First

.gitignore

@@ -0,0 +1,132 @@
+# ---> Node
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+.pnpm-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# Snowpack dependency directory (https://snowpack.dev/)
+web_modules/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional stylelint cache
+.stylelintcache
+
+# Microbundle cache
+.rpt2_cache/
+.rts2_cache_cjs/
+.rts2_cache_es/
+.rts2_cache_umd/
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variable files
+.env
+.env.development.local
+.env.test.local
+.env.production.local
+.env.local
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+.parcel-cache
+
+# Next.js build output
+.next
+out
+
+# Nuxt.js build / generate output
+.nuxt
+dist
+
+# Gatsby files
+.cache/
+# Comment in the public line in if your project uses Gatsby and not Next.js
+# https://nextjs.org/blog/next-9-1#public-directory-support
+# public
+
+# vuepress build output
+.vuepress/dist
+
+# vuepress v2.x temp and cache directory
+.temp
+.cache
+
+# Docusaurus cache and generated files
+.docusaurus
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# TernJS port file
+.tern-port
+
+# Stores VSCode versions used for testing VSCode extensions
+.vscode-test
+
+# yarn v2
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.*
+

LICENSE

@@ -0,0 +1,9 @@
+MIT License
+
+Copyright (c) 2023 Jiang Yio
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,3 @@
+# XWBSSOi-js
+
+XWBSSOi in JavaScript

package.json

@@ -0,0 +1,10 @@
+{
+  "name": "xwbssoi",
+  "version": "0.0.1",
+  "description": "XWBSSOi in JavaScript",
+  "main": "xwbssoi.js",
+  "license": "MIT",
+  "dependencies": {
+    "koffi": "^2.10.1"
+  }
+}

xwbssoi.js

@@ -0,0 +1,204 @@
+const process = require('node:process');
+const child_process = require('node:child_process');
+const path = require('node:path');
+const koffi = require('koffi');
+
+const DEFAULT_USER_AGENT = 'Borland SOAP 1.2';
+const DEFAULT_ISSUER = 'https://ssoi.sts.va.gov/Issuer/smtoken/SAML2';
+
+const BOOL = koffi.alias('BOOL', koffi.types.int);
+const BYTE = koffi.alias('BYTE', koffi.types.uchar);
+const LPBYTE = koffi.pointer('LPBYTE', BYTE);
+const DWORD = koffi.alias('DWORD', koffi.types.uint32);
+const LPDWORD = koffi.pointer('LPDWORD', DWORD);
+const LONG = koffi.alias('LONG', koffi.types.long);
+const LPVOID = koffi.pointer('LPVOID', koffi.types.void);
+const LPCVOID = koffi.pointer('LPCVOID', koffi.types.void);		// const void *
+const LPWSTR = koffi.pointer('LPWSTR', koffi.types.wchar);
+const LPCWSTR = koffi.pointer('LPCWSTR', koffi.types.wchar);	// const wchar_t *
+const LPCSTR = koffi.pointer('LPCSTR', koffi.types.char);		// const char *
+const LPFILETIME = koffi.pointer('LPFILETIME', koffi.opaque());
+const HWND = koffi.pointer('HWND', koffi.opaque());
+const HKEY = koffi.pointer('HKEY', koffi.opaque());
+const HCERTSTORE = koffi.pointer('HCERTSTORE', koffi.opaque());
+const PCERT_INFO = koffi.pointer('PCERT_INFO', koffi.opaque());
+const HCRYPTPROV_LEGACY = koffi.pointer('HCRYPTPROV_LEGACY', koffi.opaque());
+const COMPUTER_NAME_FORMAT = koffi.alias('COMPUTER_NAME_FORMAT', koffi.types.int32);
+
+const CERT_CONTEXT = koffi.struct('CERT_CONTEXT', {
+	dwCertEncodingType:	DWORD,
+	pbCertEncoded:		LPBYTE,
+	cbCertEncoded:		DWORD,
+	pCertInfo:			PCERT_INFO,
+	hCertStore:			HCERTSTORE,
+});
+const PCCERT_CONTEXT = koffi.pointer('PCCERT_CONTEXT', CERT_CONTEXT);	// const CERT_CONTEXT *
+const PPCCERT_CONTEXT = koffi.pointer('PPCCERT_CONTEXT', PCCERT_CONTEXT);
+
+const CERT_STORE_PROV_MEMORY	= 'Memory';
+const X509_ASN_ENCODING			= 0x00000001;
+const PKCS_7_ASN_ENCODING		= 0x00010000;
+const CERT_COMPARE_ANY			= 0;
+const CERT_COMPARE_SHIFT		= 16;
+const CERT_FIND_ANY				= CERT_COMPARE_ANY<<CERT_COMPARE_SHIFT;
+const CERT_NAME_FRIENDLY_DISPLAY_TYPE	= 5;
+const CERT_DIGITAL_SIGNATURE_KEY_USAGE	= 0x80;
+const CERT_STORE_ADD_ALWAYS		= 4;
+const CERT_HASH_PROP_ID			= CERT_SHA1_HASH_PROP_ID = 3;
+const HKEY_LOCAL_MACHINE		= 0x80000002;
+const RRF_RT_REG_SZ				= 0x00000002;
+const COMPUTER_NAME_DNS_FULLY_QUALIFIED	= 3;
+
+const crypt32 = koffi.load('crypt32');
+const CertOpenStore = crypt32.func('__stdcall', 'CertOpenStore', HCERTSTORE, [LPCSTR, DWORD, HCRYPTPROV_LEGACY, DWORD, LPCVOID]);
+const CertOpenSystemStoreW = crypt32.func('__stdcall', 'CertOpenSystemStoreW', HCERTSTORE, [HCRYPTPROV_LEGACY, LPCWSTR]);
+const CertCloseStore = crypt32.func('__stdcall', 'CertCloseStore', BOOL, [HCERTSTORE, DWORD]);
+const CertEnumCertificatesInStore = crypt32.func('__stdcall', 'CertEnumCertificatesInStore', PCCERT_CONTEXT, [HCERTSTORE, PCCERT_CONTEXT]);
+const CertFindCertificateInStore = crypt32.func('__stdcall', 'CertFindCertificateInStore', PCCERT_CONTEXT, [HCERTSTORE, DWORD, DWORD, DWORD, LPCVOID, PCCERT_CONTEXT]);
+const CertAddCertificateContextToStore = crypt32.func('__stdcall', 'CertAddCertificateContextToStore', BOOL, [HCERTSTORE, PCCERT_CONTEXT, DWORD, koffi.out(PPCCERT_CONTEXT)]);
+const CertGetNameStringW = crypt32.func('__stdcall', 'CertGetNameStringW', DWORD, [PCCERT_CONTEXT, DWORD, DWORD, LPVOID, koffi.out(LPWSTR), DWORD]);
+const CertGetIntendedKeyUsage = crypt32.func('__stdcall', 'CertGetIntendedKeyUsage', BOOL, [DWORD, PCERT_INFO, koffi.out(LPBYTE), DWORD]);
+const CertGetCertificateContextProperty = crypt32.func('__stdcall', 'CertGetCertificateContextProperty', BOOL, [PCCERT_CONTEXT, DWORD, koffi.out(LPVOID), koffi.inout(LPDWORD)]);
+const CertVerifyTimeValidity = crypt32.func('__stdcall', 'CertVerifyTimeValidity', LONG, [LPFILETIME, PCERT_INFO]);
+
+const cryptui = koffi.load('cryptui');
+const CryptUIDlgSelectCertificateFromStore = cryptui.func('__stdcall', 'CryptUIDlgSelectCertificateFromStore', PCCERT_CONTEXT, [HCERTSTORE, HWND, LPCWSTR, LPCWSTR, DWORD, DWORD, LPCVOID]);
+
+const advapi32 = koffi.load('advapi32');
+const RegGetValueW = advapi32.func('__stdcall', 'RegGetValueW', LONG, [HKEY, LPCWSTR, LPCWSTR, DWORD, koffi.out(LPDWORD), koffi.out(LPVOID), koffi.inout(LPDWORD)]);
+
+const kernel32 = koffi.load('kernel32');
+const GetConsoleWindow = kernel32.func('__stdcall', 'GetConsoleWindow', HWND, []);
+const GetComputerNameExW = kernel32.func('__stdcall', 'GetComputerNameExW', BOOL, [COMPUTER_NAME_FORMAT, koffi.out(LPWSTR), koffi.inout(LPDWORD)]);
+
+/**
+ * WS-Trust STS endpoints from VDL documentation
+ * https://www.va.gov/vdl/documents/Infrastructure/KAAJEE/kaajee_ssowap_8_791_depg_r.pdf
+ * https://www.va.gov/vdl/documents/Financial_Admin/Bed_Management_Solution_(BMS)/bms_4_0_tm.pdf
+ * https://www.va.gov/vdl/documents/VistA_GUI_Hybrids/National_Utilization_Management_Integration_Archive/numi_server_setup_guide_v15_9.pdf
+ */
+const get_registry_iam = () => get_registry_value(HKEY_LOCAL_MACHINE, 'SOFTWARE\\Vista\\Common\\IAM') || 'https://services.eauth.va.gov:9301/STS/RequestSecurityToken';
+const get_registry_iam_ad = () => get_registry_value(HKEY_LOCAL_MACHINE, 'SOFTWARE\\Vista\\Common\\IAM_AD') || 'https://services.eauth.va.gov:9201/STS/RequestSecurityToken';
+const get_registry_rioserver = () => get_registry_value(HKEY_LOCAL_MACHINE, 'SOFTWARE\\Vista\\Common\\RIOSERVER') || 'SecurityTokenService';
+const get_registry_rioport = () => get_registry_value(HKEY_LOCAL_MACHINE, 'SOFTWARE\\Vista\\Common\\RIOPORT') || 'RequestSecurityToken';
+function get_registry_value(hkey, subkey, value=null) {
+	const ref_bufsz = [0];
+	RegGetValueW(hkey, subkey, value, RRF_RT_REG_SZ, null, null, ref_bufsz);
+	const buffer = Buffer.alloc(koffi.sizeof('wchar_t')*ref_bufsz[0]);
+	RegGetValueW(hkey, subkey, value, RRF_RT_REG_SZ, null, buffer, ref_bufsz);
+	return koffi.decode(buffer, 'wchar_t', ref_bufsz[0]);
+}
+
+const get_iam_request = (application, issuer) => `<?xml version="1.0" encoding="UTF-8"?>
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
+	<soapenv:Header/>
+	<soapenv:Body>
+		<ns:RequestSecurityToken>
+			<ns:Base>
+				<wss:TLS xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
+			</ns:Base>
+			<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
+				<wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
+					<wsa:Address>${application}</wsa:Address>
+				</wsa:EndpointReference>
+			</wsp:AppliesTo>
+			<ns:Issuer>
+				<wsa:Address xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">${issuer}</wsa:Address>
+			</ns:Issuer>
+			<ns:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</ns:RequestType>
+		</ns:RequestSecurityToken>
+	</soapenv:Body>
+</soapenv:Envelope>`;
+
+function get_local_computer_name() {
+	const ref_bufsz = [0];
+	GetComputerNameExW(COMPUTER_NAME_DNS_FULLY_QUALIFIED, null, ref_bufsz);
+	const buffer = Buffer.alloc(koffi.sizeof('wchar_t')*ref_bufsz[0]);
+	GetComputerNameExW(COMPUTER_NAME_DNS_FULLY_QUALIFIED, buffer, ref_bufsz);
+	return koffi.decode(buffer, 'wchar_t', ref_bufsz[0]);
+}
+
+function get_app_name() {
+	const argv0 = path.basename(process.argv[0]);
+	return (process.argv.length <= 1) || (argv0.substring(0, 4) != 'node') ? argv0 : path.basename(process.argv[1]);
+}
+
+function get_vista_certificate(show_cert_dialog=true, hwnd=null) {
+	store_system = CertOpenSystemStoreW(null, 'MY');
+	try {
+		store_memory = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, null, 0, null);
+		try {
+			let cert_selection, cert_iter, cert_valid;
+			while(cert_iter = CertEnumCertificatesInStore(store_system, cert_iter)) if(cert_valid = CertFindCertificateInStore(store_system, X509_ASN_ENCODING|PKCS_7_ASN_ENCODING, 0, CERT_FIND_ANY, null, null)) {
+				const name_bufsz = CertGetNameStringW(cert_iter, CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, null, null, 0);
+				name_buffer = Buffer.alloc(koffi.sizeof('wchar_t')*name_bufsz);
+				CertGetNameStringW(cert_iter, CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, null, name_buffer, name_bufsz);
+				name_string = koffi.decode(name_buffer, 'wchar_t', name_bufsz);
+				const ref_key_usage_bits = [0];
+				const pCertInfo = koffi.decode(cert_iter, 'CERT_CONTEXT').pCertInfo;
+				CertGetIntendedKeyUsage(X509_ASN_ENCODING|PKCS_7_ASN_ENCODING, pCertInfo, ref_key_usage_bits, koffi.sizeof(BYTE));
+				const valid_date = CertVerifyTimeValidity(null, pCertInfo);
+				if(((ref_key_usage_bits[0]&CERT_DIGITAL_SIGNATURE_KEY_USAGE) == CERT_DIGITAL_SIGNATURE_KEY_USAGE) && (valid_date == 0) && (name_string.indexOf('Card Authentication') < 0) && (name_string.indexOf('0,') < 0) && (name_string.indexOf('Signature') < 0)) {
+					CertAddCertificateContextToStore(store_memory, cert_iter, CERT_STORE_ADD_ALWAYS, [cert_valid]);
+					cert_selection = cert_valid;
+				}
+			}
+			return show_cert_dialog ? CryptUIDlgSelectCertificateFromStore(store_memory, hwnd || GetConsoleWindow(), 'VistA Logon - Certificate Selection', 'Select a certificate for VistA authentication', 0, 0, null) : cert_selection;
+		} finally {
+			CertCloseStore(store_memory, 0);
+		}
+	} finally {
+		CertCloseStore(store_system, 0);
+	}
+}
+
+function get_certificate_thumbprint(certificate) {
+	if(certificate) {
+		const ref_bufsz = [0];
+		CertGetCertificateContextProperty(certificate, CERT_HASH_PROP_ID, null, ref_bufsz);
+		const buffer = Buffer.alloc(ref_bufsz[0]);
+		CertGetCertificateContextProperty(certificate, CERT_HASH_PROP_ID, buffer, ref_bufsz);
+		return buffer.subarray(0, ref_bufsz[0]).toString('hex');
+	} else throw new TypeError('Cannot access null certificate');
+}
+
+function get_certificate_friendly_display_name(certificate) {
+	if(certificate) {
+		const bufsz = CertGetNameStringW(certificate, CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, null, null, 0);
+		const buffer = Buffer.alloc(koffi.sizeof('wchar_t')*bufsz);
+		CertGetNameStringW(certificate, CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, null, buffer, bufsz);
+		return koffi.decode(buffer, 'wchar_t', bufsz);
+	} else throw new TypeError('Cannot access null certificate');
+}
+
+function get_sso_token({ iam, ua, certificate, issuer, hostname, application }={}) {
+	let ptr_cert;
+	if((certificate) || ((ptr_cert = get_vista_certificate()) && (certificate = get_certificate_thumbprint(ptr_cert)))) {
+		const res = child_process.spawnSync('curl', ['-fsSL', '-X', 'POST', iam || get_registry_iam(), '--ca-native', '--cert', 'CurrentUser\\MY\\' + certificate, '-A', ua || DEFAULT_USER_AGENT, '-H', 'Content-Type: application/xml', '-H', 'Accept: application/xml', '-d', get_iam_request(`https://${hostname || get_local_computer_name()}/Delphi_RPC_Broker/${application || get_app_name()}`, issuer || DEFAULT_ISSUER)]);
+		if(res.stderr.length > 0) process.stderr.write(res.stderr);
+		if(res.status === 0) return res.stdout.toString('utf-8');
+	}
+}
+
+function get_sso_token_async({ iam, ua, certificate, issuer, hostname, application }={}) {
+	let ptr_cert;
+	if((certificate) || ((ptr_cert = get_vista_certificate()) && (certificate = get_certificate_thumbprint(ptr_cert)))) {
+		const child = child_process.spawn('curl', ['-fsSL', '-X', 'POST', iam || get_registry_iam(), '--ca-native', '--cert', 'CurrentUser\\MY\\' + certificate, '-A', ua || DEFAULT_USER_AGENT, '-H', 'Content-Type: application/xml', '-H', 'Accept: application/xml', '-d', get_iam_request(`https://${hostname || get_local_computer_name()}/Delphi_RPC_Broker/${application || get_app_name()}`, issuer || DEFAULT_ISSUER)]), res = [];
+		child.stdout.on('data', function(chunk) { if(chunk) res.push(chunk); });
+		child.stderr.on('data', function(chunk) { if(chunk) process.stderr.write(res.stderr); });
+		return new Promise(function(resolve, reject) {
+			child.on('close', function(code) {
+				if(code === 0) resolve(res.join(''));
+				else reject(code);
+			});
+		});
+	}
+}
+
+module.exports = {
+	get_vista_certificate,
+	get_certificate_thumbprint,
+	get_certificate_friendly_display_name,
+	get_sso_token,
+	get_sso_token_async,
+};