{"version":3,"file":"CryptoOps.js","sources":["../../src/crypto/CryptoOps.ts"],"sourcesContent":["/*\n * Copyright (c) Microsoft Corporation. All rights reserved.\n * Licensed under the MIT License.\n */\n\nimport { ICrypto, IPerformanceClient, JoseHeader, Logger, PerformanceEvents, PkceCodes, SignedHttpRequest, SignedHttpRequestParameters } from \"@azure/msal-common\";\nimport { GuidGenerator } from \"./GuidGenerator\";\nimport { Base64Encode } from \"../encode/Base64Encode\";\nimport { Base64Decode } from \"../encode/Base64Decode\";\nimport { PkceGenerator } from \"./PkceGenerator\";\nimport { BrowserCrypto } from \"./BrowserCrypto\";\nimport { BrowserStringUtils } from \"../utils/BrowserStringUtils\";\nimport { BrowserAuthError } from \"../error/BrowserAuthError\";\nimport { CryptoKeyStore } from \"../cache/CryptoKeyStore\";\nimport { CryptoOptions } from \"../config/Configuration\";\n\nexport type CachedKeyPair = {\n publicKey: CryptoKey,\n privateKey: CryptoKey,\n requestMethod?: string,\n requestUri?: string\n};\n\n/**\n * This class implements MSAL's crypto interface, which allows it to perform base64 encoding and decoding, generating cryptographically random GUIDs and \n * implementing Proof Key for Code Exchange specs for the OAuth Authorization Code Flow using PKCE (rfc here: https://tools.ietf.org/html/rfc7636).\n */\nexport class CryptoOps implements ICrypto {\n\n private browserCrypto: BrowserCrypto;\n private guidGenerator: GuidGenerator;\n private b64Encode: Base64Encode;\n private b64Decode: Base64Decode;\n private pkceGenerator: PkceGenerator;\n private logger: Logger;\n\n /**\n * CryptoOps can be used in contexts outside a PCA instance,\n * meaning there won't be a performance manager available.\n */\n private performanceClient: IPerformanceClient | undefined;\n\n private static POP_KEY_USAGES: Array = [\"sign\", \"verify\"];\n private static EXTRACTABLE: boolean = true;\n private cache: CryptoKeyStore;\n\n constructor(logger: Logger, performanceClient?: IPerformanceClient, cryptoConfig?: CryptoOptions) {\n this.logger = logger;\n // Browser crypto needs to be validated first before any other classes can be set.\n this.browserCrypto = new BrowserCrypto(this.logger, cryptoConfig);\n this.b64Encode = new Base64Encode();\n this.b64Decode = new Base64Decode();\n this.guidGenerator = new GuidGenerator(this.browserCrypto);\n this.pkceGenerator = new PkceGenerator(this.browserCrypto);\n this.cache = new CryptoKeyStore(this.logger);\n this.performanceClient = performanceClient;\n }\n\n /**\n * Creates a new random GUID - used to populate state and nonce.\n * @returns string (GUID)\n */\n createNewGuid(): string {\n return this.guidGenerator.generateGuid();\n }\n\n /**\n * Encodes input string to base64.\n * @param input \n */\n base64Encode(input: string): string {\n return this.b64Encode.encode(input);\n } \n \n /**\n * Decodes input string from base64.\n * @param input \n */\n base64Decode(input: string): string {\n return this.b64Decode.decode(input);\n }\n\n /**\n * Generates PKCE codes used in Authorization Code Flow.\n */\n async generatePkceCodes(): Promise {\n return this.pkceGenerator.generateCodes();\n }\n\n /**\n * Generates a keypair, stores it and returns a thumbprint\n * @param request\n */\n async getPublicKeyThumbprint(request: SignedHttpRequestParameters): Promise {\n const publicKeyThumbMeasurement = this.performanceClient?.startMeasurement(PerformanceEvents.CryptoOptsGetPublicKeyThumbprint, request.correlationId);\n\n // Generate Keypair\n const keyPair: CryptoKeyPair = await this.browserCrypto.generateKeyPair(CryptoOps.EXTRACTABLE, CryptoOps.POP_KEY_USAGES);\n\n // Generate Thumbprint for Public Key\n const publicKeyJwk: JsonWebKey = await this.browserCrypto.exportJwk(keyPair.publicKey);\n \n const pubKeyThumprintObj: JsonWebKey = {\n e: publicKeyJwk.e,\n kty: publicKeyJwk.kty,\n n: publicKeyJwk.n\n };\n \n const publicJwkString: string = BrowserStringUtils.getSortedObjectString(pubKeyThumprintObj);\n const publicJwkHash = await this.hashString(publicJwkString);\n\n // Generate Thumbprint for Private Key\n const privateKeyJwk: JsonWebKey = await this.browserCrypto.exportJwk(keyPair.privateKey);\n // Re-import private key to make it unextractable\n const unextractablePrivateKey: CryptoKey = await this.browserCrypto.importJwk(privateKeyJwk, false, [\"sign\"]);\n\n // Store Keypair data in keystore\n await this.cache.asymmetricKeys.setItem(\n publicJwkHash, \n {\n privateKey: unextractablePrivateKey,\n publicKey: keyPair.publicKey,\n requestMethod: request.resourceRequestMethod,\n requestUri: request.resourceRequestUri\n }\n );\n\n if (publicKeyThumbMeasurement) {\n publicKeyThumbMeasurement.endMeasurement({\n success: true\n });\n }\n\n return publicJwkHash;\n }\n\n /**\n * Removes cryptographic keypair from key store matching the keyId passed in\n * @param kid \n */\n async removeTokenBindingKey(kid: string): Promise {\n await this.cache.asymmetricKeys.removeItem(kid);\n const keyFound = await this.cache.asymmetricKeys.containsKey(kid);\n return !keyFound;\n }\n\n /**\n * Removes all cryptographic keys from IndexedDB storage\n */\n async clearKeystore(): Promise {\n return await this.cache.clear();\n }\n\n /**\n * Signs the given object as a jwt payload with private key retrieved by given kid.\n * @param payload \n * @param kid \n */\n async signJwt(payload: SignedHttpRequest, kid: string, correlationId?: string): Promise {\n const signJwtMeasurement = this.performanceClient?.startMeasurement(PerformanceEvents.CryptoOptsSignJwt, correlationId);\n const cachedKeyPair = await this.cache.asymmetricKeys.getItem(kid);\n \n if (!cachedKeyPair) {\n throw BrowserAuthError.createSigningKeyNotFoundInStorageError(kid);\n }\n\n // Get public key as JWK\n const publicKeyJwk = await this.browserCrypto.exportJwk(cachedKeyPair.publicKey);\n const publicKeyJwkString = BrowserStringUtils.getSortedObjectString(publicKeyJwk);\n\n // Base64URL encode public key thumbprint with keyId only: BASE64URL({ kid: \"FULL_PUBLIC_KEY_HASH\" })\n const encodedKeyIdThumbprint = this.b64Encode.urlEncode(JSON.stringify({ kid: kid }));\n \n // Generate header\n const shrHeader = JoseHeader.getShrHeaderString({ kid: encodedKeyIdThumbprint, alg: publicKeyJwk.alg });\n const encodedShrHeader = this.b64Encode.urlEncode(shrHeader);\n\n // Generate payload\n payload.cnf = {\n jwk: JSON.parse(publicKeyJwkString)\n };\n const encodedPayload = this.b64Encode.urlEncode(JSON.stringify(payload));\n\n // Form token string\n const tokenString = `${encodedShrHeader}.${encodedPayload}`;\n\n // Sign token\n const tokenBuffer = BrowserStringUtils.stringToArrayBuffer(tokenString);\n const signatureBuffer = await this.browserCrypto.sign(cachedKeyPair.privateKey, tokenBuffer);\n const encodedSignature = this.b64Encode.urlEncodeArr(new Uint8Array(signatureBuffer));\n\n const signedJwt = `${tokenString}.${encodedSignature}`;\n\n if (signJwtMeasurement) {\n signJwtMeasurement.endMeasurement({\n success: true\n });\n }\n\n return signedJwt;\n }\n\n /**\n * Returns the SHA-256 hash of an input string\n * @param plainText\n */\n async hashString(plainText: string): Promise {\n const hashBuffer: ArrayBuffer = await this.browserCrypto.sha256Digest(plainText);\n const hashBytes = new Uint8Array(hashBuffer);\n return this.b64Encode.urlEncodeArr(hashBytes);\n }\n}\n"],"names":[],"mappings":";;;;;;;;;;;;;AAAA;;;;AAuBA;;;;;IAuBI,mBAAY,MAAc,EAAE,iBAAsC,EAAE,YAA4B;QAC5F,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;;QAErB,IAAI,CAAC,aAAa,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;QAClE,IAAI,CAAC,SAAS,GAAG,IAAI,YAAY,EAAE,CAAC;QACpC,IAAI,CAAC,SAAS,GAAG,IAAI,YAAY,EAAE,CAAC;QACpC,IAAI,CAAC,aAAa,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC3D,IAAI,CAAC,aAAa,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC3D,IAAI,CAAC,KAAK,GAAG,IAAI,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;KAC9C;;;;;IAMD,iCAAa,GAAb;QACI,OAAO,IAAI,CAAC,aAAa,CAAC,YAAY,EAAE,CAAC;KAC5C;;;;;IAMD,gCAAY,GAAZ,UAAa,KAAa;QACtB,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;KACvC;;;;;IAMD,gCAAY,GAAZ,UAAa,KAAa;QACtB,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;KACvC;;;;IAKK,qCAAiB,GAAvB;;;gBACI,sBAAO,IAAI,CAAC,aAAa,CAAC,aAAa,EAAE,EAAC;;;KAC7C;;;;;IAMK,0CAAsB,GAA5B,UAA6B,OAAoC;;;;;;;wBACvD,yBAAyB,SAAG,IAAI,CAAC,iBAAiB,0CAAE,gBAAgB,CAAC,iBAAiB,CAAC,gCAAgC,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;wBAGvH,qBAAM,IAAI,CAAC,aAAa,CAAC,eAAe,CAAC,SAAS,CAAC,WAAW,EAAE,SAAS,CAAC,cAAc,CAAC,EAAA;;wBAAlH,OAAO,GAAkB,SAAyF;wBAGvF,qBAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,EAAA;;wBAAhF,YAAY,GAAe,SAAqD;wBAEhF,kBAAkB,GAAe;4BACnC,CAAC,EAAE,YAAY,CAAC,CAAC;4BACjB,GAAG,EAAE,YAAY,CAAC,GAAG;4BACrB,CAAC,EAAE,YAAY,CAAC,CAAC;yBACpB,CAAC;wBAEI,eAAe,GAAW,kBAAkB,CAAC,qBAAqB,CAAC,kBAAkB,CAAC,CAAC;wBACvE,qBAAM,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,EAAA;;wBAAtD,aAAa,GAAG,SAAsC;wBAG1B,qBAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC,EAAA;;wBAAlF,aAAa,GAAe,SAAsD;wBAE7C,qBAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,aAAa,EAAE,KAAK,EAAE,CAAC,MAAM,CAAC,CAAC,EAAA;;wBAAvG,uBAAuB,GAAc,SAAkE;;wBAG7G,qBAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,OAAO,CACnC,aAAa,EACb;gCACI,UAAU,EAAE,uBAAuB;gCACnC,SAAS,EAAE,OAAO,CAAC,SAAS;gCAC5B,aAAa,EAAE,OAAO,CAAC,qBAAqB;gCAC5C,UAAU,EAAE,OAAO,CAAC,kBAAkB;6BACzC,CACJ,EAAA;;;wBARD,SAQC,CAAC;wBAEF,IAAI,yBAAyB,EAAE;4BAC3B,yBAAyB,CAAC,cAAc,CAAC;gCACrC,OAAO,EAAE,IAAI;6BAChB,CAAC,CAAC;yBACN;wBAED,sBAAO,aAAa,EAAC;;;;KACxB;;;;;IAMK,yCAAqB,GAA3B,UAA4B,GAAW;;;;;4BACnC,qBAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,CAAC,EAAA;;wBAA/C,SAA+C,CAAC;wBAC/B,qBAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,WAAW,CAAC,GAAG,CAAC,EAAA;;wBAA3D,QAAQ,GAAG,SAAgD;wBACjE,sBAAO,CAAC,QAAQ,EAAC;;;;KACpB;;;;IAKK,iCAAa,GAAnB;;;;4BACW,qBAAM,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,EAAA;4BAA/B,sBAAO,SAAwB,EAAC;;;;KACnC;;;;;;IAOK,2BAAO,GAAb,UAAc,OAA0B,EAAE,GAAW,EAAE,aAAsB;;;;;;;wBACnE,kBAAkB,SAAG,IAAI,CAAC,iBAAiB,0CAAE,gBAAgB,CAAC,iBAAiB,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC;wBAClG,qBAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,EAAA;;wBAA5D,aAAa,GAAG,SAA4C;wBAElE,IAAI,CAAC,aAAa,EAAE;4BAChB,MAAM,gBAAgB,CAAC,sCAAsC,CAAC,GAAG,CAAC,CAAC;yBACtE;wBAGoB,qBAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,aAAa,CAAC,SAAS,CAAC,EAAA;;wBAA1E,YAAY,GAAG,SAA2D;wBAC1E,kBAAkB,GAAG,kBAAkB,CAAC,qBAAqB,CAAC,YAAY,CAAC,CAAC;wBAG5E,sBAAsB,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;wBAGhF,SAAS,GAAG,UAAU,CAAC,kBAAkB,CAAC,EAAE,GAAG,EAAE,sBAAsB,EAAE,GAAG,EAAE,YAAY,CAAC,GAAG,EAAE,CAAC,CAAC;wBAClG,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;;wBAG7D,OAAO,CAAC,GAAG,GAAG;4BACV,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC;yBACtC,CAAC;wBACI,cAAc,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;wBAGnE,WAAW,GAAM,gBAAgB,SAAI,cAAgB,CAAC;wBAGtD,WAAW,GAAG,kBAAkB,CAAC,mBAAmB,CAAC,WAAW,CAAC,CAAC;wBAChD,qBAAM,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,WAAW,CAAC,EAAA;;wBAAtF,eAAe,GAAG,SAAoE;wBACtF,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,IAAI,UAAU,CAAC,eAAe,CAAC,CAAC,CAAC;wBAEhF,SAAS,GAAM,WAAW,SAAI,gBAAkB,CAAC;wBAEvD,IAAI,kBAAkB,EAAE;4BACpB,kBAAkB,CAAC,cAAc,CAAC;gCAC9B,OAAO,EAAE,IAAI;6BAChB,CAAC,CAAC;yBACN;wBAED,sBAAO,SAAS,EAAC;;;;KACpB;;;;;IAMK,8BAAU,GAAhB,UAAiB,SAAiB;;;;;4BACE,qBAAM,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,SAAS,CAAC,EAAA;;wBAA1E,UAAU,GAAgB,SAAgD;wBAC1E,SAAS,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;wBAC7C,sBAAO,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,SAAS,CAAC,EAAC;;;;KACjD;IAxKc,wBAAc,GAAoB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACrD,qBAAW,GAAY,IAAI,CAAC;IAwK/C,gBAAC;CAxLD;;;;"}