com.sun.security.sasl.digest

pack-priv final Class DigestMD5Client

extends DigestMD5Base
implements SaslClient
Class Inheritance
All Implemented Interfaces
javax.security.sasl.SaslClient
Imports
java.security.NoSuchAlgorithmException, java.io.ByteArrayOutputStream, .IOException, java.util.StringTokenizer, .ArrayList, .List, .Map, .Arrays, java.util.logging.Level, javax.security.sasl.*, javax.security.auth.callback.CallbackHandler, .PasswordCallback, .NameCallback, .Callback, .UnsupportedCallbackException

An implementation of the DIGEST-MD5 (RFC 2831) SASL (RFC 2222) mechanism.

The DIGEST-MD5 SASL mechanism specifies two modes of authentication:
- Initial Authentication
- Subsequent Authentication - optional (currently unsupported)

Required callbacks:
- RealmChoiceCallback: shows the user the list of realms the server has offered; the handler must choose one from the list
- RealmCallback: shows the user the only realm the server has offered, or none; the handler must enter the realm to use
- NameCallback: the handler must enter the username to use for authentication
- PasswordCallback: the handler must enter the password for the username to use for authentication

Environment properties that affect the behavior of the implementation:
- javax.security.sasl.qop: quality of protection; list of auth, auth-int, auth-conf; default is "auth"
- javax.security.sasl.strength: auth-conf strength; list of high, medium, low; default is the highest available on the platform ["high,medium,low"]. high means des3 or rc4 (128); medium means des or rc4-56; low is rc4-40; the choice of cipher depends on its availability on the platform
- javax.security.sasl.maxbuf: max receive buffer size; default is 65536
- javax.security.sasl.sendmaxbuffer: max send buffer size; default is 65536 (min with server max recv size)
- com.sun.security.sasl.digest.cipher: name a specific cipher to use; the setting must be compatible with the setting of the javax.security.sasl.strength property
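The following is an added example, not code from this class or the JDK: it shows how a caller reaches DigestMD5Client through the public javax.security.sasl API, supplies the four required callbacks, sets the quality-of-protection and strength properties described above, and drives the challenge/response loop. The Transport interface, the "ldap" protocol name and the host name are assumptions for illustration; the keys Sasl.QOP, Sasl.STRENGTH and Sasl.MAX_BUFFER are the standard javax.security.sasl constants, and "3des" is the RFC 2831 cipher token.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.RealmChoiceCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;

public final class DigestMd5ClientExample {

    /** Hypothetical transport (assumption): sends a client message, returns the server's next challenge. */
    public interface Transport {
        byte[] exchange(byte[] clientMessage) throws IOException;
    }

    /** Handles exactly the callbacks DigestMD5Client requires: realm choice, realm, name and password. */
    static CallbackHandler handler(String username, char[] password, String preferredRealm) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof RealmChoiceCallback) {
                    // The server offered several realms: pick the preferred one, else the default.
                    RealmChoiceCallback rcc = (RealmChoiceCallback) cb;
                    String[] choices = rcc.getChoices();
                    int pick = rcc.getDefaultChoice();
                    for (int i = 0; i < choices.length; i++) {
                        if (choices[i].equals(preferredRealm)) pick = i;
                    }
                    rcc.setSelectedIndex(pick);
                } else if (cb instanceof RealmCallback) {
                    // The server offered one realm or none: use it, falling back to the preferred realm.
                    RealmCallback rc = (RealmCallback) cb;
                    rc.setText(rc.getDefaultText() != null ? rc.getDefaultText() : preferredRealm);
                } else if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password); // the callback keeps its own copy
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    /** Runs the DIGEST-MD5 exchange and returns the completed client for wrap/unwrap. */
    static SaslClient authenticate(Transport transport, String serverHost,
                                   String username, char[] password, String realm) throws IOException {
        Map<String, Object> props = new HashMap<>();
        // Prefer a security layer; the mechanism's default is plain "auth" only.
        props.put(Sasl.QOP, "auth-conf,auth-int,auth");
        // Refuse rc4-40 ("low"): accept only des3/rc4-128 ("high") or des/rc4-56 ("medium").
        props.put(Sasl.STRENGTH, "high,medium");
        // Maximum receive buffer in bytes (the documented default is 65536).
        props.put(Sasl.MAX_BUFFER, "65536");
        // Mechanism-specific key from the class description; "3des" is compatible with "high".
        props.put("com.sun.security.sasl.digest.cipher", "3des");

        try {
            SaslClient sc = Sasl.createSaslClient(new String[] {"DIGEST-MD5"},
                    null /* authzid: authorize as the authenticated user */,
                    "ldap", serverHost, props, handler(username, password, realm));
            if (sc == null) throw new SaslException("no DIGEST-MD5 provider available");

            // hasInitialResponse() is false for DIGEST-MD5: the server sends the first challenge.
            byte[] challenge = transport.exchange(null);
            while (!sc.isComplete()) {
                byte[] response = sc.evaluateChallenge(challenge);
                // The final call consumes the server's rspauth (verified inside the mechanism)
                // and returns null: nothing more to send.
                if (response == null && sc.isComplete()) break;
                challenge = transport.exchange(response);
            }
            // Reaching here means the server proved knowledge of the password via rspauth.
            return sc;
        } finally {
            // The caller's copy of the secret is no longer needed once H(A1) has been derived.
            Arrays.fill(password, '\0');
        }
    }

    /** After auth-int or auth-conf is negotiated, every later message must go through wrap/unwrap. */
    static byte[] protect(SaslClient sc, byte[] plaintext) throws SaslException {
        String qop = (String) sc.getNegotiatedProperty(Sasl.QOP);
        if ("auth".equals(qop)) return plaintext;   // no security layer was negotiated
        return sc.wrap(plaintext, 0, plaintext.length);
    }
}
```

Because DIGEST-MD5 never sends an initial response, the loop starts by asking the transport for the server's first challenge; the second evaluateChallenge call returns null once the server's rspauth has been validated, which is the mutual-authentication step the validateResponseValue method below implements. Setting Sasl.STRENGTH without "low" is what keeps the client from negotiating rc4-40 even if the server offers it.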
Authors
Jonathan Bruce, Rosanna Lee
See Also
RFC 2222 - Simple Authentication and Security Layer (SASL), RFC 2831 - Using Digest Authentication as a SASL Mechanism, Java(TM) Cryptography Extension 1.2.1 (JCE), Java(TM) Authentication and Authorization Service (JAAS)

Field Summary

Modifier and Type | Field and Description
private static final int ALGORITHM
private byte[] authzidBytes
private static final int CHARSET
private static final int CIPHER
private static final String CIPHER_PROPERTY
private byte[] cnonce
private static final String[] DIRECTIVE_KEY
private static final int MAXBUF
private static final String MY_CLASS_NAME
private static final int NONCE
private int nonceCount
private char[] passwd
private static final int QOP
private static final int REALM
private static final int RESPONSE_AUTH
private String specifiedCipher
private static final int STALE
private String username
Inherited from com.sun.security.sasl.digest.DigestMD5Base:
authzid, cbh, CIPHER_MASKS, CIPHER_TOKENS, DEFAULT_MAXBUF, DES, DES3, DES_3_STRENGTH, DES_STRENGTH, digestUri, EMPTY_BYTE_ARRAY, encoding, H_A1, MAX_CHALLENGE_LENGTH, MAX_RESPONSE_LENGTH, negotiatedCipher, negotiatedQop, negotiatedRealm, negotiatedStrength, nonce, RC4, RC4_40, RC4_40_STRENGTH, RC4_56, RC4_56_STRENGTH, RC4_STRENGTH, secCtx, step, UNSET, useUTF8

Constructor Summary

Access | Constructor and Description
pack-priv
DigestMD5Client(String authzid, String protocol, String serverName, Map<String, ?> props, CallbackHandler cbh)

Constructor for DIGEST-MD5 mechanism.
- authzid: A non-null String representing the principal for which authorization is being granted.
- protocol: A non-null String detailing the combined protocol and host being used for authentication.
- props: The possibly null properties to be used by the SASL mechanism to configure the authentication exchange.
- cbh: The non-null CallbackHandler object for callbacks

Method Summary

Modifier and Type | Method and Description
private void
checkQopSupport(byte[] qopInChallenge, byte[] ciphersInChallenge)

Parses the 'qop' directive.

private void
checkStrengthSupport(byte[] ciphersInChallenge)

Processes the 'cipher' digest-challenge directive.

private void
clearPassword()

public byte[]
evaluateChallenge(byte[] challengeData)

Implements javax.security.sasl.SaslClient.evaluateChallenge.

Process the challenge data. Takes a non-null byte array containing the challenge data from the server and returns a possibly null byte array containing the response to be sent to the server.

private String
findCipherAndStrength(byte[] supportedCiphers, String[] tokens)

Steps through the ordered 'strength' array, and compares it with the 'supportedCiphers' array. tokens is the array of cipher tokens sent by the server; returns the agreed cipher.

private byte[]
generateClientResponse(byte[] charset)

Returns digest-response suitable for an initial authentication, as a byte array.

private static int
getNonceCount(byte[] nonceValue)

Returns the number of requests (including the current request) that the client has sent in response to nonceValue.

public boolean
hasInitialResponse()

Implements javax.security.sasl.SaslClient.hasInitialResponse.

DIGEST-MD5 has no initial response; returns false.

private void
processChallenge(byte[][] challengeVal, List<byte[]> realmChoices)

Record information from the challengeVal array into variables/fields.

private void
validateResponseValue(byte[] fromServer)

From RFC 2831, Section 2.1.3, Step Three: [Server] sends a message formatted as follows:

response-auth = "rspauth" "=" response-value

where response-value is calculated as above, using the values sent in step two, except that if qop is "auth", then A2 is

A2 = { ":", digest-uri-value }

and if qop is "auth-int" or "auth-conf" then A2 is

A2 = { ":", digest-uri-value, ":00000000000000000000000000000000" }

Inherited from com.sun.security.sasl.digest.DigestMD5Base:
binaryToHex, dispose, generateNonce, generateResponseValue, getMechanismName, getNegotiatedProperty, getPlatformCiphers, nonceCountToHex, parseDirectives, quotedStringValue, stringToByte_8859_1, unwrap, wrap, writeQuotedStringValue

Field Detail

ALGORITHM
private static final int ALGORITHM
authzidBytes
private byte[] authzidBytes
CHARSET
private static final int CHARSET
CIPHER
private static final int CIPHER
CIPHER_PROPERTY
private static final String CIPHER_PROPERTY
cnonce
private byte[] cnonce
DIRECTIVE_KEY
private static final String[] DIRECTIVE_KEY
MAXBUF
private static final int MAXBUF
MY_CLASS_NAME
private static final String MY_CLASS_NAME
NONCE
private static final int NONCE
nonceCount
private int nonceCount
passwd
private char[] passwd
QOP
private static final int QOP
REALM
private static final int REALM
RESPONSE_AUTH
private static final int RESPONSE_AUTH
specifiedCipher
private String specifiedCipher
STALE
private static final int STALE
username
private String username

Constructor Detail

DigestMD5Client
pack-priv DigestMD5Client(String authzid, String protocol, String serverName, Map<String, ?> props, CallbackHandler cbh) throws SaslException

Constructor for DIGEST-MD5 mechanism.

Parameters
authzid:String

A non-null String representing the principal for which authorization is being granted.

protocol:String

A non-null String detailing the combined protocol and host being used for authentication.

props:Map<String, ?>

The possibly null properties to be used by the SASL mechanism to configure the authentication exchange.

cbh:CallbackHandler

The non-null CallbackHandler object for callbacks

Exceptions
SaslException:
if no authentication ID or password is supplied

Method Detail

checkQopSupport
private void checkQopSupport(byte[] qopInChallenge, byte[] ciphersInChallenge) throws IOException

Parses the 'qop' directive. If 'auth-conf' is specified by the client and offered as a QOP option by the server, then a check of the client-side supported ciphers is performed.

checkStrengthSupport
private void checkStrengthSupport(byte[] ciphersInChallenge) throws IOException

Processes the 'cipher' digest-challenge directive. This allows the mechanism to check for client-side support against the list of supported ciphers sent by the server. If no match is found, the mechanism aborts.

Exceptions
SaslException:
If an error is encountered in processing the cipher digest-challenge directive or if no client-side support is found.
clearPassword
private void clearPassword()
evaluateChallenge
public byte[] evaluateChallenge(byte[] challengeData) throws SaslException

Implements javax.security.sasl.SaslClient.evaluateChallenge.

Process the challenge data. The server sends a digest-challenge which the client must reply to in a digest-response. When the authentication is complete, the completed field is set to true.

Parameters
challengeData:byte[]

A non-null byte array containing the challenge data from the server.

Returns:byte[]

A possibly null byte array containing the response to be sent to the server.

Exceptions
SaslException:
If the platform does not have MD5 digest support or if the server sends an invalid challenge.
findCipherAndStrength
private String findCipherAndStrength(byte[] supportedCiphers, String[] tokens)

Steps through the ordered 'strength' array, and compares it with the 'supportedCiphers' array. The cipher returned represents the best possible cipher based on the strength preference and the available ciphers on both the server and client environments.

Parameters
tokens:String[]

The array of cipher tokens sent by the server

Returns:String

The agreed cipher.

generateClientResponse
private byte[] generateClientResponse(byte[] charset) throws IOException

Returns digest-response suitable for an initial authentication. The following are qdstr-val (quoted string values) as per RFC 2831, which means that any embedded quotes must be escaped:
- realm-value
- nonce-value
- username-value
- cnonce-value
- authzid-value

Returns:byte[]

digest-response in a byte array

Exceptions
SaslException:
if there is an error generating the response value or the cnonce value.
getNonceCount
private static int getNonceCount(byte[] nonceValue)

Returns the number of requests (including the current request) that the client has sent in response to nonceValue. This is 1 the first time nonceValue is seen. We don't cache nonce values seen, and we don't support subsequent authentication, so the value is always 1.

hasInitialResponse
public boolean hasInitialResponse()

Implements javax.security.sasl.SaslClient.hasInitialResponse.

DIGEST-MD5 has no initial response

Returns:boolean

false

processChallenge
private void processChallenge(byte[][] challengeVal, List<byte[]> realmChoices) throws SaslException

Record information from the challengeVal array into variables/fields. Check directive values that are multi-valued and ensure that mandatory directives are not missing from the digest-challenge.

Exceptions
SaslException:
if a sasl mechanism cannot correctly handle callbacks or if a violation in the digest challenge format is detected.
validateResponseValue
private void validateResponseValue(byte[] fromServer) throws SaslException

From RFC 2831, Section 2.1.3, Step Three: [Server] sends a message formatted as follows:

response-auth = "rspauth" "=" response-value

where response-value is calculated as above, using the values sent in step two, except that if qop is "auth", then A2 is

A2 = { ":", digest-uri-value }

and if qop is "auth-int" or "auth-conf" then A2 is

A2 = { ":", digest-uri-value, ":00000000000000000000000000000000" }
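To make concrete what validateResponseValue compares against, here is an added example (not the class's own code) that carries the RFC 2831 derivation through: H(A1) from the username, realm and password, the client's response-value with A2 = "AUTHENTICATE:" digest-uri, and the server's rspauth with A2 = ":" digest-uri, plus the 32-zero suffix for auth-int and auth-conf. The sample inputs are the values from the worked example in RFC 2831 (user "chris", realm "elwood.innosoft.com", password "secret"); UTF-8 encoding of the password is an assumption, since the real class selects the charset from the challenge.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/** RFC 2831 response-value and rspauth computation (added example, not JDK code). */
public final class Rfc2831Digest {

    // Appended to A2 when qop is auth-int or auth-conf: ":" followed by 32 zero hex digits.
    private static final String INTEGRITY_SUFFIX = ":00000000000000000000000000000000";

    /** H(s): the raw 16-byte MD5 of the concatenated parts. */
    private static byte[] h(byte[]... parts) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            for (byte[] p : parts) md.update(p);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("platform lacks MD5", e);  // evaluateChallenge's failure case
        }
    }

    /** Assumption: UTF-8, as when the challenge carries charset=utf-8. */
    private static byte[] b(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    /** HEX(n): lowercase hexadecimal as required by the RFC. */
    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte x : bytes) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    /** HEX(H(A1)), A1 = { H(username ":" realm ":" passwd), ":", nonce, ":", cnonce [, ":", authzid] }. */
    static String hexHA1(String username, String realm, char[] passwd,
                         String nonce, String cnonce, String authzid) {
        // The inner hash stays as raw 16 bytes (not hex) when concatenated, per RFC 2831 2.1.2.1.
        byte[] urp = h(b(username + ":" + realm + ":" + new String(passwd)));
        String rest = ":" + nonce + ":" + cnonce + (authzid == null ? "" : ":" + authzid);
        return hex(h(urp, b(rest)));
    }

    /** HEX(KD(HEX(H(A1)), nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2)))), with KD(k, s) = H(k ":" s). */
    private static String kd(String hexHA1, String a2, String nonce, String nc, String cnonce, String qop) {
        String hexHA2 = hex(h(b(a2)));
        return hex(h(b(hexHA1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + hexHA2)));
    }

    /** A2 = { method, ":", digest-uri } plus the zero suffix unless qop is plain "auth". */
    private static String a2(String method, String digestUri, String qop) {
        String a2 = method + ":" + digestUri;
        return "auth".equals(qop) ? a2 : a2 + INTEGRITY_SUFFIX;
    }

    /** Client's response-value: A2 starts with "AUTHENTICATE:". */
    static String responseValue(String hexHA1, String digestUri, String qop,
                                String nonce, String nc, String cnonce) {
        return kd(hexHA1, a2("AUTHENTICATE", digestUri, qop), nonce, nc, cnonce, qop);
    }

    /** Server's rspauth: identical, except A2 starts with ":" (no method), as quoted above. */
    static String rspauth(String hexHA1, String digestUri, String qop,
                          String nonce, String nc, String cnonce) {
        return kd(hexHA1, a2("", digestUri, qop), nonce, nc, cnonce, qop);
    }

    /** The check validateResponseValue performs: constant-time compare, reject on mismatch. */
    static boolean rspauthMatches(String expected, byte[] fromServer) {
        return MessageDigest.isEqual(b(expected), fromServer);
    }

    public static void main(String[] args) {
        // Inputs from the RFC 2831 worked example; qop=auth, so A2 has no zero suffix.
        String user = "chris", realm = "elwood.innosoft.com", uri = "imap/elwood.innosoft.com";
        String nonce = "OA6MG9tEQGm2hh", cnonce = "OA6MHXh6VqTrRk", nc = "00000001", qop = "auth";
        char[] passwd = "secret".toCharArray();

        String ha1 = hexHA1(user, realm, passwd, nonce, cnonce, null);
        Arrays.fill(passwd, '\0');   // mirrors clearPassword(): the secret is not needed past H(A1)

        System.out.println("response = " + responseValue(ha1, uri, qop, nonce, nc, cnonce));
        String expected = rspauth(ha1, uri, qop, nonce, nc, cnonce);
        System.out.println("rspauth  = " + expected);

        // A server that does not hold the password derives a different H(A1), hence a different
        // rspauth, and the client rejects it: this is the mutual-authentication guarantee.
        String fromImpostor = rspauth(hexHA1(user, realm, "wrong".toCharArray(), nonce, cnonce, null),
                                      uri, qop, nonce, nc, cnonce);
        System.out.println("genuine server accepted:  " + rspauthMatches(expected, b(expected)));
        System.out.println("impostor server accepted: " + rspauthMatches(expected, b(fromImpostor)));
    }
}
```

The only difference between the two derivations is the A2 prefix, which is why a server must know H(A1) (and therefore the password) to produce a valid rspauth; the nonce count nc is "00000001" because, as getNonceCount notes, this implementation never reuses a nonce. MessageDigest.isEqual is used for the comparison so that the check does not leak how many leading bytes matched.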