Implement full RFC 7616 HTTP Digest Authentication compliance

Author: hyperxpro

client/src/main/java/org/asynchttpclient/Dsl.java

@@ -112,7 +112,9 @@ public static Realm.Builder realm(Realm prototype) {
                 .setServicePrincipalName(prototype.getServicePrincipalName())
                 .setUseCanonicalHostname(prototype.isUseCanonicalHostname())
                 .setCustomLoginConfig(prototype.getCustomLoginConfig())
-                .setLoginContextName(prototype.getLoginContextName());
+                .setLoginContextName(prototype.getLoginContextName())
+                .setUserhash(prototype.isUserhash());
+        // Note: stale is NOT copied — it's challenge-specific, always starts false
     }
 
     public static Realm.Builder realm(AuthScheme scheme, String principal, String password) {

client/src/main/java/org/asynchttpclient/Realm.java

@@ -44,8 +44,6 @@
 public class Realm {
 
     private static final String DEFAULT_NC = "00000001";
-    // MD5("")
-    private static final String EMPTY_ENTITY_MD5 = "d41d8cd98f00b204e9800998ecf8427e";
 
     private final @Nullable String principal;
     private final @Nullable String password;
@@ -69,6 +67,8 @@ public class Realm {
     private final @Nullable String servicePrincipalName;
     private final boolean useCanonicalHostname;
     private final @Nullable String loginContextName;
+    private final boolean stale;
+    private final boolean userhash;
 
     private Realm(@Nullable AuthScheme scheme,
                   @Nullable String principal,
@@ -91,7 +91,9 @@ private Realm(@Nullable AuthScheme scheme,
                   @Nullable String servicePrincipalName,
                   boolean useCanonicalHostname,
                   @Nullable Map<String, String> customLoginConfig,
-                  @Nullable String loginContextName) {
+                  @Nullable String loginContextName,
+                  boolean stale,
+                  boolean userhash) {
 
         this.scheme = requireNonNull(scheme, "scheme");
         this.principal = principal;
@@ -115,6 +117,8 @@ private Realm(@Nullable AuthScheme scheme,
         this.useCanonicalHostname = useCanonicalHostname;
         this.customLoginConfig = customLoginConfig;
         this.loginContextName = loginContextName;
+        this.stale = stale;
+        this.userhash = userhash;
     }
 
     public @Nullable String getPrincipal() {
@@ -220,6 +224,14 @@ public boolean isUseCanonicalHostname() {
         return loginContextName;
     }
 
+    public boolean isStale() {
+        return stale;
+    }
+
+    public boolean isUserhash() {
+        return userhash;
+    }
+
     @Override
     public String toString() {
         return "Realm{" +
@@ -285,6 +297,9 @@ public static class Builder {
         private boolean useCanonicalHostname;
         private @Nullable String loginContextName;
         private @Nullable String cs;
+        private boolean stale;
+        private boolean userhash;
+        private @Nullable String entityBodyHash;
 
         public Builder() {
             principal = null;
@@ -398,6 +413,33 @@ public Builder setLoginContextName(@Nullable String loginContextName) {
             return this;
         }
 
+        public Builder setStale(boolean stale) {
+            this.stale = stale;
+            return this;
+        }
+
+        public boolean isStale() {
+            return stale;
+        }
+
+        public Builder setUserhash(boolean userhash) {
+            this.userhash = userhash;
+            return this;
+        }
+
+        public Builder setEntityBodyHash(@Nullable String entityBodyHash) {
+            this.entityBodyHash = entityBodyHash;
+            return this;
+        }
+
+        public @Nullable String getQopValue() {
+            return qop;
+        }
+
+        public @Nullable String getNonceValue() {
+            return nonce;
+        }
+
         private static @Nullable String parseRawQop(String rawQop) {
             String[] rawServerSupportedQops = rawQop.split(",");
             String[] serverSupportedQops = new String[rawServerSupportedQops.length];
@@ -422,56 +464,122 @@ public Builder setLoginContextName(@Nullable String loginContextName) {
         }
 
         public Builder parseWWWAuthenticateHeader(String headerLine) {
-            setRealmName(match(headerLine, "realm"))
-                    .setNonce(match(headerLine, "nonce"))
-                    .setOpaque(match(headerLine, "opaque"))
+            setRealmName(matchParam(headerLine, "realm"))
+                    .setNonce(matchParam(headerLine, "nonce"))
+                    .setOpaque(matchParam(headerLine, "opaque"))
                     .setScheme(isNonEmpty(nonce) ? AuthScheme.DIGEST : AuthScheme.BASIC);
-            String algorithm = match(headerLine, "algorithm");
-            String cs = match(headerLine, "charset");
+            String algorithm = matchParam(headerLine, "algorithm");
+            String cs = matchParam(headerLine, "charset");
             if ("UTF-8".equalsIgnoreCase(cs)) {
                 this.digestCharset = UTF_8;
             }
             if (isNonEmpty(algorithm)) {
                 setAlgorithm(algorithm);
             }
 
-            // FIXME qop is different with proxy?
-            String rawQop = match(headerLine, "qop");
+            String rawQop = matchParam(headerLine, "qop");
             if (rawQop != null) {
                 setQop(parseRawQop(rawQop));
             }
 
+            // Parse stale flag
+            String staleStr = matchParam(headerLine, "stale");
+            this.stale = "true".equalsIgnoreCase(staleStr);
+
+            // Parse userhash flag
+            String userhashStr = matchParam(headerLine, "userhash");
+            this.userhash = "true".equalsIgnoreCase(userhashStr);
+
             return this;
         }
 
         public Builder parseProxyAuthenticateHeader(String headerLine) {
-            setRealmName(match(headerLine, "realm"))
-                    .setNonce(match(headerLine, "nonce"))
-                    .setOpaque(match(headerLine, "opaque"))
+            setRealmName(matchParam(headerLine, "realm"))
+                    .setNonce(matchParam(headerLine, "nonce"))
+                    .setOpaque(matchParam(headerLine, "opaque"))
                     .setScheme(isNonEmpty(nonce) ? AuthScheme.DIGEST : AuthScheme.BASIC);
-            String algorithm = match(headerLine, "algorithm");
+            String algorithm = matchParam(headerLine, "algorithm");
             if (isNonEmpty(algorithm)) {
                 setAlgorithm(algorithm);
             }
-            // FIXME qop is different with proxy?
-            setQop(match(headerLine, "qop"));
+
+            String rawQop = matchParam(headerLine, "qop");
+            if (rawQop != null) {
+                setQop(parseRawQop(rawQop));
+            }
+
+            String cs = matchParam(headerLine, "charset");
+            if ("UTF-8".equalsIgnoreCase(cs)) {
+                this.digestCharset = UTF_8;
+            }
+
+            // Parse stale flag
+            String staleStr = matchParam(headerLine, "stale");
+            this.stale = "true".equalsIgnoreCase(staleStr);
+
+            // Parse userhash flag
+            String userhashStr = matchParam(headerLine, "userhash");
+            this.userhash = "true".equalsIgnoreCase(userhashStr);
 
             return this;
         }
 
         /**
          * Extracts the value of a token from a WWW-Authenticate or Proxy-Authenticate header line.
-         * Example: match('Digest realm="test", nonce="abc"', "realm") returns "test"
+         * Handles both quoted values (token="value") and unquoted values (token=value).
+         * Example: matchParam('Digest realm="test", algorithm=SHA-256', "realm") returns "test"
+         * Example: matchParam('Digest algorithm=SHA-256', "algorithm") returns "SHA-256"
          */
-        private static @Nullable String match(String headerLine, String token) {
-            if (headerLine == null || token == null) return null;
-            String pattern = token + "=\"";
-            int start = headerLine.indexOf(pattern);
-            if (start == -1) return null;
-            start += pattern.length();
-            int end = headerLine.indexOf('"', start);
-            if (end == -1) return null;
-            return headerLine.substring(start, end);
+        public static @Nullable String matchParam(String headerLine, String token) {
+            if (headerLine == null || token == null) {
+                return null;
+            }
+            // Look for token= (case-insensitive token match)
+            int len = headerLine.length();
+            int tokenLen = token.length();
+            int i = 0;
+            while (i < len) {
+                int idx = headerLine.indexOf('=', i);
+                if (idx == -1) {
+                    return null;
+                }
+                // Walk backwards from '=' to find the start of the key (skip whitespace)
+                int keyEnd = idx;
+                while (keyEnd > i && headerLine.charAt(keyEnd - 1) == ' ') {
+                    keyEnd--;
+                }
+                int keyStart = keyEnd - tokenLen;
+                if (keyStart >= 0
+                        && headerLine.regionMatches(true, keyStart, token, 0, tokenLen)
+                        && (keyStart == 0 || headerLine.charAt(keyStart - 1) == ' ' || headerLine.charAt(keyStart - 1) == ',')) {
+                    // Found matching token, now extract value
+                    int valStart = idx + 1;
+                    // skip whitespace after '='
+                    while (valStart < len && headerLine.charAt(valStart) == ' ') {
+                        valStart++;
+                    }
+                    if (valStart < len && headerLine.charAt(valStart) == '"') {
+                        // Quoted value
+                        int valEnd = headerLine.indexOf('"', valStart + 1);
+                        if (valEnd == -1) {
+                            return null;
+                        }
+                        return headerLine.substring(valStart + 1, valEnd);
+                    } else {
+                        // Unquoted value — terminated by ',' or end-of-string
+                        int valEnd = valStart;
+                        while (valEnd < len && headerLine.charAt(valEnd) != ',' && headerLine.charAt(valEnd) != ' ') {
+                            valEnd++;
+                        }
+                        if (valEnd > valStart) {
+                            return headerLine.substring(valStart, valEnd);
+                        }
+                        return null;
+                    }
+                }
+                i = idx + 1;
+            }
+            return null;
         }
 
         private void newCnonce(MessageDigest md) {
@@ -530,11 +638,13 @@ private byte[] ha2(StringBuilder sb, String digestUri, MessageDigest md) {
             // if qop is "auth-int" => A2 = Method ":" digest-uri-value ":" H(entity-body)
             sb.append(methodName).append(':').append(digestUri);
             if ("auth-int".equals(qop)) {
-                // when qop == "auth-int", A2 = Method ":" digest-uri-value ":" H(entity-body)
-                // but we don't have the request body here
-                // we would need a new API
-                sb.append(':').append(EMPTY_ENTITY_MD5);
-
+                sb.append(':');
+                if (entityBodyHash != null) {
+                    sb.append(entityBodyHash);
+                } else {
+                    // Hash of empty body using the current algorithm
+                    sb.append(toHexString(md.digest()));
+                }
             } else if (qop != null && !"auth".equals(qop)) {
                 throw new UnsupportedOperationException("Digest qop not supported: " + qop);
             }
@@ -608,7 +718,9 @@ public Realm build() {
                     servicePrincipalName,
                     useCanonicalHostname,
                     customLoginConfig,
-                    loginContextName);
+                    loginContextName,
+                    stale,
+                    userhash);
         }
     }
 }

client/src/main/java/org/asynchttpclient/netty/handler/intercept/Interceptors.java

@@ -32,15 +32,22 @@
 import org.asynchttpclient.netty.channel.ChannelManager;
 import org.asynchttpclient.netty.request.NettyRequestSender;
 import org.asynchttpclient.proxy.ProxyServer;
+import org.asynchttpclient.util.AuthenticatorUtils;
+import org.asynchttpclient.util.NonceCounter;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import static io.netty.handler.codec.http.HttpHeaderNames.SET_COOKIE;
+import static org.asynchttpclient.Dsl.realm;
 import static org.asynchttpclient.util.HttpConstants.ResponseStatusCodes.CONTINUE_100;
 import static org.asynchttpclient.util.HttpConstants.ResponseStatusCodes.OK_200;
 import static org.asynchttpclient.util.HttpConstants.ResponseStatusCodes.PROXY_AUTHENTICATION_REQUIRED_407;
 import static org.asynchttpclient.util.HttpConstants.ResponseStatusCodes.UNAUTHORIZED_401;
 
 public class Interceptors {
 
+    private static final Logger LOGGER = LoggerFactory.getLogger(Interceptors.class);
+
     private final AsyncHttpClientConfig config;
     private final Unauthorized401Interceptor unauthorized401Interceptor;
     private final ProxyUnauthorized407Interceptor proxyUnauthorized407Interceptor;
@@ -50,13 +57,15 @@ public class Interceptors {
     private final ResponseFiltersInterceptor responseFiltersInterceptor;
     private final boolean hasResponseFilters;
     private final ClientCookieDecoder cookieDecoder;
+    private final NonceCounter nonceCounter;
 
     public Interceptors(AsyncHttpClientConfig config,
                         ChannelManager channelManager,
                         NettyRequestSender requestSender) {
         this.config = config;
-        unauthorized401Interceptor = new Unauthorized401Interceptor(channelManager, requestSender);
-        proxyUnauthorized407Interceptor = new ProxyUnauthorized407Interceptor(channelManager, requestSender);
+        nonceCounter = new NonceCounter();
+        unauthorized401Interceptor = new Unauthorized401Interceptor(channelManager, requestSender, nonceCounter);
+        proxyUnauthorized407Interceptor = new ProxyUnauthorized407Interceptor(channelManager, requestSender, nonceCounter);
         continue100Interceptor = new Continue100Interceptor(requestSender);
         redirect30xInterceptor = new Redirect30xInterceptor(channelManager, config, requestSender);
         connectSuccessInterceptor = new ConnectSuccessInterceptor(channelManager, requestSender);
@@ -109,6 +118,52 @@ public boolean exitAfterIntercept(Channel channel, NettyResponseFuture<?> future
         if (httpRequest.method() == HttpMethod.CONNECT && statusCode == OK_200) {
             return connectSuccessInterceptor.exitAfterHandlingConnect(channel, future, request, proxyServer);
         }
+
+        // Process Authentication-Info / Proxy-Authentication-Info headers (RFC 7616 Section 3.5)
+        if (realm != null && realm.getScheme() == Realm.AuthScheme.DIGEST) {
+            processAuthenticationInfo(future, responseHeaders, realm, false);
+        }
+        Realm proxyRealm = future.getProxyRealm();
+        if (proxyRealm != null && proxyRealm.getScheme() == Realm.AuthScheme.DIGEST) {
+            processAuthenticationInfo(future, responseHeaders, proxyRealm, true);
+        }
+
         return false;
     }
+
+    private void processAuthenticationInfo(NettyResponseFuture<?> future, HttpHeaders responseHeaders,
+                                           Realm currentRealm, boolean proxy) {
+        String headerName = proxy ? "Proxy-Authentication-Info" : "Authentication-Info";
+        String authInfoHeader = responseHeaders.get(headerName);
+        if (authInfoHeader == null) {
+            return;
+        }
+
+        String nextnonce = Realm.Builder.matchParam(authInfoHeader, "nextnonce");
+        if (nextnonce != null) {
+            // Rotate to the new nonce
+            String oldNonce = currentRealm.getNonce();
+            if (oldNonce != null) {
+                nonceCounter.reset(oldNonce);
+            }
+            Realm newRealm = realm(currentRealm)
+                    .setNonce(nextnonce)
+                    .setNc("00000001")
+                    .build();
+            if (proxy) {
+                future.setProxyRealm(newRealm);
+            } else {
+                future.setRealm(newRealm);
+            }
+            LOGGER.debug("Rotated to nextnonce from {} header", headerName);
+        }
+
+        String rspauth = Realm.Builder.matchParam(authInfoHeader, "rspauth");
+        if (rspauth != null) {
+            String expectedRspauth = AuthenticatorUtils.computeRspAuth(currentRealm);
+            if (!rspauth.equalsIgnoreCase(expectedRspauth)) {
+                LOGGER.warn("Server rspauth mismatch: expected={}, got={}", expectedRspauth, rspauth);
+            }
+        }
+    }
 }