All files / src/setup/factors hmacsha1.js

100% Statements 21/21
100% Branches 10/10
100% Functions 3/3
100% Lines 16/16

Press n or j to go to the next uncovered block, b, p or k for the previous block.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75                  1x 1x 1x                                                                   9x   9x 8x   7x 7x 6x   5x           5x 5x 5x 5x           5x       1x  
/**
 * @file MFKDF HMAC-SHA1 Factor Setup
 * @copyright Multifactor 2022 All Rights Reserved
 *
 * @description
 * Setup an HMAC-SHA1 challenge-response factor for multi-factor key derivation
 *
 * @author Vivek Nair (https://nair.me) <[email protected]>
 */
const defaults = require('../../defaults')
const crypto = require('crypto')
const xor = require('buffer-xor')
 
/**
 * Setup a YubiKey-compatible MFKDF HMAC-SHA1 challenge-response factor
 *
 * @example
 * // setup key with hmacsha1 factor
 * const setup = await mfkdf.setup.key([
 *   await mfkdf.setup.factors.hmacsha1()
 * ], {size: 8})
 *
 * // calculate response; could be done using hardware device
 * const secret = setup.outputs.hmacsha1.secret
 * const challenge = Buffer.from(setup.policy.factors[0].params.challenge, 'hex')
 * const response = crypto.createHmac('sha1', secret).update(challenge).digest()
 *
 * // derive key with hmacsha1 factor
 * const derive = await mfkdf.derive.key(setup.policy, {
 *   hmacsha1: mfkdf.derive.factors.hmacsha1(response)
 * })
 *
 * setup.key.toString('hex') // -> 01d0c7236adf2516
 * derive.key.toString('hex') // -> 01d0c7236adf2516
 *
 * @param {Object} [options] - Configuration options
 * @param {string} [options.id='hmacsha1'] - Unique identifier for this factor
 * @param {Buffer} [options.secret] - HMAC secret to use; randomly generated by default
 * @returns {MFKDFFactor} MFKDF factor information
 * @author Vivek Nair (https://nair.me) <[email protected]>
 * @since 0.21.0
 * @async
 * @memberof setup.factors
 */
async function hmacsha1 (options) {
  options = Object.assign(Object.assign({}, defaults.hmacsha1), options)
 
  if (typeof options.id !== 'string') throw new TypeError('id must be a string')
  if (options.id.length === 0) throw new RangeError('id cannot be empty')
 
  if (typeof options.secret === 'undefined') options.secret = crypto.randomBytes(20)
  if (!Buffer.isBuffer(options.secret)) throw new TypeError('secret must be a buffer')
  if (Buffer.byteLength(options.secret) !== 20) throw new RangeError('secret must be 20 bytes')
 
  return {
    type: 'hmacsha1',
    id: options.id,
    data: options.secret,
    entropy: 160,
    params: async ({ key }) => {
      const challenge = crypto.randomBytes(64)
      const response = crypto.createHmac('sha1', options.secret).update(challenge).digest()
      const pad = xor(response.subarray(0, 20), options.secret)
      return {
        challenge: challenge.toString('hex'),
        pad: pad.toString('hex')
      }
    },
    output: async () => {
      return { secret: options.secret }
    }
  }
}
module.exports.hmacsha1 = hmacsha1