From 6ca8cd72656fa0ba3603025327e625436a5e1e6c Mon Sep 17 00:00:00 2001 From: shikong <919411476@qq.com> Date: Thu, 10 Aug 2023 15:53:42 +0800 Subject: [PATCH] =?UTF-8?q?=E8=AE=BE=E5=A4=87=E6=B3=A8=E5=86=8C=20?= =?UTF-8?q?=E6=9C=AA=E5=AE=8C?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../core/sip/listener/SipListenerImpl.java | 2 +- .../DigestServerAuthenticationHelper.java | 229 ++++++++++++++++++ .../message/processor/MessageProcessor.java | 28 +++ .../request/RegisterRequestProcessor.java | 31 +++ .../core/sip/service/SipServiceImpl.java | 4 +- .../gb28181/core/sip/utils/SipUtil.java | 2 +- 6 files changed, 292 insertions(+), 4 deletions(-) create mode 100644 gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/message/auth/DigestServerAuthenticationHelper.java diff --git a/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/listener/SipListenerImpl.java b/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/listener/SipListenerImpl.java index a4b0876..3b58ac4 100644 --- a/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/listener/SipListenerImpl.java +++ b/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/listener/SipListenerImpl.java @@ -26,7 +26,7 @@ public class SipListenerImpl implements SipListener { @Async(DefaultSipExecutor.EXECUTOR_BEAN_NAME) public void processRequest(RequestEvent requestEvent) { String method = requestEvent.getRequest().getMethod(); - log.debug("method => {}",method); + log.debug("传入请求 method => {}",method); Optional.ofNullable(processor.get(method)).ifPresent(processor -> { processor.process(requestEvent); }); diff --git a/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/message/auth/DigestServerAuthenticationHelper.java b/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/message/auth/DigestServerAuthenticationHelper.java new file mode 100644 index 0000000..134db14 --- /dev/null +++ b/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/message/auth/DigestServerAuthenticationHelper.java @@ -0,0 +1,229 @@ +/* + * Conditions Of Use + * + * This software was developed by employees of the National Institute of + * Standards and Technology (NIST), an agency of the Federal Government. + * Pursuant to title 15 Untied States Code Section 105, works of NIST + * employees are not subject to copyright protection in the United States + * and are considered to be in the public domain. As a result, a formal + * license is not needed to use the software. + * + * This software is provided by NIST as a service and is expressly + * provided "AS IS." NIST MAKES NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED + * OR STATUTORY, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT + * AND DATA ACCURACY. NIST does not warrant or make any representations + * regarding the use of the software or the results thereof, including but + * not limited to the correctness, accuracy, reliability or usefulness of + * the software. + * + * Permission to use this software is contingent upon your acceptance + * of the terms of this agreement + * + * . + * + */ +package cn.skcks.docking.gb28181.core.sip.message.auth; + +import gov.nist.core.InternalErrorHandler; +import lombok.extern.slf4j.Slf4j; +import org.apache.commons.lang3.ObjectUtils; + +import javax.sip.address.URI; +import javax.sip.header.AuthorizationHeader; +import javax.sip.header.HeaderFactory; +import javax.sip.header.WWWAuthenticateHeader; +import javax.sip.message.Request; +import javax.sip.message.Response; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.time.Instant; +import java.util.Random; + +/** + * Implements the HTTP digest authentication method server side functionality. + * + * @author M. Ranganathan + * @author Marc Bednarek + */ +@Slf4j +public class DigestServerAuthenticationHelper { + private static final MessageDigest messageDigest; + + public static final String DEFAULT_ALGORITHM = "MD5"; + public static final String DEFAULT_SCHEME = "Digest"; + + + /** to hex converter */ + private static final char[] toHex = { '0', '1', '2', '3', '4', '5', '6', + '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' }; + + /** + * Default constructor. + * @throws NoSuchAlgorithmException + */ + static{ + try { + messageDigest = MessageDigest.getInstance(DEFAULT_ALGORITHM); + } catch (NoSuchAlgorithmException e) { + throw new RuntimeException(e); + } + } + + public static String toHexString(byte b[]) { + int pos = 0; + char[] c = new char[b.length * 2]; + for (int i = 0; i < b.length; i++) { + c[pos++] = toHex[(b[i] >> 4) & 0x0F]; + c[pos++] = toHex[b[i] & 0x0f]; + } + return new String(c); + } + + /** + * Generate the challenge string. + * + * @return a generated nonce. + */ + private static String generateNonce() { + long time = Instant.now().toEpochMilli(); + Random rand = new Random(); + long pad = rand.nextLong(); + String nonceString = Long.valueOf(time).toString() + + Long.valueOf(pad).toString(); + byte[] mdBytes = messageDigest.digest(nonceString.getBytes()); + return toHexString(mdBytes); + } + + public static void generateChallenge(HeaderFactory headerFactory, Response response, String realm) { + try { + WWWAuthenticateHeader proxyAuthenticate = headerFactory + .createWWWAuthenticateHeader(DEFAULT_SCHEME); + proxyAuthenticate.setParameter("realm", realm); + proxyAuthenticate.setParameter("qop", "auth"); + proxyAuthenticate.setParameter("nonce", generateNonce()); + proxyAuthenticate.setParameter("algorithm", DEFAULT_ALGORITHM); + + response.setHeader(proxyAuthenticate); + } catch (Exception ex) { + InternalErrorHandler.handleException(ex); + } + } + /** + * Authenticate the inbound request. + * + * @param request - the request to authenticate. + * @param hashedPassword -- the MD5 hashed string of username:realm:plaintext password. + * + * @return true if authentication succeded and false otherwise. + */ + public boolean doAuthenticateHashedPassword(Request request, String hashedPassword) { + AuthorizationHeader authHeader = (AuthorizationHeader) request.getHeader(AuthorizationHeader.NAME); + if ( authHeader == null ) { + return false; + } + String realm = authHeader.getRealm(); + String username = authHeader.getUsername(); + + if ( username == null || realm == null ) { + return false; + } + + String nonce = authHeader.getNonce(); + URI uri = authHeader.getURI(); + if (uri == null) { + return false; + } + + String A2 = request.getMethod().toUpperCase() + ":" + uri; + String HA1 = hashedPassword; + + byte[] mdbytes = messageDigest.digest(A2.getBytes()); + String HA2 = toHexString(mdbytes); + + String cnonce = authHeader.getCNonce(); + String KD = HA1 + ":" + nonce; + if (cnonce != null) { + KD += ":" + cnonce; + } + KD += ":" + HA2; + mdbytes = messageDigest.digest(KD.getBytes()); + String mdString = toHexString(mdbytes); + String response = authHeader.getResponse(); + + + return mdString.equals(response); + } + + /** + * Authenticate the inbound request given plain text password. + * + * @param request - the request to authenticate. + * @param pass -- the plain text password. + * + * @return true if authentication succeded and false otherwise. + */ + public boolean doAuthenticatePlainTextPassword(Request request, String pass) { + AuthorizationHeader authHeader = (AuthorizationHeader) request.getHeader(AuthorizationHeader.NAME); + if ( authHeader == null || authHeader.getRealm() == null) { + return false; + } + String realm = authHeader.getRealm().trim(); + String username = authHeader.getUsername().trim(); + + if(ObjectUtils.anyNull(username,realm)){ + return false; + } + + String nonce = authHeader.getNonce(); + URI uri = authHeader.getURI(); + if (uri == null) { + return false; + } + // qop 保护质量 包含auth(默认的)和auth-int(增加了报文完整性检测)两种策略 + String qop = authHeader.getQop(); + + // 客户端随机数,这是一个不透明的字符串值,由客户端提供,并且客户端和服务器都会使用,以避免用明文文本。 + // 这使得双方都可以查验对方的身份,并对消息的完整性提供一些保护 + String cnonce = authHeader.getCNonce(); + + // nonce计数器,是一个16进制的数值,表示同一nonce下客户端发送出请求的数量 + int nc = authHeader.getNonceCount(); + String ncStr = String.format("%08x", nc).toUpperCase(); + String A1 = String.join(":",username , realm , pass); + String A2 = String.join(":",request.getMethod().toUpperCase() , uri.toString()); + + byte[] mdbytes = messageDigest.digest(A1.getBytes()); + String HA1 = toHexString(mdbytes); + log.debug("A1: " + A1); + log.debug("A2: " + A2); + mdbytes = messageDigest.digest(A2.getBytes()); + String HA2 = toHexString(mdbytes); + log.debug("HA1: " + HA1); + log.debug("HA2: " + HA2); + // String cnonce = authHeader.getCNonce(); + log.debug("nonce: " + nonce); + log.debug("nc: " + ncStr); + log.debug("cnonce: " + cnonce); + log.debug("qop: " + qop); + String KD = HA1 + ":" + nonce; + + if (qop != null && qop.equalsIgnoreCase("auth") ) { + if (nc != -1) { + KD += ":" + ncStr; + } + if (cnonce != null) { + KD += ":" + cnonce; + } + KD += ":" + qop; + } + KD += ":" + HA2; + log.debug("KD: " + KD); + mdbytes = messageDigest.digest(KD.getBytes()); + String mdString = toHexString(mdbytes); + log.debug("mdString: " + mdString); + String response = authHeader.getResponse(); + log.debug("response: " + response); + return mdString.equals(response); + } +} diff --git a/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/message/processor/MessageProcessor.java b/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/message/processor/MessageProcessor.java index 1195844..2d3a8e6 100644 --- a/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/message/processor/MessageProcessor.java +++ b/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/message/processor/MessageProcessor.java @@ -1,7 +1,35 @@ package cn.skcks.docking.gb28181.core.sip.message.processor; +import lombok.extern.slf4j.Slf4j; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.sip.PeerUnavailableException; import javax.sip.RequestEvent; +import javax.sip.SipFactory; +import javax.sip.header.HeaderFactory; +import javax.sip.message.MessageFactory; public interface MessageProcessor { + Logger log = LoggerFactory.getLogger(MessageProcessor.class); + void process(RequestEvent requestEvent); + + default MessageFactory getMessageFactory() { + try { + return SipFactory.getInstance().createMessageFactory(); + } catch (PeerUnavailableException e) { + log.error("未处理的异常 ", e); + } + return null; + } + + default HeaderFactory getHeaderFactory() { + try { + return SipFactory.getInstance().createHeaderFactory(); + } catch (PeerUnavailableException e) { + log.error("未处理的异常 ", e); + } + return null; + } } diff --git a/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/message/processor/request/RegisterRequestProcessor.java b/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/message/processor/request/RegisterRequestProcessor.java index 04fab40..f99f617 100644 --- a/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/message/processor/request/RegisterRequestProcessor.java +++ b/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/message/processor/request/RegisterRequestProcessor.java @@ -1,13 +1,24 @@ package cn.skcks.docking.gb28181.core.sip.message.processor.request; +import cn.skcks.docking.gb28181.config.sip.SipConfig; +import cn.skcks.docking.gb28181.core.sip.dto.RemoteInfo; import cn.skcks.docking.gb28181.core.sip.listener.SipListener; +import cn.skcks.docking.gb28181.core.sip.message.auth.DigestServerAuthenticationHelper; import cn.skcks.docking.gb28181.core.sip.message.processor.MessageProcessor; +import cn.skcks.docking.gb28181.core.sip.utils.SipUtil; +import gov.nist.javax.sip.address.SipUri; +import gov.nist.javax.sip.header.Authorization; +import gov.nist.javax.sip.message.SIPRequest; import jakarta.annotation.PostConstruct; import lombok.RequiredArgsConstructor; +import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import org.springframework.stereotype.Component; import javax.sip.RequestEvent; +import javax.sip.address.Address; +import javax.sip.header.FromHeader; +import javax.sip.message.Response; @Slf4j @RequiredArgsConstructor @@ -17,13 +28,33 @@ public class RegisterRequestProcessor implements MessageProcessor { private final SipListener sipListener; + private final SipConfig sipConfig; + @PostConstruct private void init(){ sipListener.addProcessor(METHOD,this); } + @SneakyThrows @Override public void process(RequestEvent requestEvent) { + SIPRequest request = (SIPRequest)requestEvent.getRequest(); + FromHeader fromHeader = request.getFrom(); + Address address = fromHeader.getAddress(); + log.debug("From {}",address); + SipUri uri = (SipUri)address.getURI(); + String deviceId = uri.getUser(); + log.debug("请求注册 设备id => {}", deviceId); + + RemoteInfo remoteInfo = SipUtil.getRemoteInfoFromRequest(request, false); + log.debug("远程连接信息 => {}", remoteInfo); + + String password = sipConfig.getPassword(); + Authorization authorization = request.getAuthorization(); + log.debug("认证信息 => {}", authorization); + + Response response = getMessageFactory().createResponse(Response.UNAUTHORIZED, request); + DigestServerAuthenticationHelper.generateChallenge(getHeaderFactory(),response,sipConfig.getDomain()); } } diff --git a/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/service/SipServiceImpl.java b/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/service/SipServiceImpl.java index 472c9b8..9ac9782 100644 --- a/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/service/SipServiceImpl.java +++ b/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/service/SipServiceImpl.java @@ -65,7 +65,7 @@ public class SipServiceImpl implements SipService { sipStack.setMessageParserFactory(new GbStringMsgParserFactory()); // sipStack.setMessageProcessorFactory(); try { - ListeningPoint tcpListen = sipStack.createListeningPoint(ip, port, "TCP"); + ListeningPoint tcpListen = sipStack.createListeningPoint(ip, port, ListeningPoint.TCP); SipProviderImpl tcpSipProvider = (SipProviderImpl) sipStack.createSipProvider(tcpListen); tcpSipProvider.setDialogErrorsAutomaticallyHandled(); tcpSipProvider.addSipListener(sipListener); @@ -78,7 +78,7 @@ public class SipServiceImpl implements SipService { } try { - ListeningPoint udpListen = sipStack.createListeningPoint(ip, port, "UDP"); + ListeningPoint udpListen = sipStack.createListeningPoint(ip, port, ListeningPoint.UDP); SipProviderImpl udpSipProvider = (SipProviderImpl) sipStack.createSipProvider(udpListen); udpSipProvider.addSipListener(sipListener); pool.add(udpSipProvider); diff --git a/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/utils/SipUtil.java b/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/utils/SipUtil.java index 9362eed..c7a33bb 100644 --- a/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/utils/SipUtil.java +++ b/gb28181-service/src/main/java/cn/skcks/docking/gb28181/core/sip/utils/SipUtil.java @@ -103,7 +103,7 @@ public class SipUtil implements ApplicationContextAware { remoteAddress = request.getPeerPacketSourceAddress().getHostAddress(); remotePort = request.getPeerPacketSourcePort(); - }else { + } else { // 判断RPort是否改变,改变则说明路由nat信息变化,修改设备信息 // 获取到通信地址等信息 remoteAddress = request.getTopmostViaHeader().getReceived();