Merge pull request #412 from PeculiarVentures/fix-pfx-pass-utf8

Fix password transformation for characters with char codes greater than 255

examples/NodePKCS12Example/NodeEngineNodeSpecific.ts

@@ -141,18 +141,21 @@ function makePKCS12B2Key(
 
   //#region Main algorithm making key
   //#region Transform password to UTF-8 like string
-  const passwordViewInitial = new Uint8Array(password);
-
-  const passwordTransformed = new ArrayBuffer((password.byteLength * 2) + 2);
-  const passwordTransformedView = new Uint8Array(passwordTransformed);
-
-  for (let i = 0; i < passwordViewInitial.length; i++) {
-    passwordTransformedView[i * 2] = 0x00;
-    passwordTransformedView[i * 2 + 1] = passwordViewInitial[i];
+  const originalPassword = new Uint8Array(password);
+  let decodedPassword = new TextDecoder().decode(password);
+  const encodedPassword = new TextEncoder().encode(decodedPassword);
+  if (encodedPassword.some((byte, i) => byte !== originalPassword[i])) {
+    decodedPassword = String.fromCharCode(...originalPassword);
   }
 
-  passwordTransformedView[passwordTransformedView.length - 2] = 0x00;
-  passwordTransformedView[passwordTransformedView.length - 1] = 0x00;
+  // Transform the password into a byte array
+  const passwordTransformed = new Uint8Array(decodedPassword.length * 2 + 2);
+  const passwordDataView = new DataView(passwordTransformed.buffer);
+  for (let i = 0; i < decodedPassword.length; i++) {
+    passwordDataView.setUint16(i * 2, decodedPassword.charCodeAt(i), false);
+  }
+  // Add null-terminator
+  passwordDataView.setUint16(decodedPassword.length * 2, 0, false);
 
   password = passwordTransformed.slice(0);
   //#endregion

src/CryptoEngine/CryptoEngine.ts

@@ -52,14 +52,22 @@ async function makePKCS12B2Key(hashAlgorithm: string, keyLength: number, passwor
       throw new Error("Unsupported hashing algorithm");
   }
 
-  // Transform the password into a null-terminated UCS-2 encoded string
-  const passwordViewInitial = new Uint8Array(password);
-  const passwordTransformed = new Uint8Array((password.byteLength * 2) + 2);
-  for (let i = 0; i < passwordViewInitial.length; i++) {
-    passwordTransformed[i * 2] = 0x00;
-    passwordTransformed[i * 2 + 1] = passwordViewInitial[i];
+  const originalPassword = new Uint8Array(password);
+  let decodedPassword = new TextDecoder().decode(password);
+  const encodedPassword = new TextEncoder().encode(decodedPassword);
+  if (encodedPassword.some((byte, i) => byte !== originalPassword[i])) {
+    decodedPassword = String.fromCharCode(...originalPassword);
   }
 
+  // Transform the password into a byte array
+  const passwordTransformed = new Uint8Array(decodedPassword.length * 2 + 2);
+  const passwordView = new DataView(passwordTransformed.buffer);
+  for (let i = 0; i < decodedPassword.length; i++) {
+    passwordView.setUint16(i * 2, decodedPassword.charCodeAt(i), false);
+  }
+  // Add null-terminator
+  passwordView.setUint16(decodedPassword.length * 2, 0, false);
+
   // Create a filled array D with the value 3 (ID for MACing)
   const D = new Uint8Array(v).fill(3);
 

test/pkcs12SimpleExample.spec.ts

@@ -46,9 +46,23 @@ context("PKCS#12 Simple Example", () => {
     await example.certificatePrivacy(password);
   });
 
-  it("Making OpenSSL-like PKCS#12 Data", async () => {
-    const pfx = await example.openSSLLike(password);
-    await example.parsePKCS12(pfx, password);
+  context("Making OpenSSL-like PKCS#12 Data", () => {
+    it("ASCII", async () => {
+      const pfx = await example.openSSLLike(password);
+      await example.parsePKCS12(pfx, password);
+    });
+
+    it("UTF-8", async () => {
+      const password = "пароль";
+      const pfx = await example.openSSLLike(password);
+      await example.parsePKCS12(pfx, password);
+    });
+
+    it("Binary", async () => {
+      const password = "\x04\xff\x20\x21"; // decode/encode -> [ 4, 239, 191, 189, 32, 33 ]
+      const pfx = await example.openSSLLike(password);
+      await example.parsePKCS12(pfx, password);
+    });
   });
 
   it("Speed test for stampDataWithPassword", async () => {