1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "google_apis/gaia/oauth_request_signer.h" 6 7#include <cctype> 8#include <cstddef> 9#include <cstdlib> 10#include <cstring> 11#include <ctime> 12#include <map> 13#include <string> 14 15#include "base/base64.h" 16#include "base/format_macros.h" 17#include "base/logging.h" 18#include "base/rand_util.h" 19#include "base/strings/string_util.h" 20#include "base/strings/stringprintf.h" 21#include "base/time/time.h" 22#include "crypto/hmac.h" 23#include "url/gurl.h" 24 25namespace { 26 27const int kHexBase = 16; 28char kHexDigits[] = "0123456789ABCDEF"; 29const size_t kHmacDigestLength = 20; 30const int kMaxNonceLength = 30; 31const int kMinNonceLength = 15; 32 33const char kOAuthConsumerKeyLabel[] = "oauth_consumer_key"; 34const char kOAuthNonceCharacters[] = 35 "abcdefghijklmnopqrstuvwyz" 36 "ABCDEFGHIJKLMNOPQRSTUVWYZ" 37 "0123456789_"; 38const char kOAuthNonceLabel[] = "oauth_nonce"; 39const char kOAuthSignatureLabel[] = "oauth_signature"; 40const char kOAuthSignatureMethodLabel[] = "oauth_signature_method"; 41const char kOAuthTimestampLabel[] = "oauth_timestamp"; 42const char kOAuthTokenLabel[] = "oauth_token"; 43const char kOAuthVersion[] = "1.0"; 44const char kOAuthVersionLabel[] = "oauth_version"; 45 46enum ParseQueryState { 47 START_STATE, 48 KEYWORD_STATE, 49 VALUE_STATE, 50}; 51 52const std::string HttpMethodName(OAuthRequestSigner::HttpMethod method) { 53 switch (method) { 54 case OAuthRequestSigner::GET_METHOD: 55 return "GET"; 56 case OAuthRequestSigner::POST_METHOD: 57 return "POST"; 58 } 59 NOTREACHED(); 60 return std::string(); 61} 62 63const std::string SignatureMethodName( 64 OAuthRequestSigner::SignatureMethod method) { 65 switch (method) { 66 case OAuthRequestSigner::HMAC_SHA1_SIGNATURE: 67 return "HMAC-SHA1"; 68 case OAuthRequestSigner::RSA_SHA1_SIGNATURE: 69 return "RSA-SHA1"; 70 case OAuthRequestSigner::PLAINTEXT_SIGNATURE: 71 return "PLAINTEXT"; 72 } 73 NOTREACHED(); 74 return std::string(); 75} 76 77std::string BuildBaseString(const GURL& request_base_url, 78 OAuthRequestSigner::HttpMethod http_method, 79 const std::string& base_parameters) { 80 return base::StringPrintf("%s&%s&%s", 81 HttpMethodName(http_method).c_str(), 82 OAuthRequestSigner::Encode( 83 request_base_url.spec()).c_str(), 84 OAuthRequestSigner::Encode( 85 base_parameters).c_str()); 86} 87 88std::string BuildBaseStringParameters( 89 const OAuthRequestSigner::Parameters& parameters) { 90 std::string result; 91 OAuthRequestSigner::Parameters::const_iterator cursor; 92 OAuthRequestSigner::Parameters::const_iterator limit; 93 bool first = true; 94 for (cursor = parameters.begin(), limit = parameters.end(); 95 cursor != limit; 96 ++cursor) { 97 if (first) 98 first = false; 99 else 100 result += '&'; 101 result += OAuthRequestSigner::Encode(cursor->first); 102 result += '='; 103 result += OAuthRequestSigner::Encode(cursor->second); 104 } 105 return result; 106} 107 108std::string GenerateNonce() { 109 char result[kMaxNonceLength + 1]; 110 int length = base::RandUint64() % (kMaxNonceLength - kMinNonceLength + 1) + 111 kMinNonceLength; 112 result[length] = '\0'; 113 for (int index = 0; index < length; ++index) 114 result[index] = kOAuthNonceCharacters[ 115 base::RandUint64() % (sizeof(kOAuthNonceCharacters) - 1)]; 116 return result; 117} 118 119std::string GenerateTimestamp() { 120 return base::StringPrintf( 121 "%" PRId64, 122 (base::Time::NowFromSystemTime() - base::Time::UnixEpoch()).InSeconds()); 123} 124 125// Creates a string-to-string, keyword-value map from a parameter/query string 126// that uses ampersand (&) to seperate paris and equals (=) to seperate 127// keyword from value. 128bool ParseQuery(const std::string& query, 129 OAuthRequestSigner::Parameters* parameters_result) { 130 std::string::const_iterator cursor; 131 std::string keyword; 132 std::string::const_iterator limit; 133 OAuthRequestSigner::Parameters parameters; 134 ParseQueryState state; 135 std::string value; 136 137 state = START_STATE; 138 for (cursor = query.begin(), limit = query.end(); 139 cursor != limit; 140 ++cursor) { 141 char character = *cursor; 142 switch (state) { 143 case KEYWORD_STATE: 144 switch (character) { 145 case '&': 146 parameters[keyword] = value; 147 keyword = ""; 148 value = ""; 149 state = START_STATE; 150 break; 151 case '=': 152 state = VALUE_STATE; 153 break; 154 default: 155 keyword += character; 156 } 157 break; 158 case START_STATE: 159 switch (character) { 160 case '&': // Intentionally falling through 161 case '=': 162 return false; 163 default: 164 keyword += character; 165 state = KEYWORD_STATE; 166 } 167 break; 168 case VALUE_STATE: 169 switch (character) { 170 case '=': 171 return false; 172 case '&': 173 parameters[keyword] = value; 174 keyword = ""; 175 value = ""; 176 state = START_STATE; 177 break; 178 default: 179 value += character; 180 } 181 break; 182 } 183 } 184 switch (state) { 185 case START_STATE: 186 break; 187 case KEYWORD_STATE: // Intentionally falling through 188 case VALUE_STATE: 189 parameters[keyword] = value; 190 break; 191 default: 192 NOTREACHED(); 193 } 194 *parameters_result = parameters; 195 return true; 196} 197 198// Creates the value for the oauth_signature parameter when the 199// oauth_signature_method is HMAC-SHA1. 200bool SignHmacSha1(const std::string& text, 201 const std::string& key, 202 std::string* signature_return) { 203 crypto::HMAC hmac(crypto::HMAC::SHA1); 204 DCHECK(hmac.DigestLength() == kHmacDigestLength); 205 unsigned char digest[kHmacDigestLength]; 206 bool result = hmac.Init(key) && 207 hmac.Sign(text, digest, kHmacDigestLength); 208 if (result) { 209 base::Base64Encode( 210 std::string(reinterpret_cast<const char*>(digest), kHmacDigestLength), 211 signature_return); 212 } 213 return result; 214} 215 216// Creates the value for the oauth_signature parameter when the 217// oauth_signature_method is PLAINTEXT. 218// 219// Not yet implemented, and might never be. 220bool SignPlaintext(const std::string& text, 221 const std::string& key, 222 std::string* result) { 223 NOTIMPLEMENTED(); 224 return false; 225} 226 227// Creates the value for the oauth_signature parameter when the 228// oauth_signature_method is RSA-SHA1. 229// 230// Not yet implemented, and might never be. 231bool SignRsaSha1(const std::string& text, 232 const std::string& key, 233 std::string* result) { 234 NOTIMPLEMENTED(); 235 return false; 236} 237 238// Adds parameters that are required by OAuth added as needed to |parameters|. 239void PrepareParameters(OAuthRequestSigner::Parameters* parameters, 240 OAuthRequestSigner::SignatureMethod signature_method, 241 OAuthRequestSigner::HttpMethod http_method, 242 const std::string& consumer_key, 243 const std::string& token_key) { 244 if (parameters->find(kOAuthNonceLabel) == parameters->end()) 245 (*parameters)[kOAuthNonceLabel] = GenerateNonce(); 246 247 if (parameters->find(kOAuthTimestampLabel) == parameters->end()) 248 (*parameters)[kOAuthTimestampLabel] = GenerateTimestamp(); 249 250 (*parameters)[kOAuthConsumerKeyLabel] = consumer_key; 251 (*parameters)[kOAuthSignatureMethodLabel] = 252 SignatureMethodName(signature_method); 253 (*parameters)[kOAuthTokenLabel] = token_key; 254 (*parameters)[kOAuthVersionLabel] = kOAuthVersion; 255} 256 257// Implements shared signing logic, generating the signature and storing it in 258// |parameters|. Returns true if the signature has been generated succesfully. 259bool SignParameters(const GURL& request_base_url, 260 OAuthRequestSigner::SignatureMethod signature_method, 261 OAuthRequestSigner::HttpMethod http_method, 262 const std::string& consumer_key, 263 const std::string& consumer_secret, 264 const std::string& token_key, 265 const std::string& token_secret, 266 OAuthRequestSigner::Parameters* parameters) { 267 DCHECK(request_base_url.is_valid()); 268 PrepareParameters(parameters, signature_method, http_method, 269 consumer_key, token_key); 270 std::string base_parameters = BuildBaseStringParameters(*parameters); 271 std::string base = BuildBaseString(request_base_url, http_method, 272 base_parameters); 273 std::string key = consumer_secret + '&' + token_secret; 274 bool is_signed = false; 275 std::string signature; 276 switch (signature_method) { 277 case OAuthRequestSigner::HMAC_SHA1_SIGNATURE: 278 is_signed = SignHmacSha1(base, key, &signature); 279 break; 280 case OAuthRequestSigner::RSA_SHA1_SIGNATURE: 281 is_signed = SignRsaSha1(base, key, &signature); 282 break; 283 case OAuthRequestSigner::PLAINTEXT_SIGNATURE: 284 is_signed = SignPlaintext(base, key, &signature); 285 break; 286 default: 287 NOTREACHED(); 288 } 289 if (is_signed) 290 (*parameters)[kOAuthSignatureLabel] = signature; 291 return is_signed; 292} 293 294 295} // namespace 296 297// static 298bool OAuthRequestSigner::Decode(const std::string& text, 299 std::string* decoded_text) { 300 std::string accumulator; 301 std::string::const_iterator cursor; 302 std::string::const_iterator limit; 303 for (limit = text.end(), cursor = text.begin(); cursor != limit; ++cursor) { 304 char character = *cursor; 305 if (character == '%') { 306 ++cursor; 307 if (cursor == limit) 308 return false; 309 char* first = strchr(kHexDigits, *cursor); 310 if (!first) 311 return false; 312 int high = first - kHexDigits; 313 DCHECK(high >= 0 && high < kHexBase); 314 315 ++cursor; 316 if (cursor == limit) 317 return false; 318 char* second = strchr(kHexDigits, *cursor); 319 if (!second) 320 return false; 321 int low = second - kHexDigits; 322 DCHECK(low >= 0 || low < kHexBase); 323 324 char decoded = static_cast<char>(high * kHexBase + low); 325 DCHECK(!(IsAsciiAlpha(decoded) || IsAsciiDigit(decoded))); 326 DCHECK(!(decoded && strchr("-._~", decoded))); 327 accumulator += decoded; 328 } else { 329 accumulator += character; 330 } 331 } 332 *decoded_text = accumulator; 333 return true; 334} 335 336// static 337std::string OAuthRequestSigner::Encode(const std::string& text) { 338 std::string result; 339 std::string::const_iterator cursor; 340 std::string::const_iterator limit; 341 for (limit = text.end(), cursor = text.begin(); cursor != limit; ++cursor) { 342 char character = *cursor; 343 if (IsAsciiAlpha(character) || IsAsciiDigit(character)) { 344 result += character; 345 } else { 346 switch (character) { 347 case '-': 348 case '.': 349 case '_': 350 case '~': 351 result += character; 352 break; 353 default: 354 unsigned char byte = static_cast<unsigned char>(character); 355 result = result + '%' + kHexDigits[byte / kHexBase] + 356 kHexDigits[byte % kHexBase]; 357 } 358 } 359 } 360 return result; 361} 362 363// static 364bool OAuthRequestSigner::ParseAndSign(const GURL& request_url_with_parameters, 365 SignatureMethod signature_method, 366 HttpMethod http_method, 367 const std::string& consumer_key, 368 const std::string& consumer_secret, 369 const std::string& token_key, 370 const std::string& token_secret, 371 std::string* result) { 372 DCHECK(request_url_with_parameters.is_valid()); 373 Parameters parameters; 374 if (request_url_with_parameters.has_query()) { 375 const std::string& query = request_url_with_parameters.query(); 376 if (!query.empty()) { 377 if (!ParseQuery(query, ¶meters)) 378 return false; 379 } 380 } 381 std::string spec = request_url_with_parameters.spec(); 382 std::string url_without_parameters = spec; 383 std::string::size_type question = spec.find("?"); 384 if (question != std::string::npos) 385 url_without_parameters = spec.substr(0,question); 386 return SignURL(GURL(url_without_parameters), parameters, signature_method, 387 http_method, consumer_key, consumer_secret, token_key, 388 token_secret, result); 389} 390 391// static 392bool OAuthRequestSigner::SignURL( 393 const GURL& request_base_url, 394 const Parameters& request_parameters, 395 SignatureMethod signature_method, 396 HttpMethod http_method, 397 const std::string& consumer_key, 398 const std::string& consumer_secret, 399 const std::string& token_key, 400 const std::string& token_secret, 401 std::string* signed_text_return) { 402 DCHECK(request_base_url.is_valid()); 403 Parameters parameters(request_parameters); 404 bool is_signed = SignParameters(request_base_url, signature_method, 405 http_method, consumer_key, consumer_secret, 406 token_key, token_secret, ¶meters); 407 if (is_signed) { 408 std::string signed_text; 409 switch (http_method) { 410 case GET_METHOD: 411 signed_text = request_base_url.spec() + '?'; 412 // Intentionally falling through 413 case POST_METHOD: 414 signed_text += BuildBaseStringParameters(parameters); 415 break; 416 default: 417 NOTREACHED(); 418 } 419 *signed_text_return = signed_text; 420 } 421 return is_signed; 422} 423 424// static 425bool OAuthRequestSigner::SignAuthHeader( 426 const GURL& request_base_url, 427 const Parameters& request_parameters, 428 SignatureMethod signature_method, 429 HttpMethod http_method, 430 const std::string& consumer_key, 431 const std::string& consumer_secret, 432 const std::string& token_key, 433 const std::string& token_secret, 434 std::string* signed_text_return) { 435 DCHECK(request_base_url.is_valid()); 436 Parameters parameters(request_parameters); 437 bool is_signed = SignParameters(request_base_url, signature_method, 438 http_method, consumer_key, consumer_secret, 439 token_key, token_secret, ¶meters); 440 if (is_signed) { 441 std::string signed_text = "OAuth "; 442 bool first = true; 443 for (Parameters::const_iterator param = parameters.begin(); 444 param != parameters.end(); 445 ++param) { 446 if (first) 447 first = false; 448 else 449 signed_text += ", "; 450 signed_text += 451 base::StringPrintf( 452 "%s=\"%s\"", 453 OAuthRequestSigner::Encode(param->first).c_str(), 454 OAuthRequestSigner::Encode(param->second).c_str()); 455 } 456 *signed_text_return = signed_text; 457 } 458 return is_signed; 459} 460