It seems like a red flag that it took more than 50 lines of code to do this simple thing, though.
EDIT: Specifically, should the PBKDF2 "key", not be used for something (like HMAC) rather than being used as the hash itself?
Using the output of 1,000 rounds of PBKDF2 as an input to HMAC wouldn't get you any extra security.
It seems like a red flag that it took more than 50 lines of code to do this simple thing, though.
EDIT: Specifically, should the PBKDF2 "key", not be used for something (like HMAC) rather than being used as the hash itself?
Using the output of 1,000 rounds of PBKDF2 as an input to HMAC wouldn't get you any extra security.