downgrade to jsrsasign

manfredsteyer · manfredsteyer · commit c2162d0c1019 · 2018-10-24T19:42:41.000+02:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -30,10 +30,13 @@
     "@angular/platform-browser-dynamic": "7.0.0",
     "@angular/router": "7.0.0",
     "@webcomponents/custom-elements": "^1.1.0",
+    "base64-js": "^1.3.0",
     "bootstrap": "^3.3.7",
     "core-js": "^2.5.1",
+    "jsrsasign": "^8.0.12",
     "rxjs": "6.3.3",
     "rxjs-compat": "^6.0.0-rc.0",
+    "text-encoder-lite": "^1.0.1",
     "tsickle": "^0.33.0",
     "zone.js": "^0.8.26"
   },
@@ -47,7 +50,7 @@
     "@types/jasmine": "~2.6.3",
     "@types/jasminewd2": "~2.0.3",
     "@types/node": "~8.0.51",
-    "angular-oauth2-oidc": "^5.0.0",
+    "angular-oauth2-oidc": "^5.0.2",
     "codelyzer": "~4.2.1",
     "cpr": "^3.0.1",
     "jasmine-core": "~2.8.0",
diff --git a/projects/lib/ng-package.json b/projects/lib/ng-package.json
@@ -5,5 +5,8 @@
   "lib": {
     "languageLevel": ["dom", "es2017"],
     "entryFile": "src/public_api.ts"
-  }
+  },
+  "whitelistedNonPeerDependencies": [
+    "jsrsasign"
+  ] 
 }
diff --git a/projects/lib/ng-package.prod.json b/projects/lib/ng-package.prod.json
@@ -3,5 +3,8 @@
   "dest": "../../dist/lib",
   "lib": {
     "entryFile": "src/public_api.ts"
-  }
+  },
+  "whitelistedNonPeerDependencies": [
+    "jsrsasign"
+  ]  
 }
diff --git a/projects/lib/package.json b/projects/lib/package.json
@@ -4,8 +4,11 @@
   "author": {
     "name": "Manfred Steyer"
   },
-  "version": "5.0.0",
+  "version": "5.0.2",
   "repository": "manfredsteyer/angular-oauth2-oidc",
+  "dependencies": {
+    "jsrsasign": "^8.0.12"
+  },
   "peerDependencies": {
     "@angular/common": ">=6.0.0 < 8.0.0",
     "@angular/core": ">=6.0.0 < 8.0.0"
diff --git a/projects/lib/src/token-validation/jwks-validation-handler.ts b/projects/lib/src/token-validation/jwks-validation-handler.ts
@@ -3,6 +3,11 @@ import {
   ValidationParams
 } from './validation-handler';
 
+// declare var require: any;
+// let rs = require('jsrsasign');
+
+import * as rs from 'jsrsasign';
+
 /**
  * Validates the signature of an id_token against one
  * of the keys of an JSON Web Key Set (jwks).
@@ -33,10 +38,7 @@ export class JwksValidationHandler extends AbstractValidationHandler {
    */
   gracePeriodInSec = 600;
 
-  private cyptoObj: Crypto = window.crypto || (window as any).msCrypto // for IE11
-  private textEncoder = new (window as any).TextEncoder();
-
-  async validateSignature(params: ValidationParams, retry = false): Promise<any> {
+  validateSignature(params: ValidationParams, retry = false): Promise<any> {
     if (!params.idToken) throw new Error('Parameter idToken expected!');
     if (!params.idTokenHeader)
       throw new Error('Parameter idTokenHandler expected.');
@@ -50,9 +52,11 @@ export class JwksValidationHandler extends AbstractValidationHandler {
       throw new Error('Array keys in jwks missing!');
     }
 
+    // console.debug('validateSignature: retry', retry);
+
     let kid: string = params.idTokenHeader['kid'];
-    let keys: JsonWebKey[] = params.jwks['keys'];
-    let key: JsonWebKey;
+    let keys: object[] = params.jwks['keys'];
+    let key: object;
 
     let alg = params.idTokenHeader['alg'];
 
@@ -64,6 +68,12 @@ export class JwksValidationHandler extends AbstractValidationHandler {
         k => k['kty'] === kty && k['use'] === 'sig'
       );
 
+      /*
+            if (matchingKeys.length == 0) {
+                let error = 'No matching key found.';
+                console.error(error);
+                return Promise.reject(error);
+            }*/
       if (matchingKeys.length > 1) {
         let error =
           'More than one matching key found. Please specify a kid in the id_token header.';
@@ -99,14 +109,20 @@ export class JwksValidationHandler extends AbstractValidationHandler {
       return Promise.reject(error);
     }
 
-    const [header, body, sig] = params.idToken.split(',');
-
-    const cyptokey = await this.cyptoObj.subtle.importKey('jwk', key as any, alg, true, ['verify']);
-    const isValid = await this.cyptoObj.subtle.verify(alg, cyptokey, this.textEncoder.encode(sig), this.textEncoder.encode(body));
-
-    if(isValid) {
+    let keyObj = rs.KEYUTIL.getKey(key);
+    let validationOptions = {
+      alg: this.allowedAlgorithms,
+      gracePeriod: this.gracePeriodInSec
+    };
+    let isValid = rs.KJUR.jws.JWS.verifyJWT(
+      params.idToken,
+      keyObj,
+      validationOptions
+    );
+
+    if (isValid) {
       return Promise.resolve();
-    }else {
+    } else {
       return Promise.reject('Signature not valid');
     }
   }
@@ -122,11 +138,11 @@ export class JwksValidationHandler extends AbstractValidationHandler {
     }
   }
 
-  async calcHash(valueToHash: string, algorithm: string): Promise<string> {
-    const valueAsBytes = this.textEncoder.encode(valueToHash);
-    const resultBytes = await this.cyptoObj.subtle.digest(algorithm, valueAsBytes);
-    // the returned bytes are encoded as UTF-16
-    return String.fromCharCode.apply(null, new Uint16Array(resultBytes));
+  calcHash(valueToHash: string, algorithm: string): Promise<string> {
+    let hashAlg = new rs.KJUR.crypto.MessageDigest({ alg: algorithm });
+    let result = hashAlg.digestString(valueToHash);
+    let byteArrayAsString = this.toByteArrayAsString(result);
+    return Promise.resolve(byteArrayAsString);
   }
 
   toByteArrayAsString(hexString: string) {
@@ -138,4 +154,4 @@ export class JwksValidationHandler extends AbstractValidationHandler {
     }
     return result;
   }
-}
+}
diff --git a/projects/lib/src/token-validation/validation-handler.ts b/projects/lib/src/token-validation/validation-handler.ts
@@ -70,12 +70,12 @@ export abstract class AbstractValidationHandler implements ValidationHandler {
    */
   protected inferHashAlgorithm(jwtHeader: object): string {
     let alg: string = jwtHeader['alg'];
-
+    
     if (!alg.match(/^.S[0-9]{3}$/)) {
       throw new Error('Algorithm not supported: ' + alg);
     }
 
-    return 'sha' + alg.substr(2);
+    return 'sha-' + alg.substr(2);
   }
 
   /**
diff --git a/projects/sample/src/app/app.component.ts b/projects/sample/src/app/app.component.ts
@@ -3,7 +3,7 @@ import { googleAuthConfig } from './auth.google.config';
 import { authConfig } from './auth.config';
 import { FlightHistoryComponent } from './flight-history/flight-history.component';
 import { Component } from '@angular/core';
-import { OAuthService, AuthConfig, NullValidationHandler } from 'angular-oauth2-oidc';
+import { OAuthService, AuthConfig, NullValidationHandler, JwksValidationHandler } from 'angular-oauth2-oidc';
 // import { JwksValidationHandler } from 'angular-oauth2-oidc';
 import { Router } from '@angular/router';
 import { filter, delay } from 'rxjs/operators';
@@ -32,7 +32,7 @@ export class AppComponent {
   private configureWithNewConfigApi() {
     this.oauthService.configure(authConfig);
     this.oauthService.setStorage(localStorage);
-    this.oauthService.tokenValidationHandler = new NullValidationHandler();
+    this.oauthService.tokenValidationHandler = new JwksValidationHandler();
     this.oauthService.loadDiscoveryDocumentAndTryLogin();
 
 

Original file line number	Diff line number	Diff line change
`@@ -70,12 +70,12 @@ export abstract class AbstractValidationHandler implements ValidationHandler {`
`70`	`70`	`*/`
`71`	`71`	`protected inferHashAlgorithm(jwtHeader: object): string {`
`72`	`72`	`let alg: string = jwtHeader['alg'];`
`73`		`-`
	`73`	`+`
`74`	`74`	`if (!alg.match(/^.S[0-9]{3}$/)) {`
`75`	`75`	`throw new Error('Algorithm not supported: ' + alg);`
`76`	`76`	`}`
`77`	`77`
`78`		`- return 'sha' + alg.substr(2);`
	`78`	`+ return 'sha-' + alg.substr(2);`
`79`	`79`	`}`
`80`	`80`
`81`	`81`	`/**`