dart-lang / crypto Goto Github PK

I have dart code that converts string to sha256 hash. remarry party using csharp and same string they get different result.

So where should I have to look? What should I tell them?

Why Dart sha256 and Csharp sha256 has different result?

String a = "2424242401224672";
  var bytes = utf8.encode(a);
  var digest = sha256.convert(bytes);
  print("digest: $digest");

Base64 current handles percent-encoded padding characters, but only if the percent encoding is uppercase. It should handle lowercase encoding as well.

From https://codereview.chromium.org/1349293002/

Tracking issue.

If we don't plan to do this relatively soon, let's close. But I hear we have this code. :)

Originally opened as dart-lang/sdk#4611

This issue was originally filed by [email protected]

Test code:
new File('recordroyale.ogg').readAsBytes().then((buf) {
  var md5 = new MD5();
  md5.update(buf);
  print(md5.digest());
});

where 'recordroyale.ogg' is about six megabytes. This takes 22 seconds on my machine. Shelling out to md5sum(1) takes under 0.02 seconds. I understand that Dart won't ever be as fast as C, but with this disparity, the hash algorithms should be implemented in C[++] rather than Dart.

I had a vague suspicion that this was slow due to unnecessary allocations, but the allocations are mostly small and consumed quickly. Refactoring to eliminate unnecessary allocations resulted in no change.

My use case involved checksumming a byte array that existed only in memory at the relevant location; it is far less convenient to write data to a temporary file, shell out to md5sum(1), then delete that file.

Please add HMAC-SHA512 feature.
thank you.

Customer request.

Originally opened as dart-lang/sdk#2875

This issue was originally filed by [email protected]

In its current shape, the hash and HMAC functions in the crypto library return List<int> as a message digest. This has several deficiencies:

1. If you want to print it, you need an extra function to convert it to string (see issue #2839).
2. If you want to compare it and use the hashes for passwords, you have to be very careful to avoid timing attacks (se http://codahale.com/a-lesson-in-timing-attacks/).

Therefore, I propose to use a rich object called Digest instead. It would look like this:

interface Digest {
  final List<int> bytes;

  // TODO operator equals, when implemented
  bool operator ==(Digest other);

  String toString();
}

I'm attaching a patch with complete implementation (necessary modifications to tests included). Note that if you accept this, it supersedes issue #2839.

Please note that I DON'T really understand crypto, so if you decide to accept this API change, proper crypto review is a good idea :-)

Attachment:
0001-represent-message-digest-as-a-rich-object-with-bette.patch (9.72 KB)

Our major product uses this library, and recently the 0.9.2 version was released. This version does not work with dart2js.

Unsupported operation: Uint64 accessor not supported by dart2js.

Error message when run pub get:

Because every version of flutter_test from sdk depends on crypto 2.1.3 and driver depends on crypto ^2.1.4, flutter_test from sdk is forbidden.
So, because driver depends on flutter_test any from sdk, version solving failed.
pub get failed (1; So, because driver depends on flutter_test any from sdk, version solving failed.).

My environment
sdk: ">=2.2.2 <3.0.0"

[✓] Flutter (Channel stable, v1.12.13+hotfix.5, on Mac OS X 10.14.6 18G103, locale en-VN)
    • Flutter version 1.12.13+hotfix.5 at /Users/thanhphung/code/flutter
    • Framework revision 27321ebbad (4 weeks ago), 2019-12-10 18:15:01 -0800
    • Engine revision 2994f7e1e6
    • Dart version 2.7.0

[✓] Android toolchain - develop for Android devices (Android SDK version 29.0.2)
    • Android SDK at /Users/thanhphung/Library/Android/sdk
    • Android NDK location not configured (optional; useful for native profiling support)
    • Platform android-29, build-tools 29.0.2
    • Java binary at: /Applications/Android Studio.app/Contents/jre/jdk/Contents/Home/bin/java
    • Java version OpenJDK Runtime Environment (build 1.8.0_202-release-1483-b49-5587405)
    • All Android licenses accepted.

[✓] Xcode - develop for iOS and macOS (Xcode 11.2.1)
    • Xcode at /Applications/Xcode.app/Contents/Developer
    • Xcode 11.2.1, Build version 11B53
    • CocoaPods version 1.6.0

[✓] Android Studio (version 3.5)
    • Android Studio at /Applications/Android Studio.app/Contents
    • Flutter plugin version 42.1.1
    • Dart plugin version 191.8593
    • Java version OpenJDK Runtime Environment (build 1.8.0_202-release-1483-b49-5587405)

[✓] VS Code (version 1.41.1)
    • VS Code at /Applications/Visual Studio Code.app/Contents
    • Flutter extension version 3.7.1

[✓] Connected device (1 available)
    • iPhone 8 • 30A0D063-FD79-4F62-9C5F-EDDA9B736F10 • ios • com.apple.CoreSimulator.SimRuntime.iOS-13-2 (simulator)

It's common to link to where the latest CI system's output is. For example, if this were using Travis, we could link to the latest Travis results.

This package might be tested on the package bots? If so, can we link to there?

Thanks!

Either both or neither, right @nex3 ?

Currently, the Base64 implementation accepts A===. It's invalid and should be rejected.

Customer request.

Customer request.

See https://travis-ci.org/dart-lang/crypto/jobs/400991759

This is probably user error, but for tracking:

~/Code/crypto[example*] $ dart example/md5.dart large.txt 
398b8e562429a971168e91ecf7117144
~/Code/crypto[example*] $ md5 large.txt 
MD5 (large.txt) = b5c667a723a10a3485a33263c4c2b978

Example code:

// Copyright (c) 2015, the Dart project authors.  Please see the AUTHORS file
// for details. All rights reserved. Use of this source code is governed by a
// BSD-style license that can be found in the LICENSE file.

import 'dart:io' show exit, File;
import 'package:crypto/crypto.dart' show MD5, CryptoUtils;

main(List<String> args) async {
  if (args == null || args.length != 1) {
    print('Usage: dart md5.dart <input_filename>');
    exit(1);
  }

  var input = new File(args[0]);

  if (!input.existsSync()) {
    print('File "${args[0]}" does not exist.');
    exit(1);
  }

  var md5 = new MD5();

  await for (var bytes in input.openRead()) {
    md5.add(bytes);
  }

  var hex = CryptoUtils.bytesToHex(md5.close());

  print(hex);
}

Running with

~/Code/crypto[example*] $ dart --version
Dart VM version: 1.13.0-dev.2.0 (Tue Sep  8 05:13:39 2015) on "macos_x64"

The size of the output of HMAC should be the same as that of the underlying hash function. However, that's not the case. For example, the following code fails:

final hash = sha256;
final converted = Hmac(hash, utf8.encode('some key'))
    .convert(utf8.encode('some data'))
    .bytes;
assert(hash.blockSize == converted.length);

customer request.

<img src="https://avatars.githubusercontent.com/u/1924313?v=3" align="left" width="96" height="96"hspace="10"> Issue by jtmcdole
Originally opened as dart-lang/sdk#19255

crypto's bytesToBase64 is great, but I'd really like to specify the alphabet; specifically base64url in which the last two characters are -_

See: http://tools.ietf.org/html/rfc4648#section-5
See: http://en.wikipedia.org/wiki/Base64

Originally opened as dart-lang/sdk#19292

This issue was originally filed by [email protected]

The crypto library fails with an assertion error:

lengthInBits < pow(2, 32)

when trying to take an md5 hash of a file larger than 512MB. This limitation effectively means dart is unsafe for transferring large files between a client and server.

I converted the dart_jwt package to the latest crypto (pre 1.0) version and followed the deprecation advice to use the convert package for base64.

Unfortunately all my tests started failing as they encoding was not the same as you get with the url safe version of the old base64.

I need the equivalent of

const Base64Codec(urlSafe: true).decode(...);

to exist in the convert package but can't find it. What am I missing?

Do you have plans to support blake2b ? Thanks a lot.

There seems to be a bug in (at least) the sha256 hash function. The conversion with gives me for some inputs a wrong result.
Below is an example where I converted the same input once with this package and once with java. The results are different and I was expecting the result which I got in the java version.
I am using the latest version of this package (2.1.2).

Here is an example where its not working as expected:

Dart Code:

// [49, 53, 54, 54, 51, 51, 50, 54, 55, 49, 49, 49, 56, 48, 48, 48]
List<int> bytes = utf8.encode("1566332671118000"); 
// [133, 249, 41, 195, 160, 66, 219, 55, 26, 124, 141, 228, 53, 42, 184, 177, 140, 149, 252, 151, 104, 226, 242, 51, 157, 236, 122, 90, 60, 32, 207, 91]
sha256.convert(bytes); 

Java Code:

// [49, 53, 54, 54, 51, 51, 50, 54, 55, 49, 49, 49, 56, 48, 48, 48]
byte[] bytes = "1566332671118000".getBytes (Charset.forName (UTF8); 
MessageDigest md = MessageDigest.getInstance (SHA256); 
// [-123, -7, 41, -61, -96, 66, -37, 55, 26, 124, -115, -28, 53, 42, -72, -79, -116, -107, -4, -105, 104, -30, -14, 51, -99, -20, 122, 90, 60, 32, -49, 91]
md.digest (bytes);

<img src="https://avatars.githubusercontent.com/u/480590?v=3" align="left" width="96" height="96"hspace="10"> Issue by Ladicek
Originally opened as dart-lang/sdk#2875

Attachment:
0001-represent-message-digest-as-a-rich-object-with-bette.patch (9.72 KB)

Currently, the Base64 decoder crashes when passed a string containing a character with a codepoint above 256. It shouldn't accept this, but it should throw a more useful error.

<img src="https://avatars.githubusercontent.com/u/209047?v=3" align="left" width="96" height="96"hspace="10"> Issue by dasmoth
Originally opened as dart-lang/sdk#10217

Any reason why these can't be top-level functions in the dart:crypto package? Didn't Dart add support for top-level functions to avoid this kind of Java-ism?

Customer request.

There is a startChunkedConversion api on the Hash class here, but you can't use it easily without an import to lib/src/ because the DigestSink class is not exposed (as far as I can tell at least).

Description
https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange

Example of implementation
https://nodejs.org/api/crypto.html#crypto_class_diffiehellman

<img src="https://avatars.githubusercontent.com/u/1046115?v=3" align="left" width="96" height="96"hspace="10"> Issue by jwendel
Originally opened as dart-lang/sdk#9822

What steps will reproduce the problem?
The current crypto library only supports SHA-1 and a limited subset of SHA-2 (SHA-256). While this may be enough for client-side, it would be nice to have full SHA-2 support for server-side development. This would mean support for all SHA-2 algorithms: (SHA-224, SHA-256, SHA-384, SHA-512).

What is the expected output? What do you see instead?

What version of the product are you using? On what operating system?
Dart SDK version 0.4.5.1_r21094

Please provide any additional information below.
I was looking to write a server-side program that talked to a RESTful service, but it required that all requests had a SHA-512 signature, which is not currently supported by the included Dart crypto library. I could also see this being needed for anyone doing a server-side Dart app that wants to store SHA-512 versions of users passwords.

I am using flutter to send data to my aqueduct web api in encrypted mode. In aqueduct I need to use decryption to get the data, sort out request info from data base, encrypted data and send to flutter app. I couldn't find any HMAC-SHA256 Decryption so I can use the plugin in my flutter app and aqueduct web api. Any help please?

import 'dart:convert';
import 'package:crypto/crypto.dart';
import 'package:crypto/src/digest_sink.dart';

void main() {
var key = utf8.encode('p@ssw0rd');
var bytes = utf8.encode("foobar");

var hmacSha256 = new Hmac(sha256, key); // HMAC-SHA256
var digest = hmacSha256.convert(bytes);

print("HMAC digest as bytes: ${digest.bytes}");
print("HMAC digest as hex string: $digest");
}

I am building a Flutter package and need to perform RSA encryption but not sure this package currently supports it. Open to ideas as to options i can explore.

The pub site can show example code for a package.
https://www.dartlang.org/tools/pub/package-layout#examples

Let me know if you want me to try working on this.

related issue : dart-lang/site-www#413

A customer asked for "anything to help me check a payload against an RSA public key signature? (I think I want to use the sha256WithRSAEncryption algo)." and "I only need the functionality of Chrome's SignatureVerifier class[1], which uses openssl's EVP_PKEY_* and EVP_DigestVerify* and friends."

Hi,

Other packages have tags for released versions which makes referencing specific versions in Git easier than the complete commit hash.

It seems that HashSink does not close the underlying sync when its close method is called.

This means users have to call close twice when doing a chunked conversion, for instance.

Customer request.

It makes sense to accept the CRLF sequence to allow base64 to be broken across lines, but these characters shouldn't be allowed on their own.

<img src="https://avatars.githubusercontent.com/u/5479?v=3" align="left" width="96" height="96"hspace="10"> Issue by sethladd
Originally opened as dart-lang/sdk#3396

Suggesting adding an optional List<int> param to Hash.digest() for the more simple one-liner cases.

Instead of:

var digest = sha256.update("message".charCodes()).digest();

It would be nicer to have:

var digest = sha256.digest("message".charCodes());

Thanks!

Currently, if there are a multiple of four = or %3D sequences in a Base64 string, the parser will treat them as zero bytes. This is clearly wrong; it should reject those strings like it does for strings with other numbers of =.

Couldn't find a simple way to hash a simple string.

The example within the example folder uses stream.

<img src="https://avatars.githubusercontent.com/u/148256?v=3" align="left" width="96" height="96"hspace="10"> Issue by kaisellgren
Originally opened as dart-lang/sdk#4367

Support for bcrypt and/or scrypt is needed for secure password hashing purposes.

Here's a reference for scrypt: http://www.tarsnap.com/scrypt.html

<img src="https://avatars.githubusercontent.com/u/1269969?v=3" align="left" width="96" height="96"hspace="10"> Issue by devoncarew
Originally opened as dart-lang/sdk#17317

The SHA implementation seems slower then it should be. I created some benchmarks here:

https://github.com/devoncarew/sha_benchmark.dart

the benchmark numbers are here:

https://github.com/devoncarew/sha_benchmark.dart/blob/master/lib/sha_bench.dart#L8

I added benchmarks for a pure-dart implementation of inflate and deflate, to have something to compare SHA to. The SHA implementation seems about an order magnitude slower. Spark's git implementation is fairly slow, and we seem to be spending a lot of our time generating SHAs. It would be great to have this sped up a bit; not sure if there's some low-hanging fruit in the implementation.