From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: git commit: [CXF-5628] Fixes to Base64URLUtility and HmacUtils Date: Thu, 20 Mar 2014 10:54:38 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/2.7.x-fixes 39a0f5868 -> a04262693 [CXF-5628] Fixes to Base64URLUtility and HmacUtils Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a0426269 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a0426269 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a0426269 Branch: refs/heads/2.7.x-fixes Commit: a04262693f199507617833f78cfc636a209cfe87 Parents: 39a0f58 Author: Sergey Beryozkin Authored: Thu Mar 20 10:29:09 2014 +0000 Committer: Sergey Beryozkin Committed: Thu Mar 20 10:54:10 2014 +0000 ---------------------------------------------------------------------- .../code/AuthorizationCodeGrantHandler.java | 11 +- .../security/oauth2/utils/Base64UrlUtility.java | 359 ++----------------- .../oauth2/utils/MessageDigestGenerator.java | 6 +- 3 files changed, 36 insertions(+), 340 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/a0426269/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java index 1a4276f..c414486 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java 
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java @@ -19,11 +19,8 @@ package org.apache.cxf.rs.security.oauth2.grants.code; -import java.io.StringWriter; - import javax.ws.rs.core.MultivaluedMap; -import org.apache.cxf.common.util.Base64Exception; import org.apache.cxf.rs.security.oauth2.common.Client; import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken; import org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler; @@ -96,13 +93,7 @@ public class AuthorizationCodeGrantHandler extends AbstractGrantHandler { byte[] digest = mdg.createDigest(tempClientSecret, "SHA-256"); int length = digest.length > 128 / 8 ? 128 / 8 : digest.length; - StringWriter stringWriter = new StringWriter(); - try { - Base64UrlUtility.encode(digest, 0, length, stringWriter); - } catch (Base64Exception e) { - throw new OAuthServiceException("server_error", e); - } - String expectedHash = stringWriter.toString(); + String expectedHash = Base64UrlUtility.encodeChunk(digest, 0, length); return tempClientSecretHash.equals(expectedHash); } http://git-wip-us.apache.org/repos/asf/cxf/blob/a0426269/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java index 5d1075d..76beabf 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java 
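Review bot: The `tempClientSecretHash.equals(expectedHash)` check at the end of this hunk is now sensitive to padding, because the new `Base64UrlUtility.encodeChunk` strips `=` while the removed encoder appended it. A hash computed in the old padded form (a 16-byte digest encodes to 22 characters plus `==`) will no longer match. If padded values can still arrive, normalise the supplied value before comparing, e.g. `String suppliedHash = tempClientSecretHash.replace("=", "");`, or document that only unpadded base64url is accepted. Because this comparison decides whether the grant is honoured, a constant-time comparison such as `MessageDigest.isEqual` over the two values' bytes would be preferable to `String.equals`. The enclosing method starts outside the hunk, so the origin of `tempClientSecretHash` and whether it can be null are not visible here.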
@@ -20,361 +20,62 @@ package org.apache.cxf.rs.security.oauth2.utils; /** - * Base64 URL Encoding/Decoding utility (character 62 is '-', 63 - '_') - * TODO: - * - encoding: exclude padding characters by default, - * - decoding: calculate a number of missing padding characters - * based on a number of base64url encoded octets - * - * - once the above two points are addressed, consider extracting - * most of Base64Utility into Base64EncoderDecoder and extending it - * with Base64UrlEncoderDecoder to minimize the duplication + * Base64 URL Encoding/Decoding utility. + * + * Character 62 ('+') is '-', Character 63 ('/') is '_'; + * Padding characters are dropped after the encoding. * */ -import java.io.IOException; -import java.io.OutputStream; -import java.io.StringWriter; import java.io.UnsupportedEncodingException; -import java.io.Writer; import java.util.logging.Logger; import org.apache.cxf.common.i18n.Message; import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.common.util.Base64Exception; +import org.apache.cxf.common.util.Base64Utility; public final class Base64UrlUtility { - private static final Logger LOG = LogUtils.getL7dLogger(Base64UrlUtility.class); - - private static final String ENCODED_PAD = "%3D"; - - // Base 64 URL character set - // - private static final char[] BCS = { - 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', - 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', - 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', - 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', - 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', - 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', - '8', '9', '-', '_' - }; - - // base 64 wadding - private static final char PAD = '='; - - // size of base 64 decode table - private static final int BDTSIZE = 128; - - // base 64 decode table - private static final byte[] BDT = new byte[128]; - - - private static final int PAD_SIZE0 = 1; - private static final int PAD_SIZE4 = 2; - private static final int 
PAD_SIZE8 = 3; - - // class static intializer for building decode table - static { - for (int i = 0; i < BDTSIZE; i++) { - BDT[i] = Byte.MAX_VALUE; - } - - for (int i = 0; i < BCS.length; i++) { - BDT[BCS[i]] = (byte)i; - } - } - private Base64UrlUtility() { //utility class, never constructed } - /** - * The decode_chunk routine decodes a chunk of data - * into its native encoding. - * - * base64 encodes each 3 octets of data into 4 characters from a - * limited 64 character set. The 3 octets are joined to form - * 24 bits which are then split into 4 x 6bit values. Each 6 bit - * value is then used as an index into the 64 character table of - * base64 chars. If the total data length is not a 3 octet multiple - * the '=' char is used as padding for the final 4 char group, - * either 1 octet + '==' or 2 octets + '='. - * - * @param id The input data to be processed - * @param o The offset from which to begin processing - * @param l The length (bound) at which processing is to end - * @return The decoded data - * @exception Base64Exception Thrown is processing fails due to - * formatting exceptions in the encoded data - */ - public static byte[] decodeChunk(char[] id, - int o, - int l) - throws Base64Exception { - - // Keep it simple - must be >= 4. Unpadded - // base64 data contain < 3 octets is invalid. - // - if ((l - o) < 4) { - return null; - } - - char[] ib = new char[4]; - int ibcount = 0; - - // cryan. Calc the num of octets. Each 4 chars of base64 chars - // (representing 24 bits) encodes 3 octets. - // - int octetCount = 3 * (l / 4); - - // Final 4 chars may contain 3 octets or padded to contain - // 1 or 2 octets. - // - if (id[l - 1] == PAD) { - // TT== means last 4 chars encode 8 bits (ie subtract 2) - // TTT= means last 4 chars encode 16 bits (ie subtract 1) - octetCount -= (id[l - 2] == PAD) ? 
2 : 1; - } - - byte[] ob = new byte[octetCount]; - int obcount = 0; - - for (int i = o; i < o + l && i < id.length; i++) { - if (id[i] == PAD - || id[i] < BDT.length - && BDT[id[i]] != Byte.MAX_VALUE) { - - ib[ibcount++] = id[i]; - - // Decode each 4 char sequence. - // - if (ibcount == ib.length) { - ibcount = 0; - obcount += processEncodeme(ib, ob, obcount); - } - } - } - - if (obcount != ob.length) { - byte []tmp = new byte[obcount]; - System.arraycopy(ob, 0, tmp, 0, obcount); - ob = tmp; - } - - return ob; - } - - public static byte[] decode(String id) throws Base64Exception { - int count = 0; - while (id.endsWith(ENCODED_PAD)) { - id = id.substring(0, id.length() - ENCODED_PAD.length()); - count++; - } - for (int i = 0; i < count; i++) { - id += PAD; - } - - try { - char[] cd = id.toCharArray(); - return decodeChunk(cd, 0, cd.length); - } catch (Exception e) { - LOG.warning("Invalid base64 encoded string : " + id); - throw new Base64Exception(new Message("BASE64_RUNTIME_EXCEPTION", LOG), e); - } - } - - public static void decode(char[] id, - int o, - int l, - OutputStream ostream) - throws Base64Exception { - - try { - ostream.write(decodeChunk(id, o, l)); - } catch (Exception e) { - LOG.warning("Invalid base64 encoded string : " + new String(id)); - throw new Base64Exception(new Message("BASE64_RUNTIME_EXCEPTION", LOG), e); - } - } - - public static void decode(String id, - OutputStream ostream) - throws Base64Exception { - - try { - char[] cd = id.toCharArray(); - ostream.write(decodeChunk(cd, 0, cd.length)); - } catch (IOException ioe) { - throw new Base64Exception(new Message("BASE64_DECODE_IOEXCEPTION", LOG), ioe); - } catch (Exception e) { - LOG.warning("Invalid base64 encoded string : " + id); - throw new Base64Exception(new Message("BASE64_RUNTIME_EXCEPTION", LOG), e); - } - } - - // Returns base64 representation of specified byte array. 
- // - public static String encode(byte[] id) { - char[] cd = encodeChunk(id, 0, id.length); - return new String(cd, 0, cd.length); - } - - // Returns base64 representation of specified byte array. - // - public static char[] encodeChunk(byte[] id, - int o, - int l) { - if (l <= 0) { - return null; - } - - char[] out; - - // If not a multiple of 3 octets then a final padded 4 char - // slot is needed. - // - if ((l - o) % 3 == 0) { - out = new char[l / 3 * 4]; - } else { - out = new char[l / 3 * 4 + 4]; - } - - int rindex = o; - int windex = 0; - int rest = l - o; - - while (rest >= 3) { - int i = ((id[rindex] & 0xff) << 16) - + ((id[rindex + 1] & 0xff) << 8) - + (id[rindex + 2] & 0xff); - - out[windex++] = BCS[i >> 18]; - out[windex++] = BCS[(i >> 12) & 0x3f]; - out[windex++] = BCS[(i >> 6) & 0x3f]; - out[windex++] = BCS[i & 0x3f]; - rindex += 3; - rest -= 3; - } - - if (rest == 1) { - int i = id[rindex] & 0xff; - out[windex++] = BCS[i >> 2]; - out[windex++] = BCS[(i << 4) & 0x3f]; - out[windex++] = PAD; - out[windex++] = PAD; - } else if (rest == 2) { - int i = ((id[rindex] & 0xff) << 8) + (id[rindex + 1] & 0xff); - out[windex++] = BCS[i >> 10]; - out[windex++] = BCS[(i >> 4) & 0x3f]; - out[windex++] = BCS[(i << 2) & 0x3f]; - out[windex++] = PAD; - } - return out; + public static byte[] decode(String encoded) throws Base64Exception { + encoded = encoded.replace("-", "+").replace('_', '/'); + switch (encoded.length() % 4) { + case 0: + break; + case 2: + encoded += "=="; + break; + case 3: + encoded += "="; + break; + default: + throw new Base64Exception(new Message("BASE64_RUNTIME_EXCEPTION", LOG)); + } + return Base64Utility.decode(encoded); } - // - // Outputs base64 representation of the specified byte array - // to a byte stream. 
- // - public static void encodeChunk(byte[] id, - int o, - int l, - OutputStream ostream) throws Base64Exception { + public static String encode(String str) throws Base64Exception { try { - ostream.write(new String(encodeChunk(id, o, l)).getBytes()); - } catch (IOException e) { - throw new Base64Exception(new Message("BASE64_ENCODE_IOEXCEPTION", LOG), e); - } - } - - public static String encode(String value) throws Base64Exception { - StringWriter writer = new StringWriter(); - Base64UrlUtility.encode(value, writer); - return writer.toString(); - } - - public static void encode(String value, Writer writer) throws Base64Exception { - byte[] chunk = null; - try { - chunk = value.getBytes("UTF-8"); + return encode(str.getBytes("UTF-8")); } catch (UnsupportedEncodingException ex) { - // won't happen + throw new RuntimeException(ex); } - Base64UrlUtility.encode(chunk, 0, chunk.length, writer); - } - - // Outputs base64 representation of the specified byte - // array to a character stream. - // - public static void encode(byte[] id, - int o, - int l, - Writer writer) throws Base64Exception { - try { - writer.write(encodeChunk(id, o, l)); - } catch (IOException e) { - throw new Base64Exception(new Message("BASE64_ENCODE_WRITER_IOEXCEPTION", LOG), e); - } + public static String encode(byte[] id) { + return encodeChunk(id, 0, id.length); } - - //---- Private static methods -------------------------------------- - - /** - * The process routine processes an atomic base64 - * unit of encoding (encodeme) into its native encoding. 
This class is - * used by decode routines to do the grunt work of decoding - * base64 encoded information - * - * @param ib Input character buffer of encoded bytes - * @param ob Output byte buffer of decoded bytes - * @param p Pointer to the encodeme of interest - * @return The decoded encodeme - * @exception Base64Exception Thrown is processing fails due to - * formatting exceptions in the encoded data - */ - private static int processEncodeme(char[] ib, - byte[] ob, - int p) - throws Base64Exception { - - - int spad = PAD_SIZE8; - if (ib[3] == PAD) { - spad = PAD_SIZE4; - } - if (ib[2] == PAD) { - spad = PAD_SIZE0; - } - - int b0 = BDT[ib[0]]; - int b1 = BDT[ib[1]]; - int b2 = BDT[ib[2]]; - int b3 = BDT[ib[3]]; - - switch (spad) { - case PAD_SIZE0: - ob[p] = (byte)(b0 << 2 & 0xfc | b1 >> 4 & 0x3); - return PAD_SIZE0; - case PAD_SIZE4: - ob[p++] = (byte)(b0 << 2 & 0xfc | b1 >> 4 & 0x3); - ob[p] = (byte)(b1 << 4 & 0xf0 | b2 >> 2 & 0xf); - return PAD_SIZE4; - case PAD_SIZE8: - ob[p++] = (byte)(b0 << 2 & 0xfc | b1 >> 4 & 0x3); - ob[p++] = (byte)(b1 << 4 & 0xf0 | b2 >> 2 & 0xf); - ob[p] = (byte)(b2 << 6 & 0xc0 | b3 & 0x3f); - return PAD_SIZE8; - default: - // We should never get here - throw new IllegalStateException(); - } - } + public static String encodeChunk(byte[] id, int offset, int length) { + String encoded = new String(Base64Utility.encodeChunk(id, offset, length)); + return encoded.replace("+", "-").replace('/', '_').replace("=", ""); + } + } http://git-wip-us.apache.org/repos/asf/cxf/blob/a0426269/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/MessageDigestGenerator.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/MessageDigestGenerator.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/MessageDigestGenerator.java index fbde43b..15d4870 100644 
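Review bot: The new `decode` translates `-` and `_` but never rejects `+` or `/`, and it tolerates already-padded input, so it accepts standard base64 as well as base64url and several different strings decode to the same bytes. Where the encoded form is also compared or used as a key elsewhere, that leniency is worth closing with a guard before the replace calls: `if (encoded.indexOf('+') >= 0 || encoded.indexOf('/') >= 0) { throw new Base64Exception(new Message("BASE64_RUNTIME_EXCEPTION", LOG)); }`. The public methods are also left without comments. `encodeChunk(byte[] id, int offset, int length)` in particular needs a Javadoc stating whether the third argument is a count or an end bound, because the removed local copy computed `rest = l - o` and `Base64Utility.encodeChunk` may do the same for a non-zero offset.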
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/MessageDigestGenerator.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/MessageDigestGenerator.java @@ -29,7 +29,11 @@ import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException; * random values */ public class MessageDigestGenerator { - private String algorithm = "MD5"; + public static final String ALGO_SHA_1 = "SHA-1"; + public static final String ALGO_SHA_256 = "SHA-256"; + public static final String ALGO_MD5 = "MD5"; + + private String algorithm = ALGO_MD5; public String generate(byte[] input) throws OAuthServiceException { if (input == null) {
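Review bot: The default algorithm stays MD5 even though this hunk introduces `ALGO_SHA_256`; in an OAuth2 utility whose class comment mentions digests of random values, a collision-broken hash is a poor default. Consider `private String algorithm = ALGO_SHA_256;`. If existing stored or issued values depend on the MD5 output, instead add a comment on the field saying the default is kept for compatibility and that new callers should select SHA-256 explicitly. The body of `generate` lies outside the hunk, so the effect on callers should be confirmed before the default is changed.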