support argon2 in secure-config and argon2 example

Author: sevenbitbyte

examples/secure-config-argon2.js

@@ -0,0 +1,138 @@
+
+const argon2 = require('argon2')
+
+const Dataparty = require('../src/index')
+
+const prompt = require('prompt')
+
+let secureConfig = null
+
+async function main(){
+    const memoryConfig = new Dataparty.Config.MemoryConfig({foo: 'bar'})
+
+
+    const jsonConfig = new Dataparty.Config.JsonFileConfig({
+        basePath: '/tmp'
+    })
+
+
+    secureConfig = new Dataparty.Config.SecureConfig({
+        config: jsonConfig,
+        timeoutMs: 15*1000,
+        argon: argon2
+    })
+
+    
+    secureConfig.on('locked', ()=>{ console.log('locked') })
+
+    secureConfig.on('unlocked', async ()=>{ 
+        console.log('unlocked')
+
+        await secureConfig.write('timestamp', Date.now())
+    })
+
+    secureConfig.on('timeout', ()=>{ console.log('timeout') })
+
+    secureConfig.on('ready', async ()=>{ 
+        console.log('ready')
+
+        console.log('config', await secureConfig.readAll())
+    })
+
+    let blocked = false
+
+    secureConfig.on('blocked', async (reason)=>{
+
+        if(await secureConfig.isInitialized() && secureConfig.isLocked()){
+
+            if(blocked){
+                console.log('blocked true')
+                await secureConfig.waitForUnlocked()
+                return
+            }
+
+            blocked = true
+            console.log('blocked -',reason)
+
+
+            const {password} = await prompt.get({
+                properties: {
+                    password: {
+                        message: 'Enter password',
+                        hidden: true
+                }
+            }})
+
+            await secureConfig.unlock(password)
+
+            blocked = false
+        }
+        
+    
+    })
+
+    secureConfig.on('setup-required', async ()=>{
+        
+        console.log('setup-required')
+
+        let password = ''
+
+        while(1){
+            let passes = await prompt.get({
+                properties: {
+                    password1: {
+                        message: 'Set password',
+                        hidden: true
+                    },
+                    password2: {
+                        message: 'Confim password',
+                        hidden: true
+                    }
+                }
+            })
+
+            if(passes.password1 == passes.password2){
+
+                password = passes.password1
+                break
+            }
+
+            console.log("passwords don't match")
+        }
+
+        await secureConfig.setPassword(password, {
+            foo: 'bar'
+        })
+
+        console.log('password set')
+
+
+        await secureConfig.unlock(password)
+
+    })
+
+    console.log('starting')
+
+    await secureConfig.start()
+
+    console.log('wait for startup')
+
+    await secureConfig.waitForUnlocked('startup')
+
+    console.log('wait over')
+
+    console.log('main config', await secureConfig.readAll())
+
+    let timer = setTimeout(async ()=>{
+
+        console.log('timer config', await secureConfig.readAll())
+
+    }, 1000*30)
+
+}
+
+main().catch((err)=>{
+    console.error('crashed', err)  
+}).then(()=>{
+    console.log('done')
+})

examples/secure-config.js examples/secure-config-pbkdf2.jsexamples/secure-config.js renamed to examples/secure-config-pbkdf2.js

@@ -1,7 +1,7 @@
 {
   "name": "@dataparty/api",
   "private": false,
-  "version": "1.2.23",
+  "version": "1.2.24",
   "main": "dist/dataparty.js",
   "frontend": "dist/dataparty-browser.js",
   "backend": "dist/dataparty.js",
@@ -59,7 +59,7 @@
   },
   "dependencies": {
     "@dataparty/bouncer-db": "1.0.1",
-    "@dataparty/crypto": "^1.1.1",
+    "@dataparty/crypto": "^1.1.2",
     "@dataparty/tasker": "^0.0.2",
     "@diva.exchange/i2p-sam": "^4.1.8",
     "@markwylde/liferaft": "^1.3.4",
@@ -116,6 +116,8 @@
     "@dataparty/bouncer-model": "1.4.3",
     "@hapi/code": "^9.0.1",
     "@hapi/lab": "^25.0.1",
+    "argon2": "^0.30.3",
+    "argon2-browser": "^1.18.0",
     "assert": "^2.0.0",
     "browserify-zlib": "^0.2.0",
     "clean-jsdoc-theme": "^4.2.6",

package.json

@@ -10,6 +10,11 @@ const IConfig = require('./iconfig')
 const PASSWORD_HASHING_ROUNDS = 1000000
 const DEFAULT_TIMEOUT_MS = 5*60*1000 //! 5min
 
+const ARGON_TIME_COST = 3
+const ARGON_MEMORY_COST = 65536 
+const ARGON_PARALLELLISM = 4
+const ARGON_TYPE = 'argon2id'
+
 class SecureConfig extends IConfig {
 
     /**
@@ -20,15 +25,19 @@ class SecureConfig extends IConfig {
      * @param {IConfig}     config          The underlying IConfig to use for storage
      * @param {number}      timeoutMs       Timeout since last unlock, after which the config will be locked. Defaults to 5 minutes.
      * @param {boolean}     includeActivity When set to `true` the timeout is reset after any read/write activity. Defaults to `true`
+     * @param {Argon2}      argon           Instance of argon2 from either `npm:argon2` or `npm:argon2-browser`
      */
     constructor({
         id = 'secure-config',
-        config, timeoutMs=DEFAULT_TIMEOUT_MS, includeActivity=true
+        config, timeoutMs=DEFAULT_TIMEOUT_MS, includeActivity=true,
+        argon
     }){
         super()
         this.id = id || 'secure-config'
         this.config = config
 
+        this.argon = argon
+
         this.content = null
         this.identity = null
         this.timer = null
@@ -84,6 +93,16 @@ class SecureConfig extends IConfig {
 
             return (salt != undefined && salt.length > 16 && rounds > 100000)
 
+        } else if(keyType == 'argon2'){
+
+            let salt = await this.config.read(this.id+'.settings.salt')
+            let timeCost = await this.config.read(this.id+'.settings.timeCost')
+            let memoryCost = await this.config.read(this.id+'.settings.memoryCost')
+            let parallelism = await this.config.read(this.id+'.settings.parallelism')
+            let argonType = await this.config.read(this.id+'.settings.argonType')
+
+            return (salt != undefined && salt.length > 16 && memoryCost > 1024)
+
         } else if(keyType == 'key'){
             return true
         } else if(!keyType) {
@@ -111,28 +130,59 @@ class SecureConfig extends IConfig {
      * @method module:Config.SecureConfig.setPassword
      * @param {string} password 
      * @param {object} defaults 
-     * @param {('pbkdf2')} type
      * @async
      */
-    async setPassword(password, defaults={}, type='pbkdf2'){
+    async setPassword(password, defaults={}){
         debug('setPassword')
         if(await this.isInitialized()){ throw new Error('already initialized') }
 
         let key = null
         let settings = null
 
-        if(type == 'pbkdf2'){
+        if(!this.argon){
+            //! pbkdf2
             const salt = await dataparty_crypto.Routines.generateSalt()
             const rounds = PASSWORD_HASHING_ROUNDS
 
             settings = {
-                type: type,
+                type: 'pbkdf2',
                 salt: salt.toString('hex'),
                 rounds
             }
 
-            key = await dataparty_crypto.Routines.createKeyFromPassword(password, salt, rounds)
+            key = await dataparty_crypto.Routines.createKeyFromPasswordPbkdf2(password, salt, rounds)
+
+        } else if(this.argon){
+            //! argon2
+
+            const salt = await dataparty_crypto.Routines.generateSalt()
+            let timeCost = ARGON_TIME_COST
+            let memoryCost = ARGON_MEMORY_COST
+            let parallelism = ARGON_PARALLELLISM
+            let argonType = ARGON_TYPE
+
+            settings = {
+                type: 'argon2',
+                salt: salt.toString('hex'),
+                timeCost,
+                memoryCost,
+                parallelism,
+                argonType
+            }
+
+            if(!this.argon){
+                this.argon = argon
+            }
 
+            key = await dataparty_crypto.Routines.createKeyFromPasswordArgon2(
+                this.argon,
+                password,
+                salt,
+                timeCost,
+                memoryCost,
+                parallelism,
+                argonType
+            )
         } else {
             throw new Error('unsupported KDF['+type+']')
         }
@@ -263,10 +313,37 @@ class SecureConfig extends IConfig {
             this.timer = null
         }
 
-        let salt = Buffer.from(await this.config.read(this.id+'.settings.salt'),'hex')
-        let rounds = await this.config.read(this.id+'.settings.rounds')
+        let key = null
+        let keyType = await this.config.read(this.id+'.settings.type')
+
+        if(keyType == 'pbkdf2'){
+
+            let salt = Buffer.from(await this.config.read(this.id+'.settings.salt'),'hex')
+            let rounds = await this.config.read(this.id+'.settings.rounds')
+
+            key = await dataparty_crypto.Routines.createKeyFromPasswordPbkdf2(password, salt, rounds)
+
+        } else if(keyType == 'argon2'){
+
+            let salt = Buffer.from(await this.config.read(this.id+'.settings.salt'), 'hex')
+            let timeCost = await this.config.read(this.id+'.settings.timeCost')
+            let memoryCost = await this.config.read(this.id+'.settings.memoryCost')
+            let parallelism = await this.config.read(this.id+'.settings.parallelism')
+            let argonType = await this.config.read(this.id+'.settings.argonType')
+
+
+            key = await dataparty_crypto.Routines.createKeyFromPasswordArgon2(
+                this.argon,
+                password,
+                salt,
+                timeCost,
+                memoryCost,
+                parallelism,
+                argonType
+            )
+
+        }
 
-        let key = await dataparty_crypto.Routines.createKeyFromPassword(password, salt, rounds)
 
         const pwIdentity = new dataparty_crypto.Identity({
             key,