Source: hkdf.js

  1. /** @fileOverview HKDF implementation.
  2.  *
  3.  * @author Steve Thomas
  4.  */
  6. /** HKDF with the specified hash function.
  7.  * @param {bitArray} ikm The input keying material.
  8.  * @param {Number} keyBitLength The output key length, in bits.
  9.  * @param {String|bitArray} salt The salt for HKDF.
  10.  * @param {String|bitArray} info The info for HKDF.
  11.  * @param {Object} [Hash=sjcl.hash.sha256] The hash function to use.
  12.  * @return {bitArray} derived key.
  13.  */
  14. sjcl.misc.hkdf = function (ikm, keyBitLength, salt, info, Hash) {
  15.   var hmac, key, i, hashLen, loops, curOut, ret = [];
  17.   Hash = Hash || sjcl.hash.sha256;
  18.   if (typeof info === "string") {
  19.     info = sjcl.codec.utf8String.toBits(info);
  20.   }
  21.   if (typeof salt === "string") {
  22.     salt = sjcl.codec.utf8String.toBits(salt);
  23.   } else if (!salt) {
  24.     salt = [];
  25.   }
  27.   hmac = new sjcl.misc.hmac(salt, Hash);
  28.   key = hmac.mac(ikm);
  29.   hashLen = sjcl.bitArray.bitLength(key);
  31.   loops = Math.ceil(keyBitLength / hashLen);
  32.   if (loops > 255) {
  33.     throw new sjcl.exception.invalid("key bit length is too large for hkdf");
  34.   }
  36.   hmac = new sjcl.misc.hmac(key, Hash);
  37.   curOut = [];
  38.   for (i = 1; i <= loops; i++) {
  39.     hmac.update(curOut);
  40.     hmac.update(info);
  41.     hmac.update([sjcl.bitArray.partial(8, i)]);
  42.     curOut = hmac.digest();
  43.     ret = sjcl.bitArray.concat(ret, curOut);
  44.   }
  45.   return sjcl.bitArray.clamp(ret, keyBitLength);
  46. };