[PS-2365] Kdf Configuration Options for Argon2 (#4578)

* Implement argon2 config * Remove argon2 webassembly warning * Replace magic numbers by enum * Implement kdf configuration * Update UI according to design feedback * Further updates to follow design feedback * Add oxford comma in argon2 description * Fix typos in argon2 descriptions * move key creation into promise with API call * change casing on PBKDF2 * general improvements * kdf config on set pin component * SHA-256 hash argon2 salt * Change argon2 defaults * Change argon2 salt hash to cryptoFunctionService * Fix isLowKdfIteration check --------- Co-authored-by: Kyle Spearrin <kyle.spearrin@gmail.com> Co-authored-by: Kyle Spearrin <kspearrin@users.noreply.github.com>
2025-12-15 07:43:35 +00:00 · 2023-01-30 15:07:51 +01:00
parent b1a1068906
commit 01091fe260
35 changed files with 329 additions and 143 deletions
--- a/libs/common/src/models/domain/account.ts
+++ b/libs/common/src/models/domain/account.ts
@@ -189,6 +189,8 @@ export class AccountProfile {
  usesKeyConnector?: boolean;
  keyHash?: string;
  kdfIterations?: number;
+  kdfMemory?: number;
+  kdfParallelism?: number;
  kdfType?: KdfType;

  static fromJSON(obj: Jsonify<AccountProfile>): AccountProfile {
--- a/libs/common/src/models/domain/kdf-config.ts
+++ b/libs/common/src/models/domain/kdf-config.ts
@@ -0,0 +1,11 @@
+export class KdfConfig {
+  iterations: number;
+  memory?: number;
+  parallelism?: number;
+
+  constructor(iterations: number, memory?: number, parallelism?: number) {
+    this.iterations = iterations;
+    this.memory = memory;
+    this.parallelism = parallelism;
+  }
+}
--- a/libs/common/src/models/request/kdf.request.ts
+++ b/libs/common/src/models/request/kdf.request.ts
@@ -5,4 +5,6 @@ import { PasswordRequest } from "./password.request";
 export class KdfRequest extends PasswordRequest {
  kdf: KdfType;
  kdfIterations: number;
+  kdfMemory?: number;
+  kdfParallelism?: number;
 }
--- a/libs/common/src/models/request/register.request.ts
+++ b/libs/common/src/models/request/register.request.ts
@@ -16,10 +16,12 @@ export class RegisterRequest implements CaptchaProtectedRequest {
    public masterPasswordHash: string,
    masterPasswordHint: string,
    public key: string,
+    public referenceData: ReferenceEventRequest,
+    public captchaResponse: string,
    public kdf: KdfType,
    public kdfIterations: number,
-    public referenceData: ReferenceEventRequest,
-    public captchaResponse: string
+    public kdfMemory?: number,
+    public kdfParallelism?: number
  ) {
    this.masterPasswordHint = masterPasswordHint ? masterPasswordHint : null;
  }
--- a/libs/common/src/models/request/set-password.request.ts
+++ b/libs/common/src/models/request/set-password.request.ts
@@ -9,22 +9,28 @@ export class SetPasswordRequest {
  keys: KeysRequest;
  kdf: KdfType;
  kdfIterations: number;
+  kdfMemory?: number;
+  kdfParallelism?: number;
  orgIdentifier: string;

  constructor(
    masterPasswordHash: string,
    key: string,
    masterPasswordHint: string,
+    orgIdentifier: string,
+    keys: KeysRequest,
    kdf: KdfType,
    kdfIterations: number,
-    orgIdentifier: string,
-    keys: KeysRequest
+    kdfMemory?: number,
+    kdfParallelism?: number
  ) {
    this.masterPasswordHash = masterPasswordHash;
    this.key = key;
    this.masterPasswordHint = masterPasswordHint;
    this.kdf = kdf;
    this.kdfIterations = kdfIterations;
+    this.kdfMemory = kdfMemory;
+    this.kdfParallelism = kdfParallelism;
    this.orgIdentifier = orgIdentifier;
    this.keys = keys;
  }
--- a/libs/common/src/models/response/emergency-access.response.ts
+++ b/libs/common/src/models/response/emergency-access.response.ts
@@ -59,6 +59,8 @@ export class EmergencyAccessTakeoverResponse extends BaseResponse {
  keyEncrypted: string;
  kdf: KdfType;
  kdfIterations: number;
+  kdfMemory?: number;
+  kdfParallelism?: number;

  constructor(response: any) {
    super(response);
@@ -66,6 +68,8 @@ export class EmergencyAccessTakeoverResponse extends BaseResponse {
    this.keyEncrypted = this.getResponseProperty("KeyEncrypted");
    this.kdf = this.getResponseProperty("Kdf");
    this.kdfIterations = this.getResponseProperty("KdfIterations");
+    this.kdfMemory = this.getResponseProperty("KdfMemory");
+    this.kdfParallelism = this.getResponseProperty("KdfParallelism");
  }
 }

--- a/libs/common/src/models/response/identity-token.response.ts
+++ b/libs/common/src/models/response/identity-token.response.ts
@@ -14,6 +14,8 @@ export class IdentityTokenResponse extends BaseResponse {
  twoFactorToken: string;
  kdf: KdfType;
  kdfIterations: number;
+  kdfMemory?: number;
+  kdfParallelism?: number;
  forcePasswordReset: boolean;
  apiUseKeyConnector: boolean;
  keyConnectorUrl: string;
@@ -31,6 +33,8 @@ export class IdentityTokenResponse extends BaseResponse {
    this.twoFactorToken = this.getResponseProperty("TwoFactorToken");
    this.kdf = this.getResponseProperty("Kdf");
    this.kdfIterations = this.getResponseProperty("KdfIterations");
+    this.kdfMemory = this.getResponseProperty("KdfMemory");
+    this.kdfParallelism = this.getResponseProperty("KdfParallelism");
    this.forcePasswordReset = this.getResponseProperty("ForcePasswordReset");
    this.apiUseKeyConnector = this.getResponseProperty("ApiUseKeyConnector");
    this.keyConnectorUrl = this.getResponseProperty("KeyConnectorUrl");
--- a/libs/common/src/models/response/prelogin.response.ts
+++ b/libs/common/src/models/response/prelogin.response.ts
@@ -5,10 +5,14 @@ import { BaseResponse } from "./base.response";
 export class PreloginResponse extends BaseResponse {
  kdf: KdfType;
  kdfIterations: number;
+  kdfMemory?: number;
+  kdfParallelism?: number;

  constructor(response: any) {
    super(response);
    this.kdf = this.getResponseProperty("Kdf");
    this.kdfIterations = this.getResponseProperty("KdfIterations");
+    this.kdfMemory = this.getResponseProperty("KdfMemory");
+    this.kdfParallelism = this.getResponseProperty("KdfParallelism");
  }
 }