denoland
diff --git a/‎Cargo.lock‎
Lines changed: 1 addition & 0 deletions b/‎Cargo.lock‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 1 addition & 0 deletions b/‎Cargo.toml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎ext/node_crypto/Cargo.toml‎
Lines changed: 1 addition & 0 deletions b/‎ext/node_crypto/Cargo.toml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎ext/node_crypto/keys.rs‎
Lines changed: 336 additions & 1 deletion b/‎ext/node_crypto/keys.rs‎
Lines changed: 336 additions & 1 deletion
@@ -397,6 +397,7 @@ ed25519-dalek = "2.1.1"
 ed448-goldilocks = "0.14.0-pre.10"
 elliptic-curve = { version = "0.13.4", features = ["alloc", "arithmetic", "ecdh", "std", "pem", "jwk"] }
 hkdf = "0.12.3"
+hmac = "0.12.1"
 k256 = { version = "0.13.1", features = ["ecdh", "jwk", "pem"] }
 md-5 = "0.10.5"
 md4 = "0.10.2"
 
@@ -37,6 +37,7 @@ ed448-goldilocks = { workspace = true }
 elliptic-curve.workspace = true
 faster-hex.workspace = true
 hkdf.workspace = true
+hmac.workspace = true
 k256.workspace = true
 md-5 = { workspace = true, features = ["oid"] }
 md4.workspace = true
 
@@ -11,10 +11,15 @@ use deno_core::convert::Uint8Array;
 use deno_core::op2;
 use deno_core::unsync::spawn_blocking;
 use deno_error::JsErrorBox;
+use digest::Digest;
+use digest::FixedOutputReset;
 use ed25519_dalek::pkcs8::BitStringRef;
 use elliptic_curve::JwkEcKey;
+use hmac::Hmac;
+use hmac::Mac;
 use num_bigint::BigInt;
 use num_traits::FromPrimitive as _;
+use p12::AlgorithmIdentifier as Pkcs12AlgorithmIdentifier;
 use p12::PFX as Pkcs12;
 use pkcs8::DecodePrivateKey as _;
 use pkcs8::Document;
@@ -4160,6 +4165,16 @@ pub enum PfxValidationError {
   MacVerifyFailure,
 }
 
+// Cap on the iteration count for the PKCS#12 MAC PBKDF, since an attacker
+// who controls the PFX bytes also controls this field (`mac_data.iterations`
+// is a u32, up to ~4 billion, which would tie up CPU for tens of seconds).
+// Matches the limit Mozilla NSS uses for the same KDF; well above any
+// realistic legitimate value — OpenSSL defaults to 2048 on creation, and
+// hardened producers rarely go beyond ~100k. OpenSSL itself doesn't cap
+// here, but Node trusts the caller's PFX; in Deno the PFX often comes
+// from untrusted input (e.g. server config), so capping is defensive.
+const PFX_MAC_ITERATIONS_CAP: u64 = 600_000;
+
 #[op2]
 pub fn op_node_validate_pfx(
   #[buffer] pfx: &[u8],
@@ -4168,12 +4183,249 @@ pub fn op_node_validate_pfx(
   let parsed =
     Pkcs12::parse(pfx).map_err(|_| PfxValidationError::NotEnoughData)?;
   let password = passphrase.as_deref().unwrap_or("");
-  if !parsed.verify_mac(password) {
+  let bmp_password = bmp_string(password);
+  // If no MAC is present, the file is considered valid.
+  let Some(mac_data) = &parsed.mac_data else {
+    return Ok(());
+  };
+  let iterations = u64::from(mac_data.iterations);
+  if iterations > PFX_MAC_ITERATIONS_CAP {
+    return Err(PfxValidationError::MacVerifyFailure);
+  }
+  let data = parsed
+    .auth_safe
+    .data(&bmp_password)
+    .ok_or(PfxValidationError::MacVerifyFailure)?;
+  let ok = verify_pkcs12_mac(
+    &mac_data.mac.digest_algorithm,
+    &mac_data.mac.digest,
+    &mac_data.salt,
+    iterations,
+    &data,
+    &bmp_password,
+  )
+  .ok_or(PfxValidationError::MacVerifyFailure)?;
+  if !ok {
     return Err(PfxValidationError::MacVerifyFailure);
   }
   Ok(())
 }
 
+// Convert a UTF-8 password to the PKCS#12 BMPString form (RFC 7292
+// section B.1): each character is encoded as UTF-16BE, followed by a
+// U+0000 terminator.
+fn bmp_string(s: &str) -> Vec<u8> {
+  let utf16: Vec<u16> = s.encode_utf16().collect();
+  let mut bytes = Vec::with_capacity(utf16.len() * 2 + 2);
+  for c in utf16 {
+    bytes.extend_from_slice(&c.to_be_bytes());
+  }
+  bytes.extend_from_slice(&[0x00, 0x00]);
+  bytes
+}
+
+// PKCS#12 password-based key derivation, generic over a Digest. Implements
+// the algorithm from RFC 7292 Appendix B.2:
+//   https://www.rfc-editor.org/rfc/rfc7292#appendix-B.2
+//
+// `v` is the hash function's block size in bytes (64 for SHA-1, SHA-224,
+// SHA-256; 128 for SHA-384, SHA-512, SHA-512/224, SHA-512/256). `id` is
+// the diversifier (1 = encryption key, 2 = IV, 3 = MAC key). `size` is
+// the number of output bytes desired.
+fn pkcs12_pbkdf<D: Digest + FixedOutputReset>(
+  pass: &[u8],
+  salt: &[u8],
+  iterations: u64,
+  id: u8,
+  size: usize,
+  v: usize,
+) -> Vec<u8> {
+  // u = hash output size in bytes.
+  let u = <D as Digest>::output_size();
+  // Step 1: D = id repeated v bytes.
+  let d = vec![id; v];
+  // Steps 2 & 3: S and P are the salt / password padded to a multiple of
+  // v bytes by cyclic repetition. Empty inputs contribute an empty string.
+  let s: Vec<u8> = if salt.is_empty() {
+    Vec::new()
+  } else {
+    salt
+      .iter()
+      .cycle()
+      .take(v * salt.len().div_ceil(v))
+      .copied()
+      .collect()
+  };
+  let p: Vec<u8> = if pass.is_empty() {
+    Vec::new()
+  } else {
+    pass
+      .iter()
+      .cycle()
+      .take(v * pass.len().div_ceil(v))
+      .copied()
+      .collect()
+  };
+  // Step 4: I = S || P.
+  let mut i: Vec<u8> = Vec::with_capacity(s.len() + p.len());
+  i.extend_from_slice(&s);
+  i.extend_from_slice(&p);
+  // Step 5: c = ceil(size / u).
+  let c = size.div_ceil(u);
+  let mut out: Vec<u8> = Vec::with_capacity(c * u);
+  let mut hasher = D::new();
+  for _ in 0..c {
+    // Step 6a: Ai = H^iterations(D || I).
+    Digest::update(&mut hasher, &d);
+    Digest::update(&mut hasher, &i);
+    let mut ai = hasher.finalize_reset().to_vec();
+    for _ in 1..iterations {
+      Digest::update(&mut hasher, &ai);
+      ai = hasher.finalize_reset().to_vec();
+    }
+    // Step 7 (partial): A = A || Ai.
+    out.extend_from_slice(&ai);
+    if i.is_empty() {
+      continue;
+    }
+    // Step 6b: B = Ai repeated cyclically to v bytes.
+    let b: Vec<u8> = ai.iter().cycle().take(v).copied().collect();
+    // Step 6c: treating I as v-byte blocks, set each block to
+    // (block + B + 1) mod 2^(8v). Big-endian add with carry.
+    for chunk in i.chunks_mut(v) {
+      let mut carry: u16 = 1;
+      for j in (0..v).rev() {
+        let sum = chunk[j] as u16 + b[j] as u16 + carry;
+        chunk[j] = (sum & 0xff) as u8;
+        carry = sum >> 8;
+      }
+    }
+  }
+  // Step 8: take the first `size` bytes of A.
+  out.truncate(size);
+  out
+}
+
+fn pkcs12_hmac<D>(key: &[u8], data: &[u8]) -> Vec<u8>
+where
+  D: Digest
+    + digest::core_api::CoreProxy
+    + FixedOutputReset
+    + digest::core_api::BlockSizeUser,
+  <D as digest::core_api::CoreProxy>::Core: digest::core_api::BufferKindUser<
+      BufferKind = digest::block_buffer::Eager,
+    > + digest::core_api::FixedOutputCore
+    + digest::HashMarker
+    + Default
+    + Clone,
+  <<D as digest::core_api::CoreProxy>::Core as digest::core_api::BlockSizeUser>::BlockSize: digest::typenum::IsLess<digest::typenum::U256>,
+  digest::typenum::Le<<<D as digest::core_api::CoreProxy>::Core as digest::core_api::BlockSizeUser>::BlockSize, digest::typenum::U256>: digest::typenum::NonZero,
+{
+  let mut mac = <Hmac<D> as Mac>::new_from_slice(key).unwrap();
+  Mac::update(&mut mac, data);
+  mac.finalize().into_bytes().to_vec()
+}
+
+// OID identifiers in components.
+const OID_SHA1: &[u64] = &[1, 3, 14, 3, 2, 26];
+const OID_SHA224: &[u64] = &[2, 16, 840, 1, 101, 3, 4, 2, 4];
+const OID_SHA256: &[u64] = &[2, 16, 840, 1, 101, 3, 4, 2, 1];
+const OID_SHA384: &[u64] = &[2, 16, 840, 1, 101, 3, 4, 2, 2];
+const OID_SHA512: &[u64] = &[2, 16, 840, 1, 101, 3, 4, 2, 3];
+const OID_SHA512_224: &[u64] = &[2, 16, 840, 1, 101, 3, 4, 2, 5];
+const OID_SHA512_256: &[u64] = &[2, 16, 840, 1, 101, 3, 4, 2, 6];
+
+enum Pkcs12MacAlgorithm {
+  Sha1,
+  Sha224,
+  Sha256,
+  Sha384,
+  Sha512,
+  Sha512_224,
+  Sha512_256,
+}
+
+fn pkcs12_mac_algorithm(
+  algorithm: &Pkcs12AlgorithmIdentifier,
+) -> Option<Pkcs12MacAlgorithm> {
+  let oid = match algorithm {
+    Pkcs12AlgorithmIdentifier::Sha1 => return Some(Pkcs12MacAlgorithm::Sha1),
+    Pkcs12AlgorithmIdentifier::OtherAlg(other) => {
+      other.algorithm_type.components().as_slice()
+    }
+    _ => return None,
+  };
+  if oid == OID_SHA1 {
+    Some(Pkcs12MacAlgorithm::Sha1)
+  } else if oid == OID_SHA224 {
+    Some(Pkcs12MacAlgorithm::Sha224)
+  } else if oid == OID_SHA256 {
+    Some(Pkcs12MacAlgorithm::Sha256)
+  } else if oid == OID_SHA384 {
+    Some(Pkcs12MacAlgorithm::Sha384)
+  } else if oid == OID_SHA512 {
+    Some(Pkcs12MacAlgorithm::Sha512)
+  } else if oid == OID_SHA512_224 {
+    Some(Pkcs12MacAlgorithm::Sha512_224)
+  } else if oid == OID_SHA512_256 {
+    Some(Pkcs12MacAlgorithm::Sha512_256)
+  } else {
+    None
+  }
+}
+
+fn verify_pkcs12_mac(
+  algorithm: &Pkcs12AlgorithmIdentifier,
+  expected: &[u8],
+  salt: &[u8],
+  iterations: u64,
+  data: &[u8],
+  password: &[u8],
+) -> Option<bool> {
+  let mac_alg = pkcs12_mac_algorithm(algorithm)?;
+  let computed = match mac_alg {
+    Pkcs12MacAlgorithm::Sha1 => {
+      let key =
+        pkcs12_pbkdf::<sha1::Sha1>(password, salt, iterations, 3, 20, 64);
+      pkcs12_hmac::<sha1::Sha1>(&key, data)
+    }
+    Pkcs12MacAlgorithm::Sha224 => {
+      let key =
+        pkcs12_pbkdf::<sha2::Sha224>(password, salt, iterations, 3, 28, 64);
+      pkcs12_hmac::<sha2::Sha224>(&key, data)
+    }
+    Pkcs12MacAlgorithm::Sha256 => {
+      let key =
+        pkcs12_pbkdf::<sha2::Sha256>(password, salt, iterations, 3, 32, 64);
+      pkcs12_hmac::<sha2::Sha256>(&key, data)
+    }
+    Pkcs12MacAlgorithm::Sha384 => {
+      let key =
+        pkcs12_pbkdf::<sha2::Sha384>(password, salt, iterations, 3, 48, 128);
+      pkcs12_hmac::<sha2::Sha384>(&key, data)
+    }
+    Pkcs12MacAlgorithm::Sha512 => {
+      let key =
+        pkcs12_pbkdf::<sha2::Sha512>(password, salt, iterations, 3, 64, 128);
+      pkcs12_hmac::<sha2::Sha512>(&key, data)
+    }
+    Pkcs12MacAlgorithm::Sha512_224 => {
+      let key = pkcs12_pbkdf::<sha2::Sha512_224>(
+        password, salt, iterations, 3, 28, 128,
+      );
+      pkcs12_hmac::<sha2::Sha512_224>(&key, data)
+    }
+    Pkcs12MacAlgorithm::Sha512_256 => {
+      let key = pkcs12_pbkdf::<sha2::Sha512_256>(
+        password, salt, iterations, 3, 32, 128,
+      );
+      pkcs12_hmac::<sha2::Sha512_256>(&key, data)
+    }
+  };
+  use subtle::ConstantTimeEq;
+  Some(bool::from(computed.ct_eq(expected)))
+}
+
 #[derive(Debug, thiserror::Error, deno_error::JsError)]
 pub enum CrlValidationError {
   #[class(generic)]
@@ -4199,3 +4451,86 @@ pub fn op_node_validate_crl(
   }
   Ok(())
 }
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  // Cross-check our generic implementation of the PKCS#12 PBKDF
+  // (RFC 7292 Appendix B.2) against test vectors computed with an
+  // independent reference implementation.
+
+  // SHA-1 vector lifted from the `p12` crate's own test suite, which
+  // matches output produced by Bouncy Castle.
+  #[test]
+  fn pkcs12_pbkdf_sha1() {
+    let pass = bmp_string("");
+    assert_eq!(pass, vec![0, 0]);
+    let salt: [u8; 8] = [0x9a, 0xf4, 0x70, 0x29, 0x58, 0xa8, 0xe9, 0x5c];
+    let got = pkcs12_pbkdf::<sha1::Sha1>(&pass, &salt, 2048, 1, 24, 64);
+    let expected: [u8; 24] = [
+      0xc2, 0x29, 0x4a, 0xa6, 0xd0, 0x29, 0x30, 0xeb, 0x5c, 0xe9, 0xc3, 0x29,
+      0xec, 0xcb, 0x9a, 0xee, 0x1c, 0xb1, 0x36, 0xba, 0xea, 0x74, 0x65, 0x57,
+    ];
+    assert_eq!(got, expected);
+  }
+
+  // SHA-256 / SHA-384 / SHA-512 vectors were generated by porting the
+  // RFC 7292 B.2 pseudocode to Python and feeding the same inputs.
+  #[test]
+  fn pkcs12_pbkdf_sha256() {
+    let pass = bmp_string("secret");
+    let salt: [u8; 8] = [0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef];
+    let got = pkcs12_pbkdf::<sha2::Sha256>(&pass, &salt, 1000, 3, 32, 64);
+    let expected: [u8; 32] = [
+      0x7f, 0xe1, 0x91, 0x75, 0x7d, 0xca, 0xf1, 0xed, 0x6a, 0x29, 0x77, 0xb9,
+      0xb9, 0x15, 0x3f, 0x60, 0x82, 0xaf, 0x0b, 0xda, 0xfd, 0x09, 0x35, 0x2d,
+      0xcd, 0xaa, 0x96, 0x7f, 0x57, 0x17, 0x82, 0xb0,
+    ];
+    assert_eq!(got, expected);
+  }
+
+  #[test]
+  fn pkcs12_pbkdf_sha384() {
+    let pass = bmp_string("secret");
+    let salt: [u8; 8] = [0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef];
+    let got = pkcs12_pbkdf::<sha2::Sha384>(&pass, &salt, 1000, 3, 48, 128);
+    let expected: [u8; 48] = [
+      0x6a, 0x59, 0x71, 0x72, 0x05, 0x22, 0x76, 0x31, 0x21, 0xf4, 0x9a, 0x1d,
+      0x5c, 0x04, 0x10, 0xa1, 0xdb, 0x42, 0x0b, 0xe4, 0x96, 0x6d, 0xc5, 0x2f,
+      0x51, 0x91, 0x9d, 0x91, 0x15, 0x2d, 0x60, 0x2d, 0x31, 0x1c, 0x4c, 0xb0,
+      0x8d, 0x99, 0x83, 0xad, 0xaf, 0x68, 0xff, 0x5d, 0xdd, 0x69, 0x0b, 0x87,
+    ];
+    assert_eq!(got, expected);
+  }
+
+  #[test]
+  fn pkcs12_pbkdf_sha512() {
+    let pass = bmp_string("secret");
+    let salt: [u8; 8] = [0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef];
+    let got = pkcs12_pbkdf::<sha2::Sha512>(&pass, &salt, 1000, 3, 64, 128);
+    let expected: [u8; 64] = [
+      0x3e, 0x5c, 0x5d, 0xb5, 0xf5, 0xe3, 0xd0, 0xc2, 0x23, 0x2e, 0xbf, 0xbb,
+      0x86, 0x08, 0x23, 0x7a, 0x2b, 0x0a, 0xf6, 0x00, 0x30, 0xe6, 0xa0, 0x08,
+      0x2a, 0xbe, 0x7c, 0x19, 0x3f, 0x52, 0x5e, 0x98, 0x97, 0x6f, 0xb2, 0xbb,
+      0x1c, 0x88, 0xc3, 0xc6, 0xf8, 0xb5, 0x64, 0x91, 0x74, 0x3f, 0xc5, 0x04,
+      0xfb, 0x3d, 0xd9, 0x10, 0xf4, 0xf9, 0x5e, 0xf6, 0x99, 0xc2, 0x48, 0x15,
+      0xf1, 0x3e, 0xc1, 0x74,
+    ];
+    assert_eq!(got, expected);
+  }
+
+  #[test]
+  fn bmp_string_basic() {
+    assert_eq!(bmp_string(""), vec![0x00, 0x00]);
+    // "Beavis" — every code unit becomes two big-endian bytes, then a
+    // U+0000 terminator.
+    assert_eq!(
+      bmp_string("Beavis"),
+      vec![
+        0x00, 0x42, 0x00, 0x65, 0x00, 0x61, 0x00, 0x76, 0x00, 0x69, 0x00, 0x73,
+        0x00, 0x00,
+      ],
+    );
+  }
+}