/*
* Copyright 2008 Web Cohesion
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth.common.signature;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
/**
* HMAC-SHA1 signature method.
*
* @author Ryan Heaton
*/
public class HMAC_SHA1SignatureMethod implements OAuthSignatureMethod {
private static final Log LOG = LogFactory.getLog(HMAC_SHA1SignatureMethod.class);
/**
* The name of this HMAC-SHA1 signature method ("HMAC-SHA1").
*/
public static final String SIGNATURE_NAME = "HMAC-SHA1";
/**
* The MAC name (for interfacing with javax.crypto.*). "HmacSHA1".
*/
public static final String MAC_NAME = "HmacSHA1";
private final SecretKey key;
/**
* Construct a HMAC-SHA1 signature method with the given HMAC-SHA1 key.
*
* @param key The key.
*/
public HMAC_SHA1SignatureMethod(SecretKey key) {
this.key = key;
}
/**
* The name of this HMAC-SHA1 signature method ("HMAC-SHA1").
*
* @return The name of this HMAC-SHA1 signature method.
*/
public String getName() {
return SIGNATURE_NAME;
}
/**
* Sign the signature base string. The signature is the digest octet string, first base64-encoded per RFC2045, section 6.8, then URL-encoded per
* OAuth Parameter Encoding.
*
* @param signatureBaseString The signature base string.
* @return The signature.
*/
public String sign(String signatureBaseString) {
try {
Mac mac = Mac.getInstance(MAC_NAME);
mac.init(key);
byte[] text = signatureBaseString.getBytes("UTF-8");
byte[] signatureBytes = mac.doFinal(text);
signatureBytes = Base64.encodeBase64(signatureBytes);
String signature = new String(signatureBytes, "UTF-8");
if (LOG.isDebugEnabled()) {
LOG.debug("signature base: " + signatureBaseString);
LOG.debug("signature: " + signature);
}
return signature;
}
catch (NoSuchAlgorithmException e) {
throw new IllegalStateException(e);
}
catch (InvalidKeyException e) {
throw new IllegalStateException(e);
}
catch (UnsupportedEncodingException e) {
throw new RuntimeException(e);
}
}
/**
* Verify the signature of the given signature base string. The signature is verified by generating a new request signature octet string, and comparing it
* to the signature provided by the Consumer, first URL-decoded per Parameter Encoding, then base64-decoded per RFC2045 section 6.8. The signature is
* generated using the request parameters as provided by the Consumer, and the Consumer Secret and Token Secret as stored by the Service Provider.
*
* @param signatureBaseString The signature base string.
* @param signature The signature.
* @throws InvalidSignatureException If the signature is invalid for the specified base string.
*/
public void verify(String signatureBaseString, String signature) throws InvalidSignatureException {
try {
if (LOG.isDebugEnabled()) {
LOG.debug("signature base: " + signatureBaseString);
LOG.debug("signature: " + signature);
}
byte[] signatureBytes = Base64.decodeBase64(signature.getBytes("UTF-8"));
Mac mac = Mac.getInstance(MAC_NAME);
mac.init(key);
byte[] text = signatureBaseString.getBytes("UTF-8");
byte[] calculatedBytes = mac.doFinal(text);
if (!safeArrayEquals(calculatedBytes, signatureBytes)) {
throw new InvalidSignatureException("Invalid signature for signature method " + getName());
}
}
catch (NoSuchAlgorithmException e) {
throw new IllegalStateException(e);
}
catch (InvalidKeyException e) {
throw new IllegalStateException(e);
}
catch (UnsupportedEncodingException e) {
throw new RuntimeException(e);
}
}
boolean safeArrayEquals(byte[] a1, byte[] a2) {
if (a1 == null || a2 == null) {
return (a1 == a2);
}
if (a1.length != a2.length) {
return false;
}
byte result = 0;
for (int i = 0; i < a1.length; i++) {
result |= a1[i] ^ a2[i];
}
return (result == 0);
}
/**
* The secret key.
*
* @return The secret key.
*/
public SecretKey getSecretKey() {
return key;
}
}