Use WebCrypto APIs where possible

The only place we are stuck with node's original crypto API
is for generating md5 hashes, which are not supported by WebCrypto.

Author: petebacondarwin

packages/pg/lib/client.js

@@ -2,13 +2,14 @@
 
 var EventEmitter = require('events').EventEmitter
 var utils = require('./utils')
-var sasl = require('./sasl')
+var sasl = require('./crypto/sasl')
 var TypeOverrides = require('./type-overrides')
 
 var ConnectionParameters = require('./connection-parameters')
 var Query = require('./query')
 var defaults = require('./defaults')
 var Connection = require('./connection')
+const crypto = require('./crypto/utils')
 
 class Client extends EventEmitter {
   constructor(config) {
@@ -245,9 +246,13 @@ class Client extends EventEmitter {
   }
 
   _handleAuthMD5Password(msg) {
-    this._checkPgPass(() => {
-      const hashedPassword = utils.postgresMd5PasswordHash(this.user, this.password, msg.salt)
-      this.connection.password(hashedPassword)
+    this._checkPgPass(async () => {
+      try {
+        const hashedPassword = await crypto.postgresMd5PasswordHash(this.user, this.password, msg.salt)
+        this.connection.password(hashedPassword)
+      } catch (e) {
+        this.emit('error', e)
+      }
     })
   }
 
@@ -262,9 +267,9 @@ class Client extends EventEmitter {
     })
   }
 
-  _handleAuthSASLContinue(msg) {
+  async _handleAuthSASLContinue(msg) {
     try {
-      sasl.continueSession(this.saslSession, this.password, msg.data)
+      await sasl.continueSession(this.saslSession, this.password, msg.data)
       this.connection.sendSCRAMClientFinalMessage(this.saslSession.response)
     } catch (err) {
       this.connection.emit('error', err)

packages/pg/lib/sasl.js renamed to packages/pg/lib/crypto/sasl.js

@@ -1,5 +1,5 @@
 'use strict'
-const crypto = require('crypto')
+const crypto = require('./utils')
 
 function startSession(mechanisms) {
   if (mechanisms.indexOf('SCRAM-SHA-256') === -1) {
@@ -16,7 +16,7 @@ function startSession(mechanisms) {
   }
 }
 
-function continueSession(session, password, serverData) {
+async function continueSession(session, password, serverData) {
   if (session.message !== 'SASLInitialResponse') {
     throw new Error('SASL: Last message was not SASLInitialResponse')
   }
@@ -38,29 +38,22 @@ function continueSession(session, password, serverData) {
     throw new Error('SASL: SCRAM-SERVER-FIRST-MESSAGE: server nonce is too short')
   }
 
-  var saltBytes = Buffer.from(sv.salt, 'base64')
-
-  var saltedPassword = crypto.pbkdf2Sync(password, saltBytes, sv.iteration, 32, 'sha256')
-
-  var clientKey = hmacSha256(saltedPassword, 'Client Key')
-  var storedKey = sha256(clientKey)
-
   var clientFirstMessageBare = 'n=*,r=' + session.clientNonce
   var serverFirstMessage = 'r=' + sv.nonce + ',s=' + sv.salt + ',i=' + sv.iteration
-
   var clientFinalMessageWithoutProof = 'c=biws,r=' + sv.nonce
-
   var authMessage = clientFirstMessageBare + ',' + serverFirstMessage + ',' + clientFinalMessageWithoutProof
 
-  var clientSignature = hmacSha256(storedKey, authMessage)
-  var clientProofBytes = xorBuffers(clientKey, clientSignature)
-  var clientProof = clientProofBytes.toString('base64')
-
-  var serverKey = hmacSha256(saltedPassword, 'Server Key')
-  var serverSignatureBytes = hmacSha256(serverKey, authMessage)
+  var saltBytes = Buffer.from(sv.salt, 'base64')
+  var saltedPassword = await crypto.deriveKey(password, saltBytes, sv.iteration)
+  var clientKey = await crypto.hmacSha256(saltedPassword, 'Client Key')
+  var storedKey = await crypto.sha256(clientKey)
+  var clientSignature = await crypto.hmacSha256(storedKey, authMessage)
+  var clientProof = xorBuffers(Buffer.from(clientKey), Buffer.from(clientSignature)).toString('base64')
+  var serverKey = await crypto.hmacSha256(saltedPassword, 'Server Key')
+  var serverSignatureBytes = await crypto.hmacSha256(serverKey, authMessage)
 
   session.message = 'SASLResponse'
-  session.serverSignature = serverSignatureBytes.toString('base64')
+  session.serverSignature = Buffer.from(serverSignatureBytes).toString('base64')
   session.response = clientFinalMessageWithoutProof + ',p=' + clientProof
 }
 
@@ -186,14 +179,6 @@ function xorBuffers(a, b) {
   return Buffer.from(a.map((_, i) => a[i] ^ b[i]))
 }
 
-function sha256(text) {
-  return crypto.createHash('sha256').update(text).digest()
-}
-
-function hmacSha256(key, msg) {
-  return crypto.createHmac('sha256', key).update(msg).digest()
-}
-
 module.exports = {
   startSession,
   continueSession,

packages/pg/lib/crypto/utils-legacy.js

@@ -0,0 +1,37 @@
+'use strict'
+// This file contains crypto utility functions for versions of Node.js < 15.0.0,
+// which does not support the WebCrypto.subtle API.
+
+const nodeCrypto = require('crypto')
+
+function md5(string) {
+  return nodeCrypto.createHash('md5').update(string, 'utf-8').digest('hex')
+}
+
+// See AuthenticationMD5Password at https://www.postgresql.org/docs/current/static/protocol-flow.html
+function postgresMd5PasswordHash(user, password, salt) {
+  var inner = md5(password + user)
+  var outer = md5(Buffer.concat([Buffer.from(inner), salt]))
+  return 'md5' + outer
+}
+
+function sha256(text) {
+  return nodeCrypto.createHash('sha256').update(text).digest()
+}
+
+function hmacSha256(key, msg) {
+  return nodeCrypto.createHmac('sha256', key).update(msg).digest()
+}
+
+async function deriveKey(password, salt, iterations) {
+  return nodeCrypto.pbkdf2Sync(password, salt, iterations, 32, 'sha256')
+}
+
+module.exports = {
+  postgresMd5PasswordHash,
+  randomBytes: nodeCrypto.randomBytes,
+  deriveKey,
+  sha256,
+  hmacSha256,
+  md5,
+}

packages/pg/lib/crypto/utils.js

@@ -0,0 +1,92 @@
+'use strict'
+
+const useLegacyCrypto = parseInt(process.versions && process.versions.node && process.versions.node.split('.')[0]) < 15
+if (useLegacyCrypto) {
+  // We are on an old version of Node.js that requires legacy crypto utilities.
+  module.exports = require('./utils-legacy')
+  return
+}
+
+const nodeCrypto = require('crypto')
+
+module.exports = {
+  postgresMd5PasswordHash,
+  randomBytes,
+  deriveKey,
+  sha256,
+  hmacSha256,
+  md5,
+}
+
+/**
+ * The Web Crypto API - grabbed from the Node.js library or the global
+ * @type Crypto
+ */
+const webCrypto = nodeCrypto.webcrypto || globalThis.crypto
+/**
+ * The SubtleCrypto API for low level crypto operations.
+ * @type SubtleCrypto
+ */
+const subtleCrypto = webCrypto.subtle
+const textEncoder = new TextEncoder()
+
+/**
+ *
+ * @param {*} length
+ * @returns
+ */
+function randomBytes(length) {
+  return webCrypto.getRandomValues(Buffer.alloc(length))
+}
+
+async function md5(string) {
+  try {
+    return nodeCrypto.createHash('md5').update(string, 'utf-8').digest('hex')
+  } catch (e) {
+    // `createHash()` failed so we are probably not in Node.js, use the WebCrypto API instead.
+    // Note that the MD5 algorithm on WebCrypto is not available in Node.js.
+    // This is why we cannot just use WebCrypto in all environments.
+    const data = typeof string === 'string' ? textEncoder.encode(string) : string
+    const hash = await subtleCrypto.digest('MD5', data)
+    return Array.from(new Uint8Array(hash))
+      .map((b) => b.toString(16).padStart(2, '0'))
+      .join('')
+  }
+}
+
+// See AuthenticationMD5Password at https://www.postgresql.org/docs/current/static/protocol-flow.html
+async function postgresMd5PasswordHash(user, password, salt) {
+  var inner = await md5(password + user)
+  var outer = await md5(Buffer.concat([Buffer.from(inner), salt]))
+  return 'md5' + outer
+}
+
+/**
+ * Create a SHA-256 digest of the given data
+ * @param {Buffer} data
+ */
+async function sha256(text) {
+  return await subtleCrypto.digest('SHA-256', text)
+}
+
+/**
+ * Sign the message with the given key
+ * @param {ArrayBuffer} keyBuffer
+ * @param {string} msg
+ */
+async function hmacSha256(keyBuffer, msg) {
+  const key = await subtleCrypto.importKey('raw', keyBuffer, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign'])
+  return await subtleCrypto.sign('HMAC', key, textEncoder.encode(msg))
+}
+
+/**
+ * Derive a key from the password and salt
+ * @param {string} password
+ * @param {Uint8Array} salt
+ * @param {number} iterations
+ */
+async function deriveKey(password, salt, iterations) {
+  const key = await subtleCrypto.importKey('raw', textEncoder.encode(password), 'PBKDF2', false, ['deriveBits'])
+  const params = { name: 'PBKDF2', hash: 'SHA-256', salt: salt, iterations: iterations }
+  return await subtleCrypto.deriveBits(params, key, 32 * 8, ['deriveBits'])
+}

packages/pg/lib/utils.js

@@ -1,7 +1,5 @@
 'use strict'
 
-const crypto = require('crypto')
-
 const defaults = require('./defaults')
 
 function escapeElement(elementRepresentation) {
@@ -164,17 +162,6 @@ function normalizeQueryConfig(config, values, callback) {
   return config
 }
 
-const md5 = function (string) {
-  return crypto.createHash('md5').update(string, 'utf-8').digest('hex')
-}
-
-// See AuthenticationMD5Password at https://www.postgresql.org/docs/current/static/protocol-flow.html
-const postgresMd5PasswordHash = function (user, password, salt) {
-  var inner = md5(password + user)
-  var outer = md5(Buffer.concat([Buffer.from(inner), salt]))
-  return 'md5' + outer
-}
-
 // Ported from PostgreSQL 9.2.4 source code in src/interfaces/libpq/fe-exec.c
 const escapeIdentifier = function (str) {
   return '"' + str.replace(/"/g, '""') + '"'
@@ -205,17 +192,13 @@ const escapeLiteral = function (str) {
   return escaped
 }
 
-
-
 module.exports = {
   prepareValue: function prepareValueWrapper(value) {
     // this ensures that extra arguments do not get passed into prepareValue
     // by accident, eg: from calling values.map(utils.prepareValue)
     return prepareValue(value)
   },
   normalizeQueryConfig,
-  postgresMd5PasswordHash,
-  md5,
   escapeIdentifier,
-  escapeLiteral
+  escapeLiteral,
 }

packages/pg/test/integration/connection/test-helper.js

@@ -3,6 +3,7 @@ var net = require('net')
 var helper = require('../test-helper')
 var Connection = require('../../../lib/connection')
 var utils = require('../../../lib/utils')
+const crypto = require('../../../lib/crypto/utils')
 var connect = function (callback) {
   var username = helper.args.user
   var database = helper.args.database
@@ -20,8 +21,8 @@ var connect = function (callback) {
     con.once('authenticationCleartextPassword', function () {
       con.password(helper.args.password)
     })
-    con.once('authenticationMD5Password', function (msg) {
-      con.password(utils.postgresMd5PasswordHash(helper.args.user, helper.args.password, msg.salt))
+    con.once('authenticationMD5Password', async function (msg) {
+      con.password(await crypto.postgresMd5PasswordHash(helper.args.user, helper.args.password, msg.salt))
     })
     con.once('readyForQuery', function () {
       con.query('create temp table ids(id integer)')

packages/pg/test/unit/client/md5-password-tests.js

@@ -1,24 +1,26 @@
 'use strict'
 var helper = require('./test-helper')
 const BufferList = require('../../buffer-list')
-var utils = require('../../../lib/utils')
+var crypto = require('../../../lib/crypto/utils')
 
-test('md5 authentication', function () {
+test('md5 authentication', async function () {
   var client = helper.createClient()
   client.password = '!'
   var salt = Buffer.from([1, 2, 3, 4])
-  client.connection.emit('authenticationMD5Password', { salt: salt })
+  await client.connection.emit('authenticationMD5Password', { salt: salt })
 
-  test('responds', function () {
-    assert.lengthIs(client.connection.stream.packets, 1)
-    test('should have correct encrypted data', function () {
-      var password = utils.postgresMd5PasswordHash(client.user, client.password, salt)
-      // how do we want to test this?
-      assert.equalBuffers(client.connection.stream.packets[0], new BufferList().addCString(password).join(true, 'p'))
+  setTimeout(() =>
+    test('responds', function () {
+      assert.lengthIs(client.connection.stream.packets, 1)
+      test('should have correct encrypted data', async function () {
+        var password = await crypto.postgresMd5PasswordHash(client.user, client.password, salt)
+        // how do we want to test this?
+        assert.equalBuffers(client.connection.stream.packets[0], new BufferList().addCString(password).join(true, 'p'))
+      })
     })
-  })
+  )
 })
 
-test('md5 of utf-8 strings', function () {
-  assert.equal(utils.md5('😊'), '5deda34cd95f304948d2bc1b4a62c11e')
+test('md5 of utf-8 strings', async function () {
+  assert.equal(await crypto.md5('😊'), '5deda34cd95f304948d2bc1b4a62c11e')
 })