/*
*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*
*/
using System;
using System.Collections;
using System.Collections.Specialized;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
namespace Apache.Qpid.Sasl.Mechanisms
{
///
/// Implements the DIGEST MD5 authentication mechanism
/// as outlined in RFC 2831
///
public class DigestSaslClient : SaslClient
{
public const string Mechanism = "DIGEST-MD5";
private static readonly MD5 _md5 = new MD5CryptoServiceProvider();
private int _state;
private string _cnonce;
private Encoding _encoding = Encoding.UTF8;
public string Cnonce
{
get { return _cnonce; }
set { _cnonce = value; }
}
public DigestSaslClient(
string authid, string serverName, string protocol,
IDictionary properties, ISaslCallbackHandler handler)
: base(authid, serverName, protocol, properties, handler)
{
_cnonce = Guid.NewGuid().ToString("N");
}
#region ISaslClient Implementation
//
// ISaslClient Implementation
//
public override string MechanismName
{
get { return Mechanism; }
}
public override bool HasInitialResponse
{
get { return false; }
}
public override byte[] EvaluateChallenge(byte[] challenge)
{
if ( challenge == null || challenge.Length <= 0 )
throw new ArgumentNullException("challenge");
switch ( _state++ )
{
case 0: return OnInitialChallenge(challenge);
case 1: return OnFinalResponse(challenge);
}
throw new SaslException("Invalid State for authentication");
}
#endregion // ISaslClient Implementation
#region Private Methods
//
// Private Methods
//
///
/// Process the first challenge from the server
/// and calculate a response
///
/// The server issued challenge
/// Client response
private byte[] OnInitialChallenge(byte[] challenge)
{
DigestChallenge dch =
DigestChallenge.Parse(_encoding.GetString(challenge));
// validate input challenge
if ( dch.Nonce == null || dch.Nonce.Length == 0 )
throw new SaslException("Nonce value missing in server challenge");
if ( dch.Algorithm != "md5-sess" )
throw new SaslException("Invalid or missing algorithm value in server challenge");
NameCallback nameCB = new NameCallback(AuthorizationId);
PasswordCallback pwdCB = new PasswordCallback();
RealmCallback realmCB = new RealmCallback(dch.Realm);
ISaslCallback[] callbacks = { nameCB, pwdCB, realmCB };
Handler.Handle(callbacks);
DigestResponse response = new DigestResponse();
response.Username = nameCB.Text;
response.Realm = realmCB.Text;
response.Nonce = dch.Nonce;
response.Cnonce = Cnonce;
response.NonceCount = 1;
response.Qop = DigestQop.Auth; // only auth supported for now
response.DigestUri = Protocol.ToLower() + "/" + ServerName;
response.MaxBuffer = dch.MaxBuffer;
response.Charset = dch.Charset;
response.Cipher = null; // not supported for now
response.Authzid = AuthorizationId;
response.AuthParam = dch.AuthParam;
response.Response = CalculateResponse(
nameCB.Text, realmCB.Text, pwdCB.Text,
dch.Nonce, response.NonceCount, response.Qop, response.DigestUri
);
return _encoding.GetBytes(response.ToString());
}
///
/// Process the second server challenge
///
/// Server issued challenge
/// The client response
private byte[] OnFinalResponse(byte[] challenge)
{
DigestChallenge dch =
DigestChallenge.Parse(_encoding.GetString(challenge));
if ( dch.Rspauth == null || dch.Rspauth.Length == 0 )
throw new SaslException("Expected 'rspauth' in server challenge not found");
SetComplete();
return new byte[0];
}
///
/// Calculate the response field of the client response
///
/// The user name
/// The realm
/// The user's password
/// Server nonce value
/// Client nonce count (always 1)
/// Quality of Protection
/// Digest-URI
/// The value for the response field
private string CalculateResponse(
string username, string realm, string passwd,
string nonce, int nc, string qop, string digestUri
)
{
string a1 = CalcHexA1(username, realm, passwd, nonce);
string a2 = CalcHexA2(digestUri, qop);
string ncs = nc.ToString("x8", CultureInfo.InvariantCulture);
StringBuilder prekd = new StringBuilder();
prekd.Append(a1).Append(':').Append(nonce).Append(':')
.Append(ncs).Append(':').Append(Cnonce)
.Append(':').Append(qop).Append(':').Append(a2);
return ToHex(CalcH(_encoding.GetBytes(prekd.ToString())));
}
private string CalcHexA1(
string username, string realm,
string passwd, string nonce
)
{
bool hasAuthId = AuthorizationId != null && AuthorizationId.Length > 0;
string premd = username + ":" + realm + ":" + passwd;
byte[] temp1 = CalcH(_encoding.GetBytes(premd));
int a1len = 16 + 1 + nonce.Length + 1 + Cnonce.Length;
if ( hasAuthId )
a1len += 1 + AuthorizationId.Length;
byte[] buffer = new byte[a1len];
Array.Copy(temp1, buffer, temp1.Length);
string p2 = ":" + nonce + ":" + Cnonce;
if ( hasAuthId )
p2 += ":" + AuthorizationId;
byte[] temp2 = _encoding.GetBytes(p2);
Array.Copy(temp2, 0, buffer, 16, temp2.Length);
return ToHex(CalcH(buffer));
}
private string CalcHexA2(string digestUri, string qop)
{
string a2 = "AUTHENTICATE:" + digestUri;
if ( qop != DigestQop.Auth )
a2 += ":00000000000000000000000000000000";
return ToHex(CalcH(_encoding.GetBytes(a2)));
}
private static byte[] CalcH(byte[] value)
{
return _md5.ComputeHash(value);
}
#endregion // Private Methods
} // class DigestSaslClient
///
/// Available QOP options in the DIGEST scheme
///
public sealed class DigestQop
{
public const string Auth = "auth";
public const string AuthInt = "auth-int";
public const string AuthConf = "auth-conf";
} // class DigestQop
///
/// Represents and parses a digest server challenge
///
public class DigestChallenge
{
private string _realm = "localhost";
private string _nonce;
private string[] _qopOptions = { DigestQop.Auth };
private bool _stale;
private int _maxBuffer = 65536;
private string _charset = "ISO 8859-1";
private string _algorithm;
private string[] _cipherOptions;
private string _authParam;
private string _rspauth;
#region Properties
//
// Properties
//
public string Realm
{
get { return _realm; }
}
public string Nonce
{
get { return _nonce; }
}
public string[] QopOptions
{
get { return _qopOptions; }
}
public bool Stale
{
get { return _stale; }
}
public int MaxBuffer
{
get { return _maxBuffer; }
set { _maxBuffer = value; }
}
public string Charset
{
get { return _charset; }
}
public string Algorithm
{
get { return _algorithm; }
}
public string[] CipherOptions
{
get { return _cipherOptions; }
}
public string AuthParam
{
get { return _authParam; }
}
public string Rspauth
{
get { return _rspauth; }
}
#endregion // Properties
public static DigestChallenge Parse(string challenge)
{
DigestChallenge parsed = new DigestChallenge();
StringDictionary parts = ParseParameters(challenge);
foreach ( string optname in parts.Keys )
{
switch ( optname )
{
case "realm":
parsed._realm = parts[optname];
break;
case "nonce":
parsed._nonce = parts[optname];
break;
case "qop-options":
parsed._qopOptions = GetOptions(parts[optname]);
break;
case "cipher-opts":
parsed._cipherOptions = GetOptions(parts[optname]);
break;
case "stale":
parsed._stale = Convert.ToBoolean(parts[optname], CultureInfo.InvariantCulture);
break;
case "maxbuf":
parsed._maxBuffer = Convert.ToInt32(parts[optname], CultureInfo.InvariantCulture);
break;
case "charset":
parsed._charset = parts[optname];
break;
case "algorithm":
parsed._algorithm = parts[optname];
break;
case "auth-param":
parsed._authParam = parts[optname];
break;
case "rspauth":
parsed._rspauth = parts[optname];
break;
}
}
return parsed;
}
public static StringDictionary ParseParameters(string source)
{
if ( source == null )
throw new ArgumentNullException("source");
StringDictionary ret = new StringDictionary();
string remaining = source.Trim();
while ( remaining.Length > 0 )
{
int equals = remaining.IndexOf('=');
if ( equals < 0 )
break;
string optname = remaining.Substring(0, equals).Trim();
remaining = remaining.Substring(equals + 1);
string value = ParseQuoted(ref remaining);
ret[optname] = value.Trim();
}
return ret;
}
private static string ParseQuoted(ref string str)
{
string ns = str.TrimStart();
int start = 0;
bool quoted = ns[0] == '\"';
if ( quoted ) start++;
bool inquotes = quoted;
bool escaped = false;
int pos = start;
for ( ; pos < ns.Length; pos++ )
{
if ( !inquotes && ns[pos] == ',' )
break;
// at end of quotes?
if ( quoted && !escaped && ns[pos] == '\"' )
inquotes = false;
// is this char an escape for the next one?
escaped = inquotes && ns[pos] == '\\';
}
// pos has end of string
string value = ns.Substring(start, pos-start).Trim();
if ( quoted )
{
// remove trailing quote
value = value.Substring(0, value.Length - 1);
}
str = ns.Substring(pos < ns.Length-1 ? pos+1 : pos);
return value;
}
private static string[] GetOptions(string value)
{
return value.Split(' ');
}
} // class DigestChallenge
///
/// Represents and knows how to write a
/// digest client response
///
public class DigestResponse
{
private string _username;
private string _realm;
private string _nonce;
private string _cnonce;
private int _nonceCount;
private string _qop;
private string _digestUri;
private string _response;
private int _maxBuffer;
private string _charset;
private string _cipher;
private string _authzid;
private string _authParam;
#region Properties
//
// Properties
//
public string Username
{
get { return _username; }
set { _username = value; }
}
public string Realm
{
get { return _realm; }
set { _realm = value; }
}
public string Nonce
{
get { return _nonce; }
set { _nonce = value; }
}
public string Cnonce
{
get { return _cnonce; }
set { _cnonce = value; }
}
public int NonceCount
{
get { return _nonceCount; }
set { _nonceCount = value; }
}
public string Qop
{
get { return _qop; }
set { _qop = value; }
}
public string DigestUri
{
get { return _digestUri; }
set { _digestUri = value; }
}
public string Response
{
get { return _response; }
set { _response = value; }
}
public int MaxBuffer
{
get { return _maxBuffer; }
set { _maxBuffer = value; }
}
public string Charset
{
get { return _charset; }
set { _charset = value; }
}
public string Cipher
{
get { return _cipher; }
set { _cipher = value; }
}
public string Authzid
{
get { return _authzid; }
set { _authzid = value; }
}
public string AuthParam
{
get { return _authParam; }
set { _authParam = value; }
}
#endregion // Properties
public override string ToString()
{
StringBuilder buffer = new StringBuilder();
Pair(buffer, "username", Username, true);
Pair(buffer, "realm", Realm, true);
Pair(buffer, "nonce", Nonce, true);
Pair(buffer, "cnonce", Cnonce, true);
string nc = NonceCount.ToString("x8", CultureInfo.InvariantCulture);
Pair(buffer, "nc", nc, false);
Pair(buffer, "qop", Qop, false);
Pair(buffer, "digest-uri", DigestUri, true);
Pair(buffer, "response", Response, true);
string maxBuffer = MaxBuffer.ToString(CultureInfo.InvariantCulture);
Pair(buffer, "maxbuf", maxBuffer, false);
Pair(buffer, "charset", Charset, false);
Pair(buffer, "cipher", Cipher, false);
Pair(buffer, "authzid", Authzid, true);
Pair(buffer, "auth-param", AuthParam, true);
return buffer.ToString().TrimEnd(',');
}
private static void Pair(StringBuilder buffer, string name, string value, bool quoted)
{
if ( value != null && value.Length > 0 )
{
buffer.Append(name);
buffer.Append('=');
if ( quoted )
{
buffer.Append('\"');
buffer.Append(value.Replace("\"", "\\\""));
buffer.Append('\"');
} else
{
buffer.Append(value);
}
buffer.Append(',');
}
}
} // class DigestResponse
} // namespace Apache.Qpid.Sasl.Mechanisms