(ITS#4887) JLDAP - com.novell.sasl.client.DigestMD5SaslClient and RFC2831

21 Mar 2007


      Full_Name: Giovanni Almeida Santos
Version: 2.3.34
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (200.199.204.60)
According to RFC2831 (Using Digest Authentication as a SASL Mechanism), the
rules for a "digest-response" is defined as follows:
digest-response  = 1#( username | realm | nonce | cnonce |
                          nonce-count | qop | digest-uri | response |
                          maxbuf | charset | cipher | authzid |
                          auth-param )
       username         = "username" "=" <"> username-value <">
       username-value   = qdstr-val
       ...
       authzid          = "authzid" "=" <"> authzid-value <">
       authzid-value    = qdstr-val
com.novell.sasl.client.DigestMD5SaslClient class does not implement that RFC at
all because it does not use authzid as described above.
To correct this, it is necessary modify two methods on DigestMD5SaslClient:
DigestCalcHA1 and createDigestResponse.
In the DigestCalcHA1 method it is necessary include the code delimited by //
-->> as follows:
char[] DigestCalcHA1(
        String   algorithm,
        String   userName,
        String   realm,
        String   password,
        String   nonce,
        String   clientNonce) throws SaslException
    {
     ...
            if ("md5-sess".equals(algorithm))
            {
                md.update(hash);
                md.update(":".getBytes("UTF-8"));
                md.update(nonce.getBytes("UTF-8"));
                md.update(":".getBytes("UTF-8"));
                md.update(clientNonce.getBytes("UTF-8"));
                // -->> It is necessary to allow Proxy Authorization
                if(m_authorizationId != null && !"".equals(m_authorizationId))
                {
                    md.update(":".getBytes("UTF-8"));
                    md.update(m_authorizationId.getBytes("UTF-8"));
                }
                // -->> End
                hash = md.digest();
            }
     ...
    }
In the createDigestResponse method it is necessary remove
<code>digestResponse.append(m_authorizationId)<code> (commented below) and
insert the code delimited by // -->>
private String createDigestResponse(
        byte[] challenge)
            throws SaslException
    {
     ...
        digestResponse.append("username="");
        //digestResponse.append(m_authorizationId);
        // -->> It is necessary to allow Proxy Authorization
        digestResponse.append(m_name);
        if(m_authorizationId != null && !"".equals(m_authorizationId))
        {
        	digestResponse.append("",authzid="");
        	digestResponse.append(m_authorizationId);
        }
        // -->> End
     ...
     }
Without these modifications, proxy authorization is not possible.

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

(ITS#4887) JLDAP - com.novell.sasl.client.DigestMD5SaslClient and RFC2831