The Tor Browser / file comparison

comparison: mobile/android/base/sync/net/HMACAuthHeaderProvider.java

mobile/android/base/sync/net/HMACAuthHeaderProvider.java

changeset 0
6474c204b198
equal deleted inserted replaced
-1:000000000000 0:0f4ea7b2d4ef
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5 package org.mozilla.gecko.sync.net;
6
7 import java.io.UnsupportedEncodingException;
8 import java.net.URI;
9 import java.security.GeneralSecurityException;
10 import java.security.InvalidKeyException;
11 import java.security.NoSuchAlgorithmException;
12
13 import javax.crypto.Mac;
14 import javax.crypto.spec.SecretKeySpec;
15
16 import org.mozilla.apache.commons.codec.binary.Base64;
17 import org.mozilla.gecko.background.common.log.Logger;
18 import org.mozilla.gecko.sync.Utils;
19
20 import ch.boye.httpclientandroidlib.Header;
21 import ch.boye.httpclientandroidlib.client.methods.HttpRequestBase;
22 import ch.boye.httpclientandroidlib.client.methods.HttpUriRequest;
23 import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
24 import ch.boye.httpclientandroidlib.message.BasicHeader;
25 import ch.boye.httpclientandroidlib.protocol.BasicHttpContext;
26
27 /**
28 * An <code>AuthHeaderProvider</code> that returns an Authorization header for
29 * HMAC-SHA1-signed requests in the format expected by Mozilla Services
30 * identity-attached services and specified by the MAC Authentication spec, available at
31 * <a href="https://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac">https://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac</a>.
32 * <p>
33 * See <a href="https://wiki.mozilla.org/Services/Sagrada/ServiceClientFlow#Access">https://wiki.mozilla.org/Services/Sagrada/ServiceClientFlow#Access</a>.
34 */
35 public class HMACAuthHeaderProvider implements AuthHeaderProvider {
36 public static final String LOG_TAG = "HMACAuthHeaderProvider";
37
38 public static final int NONCE_LENGTH_IN_BYTES = 8;
39
40 public static final String HMAC_SHA1_ALGORITHM = "hmacSHA1";
41
42 public final String identifier;
43 public final String key;
44
45 public HMACAuthHeaderProvider(String identifier, String key) {
46 // Validate identifier string. From the MAC Authentication spec:
47 // id = "id" "=" string-value
48 // string-value = ( <"> plain-string <"> ) / plain-string
49 // plain-string = 1*( %x20-21 / %x23-5B / %x5D-7E )
50 // We add quotes around the id string, so input identifier must be a plain-string.
51 if (identifier == null) {
52 throw new IllegalArgumentException("identifier must not be null.");
53 }
54 if (!isPlainString(identifier)) {
55 throw new IllegalArgumentException("identifier must be a plain-string.");
56 }
57
58 if (key == null) {
59 throw new IllegalArgumentException("key must not be null.");
60 }
61
62 this.identifier = identifier;
63 this.key = key;
64 }
65
66 @Override
67 public Header getAuthHeader(HttpRequestBase request, BasicHttpContext context, DefaultHttpClient client) throws GeneralSecurityException {
68 long timestamp = System.currentTimeMillis() / 1000;
69 String nonce = Base64.encodeBase64String(Utils.generateRandomBytes(NONCE_LENGTH_IN_BYTES));
70 String extra = "";
71
72 try {
73 return getAuthHeader(request, context, client, timestamp, nonce, extra);
74 } catch (InvalidKeyException e) {
75 // We lie a little and make every exception a GeneralSecurityException.
76 throw new GeneralSecurityException(e);
77 } catch (UnsupportedEncodingException e) {
78 throw new GeneralSecurityException(e);
79 } catch (NoSuchAlgorithmException e) {
80 throw new GeneralSecurityException(e);
81 }
82 }
83
84 /**
85 * Test if input is a <code>plain-string</code>.
86 * <p>
87 * A plain-string is defined by the MAC Authentication spec as
88 * <code>plain-string = 1*( %x20-21 / %x23-5B / %x5D-7E )</code>.
89 *
90 * @param input
91 * as a String of "US-ASCII" bytes.
92 * @return true if input is a <code>plain-string</code>; false otherwise.
93 * @throws UnsupportedEncodingException
94 */
95 protected static boolean isPlainString(String input) {
96 if (input == null || input.length() == 0) {
97 return false;
98 }
99
100 byte[] bytes;
101 try {
102 bytes = input.getBytes("US-ASCII");
103 } catch (UnsupportedEncodingException e) {
104 // Should never happen.
105 Logger.warn(LOG_TAG, "Got exception in isPlainString; returning false.", e);
106 return false;
107 }
108
109 for (byte b : bytes) {
110 if ((0x20 <= b && b <= 0x21) || (0x23 <= b && b <= 0x5B) || (0x5D <= b && b <= 0x7E)) {
111 continue;
112 }
113 return false;
114 }
115
116 return true;
117 }
118
119 /**
120 * Helper function that generates an HTTP Authorization header given
121 * additional MAC Authentication specific data.
122 *
123 * @throws UnsupportedEncodingException
124 * @throws NoSuchAlgorithmException
125 * @throws InvalidKeyException
126 */
127 protected Header getAuthHeader(HttpRequestBase request, BasicHttpContext context, DefaultHttpClient client,
128 long timestamp, String nonce, String extra)
129 throws UnsupportedEncodingException, InvalidKeyException, NoSuchAlgorithmException {
130 // Validate timestamp. From the MAC Authentication spec:
131 // timestamp = 1*DIGIT
132 // This is equivalent to timestamp >= 0.
133 if (timestamp < 0) {
134 throw new IllegalArgumentException("timestamp must contain only [0-9].");
135 }
136
137 // Validate nonce string. From the MAC Authentication spec:
138 // nonce = "nonce" "=" string-value
139 // string-value = ( <"> plain-string <"> ) / plain-string
140 // plain-string = 1*( %x20-21 / %x23-5B / %x5D-7E )
141 // We add quotes around the nonce string, so input nonce must be a plain-string.
142 if (nonce == null) {
143 throw new IllegalArgumentException("nonce must not be null.");
144 }
145 if (nonce.length() == 0) {
146 throw new IllegalArgumentException("nonce must not be empty.");
147 }
148 if (!isPlainString(nonce)) {
149 throw new IllegalArgumentException("nonce must be a plain-string.");
150 }
151
152 // Validate extra string. From the MAC Authentication spec:
153 // ext = "ext" "=" string-value
154 // string-value = ( <"> plain-string <"> ) / plain-string
155 // plain-string = 1*( %x20-21 / %x23-5B / %x5D-7E )
156 // We add quotes around the extra string, so input extra must be a plain-string.
157 // We break the spec by allowing ext to be an empty string, i.e. to match 0*(...).
158 if (extra == null) {
159 throw new IllegalArgumentException("extra must not be null.");
160 }
161 if (extra.length() > 0 && !isPlainString(extra)) {
162 throw new IllegalArgumentException("extra must be a plain-string.");
163 }
164
165 String requestString = getRequestString(request, timestamp, nonce, extra);
166 String macString = getSignature(requestString, this.key);
167
168 String h = "MAC id=\"" + this.identifier + "\", " +
169 "ts=\"" + timestamp + "\", " +
170 "nonce=\"" + nonce + "\", " +
171 "mac=\"" + macString + "\"";
172
173 if (extra != null) {
174 h += ", ext=\"" + extra + "\"";
175 }
176
177 Header header = new BasicHeader("Authorization", h);
178
179 return header;
180 }
181
182 protected static byte[] sha1(byte[] message, byte[] key)
183 throws NoSuchAlgorithmException, InvalidKeyException {
184
185 SecretKeySpec keySpec = new SecretKeySpec(key, HMAC_SHA1_ALGORITHM);
186
187 Mac hasher = Mac.getInstance(HMAC_SHA1_ALGORITHM);
188 hasher.init(keySpec);
189 hasher.update(message);
190
191 byte[] hmac = hasher.doFinal();
192
193 return hmac;
194 }
195
196 /**
197 * Sign an HMAC request string.
198 *
199 * @param requestString to sign.
200 * @param key as <code>String</code>.
201 * @return signature as base-64 encoded string.
202 * @throws InvalidKeyException
203 * @throws NoSuchAlgorithmException
204 * @throws UnsupportedEncodingException
205 */
206 protected static String getSignature(String requestString, String key)
207 throws InvalidKeyException, NoSuchAlgorithmException, UnsupportedEncodingException {
208 String macString = Base64.encodeBase64String(sha1(requestString.getBytes("UTF-8"), key.getBytes("UTF-8")));
209
210 return macString;
211 }
212
213 /**
214 * Generate an HMAC request string.
215 * <p>
216 * This method trusts its inputs to be valid as per the MAC Authentication spec.
217 *
218 * @param request HTTP request.
219 * @param timestamp to use.
220 * @param nonce to use.
221 * @param extra to use.
222 * @return request string.
223 */
224 protected static String getRequestString(HttpUriRequest request, long timestamp, String nonce, String extra) {
225 String method = request.getMethod().toUpperCase();
226
227 URI uri = request.getURI();
228 String host = uri.getHost();
229
230 String path = uri.getRawPath();
231 if (uri.getRawQuery() != null) {
232 path += "?";
233 path += uri.getRawQuery();
234 }
235 if (uri.getRawFragment() != null) {
236 path += "#";
237 path += uri.getRawFragment();
238 }
239
240 int port = uri.getPort();
241 String scheme = uri.getScheme();
242 if (port != -1) {
243 } else if ("http".equalsIgnoreCase(scheme)) {
244 port = 80;
245 } else if ("https".equalsIgnoreCase(scheme)) {
246 port = 443;
247 } else {
248 throw new IllegalArgumentException("Unsupported URI scheme: " + scheme + ".");
249 }
250
251 String requestString = timestamp + "\n" +
252 nonce + "\n" +
253 method + "\n" +
254 path + "\n" +
255 host + "\n" +
256 port + "\n" +
257 extra + "\n";
258
259 return requestString;
260 }
261 }

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial