UNPKG

@azure/msal-browser

Version:

Microsoft Authentication Library for js

github.com/AzureAD/microsoft-authentication-library-for-js

AzureAD/microsoft-authentication-library-for-js

286 lines (249 loc) 8.65 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
/* * Copyright (c) Microsoft Corporation. All rights reserved. * Licensed under the MIT License. */ import { ICrypto, IPerformanceClient, JoseHeader, Logger, PerformanceEvents, ShrOptions, SignedHttpRequest, SignedHttpRequestParameters, } from "@azure/msal-common/browser"; import { base64Encode, urlEncode, urlEncodeArr, } from "../encode/Base64Encode.js"; import { base64Decode } from "../encode/Base64Decode.js"; import * as BrowserCrypto from "./BrowserCrypto.js"; import { createBrowserAuthError, BrowserAuthErrorCodes, } from "../error/BrowserAuthError.js"; import { AsyncMemoryStorage } from "../cache/AsyncMemoryStorage.js"; export type CachedKeyPair = { publicKey: CryptoKey; privateKey: CryptoKey; requestMethod?: string; requestUri?: string; }; /** * This class implements MSAL's crypto interface, which allows it to perform base64 encoding and decoding, generating cryptographically random GUIDs and * implementing Proof Key for Code Exchange specs for the OAuth Authorization Code Flow using PKCE (rfc here: https://tools.ietf.org/html/rfc7636). */ export class CryptoOps implements ICrypto { private logger: Logger; /** * CryptoOps can be used in contexts outside a PCA instance, * meaning there won't be a performance manager available. */ private performanceClient: IPerformanceClient | undefined; private static POP_KEY_USAGES: Array<KeyUsage> = ["sign", "verify"]; private static EXTRACTABLE: boolean = true; private cache: AsyncMemoryStorage<CachedKeyPair>; constructor( logger: Logger, performanceClient?: IPerformanceClient, skipValidateSubtleCrypto?: boolean ) { this.logger = logger; // Browser crypto needs to be validated first before any other classes can be set. BrowserCrypto.validateCryptoAvailable( skipValidateSubtleCrypto ?? false ); this.cache = new AsyncMemoryStorage<CachedKeyPair>(this.logger); this.performanceClient = performanceClient; } /** * Creates a new random GUID - used to populate state and nonce. * @returns string (GUID) */ createNewGuid(): string { return BrowserCrypto.createNewGuid(); } /** * Encodes input string to base64. * @param input */ base64Encode(input: string): string { return base64Encode(input); } /** * Decodes input string from base64. * @param input */ base64Decode(input: string): string { return base64Decode(input); } /** * Encodes input string to base64 URL safe string. * @param input */ base64UrlEncode(input: string): string { return urlEncode(input); } /** * Stringifies and base64Url encodes input public key * @param inputKid * @returns Base64Url encoded public key */ encodeKid(inputKid: string): string { return this.base64UrlEncode(JSON.stringify({ kid: inputKid })); } /** * Generates a keypair, stores it and returns a thumbprint * @param request */ async getPublicKeyThumbprint( request: SignedHttpRequestParameters ): Promise<string> { const publicKeyThumbMeasurement = this.performanceClient?.startMeasurement( PerformanceEvents.CryptoOptsGetPublicKeyThumbprint, request.correlationId ); // Generate Keypair const keyPair: CryptoKeyPair = await BrowserCrypto.generateKeyPair( CryptoOps.EXTRACTABLE, CryptoOps.POP_KEY_USAGES ); // Generate Thumbprint for Public Key const publicKeyJwk: JsonWebKey = await BrowserCrypto.exportJwk( keyPair.publicKey ); const pubKeyThumprintObj: JsonWebKey = { e: publicKeyJwk.e, kty: publicKeyJwk.kty, n: publicKeyJwk.n, }; const publicJwkString: string = getSortedObjectString(pubKeyThumprintObj); const publicJwkHash = await this.hashString(publicJwkString); // Generate Thumbprint for Private Key const privateKeyJwk: JsonWebKey = await BrowserCrypto.exportJwk( keyPair.privateKey ); // Re-import private key to make it unextractable const unextractablePrivateKey: CryptoKey = await BrowserCrypto.importJwk(privateKeyJwk, false, ["sign"]); // Store Keypair data in keystore await this.cache.setItem(publicJwkHash, { privateKey: unextractablePrivateKey, publicKey: keyPair.publicKey, requestMethod: request.resourceRequestMethod, requestUri: request.resourceRequestUri, }); if (publicKeyThumbMeasurement) { publicKeyThumbMeasurement.end({ success: true, }); } return publicJwkHash; } /** * Removes cryptographic keypair from key store matching the keyId passed in * @param kid */ async removeTokenBindingKey(kid: string): Promise<boolean> { await this.cache.removeItem(kid); const keyFound = await this.cache.containsKey(kid); return !keyFound; } /** * Removes all cryptographic keys from IndexedDB storage */ async clearKeystore(): Promise<boolean> { // Delete in-memory keystores this.cache.clearInMemory(); /** * There is only one database, so calling clearPersistent on asymmetric keystore takes care of * every persistent keystore */ try { await this.cache.clearPersistent(); return true; } catch (e) { if (e instanceof Error) { this.logger.error( `Clearing keystore failed with error: ${e.message}` ); } else { this.logger.error( "Clearing keystore failed with unknown error" ); } return false; } } /** * Signs the given object as a jwt payload with private key retrieved by given kid. * @param payload * @param kid */ async signJwt( payload: SignedHttpRequest, kid: string, shrOptions?: ShrOptions, correlationId?: string ): Promise<string> { const signJwtMeasurement = this.performanceClient?.startMeasurement( PerformanceEvents.CryptoOptsSignJwt, correlationId ); const cachedKeyPair = await this.cache.getItem(kid); if (!cachedKeyPair) { throw createBrowserAuthError( BrowserAuthErrorCodes.cryptoKeyNotFound ); } // Get public key as JWK const publicKeyJwk = await BrowserCrypto.exportJwk( cachedKeyPair.publicKey ); const publicKeyJwkString = getSortedObjectString(publicKeyJwk); // Base64URL encode public key thumbprint with keyId only: BASE64URL({ kid: "FULL_PUBLIC_KEY_HASH" }) const encodedKeyIdThumbprint = urlEncode(JSON.stringify({ kid: kid })); // Generate header const shrHeader = JoseHeader.getShrHeaderString({ ...shrOptions?.header, alg: publicKeyJwk.alg, kid: encodedKeyIdThumbprint, }); const encodedShrHeader = urlEncode(shrHeader); // Generate payload payload.cnf = { jwk: JSON.parse(publicKeyJwkString), }; const encodedPayload = urlEncode(JSON.stringify(payload)); // Form token string const tokenString = `${encodedShrHeader}.${encodedPayload}`; // Sign token const encoder = new TextEncoder(); const tokenBuffer = encoder.encode(tokenString); const signatureBuffer = await BrowserCrypto.sign( cachedKeyPair.privateKey, tokenBuffer ); const encodedSignature = urlEncodeArr(new Uint8Array(signatureBuffer)); const signedJwt = `${tokenString}.${encodedSignature}`; if (signJwtMeasurement) { signJwtMeasurement.end({ success: true, }); } return signedJwt; } /** * Returns the SHA-256 hash of an input string * @param plainText */ async hashString(plainText: string): Promise<string> { return BrowserCrypto.hashString(plainText); } } function getSortedObjectString(obj: object): string { return JSON.stringify(obj, Object.keys(obj).sort()); }