4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * The contents of this file are subject to the terms
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * of the Common Development and Distribution License
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * (the License). You may not use this file except in
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * compliance with the License.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * You can obtain a copy of the License at
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * See the License for the specific language governing
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * permission and limitations under the License.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * When distributing Covered Code, include this CDDL
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * Header Notice in each file and include the License file
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * If applicable, add the following below the CDDL Header,
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * with the fields enclosed by brackets [] replaced by
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * your own identifying information:
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * "Portions Copyrighted [year] [name of copyright owner]"
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * $Id: CramMD5MechanismHandler.java,v 1.8 2008/12/16 20:54:03 hengming Exp $
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpotts * Portions Copyrighted 2016 ForgeRock AS.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterpackage com.sun.identity.liberty.ws.authnsvc.mechanism;
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpottsimport static org.forgerock.openam.utils.Time.*;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport javax.security.auth.callback.NameCallback;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport javax.security.auth.callback.PasswordCallback;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.common.PeriodicCleanUpMap;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.idm.AMIdentityRepository;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.security.AdminTokenAction;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.shared.configuration.SystemPropertiesManager;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.authentication.AuthContext;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.authentication.spi.AuthLoginException;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.liberty.ws.authnsvc.AuthnSvcConstants;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.liberty.ws.authnsvc.AuthnSvcService;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.liberty.ws.authnsvc.AuthnSvcUtils;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.liberty.ws.authnsvc.protocol.SASLRequest;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.liberty.ws.authnsvc.protocol.SASLResponse;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterimport com.sun.identity.liberty.ws.soapbinding.Message;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * The <code>CramMD5MechanismHandler</code> is a handler for 'CRAM-MD5'
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * mechanism.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Fosterpublic class CramMD5MechanismHandler implements MechanismHandler {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster private static Debug debug = Debug.getInstance("libIDWSF");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster private static final String PROP_SERVER_HOST = "com.iplanet.am.server.host";
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster private static final String serverHost = SystemPropertiesManager.get(
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster private static final int MAX_RANDOM_NUM = 9999;
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster private static final String ATTR_USER_PASSWORD = "userPassword";
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster private static final String COMP_AUTHN_SVC = "authnsvc";
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * The block length in characters used in generating an HMAC-MD5 digest.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * table to convert a nibble to a hex char.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster private static char[] hexChar = { '0' , '1' , '2' , '3' ,
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster private static SecureRandom secureRandom = new SecureRandom();
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster static final String CHALLENGE_CLEANUP_INTERVAL_PROP =
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster "com.sun.identity.liberty.ws.authnsvc.challengeCleanupInterval";
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster static int challenge_cleanup_interval = 60000; // millisec
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster "com.sun.identity.liberty.ws.soap.staleTimeLimit";
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster static int stale_time_limit = 300000; // millisec
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster private static Map challengeMap = new PeriodicCleanUpMap(
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster (long) challenge_cleanup_interval, (long) stale_time_limit);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster SystemPropertiesManager.get(CHALLENGE_CLEANUP_INTERVAL_PROP);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster challenge_cleanup_interval = Integer.parseInt(tmpstr);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster "CramMD5MechanismHandler.static:" +
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster " Unable to get stale time limit. Default" +
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster tmpstr = SystemPropertiesManager.get(STALE_TIME_LIMIT_PROP);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster "CramMD5MechanismHandler.static:" +
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster " Unable to get stale time limit. Default " +
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster "value will be used");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster SystemTimerPool.getTimerPool().schedule((TaskRunnable) challengeMap,
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpotts new Date(((currentTimeMillis() + challenge_cleanup_interval)
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * Generates a SASL response according to the SASL request.
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * @param saslReq a SASL request
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * @param message a SOAP Message containing the SASL request
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * @param respMessageID messageID of SOAP Message response that will
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * contain returned SASL response
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster * @return a SASL response
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster public SASLResponse processSASLRequest(SASLRequest saslReq,
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster debug.message("CramMD5MechanismHandler.processSASLRequest: ");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster String refToMessageID = saslReq.getRefToMessageID();
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster boolean isFirstRequest = (refToMessageID == null ||
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster debug.message("CramMD5MechanismHandler.processSASLRequest: " +
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster saslResp = new SASLResponse(SASLResponse.CONTINUE);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster debug.message("CramMD5MechanismHandler.processSASLRequest:"
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster saslResp = new SASLResponse(SASLResponse.ABORT);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster debug.error("CramMD5MechanismHandler.processSASLRequest: ", ex);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster saslResp = new SASLResponse(SASLResponse.ABORT);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster saslResp.setServerMechanism(AuthnSvcConstants.MECHANISM_PLAIN);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster private SASLResponse authenticate(String data, Message message) {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster String clientDigest = data.substring(index + 1);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster "CramMD5MechanismHandler.authenticate: can't get password");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster String refToMessageID = message.getCorrelationHeader()
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster if (refToMessageID == null || refToMessageID.length() == 0) {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster "CramMD5MechanismHandler.authenticate: no refToMessageID");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster debug.message("CramMD5MechanismHandler.authenticate:" +
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster challengeBytes = (byte[])challengeMap.remove(refToMessageID);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster "CramMD5MechanismHandler.authenticate: no challenge found");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster debug.error("CramMD5MechanismHandler.authenticate:", ueex);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster serverDigest = generateHMACMD5(passwordBytes, challengeBytes);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster debug.error("CramMD5MechanismHandler.authenticate:", nsaex);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster "CramMD5MechanismHandler.authenticate: digests not equal");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster "CramMD5MechanismHandler.authenticate: digests equal");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster AuthnSvcService.getCramMD5MechanismAuthenticationModule();
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster debug.message("PlainMechanismHandler.authenticate: " +
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster authContext = new AuthContext(SMSEntry.getRootSuffix());
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster authContext.login(AuthContext.IndexType.MODULE_INSTANCE,
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster debug.error("CramMD5MechanismHandler.authenticate: ", le);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster Callback[] callbacks = authContext.getRequirements();
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster fillInCallbacks(callbacks, userName, password);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster AuthContext.Status loginStatus = authContext.getStatus();
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster "CramMD5MechanismHandler.authenticate: login status = " +
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster if (loginStatus != AuthContext.Status.SUCCESS) {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster String userDN = token.getPrincipal().getName();
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster SSOTokenManager.getInstance().destroyToken(token);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster SASLResponse saslResp = new SASLResponse(SASLResponse.OK);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster if (!AuthnSvcUtils.setResourceOfferingAndCredentials(
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster debug.error("CramMD5MechanismHandler.authenticate: ", ex);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster private static void fillInCallbacks(Callback[] callbacks,
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster debug.message("CramMD5MechanismHandler.fillInCallbacks:");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster } else if (callback instanceof PasswordCallback) {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster // append random digits
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster int randomInt = secureRandom.nextInt(MAX_RANDOM_NUM);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster String randomIntString = Integer.toString(randomInt);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster for(int i=randomIntString.length(); i<NUM_RANDOM_DIGITS; i++) {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster // append timestamp
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpotts sb.append(currentTimeMillis()).append("@");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster // append hostname
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster private static String getUserPassword(String userName) {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster SSOToken adminToken = (SSOToken)AccessController.doPrivileged(
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster AMIdentityRepository idRepo = new AMIdentityRepository(adminToken,
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster IdSearchControl searchControl = new IdSearchControl();
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster IdSearchResults searchResults = idRepo.searchIdentities(
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster debug.message("CramMD5MechanismHandler.getUserPassword: " +
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster "no user found");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster debug.message("CramMD5MechanismHandler.getUserPassword: " +
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster "more than 1 user found");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster AMIdentity user = (AMIdentity)users.iterator().next();
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster Set passwords = user.getAttribute("userPassword");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster if (passwords == null || passwords.isEmpty()) {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster debug.message("CramMD5MechanismHandler.getUserPassword: " +
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster "user has no password");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster debug.message("CramMD5MechanismHandler.getUserPassword: " +
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster "user has more than 1 passwords");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster String password = (String)passwords.iterator().next();
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster "CramMD5MechanismHandler.getUserPassword: ", ex);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster private static String generateHMACMD5(byte[] passwordBytes,
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster MessageDigest messagedigest = MessageDigest.getInstance("MD5");
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster passwordBytes = messagedigest.digest(passwordBytes);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster for(int i = 0; i < passwordBytes.length; i++) {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster abyte2[i] = (byte)(passwordBytes[i] ^ IPAD_BYTE);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster abyte3[i] = (byte)(passwordBytes[i] ^ OPAD_BYTE);
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster for(int i = passwordBytes.length; i < BLOCK_LENGTH; i++) {
4a2f0f0be43dfd4c1b490cbf3cc48b6ba6084b1cAllan Foster private static String toHexString ( byte[] b ) {