From 87e0132a20d656f84870b2409e9892abc4782b11 Mon Sep 17 00:00:00 2001 From: "Scott L. Von Duhn" Date: Thu, 5 Aug 2021 10:37:27 -0400 Subject: [PATCH 1/4] feat: Add HMAC-SHA256 signature method for OAuth 1.0 --- .../auth/oauth/OAuthHmacSha256Signer.java | 68 +++++++++++++++++++ .../auth/oauth/OAuthHmacSha256SignerTest.java | 56 +++++++++++++++ 2 files changed, 124 insertions(+) create mode 100644 google-oauth-client/src/main/java/com/google/api/client/auth/oauth/OAuthHmacSha256Signer.java create mode 100644 google-oauth-client/src/test/java/com/google/api/client/auth/oauth/OAuthHmacSha256SignerTest.java diff --git a/google-oauth-client/src/main/java/com/google/api/client/auth/oauth/OAuthHmacSha256Signer.java b/google-oauth-client/src/main/java/com/google/api/client/auth/oauth/OAuthHmacSha256Signer.java new file mode 100644 index 000000000..f79ab155a --- /dev/null +++ b/google-oauth-client/src/main/java/com/google/api/client/auth/oauth/OAuthHmacSha256Signer.java @@ -0,0 +1,68 @@ +/* + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +package com.google.api.client.auth.oauth; + +import com.google.api.client.util.Base64; +import com.google.api.client.util.Beta; +import com.google.api.client.util.StringUtils; +import java.security.GeneralSecurityException; +import javax.crypto.Mac; +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; + +/** + * OAuth {@code "HMAC-SHA256"} signature method. + */ +@Beta +public final class OAuthHmacSha256Signer implements OAuthSigner { + + /** Client secret */ + private final String clientSharedSecret; + + /** Token secret */ + private String tokenSharedSecret; + + public void setTokenSecret(String tokenSecret) { + tokenSharedSecret = tokenSecret; + } + + public OAuthHmacSha256Signer(String clientSecret) { + this.clientSharedSecret = clientSecret; + } + + @Override + public String getSignatureMethod() { + return "HMAC-SHA256"; + } + + @Override + public String computeSignature(String signatureBaseString) throws GeneralSecurityException { + // compute key + StringBuilder keyBuffer = new StringBuilder(); + if (clientSharedSecret != null) { + keyBuffer.append(OAuthParameters.escape(clientSharedSecret)); + } + keyBuffer.append('&'); + if (tokenSharedSecret != null) { + keyBuffer.append(OAuthParameters.escape(tokenSharedSecret)); + } + String key = keyBuffer.toString(); + // sign + SecretKey secretKey = new SecretKeySpec(StringUtils.getBytesUtf8(key), "HmacSHA256"); + Mac mac = Mac.getInstance("HmacSHA256"); + mac.init(secretKey); + return Base64.encodeBase64String(mac.doFinal(StringUtils.getBytesUtf8(signatureBaseString))); + } +} diff --git a/google-oauth-client/src/test/java/com/google/api/client/auth/oauth/OAuthHmacSha256SignerTest.java b/google-oauth-client/src/test/java/com/google/api/client/auth/oauth/OAuthHmacSha256SignerTest.java new file mode 100644 index 000000000..c3fe90d63 --- /dev/null +++ b/google-oauth-client/src/test/java/com/google/api/client/auth/oauth/OAuthHmacSha256SignerTest.java @@ -0,0 +1,56 @@ +/* + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +package com.google.api.client.auth.oauth; + +import java.security.GeneralSecurityException; +import org.junit.Test; + +import static org.junit.Assert.assertEquals; + +/** + * Tests {@link OAuthHmacSha256Signer}. + */ +public class OAuthHmacSha256SignerTest { + + @Test + public void testComputeSignatureWithNullSecrets() throws GeneralSecurityException { + OAuthHmacSha256Signer signer = new OAuthHmacSha256Signer(null); + String expectedSignature = "l/Es58FI4BtBciSH9XtY/5jXFee70v7/rPiQgEpvv00="; + assertEquals(expectedSignature, signer.computeSignature("baseString")); + } + + @Test + public void testComputeSignatureWithNullClientSecret() throws GeneralSecurityException { + OAuthHmacSha256Signer signer = new OAuthHmacSha256Signer(null); + signer.setTokenSecret("tokenSecret"); + String expectedSignature = "PgNWY2qQ53qvk3WySct/f037/usxMGpNDjmJeISmgCM="; + assertEquals(expectedSignature, signer.computeSignature("baseString")); + } + + @Test + public void testComputeSignatureWithNullTokenSecret() throws GeneralSecurityException { + OAuthHmacSha256Signer signer = new OAuthHmacSha256Signer("clientSecret"); + String expectedSignature = "cNrT2sqgyQ+dd7rbAhYBFBk8o82/yZyZkavqsfMDqpo="; + assertEquals(expectedSignature, signer.computeSignature("baseString")); + } + + @Test + public void testComputeSignature() throws GeneralSecurityException { + OAuthHmacSha256Signer signer = new OAuthHmacSha256Signer("clientSecret"); + signer.setTokenSecret("tokenSecret"); + String expectedSignature = "sfnrBcfwccOs2mpc60VQ5zXx5ReP/46lgUcBhU2a4PM="; + assertEquals(expectedSignature, signer.computeSignature("baseString")); + } +} From ee68653e8d1252eee611ff0bfa8a82dcc297ffae Mon Sep 17 00:00:00 2001 From: "Scott L. Von Duhn" Date: Fri, 6 Aug 2021 17:48:28 -0400 Subject: [PATCH 2/4] Remove Beta and replace Base64 with BaseEncoding --- .../api/client/auth/oauth/OAuthHmacSha256Signer.java | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/google-oauth-client/src/main/java/com/google/api/client/auth/oauth/OAuthHmacSha256Signer.java b/google-oauth-client/src/main/java/com/google/api/client/auth/oauth/OAuthHmacSha256Signer.java index f79ab155a..03f7c2475 100644 --- a/google-oauth-client/src/main/java/com/google/api/client/auth/oauth/OAuthHmacSha256Signer.java +++ b/google-oauth-client/src/main/java/com/google/api/client/auth/oauth/OAuthHmacSha256Signer.java @@ -14,9 +14,9 @@ package com.google.api.client.auth.oauth; -import com.google.api.client.util.Base64; -import com.google.api.client.util.Beta; import com.google.api.client.util.StringUtils; +import com.google.common.io.BaseEncoding; + import java.security.GeneralSecurityException; import javax.crypto.Mac; import javax.crypto.SecretKey; @@ -25,7 +25,6 @@ /** * OAuth {@code "HMAC-SHA256"} signature method. */ -@Beta public final class OAuthHmacSha256Signer implements OAuthSigner { /** Client secret */ @@ -63,6 +62,6 @@ public String computeSignature(String signatureBaseString) throws GeneralSecurit SecretKey secretKey = new SecretKeySpec(StringUtils.getBytesUtf8(key), "HmacSHA256"); Mac mac = Mac.getInstance("HmacSHA256"); mac.init(secretKey); - return Base64.encodeBase64String(mac.doFinal(StringUtils.getBytesUtf8(signatureBaseString))); + return BaseEncoding.base64().encode(mac.doFinal(StringUtils.getBytesUtf8(signatureBaseString))); } } From 64303336c7ee16e54901106e4ed9f4569aaa7024 Mon Sep 17 00:00:00 2001 From: "Scott L. Von Duhn" Date: Fri, 6 Aug 2021 18:10:14 -0400 Subject: [PATCH 3/4] fix linter issues --- .../api/client/auth/oauth/OAuthHmacSha256Signer.java | 5 +---- .../api/client/auth/oauth/OAuthHmacSha256SignerTest.java | 8 +++----- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/google-oauth-client/src/main/java/com/google/api/client/auth/oauth/OAuthHmacSha256Signer.java b/google-oauth-client/src/main/java/com/google/api/client/auth/oauth/OAuthHmacSha256Signer.java index 03f7c2475..f93360b46 100644 --- a/google-oauth-client/src/main/java/com/google/api/client/auth/oauth/OAuthHmacSha256Signer.java +++ b/google-oauth-client/src/main/java/com/google/api/client/auth/oauth/OAuthHmacSha256Signer.java @@ -16,15 +16,12 @@ import com.google.api.client.util.StringUtils; import com.google.common.io.BaseEncoding; - import java.security.GeneralSecurityException; import javax.crypto.Mac; import javax.crypto.SecretKey; import javax.crypto.spec.SecretKeySpec; -/** - * OAuth {@code "HMAC-SHA256"} signature method. - */ +/** OAuth {@code "HMAC-SHA256"} signature method. */ public final class OAuthHmacSha256Signer implements OAuthSigner { /** Client secret */ diff --git a/google-oauth-client/src/test/java/com/google/api/client/auth/oauth/OAuthHmacSha256SignerTest.java b/google-oauth-client/src/test/java/com/google/api/client/auth/oauth/OAuthHmacSha256SignerTest.java index c3fe90d63..eed0592cc 100644 --- a/google-oauth-client/src/test/java/com/google/api/client/auth/oauth/OAuthHmacSha256SignerTest.java +++ b/google-oauth-client/src/test/java/com/google/api/client/auth/oauth/OAuthHmacSha256SignerTest.java @@ -14,14 +14,12 @@ package com.google.api.client.auth.oauth; +import static org.junit.Assert.assertEquals; + import java.security.GeneralSecurityException; import org.junit.Test; -import static org.junit.Assert.assertEquals; - -/** - * Tests {@link OAuthHmacSha256Signer}. - */ +/** Tests {@link OAuthHmacSha256Signer}. */ public class OAuthHmacSha256SignerTest { @Test From ed8d4856f69dbc8a116b5dece25bf243c27bc809 Mon Sep 17 00:00:00 2001 From: Timur Sadykov Date: Wed, 11 Aug 2021 15:17:28 -0700 Subject: [PATCH 4/4] fix: empty to restart GitHub Actions