However I had a recent requirement to use a web service that makes use of Digest Authentication. If you have look at the UTL_HTTP SET_AUTHENTICATION subprogram, it only addresses Basic authentication (and, apparently, Amazon S3 which looks intriguing).
In Basic authentication, the username and password get sent across as part of the request. Going through SSL, that doesn't seem too bad, as it is encrypted over the transfer and the certificates should ensure you are talking to the legitimate destination. However if that destination has been compromised, you've handed over your username and password. In an ideal world, the server shouldn't need to know your password, which is why database should only have hashed versions of passwords.
Outside of SSL, you might as well just print the username and password on the back of a postcard.
In Digest authentication, you get a more complex interaction that keeps the password secret. You ask for a page, the server responds with an "Authentication Required" plus some bits of information including a nonce. You come up with a hashed value based on the server nonce, your own nonce and a hash of your username and password and send it back with the next request. The server has its own record of your username/password hash and can duplicate the calculations. If everyone is happy, the server can fulfill your request and nobody ever actually needs to know the password.
Our server used SSL, and thanks to Tim's article on SSL and UTL_HTTP, it was a simple set up. I've done it before, but that was in the days when it seemed a lot hard to get certificates OUT of a browser to put them in your Oracle Wallet.
The Interwebs were a lot less forthcoming on a PL/SQL implementation of Digest authentication though. The closest I got was this discussion, which can be summed up as "This may be complex, but I do not see these offhand as being impossible to do in PL/SQL....No Digest configured web server nearby or I would definitely have had a bash at this"
A read through the Wikipedia article, and I came up with the code below:
Firstly, after the initial request, go through the header to get the 'WWW-Authenticate' item. Take the value associated with that header, and pass it to the "auth_digest" procedure.
l_max := UTL_HTTP.GET_HEADER_COUNT(l_http_response);
l_ind := 1;
l_name := '-';
while l_ind <= l_max AND l_name != 'WWW-Authenticate' LOOP
UTL_HTTP.GET_HEADER(l_http_response, l_ind, l_name, l_value);
IF l_name = 'WWW-Authenticate'
AND l_http_response.status_code = UTL_HTTP.HTTP_UNAUTHORIZED THEN
--
-- Unauthorized. Using the Authorization response header, we can come up with the
-- required values to allow a re-request with the authentication/authorisation details
--
dbms_application_info.set_action('auth:'||$$PLSQL_LINE);
UTL_HTTP.END_RESPONSE(l_http_response);
--
dbms_application_info.set_action('auth_req:'||$$PLSQL_LINE);
l_http_request := UTL_HTTP.BEGIN_REQUEST(l_server||l_method);
auth_digest (io_http_request => l_http_request, i_auth_value => l_value,
i_username => nvl(i_username,'xxxx'), i_password => nvl(i_password,'xxxx'),
i_req_path => l_method, i_client_nonce => null);
dbms_output.put_line($$PLSQL_LINE||':Get Response from authenticated request');
dbms_application_info.set_action('auth_resp:'||$$PLSQL_LINE);
l_http_response := UTL_HTTP.GET_RESPONSE(l_http_request);
dump_resp (l_http_response);
dump_hdr (l_http_response);
END IF;
l_ind := l_ind + 1;
END LOOP;
procedure extract_auth_items
(i_text in varchar2,
o_realm out varchar2, o_qop out varchar2, o_nonce out varchar2, o_opaque out varchar2) is
begin
o_realm := substr(regexp_substr(i_text, 'realm="[^"]+' ),8);
o_qop := substr(regexp_substr(i_text, 'qop="[^"]+' ),6);
o_nonce := substr(regexp_substr(i_text, 'nonce="[^"]+' ),8);
o_opaque := substr(regexp_substr(i_text, 'opaque="[^"]+'),9);
end extract_auth_items;
Next is the 'meat' where the values are combined in the various hashes. Yes, there's a hard-coded default client nonce in there that, by a strange coincidence, matches on in the wikipedia article. That's how this stuff gets developed, by following through a worked example. Just like school.
function digest_auth_md5_calcs
(i_username in varchar2, i_password in varchar2, i_req_path in varchar2,
i_realm in varchar2, i_server_nonce in varchar2,
i_qop in varchar2 default 'auth',
i_client_nonce in varchar2 default '0a4f113b',
i_req_type in varchar2 default 'GET', i_req_cnt IN NUMBER default 1)
return varchar2 is
--
v_in_str varchar2(2000);
v_in_raw raw(2000);
v_out varchar2(60);
--
v_ha1 varchar2(40);
v_ha2 varchar2(40);
v_response varchar2(40);
--
begin
--
v_in_str := i_username||':'||i_realm||':'||i_password;
v_in_raw := utl_raw.cast_to_raw(v_in_str);
v_out := DBMS_OBFUSCATION_TOOLKIT.md5(input => v_in_raw);
v_ha1 := lower(v_out);
--
v_in_str := i_req_type||':'||i_req_path;
v_in_raw := utl_raw.cast_to_raw(v_in_str);
v_out := DBMS_OBFUSCATION_TOOLKIT.md5(input => v_in_raw);
v_ha2 := lower(v_out);
--
v_in_str := v_ha1||':'||i_server_nonce||':'||lpad(i_req_cnt,8,0)||':'||
i_client_nonce||':'||i_qop||':'||v_ha2;
v_in_raw := utl_raw.cast_to_raw(v_in_str);
v_out := DBMS_OBFUSCATION_TOOLKIT.md5(input => v_in_raw);
v_response := lower(v_out);
--
return v_response;
end digest_auth_md5_calcs;
procedure auth_digest
(io_http_request in out UTL_HTTP.REQ, i_auth_value in varchar2,
i_username in varchar2, i_password in varchar2,
i_req_path in varchar2, i_qop in varchar2 default 'auth',
i_req_cnt in number default 1, i_client_nonce in varchar2 default null)
is
l_realm varchar2(400);
l_qop varchar2(30);
l_server_nonce VARCHAR2(400);
l_opaque varchar2(100);
--
l_response varchar2(40);
l_value VARCHAR2(1024);
--
l_client_nonce varchar2(30);
--
begin
--
-- Apply the username / password for Digest authentication
--
extract_auth_items (i_auth_value,
l_realm, l_qop, l_server_nonce, l_opaque);
--
IF i_client_nonce is not null then
l_client_nonce := i_client_nonce;
ELSE
l_client_nonce := lower(utl_raw.cast_to_raw(DBMS_OBFUSCATION_TOOLKIT.md5(
input_string=>dbms_random.value)));
END IF;
--
l_response := digest_auth_md5_calcs
(i_username => i_username, i_password => i_password, i_req_path => i_req_path,
i_realm => l_realm, i_server_nonce => l_server_nonce,
i_client_nonce => l_client_nonce);
--i_qop default to auth, i_req_type default to GET and i_req_cnt default to 1
--
l_value := 'Digest username="' ||i_username ||'",'||
' realm="' ||l_realm ||'",'||
' nonce="' ||l_server_nonce ||'",'||
' uri="' ||i_req_path ||'",'||
' response="' ||l_response ||'",'||
' qop=' ||i_qop ||',' ||
' nc=' ||lpad(i_req_cnt,8,0) ||',' ||
' cnonce="' ||i_client_nonce ||'"'
;
--
IF l_opaque is not null then
l_value := l_value||',opaque="'||l_opaque||'"';
END IF;
dbms_output.put_line(l_value);
UTL_HTTP.SET_HEADER(io_http_request, 'Authorization', l_value);
--
end auth_digest;
A package with the code is available from my CodeSpace page, or directly here. There's a lot of debug 'stuff' in there. The code I'm using is still tailored to my single specific need, and I've stripped specific values from this published variant. You'll need to hard-code or parameterize it for any real use. I may be able to do a 'cleaned-up' version in the future, but don't hold your breath.
1 comment:
Thanks for writing this and posting it online! You just saved me hours of work!
Post a Comment