private void validateMessage(OAuthAccessor accessor, MessageInfo info, boolean tokenEndpoint)
throws OAuthException, IOException, URISyntaxException {
info.message.validateMessage(accessor, new FakeTimeOAuthValidator());
String bodyHash = info.message.getParameter("oauth_body_hash");
if (tokenEndpoint && bodyHash != null) {
throw new RuntimeException("Can't have body hash on token endpoints");
}
SignatureType sigType =
OAuthUtil.getSignatureType(tokenEndpoint, info.request.getHeader("Content-Type"));
switch (sigType) {
case URL_ONLY:
break;
case URL_AND_FORM_PARAMS:
if (bodyHash != null) {
throw new RuntimeException("Can't have body hash in form-encoded request");
}
break;
case URL_AND_BODY_HASH:
if (bodyHash == null) {
throw new RuntimeException("Requiring oauth_body_hash parameter");
}
byte[] received = Base64.decodeBase64(CharsetUtil.getUtf8Bytes(bodyHash));
byte[] expected = DigestUtils.sha(info.rawBody);
if (!Arrays.equals(received, expected)) {
throw new RuntimeException("oauth_body_hash mismatch");
}
}
}
public static void verifyBodyHash(HttpServletRequest request, String oauthBodyHash)
throws InvalidAuthenticationException {
// we are doing body hash signing which is not permitted for form-encoded data
if (request.getContentType() != null && request.getContentType().contains(OAuth.FORM_ENCODED)) {
throw new AuthenticationHandler.InvalidAuthenticationException(
"Cannot use oauth_body_hash with a Content-Type of application/x-www-form-urlencoded",
null);
} else {
try {
byte[] rawBody = readBody(request);
byte[] received = Base64.decodeBase64(CharsetUtil.getUtf8Bytes(oauthBodyHash));
byte[] expected = DigestUtils.sha(rawBody);
if (!Arrays.equals(received, expected)) {
throw new AuthenticationHandler.InvalidAuthenticationException(
"oauth_body_hash failed verification", null);
}
} catch (IOException ioe) {
throw new AuthenticationHandler.InvalidAuthenticationException(
"Unable to read content body for oauth_body_hash verification", null);
}
}
}
