Package com.ericsson.ssa.container

Source Code of com.ericsson.ssa.container.FlowToken

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
package com.ericsson.ssa.container;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.InetSocketAddress;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.StringTokenizer;

import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;

import org.apache.catalina.util.Base64;
import org.jvnet.glassfish.comms.util.LogUtil;

import com.ericsson.ssa.sip.dns.SipTransports;
import com.ericsson.ssa.sip.dns.TargetTuple;

/**
* FlowToken class used for connection reuse.
* FlowToken is representing a flowtoken used to identify the flow to the UA.
* The flow to UA is used for sending responses and subsequent request.
*
* The flowtoken is generated so it can be correlated to specific connection information where the request was recieved on.
* The flowtoken is obfuscated for security reasons before it leaves the container.
*
* @author epkadsz, Adrian Szwej
* @version 1.0, 2008-09-10
*
*/
public class FlowToken {
   
    /** Reused flowtoken bytearray. */
    private static final ByteArrayOutputStream flowTokenOutput = new ByteArrayOutputStream();
   
    /** Size of the digest included in the flowtoken before it gets base64 encoded. */
    private static final int DIGEST_LENGTH = 20;
   
    /** Prepared HMAC generator with a secret key. */
    private static Mac HMAC;
   
    private static final char SEP = ':';
   
    static {
        try {
            // Generate a key for the HMAC-SHA1-80 keyed-hashing algorithm; see RFC 2104
            KeyGenerator keyGen = KeyGenerator.getInstance("HmacSHA1");
            SecretKey key = keyGen.generateKey();
           
            // Create a MAC object using HMAC-SHA1-80 and initialize with key
            HMAC = Mac.getInstance(key.getAlgorithm());
            HMAC.init(key);
        } catch (NoSuchAlgorithmException e1) {
            LogUtil.SIP_LOGGER.getLogger().severe("Missing HmacSHA1 algorithm");
        } catch (InvalidKeyException e) {
            LogUtil.SIP_LOGGER.getLogger().severe("Cannot generate secret key. Path header during outbound proxy will not be obfuscated.");
        }
    }
   
    /** Base64 encoded flow id. */
    private String flowId;
   
    /**
     * Constructor
     * @param remotePoint the UA endpoint
     * @param localPoint the container endpoint
     */
    public FlowToken(TargetTuple remotePoint, InetSocketAddress localPoint) {
        this.flowId = encodeToken(composeConnectionInfo(remotePoint, localPoint));
    }
   
    /**
     * Constructor
     * @param flow token extracted directly from the Path header.
     */
    public FlowToken(String flowToken) {
        this.flowId = flowToken;
    }
   
    public String toString() {
        return flowId;
    }
   
    /**
     * Gets the flow identifier.
     * @return Base64 encoded flowIf containing the connection information with its HMAC.
     */
    public String getEncodedFlowId() {
        return flowId;
    }
   
    /**
     * Gets the connection information forming this flow.
     * The remote is the UA address connecting the connection to the container.
     * @return the remote tuple, null if there is a problem to decode the information
     */
    public TargetTuple getRemote() {
        StringTokenizer stringToken = new StringTokenizer(decodeToken(getEncodedFlowId()), String.valueOf(SEP));

        String transport = stringToken.nextToken();
        String remoteIP = stringToken.nextToken();
        String remotePort = stringToken.nextToken();
       
        try {
            return new TargetTuple(SipTransports.getTransport(transport), remoteIP, Integer.parseInt(remotePort));
        } catch (Exception e) {
            e.printStackTrace();
        }
       
        return null;
    }
   
    /**
     * Validates the token by extracting the HMAC prefix and comparing against the HMAC calculated from the connection information.
     *
     * 1) base64 decode the flowId.
     * 2) The first 20 octets are HMAC calculated value over the remaining part of the decoded string
     *
     * @throws Exception when flowtoken is tampered
     */
    public void validate() throws Exception {
        if (HMAC != null) {
            byte[] decodedDigestB64 = Base64.decode(flowId.getBytes("UTF8"));
            if (decodedDigestB64.length <= DIGEST_LENGTH)
                throw new Exception("Flowtoken has been tampered. Flowtoken is too short.");
           
            byte[] messageCandidate = new byte[decodedDigestB64.length - DIGEST_LENGTH];
            System.arraycopy(decodedDigestB64, DIGEST_LENGTH, messageCandidate, 0, decodedDigestB64.length - DIGEST_LENGTH);
            byte[] calculatedDigest = calculateDigest(messageCandidate);
            for (int i = 0; i < DIGEST_LENGTH; i++)
                if (calculatedDigest[i] != decodedDigestB64[i])
                    throw new Exception("Flowtoken has been tampered. Flowtoken missmatch");
       
    }
   
    /**
     * Generates string token with encoded information.
     * 1) the HMAC is computed using the input together with the secret key.
     * 2) the HMAC and the input is concatenated on format: HMAC + input (where HMAC corresponds to first 20 octets)
     * 3) The result is base64 encoded and returned
     *
     * @param input used for token generation
     * @return base64 encoded string
     **/
    private static String encodeToken(String input) {
        // Encode the string into bytes using utf-8 and digest it
        if (HMAC != null) {
            byte[] flowToken;
            byte[] utf8 = null;
            byte[] digest = null;
            try {
                utf8 = input.getBytes("UTF8");
                digest = calculateDigest(utf8);
            } catch (UnsupportedEncodingException e1) {
            }
           
            synchronized (flowTokenOutput) {
                flowTokenOutput.reset();
                try {
                    flowTokenOutput.write(digest);
                    flowTokenOutput.write(utf8);
                } catch (IOException e) {
                }
               
                flowToken = flowTokenOutput.toByteArray();
            }

            return new String(Base64.encode(flowToken));
        }
        else
            return input;
    }
   
    private static byte[] calculateDigest(byte[] utf8) {
        synchronized (HMAC) {
            return HMAC.doFinal(utf8);
        }
    }
   
    /**
     * Encodes connection information on format:
     * protocol + remote IP address + remote port + local IP address + local port +
     * @return
     */
    private static String composeConnectionInfo(TargetTuple remotePoint, InetSocketAddress localPoint) {
        return remotePoint.getProtocol().name() + SEP + remotePoint.getIP() + SEP + remotePoint.getPort() + SEP + localPoint.getHostName() + SEP + localPoint.getPort();
    }
   
    /**
     * Decodes the encoded token. This method does 64 bit decode, and strips of the HMAC information.
     * @param encodedToken 64 base encoded token with HMAC
     * @return 64 decoded string without the HMAC prefix
     */
    private static String decodeToken(String encodedToken) {
        //remove the first digits
        if (HMAC != null) {
            try {
                byte[] decodedDigestB64 = Base64.decode(encodedToken.getBytes("UTF8"));
                byte[] messageCandidate = new byte[decodedDigestB64.length - DIGEST_LENGTH];
                System.arraycopy(decodedDigestB64, DIGEST_LENGTH, messageCandidate, 0, decodedDigestB64.length - DIGEST_LENGTH);
               
                return new String(messageCandidate, "UTF8");
            }
            catch (UnsupportedEncodingException e) {
                e.printStackTrace();
            }
        }
       
        return null;
    }
   
}
TOP

Related Classes of com.ericsson.ssa.container.FlowToken

  • com.ericsson.ssa.sip.dns.TargetTuple
  • java.util.StringTokenizer
    • TOP
    Copyright © 2018 www.massapi.com. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.