[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Handle-info] Handle-Info Digest, Vol 22, Issue 9

Confirmed.
On Tue, Mar 21, 2017 at 9:45 AM <handle-info-request@cnri.reston.va.us> wrote:
Send Handle-Info mailing list submissions to
        handle-info@cnri.reston.va.us

To subscribe or unsubscribe via the World Wide Web, visit
        http://www.handle.net/mailman/listinfo/handle-info
or, via email, send a message with subject or body 'help' to
        handle-info-request@cnri.reston.va.us

You can reach the person managing the list at
        handle-info-owner@cnri.reston.va.us

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Handle-Info digest..."


Today's Topics:

   1. Re: Authentication HS_SECKEY/PUBKEY via Authorization:Handle
      (Robert Tupelo-Schneck)


----------------------------------------------------------------------

Message: 1
Date: Tue, 21 Mar 2017 10:44:51 -0400
From: Robert Tupelo-Schneck <schneck@cnri.reston.va.us>
To: "Ruiz-Zafra, Angel" <a.ruiz-zafra@ucl.ac.uk>
Cc: "handle-info@cnri.reston.va.us" <handle-info@cnri.reston.va.us>
Subject: Re: [Handle-info] Authentication HS_SECKEY/PUBKEY via
        Authorization:Handle
Message-ID: <232927A2-FA5A-4BDB-A5AA-60CF038521DF@cnri.reston.va.us" class="gmail_msg" target="_blank">232927A2-FA5A-4BDB-A5AA-60CF038521DF@cnri.reston.va.us>
Content-Type: text/plain; charset="utf-8"

The Java SHA1withRSA algorithm already includes the digest using SHA1; you don't need to digest before signing.

    Signature signature = Signature.getInstance("SHA1withRSA");
    signature.initSign(privKey);
    signature.update(serverNonce);
    signature.update(clientNonce);
    byte[] sigBytes = signature.sign();

Here, you should probably prefer SHA256withRSA instead.

Robert

> On 2017-03-21, at 09:16, Ruiz-Zafra, Angel <a.ruiz-zafra@ucl.ac.uk> wrote:
>
> Hello Robert.
>
> Thank you very much!. It works, although I have to change:
>
> byte[] password = "admin".getBytes(StandardCharsets.UTF_8);
>
> to
>
> byte[] password = Encoder.encodeSecretKey("admin".getBytes(StandardCharsets.UTF_8),true);
>
>
> because HS_SECKEY is encrypted as well (just in case someone has or could have the same issue).
>
> In addition, and about with the private/public key method, I'm following now the documentation as well as the several examples of the "Community Software". However I get 401 error code -_-'.
>
> This is what I get (I'm using of course other handle with HS_PUBKEY as authentication method):
> 1? Load private key
> PrivateKey privkey = Util.getPrivateKeyFromFileWithPassphrase(new File(path),passphrase);
> 2? Concat nonce + cnonce and digest the result using algorithm (SHA1 in this case).
> byte[] serverNonce = Base64.getDecoder().decode("whatevernonce");
> byte[] clientNonce = Base64.getDecoder().decode("whatevercnonce);
> ByteArrayOutputStream outputStream = new ByteArrayOutputStream( );
> outputStream.write(serverNonce);
> outputStream.write(clientNonce);
> MessageDigest digester = MessageDigest.getInstance("SHA-1");
> digester.update(outputStream.toByteArray());
> byte[] digestBytes =  digester.digest();
>
> 3?Sign the digest using the privatekey
> Signature signature = Signature.getInstance("SHA1withRSA");
> signature.initSign(privkey);
> signature.update(digestBytes);
> byte[] sigBytes = signature.sign();
> String finalsignature =  Base64.getEncoder().encodeToString(sigBytes);
> I already check AuthenticationUtil.java from the Admintool (controller package) and supposedly is verified using the same class and instance. However, probably I'm missing something..
>
> Any idea?
>
> Thanks and best regards!
>
>
> De: Robert R Tupelo-Schneck <schneck@cnri.reston.va.us <mailto:schneck@cnri.reston.va.us>>
> Enviado: martes, 21 de marzo de 2017 4:05:02
> Para: Ruiz-Zafra, Angel
> Cc: handle-info@cnri.reston.va.us
> Asunto: Re: [Handle-info] Authentication HS_SECKEY/PUBKEY via Authorization:Handle
>
> You want to concatenate 4 byte arrays:
>
> (1) the bytes of the password
> (2) the bytes of the server nonce---not the bytes of its Base64 encoding
> (3) the bytes of the client nonce---not the bytes of its Base64 encoding
> (4) the bytes of the password
>
> Here's some Java code to produce the digest:
>
>         byte[] serverNonce = Base64.getDecoder().decode("0K8M9tweMjqguVkD7NGtWA==");
>         byte[] clientNonce = Base64.getDecoder().decode("sCXDGrQTeYTL+LMhTPTJpw==");
>         byte[] password = "admin".getBytes(StandardCharsets.UTF_8);
>         ByteArrayOutputStream outputStream = new ByteArrayOutputStream( );
>         outputStream.write(password);
>         outputStream.write(serverNonce);
>         outputStream.write(clientNonce);
>         outputStream.write(password);
>         byte[] bytesToDigest = outputStream.toByteArray();
>         MessageDigest digester = MessageDigest.getInstance("SHA-1");
>         digester.update(bytesToDigest);
>         byte[] digestBytes = digester.digest();
>         String digestString = Base64.getEncoder().encodeToString(digestBytes);
>         System.out.println(digestString);
>
> There are better ways to verify a password; PBKDF2-HMAC-SHA1 is the best supported by the current generation of handle servers.  But I'd encourage you to use a public/private keypair instead anyway.
>
> Robert
>
>> On Mar 20, 2017, at 7:04 AM, Ruiz-Zafra, Angel <a.ruiz-zafra@ucl.ac.uk <mailto:a.ruiz-zafra@ucl.ac.uk>> wrote:
>>
>> Hi there!.
>>
>> I'm trying to use REST API through Java Http-request but so far I'm doing something wrong because I'm not able to do it. I think the error is related with the encryption algorithms/libs.
>>
>> Here is what I do, considering I would like to authenticate in the Handle 55555/ADMIN, with the password "admin".
>>
>> 1? Make a Authorization basic request to get the 401 response code, getting the sessions id and the nonce parameters:
>>
>> WWW-Authenticate   Basic realm="handle"
>> WWW-Authenticate   Handle sessionId="1tqk8ujryccel1y0hmtguqxjct", nonce="0K8M9tweMjqguVkD7NGtWA==", error="Identity not verified"
>>
>> 2? Now, taking sessionId and the nonce, construct the new authorization request with the different parameters specified in the documentation:
>> 2.1- sessionId = "1tqk8ujryccel1y0hmtguqxjct" (match session id get in the first request)
>> 2.2- id="300:55555/ADMIN"
>> In this point, y already use id="300%3A55555/ADMIN" but doesn't work
>> 2.3. type="HS_SECKEY"
>> 2.4. cnonce = "sCXDGrQTeYTL+LMhTPTJpw=="
>>
>> I used this source code to generate cnonce, using bouncycastel lib to get the cnonce Base64 string:
>> byte[] b = new byte[16];
>>  new Random().nextBytes(b);
>>  String cnonce=org.bouncycastle.util.encoders.Base64.toBase64String(b);
>> 2.5. alg = "SHA1"
>> 2.6. signature =jgrVoaw8D4MI3QROaRWoEDzyVEY="
>>
>> For the signature I tried different strings:
>> String aux = password.concat(header.getNonce()).concat(header.getCnonce()).concat(password);
>> String aux2 = password+"+"+header.getNonce()+"+"+header.getCnonce()+"+"+password;
>> String aux3 = password+header.getNonce()+header.getCnonce()+password;
>>  I already tried concatenating the bytes of each string:
>> ByteArrayOutputStream outputStream = new ByteArrayOutputStream( );
>> outputStream.write(password.getBytes(Common.DEFAULT_ENCODING));
>> outputStream.write(header.getNonce().getBytes(Common.DEFAULT_ENCODING));
>> outputStream.write(header.getCnonce().getBytes(Common.DEFAULT_ENCODING));
>> outputStream.write(password.getBytes(Common.DEFAULT_ENCODING));
>> And finally, the application of SHA1 using bouncycastle lib to one of the previous strings (aux,aux2, aux3):
>> SHA1Digest digest = new SHA1Digest();
>>
>> digest.update(t.getBytes(Common.DEFAULT_ENCODING), 0, t.getBytes().length);
>> byte[] digestOctets = new byte[digest.getDigestSize()];
>> digest.doFinal(digestOctets, 0);
>>
>> return org.bouncycastle.util.encoders.Base64.toBase64String(digestOctets);
>> Returning the String that represents the signature showed above.
>> Making this request I get again not just 401 error code, I already get a new sessionId and a new nonce parameter.
>> Any idea? Probably one the encryptiong methods that I'm using isn't the right one?
>> Best regards!
>>
>>
>> _______________________________________________
>> Handle-Info mailing list
>> Handle-Info@cnri.reston.va.us <mailto:Handle-Info@cnri.reston.va.us>
>> http://www.handle.net/mailman/listinfo/handle-info <http://www.handle.net/mailman/listinfo/handle-info>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.handle.net/mailman/private/handle-info/attachments/20170321/060b739a/attachment.html>

------------------------------

_______________________________________________
Handle-Info mailing list
Handle-Info@cnri.reston.va.us
http://www.handle.net/mailman/listinfo/handle-info


End of Handle-Info Digest, Vol 22, Issue 9
******************************************
--

Brian Bolden

University of Texas at San Antonio

College of Business (COB)

Senior 

Dek142@my.utsa.edu


_______________________________________________
Handle-Info mailing list
Handle-Info@cnri.reston.va.us
http://www.handle.net/mailman/listinfo/handle-info