xref: /unit/src/java/nginx/unit/websocket/DigestAuthenticator.java (revision 1157:7ae152bda303)
1 /*
2  * Licensed to the Apache Software Foundation (ASF) under one or more
3  * contributor license agreements.  See the NOTICE file distributed with
4  * this work for additional information regarding copyright ownership.
5  * The ASF licenses this file to You under the Apache License, Version 2.0
6  * (the "License"); you may not use this file except in compliance with
7  * the License.  You may obtain a copy of the License at
8  *
9  *     http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17 package nginx.unit.websocket;
18 
19 import java.nio.charset.StandardCharsets;
20 import java.security.MessageDigest;
21 import java.security.NoSuchAlgorithmException;
22 import java.security.SecureRandom;
23 import java.util.Map;
24 
25 import org.apache.tomcat.util.security.MD5Encoder;
26 
27 /**
28  * Authenticator supporting the DIGEST auth method.
29  */
30 public class DigestAuthenticator extends Authenticator {
31 
32     public static final String schemeName = "digest";
33     private SecureRandom cnonceGenerator;
34     private int nonceCount = 0;
35     private long cNonce;
36 
37     @Override
getAuthorization(String requestUri, String WWWAuthenticate, Map<String, Object> userProperties)38     public String getAuthorization(String requestUri, String WWWAuthenticate,
39             Map<String, Object> userProperties) throws AuthenticationException {
40 
41         String userName = (String) userProperties.get(Constants.WS_AUTHENTICATION_USER_NAME);
42         String password = (String) userProperties.get(Constants.WS_AUTHENTICATION_PASSWORD);
43 
44         if (userName == null || password == null) {
45             throw new AuthenticationException(
46                     "Failed to perform Digest authentication due to  missing user/password");
47         }
48 
49         Map<String, String> wwwAuthenticate = parseWWWAuthenticateHeader(WWWAuthenticate);
50 
51         String realm = wwwAuthenticate.get("realm");
52         String nonce = wwwAuthenticate.get("nonce");
53         String messageQop = wwwAuthenticate.get("qop");
54         String algorithm = wwwAuthenticate.get("algorithm") == null ? "MD5"
55                 : wwwAuthenticate.get("algorithm");
56         String opaque = wwwAuthenticate.get("opaque");
57 
58         StringBuilder challenge = new StringBuilder();
59 
60         if (!messageQop.isEmpty()) {
61             if (cnonceGenerator == null) {
62                 cnonceGenerator = new SecureRandom();
63             }
64 
65             cNonce = cnonceGenerator.nextLong();
66             nonceCount++;
67         }
68 
69         challenge.append("Digest ");
70         challenge.append("username =\"" + userName + "\",");
71         challenge.append("realm=\"" + realm + "\",");
72         challenge.append("nonce=\"" + nonce + "\",");
73         challenge.append("uri=\"" + requestUri + "\",");
74 
75         try {
76             challenge.append("response=\"" + calculateRequestDigest(requestUri, userName, password,
77                     realm, nonce, messageQop, algorithm) + "\",");
78         }
79 
80         catch (NoSuchAlgorithmException e) {
81             throw new AuthenticationException(
82                     "Unable to generate request digest " + e.getMessage());
83         }
84 
85         challenge.append("algorithm=" + algorithm + ",");
86         challenge.append("opaque=\"" + opaque + "\",");
87 
88         if (!messageQop.isEmpty()) {
89             challenge.append("qop=\"" + messageQop + "\"");
90             challenge.append(",cnonce=\"" + cNonce + "\",");
91             challenge.append("nc=" + String.format("%08X", Integer.valueOf(nonceCount)));
92         }
93 
94         return challenge.toString();
95 
96     }
97 
calculateRequestDigest(String requestUri, String userName, String password, String realm, String nonce, String qop, String algorithm)98     private String calculateRequestDigest(String requestUri, String userName, String password,
99             String realm, String nonce, String qop, String algorithm)
100             throws NoSuchAlgorithmException {
101 
102         StringBuilder preDigest = new StringBuilder();
103         String A1;
104 
105         if (algorithm.equalsIgnoreCase("MD5"))
106             A1 = userName + ":" + realm + ":" + password;
107 
108         else
109             A1 = encodeMD5(userName + ":" + realm + ":" + password) + ":" + nonce + ":" + cNonce;
110 
111         /*
112          * If the "qop" value is "auth-int", then A2 is: A2 = Method ":"
113          * digest-uri-value ":" H(entity-body) since we do not have an entity-body, A2 =
114          * Method ":" digest-uri-value for auth and auth_int
115          */
116         String A2 = "GET:" + requestUri;
117 
118         preDigest.append(encodeMD5(A1));
119         preDigest.append(":");
120         preDigest.append(nonce);
121 
122         if (qop.toLowerCase().contains("auth")) {
123             preDigest.append(":");
124             preDigest.append(String.format("%08X", Integer.valueOf(nonceCount)));
125             preDigest.append(":");
126             preDigest.append(String.valueOf(cNonce));
127             preDigest.append(":");
128             preDigest.append(qop);
129         }
130 
131         preDigest.append(":");
132         preDigest.append(encodeMD5(A2));
133 
134         return encodeMD5(preDigest.toString());
135 
136     }
137 
encodeMD5(String value)138     private String encodeMD5(String value) throws NoSuchAlgorithmException {
139         byte[] bytesOfMessage = value.getBytes(StandardCharsets.ISO_8859_1);
140         MessageDigest md = MessageDigest.getInstance("MD5");
141         byte[] thedigest = md.digest(bytesOfMessage);
142 
143         return MD5Encoder.encode(thedigest);
144     }
145 
146     @Override
getSchemeName()147     public String getSchemeName() {
148         return schemeName;
149     }
150 }
151