Merge pull request #2151 from AzureAD/pop-req-thumbprint

AT Proof-Of-Possession #1: Adding req_cnf to the token request

Author: Prithvi Kanherkar

lib/msal-browser/src/app/PublicClientApplication.ts

@@ -64,9 +64,6 @@ export class PublicClientApplication implements IPublicClientApplication {
     // Network interface implementation
     private readonly networkClient: INetworkModule;
 
-    // Response promise
-    private readonly tokenExchangePromise: Promise<AuthenticationResult>;
-
     // Input configuration by developer/user
     private config: Configuration;
 

lib/msal-browser/src/crypto/BrowserCrypto.ts

@@ -1,23 +1,44 @@
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
+ * 
  */
 import { BrowserStringUtils } from "../utils/BrowserStringUtils";
 import { BrowserAuthError } from "../error/BrowserAuthError";
-
+import { StringUtils } from "@azure/msal-common";
+/**
+ * See here for more info on RsaHashedKeyGenParams: https://developer.mozilla.org/en-US/docs/Web/API/RsaHashedKeyGenParams
+ */
+// RSA KeyGen Algorithm
+const PKCS1_V15_KEYGEN_ALG = "RSASSA-PKCS1-v1_5";
 // SHA-256 hashing algorithm
-const HASH_ALG = "SHA-256";
+const S256_HASH_ALG = "SHA-256";
+// MOD length for PoP tokens
+const MODULUS_LENGTH = 2048;
+// Public Exponent
+const PUBLIC_EXPONENT: Uint8Array = new Uint8Array([0x01, 0x00, 0x01]);
+// JWK Key Format string
+const KEY_FORMAT_JWK = "jwk";
 
 /**
  * This class implements functions used by the browser library to perform cryptography operations such as
  * hashing and encoding. It also has helper functions to validate the availability of specific APIs.
  */
 export class BrowserCrypto {
 
+    private _keygenAlgorithmOptions: RsaHashedKeyGenParams;
+
     constructor() {
         if (!(this.hasCryptoAPI())) {
             throw BrowserAuthError.createCryptoNotAvailableError("Browser crypto or msCrypto object not available.");
         }
+
+        this._keygenAlgorithmOptions = {
+            name: PKCS1_V15_KEYGEN_ALG,
+            hash: S256_HASH_ALG,
+            modulusLength: MODULUS_LENGTH,
+            publicExponent: PUBLIC_EXPONENT
+        };
     }
 
     /**
@@ -27,7 +48,7 @@ export class BrowserCrypto {
     async sha256Digest(dataString: string): Promise<ArrayBuffer> {
         const data = BrowserStringUtils.stringToUtf8Arr(dataString);
 
-        return this.hasIECrypto() ? this.getMSCryptoDigest(HASH_ALG, data) : this.getSubtleCryptoDigest(HASH_ALG, data);
+        return this.hasIECrypto() ? this.getMSCryptoDigest(S256_HASH_ALG, data) : this.getSubtleCryptoDigest(S256_HASH_ALG, data);
     }
 
     /**
@@ -43,17 +64,25 @@ export class BrowserCrypto {
     }
 
     /**
-     * Checks whether IE crypto (AKA msCrypto) is available.
+     * Generates a keypair based on current keygen algorithm config.
+     * @param extractable 
+     * @param usages 
      */
-    private hasIECrypto(): boolean {
-        return !!window["msCrypto"];
+    async generateKeyPair(extractable: boolean, usages: Array<KeyUsage>): Promise<CryptoKeyPair> {
+        return (
+            this.hasIECrypto() ? 
+                this.msCryptoGenerateKey(extractable, usages) 
+                : window.crypto.subtle.generateKey(this._keygenAlgorithmOptions, extractable, usages)
+        ) as Promise<CryptoKeyPair>;
     }
 
     /**
-     * Check whether browser crypto is available.
+     * Export key as given KeyFormat (see above)
+     * @param key 
+     * @param format 
      */
-    private hasBrowserCrypto(): boolean {
-        return !!window.crypto;
+    async exportJwk(key: CryptoKey): Promise<JsonWebKey> {
+        return this.hasIECrypto() ? this.msCryptoExportJwk(key) : window.crypto.subtle.exportKey(KEY_FORMAT_JWK, key);
     }
 
     /**
@@ -63,17 +92,32 @@ export class BrowserCrypto {
         return this.hasIECrypto() || this.hasBrowserCrypto();
     }
 
+    /**
+     * Checks whether IE crypto (AKA msCrypto) is available.
+     */
+    private hasIECrypto(): boolean {
+        return "msCrypto" in window;
+    }
+
+    /**
+     * Check whether browser crypto is available.
+     */
+    private hasBrowserCrypto(): boolean {
+        return "crypto" in window;
+    }
+
     /**
      * Helper function for SHA digest.
      * @param algorithm 
      * @param data 
      */
     private async getSubtleCryptoDigest(algorithm: string, data: Uint8Array): Promise<ArrayBuffer> {
+        console.log(algorithm);
         return window.crypto.subtle.digest(algorithm, data);
     }
 
     /**
-     * Helper function for SHA digest.
+     * IE Helper function for SHA digest.
      * @param algorithm 
      * @param data 
      */
@@ -88,4 +132,56 @@ export class BrowserCrypto {
             });
         });
     }
+
+    private async msCryptoGenerateKey(extractable: boolean, usages: Array<KeyUsage>): Promise<CryptoKeyPair> {
+        return new Promise((resolve: any, reject: any) => {
+            const msGenerateKey = window["msCrypto"].subtle.generateKey(this._keygenAlgorithmOptions, extractable, usages);
+            msGenerateKey.addEventListener("complete", (e: { target: { result: CryptoKeyPair | PromiseLike<CryptoKeyPair>; }; }) => {
+                resolve(e.target.result);
+            });
+
+            msGenerateKey.addEventListener("error", (error: any) => {
+                reject(error);
+            });
+        });
+    }
+
+    /**
+     * IE Helper function for exporting keys
+     * @param key 
+     * @param format 
+     */
+    private async msCryptoExportJwk(key: CryptoKey): Promise<JsonWebKey> {
+        return new Promise((resolve: any, reject: any) => {
+            const msExportKey = window["msCrypto"].subtle.exportKey(KEY_FORMAT_JWK, key);
+            msExportKey.addEventListener("complete", (e: { target: { result: ArrayBuffer; }; }) => {
+                const resultBuffer: ArrayBuffer = e.target.result;
+
+                const resultString = BrowserStringUtils.utf8ArrToString(new Uint8Array(resultBuffer))
+                    .replace(/\r/g, "")
+                    .replace(/\n/g, "")
+                    .replace(/\t/g, "")
+                    .split(" ").join("")
+                    .replace("\u0000", "");
+
+                try {
+                    resolve(JSON.parse(resultString));
+                } catch (e) {
+                    reject(e);
+                }
+            });
+
+            msExportKey.addEventListener("error", (error: any) => {
+                reject(error);
+            });
+        });
+    }
+
+    /**
+     * Returns stringified jwk.
+     * @param jwk 
+     */
+    static getJwkString(jwk: JsonWebKey): string {
+        return JSON.stringify(jwk, Object.keys(jwk).sort());
+    }
 }

lib/msal-browser/src/crypto/CryptoOps.ts

@@ -21,6 +21,10 @@ export class CryptoOps implements ICrypto {
     private b64Decode: Base64Decode;
     private pkceGenerator: PkceGenerator;
 
+    private static POP_KEY_USAGES: Array<KeyUsage> = ["sign", "verify"];
+    private static EXTRACTABLE: boolean = true;
+    private static POP_HASH_LENGTH = 43; // 256 bit digest / 6 bits per char = 43
+
     constructor() {
         // Browser crypto needs to be validated first before any other classes can be set.
         this.browserCrypto = new BrowserCrypto();
@@ -30,6 +34,16 @@ export class CryptoOps implements ICrypto {
         this.pkceGenerator = new PkceGenerator(this.browserCrypto);
     }
 
+    async getPublicKeyThumbprint(): Promise<string> {
+        const keyPair = await this.browserCrypto.generateKeyPair(CryptoOps.EXTRACTABLE, CryptoOps.POP_KEY_USAGES);
+        // TODO: Store keypair
+        const publicKeyJwk: JsonWebKey = await this.browserCrypto.exportJwk(keyPair.publicKey);
+        const publicJwkString: string = BrowserCrypto.getJwkString(publicKeyJwk);
+        const publicJwkBuffer: ArrayBuffer = await this.browserCrypto.sha256Digest(publicJwkString);
+        const publicJwkDigest: string = this.b64Encode.urlEncodeArr(new Uint8Array(publicJwkBuffer));
+        return this.base64Encode(publicJwkDigest).substr(0, CryptoOps.POP_HASH_LENGTH);
+    }
+
     /**
      * Creates a new random GUID - used to populate state and nonce.
      * @returns string (GUID)

lib/msal-browser/src/index.ts

@@ -14,6 +14,7 @@ export { SilentRequest } from "./request/SilentRequest";
 
 // Common Object Formats
 export {
+    AuthenticationScheme,
     // Account
     AccountInfo,
     // Request

lib/msal-browser/test/app/PublicClientApplication.spec.ts

@@ -1,7 +1,6 @@
-import * as Mocha from "mocha";
+import * as mocha from "mocha";
 import chai from "chai";
 import chaiAsPromised from "chai-as-promised";
-
 chai.use(chaiAsPromised);
 const expect = chai.expect;
 import sinon from "sinon";
@@ -590,7 +589,7 @@ describe("PublicClientApplication.ts Class Unit Tests", () => {
 			it("Uses adal token from cache if it is present.", async () => {
 				const idTokenClaims: IdTokenClaims = {
 					"iss": "https://sts.windows.net/fa15d692-e9c7-4460-a743-29f2956fd429/",
-					"exp": "1536279024",
+					"exp": 1536279024,
 					"name": "abeli",
 					"nonce": "123523",
 					"oid": "05833b6b-aa1d-42d4-9ec0-1b2bb9194438",
@@ -637,7 +636,7 @@ describe("PublicClientApplication.ts Class Unit Tests", () => {
 			it("Does not use adal token from cache if it is present and SSO params have been given.", async () => {
 				const idTokenClaims: IdTokenClaims = {
 					"iss": "https://sts.windows.net/fa15d692-e9c7-4460-a743-29f2956fd429/",
-					"exp": "1536279024",
+					"exp": 1536279024,
 					"name": "abeli",
 					"nonce": "123523",
 					"oid": "05833b6b-aa1d-42d4-9ec0-1b2bb9194438",
@@ -796,7 +795,7 @@ describe("PublicClientApplication.ts Class Unit Tests", () => {
 				const testScope = "testscope";
 				const idTokenClaims: IdTokenClaims = {
 					"iss": "https://sts.windows.net/fa15d692-e9c7-4460-a743-29f2956fd429/",
-					"exp": "1536279024",
+					"exp": 1536279024,
 					"name": "abeli",
 					"nonce": "123523",
 					"oid": "05833b6b-aa1d-42d4-9ec0-1b2bb9194438",
@@ -843,7 +842,7 @@ describe("PublicClientApplication.ts Class Unit Tests", () => {
 			it("Does not use adal token from cache if it is present and SSO params have been given.", async () => {
 				const idTokenClaims: IdTokenClaims = {
 					"iss": "https://sts.windows.net/fa15d692-e9c7-4460-a743-29f2956fd429/",
-					"exp": "1536279024",
+					"exp": 1536279024,
 					"name": "abeli",
 					"nonce": "123523",
 					"oid": "05833b6b-aa1d-42d4-9ec0-1b2bb9194438",

lib/msal-browser/test/crypto/CryptoOps.spec.ts

@@ -7,7 +7,6 @@ import crypto from "crypto";
 import { PkceCodes } from "@azure/msal-common";
 
 describe("CryptoOps.ts Unit Tests", () => {
-
     let cryptoObj: CryptoOps;
     beforeEach(() => {
         cryptoObj = new CryptoOps();
@@ -61,7 +60,7 @@ describe("CryptoOps.ts Unit Tests", () => {
         expect(cryptoObj.base64Decode("Zm9vYmFy")).to.be.eq("foobar");
     });
 
-    it("generatePkceCode()", async () => {
+    it("generatePkceCode() creates a valid Pkce code", async () => {
         sinon.stub(BrowserCrypto.prototype, <any>"getSubtleCryptoDigest").callsFake(async (algorithm: string, data: Uint8Array): Promise<ArrayBuffer> => {
             expect(algorithm).to.be.eq("SHA-256");
             return crypto.createHash("SHA256").update(Buffer.from(data)).digest();
@@ -75,4 +74,21 @@ describe("CryptoOps.ts Unit Tests", () => {
         expect(regExp.test(generatedCodes.challenge)).to.be.true;
         expect(regExp.test(generatedCodes.verifier)).to.be.true;
     });
+
+    it("getPublicKeyThumbprint() generates a valid request thumbprint", async () => {
+        sinon.stub(BrowserCrypto.prototype, <any>"getSubtleCryptoDigest").callsFake(async (algorithm: string, data: Uint8Array): Promise<ArrayBuffer> => {
+            expect(algorithm).to.be.eq("SHA-256");
+            return crypto.createHash("SHA256").update(Buffer.from(data)).digest();
+        });
+        const generateKeyPairSpy = sinon.spy(BrowserCrypto.prototype, "generateKeyPair");
+        const exportJwkSpy = sinon.spy(BrowserCrypto.prototype, "exportJwk");
+        const pkThumbprint = await cryptoObj.getPublicKeyThumbprint();
+        /**
+         * Contains alphanumeric, dash '-', underscore '_', plus '+', or slash '/' with length of 43.
+         */
+        const regExp = new RegExp("[A-Za-z0-9-_+/]{43}");
+        expect(generateKeyPairSpy.calledWith(true, ["sign", "verify"]));
+        expect(exportJwkSpy.calledWith((await generateKeyPairSpy.returnValues[0]).publicKey));
+        expect(regExp.test(pkThumbprint)).to.be.true;
+    }).timeout(2500);
 });

lib/msal-browser/test/encode/Base64Decode.spec.ts

@@ -67,7 +67,7 @@ describe("Base64Decode.ts Unit Tests", () => {
                 "ver": "2.0",
                 "iss": `${TEST_URIS.DEFAULT_INSTANCE}9188040d-6c67-4c5b-b112-36a304b66dad/v2.0`,
                 "sub": "AAAAAAAAAAAAAAAAAAAAAIkzqFVrSaSaFHy782bbtaQ",
-                "exp": "1536361411",
+                "exp": 1536361411,
                 "name": "Abe Lincoln",
                 "preferred_username": "[email protected]",
                 "oid": "00000000-0000-0000-66f3-3332eca7ea81",

lib/msal-browser/test/interaction_handler/InteractionHandler.spec.ts

@@ -2,7 +2,7 @@ import { expect } from "chai";
 import { InteractionHandler } from "../../src/interaction_handler/InteractionHandler";
 import { PkceCodes, NetworkRequestOptions, LogLevel, AccountInfo, AuthorityFactory, AuthorizationCodeRequest, AuthenticationResult, CacheManager, AuthorizationCodeClient } from "@azure/msal-common";
 import { Configuration, buildConfiguration } from "../../src/config/Configuration";
-import { TEST_CONFIG, TEST_URIS, TEST_DATA_CLIENT_INFO, TEST_TOKENS, TEST_TOKEN_LIFETIMES, TEST_HASHES } from "../utils/StringConstants";
+import { TEST_CONFIG, TEST_URIS, TEST_DATA_CLIENT_INFO, TEST_TOKENS, TEST_TOKEN_LIFETIMES, TEST_HASHES, TEST_POP_VALUES } from "../utils/StringConstants";
 import { BrowserStorage } from "../../src/cache/BrowserStorage";
 import { BrowserAuthErrorMessage, BrowserAuthError } from "../../src/error/BrowserAuthError";
 import sinon from "sinon";
@@ -108,6 +108,9 @@ describe("InteractionHandler.ts Unit Tests", () => {
                 },
                 generatePkceCodes: async (): Promise<PkceCodes> => {
                     return testPkceCodes;
+                },
+                getPublicKeyThumbprint: async (): Promise<string> => {
+                    return TEST_POP_VALUES.ENCODED_REQ_CNF;
                 }
             },
             storageInterface: new TestStorageInterface(),

lib/msal-browser/test/interaction_handler/PopupHandler.spec.ts

@@ -6,7 +6,7 @@ import { PkceCodes, NetworkRequestOptions, LogLevel, AuthorityFactory, Authoriza
 import { PopupHandler } from "../../src/interaction_handler/PopupHandler";
 import { BrowserStorage } from "../../src/cache/BrowserStorage";
 import { Configuration, buildConfiguration } from "../../src/config/Configuration";
-import { TEST_CONFIG, TEST_URIS, RANDOM_TEST_GUID } from "../utils/StringConstants";
+import { TEST_CONFIG, TEST_URIS, RANDOM_TEST_GUID, TEST_POP_VALUES } from "../utils/StringConstants";
 import sinon from "sinon";
 import { InteractionHandler } from "../../src/interaction_handler/InteractionHandler";
 import { BrowserAuthErrorMessage, BrowserAuthError } from "../../src/error/BrowserAuthError";
@@ -93,6 +93,9 @@ describe("PopupHandler.ts Unit Tests", () => {
                 generatePkceCodes: async (): Promise<PkceCodes> => {
                     return testPkceCodes;
                 },
+                getPublicKeyThumbprint: async (): Promise<string> => {
+                    return TEST_POP_VALUES.ENCODED_REQ_CNF;
+                }
             },
             storageInterface: new TestStorageInterface(),
             networkInterface: {

lib/msal-browser/test/interaction_handler/RedirectHandler.spec.ts

@@ -5,7 +5,7 @@ const expect = chai.expect;
 import sinon from "sinon";
 import { Configuration, buildConfiguration } from "../../src/config/Configuration";
 import { PkceCodes, NetworkRequestOptions, LogLevel, AccountInfo, AuthorityFactory, AuthorizationCodeRequest, Constants, AuthenticationResult, CacheSchemaType, CacheManager, AuthorizationCodeClient } from "@azure/msal-common";
-import { TEST_CONFIG, TEST_URIS, TEST_TOKENS, TEST_DATA_CLIENT_INFO, RANDOM_TEST_GUID, TEST_HASHES, TEST_TOKEN_LIFETIMES } from "../utils/StringConstants";
+import { TEST_CONFIG, TEST_URIS, TEST_TOKENS, TEST_DATA_CLIENT_INFO, RANDOM_TEST_GUID, TEST_HASHES, TEST_TOKEN_LIFETIMES, TEST_POP_VALUES } from "../utils/StringConstants";
 import { BrowserStorage } from "../../src/cache/BrowserStorage";
 import { RedirectHandler } from "../../src/interaction_handler/RedirectHandler";
 import { InteractionHandler } from "../../src/interaction_handler/InteractionHandler";
@@ -73,6 +73,9 @@ describe("RedirectHandler.ts Unit Tests", () => {
                 generatePkceCodes: async (): Promise<PkceCodes> => {
                     return testPkceCodes;
                 },
+                getPublicKeyThumbprint: async (): Promise<string> => {
+                    return TEST_POP_VALUES.ENCODED_REQ_CNF;
+                }
             },
             storageInterface: browserStorage,
             networkInterface: {

lib/msal-browser/test/interaction_handler/SilentHandler.spec.ts

@@ -7,7 +7,7 @@ import sinon from "sinon";
 import { SilentHandler } from "../../src/interaction_handler/SilentHandler";
 import { BrowserStorage } from "../../src/cache/BrowserStorage";
 import { Configuration, buildConfiguration } from "../../src/config/Configuration";
-import { TEST_CONFIG, testNavUrl, TEST_URIS, RANDOM_TEST_GUID } from "../utils/StringConstants";
+import { TEST_CONFIG, testNavUrl, TEST_URIS, RANDOM_TEST_GUID, TEST_POP_VALUES } from "../utils/StringConstants";
 import { InteractionHandler } from "../../src/interaction_handler/InteractionHandler";
 import { BrowserAuthError, BrowserAuthErrorMessage } from "../../src/error/BrowserAuthError";
 
@@ -94,6 +94,9 @@ describe("SilentHandler.ts Unit Tests", () => {
                 generatePkceCodes: async (): Promise<PkceCodes> => {
                     return testPkceCodes;
                 },
+                getPublicKeyThumbprint: async (): Promise<string> => {
+                    return TEST_POP_VALUES.ENCODED_REQ_CNF;
+                }
             },
             storageInterface: new TestStorageInterface(),
             networkInterface: {