All Downloads are FREE. Search and download functionalities are using the official Maven repository.

resources.js.qpid.sasl.ScramShaSaslClient.js Maven / Gradle / Ivy

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

define(["dojo/_base/declare",
        "dojo/_base/lang",
        "dojox/encoding/base64",
        "dojo/json",
        "dojo/request/script",
        "dojo/promise/all",
        "dojox/uuid/generateRandomUuid",
        "dojo/Deferred",
        "qpid/sasl/CredentialBasedSaslClient"],
    function (declare, lang, base64, json, script, all, uuid, Deferred, SaslClient)
    {

        var toBase64 = function toBase64(input)
        {
            var result = [];
            for (var i = 0; i < input.length; i++)
            {
                result[i] = input.charCodeAt(i);
            }
            return base64.encode(result)
        };

        var fromBase64 = function fromBase64(input)
        {
            var decoded = base64.decode(input);
            var result = "";
            for (var i = 0; i < decoded.length; i++)
            {
                result += String.fromCharCode(decoded[i]);
            }
            return result;
        };

        var xor = function xor(lhs, rhs)
        {
            var words = [];
            for (var i = 0; i < lhs.words.length; i++)
            {
                words.push(lhs.words[i] ^ rhs.words[i]);
            }
            return CryptoJS.lib.WordArray.create(words);
        };

        var hasNonAscii = function hasNonAscii(name)
        {
            for (var i = 0; i < name.length; i++)
            {
                if (name.charCodeAt(i) > 127)
                {
                    return true;
                }
            }
            return false;
        };

        var generateSaltedPassword = function generateSaltedPassword(digest, salt, password, iterationCount)
        {
            var hmac = CryptoJS.algo.HMAC.create(CryptoJS.algo[digest], password);
            hmac.update(salt);
            hmac.update(CryptoJS.enc.Hex.parse("00000001"));
            var result = hmac.finalize();
            var previous = null;
            for (var i = 1; i < iterationCount; i++)
            {
                hmac = CryptoJS.algo.HMAC.create(CryptoJS.algo[digest], password);
                hmac.update(previous != null ? previous : result);
                previous = hmac.finalize();
                result = xor(result, previous);
            }
            return result;
        };

        var scriptLoadError = function scriptLoadError(error)
        {
            var message = "Cannot load script due to " + json.stringify(error);
            console.error(message);
            throw {message: message};
        };

        // hidden context scope variables
        var digest = null;
        var hmac = null;
        var gs2_header = "n,,";

        return declare("qpid.sasl.ShaSaslClient", [SaslClient], {
            _state: "initial",
            "-chains-": {
                constructor: "manual" // disable auto-constructor invocation
            },

            constructor: function (mechanism)
            {
                this._mechanism = mechanism;
            },
            init : function()
            {
                var superPromise = this.inherited(arguments);
                var deferred = new Deferred();
                var hmacDeferred = new Deferred();

                var shaName = this._mechanism.substring(6)
                    .replace('-', '')
                    .toLowerCase();
                digest = shaName.toUpperCase();
                hmac = "Hmac" + digest;

                // loading crypto-js functionality based on mechanism
                script.get("js/crypto-js/hmac-" + shaName + ".js")
                    .then(function ()
                    {
                        script.get("js/crypto-js/enc-base64-min.js")
                            .then(function ()
                            {
                                hmacDeferred.resolve(true);
                            }, function (error)
                            {
                                hmacDeferred.reject(error);
                                scriptLoadError(error);
                            });
                    }, function (error)
                    {
                        hmacDeferred.reject("error");
                        scriptLoadError(error);
                    });

                all([superPromise, hmacDeferred.promise])
                    .then(function ()
                    {
                        deferred.resolve();
                    }, function (error)
                    {
                        deferred.reject(error);
                    });
                return deferred.promise;

            },
            getMechanismName: function ()
            {
                return this._mechanism;
            },
            isComplete: function ()
            {
                return this._state == "completed";
            },
            getInitialResponse : function()
            {
                if (this._state != "initial")
                {
                    throw new Error("Unexpected state : " + this._state);
                }

                if (!hasNonAscii(this.username))
                {
                    var user = this.username;
                    user = user.replace(/=/g, "=3D");
                    user = user.replace(/,/g, "=2C");
                    this._clientNonce = uuid();
                    this._clientFirstMessageBare = "n=" + user + ",r=" + this._clientNonce;
                    this._state = "initiated";
                    return toBase64(gs2_header + this._clientFirstMessageBare);
                }
                else
                {
                    this._state = "error";
                    throw new Error("Username '" + this.username + "' is invalid");
                }
            },
            getResponse: function (challengeOrAdditionalData)
            {
                if (this._state == "initiated")
                {
                    var serverFirstMessage = fromBase64(challengeOrAdditionalData);
                    var parts = serverFirstMessage.split(",");
                    var nonce = parts[0].substring(2);
                    if (!nonce.substr(0, this._clientNonce.length) == this._clientNonce)
                    {
                        this._state = "error";
                        throw new Error("Authentication error - server nonce does not start with client nonce");
                    }
                    else
                    {
                        var salt = CryptoJS.enc.Base64.parse(parts[1].substring(2));
                        var iterationCount = parts[2].substring(2);
                        var saltedPassword = generateSaltedPassword(digest, salt, this.password, iterationCount);
                        var clientFinalMessageWithoutProof = "c=" + toBase64(gs2_header) + ",r=" + nonce;
                        var authMessage = this._clientFirstMessageBare + "," + serverFirstMessage + ","
                                          + clientFinalMessageWithoutProof;
                        var clientKey = CryptoJS[hmac]("Client Key", saltedPassword);
                        var storedKey = CryptoJS[digest](clientKey);
                        var clientSignature = CryptoJS[hmac](authMessage, storedKey);
                        var clientProof = xor(clientKey, clientSignature);
                        var serverKey = CryptoJS[hmac]("Server Key", saltedPassword);
                        this._serverSignature = CryptoJS[hmac](authMessage, serverKey);
                        var response = toBase64(clientFinalMessageWithoutProof + ",p="
                                                + clientProof.toString(CryptoJS.enc.Base64));
                        this._state = "generated";
                        return response;
                    }
                }
                else if (this._state == "generated")
                {
                    var serverFinalMessage = fromBase64(challengeOrAdditionalData);
                    if (this._serverSignature.toString(CryptoJS.enc.Base64) == serverFinalMessage.substring(2))
                    {
                        this._state = "completed";
                        return null;
                    }
                    else
                    {
                        this._state = "error";
                        throw new Error("Server signature does not match");
                    }
                }
                else
                {
                    throw new Error("Unexpected state '" + this._state + ". Cannot handle challenge!");
                }
            },
            toString: function ()
            {
                return "[SaslClient" + this.getMechanismName() + "]";
            }
        });

    });




© 2015 - 2025 Weber Informatics LLC | Privacy Policy