
Enhance DigestScheme for RFC 7616 Compliance and Expanded Hash Algorithm Support #597

Merged: 3 commits, Nov 13, 2024

Conversation

arturobernalg
Member

This PR upgrades the DigestScheme implementation to align with RFC 7616 requirements, introducing support for SHA-256 and SHA-512/256 hash algorithms in addition to MD5.

@arturobernalg arturobernalg requested a review from ok2c November 1, 2024 21:34
Member

@ok2c ok2c left a comment


@arturobernalg Looks good to me.

Please do consider investing some effort into creating compatibility integration tests with Apache HTTPD or Nginx in httpcore5-testing

@@ -367,7 +365,7 @@ private String createDigestResponse(final HttpRequest request) throws Authentica
}

// 3.2.2.2: Calculating digest
if ("MD5-sess".equalsIgnoreCase(algorithm)) {
if ("MD5-sess".equalsIgnoreCase(algorithm) || "SHA-256-sess".equalsIgnoreCase(algorithm) || "SHA-512-256-sess".equalsIgnoreCase(algorithm)) {
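Review bot: the new condition repeats the three session-variant names as string literals, and the same names have to be recognised again by resolveAlgorithm further down, so the two lists can drift apart the next time an algorithm is added; keep one case-insensitive collection of session tokens (for example a `private static final Set<String> SESSION_ALGORITHMS` holding `"MD5-sess"`, `"SHA-256-sess"` and `"SHA-512-256-sess"`, checked after `toUpperCase(Locale.ROOT)`), or detect a trailing `-sess` suffix once and reuse that result both here and in resolveAlgorithm. The `// 3.2.2.2` comment should also say that this branch now covers every -sess variant, not only MD5-sess.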
Member


@arturobernalg You might want to use a set here

* @deprecated Use {@link DigestScheme#createCnonce(String)} instead.
*/
@Deprecated
static byte[] createCnonce() {
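Review bot: `static byte[] createCnonce()` has no access modifier, so it is package-private and no caller outside the package can depend on it; the `@Deprecated` annotation and the `@deprecated` Javadoc pointing at `createCnonce(String)` therefore only keep dead code alive. Delete the zero-argument overload and move its remaining in-package callers to `createCnonce(String)`, so that every cnonce is generated with the algorithm it will be hashed under, which is the point of sizing the cnonce entropy per algorithm in this change-set.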
Member


@arturobernalg This method is package private. Just delete it.

* @return the resolved base algorithm name, or the original algorithm name if no mapping applies
*/
private String resolveAlgorithm(final String algorithm) {
if (algorithm == null || algorithm.equalsIgnoreCase("MD5-sess")) {
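Review bot: the first branch folds `algorithm == null` together with `"MD5-sess"`; a missing algorithm parameter must resolve to plain MD5 (RFC 7616 treats an absent `algorithm` as MD5), so this is only correct if that branch returns `"MD5"`, and a comment stating that default would make the intent obvious. The `-sess` suffix should also be handled for the new `SHA-256-sess` and `SHA-512-256-sess` tokens in this same method, for example by stripping a trailing `-sess` case-insensitively and then mapping the base name, rather than enumerating each variant, so that the Javadoc promise of "the resolved base algorithm name" holds for all three algorithms.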
Member


@arturobernalg Maybe we should use an enum to represent supported algorithms?

Member Author


@olegk I’d say yes in principle, but enforcing a fixed set of algorithms would restrict client flexibility. Currently, we support any algorithm, as demonstrated in the testDigestAuthenticationWithSHA test, which validates a SHA algorithm. According to RFC 7616, only SHA-256, SHA-512/256, and MD5 are actually supported (with MD5 being discouraged).

Member


@arturobernalg I am not suggesting this enum be made a part of the public APIs. It could be package private and could be changed whenever required. But it is merely a thought.

@arturobernalg
Member Author

@arturobernalg Looks good to me.

Please do consider investing some effort into creating compatibility integration tests with Apache HTTPD or Nginx in httpcore5-testing
@ok2c I'm working on it.

…thm support and charset

Enhanced DigestScheme to support SHA-256 and SHA-512/256 algorithms in compliance with RFC 7616.
Adjusted cnonce generation for adequate entropy in SHA-256 and SHA-512/256 contexts.
@michael-o
Member

I am very surprised that Digest isn't dead, at least in SASL it is dead and has long been superseded by SCRAM...

@arturobernalg
Member Author

@arturobernalg Looks good to me.

Please do consider investing some effort into creating compatibility integration tests with Apache HTTPD or Nginx in httpcore5-testing

@ok2c AFAIK, neither mod_auth_digest in Apache HTTPD nor NGINX supports SHA-256 for digest authentication natively. Any thoughts on a workaround or approach for stronger hashing in this context, or am I missing something? Open to suggestions.

@ok2c
Member

ok2c commented Nov 12, 2024

@ok2c AFAIK, neither mod_auth_digest in Apache HTTPD nor NGINX supports SHA-256 for digest authentication natively. Any thoughts on a workaround or approach for stronger hashing in this context, or am I missing something? Open to suggestions.

@arturobernalg It was a nice-to-have, not a blocker. Go ahead and merge the change-set as is.

@arturobernalg arturobernalg merged commit 4b2a365 into apache:master Nov 13, 2024
10 checks passed
3 participants