Add support for non-printable HTTP passwords

robert-s-ubi · robert-s-ubi · commit f7af06d4d266 · 2021-05-21T14:13:31.000+02:00
The OCPP 1.6 Security Whitepaper foresees that the AuthorizationKey,
which is a hexadecimal string representation of the HTTP Basic
Authentication password to be used, may use the full byte range, i.e.
including non-printable characters. Thus, passing it as a Java String
object is not suitable.

In contrast, OCPP 2.0.1 specifies the password as being a string of
printable UTF-8 characters. The library already supports that.

To accomodate both, take advantage of the fact that JSONConfiguration
treats all parameters as Objects, so either a String or a byte array can
be set.

Change the code adding the credentials to the HTTP header to correctly
generate the Base64 encoded credentials from either a password string or
a byte array, depending on the object type that was set as the password.
diff --git a/OCPP-J/src/main/java/eu/chargetime/ocpp/WebSocketTransmitter.java b/OCPP-J/src/main/java/eu/chargetime/ocpp/WebSocketTransmitter.java
@@ -31,6 +31,7 @@ of this software and associated documentation files (the "Software"), to deal
 import java.net.ConnectException;
 import java.net.Proxy;
 import java.net.URI;
+import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import java.util.HashMap;
 import java.util.Map;
@@ -68,10 +69,18 @@ public void connect(String uri, RadioEvents events) {
 
     Map<String, String> httpHeaders = new HashMap<>();
     String username = configuration.getParameter(JSONConfiguration.USERNAME_PARAMETER);
-    String password = configuration.getParameter(JSONConfiguration.PASSWORD_PARAMETER);
+    Object password = configuration.getParameter(JSONConfiguration.PASSWORD_PARAMETER);
+    byte[] credentials = null;
     if (username != null && password != null) {
-      String credentials = username + ":" + password;
-      byte[] base64Credentials = Base64.getEncoder().encode(credentials.getBytes());
+      if (password instanceof String) {
+        credentials = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
+      } else if (password instanceof byte[]) {
+        credentials =
+            joinByteArrays((username + ":").getBytes(StandardCharsets.UTF_8), (byte[]) password);
+      }
+    }
+    if (credentials != null) {
+      byte[] base64Credentials = Base64.getEncoder().encode(credentials);
       httpHeaders.put("Authorization", "Basic " + new String(base64Credentials));
     }
 
@@ -132,6 +141,13 @@ public void onError(Exception ex) {
     }
   }
 
+  byte[] joinByteArrays(byte[] a, byte[] b) {
+    byte[] result = new byte[a.length + b.length];
+    System.arraycopy(a, 0, result, 0, a.length);
+    System.arraycopy(b, 0, result, a.length, b.length);
+    return result;
+  }
+
   void configure() {
     client.setReuseAddr(configuration.getParameter(JSONConfiguration.REUSE_ADDR_PARAMETER, false));
     client.setTcpNoDelay(
