rsa');
	require('./util');

	if(typeof BigInteger === 'undefined') {
	var BigInteger = forge.jsbn.BigInteger;
	}

	// shortcut for asn.1 API
	var asn1 = forge.asn1;

	/* Password-based encryption implementation. */
	var pki = forge.pki = forge.pki \|\| {};
	module.exports = pki.pbe = forge.pbe = forge.pbe \|\| {};
	var oids = pki.oids;

	// validator for an EncryptedPrivateKeyInfo structure
	// Note: Currently only works w/algorithm params
	var encryptedPrivateKeyValidator = {
	name: 'EncryptedPrivateKeyInfo',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.SEQUENCE,
	constructed: true,
	value: [{
	name: 'EncryptedPrivateKeyInfo.encryptionAlgorithm',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.SEQUENCE,
	constructed: true,
	value: [{
	name: 'AlgorithmIdentifier.algorithm',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.OID,
	constructed: false,
	capture: 'encryptionOid'
	}, {
	name: 'AlgorithmIdentifier.parameters',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.SEQUENCE,
	constructed: true,
	captureAsn1: 'encryptionParams'
	}]
	}, {
	// encryptedData
	name: 'EncryptedPrivateKeyInfo.encryptedData',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.OCTETSTRING,
	constructed: false,
	capture: 'encryptedData'
	}]
	};

	// validator for a PBES2Algorithms structure
	// Note: Currently only works w/PBKDF2 + AES encryption schemes
	var PBES2AlgorithmsValidator = {
	name: 'PBES2Algorithms',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.SEQUENCE,
	constructed: true,
	value: [{
	name: 'PBES2Algorithms.keyDerivationFunc',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.SEQUENCE,
	constructed: true,
	value: [{
	name: 'PBES2Algorithms.keyDerivationFunc.oid',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.OID,
	constructed: false,
	capture: 'kdfOid'
	}, {
	name: 'PBES2Algorithms.params',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.SEQUENCE,
	constructed: true,
	value: [{
	name: 'PBES2Algorithms.params.salt',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.OCTETSTRING,
	constructed: false,
	capture: 'kdfSalt'
	}, {
	name: 'PBES2Algorithms.params.iterationCount',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.INTEGER,
	constructed: false,
	capture: 'kdfIterationCount'
	}, {
	name: 'PBES2Algorithms.params.keyLength',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.INTEGER,
	constructed: false,
	optional: true,
	capture: 'keyLength'
	}, {
	// prf
	name: 'PBES2Algorithms.params.prf',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.SEQUENCE,
	constructed: true,
	optional: true,
	value: [{
	name: 'PBES2Algorithms.params.prf.algorithm',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.OID,
	constructed: false,
	capture: 'prfOid'
	}]
	}]
	}]
	}, {
	name: 'PBES2Algorithms.encryptionScheme',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.SEQUENCE,
	constructed: true,
	value: [{
	name: 'PBES2Algorithms.encryptionScheme.oid',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.OID,
	constructed: false,
	capture: 'encOid'
	}, {
	name: 'PBES2Algorithms.encryptionScheme.iv',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.OCTETSTRING,
	constructed: false,
	capture: 'encIv'
	}]
	}]
	};

	var pkcs12PbeParamsValidator = {
	name: 'pkcs-12PbeParams',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.SEQUENCE,
	constructed: true,
	value: [{
	name: 'pkcs-12PbeParams.salt',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.OCTETSTRING,
	constructed: false,
	capture: 'salt'
	}, {
	name: 'pkcs-12PbeParams.iterations',
	tagClass: asn1.Class.UNIVERSAL,
	type: asn1.Type.INTEGER,
	constructed: false,
	capture: 'iterations'
	}]
	};

	/**
	* Encrypts a ASN.1 PrivateKeyInfo object, producing an EncryptedPrivateKeyInfo.
	*
	* PBES2Algorithms ALGORITHM-IDENTIFIER ::=
	* { {PBES2-params IDENTIFIED BY id-PBES2}, ...}
	*
	* id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13}
	*
	* PBES2-params ::= SEQUENCE {
	* keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
	* encryptionScheme AlgorithmIdentifier {{PBES2-Encs}}
	* }
	*
	* PBES2-KDFs ALGORITHM-IDENTIFIER ::=
	* { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
	*
	* PBES2-Encs ALGORITHM-IDENTIFIER ::= { ... }
	*
	* PBKDF2-params ::= SEQUENCE {
	* salt CHOICE {
	* specified OCTET STRING,
	* otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
	* },
	* iterationCount INTEGER (1..MAX),
	* keyLength INTEGER (1..MAX) OPTIONAL,
	* prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1
	* }
	*
	* @param obj the ASN.1 PrivateKeyInfo object.
	* @param password the password to encrypt with.
	* @param options:
	* algorithm the encryption algorithm to use
	* ('aes128', 'aes192', 'aes256', '3des'), defaults to 'aes128'.
	* count the iteration count to use.
	* saltSize the salt size to use.
	* prfAlgorithm the PRF message digest algorithm to use
	* ('sha1', 'sha224', 'sha256', 'sha384', 'sha512')
	*
	* @return the ASN.1 EncryptedPrivateKeyInfo.
	*/
	pki.encryptPrivateKeyInfo = function(obj, password, options) {
	// set default options
	options = options \|\| {};
	options.saltSize = options.saltSize \|\| 8;
	options.count = options.count \|\| 2048;
	options.algorithm = options.algorithm \|\| 'aes128';
	options.prfAlgorithm = options.prfAlgorithm \|\| 'sha1';

	// generate PBE params
	var salt = forge.random.getBytesSync(options.saltSize);
	var count = options.count;
	var countBytes = asn1.integerToDer(count);
	var dkLen;
	var encryptionAlgorithm;
	var encryptedData;
	if(options.algorithm.indexOf('aes') === 0 \|\| options.algorithm === 'des') {
	// do PBES2
	var ivLen, encOid, cipherFn;
	switch(options.algorithm) {
	case 'aes128':
	dkLen = 16;
	ivLen = 16;
	encOid = oids['aes128-CBC'];
	cipherFn = forge.aes.createEncryptionCipher;
	break;
	case 'aes192':
	dkLen = 24;
	ivLen = 16;
	encOid = oids['aes192-CBC'];
	cipherFn = forge.aes.createEncryptionCipher;
	break;
	case 'aes256':
	dkLen = 32;
	ivLen = 16;
	encOid = oids['aes256-CBC'];
	cipherFn = forge.aes.createEncryptionCipher;
	break;
	case 'des':
	dkLen = 8;
	ivLen = 8;
	encOid = oids['desCBC'];
	cipherFn = forge.des.createEncryptionCipher;
	break;
	default:
	var error = new Error('Cannot encrypt private key. Unknown encryption algorithm.');
	error.algorithm = options.algorithm;
	throw error;
	}

	// get PRF message digest
	var prfAlgorithm = 'hmacWith' + options.prfAlgorithm.toUpperCase();
	var md = prfAlgorithmToMessageDigest(prfAlgorithm);

	// encrypt private key using pbe SHA-1 and AES/DES
	var dk = forge.pkcs5.pbkdf2(password, salt, count, dkLen, md);
	var iv = forge.random.getBytesSync(ivLen);
	var cipher = cipherFn(dk);
	cipher.start(iv);
	cipher.update(asn1.toDer(obj));
	cipher.finish();
	encryptedData = cipher.output.getBytes();

	// get PBKDF2-params
	var params = createPbkdf2Params(salt, countBytes, dkLen, prfAlgorithm);

	encryptionAlgorithm = asn1.create(
	asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false,
	asn1.oidToDer(oids['pkcs5PBES2']).getBytes()),
	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
	// keyDerivationFunc
	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false,
	asn1.oidToDer(oids['pkcs5PBKDF2']).getBytes()),
	// PBKDF2-params
	params
	]),
	// encryptionScheme
	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false,
	asn1.oidToDer(encOid).getBytes()),
	// iv
	asn1.create(
	asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, iv)
	])
	])
	]);
	} else if(options.algorithm === '3des') {
	// Do PKCS12 PBE
	dkLen = 24;

	var saltBytes = new forge.util.ByteBuffer(salt);
	var dk = pki.pbe.generatePkcs12Key(password, saltBytes, 1, count, dkLen);
	var iv = pki.pbe.generatePkcs12Key(password, saltBytes, 2, count, dkLen);
	var cipher = forge.des.createEncryptionCipher(dk);
	cipher.start(iv);
	cipher.update(asn1.toDer(obj));
	cipher.finish();
	encryptedData = cipher.output.getBytes();

	encryptionAlgorithm = asn1.create(
	asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false,
	asn1.oidToDer(oids['pbeWithSHAAnd3-KeyTripleDES-CBC']).getBytes()),
	// pkcs-12PbeParams
	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
	// salt
	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, salt),
	// iteration count
	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
	countBytes.getBytes())
	])
	]);
	} else {
	var error = new Error('Cannot encrypt private key. Unknown encryption algorithm.');
	error.algorithm = options.algorithm;
	throw error;
	}

	// EncryptedPrivateKeyInfo
	var rval = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
	// encryptionAlgorithm
	encryptionAlgorithm,
	// encryptedData
	asn1.create(
	asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, encryptedData)
	]);
	return rval;
	};

	/**
	* Decrypts a ASN.1 PrivateKeyInfo object.
	*
	* @param obj the ASN.1 EncryptedPrivateKeyInfo object.
	* @param password the password to decrypt with.
	*
	* @return the ASN.1 PrivateKeyInfo on success, null on failure.
	*/
	pki.decryptPrivateKeyInfo = function(obj, password) {
	var rval = null;

	// get PBE params
	var capture = {};
	var errors = [];
	if(!asn1.validate(obj, encryptedPrivateKeyValidator, capture, errors)) {
	var error = new Error('Cannot read encrypted private key. ' +
	'ASN.1 object is not a supported EncryptedPrivateKeyInfo.');
	error.errors = errors;
	throw error;
	}

	// get cipher
	var oid = asn1.derToOid(capture.encryptionOid);
	var cipher = pki.pbe.getCipher(oid, capture.encryptionParams, password);

	// get encrypted data
	var encrypted = forge.util.createBuffer(capture.encryptedData);

	cipher.update(encrypted);
	if(cipher.finish()) {
	rval = asn1.fromDer(cipher.output);
	}

	return rval;
	};

	/**
	* Converts a EncryptedPrivateKeyInfo to PEM format.
	*
	* @param epki the EncryptedPrivateKeyInfo.
	* @param maxline the maximum characters per line, defaults to 64.
	*
	* @return the PEM-formatted encrypted private key.
	*/
	pki.encryptedPrivateKeyToPem = function(epki, maxline) {
	// convert to DER, then PEM-encode
	var msg = {
	type: 'ENCRYPTED PRIVATE KEY',
	body: asn1.toDer(epki).getBytes()
	};
	return forge.pem.encode(msg, {maxline: maxline});
	};

	/**
	* Converts a PEM-encoded EncryptedPrivateKeyInfo to ASN.1 format. Decryption
	* is not performed.
	*
	* @param pem the EncryptedPrivateKeyInfo in PEM-format.
	*
	* @return the ASN.1 EncryptedPrivateKeyInfo.
	*/
	pki.encryptedPrivateKeyFromPem = function(pem) {
	var msg = forge.pem.decode(pem)[0];

	if(msg.type !== 'ENCRYPTED PRIVATE KEY') {
	var error = new Error('Could not convert encrypted private key from PEM; ' +
	'PEM header type is "ENCRYPTED PRIVATE KEY".');
	error.headerType = msg.type;
	throw error;
	}
	if(msg.procType && msg.procType.type === 'ENCRYPTED') {
	throw new Error('Could not convert encrypted private key from PEM; ' +
	'PEM is encrypted.');
	}

	// convert DER to ASN.1 object
	return asn1.fromDer(msg.body);
	};

	/**
	* Encrypts an RSA private key. By default, the key will be wrapped in
	* a PrivateKeyInfo and encrypted to produce a PKCS#8 EncryptedPrivateKeyInfo.
	* This is the standard, preferred way to encrypt a private key.
	*
	* To produce a non-standard PEM-encrypted private key that uses encapsulated
	* headers to indicate the encryption algorithm (old-style non-PKCS#8 OpenSSL
	* private key encryption), set the 'legacy' option to true. Note: Using this
	* option will cause the iteration count to be forced to 1.
	*
	* Note: The 'des' algorithm is supported, but it is not considered to be
	* secure because it only uses a single 56-bit key. If possible, it is highly
	* recommended that a different algorithm be used.
	*
	* @param rsaKey the RSA key to encrypt.
	* @param password the password to use.
	* @param options:
	* algorithm: the encryption algorithm to use
	* ('aes128', 'aes192', 'aes256', '3des', 'des').
	* count: the iteration count to use.
	* saltSize: the salt size to use.
	* legacy: output an old non-PKCS#8 PEM-encrypted+encapsulated
	* headers (DEK-Info) private key.
	*
	* @return the PEM-encoded ASN.1 EncryptedPrivateKeyInfo.
	*/
	pki.encryptRsaPrivateKey = function(rsaKey, password, options) {
	// standard PKCS#8
	options = options \|\| {};
	if(!options.legacy) {
	// encrypt PrivateKeyInfo
	var rval = pki.wrapRsaPrivateKey(pki.privateKeyToAsn1(rsaKey));
	rval = pki.encryptPrivateKeyInfo(rval, password, options);
	return pki.encryptedPrivateKeyToPem(rval);
	}

	// legacy non-PKCS#8
	var algorithm;
	var iv;
	var dkLen;
	var cipherFn;
	switch(options.algorithm) {
	case 'aes128':
	algorithm = 'AES-128-CBC';
	dkLen = 16;
	iv = forge.random.getBytesSync(16);
	cipherFn = forge.aes.createEncryptionCipher;
	break;
	case 'aes192':
	algorithm = 'AES-192-CBC';
	dkLen = 24;
	iv = forge.random.getBytesSync(16);
	cipherFn = forge.aes.createEncryptionCipher;
	break;
	case 'aes256':
	algorithm = 'AES-256-CBC';
	dkLen = 32;
	iv = forge.random.getBytesSync(16);
	cipherFn = forge.aes.createEncryptionCipher;
	break;
	case '3des':
	algorithm = 'DES-EDE3-CBC';
	dkLen = 24;
	iv = forge.random.getBytesSync(8);
	cipherFn = forge.des.createEncryptionCipher;
	break;
	case 'des':
	algorithm = 'DES-CBC';
	dkLen = 8;
	iv = forge.random.getBytesSync(8);
	cipherFn = forge.des.createEncryptionCipher;
	break;
	default:
	var error = new Error('Could not encrypt RSA private key; unsupported ' +
	'encryption algorithm "' + options.algorithm + '".');
	error.algorithm = options.algorithm;
	throw error;
	}

	// encrypt private key using OpenSSL legacy key derivation
	var dk = forge.pbe.opensslDeriveBytes(password, iv.substr(0, 8), dkLen);
	var cipher = cipherFn(dk);
	cipher.start(iv);
	cipher.update(asn1.toDer(pki.privateKeyToAsn1(rsaKey)));
	cipher.finish();

	var msg = {
	type: 'RSA PRIVATE KEY',
	procType: {
	version: '4',
	type: 'ENCRYPTED'
	},
	dekInfo: {
	algorithm: algorithm,
	parameters: forge.util.bytesToHex(iv).toUpperCase()
	},
	body: cipher.output.getBytes()
	};
	return forge.pem.encode(msg);
	};

	/**
	* Decrypts an RSA private key.
	*
	* @param pem the PEM-formatted EncryptedPrivateKeyInfo to decrypt.
	* @param password the password to use.
	*
	* @return the RSA key on success, null on failure.
	*/
	pki.decryptRsaPrivateKey = function(pem, password) {
	var rval = null;

	var msg = forge.pem.decode(pem)[0];

	if(msg.type !== 'ENCRYPTED PRIVATE KEY' &&
	msg.type !== 'PRIVATE KEY' &&
	msg.type !== 'RSA PRIVATE KEY') {
	var error = new Error('Could not convert private key from PEM; PEM header type ' +
	'is not "ENCRYPTED PRIVATE KEY", "PRIVATE KEY", or "RSA PRIVATE KEY".');
	error.headerType = error;
	throw error;
	}

	if(msg.procType && msg.procType.type === 'ENCRYPTED') {
	var dkLen;
	var cipherFn;
	switch(msg.dekInfo.algorithm) {
	case 'DES-CBC':
	dkLen = 8;
	cipherFn = forge.des.createDecryptionCipher;
	break;
	case 'DES-EDE3-CBC':
	dkLen = 24;
	cipherFn = forge.des.createDecryptionCipher;
	break;
	case 'AES-128-CBC':
	dkLen = 16;
	cipherFn = forge.aes.createDecryptionCipher;
	break;
	case 'AES-192-CBC':
	dkLen = 24;
	cipherFn = forge.aes.createDecryptionCipher;
	break;
	case 'AES-256-CBC':
	dkLen = 32;
	cipherFn = forge.aes.createDecryptionCipher;
	break;
	case 'RC2-40-CBC':
	dkLen = 5;
	cipherFn = function(key) {
	return forge.rc2.createDecryptionCipher(key, 40);
	};
	break;
	case 'RC2-64-CBC':
	dkLen = 8;
	cipherFn = function(key) {
	return forge.rc2.createDecryptionCipher(key, 64);
	};
	break;
	case 'RC2-128-CBC':
	dkLen = 16;
	cipherFn = function(key) {
	return forge.rc2.createDecryptionCipher(key, 128);
	};
	break;
	default:
	var error = new Error('Could not decrypt private key; unsupported ' +
	'encryption algorithm "' + msg.dekInfo.algorithm + '".');
	error.algorithm = msg.dekInfo.algorithm;
	throw error;
	}

	// use OpenSSL legacy key derivation
	var iv = forge.util.hexToBytes(msg.dekInfo.parameters);
	var dk = forge.pbe.opensslDeriveBytes(password, iv.substr(0, 8), dkLen);
	var cipher = cipherFn(dk);
	cipher.start(iv);
	cipher.update(forge.util.createBuffer(msg.body));
	if(cipher.finish()) {
	rval = cipher.output.getBytes();
	} else {
	return rval;
	}
	} else {
	rval = msg.body;
	}

	if(msg.type === 'ENCRYPTED PRIVATE KEY') {
	rval = pki.decryptPrivateKeyInfo(asn1.fromDer(rval), password);
	} else {
	// decryption already performed above
	rval = asn1.fromDer(rval);
	}

	if(rval !== null) {
	rval = pki.privateKeyFromAsn1(rval);
	}

	return rval;
	};

	/**
	* Derives a PKCS#12 key.
	*
	* @param password the password to derive the key material from, null or
	* undefined for none.
	* @param salt the salt, as a ByteBuffer, to use.
	* @param id the PKCS#12 ID byte (1 = key material, 2 = IV, 3 = MAC).
	* @param iter the iteration count.
	* @param n the number of bytes to derive from the password.
	* @param md the message digest to use, defaults to SHA-1.
	*
	* @return a ByteBuffer with the bytes derived from the password.
	*/
	pki.pbe.generatePkcs12Key = function(password, salt, id, iter, n, md) {
	var j, l;

	if(typeof md === 'undefined' \|\| md === null) {
	if(!('sha1' in forge.md)) {
	throw new Error('"sha1" hash algorithm unavailable.');
	}
	md = forge.md.sha1.create();
	}

	var u = md.digestLength;
	var v = md.blockLength;
	var result = new forge.util.ByteBuffer();

	/* Convert password to Unicode byte buffer + trailing 0-byte. */
	var passBuf = new forge.util.ByteBuffer();
	if(password !== null && password !== undefined) {
	for(l = 0; l < password.length; l++) {
	passBuf.putInt16(password.charCodeAt(l));
	}
	passBuf.putInt16(0);
	}

	/* Length of salt and password in BYTES. */
	var p = passBuf.length();
	var s = salt.length();

	/* 1. Construct a string, D (the "diversifier"), by concatenating
	v copies of ID. */
	var D = new forge.util.ByteBuffer();
	D.fillWithByte(id, v);

	/* 2. Concatenate copies of the salt together to create a string S of length
	v * ceil(s / v) bytes (the final copy of the salt may be trunacted
	to create S).
	Note that if the salt is the empty string, then so is S. */
	var Slen = v * Math.ceil(s / v);
	var S = new forge.util.ByteBuffer();
	for(l = 0; l < Slen; l++) {
	S.putByte(salt.at(l % s));
	}

	/* 3. Concatenate copies of the password together to create a string P of
	length v * ceil(p / v) bytes (the final copy of the password may be
	truncated to create P).
	Note that if the password is the empty string, then so is P. */
	var Plen = v * Math.ceil(p / v);
	var P = new forge.util.ByteBuffer();
	for(l = 0; l < Plen; l++) {
	P.putByte(passBuf.at(l % p));
	}

	/* 4. Set I=S\|\|P to be the concatenation of S and P. */
	var I = S;
	I.putBuffer(P);

	/* 5. Set c=ceil(n / u). */
	var c = Math.ceil(n / u);

	/* 6. For i=1, 2, ..., c, do the following: */
	for(var i = 1; i <= c; i++) {
	/* a) Set Ai=H^r(D\|\|I). (l.e. the rth hash of D\|\|I, H(H(H(...H(D\|\|I)))) */
	var buf = new forge.util.ByteBuffer();
	buf.putBytes(D.bytes());
	buf.putBytes(I.bytes());
	for(var round = 0; round < iter; round++) {
	md.start();
	md.update(buf.getBytes());
	buf = md.digest();
	}

	/* b) Concatenate copies of Ai to create a string B of length v bytes (the
	final copy of Ai may be truncated to create B). */
	var B = new forge.util.ByteBuffer();
	for(l = 0; l < v; l++) {
	B.putByte(buf.at(l % u));
	}

	/* c) Treating I as a concatenation I0, I1, ..., Ik-1 of v-byte blocks,
	where k=ceil(s / v) + ceil(p / v), modify I by setting
	Ij=(Ij+B+1) mod 2v for each j. */
	var k = Math.ceil(s / v) + Math.ceil(p / v);
	var Inew = new forge.util.ByteBuffer();
	for(j = 0; j < k; j++) {
	var chunk = new forge.util.ByteBuffer(I.getBytes(v));
	var x = 0x1ff;
	for(l = B.length() - 1; l >= 0; l--) {
	x = x >> 8;
	x += B.at(l) + chunk.at(l);
	chunk.setAt(l, x & 0xff);
	}
	Inew.putBuffer(chunk);
	}
	I = Inew;

	/* Add Ai to A. */
	result.putBuffer(buf);
	}

	result.truncate(result.length() - n);
	return result;
	};

	/**
	* Get new Forge cipher object instance.
	*
	* @param oid the OID (in string notation).
	* @param params the ASN.1 params object.
	* @param password the password to decrypt with.
	*
	* @return new cipher object instance.
	*/
	pki.pbe.getCipher = function(oid, params, password) {
	switch(oid) {
	case pki.oids['pkcs5PBES2']:
	return pki.pbe.getCipherForPBES2(oid, params, password);

	case pki.oids['pbeWithSHAAnd3-KeyTripleDES-CBC']:
	case pki.oids['pbewithSHAAnd40BitRC2-CBC']:
	return pki.pbe.getCipherForPKCS12PBE(oid, params, password);

	default:
	var error = new Error('Cannot read encrypted PBE data block. Unsupported OID.');
	error.oid = oid;
	error.supportedOids = [
	'pkcs5PBES2',
	'pbeWithSHAAnd3-KeyTripleDES-CBC',
	'pbewithSHAAnd40BitRC2-CBC'
	];
	throw error;
	}
	};

	/**
	* Get new Forge cipher object instance according to PBES2 params block.
	*
	* The returned cipher instance is already started using the IV
	* from PBES2 parameter block.
	*
	* @param oid the PKCS#5 PBKDF2 OID (in string notation).
	* @param params the ASN.1 PBES2-params object.
	* @param password the password to decrypt with.
	*
	* @return new cipher object instance.
	*/
	pki.pbe.getCipherForPBES2 = function(oid, params, password) {
	// get PBE params
	var capture = {};
	var errors = [];
	if(!asn1.validate(params, PBES2AlgorithmsValidator, capture, errors)) {
	var error = new Error('Cannot read password-based-encryption algorithm ' +
	'parameters. ASN.1 object is not a supported EncryptedPrivateKeyInfo.');
	error.errors = errors;
	throw error;
	}

	// check oids
	oid = asn1.derToOid(capture.kdfOid);
	if(oid !== pki.oids['pkcs5PBKDF2']) {
	var error = new Error('Cannot read encrypted private key. ' +
	'Unsupported key derivation function OID.');
	error.oid = oid;
	error.supportedOids = ['pkcs5PBKDF2'];
	throw error;
	}
	oid = asn1.derToOid(capture.encOid);
	if(oid !== pki.oids['aes128-CBC'] &&
	oid !== pki.oids['aes192-CBC'] &&
	oid !== pki.oids['aes256-CBC'] &&
	oid !== pki.oids['des-EDE3-CBC'] &&
	oid !== pki.oids['desCBC']) {
	var error = new Error('Cannot read encrypted private key. ' +
	'Unsupported encryption scheme OID.');
	error.oid = oid;
	error.supportedOids = [
	'aes128-CBC', 'aes192-CBC', 'aes256-CBC', 'des-EDE3-CBC', 'desCBC'];
	throw error;
	}

	// set PBE params
	var salt = capture.kdfSalt;
	var count = forge.util.createBuffer(capture.kdfIterationCount);
	count = count.getInt(count.length() << 3);
	var dkLen;
	var cipherFn;
	switch(pki.oids[oid]) {
	case 'aes128-CBC':
	dkLen = 16;
	cipherFn = forge.aes.createDecryptionCipher;
	break;
	case 'aes192-CBC':
	dkLen = 24;
	cipherFn = forge.aes.createDecryptionCipher;
	break;
	case 'aes256-CBC':
	dkLen = 32;
	cipherFn = forge.aes.createDecryptionCipher;
	break;
	case 'des-EDE3-CBC':
	dkLen = 24;
	cipherFn = forge.des.createDecryptionCipher;
	break;
	case 'desCBC':
	dkLen = 8;
	cipherFn = forge.des.createDecryptionCipher;
	break;
	}

	// get PRF message digest
	var md = prfOidToMessageDigest(capture.prfOid);

	// decrypt private key using pbe with chosen PRF and AES/DES
	var dk = forge.pkcs5.pbkdf2(password, salt, count, dkLen, md);
	var iv = capture.encIv;
	var cipher = cipherFn(dk);
	cipher.start(iv);

	return cipher;
	};

	/**
	* Get new Forge cipher object instance for PKCS#12 PBE.
	*
	* The returned cipher instance is already started using the key & IV
	* derived from the provided password and PKCS#12 PBE salt.
	*
	* @param oid The PKCS#12 PBE OID (in string notation).
	* @param params The ASN.1 PKCS#12 PBE-params object.
	* @param password The password to decrypt with.
	*
	* @return the new cipher object instance.
	*/
	pki.pbe.getCipherForPKCS12PBE = function(oid, params, password) {
	// get PBE params
	var capture = {};
	var errors = [];
	if(!asn1.validate(params, pkcs12PbeParamsValidator, capture, errors)) {
	var error = new Error('Cannot read password-based-encryption algorithm ' +
	'parameters. ASN.1 object is not a supported EncryptedPrivateKeyInfo.');
	error.errors = errors;
	throw error;
	}

	var salt = forge.util.createBuffer(capture.salt);
	var count = forge.util.createBuffer(capture.iterations);
	count = count.getInt(count.length() << 3);

	var dkLen, dIvLen, cipherFn;
	switch(oid) {
	case pki.oids['pbeWithSHAAnd3-KeyTripleDES-CBC']:
	dkLen = 24;
	dIvLen = 8;
	cipherFn = forge.des.startDecrypting;
	break;

	case pki.oids['pbewithSHAAnd40BitRC2-CBC']:
	dkLen = 5;
	dIvLen = 8;
	cipherFn = function(key, iv) {
	var cipher = forge.rc2.createDecryptionCipher(key, 40);
	cipher.start(iv, null);
	return cipher;
	};
	break;

	default:
	var error = new Error('Cannot read PKCS #12 PBE data block. Unsupported OID.');
	error.oid = oid;
	throw error;
	}

	// get PRF message digest
	var md = prfOidToMessageDigest(capture.prfOid);
	var key = pki.pbe.generatePkcs12Key(password, salt, 1, count, dkLen, md);
	md.start();
	var iv = pki.pbe.generatePkcs12Key(password, salt, 2, count, dIvLen, md);

	return cipherFn(key, iv);
	};

	/**
	* OpenSSL's legacy key derivation function.
	*
	* See: http://www.openssl.org/docs/crypto/EVP_BytesToKey.html
	*
	* @param password the password to derive the key from.
	* @param salt the salt to use, null for none.
	* @param dkLen the number of bytes needed for the derived key.
	* @param [options] the options to use:
	* [md] an optional message digest object to use.
	*/
	pki.pbe.opensslDeriveBytes = function(password, salt, dkLen, md) {
	if(typeof md === 'undefined' \|\| md === null) {
	if(!('md5' in forge.md)) {
	throw new Error('"md5" hash algorithm unavailable.');
	}
	md = forge.md.md5.create();
	}
	if(salt === null) {
	salt = '';
	}
	var digests = [hash(md, password + salt)];
	for(var length = 16, i = 1; length < dkLen; ++i, length += 16) {
	digests.push(hash(md, digests[i - 1] + password + salt));
	}
	return digests.join('').substr(0, dkLen);
	};

	function hash(md, bytes) {
	return md.start().update(bytes).digest().getBytes();
	}

	function prfOidToMessageDigest(prfOid) {
	// get PRF algorithm, default to SHA-1
	var prfAlgorithm;
	if(!prfOid) {
	prfAlgorithm = 'hmacWithSHA1';
	} else {
	prfAlgorithm = pki.oids[asn1.derToOid(prfOid)];
	if(!prfAlgorithm) {
	var error = new Error('Unsupported PRF OID.');
	error.oid = prfOid;
	error.supported = [
	'hmacWithSHA1', 'hmacWithSHA224', 'hmacWithSHA256', 'hmacWithSHA384',
	'hmacWithSHA512'];
	throw error;
	}
	}
	return prfAlgorithmToMessageDigest(prfAlgorithm);
	}

	function prfAlgorithmToMessageDigest(prfAlgorithm) {
	var factory = forge.md;
	switch(prfAlgorithm) {
	case 'hmacWithSHA224':
	factory = forge.md.sha512;
	case 'hmacWithSHA1':
	case 'hmacWithSHA256':
	case 'hmacWithSHA384':
	case 'hmacWithSHA512':
	prfAlgorithm = prfAlgorithm.substr(8).toLowerCase();
	break;
	default:
	var error = new Error('Unsupported PRF algorithm.');
	error.algorithm = prfAlgorithm;
	error.supported = [
	'hmacWithSHA1', 'hmacWithSHA224', 'hmacWithSHA256', 'hmacWithSHA384',
	'hmacWithSHA512'];
	throw error;
	}
	if(!factory \|\| !(prfAlgorithm in factory)) {
	throw new Error('Unknown hash algorithm: ' + prfAlgorithm);
	}
	return factory[prfAlgorithm].create();
	}

	function createPbkdf2Params(salt, countBytes, dkLen, prfAlgorithm) {
	var params = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
	// salt
	asn1.create(
	asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, salt),
	// iteration count
	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
	countBytes.getBytes())
	]);
	// when PRF algorithm is not SHA-1 default, add key length and PRF algorithm
	if(prfAlgorithm !== 'hmacWithSHA1') {
	params.value.push(
	// key length
	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
	forge.util.hexToBytes(dkLen.toString(16))),
	// AlgorithmIdentifier
	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
	// algorithm
	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false,
	asn1.oidToDer(pki.oids[prfAlgorithm]).getBytes()),
	// parameters (null)
	asn1.create(asn1.Class.UNIVERSAL, asn1.Type.NULL, false, '')
	]));
	}
	return params;
	}