RFC 7616: honour charset=UTF-8 in Digest auth #2068

Author: pratt4

client/src/main/java/org/asynchttpclient/Realm.java

@@ -24,14 +24,14 @@
 
 import java.nio.charset.Charset;
 import java.security.MessageDigest;
+import java.util.Arrays;
 import java.util.Map;
 import java.util.concurrent.ThreadLocalRandom;
 
 import static java.nio.charset.StandardCharsets.ISO_8859_1;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static java.util.Objects.requireNonNull;
 import static org.asynchttpclient.util.HttpConstants.Methods.GET;
-import static org.asynchttpclient.util.MessageDigestUtils.pooledMd5MessageDigest;
 import static org.asynchttpclient.util.MiscUtils.isNonEmpty;
 import static org.asynchttpclient.util.StringUtils.appendBase16;
 import static org.asynchttpclient.util.StringUtils.toHexString;
@@ -272,17 +272,19 @@ public static class Builder {
         private String methodName = GET;
         private boolean usePreemptive;
         private String ntlmDomain = System.getProperty("http.auth.ntlm.domain");
-        private Charset charset = UTF_8;
+        private static Charset charset = UTF_8;
         private String ntlmHost = "localhost";
         private boolean useAbsoluteURI;
         private boolean omitQuery;
+        private Charset digestCharset = ISO_8859_1;   // RFC default
         /**
          * Kerberos/Spnego properties
          */
         private @Nullable Map<String, String> customLoginConfig;
         private @Nullable String servicePrincipalName;
         private boolean useCanonicalHostname;
         private @Nullable String loginContextName;
+        private @Nullable String cs;
 
         public Builder() {
             principal = null;
@@ -425,6 +427,10 @@ public Builder parseWWWAuthenticateHeader(String headerLine) {
                     .setOpaque(match(headerLine, "opaque"))
                     .setScheme(isNonEmpty(nonce) ? AuthScheme.DIGEST : AuthScheme.BASIC);
             String algorithm = match(headerLine, "algorithm");
+            String cs = match(headerLine, "charset");
+            if ("UTF-8".equalsIgnoreCase(cs)) {
+                this.digestCharset = UTF_8;
+            }
             if (isNonEmpty(algorithm)) {
                 setAlgorithm(algorithm);
             }
@@ -471,17 +477,20 @@ public Builder parseProxyAuthenticateHeader(String headerLine) {
         private void newCnonce(MessageDigest md) {
             byte[] b = new byte[8];
             ThreadLocalRandom.current().nextBytes(b);
-            b = md.digest(b);
-            cnonce = toHexString(b);
+            byte[] full = md.digest(b);
+            // trim to first 8 bytes → 16 hex chars
+            byte[] small = Arrays.copyOf(full, Math.min(8, full.length));
+            cnonce = toHexString(small);
         }
 
-        private static byte[] digestFromRecycledStringBuilder(StringBuilder sb, MessageDigest md) {
-            md.update(StringUtils.charSequence2ByteBuffer(sb, ISO_8859_1));
+        private static byte[] digestFromRecycledStringBuilder(StringBuilder sb, MessageDigest md, Charset enc) {
+            md.update(StringUtils.charSequence2ByteBuffer(sb, enc));
             sb.setLength(0);
             return md.digest();
         }
 
         private static MessageDigest getDigestInstance(String algorithm) {
+            if ("SHA-512/256".equalsIgnoreCase(algorithm)) algorithm = "SHA-512-256";
             if (algorithm == null || "MD5".equalsIgnoreCase(algorithm) || "MD5-sess".equalsIgnoreCase(algorithm)) {
                 return MessageDigestUtils.pooledMd5MessageDigest();
             } else if ("SHA-256".equalsIgnoreCase(algorithm) || "SHA-256-sess".equalsIgnoreCase(algorithm)) {
@@ -500,7 +509,7 @@ private byte[] ha1(StringBuilder sb, MessageDigest md) {
             // passwd ) ":" nonce-value ":" cnonce-value
 
             sb.append(principal).append(':').append(realmName).append(':').append(password);
-            byte[] core = digestFromRecycledStringBuilder(sb, md);
+            byte[] core = digestFromRecycledStringBuilder(sb, md, digestCharset);
 
             if (algorithm == null || "MD5".equalsIgnoreCase(algorithm) || "SHA-256".equalsIgnoreCase(algorithm) || "SHA-512-256".equalsIgnoreCase(algorithm)) {
                 // A1 = username ":" realm-value ":" passwd
@@ -510,7 +519,7 @@ private byte[] ha1(StringBuilder sb, MessageDigest md) {
                 // A1 = HASH(username ":" realm-value ":" passwd ) ":" nonce ":" cnonce
                 appendBase16(sb, core);
                 sb.append(':').append(nonce).append(':').append(cnonce);
-                return digestFromRecycledStringBuilder(sb, md);
+                return digestFromRecycledStringBuilder(sb, md, digestCharset);
             }
             throw new UnsupportedOperationException("Digest algorithm not supported: " + algorithm);
         }
@@ -530,7 +539,7 @@ private byte[] ha2(StringBuilder sb, String digestUri, MessageDigest md) {
                 throw new UnsupportedOperationException("Digest qop not supported: " + qop);
             }
 
-            return digestFromRecycledStringBuilder(sb, md);
+            return digestFromRecycledStringBuilder(sb, md, digestCharset);
         }
 
         private void appendMiddlePart(StringBuilder sb) {
@@ -557,7 +566,7 @@ private void newResponse(MessageDigest md) {
                 appendMiddlePart(sb);
                 appendBase16(sb, ha2);
 
-                byte[] responseDigest = digestFromRecycledStringBuilder(sb, md);
+                byte[] responseDigest = digestFromRecycledStringBuilder(sb, md, digestCharset);
                 response = toHexString(responseDigest);
             }
         }
@@ -591,7 +600,7 @@ public Realm build() {
                     cnonce,
                     uri,
                     usePreemptive,
-                    charset,
+                    (scheme == AuthScheme.DIGEST ? digestCharset : charset),
                     ntlmDomain,
                     ntlmHost,
                     useAbsoluteURI,

client/src/main/java/org/asynchttpclient/util/AuthenticatorUtils.java

@@ -82,14 +82,20 @@ private static String computeDigestAuthentication(Realm realm, Uri uri) {
         if (realm.getOpaque() != null) {
             append(builder, "opaque", realm.getOpaque(), true);
         }
+        if (realm.getScheme() == Realm.AuthScheme.DIGEST && realm.getCharset() == StandardCharsets.UTF_8) {
+            append(builder, "charset", "UTF-8", false);
+        }
         if (realm.getQop() != null) {
             append(builder, "qop", realm.getQop(), false);
             append(builder, "nc", realm.getNc(), false);
             append(builder, "cnonce", realm.getCnonce(), true);
         }
         // RFC7616: userhash parameter (optional, not implemented yet)
         builder.setLength(builder.length() - 2); // remove tailing ", "
-        return new String(StringUtils.charSequence2Bytes(builder, ISO_8859_1), StandardCharsets.UTF_8);
+        Charset wireCs = (realm.getCharset() == StandardCharsets.UTF_8)
+                ? StandardCharsets.UTF_8
+                : ISO_8859_1;
+        return new String(StringUtils.charSequence2Bytes(builder, wireCs), wireCs);
     }
 
     private static void append(StringBuilder builder, String name, @Nullable String value, boolean quoted) {

client/src/main/java/org/asynchttpclient/util/MessageDigestUtils.java

@@ -18,6 +18,13 @@
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 
+/**
+ * Thread-safety: Each digest is kept in a ThreadLocal. This
+ * class is intended for use on long-lived threads (e.g., Netty event loops).
+ * If you call it from a short-lived or unbounded thread pool, you may
+ * inadvertently retain one MessageDigest instance per thread, leading
+ * to memory leaks.
+ */
 public final class MessageDigestUtils {
 
     private static final ThreadLocal<MessageDigest> MD5_MESSAGE_DIGESTS = ThreadLocal.withInitial(() -> {
@@ -68,6 +75,7 @@ private MessageDigestUtils() {
     public static MessageDigest pooledMessageDigest(String algorithm) {
         String alg = algorithm.replace("_", "-").toUpperCase();
         MessageDigest md;
+        if ("SHA-512-256".equals(alg)) alg = "SHA-512/256";
         switch (alg) {
             case "MD5":
                 md = MD5_MESSAGE_DIGESTS.get();