1 files changed, 150 insertions, 0 deletions

diff --git a/src/java/nginx/unit/websocket/DigestAuthenticator.java b/src/java/nginx/unit/websocket/DigestAuthenticator.java
new file mode 100644
index 00000000..9530c303
--- /dev/null
+++ b/src/java/nginx/unit/websocket/DigestAuthenticator.java
@@ -0,0 +1,150 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package nginx.unit.websocket;
+
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.util.Map;
+
+import org.apache.tomcat.util.security.MD5Encoder;
+
+/**
+ * Authenticator supporting the DIGEST auth method.
+ */
+public class DigestAuthenticator extends Authenticator {
+
+    public static final String schemeName = "digest";
+    private SecureRandom cnonceGenerator;
+    private int nonceCount = 0;
+    private long cNonce;
+
+    @Override
+    public String getAuthorization(String requestUri, String WWWAuthenticate,
+            Map<String, Object> userProperties) throws AuthenticationException {
+
+        String userName = (String) userProperties.get(Constants.WS_AUTHENTICATION_USER_NAME);
+        String password = (String) userProperties.get(Constants.WS_AUTHENTICATION_PASSWORD);
+
+        if (userName == null || password == null) {
+            throw new AuthenticationException(
+                    "Failed to perform Digest authentication due to  missing user/password");
+        }
+
+        Map<String, String> wwwAuthenticate = parseWWWAuthenticateHeader(WWWAuthenticate);
+
+        String realm = wwwAuthenticate.get("realm");
+        String nonce = wwwAuthenticate.get("nonce");
+        String messageQop = wwwAuthenticate.get("qop");
+        String algorithm = wwwAuthenticate.get("algorithm") == null ? "MD5"
+                : wwwAuthenticate.get("algorithm");
+        String opaque = wwwAuthenticate.get("opaque");
+
+        StringBuilder challenge = new StringBuilder();
+
+        if (!messageQop.isEmpty()) {
+            if (cnonceGenerator == null) {
+                cnonceGenerator = new SecureRandom();
+            }
+
+            cNonce = cnonceGenerator.nextLong();
+            nonceCount++;
+        }
+
+        challenge.append("Digest ");
+        challenge.append("username =\"" + userName + "\",");
+        challenge.append("realm=\"" + realm + "\",");
+        challenge.append("nonce=\"" + nonce + "\",");
+        challenge.append("uri=\"" + requestUri + "\",");
+
+        try {
+            challenge.append("response=\"" + calculateRequestDigest(requestUri, userName, password,
+                    realm, nonce, messageQop, algorithm) + "\",");
+        }
+
+        catch (NoSuchAlgorithmException e) {
+            throw new AuthenticationException(
+                    "Unable to generate request digest " + e.getMessage());
+        }
+
+        challenge.append("algorithm=" + algorithm + ",");
+        challenge.append("opaque=\"" + opaque + "\",");
+
+        if (!messageQop.isEmpty()) {
+            challenge.append("qop=\"" + messageQop + "\"");
+            challenge.append(",cnonce=\"" + cNonce + "\",");
+            challenge.append("nc=" + String.format("%08X", Integer.valueOf(nonceCount)));
+        }
+
+        return challenge.toString();
+
+    }
+
+    private String calculateRequestDigest(String requestUri, String userName, String password,
+            String realm, String nonce, String qop, String algorithm)
+            throws NoSuchAlgorithmException {
+
+        StringBuilder preDigest = new StringBuilder();
+        String A1;
+
+        if (algorithm.equalsIgnoreCase("MD5"))
+            A1 = userName + ":" + realm + ":" + password;
+
+        else
+            A1 = encodeMD5(userName + ":" + realm + ":" + password) + ":" + nonce + ":" + cNonce;
+
+        /*
+         * If the "qop" value is "auth-int", then A2 is: A2 = Method ":"
+         * digest-uri-value ":" H(entity-body) since we do not have an entity-body, A2 =
+         * Method ":" digest-uri-value for auth and auth_int
+         */
+        String A2 = "GET:" + requestUri;
+
+        preDigest.append(encodeMD5(A1));
+        preDigest.append(":");
+        preDigest.append(nonce);
+
+        if (qop.toLowerCase().contains("auth")) {
+            preDigest.append(":");
+            preDigest.append(String.format("%08X", Integer.valueOf(nonceCount)));
+            preDigest.append(":");
+            preDigest.append(String.valueOf(cNonce));
+            preDigest.append(":");
+            preDigest.append(qop);
+        }
+
+        preDigest.append(":");
+        preDigest.append(encodeMD5(A2));
+
+        return encodeMD5(preDigest.toString());
+
+    }
+
+    private String encodeMD5(String value) throws NoSuchAlgorithmException {
+        byte[] bytesOfMessage = value.getBytes(StandardCharsets.ISO_8859_1);
+        MessageDigest md = MessageDigest.getInstance("MD5");
+        byte[] thedigest = md.digest(bytesOfMessage);
+
+        return MD5Encoder.encode(thedigest);
+    }
+
+    @Override
+    public String getSchemeName() {
+        return schemeName;
+    }
+}