@iotize/device-client.js
Version:
IoTize Device client for Javascript
402 lines (401 loc) • 19.7 kB
JavaScript
;
var __extends = (this && this.__extends) || (function () {
var extendStatics = Object.setPrototypeOf ||
({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
function (d, b) { for (var p in b) if (b.hasOwnProperty(p)) d[p] = b[p]; };
return function (d, b) {
extendStatics(d, b);
function __() { this.constructor = d; }
d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
};
})();
var __assign = (this && this.__assign) || Object.assign || function(t) {
for (var s, i = 1, n = arguments.length; i < n; i++) {
s = arguments[i];
for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p))
t[p] = s[p];
}
return t;
};
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : new P(function (resolve) { resolve(result.value); }).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
var __generator = (this && this.__generator) || function (thisArg, body) {
var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
function verb(n) { return function (v) { return step([n, v]); }; }
function step(op) {
if (f) throw new TypeError("Generator is already executing.");
while (_) try {
if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
if (y = 0, t) op = [op[0] & 2, t.value];
switch (op[0]) {
case 0: case 1: t = op; break;
case 4: _.label++; return { value: op[1], done: false };
case 5: _.label++; y = op[1]; op = [0]; continue;
case 7: op = _.ops.pop(); _.trys.pop(); continue;
default:
if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
if (t[2]) _.ops.pop();
_.trys.pop(); continue;
}
op = body.call(thisArg, _);
} catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
}
};
Object.defineProperty(exports, "__esModule", { value: true });
var byte_buffer_1 = require("../../core/buffer/byte-buffer");
var impl_1 = require("../../client/impl");
var crypto_js_1 = require("crypto-js");
var crypto_helper_1 = require("../config/crypto-helper");
var format_1 = require("../../core/format");
var logger_1 = require("../../logger");
var logger = logger_1.default('Scram');
var AuthError = /** @class */ (function (_super) {
__extends(AuthError, _super);
function AuthError(code, message) {
var _this = _super.call(this, message + (" (Error n\u00B0 " + code + ")")) || this;
_this.code = code;
return _this;
}
AuthError.Code = {
INVALID_SERVER_PROOF: 1,
SCRAM_DISABLED: 2,
};
return AuthError;
}(Error));
exports.AuthError = AuthError;
var InvalidServerKey = /** @class */ (function (_super) {
__extends(InvalidServerKey, _super);
function InvalidServerKey(deviceServerProof, expectedServerProof) {
var _this = _super.call(this, AuthError.Code.INVALID_SERVER_PROOF, "Login fail invalid server proof ('" + format_1.FormatHelper.toHexString(deviceServerProof) + "' != '" + format_1.FormatHelper.toHexString(expectedServerProof) + "') ") || this;
_this.deviceServerProof = deviceServerProof;
_this.expectedServerProof = expectedServerProof;
return _this;
}
return InvalidServerKey;
}(AuthError));
exports.InvalidServerKey = InvalidServerKey;
var ScramAuth = /** @class */ (function () {
function ScramAuth(device) {
this.device = device;
this.nonceGenerator = function () {
return Math.floor(Math.random() * 0xFFFFFFFF);
};
this.saltGenerator = function () {
var data = new Array(ScramAuth.USER_SALT_SIZE)
.fill(0)
.map(function (_) {
return Math.floor(Math.random() * 0xFF);
});
// To be 100% sure that salt will never be [0,0,0,0] which will disable login for the user
if (data[0] === 0) {
data[0] = 1;
}
return Uint8Array.from(data);
};
this.sessionData = {};
}
// async changeCurrentUserPassword(newPassword: string): Promise<void> {
// let groupId = (await this.device.service.interface.getCurrentGroupId()).body()!;
// if (!this.sessionData.options || !groupId){
// throw new AuthError(AuthError.Code.NOT_LOGGED_IN, 'Cannot change password, your are not logged in');
// }
// let newPasswordKey: Uint8Array = ScramAuth.createScramPasswordKey(newPassword, this.sessionData.options);
// (await this.device.service.group.changePasswordKey(groupId, newPasswordKey)).successful();
// }
ScramAuth.prototype.changeUserPassword = function (newPassword, groupId, salt) {
if (salt === void 0) { salt = this.saltGenerator(); }
return __awaiter(this, void 0, void 0, function () {
var loginBody, _a, newPasswordKey;
return __generator(this, function (_b) {
switch (_b.label) {
case 0:
_a = {};
return [4 /*yield*/, this.device.service.scram.getHashIteration()];
case 1:
loginBody = (_a.iterationNumber = (_b.sent()).body(),
_a.salt = salt,
_a);
newPasswordKey = ScramAuth.createScramPasswordKey(newPassword, loginBody);
logger.debug("Changing password key: " + format_1.FormatHelper.toHexString(newPasswordKey) + " salt=" + format_1.FormatHelper.toHexString(salt) + "; iteration=" + loginBody.iterationNumber + " for user id \"" + groupId + "\"");
return [4 /*yield*/, this.device.service.group.changePasswordKey(groupId, newPasswordKey)];
case 2:
(_b.sent()).successful();
return [2 /*return*/];
}
});
});
};
/**
* Perform login
*
* @param params
*
* @throws Error if scram is not activated
*/
ScramAuth.prototype.login = function (params) {
return __awaiter(this, void 0, void 0, function () {
var clientNonce, loginParams, loginBody, keys, serverNonce, deviceServerProof, expectedServerProof, sessionKey;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
clientNonce = this.generateNonce();
logger.debug('clientNonce', clientNonce);
loginParams = {
username: params.username,
clientNonce: clientNonce
};
return [4 /*yield*/, this.device.service.scram.login(loginParams)];
case 1:
loginBody = (_a.sent()).body();
keys = ScramAuth.computeKeys(params, loginBody, clientNonce);
serverNonce = loginBody.serverNonce;
return [4 /*yield*/, this.device.service.scram.loginProof(keys.clientProof)];
case 2:
deviceServerProof = (_a.sent()).body();
expectedServerProof = keys.serverProof;
// TODO maybe we can find something better to test array equals ...
if (format_1.FormatHelper.toHexString(expectedServerProof) != format_1.FormatHelper.toHexString(deviceServerProof)) {
throw new InvalidServerKey(expectedServerProof, deviceServerProof);
}
sessionKey = ScramAuth.computeSessionKey(clientNonce, serverNonce, loginBody.salt, keys.serverKey, keys.storedKey);
this.sessionData.options = loginBody;
this.sessionData.clientNonce = clientNonce;
this.sessionData.username = params.username;
this.sessionData.key = sessionKey;
return [2 /*return*/];
}
});
});
};
ScramAuth.createScramPasswordKey = function (newPassword, options) {
var keys = ScramAuth.computeBaseKeys(newPassword, options);
var saltCopy = new Uint8Array(options.salt);
var buffer = byte_buffer_1.ByteBuffer.create(ScramAuth.SCRAM_PASSWORD_LENGTH);
buffer
.add(keys.storedKey, ScramAuth.KEY_SIZE)
.add(keys.serverKey, ScramAuth.KEY_SIZE)
.add(saltCopy, ScramAuth.USER_SALT_SIZE);
return buffer.data;
};
ScramAuth.computeBaseKeys = function (password, loginBody) {
var hashedPassword = ScramAuth.hashPassword(password);
// logger.debug('ScramAuth', 'hashedPassword', FormatHelper.toHexString(hashedPassword));
var saltedPassword = ScramAuth.saltedPassword(hashedPassword, loginBody.salt, loginBody.iterationNumber);
// logger.debug('ScramAuth', 'saltedPassword', FormatHelper.toHexString(saltedPassword));
// let clientKey: Uint8Array = ScramAuth.clientKey(saltedPassword);
// logger.debug('ScramAuth', 'clientKey', FormatHelper.toHexString(clientKey));
var storedKey = ScramAuth.storedKey(saltedPassword);
logger.debug('storeKey', format_1.FormatHelper.toHexString(storedKey));
var serverKey = ScramAuth.serverKey(saltedPassword);
logger.debug('serverKey', format_1.FormatHelper.toHexString(serverKey));
return {
hashedPassword: hashedPassword,
saltedPassword: saltedPassword,
storedKey: storedKey,
serverKey: serverKey
};
};
ScramAuth.computeKeys = function (credentials, loginBody, clientNonce) {
var keys = ScramAuth.computeBaseKeys(credentials.password, loginBody);
var clientProof = ScramAuth.clientProof(keys.storedKey, clientNonce, loginBody.serverNonce);
// logger.debug('ScramAuth', 'clientProof', FormatHelper.toHexString(clientProof));
var serverProof = ScramAuth.serverProof(keys.serverKey, clientNonce, loginBody.serverNonce);
// logger.debug('ScramAuth', 'serverProof', FormatHelper.toHexString(serverProof));
return __assign({}, keys, { clientProof: clientProof, serverProof: serverProof });
};
ScramAuth.prototype.logout = function () {
return __awaiter(this, void 0, void 0, function () {
var response;
return __generator(this, function (_a) {
response = this.device.service.interface.logout();
return [2 /*return*/, response];
});
});
};
ScramAuth.clientProof = function (storedKey, clientNonce, serverNonce) {
return ScramAuth.computeProof(storedKey, clientNonce, serverNonce).subarray(0, ScramAuth.KEY_SIZE);
};
// computeClientProof(storedKey: Uint8Array, clientSignature: Uint8Array): Uint8Array {
// return ScramAuth.XOR(storedKey, clientSignature);
// }
ScramAuth.serverProof = function (serverKey, clientNonce, serverNonce) {
return ScramAuth.computeProof(serverKey, serverNonce, clientNonce).subarray(0, ScramAuth.KEY_SIZE);
};
ScramAuth.prototype.getSessionKey = function () {
if (!this.sessionData.key) {
throw new Error("Session not started");
}
return this.sessionData.key;
};
ScramAuth.prototype.generateNonce = function () {
return this.nonceGenerator();
};
/**
*
* @param input
*/
ScramAuth.HASH = function (input, salt, iteration) {
var wordInput = crypto_helper_1.CryptoHelper.sanitizeInput(input);
salt = crypto_helper_1.CryptoHelper.sanitizeInput(salt);
var hash = crypto_js_1.PBKDF2(wordInput, salt, {
iterations: iteration,
keySize: ScramAuth.KEY_SIZE / 4,
hasher: crypto_js_1.algo.SHA256
});
return crypto_helper_1.CryptoHelper.wordArrayToByteArray(hash);
};
/**
*
* @param input
*/
ScramAuth.HMAC = function (input, key) {
var wordArray = crypto_helper_1.CryptoHelper.sanitizeInput(input);
var keyArray = crypto_helper_1.CryptoHelper.sanitizeInput(key);
var result = crypto_js_1.HmacSHA256(wordArray, keyArray);
return crypto_helper_1.CryptoHelper.wordArrayToByteArray(result);
};
ScramAuth.hashPassword = function (password) {
return format_1.FormatHelper.hexStringToBuffer(crypto_helper_1.CryptoHelper.passwordHasher.hash(password).substring(0, ScramAuth.KEY_SIZE * 2));
};
/**
* SaltedPwd = PBKDF2 ( HashedPassword, UserSalt, ItCnt )
* @param password
* @param userSalt
* @param iteration
*/
ScramAuth.saltedPassword = function (hashedPassword, userSalt, iterations) {
var hashedPasswordArray = crypto_helper_1.CryptoHelper.sanitizeInput(hashedPassword);
// logger.debug('ScramAuth', 'hashedPassword', hashedPassword.toString());
var userSaltArray = crypto_helper_1.CryptoHelper.sanitizeInput(userSalt);
var key = crypto_js_1.PBKDF2(hashedPasswordArray, userSaltArray, {
iterations: iterations,
// keySize: ScramAuth.KEY_SIZE / 4,
hasher: crypto_js_1.algo.SHA256
});
return format_1.FormatHelper.hexStringToBuffer(key.toString(crypto_js_1.enc.Hex));
};
/**
* ClientKey = HMAC ( SaltedPwd | « ClientKey »)
* @param saltedPassword
*/
// public static clientKey(saltedPassword: InputDataType): Uint8Array{
// let encodedLabel = ScramAuth.encodeLabel(ScramAuth.CLIENT_KEY_LABEL);
// let encodedLabel2 : Uint8Array = ByteBuffer.merge(
// encodedLabel,
// Uint8Array.from([0])
// ).data;
// // logger.log('ScramAuth', 'clientKey()', 'data => ', FormatHelper.toHexString(data), 'len', data.length, `(${saltedPassword.length} + ${encodedLabel.length})`);
// return ScramAuth.HMAC(
// saltedPassword,
// // userSalt
// encodedLabel2
// ).subarray(0, ScramAuth.KEY_SIZE);
// }
/**
* StoredKey = H ( ClientKey )
* @param saltedPassword
*/
ScramAuth.storedKey = function (saltedPassword) {
return ScramAuth.HASH(saltedPassword, ScramAuth.CLIENT_KEY_LABEL, ScramAuth.CLIENT_KEY_ITERATION_NUMBER);
};
ScramAuth.serverKey = function (saltedPassword) {
return ScramAuth.HASH(saltedPassword, ScramAuth.SERVER_KEY_LABEL, ScramAuth.SERVER_KEY_ITERATION_NUMBER);
};
/**
* ClientSignature = HMAC ( StoredKey | ClientNonce | ServerNonce )
* @param key
* @param nonce1
* @param nonce2
*/
ScramAuth.computeProof = function (key, nonce1, nonce2) {
var buffer = byte_buffer_1.ByteBuffer.create(key.length + ScramAuth.CLIENT_NONCE_SIZE + ScramAuth.SERVER_NONCE_SIZE);
buffer
.addNumber(nonce1, ScramAuth.CLIENT_NONCE_SIZE)
.add(key)
.addNumber(nonce2, ScramAuth.SERVER_NONCE_SIZE);
return ScramAuth.HMAC(buffer.data, key);
};
/**
* Client proof must be 16 bytes
* ClientProof = StoredKey ^ ClientSignature
*/
// public static clientProof(storedKey: Uint8Array, clientSignature: Uint8Array): Uint8Array{
// return ScramAuth.XOR(storedKey, clientSignature);
// }
ScramAuth.XOR = function (value1, value2) {
if (value1.length != value2.length) {
throw new Error('Length does not match between the two array. Cannot compute XOR');
}
var result = new Uint8Array(value1.length);
for (var i = 0; i < result.length; i++) {
result[i] = value1[i] ^ value2[i];
}
return result;
};
/**
* ClientProofCheck = StoredKey ^ ClientProof
* @param storedKey
* @param clientProof
*/
ScramAuth.clientProofCheck = function (storedKey, clientProof) {
return ScramAuth.XOR(storedKey, clientProof);
};
/**
* CommunicationKey = H ( ClientNonce | ServerNonce | StoredKey | « CommunicationKey » )
* @param clientNonce
* @param serverNonce
* @param storedKey
*/
ScramAuth.computeSessionKey = function (clientNonce, serverNonce, userSalt, serverKey, storedKey) {
var encodedLabel = ScramAuth.encodeLabel(ScramAuth.COMMUNICATION_KEY_LABEL);
var buffer = byte_buffer_1.ByteBuffer.create(ScramAuth.CLIENT_NONCE_SIZE
+ ScramAuth.SERVER_NONCE_SIZE
+ userSalt.length
+ serverKey.length
+ storedKey.length
// + encodedLabel.length
);
buffer
.addNumber(clientNonce, ScramAuth.CLIENT_NONCE_SIZE)
.add(serverKey)
.add(userSalt)
.add(storedKey)
.addNumber(serverNonce, ScramAuth.SERVER_NONCE_SIZE);
return ScramAuth.HMAC(buffer.data, serverKey).subarray(0, ScramAuth.KEY_SIZE);
};
/**
*
* @param input
*/
ScramAuth.encodeLabel = function (input) {
return this.stringConverter.encode(input);
};
ScramAuth.CRC_LENGTH = 4;
ScramAuth.CLIENT_NONCE_SIZE = 4;
ScramAuth.SERVER_NONCE_SIZE = 4;
ScramAuth.PASSWORD_LENGTH = 16;
ScramAuth.ITERATION_NUMBER_SIZE = 4;
ScramAuth.COMMUNICATION_KEY_LABEL = "CommunicationKey";
// static CLIENT_PROOF_LABEL: string = "ClientProof";
ScramAuth.CLIENT_KEY_LABEL = "ClientKey";
ScramAuth.SERVER_KEY_LABEL = "ServerKey";
ScramAuth.KEY_SIZE = 16;
ScramAuth.CLIENT_KEY_ITERATION_NUMBER = 2;
ScramAuth.SERVER_KEY_ITERATION_NUMBER = 2;
ScramAuth.USER_SALT_SIZE = 4;
ScramAuth.SCRAM_PASSWORD_LENGTH = (ScramAuth.KEY_SIZE * 2) + ScramAuth.USER_SALT_SIZE;
ScramAuth.stringConverter = impl_1.StringConverter.ascii();
return ScramAuth;
}());
exports.ScramAuth = ScramAuth;