Are you talking dojo itself, or the fact that the http-management plugin also notes that it "This bundles portions of crypto-js, which is under the MIT licence".
The only "cryptographic functions" used within the web console are those necessary to implement the necessary SASL authentication mechanisms. In particular SHA-1, SHA-256 (and for historical reasons MD5) hashing. There is no encryption used within the console (other than TLS through the standard browser mechanism). The use of crypto-js code was because dojo didn't have an implementation of the necessary HMAC mechanisms for SHA-1 / SHA-256 if I remember correctly. (See https://tools.ietf.org/html/rfc5802 and https://tools.ietf.org/html/rfc7677 for details of the SCRAM-SHA* SASL mechanisms). Hope this helps, Rob On 29 March 2017 at 21:17, Adel Boutros <[email protected]> wrote: > Hello, > > > While our legal team was reviewing the Broker's packaged dependencies and > their licenses, they had some questions regarding Dojo toolkit materials > which I hope you can help me with: > > > * Could you please list all cryptographic means contained in the dojo > materials used? > > > * Could you please describe: > > 1) the purpose(s) for which the dojo materials use these cryptographic > means > > 2) whether these means will be accessible to end users > > > * Why is this dependency needed and could we omit it from distribution? > > > Regards, > > Adel >
