WIP : Add support for GS2 SASL (RFC 5801) #360
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| package org.jivesoftware.smack.sasl.gssApi; | ||
|
|
||
| public class GssApiContext extends GssContext { | ||
|
|
||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| package org.jivesoftware.smack.sasl.gssApi; | ||
|
|
||
| import org.ietf.jgss.*; | ||
| import org.jivesoftware.smack.XMPPConnection; | ||
|
|
||
| import java.security.Provider; | ||
|
|
||
| public class GssApiManager { | ||
|
|
||
| GSSManager gssManager; | ||
| GSSName userName = null; | ||
| GSSName serverName = null; | ||
| GSSCredential userCredential = null; | ||
| GSSContext clientContext = null; | ||
|
|
||
| Oid objectIdentifiers; | ||
| byte[] clientToken; | ||
|
|
||
| private static GssApiManager gssApiManager = null; | ||
|
|
||
| public static synchronized GssApiManager getInstanceFor(XMPPConnection connection) { | ||
| if (gssApiManager == null) { | ||
| return new GssApiManager(connection); | ||
| } | ||
| return gssApiManager; | ||
| } | ||
|
|
||
| private GssApiManager(XMPPConnection connection){ | ||
| gssManager = GSSManager.getInstance(); | ||
|
|
||
| try { | ||
| userName = gssManager.createName(connection.getUser().asEntityBareJid().asEntityBareJidString(),GSSName.NT_USER_NAME); | ||
|
There was a problem hiding this comment. Nit: Missing spaces after comma. |
||
| serverName = gssManager.createName(connection.getHost(),objectIdentifiers); | ||
| userCredential = gssManager.createCredential(userName,GSSCredential.DEFAULT_LIFETIME,objectIdentifiers,GSSCredential.INITIATE_ONLY); | ||
| clientContext = gssManager.createContext(serverName,objectIdentifiers,userCredential,GSSContext.DEFAULT_LIFETIME); | ||
| clientContext.requestMutualAuth(true); | ||
| clientContext.requestConf(true); | ||
| clientContext.requestInteg(true); | ||
| } catch (GSSException e) { | ||
| e.printStackTrace(); | ||
| } | ||
| } | ||
|
|
||
| public byte[] authenticate() throws GSSException { | ||
| clientToken = clientContext.initSecContext(new byte[0], 0, 0); | ||
|
|
||
| // Send client token over the network | ||
| return clientToken; | ||
| } | ||
|
|
||
| public byte[] acceptServerToken(byte[] serverToken) { | ||
| try { | ||
| return clientContext.initSecContext(serverToken,0,serverToken.length); | ||
| } catch (GSSException e) { | ||
| e.printStackTrace(); | ||
| return null; | ||
| } | ||
| } | ||
|
|
||
| public boolean isContextEstablished() { | ||
| return clientContext.isEstablished(); | ||
| } | ||
|
|
||
| public byte[] sendData(byte[] messageBytes) throws GSSException { | ||
| MessageProp clientProp = new MessageProp(0,true); | ||
| clientToken = clientContext.wrap(messageBytes,0,messageBytes.length,clientProp); | ||
|
|
||
| // Send client token over the network | ||
| return clientToken; | ||
| } | ||
|
|
||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,168 @@ | ||
| /** | ||
| * | ||
| * Copyright 2020 Aditya Borikar | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package org.jivesoftware.smack.sasl.gssApi; | ||
|
|
||
| import java.io.IOException; | ||
| import java.math.BigInteger; | ||
| import java.security.NoSuchAlgorithmException; | ||
|
|
||
| import javax.security.auth.callback.CallbackHandler; | ||
|
|
||
| import org.ietf.jgss.*; | ||
| import org.jivesoftware.smack.SmackException.SmackSaslException; | ||
| import org.jivesoftware.smack.XMPPConnection; | ||
| import org.jivesoftware.smack.sasl.SASLMechanism; | ||
|
|
||
| import org.jivesoftware.smack.util.SHA1; | ||
| import org.jivesoftware.smack.util.stringencoder.Base32; | ||
|
|
||
| import org.bouncycastle.asn1.ASN1ObjectIdentifier; | ||
|
|
||
| /** | ||
| * Use of GSS-API mechanism in SASL by defining a new SASL mechanism family called GS2. | ||
| * This mechanism offers a number of improvements over the previous "SASL/GSSAPI" mechanism. | ||
| * In general, it uses fewer messages for authentication phase in some cases, and supports negotiable use of channel binding. | ||
| * Only GSS-API mechanisms that support channel binding and mutual authentication are supported. | ||
| * <br> | ||
| * The absence of `PLUS` suffix in the name `GSS-API` suggests that the server doesn't support channel binding. | ||
| * <br> | ||
| * SASL implementations can use the GSS_Inquire_SASLname_for_mech call | ||
| * to query for the SASL mechanism name of a GSS-API mechanism. | ||
| * <br> | ||
| * If the GSS_Inquire_SASLname_for_mech interface is not used, the GS2 | ||
| * implementation needs some other mechanism to map mechanism Object | ||
| * Identifiers (OIDs) to SASL names internally. | ||
| * <br> | ||
| * In this case, the implementation can only support the mechanisms for which it knows the | ||
| * SASL name. | ||
| * | ||
| * @author adiaholic | ||
| */ | ||
| public class GssApiMechanism extends SASLMechanism{ | ||
|
|
||
| public static final String NAME = "GSS-API"; | ||
|
|
||
| public static final String GS2_PREFIX = "GS2-"; | ||
|
|
||
| private Oid objectIdentifiers = null; | ||
|
|
||
| private GssApiManager gssApiManager = null; | ||
|
|
||
| GssApiMechanism(Oid oid, XMPPConnection connection) { | ||
| super(); | ||
| this.connection = connection; | ||
| gssApiManager = GssApiManager.getInstanceFor(connection); | ||
| setObjectIdentifier(oid); | ||
| } | ||
|
|
||
| @Override | ||
| protected byte[] getAuthenticationText() throws SmackSaslException { | ||
| try { | ||
| return gssApiManager.authenticate(); | ||
| } catch (GSSException e) { | ||
| e.printStackTrace(); | ||
| return null; | ||
| } | ||
| } | ||
|
|
||
| @Override | ||
| protected byte[] evaluateChallenge(byte[] challenge) throws SmackSaslException { | ||
| return gssApiManager.acceptServerToken(challenge); | ||
| } | ||
|
|
||
| /* | ||
| * The SASL Mechanism name is concatenation of the string "GS2-" and the | ||
| * Base32 encoding of the first 55 bits of the binary SHA-1 hash string | ||
| * computed over the ASN.1 DER encoding | ||
| * <br> | ||
| * Note : Some older GSS-API mechanisms were not specified with a SASL GS2 mechanism name. | ||
| */ | ||
| public String generateSASLMechanismNameFromGSSApiOIDs (String objectIdentifier) throws NoSuchAlgorithmException, IOException { | ||
|
|
||
| // To generate a SHA-1 hash string over ASN1.DER. | ||
| byte[] ASN1_DER = getASN1DERencoding(objectIdentifier); | ||
| String sha1_hash = SHA1.hex(ASN1_DER); | ||
|
|
||
| // Obtain first 55 bits of the SHA-1 hash. | ||
| String binary55Bits = getbinary55Bits(sha1_hash); | ||
|
|
||
| // Make groups of 5 bits each | ||
| String[] binaryGroups = new String[11]; | ||
| for (int i = 0 ; i < binary55Bits.length() / 5 ; i++) { | ||
| String binaryGroup = ""; | ||
| for (int j = 0 ; j < 5 ; j++) { | ||
| binaryGroup += binary55Bits.charAt(5 * i + j); | ||
| } | ||
| // int decimalForGroup = Integer.parseInt(binaryGroup,2); | ||
|
|
||
| binaryGroups[i] = binaryGroup; | ||
| } | ||
|
|
||
| // Base32 encoding for the above binaryGroups | ||
| String base32Encoding = ""; | ||
| for (int i = 0 ; i < 11 ; i++) { | ||
| int decimalValue = Integer.parseInt(binaryGroups[i], 2); | ||
| base32Encoding += Base32.encodeIntValue(decimalValue); | ||
| } | ||
| return GS2_PREFIX + base32Encoding; | ||
| } | ||
|
|
||
| private static String getbinary55Bits(String sha1_hash) { | ||
|
There was a problem hiding this comment. Nit: better use camelCase for the method name |
||
| // Get first 7 octets. | ||
| String first7Octets = sha1_hash.substring(0, 14); | ||
|
|
||
| // Convert first 7 octets of the sha1 hash into binary. | ||
| String binaryOctets = new BigInteger(first7Octets, 16).toString(2); | ||
|
|
||
| // Return first 55 bits of the binary hash. | ||
| return binaryOctets.substring(0, 55); | ||
| } | ||
|
|
||
| public byte[] getASN1DERencoding(String objectIdentifier) throws IOException { | ||
| ASN1ObjectIdentifier asn1ObjectIdentifier = new ASN1ObjectIdentifier(objectIdentifier).intern(); | ||
| byte[] encoded = asn1ObjectIdentifier.getEncoded(); | ||
| return encoded; | ||
| } | ||
|
|
||
| @Override | ||
| protected void authenticateInternal(CallbackHandler cbh) throws SmackSaslException { | ||
| } | ||
|
|
||
| @Override | ||
| public String getName() { | ||
| return NAME; | ||
| } | ||
|
|
||
| @Override | ||
| public int getPriority() { | ||
| return 0; | ||
| } | ||
|
|
||
| @Override | ||
| protected void checkIfSuccessfulOrThrow() throws SmackSaslException { | ||
| } | ||
|
|
||
| @Override | ||
| protected GssApiMechanism newInstance() { | ||
| return new GssApiMechanism(null,null); | ||
| } | ||
|
|
||
| public void setObjectIdentifier(Oid oid) { | ||
| this.objectIdentifiers = oid; | ||
| } | ||
|
|
||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| /** | ||
| * | ||
| * Copyright 2020 Aditya Borikar | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package org.jivesoftware.smack.sasl.gssApi; | ||
|
|
||
| import javax.security.auth.callback.CallbackHandler; | ||
|
|
||
| import org.jivesoftware.smack.SmackException.SmackSaslException; | ||
| import org.jivesoftware.smack.sasl.SASLMechanism; | ||
|
|
||
| /** | ||
| * The plus inside the GSS-API-plus mechanism name suggests that the server supports channel binding. | ||
| * | ||
| * @author adiaholic | ||
| */ | ||
| public class GssApiPlusMechanism extends SASLMechanism{ | ||
|
|
||
| @Override | ||
| protected void authenticateInternal(CallbackHandler cbh) throws SmackSaslException { | ||
| } | ||
|
|
||
| @Override | ||
| protected byte[] getAuthenticationText() throws SmackSaslException { | ||
| return null; | ||
| } | ||
|
|
||
| @Override | ||
| public String getName() { | ||
| return null; | ||
| } | ||
|
|
||
| @Override | ||
| public int getPriority() { | ||
| return 0; | ||
| } | ||
|
|
||
| @Override | ||
| protected void checkIfSuccessfulOrThrow() throws SmackSaslException { | ||
| } | ||
|
|
||
| @Override | ||
| protected SASLMechanism newInstance() { | ||
| return null; | ||
| } | ||
| } |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: Indentation