From 61c0fbc5eb9d24267d4ca24cdebe4566e959bd02 Mon Sep 17 00:00:00 2001 From: Thomas <> Date: Thu, 29 Aug 2024 09:52:25 +0200 Subject: feat(utils): add RFC7636 (Outh2 PKCE) implementation --- .../gv/egiz/eaaf/core/impl/utils/Rfc7636Utils.java | 141 +++++++++++++++++++++ 1 file changed, 141 insertions(+) create mode 100644 eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/Rfc7636Utils.java (limited to 'eaaf_core_utils/src/main') diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/Rfc7636Utils.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/Rfc7636Utils.java new file mode 100644 index 00000000..b213d932 --- /dev/null +++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/Rfc7636Utils.java @@ -0,0 +1,141 @@ +package at.gv.egiz.eaaf.core.impl.utils; + +import java.nio.charset.StandardCharsets; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; +import java.util.Base64; + +import lombok.Builder; +import lombok.Getter; + +/** + * Implements OAuth2 PKCE from RFC7636. + */ +public class Rfc7636Utils { + + private SecureRandom random; + private static Rfc7636Utils instance = null; + + public static final String PARAM_NAME_VERIFIER = "code_verifier"; + public static final String PARAM_NAME_CHALLENGE = "code_challenge"; + public static final String PARAM_NAME_METHOD = "code_challenge_method"; + + /** + * Get an instance of RFC7636 implementation for PKCE. + * + * @return {@link Rfc7636Utils} + * @throws NoSuchAlgorithmException In case of Secure-Random problems + */ + public static Rfc7636Utils getInstance() throws NoSuchAlgorithmException { + if (instance == null) { + instance = new Rfc7636Utils(); + + } + return instance; + + } + + /** + * Generates a new pair of PKCE information. + * + *

+ * Using S256 as method. + *

+ * + * @return PKCE data that can be directly used + * @throws NoSuchAlgorithmException In case of SHA-256 problem + */ + public PkceInfo generate() throws NoSuchAlgorithmException { + return generate(Method.S256); + + } + + /** + * Generates a new pair of PKCE information. + * + * @param method Challenge generation method + * @return PKCE data that can be directly used + * @throws NoSuchAlgorithmException In case of SHA-256 problem + */ + public PkceInfo generate(Method method) throws NoSuchAlgorithmException { + String value = generateNewRandomValue(); + return PkceInfo.builder() + .codeMethod(method) + .codeVerifier(value) + .codeChallenge(calculateChallenge(value, method)) + .build(); + + } + + /** + * Verify PKCE information. + * + * @param input Set of PKCE infos + * @return true if infos a valid, otherwise false + * @throws NoSuchAlgorithmException In case of SHA-256 problem + */ + public boolean verify(PkceInfo input) throws NoSuchAlgorithmException { + return input.codeChallenge.equals( + calculateChallenge(input.codeVerifier, input.codeMethod)); + + } + + private String calculateChallenge(String value, Method method) throws NoSuchAlgorithmException { + if (Method.PLAIN.equals(method)) { + return value; + + } else { + return encodeB64(MessageDigest.getInstance("SHA-256").digest( + value.getBytes(StandardCharsets.US_ASCII))); + + } + } + + private String generateNewRandomValue() { + byte[] values = new byte[20]; + random.nextBytes(values); + return encodeB64(values); + + } + + private String encodeB64(byte[] input) { + return Base64.getUrlEncoder().withoutPadding().encodeToString(input); + } + + private Rfc7636Utils() throws NoSuchAlgorithmException { + random = SecureRandom.getInstanceStrong(); + + } + + public enum Method { + S256, PLAIN + } + + /** + * Holds a fresh pair of PKCE information. + * + * @author tlenz + */ + @Getter + @Builder(toBuilder = true) + public static class PkceInfo { + + String codeVerifier; + + String codeChallenge; + + Method codeMethod; + + /** + * Get PKCE method as String regarding to RFC7636. + * + * @return PKCE method + */ + public String getMethod() { + return codeMethod.toString(); + + } + + } +} -- cgit v1.2.3