
Re: [Handle-info] Authentication HS_SECKEY/PUBKEY via Authorization:Handle



Hello Robert.


Thank you very much! It works, although I had to change:


byte[] password = "admin".getBytes(StandardCharsets.UTF_8);


to


byte[] password = Encoder.encodeSecretKey("admin".getBytes(StandardCharsets.UTF_8),true);



because HS_SECKEY is encrypted as well (just in case someone has or could have the same issue).


In addition, regarding the private/public key method, I'm now following the documentation as well as the several examples of the "Community Software". However, I get a 401 error code -_-'.


This is what I get (I'm of course using another handle with HS_PUBKEY as the authentication method):

1º Load the private key

        PrivateKey privkey = Util.getPrivateKeyFromFileWithPassphrase(new File(path), passphrase);

2º Concatenate nonce + cnonce and digest the result using the algorithm (SHA1 in this case).

        // placeholders: the real values are the Base64 nonce from the WWW-Authenticate
        // header and the Base64 cnonce sent by the client
        byte[] serverNonce = Base64.getDecoder().decode("whatevernonce");
        byte[] clientNonce = Base64.getDecoder().decode("whatevercnonce");
        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
        outputStream.write(serverNonce);
        outputStream.write(clientNonce);
        MessageDigest digester = MessageDigest.getInstance("SHA-1");
        digester.update(outputStream.toByteArray());
        byte[] digestBytes = digester.digest();

3º Sign the digest using the private key

        // note: "SHA1withRSA" hashes its input itself, so this signs SHA-1(digestBytes),
        // i.e. SHA-1 is applied twice to nonce + cnonce before the RSA operation
        Signature signature = Signature.getInstance("SHA1withRSA");
        signature.initSign(privkey);
        signature.update(digestBytes);
        byte[] sigBytes = signature.sign();
        String finalsignature = Base64.getEncoder().encodeToString(sigBytes);
I already checked AuthenticationUtil.java from the Admintool (controller package) and supposedly it is verified using the same class and instance. However, I'm probably missing something..


Any idea?


Thanks and best regards!




From: Robert R Tupelo-Schneck <schneck@cnri.reston.va.us>
Sent: Tuesday, 21 March 2017 4:05:02
To: Ruiz-Zafra, Angel
Cc: handle-info@cnri.reston.va.us
Subject: Re: [Handle-info] Authentication HS_SECKEY/PUBKEY via Authorization:Handle

You want to concatenate 4 byte arrays:

(1) the bytes of the password
(2) the bytes of the server nonce---not the bytes of its Base64 encoding
(3) the bytes of the client nonce---not the bytes of its Base64 encoding
(4) the bytes of the password

Here's some Java code to produce the digest:

        byte[] serverNonce = Base64.getDecoder().decode("0K8M9tweMjqguVkD7NGtWA==");
        byte[] clientNonce = Base64.getDecoder().decode("sCXDGrQTeYTL+LMhTPTJpw==");
        byte[] password = "admin".getBytes(StandardCharsets.UTF_8);
        ByteArrayOutputStream outputStream = new ByteArrayOutputStream( );
        outputStream.write(password);
        outputStream.write(serverNonce);
        outputStream.write(clientNonce);
        outputStream.write(password);
        byte[] bytesToDigest = outputStream.toByteArray();
        MessageDigest digester = MessageDigest.getInstance("SHA-1");
        digester.update(bytesToDigest);
        byte[] digestBytes = digester.digest();
        String digestString = Base64.getEncoder().encodeToString(digestBytes);
        System.out.println(digestString);

There are better ways to verify a password; PBKDF2-HMAC-SHA1 is the best supported by the current generation of handle servers.  But I'd encourage you to use a public/private keypair instead anyway.

Robert
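The same HS_SECKEY digest construction, as an added Python example that is not code from this thread or from the Handle software: it uses the nonce and cnonce values quoted above with the example password "admin", contrasts the correct variant (raw decoded nonce bytes) with the mistaken one (bytes of the Base64 text), generates the cnonce from a cryptographic RNG instead of java.util.Random, and assembles the header from the fields listed in the thread (field order is an assumption).

```python
import base64
import hashlib
import secrets

# Nonce values quoted in the thread (server nonce from WWW-Authenticate, client cnonce).
SERVER_NONCE_B64 = "0K8M9tweMjqguVkD7NGtWA=="
CLIENT_NONCE_B64 = "sCXDGrQTeYTL+LMhTPTJpw=="


def make_cnonce() -> str:
    """16 bytes from a cryptographic RNG, Base64-encoded for the header."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def seckey_digest(password: bytes, nonce_b64: str, cnonce_b64: str) -> str:
    """HS_SECKEY digest: SHA-1(password || nonce || cnonce || password), Base64."""
    nonce = base64.b64decode(nonce_b64)     # the raw 16 bytes, not the Base64 text
    cnonce = base64.b64decode(cnonce_b64)
    data = password + nonce + cnonce + password
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def seckey_digest_wrong(password: bytes, nonce_b64: str, cnonce_b64: str) -> str:
    """The mistake from the thread: hashing the bytes of the Base64 strings instead."""
    data = password + nonce_b64.encode("ascii") + cnonce_b64.encode("ascii") + password
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def handle_auth_header(session_id: str, handle_id: str, cnonce_b64: str, signature: str) -> str:
    """Authorization: Handle header value built from the fields named in the thread."""
    fields = [
        ("sessionId", session_id),
        ("id", handle_id),
        ("type", "HS_SECKEY"),
        ("cnonce", cnonce_b64),
        ("alg", "SHA1"),
        ("signature", signature),
    ]
    return "Handle " + ", ".join(f'{k}="{v}"' for k, v in fields)


if __name__ == "__main__":
    sig = seckey_digest(b"admin", SERVER_NONCE_B64, CLIENT_NONCE_B64)
    print("correct:", sig)
    print("wrong:  ", seckey_digest_wrong(b"admin", SERVER_NONCE_B64, CLIENT_NONCE_B64))
    print("Authorization:", handle_auth_header("1tqk8ujryccel1y0hmtguqxjct",
                                               "300:55555/ADMIN", CLIENT_NONCE_B64, sig))
```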

On Mar 20, 2017, at 7:04 AM, Ruiz-Zafra, Angel <a.ruiz-zafra@ucl.ac.uk> wrote:

Hi there!

I'm trying to use the REST API through Java HTTP requests, but so far I'm doing something wrong because I'm not able to do it. I think the error is related to the encryption algorithms/libs.

Here is what I do, considering I would like to authenticate with the Handle 55555/ADMIN, with the password "admin".

1º Make an Authorization Basic request to get the 401 response code, obtaining the session id and the nonce parameters:

WWW-Authenticate   Basic realm="handle"
WWW-Authenticate   Handle sessionId="1tqk8ujryccel1y0hmtguqxjct", nonce="0K8M9tweMjqguVkD7NGtWA==", error="Identity not verified"

2º Now, taking the sessionId and the nonce, construct the new authorization request with the different parameters specified in the documentation:
2.1- sessionId = "1tqk8ujryccel1y0hmtguqxjct" (matches the session id obtained in the first request)
2.2- id="300:55555/ADMIN"
At this point, I already used id="300%3A55555/ADMIN" but it doesn't work
2.3. type="HS_SECKEY"
2.4. cnonce = "sCXDGrQTeYTL+LMhTPTJpw=="

I used this source code to generate the cnonce, using the bouncycastle lib to get the cnonce Base64 string:

        byte[] b = new byte[16];
        new Random().nextBytes(b);   // java.util.Random is not a cryptographically secure RNG
        String cnonce = org.bouncycastle.util.encoders.Base64.toBase64String(b);

2.5. alg = "SHA1"
2.6. signature = "jgrVoaw8D4MI3QROaRWoEDzyVEY="

For the signature I tried different strings:

        String aux = password.concat(header.getNonce()).concat(header.getCnonce()).concat(password);
        String aux2 = password+"+"+header.getNonce()+"+"+header.getCnonce()+"+"+password;
        String aux3 = password+header.getNonce()+header.getCnonce()+password;

I already tried concatenating the bytes of each string:

        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
        outputStream.write(password.getBytes(Common.DEFAULT_ENCODING));
        outputStream.write(header.getNonce().getBytes(Common.DEFAULT_ENCODING));
        outputStream.write(header.getCnonce().getBytes(Common.DEFAULT_ENCODING));
        outputStream.write(password.getBytes(Common.DEFAULT_ENCODING));

And finally, the application of SHA1 using the bouncycastle lib to one of the previous strings (aux, aux2, aux3):

        // t is one of aux, aux2, aux3; encode once so the length matches the bytes hashed
        byte[] input = t.getBytes(Common.DEFAULT_ENCODING);
        SHA1Digest digest = new SHA1Digest();
        digest.update(input, 0, input.length);
        byte[] digestOctets = new byte[digest.getDigestSize()];
        digest.doFinal(digestOctets, 0);

        return org.bouncycastle.util.encoders.Base64.toBase64String(digestOctets);

Returning the String that represents the signature shown above.
Making this request I get not just the 401 error code again, I also get a new sessionId and a new nonce parameter.
Any idea? Probably one of the encryption methods that I'm using isn't the right one?
Best regards!


_______________________________________________
Handle-Info mailing list
Handle-Info@cnri.reston.va.us
http://www.handle.net/mailman/listinfo/handle-info
