3

Does anyone know how I can generate a PBKDF2 key in Google Apps Script? (including generating the "salt" value needed)

I'm looking for something like this from Node.js:

const key = crypto.pbkdf2Sync('secret', 'salt', 100000, 64, 'sha512');

Or something like this from the Go pbkdf2 function:

pbkdf2.Key([]byte(plaintext), salt, iterations, macKeyLen, sha512.New)

I'm trying to satisfy the standard from Apple's MDM Protocol for AccountConfiguration, as on this page:

https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/MobileDeviceManagementProtocolRef/3-MDM_Protocol/MDM_Protocol.html

Here is the snippet I'm trying to fulfill:

The passwordHash data objects should be created on the server using the CommonCrypto libraries or equivalent as a salted SHA512 PBKDF2 dictionary containing three items: entropy is the derived key from the password hash (an example is from CCKeyDerivationPBKDF()), salt is the 32 byte randomized salt (from CCRandomCopyBytes()), and iterations contains the number of iterations (from CCCalibratePBKDF()) using a minimum hash time of 100 milliseconds (or if not known, a number in the range 20,000 to 40,000 iterations). This dictionary of the three keys should be placed into an outer dictionary under the key SALTED-SHA512-PBKDF2 and converted to binary data before being set into the configuration dictionary passwordHash key value.

I need the PBKDF2 key for the "entropy" dictionary item.

The script needs to run as a Google Apps Script, as it will be part of a Sheets add-on that I am developing.

UPDATE: I thought it might help to work backwards a bit.

Here is a password hash like I am looking for. It was generated using the Go pbkdf2 function, and the password "password".

PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCFET0NUWVBFIHBsaXN0IFBVQkxJQyAiLS8vQXBwbGUvL0RURCBQTElTVCAxLjAvL0VOIiAiaHR0cDovL3d3dy5hcHBsZS5jb20vRFREcy9Qcm9wZXJ0eUxpc3QtMS4wLmR0ZCI+CjxwbGlzdCB2ZXJzaW9uPSIxLjAiPjxkaWN0PjxrZXk+U0FMVEVELVNIQTUxMi1QQktERjI8L2tleT48ZGljdD48a2V5PmVudHJvcHk8L2tleT48ZGF0YT4ycnFxTGVHQVY0OTdFemROUm5pcHNPcUFGZHhHSjZzZWV5d2U3UURyQlVxNzE5ZitUNTNkaG0rQkJTeUZ2WlovM25TUVZyeHhUTGk1a1FhQWF5Nm5Kc0tjTGllRFBwR0E2dWFpWUsrRlRtYUdKRkl5cWR4a1lUT2tlWFBKMUJGUjBXRUxVRkRXYzVxUUwrL0dMb21CMnRYSldYUGxOMXJPVmdxQnpHZ1BlTTQ9PC9kYXRhPjxrZXk+aXRlcmF0aW9uczwva2V5PjxpbnRlZ2VyPjIxNTA3PC9pbnRlZ2VyPjxrZXk+c2FsdDwva2V5PjxkYXRhPktmRU1QUDZJOWtZTldKR056ajU1eEwvdWFpUlduUlJPUG9HVkx3NGtjdE09PC9kYXRhPjwvZGljdD48L2RpY3Q+PC9wbGlzdD4K

So if I run this sequence of commands in Google Apps Script:

var passwordHash = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCFET0NUWVBFIHBsaXN0IFBVQkxJQyAiLS8vQXBwbGUvL0RURCBQTElTVCAxLjAvL0VOIiAiaHR0cDovL3d3dy5hcHBsZS5jb20vRFREcy9Qcm9wZXJ0eUxpc3QtMS4wLmR0ZCI+CjxwbGlzdCB2ZXJzaW9uPSIxLjAiPjxkaWN0PjxrZXk+U0FMVEVELVNIQTUxMi1QQktERjI8L2tleT48ZGljdD48a2V5PmVudHJvcHk8L2tleT48ZGF0YT5nNnVGdml2RkpwUTFuSjFCblp3Yk0wdVFLNVZ2SWorU2s4d0piTVRFdjhZdEVZS1ZUWFpIZUluZHB0OWZZM0hmaTdNQ3VCb1pROHhOMDlFNWJTZzRab0FaN3FSOWZNanB0a2czZE1pbngyaXBDdng0aEl2RHJZS0UzamF4a0VaSFlJaW9TWHZYSWg1TXczNHhsd1JuRHdzVGZ6S3h0YmpUQ29oVS9lSjdOWFk9PC9kYXRhPjxrZXk+aXRlcmF0aW9uczwva2V5PjxpbnRlZ2VyPjM5NzY2PC9pbnRlZ2VyPjxrZXk+c2FsdDwva2V5PjxkYXRhPlFwVjk3K2UrVzgvdHB3Z0M1dXcrT0VBYzBxS2dJZ1ZYTTRXdzR2R2NXdHc9PC9kYXRhPjwvZGljdD48L2RpY3Q+PC9wbGlzdD4K";
var decoded = Utilities.base64Decode(passwordHash);
var plist = Utilities.newBlob(decoded).getDataAsString();

I get the following plist output:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>SALTED-SHA512-PBKDF2</key>
  <dict>
    <key>entropy</key>
    <data>g6uFvivFJpQ1nJ1BnZwbM0uQK5VvIj+Sk8wJbMTEv8YtEYKVTXZHeIndpt9fY3Hfi7MCuBoZQ8xN09E5bSg4ZoAZ7qR9fMjptkg3dMinx2ipCvx4hIvDrYKE3jaxkEZHYIioSXvXIh5Mw34xlwRnDwsTfzKxtbjTCohU/eJ7NXY=</data>
    <key>iterations</key>
    <integer>39766</integer>
    <key>salt</key>
    <data>QpV97+e+W8/tpwgC5uw+OEAc0qKgIgVXM4Ww4vGcWtw=</data>
  </dict>
</dict>
</plist>

Does anyone know how (in Google Apps Script) to generate "entropy", "iterations", and "salt" values like this data from an original password value of "password"?

I think it would require using the methods of this Class:

https://developers.google.com/apps-script/reference/utilities/utilities

Jacob Jensen
  • 31
  • 2
  • Can you provide your latest script related to your question? I think that it will help users think of your solution. – Tanaike Aug 22 '18 at 22:49
  • OK, I updated it with a test value for a password hash that I am looking for, and some code snippets that I have so far. Thank you! – Jacob Jensen Sep 19 '18 at 16:01
  • Thank you for your response. You have ``"password"`` like ``PD94bWwgdm...`` which is used as ``passwordHash`` in GAS. You want to decode it as XML. Is my understanding correct? I'm sorry for my poor English skill. – Tanaike Sep 19 '18 at 22:25

0 Answers0