codebeltnet · gimlichael · Apr 13, 2025 · Apr 13, 2025 · Apr 13, 2025 · Apr 13, 2025
diff --git a/src/Cuemon.AspNetCore.Authentication/Digest/DigestAuthenticationHandler.cs b/src/Cuemon.AspNetCore.Authentication/Digest/DigestAuthenticationHandler.cs
@@ -66,7 +66,7 @@ protected override async Task HandleChallengeAsync(AuthenticationProperties prop
             var nonceGenerator = Options.NonceGenerator;
             var staleNonce = Context.Items[DigestFields.Stale] as string ?? "false";
             AuthenticationHandlerFeature.Set(await HandleAuthenticateOnceSafeAsync().ConfigureAwait(false), Context); // so annoying that Microsoft does not propagate AuthenticateResult properly - other have noticed as well: https://github.com/dotnet/aspnetcore/issues/44100
-            Decorator.Enclose(Response.Headers).TryAdd(HeaderNames.WWWAuthenticate, string.Create(CultureInfo.InvariantCulture, $"{DigestAuthorizationHeader.Scheme} realm=\"{Options.Realm}\", qop=\"auth, auth-int\", nonce=\"{nonceGenerator(DateTime.UtcNow, etag, nonceSecret())}\", opaque=\"{opaqueGenerator()}\", stale={staleNonce}, algorithm={DigestAuthenticationMiddleware.ParseAlgorithm(Options.Algorithm)}"));
+            Decorator.Enclose(Response.Headers).TryAdd(HeaderNames.WWWAuthenticate, string.Create(CultureInfo.InvariantCulture, $"{DigestAuthorizationHeader.Scheme} realm=\"{Options.Realm}\", qop=\"auth, auth-int\", nonce=\"{nonceGenerator(DateTime.UtcNow, etag, nonceSecret())}\", opaque=\"{opaqueGenerator()}\", stale={staleNonce}, algorithm={DigestAuthenticationMiddleware.ParseAlgorithm(Options.DigestAlgorithm)}"));
             await base.HandleChallengeAsync(properties).ConfigureAwait(false);
         }
     }

diff --git a/src/Cuemon.AspNetCore.Authentication/Digest/DigestAuthenticationMiddleware.cs b/src/Cuemon.AspNetCore.Authentication/Digest/DigestAuthenticationMiddleware.cs
@@ -7,7 +7,6 @@
 using System.Threading.Tasks;
 using Cuemon.Collections.Generic;
 using Cuemon.IO;
-using Cuemon.Security.Cryptography;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Options;
 using Microsoft.Net.Http.Headers;
@@ -61,7 +60,7 @@ await Decorator.Enclose(context).InvokeUnauthorizedExceptionAsync(Options, princ
                     var nonceSecret = Options.NonceSecret;
                     var nonceGenerator = Options.NonceGenerator;
                     var staleNonce = dc.Items[DigestFields.Stale] as string ?? "false";
-                    Decorator.Enclose(dc.Response.Headers).TryAdd(HeaderNames.WWWAuthenticate, string.Create(CultureInfo.InvariantCulture, $"{DigestAuthorizationHeader.Scheme} realm=\"{Options.Realm}\", qop=\"auth, auth-int\", nonce=\"{nonceGenerator(DateTime.UtcNow, etag, nonceSecret())}\", opaque=\"{opaqueGenerator()}\", stale={staleNonce}, algorithm={ParseAlgorithm(Options.Algorithm)}"));
+                    Decorator.Enclose(dc.Response.Headers).TryAdd(HeaderNames.WWWAuthenticate, string.Create(CultureInfo.InvariantCulture, $"{DigestAuthorizationHeader.Scheme} realm=\"{Options.Realm}\", qop=\"auth, auth-int\", nonce=\"{nonceGenerator(DateTime.UtcNow, etag, nonceSecret())}\", opaque=\"{opaqueGenerator()}\", stale={staleNonce}, algorithm={ParseAlgorithm(Options.DigestAlgorithm)}"));
                 }).ConfigureAwait(false);
             }
 
@@ -138,14 +137,22 @@ internal static DigestAuthorizationHeader AuthorizationHeaderParser(HttpContext
             return DigestAuthorizationHeader.Create(authorizationHeader);
         }
 
-        internal static string ParseAlgorithm(UnkeyedCryptoAlgorithm algorithm)
+        internal static string ParseAlgorithm(DigestCryptoAlgorithm algorithm)
         {
             switch (algorithm)
             {
-                case UnkeyedCryptoAlgorithm.Sha256:
+                case DigestCryptoAlgorithm.Md5:
+                    return "MD5";
+                case DigestCryptoAlgorithm.Md5Session:
+                    return "MD5-sess";
+                case DigestCryptoAlgorithm.Sha256:
                     return "SHA-256";
-                case UnkeyedCryptoAlgorithm.Sha512:
+                case DigestCryptoAlgorithm.Sha256Session:
+                    return "SHA-256-sess";
+                case DigestCryptoAlgorithm.Sha512Slash256:
                     return "SHA-512-256";
+                case DigestCryptoAlgorithm.Sha512Slash256Session:
+                    return "SHA-512-256-sess";
                 default:
                     return "MD5";
             }

diff --git a/src/Cuemon.AspNetCore.Authentication/Digest/DigestAuthenticationOptions.cs b/src/Cuemon.AspNetCore.Authentication/Digest/DigestAuthenticationOptions.cs
@@ -23,14 +23,14 @@
         ///         <description>Initial Value</description>
         ///     </listheader>
         ///     <item>
-        ///         <term><see cref="Algorithm"/></term>
-        ///         <description><see cref="UnkeyedCryptoAlgorithm.Sha256"/></description>
-        ///     </item>
-        ///     <item>
         ///         <term><see cref="Authenticator"/></term>
         ///         <description><c>null</c></description>
         ///     </item>
         ///     <item>
+        ///         <term><see cref="DigestAlgorithm"/></term>
+        ///         <description><see cref="DigestCryptoAlgorithm.Sha256"/></description>
+        ///     </item>
+        ///     <item>
         ///         <term><see cref="NonceGenerator"/></term>
         ///         <description>A default implementation of a nonce generator.</description>
         ///     </item>
@@ -58,7 +58,7 @@
         /// </remarks>
         public DigestAuthenticationOptions()
         {
-            Algorithm = UnkeyedCryptoAlgorithm.Sha256;
+            DigestAlgorithm = DigestCryptoAlgorithm.Sha256;
             OpaqueGenerator = () => Generate.RandomString(32, Alphanumeric.Hexadecimal).ToLowerInvariant();
             NonceExpiredParser = (nonce, timeToLive) =>
             {
@@ -103,8 +103,14 @@
         /// </summary>
         /// <value>The algorithm of the HTTP Digest Access Authentication.</value>
         /// <remarks>Allowed values are: <see cref="UnkeyedCryptoAlgorithm.Md5"/>, <see cref="UnkeyedCryptoAlgorithm.Sha256"/> and <see cref="UnkeyedCryptoAlgorithm.Sha512"/>.</remarks>
+        [Obsolete("This member is obsolete and will be removed in a future version. Use DigestAlgorithm property instead.")]
         public UnkeyedCryptoAlgorithm Algorithm { get; set; }
 
+        /// <summary>
+        /// Specifies the cryptographic algorithm used in HTTP Digest Access Authentication. Default is <see cref="DigestCryptoAlgorithm.Sha256"/>.
+        /// </summary>
+        public DigestCryptoAlgorithm DigestAlgorithm { get; set; }
+
         /// <summary>
         /// Gets the realm that defines the protection space.
         /// </summary>
@@ -139,7 +145,7 @@
         /// Gets or sets a value indicating whether the server should bypass the calculation of HA1 password representation.
         /// </summary>
         /// <value><c>true</c> if the server should bypass the calculation of HA1 password representation; otherwise, <c>false</c>.</value>
-        /// <remarks>When enabled, the server reads the HA1 value directly from a secured storage.</remarks>
+        /// <remarks>When enabled, the server reads the HA1 value directly from a secured storage, hence this cannot be used in combination with session variants of <see cref="DigestCryptoAlgorithm"/>.</remarks>
         public bool UseServerSideHa1Storage { get; set; }
 
         /// <summary>

diff --git a/src/Cuemon.AspNetCore.Authentication/Digest/DigestAuthorizationHeaderBuilder.cs b/src/Cuemon.AspNetCore.Authentication/Digest/DigestAuthorizationHeaderBuilder.cs
@@ -1,4 +1,5 @@
 using System;
+using System.ComponentModel;
 using System.Globalization;
 using System.Net.Http.Headers;
 using System.Text;
@@ -13,16 +14,46 @@
     /// </summary>
     public class DigestAuthorizationHeaderBuilder : AuthorizationHeaderBuilder<DigestAuthorizationHeader, DigestAuthorizationHeaderBuilder>
     {
+        /// <summary>
+        /// Initializes a new instance of the <see cref="DigestAuthorizationHeaderBuilder"/> class.
+        /// </summary>
+        public DigestAuthorizationHeaderBuilder() : this(DigestCryptoAlgorithm.Sha256)
+        {
+        }
+
         /// <summary>
         /// Initializes a new instance of the <see cref="DigestAuthorizationHeaderBuilder"/> class.
         /// </summary>
         /// <param name="algorithm">The algorithm to use when computing HA1, HA2 and/or RESPONSE value(s).</param>
         /// <remarks>Allowed values for <paramref name="algorithm"/> are: <see cref="UnkeyedCryptoAlgorithm.Md5"/>, <see cref="UnkeyedCryptoAlgorithm.Sha256"/> and <see cref="UnkeyedCryptoAlgorithm.Sha512"/>.</remarks>
-        public DigestAuthorizationHeaderBuilder(UnkeyedCryptoAlgorithm algorithm = UnkeyedCryptoAlgorithm.Sha256) : base(DigestAuthorizationHeader.Scheme)
+        [Obsolete("This constructor is obsolete and will be removed in a future version. Use DigestAlgorithm variant instead.")]
+        public DigestAuthorizationHeaderBuilder(UnkeyedCryptoAlgorithm algorithm) : this(Validator.CheckParameter(
+            () =>
+            {
+                Validator.ThrowIfEqual(algorithm, UnkeyedCryptoAlgorithm.Sha1, nameof(algorithm));
+                Validator.ThrowIfEqual(algorithm, UnkeyedCryptoAlgorithm.Sha384, nameof(algorithm));
+                switch (algorithm)
+                {
+                    case UnkeyedCryptoAlgorithm.Md5:
+                        return DigestCryptoAlgorithm.Md5;
+                    case UnkeyedCryptoAlgorithm.Sha256:
+                        return DigestCryptoAlgorithm.Sha256;
+                    case UnkeyedCryptoAlgorithm.Sha512:
+                        return DigestCryptoAlgorithm.Sha512Slash256;
+                    default:
+                        throw new InvalidEnumArgumentException(nameof(algorithm), (int)algorithm, typeof(UnkeyedCryptoAlgorithm));
+                }
+            }))
         {
-            Validator.ThrowIfEqual(algorithm, UnkeyedCryptoAlgorithm.Sha1, nameof(algorithm));
-            Validator.ThrowIfEqual(algorithm, UnkeyedCryptoAlgorithm.Sha384, nameof(algorithm));
-            Algorithm = algorithm;
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="DigestAuthorizationHeaderBuilder"/> class.
+        /// </summary>
+        /// <param name="algorithm">The algorithm to use when computing HA1, HA2 and/or RESPONSE value(s).</param>
+        public DigestAuthorizationHeaderBuilder(DigestCryptoAlgorithm algorithm) : base(DigestAuthorizationHeader.Scheme)
+        {
+            DigestAlgorithm = algorithm;
             MapRelation(nameof(AddResponse), DigestFields.Response);
             MapRelation(nameof(AddRealm), DigestFields.Realm);
             MapRelation(nameof(AddUserName), DigestFields.UserName);
@@ -40,7 +71,15 @@
         /// Gets the algorithm of the HTTP Digest Access Authentication.
         /// </summary>
         /// <value>The algorithm of the HTTP Digest Access Authentication.</value>
-        public UnkeyedCryptoAlgorithm Algorithm { get; private set; }
+
+        [Obsolete("This member is obsolete and will be removed in a future version. Use DigestAlgorithm property instead.")]
+        public UnkeyedCryptoAlgorithm Algorithm { get; }
+
+        /// <summary>
+        /// Gets the algorithm of the HTTP Digest Access Authentication.
+        /// </summary>
+        /// <value>The algorithm of the HTTP Digest Access Authentication.</value>
+        public DigestCryptoAlgorithm DigestAlgorithm { get; private set; }
 
         /// <summary>
         /// Associates the <see cref="DigestFields.Realm"/> field with the specified <paramref name="realm"/>.
@@ -161,7 +200,7 @@
         public DigestAuthorizationHeaderBuilder AddFromDigestAuthorizationHeader(DigestAuthorizationHeader header)
         {
             Validator.ThrowIfNull(header);
-            Algorithm = ParseAlgorithm(header.Algorithm);
+            DigestAlgorithm = ParseAlgorithm(header.Algorithm);
             AddUserName(header.UserName);
             AddRealm(header.Realm);
             AddUri(header.Uri);
@@ -172,11 +211,15 @@
             return this;
         }
 
-        private static UnkeyedCryptoAlgorithm ParseAlgorithm(string algorithm)
+        private static DigestCryptoAlgorithm ParseAlgorithm(string algorithm)
         {
-            if (algorithm.StartsWith("SHA-512", StringComparison.OrdinalIgnoreCase)) { return UnkeyedCryptoAlgorithm.Sha512; }
-            if (algorithm.StartsWith("SHA-256", StringComparison.OrdinalIgnoreCase)) { return UnkeyedCryptoAlgorithm.Sha256; }
-            return UnkeyedCryptoAlgorithm.Md5;
+            if (algorithm.Equals("MD5", StringComparison.OrdinalIgnoreCase)) { return DigestCryptoAlgorithm.Md5; }
+            if (algorithm.Equals("SHA-256", StringComparison.OrdinalIgnoreCase)) { return DigestCryptoAlgorithm.Sha256; }
+            if (algorithm.Equals("SHA-512-256", StringComparison.OrdinalIgnoreCase)) { return DigestCryptoAlgorithm.Sha512Slash256; }
+            if (algorithm.Equals("MD5-sess", StringComparison.OrdinalIgnoreCase)) { return DigestCryptoAlgorithm.Md5Session; }
+            if (algorithm.Equals("SHA-256-sess", StringComparison.OrdinalIgnoreCase)) { return DigestCryptoAlgorithm.Sha256Session; }
+            if (algorithm.Equals("SHA-512-256-sess", StringComparison.OrdinalIgnoreCase)) { return DigestCryptoAlgorithm.Sha512Slash256Session; }
+            throw new NotSupportedException($"The algorithm '{algorithm}' is not supported.");
         }
 
         /// <summary>
@@ -198,23 +241,39 @@
         /// Computes a by parameter defined <see cref="UnkeyedCryptoAlgorithm"/> hash value of the required values for the HTTP Digest access authentication HA1.
         /// </summary>
         /// <param name="password">The password to include in the HA1 computed value.</param>
-        /// <returns>A <see cref="string"/> in the format of H(<see cref="DigestFields.UserName"/>:<see cref="DigestFields.Realm"/>:<paramref name="password"/>). H is determined by <see cref="Algorithm"/>.</returns>
+        /// <returns>A <see cref="string"/> in the format of H(<see cref="DigestFields.UserName"/>:<see cref="DigestFields.Realm"/>:<paramref name="password"/>). H is determined by <see cref="DigestAlgorithm"/>.</returns>
         public virtual string ComputeHash1(string password)
         {
             Validator.ThrowIfNullOrWhitespace(password);
             ValidateData(DigestFields.UserName, DigestFields.Realm);
-            return UnkeyedHashFactory.CreateCrypto(Algorithm).ComputeHash(string.Format(CultureInfo.InvariantCulture, "{0}:{1}:{2}", Data[DigestFields.UserName], Data[DigestFields.Realm], password), o =>
+            var crypto = DigestHashFactory.CreateCrypto(DigestAlgorithm);
+
+            var ha1 = crypto.ComputeHash(string.Format(CultureInfo.InvariantCulture, "{0}:{1}:{2}", Data[DigestFields.UserName], Data[DigestFields.Realm], password), o =>
             {
                 o.Encoding = Encoding.UTF8;
             }).ToHexadecimalString();
+
+            switch (DigestAlgorithm)
+            {
+                case DigestCryptoAlgorithm.Md5Session:
+                case DigestCryptoAlgorithm.Sha256Session:
+                case DigestCryptoAlgorithm.Sha512Slash256Session:
+                    ha1 = crypto.ComputeHash(string.Format(CultureInfo.InvariantCulture, "{0}:{1}:{2}", ha1, Data[DigestFields.Nonce], Data[DigestFields.ClientNonce]), o =>
+                    {
+                        o.Encoding = Encoding.UTF8;
+                    }).ToHexadecimalString();
+                    break;
+            }
+
+            return ha1;
         }
 
         /// <summary>
         /// Computes a by parameter defined <see cref="UnkeyedCryptoAlgorithm"/> hash value of the required values for the HTTP Digest access authentication HA2.
         /// </summary>
         /// <param name="method">The HTTP method to include in the HA2 computed value.</param>
         /// <param name="entityBody">The entity body to apply in the signature when qop is set to auth-int.</param>
-        /// <returns>A <see cref="string"/> in the format of H(<paramref name="method"/>:<see cref="DigestFields.DigestUri"/>) OR H(<paramref name="method"/>:<see cref="DigestFields.DigestUri"/>:H(<paramref name="entityBody"/>)). H is determined by <see cref="Algorithm"/>.</returns>
+        /// <returns>A <see cref="string"/> in the format of H(<paramref name="method"/>:<see cref="DigestFields.DigestUri"/>) OR H(<paramref name="method"/>:<see cref="DigestFields.DigestUri"/>:H(<paramref name="entityBody"/>)). H is determined by <see cref="DigestAlgorithm"/>.</returns>
         public virtual string ComputeHash2(string method, string entityBody = null)
         {
             Validator.ThrowIfNullOrWhitespace(method);
@@ -226,8 +285,8 @@
 
             var hashFields = !hasIntegrityProtection
                 ? string.Create(CultureInfo.InvariantCulture, $"{method}:{Data[DigestFields.DigestUri]}")
-                : string.Create(CultureInfo.InvariantCulture, $"{method}:{Data[DigestFields.DigestUri]}:{UnkeyedHashFactory.CreateCrypto(Algorithm).ComputeHash(entityBody, o => o.Encoding = Encoding.UTF8).ToHexadecimalString()}");
-            return UnkeyedHashFactory.CreateCrypto(Algorithm).ComputeHash(hashFields, o =>
+                : string.Create(CultureInfo.InvariantCulture, $"{method}:{Data[DigestFields.DigestUri]}:{DigestHashFactory.CreateCrypto(DigestAlgorithm).ComputeHash(entityBody, o => o.Encoding = Encoding.UTF8).ToHexadecimalString()}");
+            return DigestHashFactory.CreateCrypto(DigestAlgorithm).ComputeHash(hashFields, o =>
             {
                 o.Encoding = Encoding.UTF8;
             }).ToHexadecimalString();
@@ -238,13 +297,13 @@
         /// </summary>
         /// <param name="hash1">The HA1 to include in the RESPONSE computed value.</param>
         /// <param name="hash2">The HA2 to include in the RESPONSE computed value.</param>
-        /// <returns>A <see cref="string"/> in the format of H(<paramref name="hash1"/>:<see cref="DigestFields.Nonce"/>:<see cref="DigestFields.NonceCount"/>:<see cref="DigestFields.ClientNonce"/>:<see cref="DigestFields.QualityOfProtection"/>:<paramref name="hash2"/>). H is determined by <see cref="Algorithm"/>.</returns>
+        /// <returns>A <see cref="string"/> in the format of H(<paramref name="hash1"/>:<see cref="DigestFields.Nonce"/>:<see cref="DigestFields.NonceCount"/>:<see cref="DigestFields.ClientNonce"/>:<see cref="DigestFields.QualityOfProtection"/>:<paramref name="hash2"/>). H is determined by <see cref="DigestAlgorithm"/>.</returns>
         public virtual string ComputeResponse(string hash1, string hash2)
         {
             Validator.ThrowIfNullOrWhitespace(hash1);
             Validator.ThrowIfNullOrWhitespace(hash2);
             ValidateData(DigestFields.Nonce, DigestFields.NonceCount, DigestFields.ClientNonce, DigestFields.QualityOfProtection);
-            return UnkeyedHashFactory.CreateCrypto(Algorithm).ComputeHash(string.Create(CultureInfo.InvariantCulture, $"{hash1}:{Data[DigestFields.Nonce]}:{Data[DigestFields.NonceCount]}:{Data[DigestFields.ClientNonce]}:{Data[DigestFields.QualityOfProtection]}:{hash2}"), o =>
+            return DigestHashFactory.CreateCrypto(DigestAlgorithm).ComputeHash(string.Create(CultureInfo.InvariantCulture, $"{hash1}:{Data[DigestFields.Nonce]}:{Data[DigestFields.NonceCount]}:{Data[DigestFields.ClientNonce]}:{Data[DigestFields.QualityOfProtection]}:{hash2}"), o =>
             {
                 o.Encoding = Encoding.UTF8;
             }).ToHexadecimalString();
@@ -257,7 +316,7 @@
        public override DigestAuthorizationHeader Build()
        {
            ValidateData(DigestFields.Realm, DigestFields.Nonce, DigestFields.UserName, DigestFields.QualityOfProtection, DigestFields.DigestUri, DigestFields.NonceCount, DigestFields.ClientNonce, DigestFields.QualityOfProtection, DigestFields.Response);
            return new DigestAuthorizationHeader(Data[DigestFields.Realm],
                Data[DigestFields.Nonce],
                Data[DigestFields.Opaque],
                Data[DigestFields.Stale],