Add password wrap for all versions

README.md

@@ -22,13 +22,13 @@ PASERK extension
 | local | ✅ |
 | seal | ❌ |
 | local-wrap | ❌ |
-| local-pw | ❌ |
+| local-pw | ✅ |
 | sid | ✅ |
 | public | ✅ |
 | pid | ✅ |
 | secret | ✅ |
 | secret-wrap | ❌ |
-| secret-pw | ❌ |
+| secret-pw | ✅ |
 
 ## Installation
 
@@ -125,13 +125,24 @@ k[version].[type].[data]
 #### Encoding a Key
 
 ```csharp
-var paserk = Paserk.Encode(pasetoKey, type);
+// Paserk encode local, public and secret keys.
+var paserk = Paserk.Encode(pasetoKey, paserkType);
+
+// Password wrap a local or secret key for versions 1 and 3.
+// var pwPaserk = Paserk.Encode(pasetoKey, type, password, iterations);
+
+// Password wrap a local or secret key for versions 2 and 4.
+// var pwPaserk = Paserk.Encode(pasetoKey, type, password, memoryCost, iterations, parallelism);
 ```
 
 #### Decoding a Key
 
 ```csharp
+// Decode a paserk encoded paseto key.
 var key = Paserk.Decode(paserk);
+
+// Decode a password wrapped paseto key.
+// var key = Paserk.Decode(paserk, password);
 ```
 
 ## Roadmap
@@ -151,7 +162,7 @@ var key = Paserk.Decode(paserk);
 ## Cryptography
 
 * Uses Ed25519 (EdDSA over Curve25519) algorithm from CodesInChaos [Chaos.NaCl](https://github.com/CodesInChaos/Chaos.NaCl) cryptography library.
-* Uses Blake2b cryptographic hash function from [Konscious.Security.Cryptography](https://github.com/kmaragon/Konscious.Security.Cryptography) repository.
+* Uses Blake2b cryptographic hash and Argon2 key derivation functions from [Konscious.Security.Cryptography](https://github.com/kmaragon/Konscious.Security.Cryptography) repository.
 * Uses AES-256-CTR, ECDSA over P-384 algorithms from [Bouncy Castle](https://github.com/novotnyllc/bc-csharp) cryptography library.
 * Uses XChaCha20-Poly1305 AEAD from [NaCl.Core](https://github.com/daviddesmet/NaCl.Core) repository.
 

src/Paseto/Cryptography/Internal/Argon2/Argon2.cs

@@ -0,0 +1,115 @@
+using System.Diagnostics.CodeAnalysis;
+
+namespace Paseto.Cryptography.Internal.Argon2;
+
+using System;
+using System.Threading.Tasks;
+using System.Security.Cryptography;
+
+/// <summary>
+/// An implementation of Argon2 https://github.com/P-H-C/phc-winner-argon2
+/// </summary>
+[SuppressMessage("Microsoft.Performance", "CA1819")]
+internal abstract class Argon2 : DeriveBytes
+{
+    /// <summary>
+    /// Create an Argon2 for encrypting the given password
+    /// </summary>
+    /// <param name="password"></param>
+    public Argon2(byte[] password)
+    {
+        if (password == null || password.Length == 0)
+            throw new ArgumentException("Argon2 needs a password set", nameof(password));
+
+        _password = password;
+    }
+
+    /// <summary>
+    /// Implementation of Reset
+    /// </summary>
+    public override void Reset()
+    {
+    }
+
+    /// <summary>
+    /// Implementation of GetBytes
+    /// </summary>
+    public override byte[] GetBytes(int bc)
+    {
+        ValidateParameters(bc);
+        var task = Task.Run(async () => await GetBytesAsyncImpl(bc).ConfigureAwait(false));
+        return task.Result;
+    }
+
+
+    /// <summary>
+    /// Implementation of GetBytes
+    /// </summary>
+    public Task<byte[]> GetBytesAsync(int bc)
+    {
+        ValidateParameters(bc);
+        return GetBytesAsyncImpl(bc);
+    }
+
+    /// <summary>
+    /// The password hashing salt
+    /// </summary>
+    public byte[] Salt { get; set; }
+
+    /// <summary>
+    /// An optional secret to use while hashing the Password
+    /// </summary>
+    public byte[] KnownSecret { get; set; }
+
+    /// <summary>
+    /// Any extra associated data to use while hashing the password
+    /// </summary>
+    public byte[] AssociatedData { get; set; }
+
+    /// <summary>
+    /// The number of iterations to apply to the password hash
+    /// </summary>
+    public int Iterations { get; set; }
+
+    /// <summary>
+    /// The number of 1kB memory blocks to use while processing the hash
+    /// </summary>
+    public int MemorySize { get; set; }
+
+    /// <summary>
+    /// The number of lanes to use while processing the hash
+    /// </summary>
+    public int DegreeOfParallelism { get; set; }
+
+    internal abstract Argon2Core BuildCore(int bc);
+
+    private void ValidateParameters(int bc)
+    {
+        if (bc > 1024)
+            throw new NotSupportedException("Current implementation of Argon2 only supports generating up to 1024 bytes");
+
+        if (Iterations < 1)
+            throw new InvalidOperationException("Cannot perform an Argon2 Hash with out at least 1 iteration");
+
+        if (MemorySize < 4)
+            throw new InvalidOperationException("Argon2 requires a minimum of 4kB of memory (MemorySize >= 4)");
+
+        if (DegreeOfParallelism < 1)
+            throw new InvalidOperationException("Argon2 requires at least 1 thread (DegreeOfParallelism)");
+    }
+
+    private Task<byte[]> GetBytesAsyncImpl(int bc)
+    {
+        var n = BuildCore(bc);
+        n.Salt = Salt;
+        n.Secret = KnownSecret;
+        n.AssociatedData = AssociatedData;
+        n.Iterations = Iterations;
+        n.MemorySize = MemorySize;
+        n.DegreeOfParallelism = DegreeOfParallelism;
+
+        return n.Hash(_password);
+    }
+
+    private byte[] _password;
+}