feat: implement PBKDF2 algorithm with registry

2025-11-13 13:13:15 +00:00
parent 5c4371f787
commit 95f4d7dafd
3 changed files with 90 additions and 0 deletions
--- a/algorithms.py
+++ b/algorithms.py
@@ -38,3 +38,7 @@ def get_algorithm(name: str) -> Algorithm:
 def list_algorithms() -> list[str]:
    """Return list of registered algorithm identifiers."""
    return sorted(_ALGORITHMS.keys())
+
+
+# Import to auto-register algorithms
+import pbkdf2_algorithm  # noqa: E402, F401
--- a/pbkdf2_algorithm.py
+++ b/pbkdf2_algorithm.py
@@ -0,0 +1,69 @@
+"""PBKDF2 algorithm implementation."""
+
+from __future__ import annotations
+
+import base64
+import binascii
+import hashlib
+import hmac
+import os
+
+DEFAULT_SALT_BYTES = 16
+DEFAULT_ITERATIONS = int(os.environ.get("PBKDF2_ITERATIONS", "200000"))
+
+
+class PBKDF2Algorithm:
+    """PBKDF2-HMAC-SHA256 password hashing algorithm."""
+
+    identifier = "pbkdf2"
+
+    def hash(
+        self,
+        password: str,
+        *,
+        iterations: int | None = None,
+        salt_bytes: int = DEFAULT_SALT_BYTES,
+    ) -> tuple[str, str]:
+        """Hash a password using PBKDF2-HMAC-SHA256."""
+        iterations = iterations or DEFAULT_ITERATIONS
+        salt = os.urandom(salt_bytes)
+        derived = hashlib.pbkdf2_hmac(
+            "sha256",
+            password.encode("utf-8"),
+            salt,
+            iterations,
+        )
+        return (
+            base64.b64encode(salt).decode("utf-8"),
+            base64.b64encode(derived).decode("utf-8"),
+        )
+
+    def verify(
+        self,
+        password: str,
+        salt_b64: str,
+        hash_b64: str,
+        *,
+        iterations: int | None = None,
+    ) -> bool:
+        """Verify a password against PBKDF2 salt and hash."""
+        iterations = iterations or DEFAULT_ITERATIONS
+        try:
+            salt = base64.b64decode(salt_b64, validate=True)
+            stored_hash = base64.b64decode(hash_b64, validate=True)
+        except (binascii.Error, ValueError):
+            return False
+
+        derived = hashlib.pbkdf2_hmac(
+            "sha256",
+            password.encode("utf-8"),
+            salt,
+            iterations,
+        )
+        return hmac.compare_digest(derived, stored_hash)
+
+
+from algorithms import register_algorithm
+
+# Auto-register when module is imported
+register_algorithm(PBKDF2Algorithm())
--- a/tests/test_algorithms.py
+++ b/tests/test_algorithms.py
@@ -21,3 +21,20 @@ def test_get_algorithm_unknown_raises_error():
    """Verify unknown algorithm raises ValueError."""
    with pytest.raises(ValueError, match="Unknown algorithm"):
        get_algorithm("unknown")
+
+
+def test_pbkdf2_algorithm_hash_round_trip():
+    """Verify PBKDF2 algorithm can hash and verify passwords."""
+    algo = get_algorithm("pbkdf2")
+    salt, hashed = algo.hash("test password")
+    assert algo.verify("test password", salt, hashed)
+    assert not algo.verify("wrong password", salt, hashed)
+
+
+def test_pbkdf2_algorithm_respects_iterations():
+    """Verify PBKDF2 algorithm respects custom iterations."""
+    algo = get_algorithm("pbkdf2")
+    salt1, hash1 = algo.hash("test", iterations=100000)
+    salt2, hash2 = algo.hash("test", iterations=200000)
+    # Different iterations should produce different hashes even with same password
+    assert hash1 != hash2