(ITS#4887) JLDAP - com.novell.sasl.client.DigestMD5SaslClient and RFC2831
Full_Name: Giovanni Almeida Santos
Version: 2.3.34
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (200.199.204.60)
According to RFC2831 (Using Digest Authentication as a SASL Mechanism), the
rules for a "digest-response" are defined as follows:

    digest-response = 1#( username | realm | nonce | cnonce |
                          nonce-count | qop | digest-uri | response |
                          maxbuf | charset | cipher | authzid |
                          auth-param )
    username        = "username" "=" <"> username-value <">
    username-value  = qdstr-val
    ...
    authzid         = "authzid" "=" <"> authzid-value <">
    authzid-value   = qdstr-val
The com.novell.sasl.client.DigestMD5SaslClient class does not implement that RFC at
all, because it does not use authzid as described above.

To correct this, it is necessary to modify two methods of DigestMD5SaslClient:
DigestCalcHA1 and createDigestResponse.

In the DigestCalcHA1 method it is necessary to include the code delimited by
// -->> as follows:
    char[] DigestCalcHA1(
        String algorithm,
        String userName,
        String realm,
        String password,
        String nonce,
        String clientNonce) throws SaslException
    {
        ...
        if ("md5-sess".equals(algorithm))
        {
            md.update(hash);
            md.update(":".getBytes("UTF-8"));
            md.update(nonce.getBytes("UTF-8"));
            md.update(":".getBytes("UTF-8"));
            md.update(clientNonce.getBytes("UTF-8"));
            // -->> It is necessary to allow Proxy Authorization
            // RFC 2831: A1 ends with ":" authzid-value when an authzid is given
            if (m_authorizationId != null && !"".equals(m_authorizationId))
            {
                md.update(":".getBytes("UTF-8"));
                md.update(m_authorizationId.getBytes("UTF-8"));
            }
            // -->> End
            hash = md.digest();
        }
        ...
    }
In the createDigestResponse method it is necessary to remove the line
digestResponse.append(m_authorizationId) (commented out below) and to
insert the code delimited by // -->>:
    private String createDigestResponse(
        byte[] challenge)
        throws SaslException
    {
        ...
        digestResponse.append("username=\"");
        //digestResponse.append(m_authorizationId);
        // -->> It is necessary to allow Proxy Authorization
        // username carries the authentication identity; authzid is sent
        // as its own directive only when proxy authorization is requested
        digestResponse.append(m_name);
        if (m_authorizationId != null && !"".equals(m_authorizationId))
        {
            digestResponse.append("\",authzid=\"");
            digestResponse.append(m_authorizationId);
        }
        // -->> End
        ...
    }
Without these modifications, proxy authorization is not possible.
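The two corrected computations, reimplemented in Python as an added example (not JLDAP code) so that the effect of authzid on HA1 and on the digest-response string can be checked against the RFC 2831 section 4 test vector; the function names mirror the JLDAP methods but are assumptions, and values are assumed to need no qdstr-val escaping.

```python
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_calc_ha1(username, realm, password, nonce, cnonce, authzid=None):
    """HA1 for algorithm md5-sess (RFC 2831 section 2.1.2.1):
    H( H(username:realm:passwd) : nonce : cnonce [ : authzid ] ).
    The optional authzid term is the one the report says JLDAP omits."""
    inner = _h(f"{username}:{realm}:{password}".encode("utf-8"))
    outer = inner + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        outer += f":{authzid}".encode("utf-8")
    return _h(outer)


def digest_calc_response(ha1, nonce, nc, cnonce, qop, digest_uri):
    """response-value = HEX(KD(HEX(HA1), nonce:nc:cnonce:qop:HEX(H(A2))))."""
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":00000000000000000000000000000000"
    a2_hex = _h(a2.encode("utf-8")).hex()
    kd = f"{ha1.hex()}:{nonce}:{nc}:{cnonce}:{qop}:{a2_hex}"
    return _h(kd.encode("utf-8")).hex()


def create_digest_response(username, realm, password, nonce, cnonce, nc, qop,
                           digest_uri, authzid=None):
    """Build the client's digest-response. username carries the authentication
    identity (m_name in JLDAP); authzid becomes a separate directive only when
    proxy authorization is requested, exactly as in the reporter's fix."""
    ha1 = digest_calc_ha1(username, realm, password, nonce, cnonce, authzid)
    response = digest_calc_response(ha1, nonce, nc, cnonce, qop, digest_uri)
    fields = [f'username="{username}"', f'realm="{realm}"', f'nonce="{nonce}"',
              f'cnonce="{cnonce}"', f"nc={nc}", f"qop={qop}",
              f'digest-uri="{digest_uri}"', f"response={response}",
              "charset=utf-8"]
    if authzid:
        fields.append(f'authzid="{authzid}"')
    return ",".join(fields)
```

Leaving the authzid term out of HA1 while still sending the authzid directive produces a response the server rejects, which is the proxy-authorization failure the report describes.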