From 14d60bc1f29ff518ab94e4f682595b53391a565c Mon Sep 17 00:00:00 2001
From: rpseng
Date: Sat, 20 Apr 2024 11:26:35 -0300
Subject: [PATCH 1/5] Update gson due to reported vulnerability.

---
 OCPP-J/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/OCPP-J/build.gradle b/OCPP-J/build.gradle
index 90a52275..c2fcadd2 100644
--- a/OCPP-J/build.gradle
+++ b/OCPP-J/build.gradle
@@ -4,7 +4,7 @@ dependencies {
 compile project(':common')
- compile 'com.google.code.gson:gson:2.8.0'
+ compile 'com.google.code.gson:gson:2.8.9'
 compile 'org.java-websocket:Java-WebSocket:1.5.3'
 testCompile 'junit:junit:4.13.2'
 testCompile 'org.mockito:mockito-core:4.11.0'

From 953f50b3e7c4b975cae5ebcb74c2bd6e381d5e23 Mon Sep 17 00:00:00 2001
From: rpseng
Date: Tue, 23 Apr 2024 21:39:52 -0300
Subject: [PATCH 2/5] A single instace, otherwise a static get() method makes no sense.

---
 .../src/main/java/eu/chargetime/ocpp/JSONConfiguration.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/OCPP-J/src/main/java/eu/chargetime/ocpp/JSONConfiguration.java b/OCPP-J/src/main/java/eu/chargetime/ocpp/JSONConfiguration.java
index 78255043..acee0395 100644
--- a/OCPP-J/src/main/java/eu/chargetime/ocpp/JSONConfiguration.java
+++ b/OCPP-J/src/main/java/eu/chargetime/ocpp/JSONConfiguration.java
@@ -49,8 +49,10 @@ public class JSONConfiguration {
 private JSONConfiguration() {}
+ private static final JSONConfiguration instance = new JSONConfiguration();
+
 public static JSONConfiguration get() {
- return new JSONConfiguration();
+ return instance;
 }
 public JSONConfiguration setParameter(String name, T value) {

From f7b92a3d6ae51cce4e6bbdcc25148cb951e986d1 Mon Sep 17 00:00:00 2001
From: rpseng
Date: Tue, 23 Apr 2024 21:41:24 -0300
Subject: [PATCH 3/5] Recommended by 1.6 spec is a 20 byte (40 chars) key.

---
 OCPP-J/src/main/java/eu/chargetime/ocpp/WebSocketListener.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
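Review bot: `get()` now returns one process-wide instance, so a `setParameter` call made while configuring one listener also changes what every other consumer in the JVM reads back — including the password-length bounds that WebSocketListener fetches through `configuration.getParameter(...)` — and nothing in the hunk documents that. Add a Javadoc on `get()` such as `/** Returns the process-wide shared configuration; values set via {@link #setParameter} are visible to every caller of this method. */`. Whether the store behind `setParameter`/`getParameter` tolerates concurrent access is not visible here and is worth confirming now that a single instance is reachable from every server thread. The enclosing class continues outside the hunk.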
diff --git a/OCPP-J/src/main/java/eu/chargetime/ocpp/WebSocketListener.java b/OCPP-J/src/main/java/eu/chargetime/ocpp/WebSocketListener.java
index 5eb06e66..346936cd 100644
--- a/OCPP-J/src/main/java/eu/chargetime/ocpp/WebSocketListener.java
+++ b/OCPP-J/src/main/java/eu/chargetime/ocpp/WebSocketListener.java
@@ -51,7 +51,7 @@ public class WebSocketListener implements Listener {
 private static final int TIMEOUT_IN_MILLIS = 10000;
 private static final int OCPPJ_CP_MIN_PASSWORD_LENGTH = 16;
- private static final int OCPPJ_CP_MAX_PASSWORD_LENGTH = 20;
+ private static final int OCPPJ_CP_MAX_PASSWORD_LENGTH = 40;
 private static final String HTTP_HEADER_PROXIED_ADDRESS = "X-Forwarded-For";

From cf20205e849a258ee5f4893a1d916ef8091f12d1 Mon Sep 17 00:00:00 2001
From: rpseng
Date: Tue, 23 Apr 2024 22:12:00 -0300
Subject: [PATCH 4/5] Fix password decoding.

---
 .../main/java/eu/chargetime/ocpp/WebSocketListener.java | 8 ++++----
 .../src/main/java/eu/chargetime/ocpp/ListenerEvents.java | 2 +-
 ocpp-common/src/main/java/eu/chargetime/ocpp/Server.java | 2 +-
 .../src/main/java/eu/chargetime/ocpp/ServerEvents.java | 2 +-
 .../main/java/eu/chargetime/ocpp/test/DummyHandlers.java | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/OCPP-J/src/main/java/eu/chargetime/ocpp/WebSocketListener.java b/OCPP-J/src/main/java/eu/chargetime/ocpp/WebSocketListener.java
index 346936cd..9f026cbb 100644
--- a/OCPP-J/src/main/java/eu/chargetime/ocpp/WebSocketListener.java
+++ b/OCPP-J/src/main/java/eu/chargetime/ocpp/WebSocketListener.java
@@ -146,7 +146,7 @@ public ServerHandshakeBuilder onWebsocketHandshakeReceivedAsServer(
 .build();
 String username = null;
- byte[] password = null;
+ String password = null;
 if (clientHandshake.hasFieldValue("Authorization")) {
 String authorization = clientHandshake.getFieldValue("Authorization");
 if (authorization != null && authorization.toLowerCase().startsWith("basic")) {
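Review bot: `OCPPJ_CP_MAX_PASSWORD_LENGTH` is raised to 40 on the reasoning that a 20-byte key is 40 hex characters, but `OCPPJ_CP_MIN_PASSWORD_LENGTH` on the line above stays at 16, so the two bounds no longer appear to measure the same thing (if the minimum was also meant as a byte count, its hex-encoded form would be 32). The check that consumes them later in this series compares `password.length()`, i.e. characters, so the unit should be stated next to the constants, e.g. `// Bounds are in characters of the decoded Basic-auth password; 40 = 20 bytes hex-encoded.`, and the minimum revisited accordingly. The class body continues outside the hunk.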
@@ -159,15 +159,15 @@ public ServerHandshakeBuilder onWebsocketHandshakeReceivedAsServer(
 username = new String(Arrays.copyOfRange(credDecoded, 0, i), StandardCharsets.UTF_8);
 if (i + 1 < credDecoded.length) {
- password = Arrays.copyOfRange(credDecoded, i + 1, credDecoded.length);
+ password = new String(Arrays.copyOfRange(credDecoded, i + 1, credDecoded.length));
 }
 break;
 }
 }
 }
 if (password == null
- || password.length < configuration.getParameter(JSONConfiguration.OCPPJ_CP_MIN_PASSWORD_LENGTH, OCPPJ_CP_MIN_PASSWORD_LENGTH)
- || password.length > configuration.getParameter(JSONConfiguration.OCPPJ_CP_MAX_PASSWORD_LENGTH, OCPPJ_CP_MAX_PASSWORD_LENGTH))
+ || password.length() < configuration.getParameter(JSONConfiguration.OCPPJ_CP_MIN_PASSWORD_LENGTH, OCPPJ_CP_MIN_PASSWORD_LENGTH)
+ || password.length() > configuration.getParameter(JSONConfiguration.OCPPJ_CP_MAX_PASSWORD_LENGTH, OCPPJ_CP_MAX_PASSWORD_LENGTH))
 throw new InvalidDataException(401, "Invalid password length");
 }
diff --git a/ocpp-common/src/main/java/eu/chargetime/ocpp/ListenerEvents.java b/ocpp-common/src/main/java/eu/chargetime/ocpp/ListenerEvents.java
index 3e8be78d..a40da3fa 100644
--- a/ocpp-common/src/main/java/eu/chargetime/ocpp/ListenerEvents.java
+++ b/ocpp-common/src/main/java/eu/chargetime/ocpp/ListenerEvents.java
@@ -28,7 +28,7 @@ of this software and associated documentation files (the "Software"), to deal
 import eu.chargetime.ocpp.model.SessionInformation;
 public interface ListenerEvents {
- void authenticateSession(SessionInformation information, String username, byte[] password)
+ void authenticateSession(SessionInformation information, String username, String password)
 throws AuthenticationException;
 void newSession(ISession session, SessionInformation information);
diff --git a/ocpp-common/src/main/java/eu/chargetime/ocpp/Server.java b/ocpp-common/src/main/java/eu/chargetime/ocpp/Server.java
index d62abe93..d8017116 100644
--- a/ocpp-common/src/main/java/eu/chargetime/ocpp/Server.java
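Review bot: the new `password = new String(Arrays.copyOfRange(credDecoded, i + 1, credDecoded.length));` decodes the secret with the platform default charset, while `username` on the line above is decoded with `StandardCharsets.UTF_8`; on a JVM whose default is not UTF-8 a non-ASCII password would be mangled and the length check below would see a different string than the client sent. Pass the charset explicitly: `password = new String(Arrays.copyOfRange(credDecoded, i + 1, credDecoded.length), StandardCharsets.UTF_8);`. Note also that `password.length()` counts UTF-16 code units where the old `password.length` counted bytes, so the MIN/MAX bounds quietly changed meaning for any non-ASCII password; if the bounds are meant in bytes, compare `credDecoded.length - (i + 1)` before converting. The same two issues recur in MultiProtocolWebSocketListener's `@@ -178` and `@@ -186` hunks. `onWebsocketHandshakeReceivedAsServer` starts before this hunk and continues after it.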
+++ b/ocpp-common/src/main/java/eu/chargetime/ocpp/Server.java
@@ -81,7 +81,7 @@ public void open(String hostname, int port, ServerEvents serverEvents) {
 @Override
 public void authenticateSession(
- SessionInformation information, String username, byte[] password)
+ SessionInformation information, String username, String password)
 throws AuthenticationException {
 serverEvents.authenticateSession(information, username, password);
 }
diff --git a/ocpp-common/src/main/java/eu/chargetime/ocpp/ServerEvents.java b/ocpp-common/src/main/java/eu/chargetime/ocpp/ServerEvents.java
index 2e66f0f3..593778d7 100644
--- a/ocpp-common/src/main/java/eu/chargetime/ocpp/ServerEvents.java
+++ b/ocpp-common/src/main/java/eu/chargetime/ocpp/ServerEvents.java
@@ -29,7 +29,7 @@ of this software and associated documentation files (the "Software"), to deal
 import java.util.UUID;
 public interface ServerEvents {
- void authenticateSession(SessionInformation information, String username, byte[] password) throws AuthenticationException;
+ void authenticateSession(SessionInformation information, String username, String password) throws AuthenticationException;
 void newSession(UUID sessionIndex, SessionInformation information);
diff --git a/ocpp-v1_6-test/src/main/java/eu/chargetime/ocpp/test/DummyHandlers.java b/ocpp-v1_6-test/src/main/java/eu/chargetime/ocpp/test/DummyHandlers.java
index 0ec7e850..7db86d05 100644
--- a/ocpp-v1_6-test/src/main/java/eu/chargetime/ocpp/test/DummyHandlers.java
+++ b/ocpp-v1_6-test/src/main/java/eu/chargetime/ocpp/test/DummyHandlers.java
@@ -203,7 +203,7 @@ public ServerEvents generateServerEventsHandler() {
 return new ServerEvents() {
 @Override
 public void authenticateSession(
- SessionInformation information, String username, byte[] password) throws AuthenticationException {}
+ SessionInformation information, String username, String password) throws AuthenticationException {}
 @Override
 public void newSession(UUID sessionIndex, SessionInformation information) {
From fb5d0fb4c9e5cf8e1f14ab97ea5e15422fb441f4 Mon Sep 17 00:00:00 2001
From: rpseng
Date: Tue, 23 Apr 2024 22:14:27 -0300
Subject: [PATCH 5/5] More password fixes.

---
 .../ocpp/MultiProtocolWebSocketListener.java | 12 ++++++------
 .../eu/chargetime/ocpp/test/FakeCentralSystem.java | 2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/ocpp-v2/src/main/java/eu/chargetime/ocpp/MultiProtocolWebSocketListener.java b/ocpp-v2/src/main/java/eu/chargetime/ocpp/MultiProtocolWebSocketListener.java
index 47c37fe4..0b0762f1 100644
--- a/ocpp-v2/src/main/java/eu/chargetime/ocpp/MultiProtocolWebSocketListener.java
+++ b/ocpp-v2/src/main/java/eu/chargetime/ocpp/MultiProtocolWebSocketListener.java
@@ -165,7 +165,7 @@ public ServerHandshakeBuilder onWebsocketHandshakeReceivedAsServer(
 .build();
 String username = null;
- byte[] password = null;
+ String password = null;
 if (clientHandshake.hasFieldValue("Authorization")) {
 String authorization = clientHandshake.getFieldValue("Authorization");
 if (authorization != null && authorization.toLowerCase().startsWith("basic")) {
@@ -178,7 +178,7 @@ public ServerHandshakeBuilder onWebsocketHandshakeReceivedAsServer(
 username = new String(Arrays.copyOfRange(credDecoded, 0, i), StandardCharsets.UTF_8);
 if (i + 1 < credDecoded.length) {
- password = Arrays.copyOfRange(credDecoded, i + 1, credDecoded.length);
+ password = new String(Arrays.copyOfRange(credDecoded, i + 1, credDecoded.length));
 }
 break;
 }
@@ -186,13 +186,13 @@ public ServerHandshakeBuilder onWebsocketHandshakeReceivedAsServer(
 }
 if (protocolVersion == null || protocolVersion == ProtocolVersion.OCPP1_6) {
 if (password == null
- || password.length < configuration.getParameter(JSONConfiguration.OCPPJ_CP_MIN_PASSWORD_LENGTH, OCPPJ_CP_MIN_PASSWORD_LENGTH)
- || password.length > configuration.getParameter(JSONConfiguration.OCPPJ_CP_MAX_PASSWORD_LENGTH, OCPPJ_CP_MAX_PASSWORD_LENGTH))
+ || password.length() < configuration.getParameter(JSONConfiguration.OCPPJ_CP_MIN_PASSWORD_LENGTH, OCPPJ_CP_MIN_PASSWORD_LENGTH)
+ || password.length() > configuration.getParameter(JSONConfiguration.OCPPJ_CP_MAX_PASSWORD_LENGTH, OCPPJ_CP_MAX_PASSWORD_LENGTH))
 throw new InvalidDataException(401, "Invalid password length");
 } else {
 if (password == null
- || password.length < configuration.getParameter(JSONConfiguration.OCPP2J_CP_MIN_PASSWORD_LENGTH, OCPP2J_CP_MIN_PASSWORD_LENGTH)
- || password.length > configuration.getParameter(JSONConfiguration.OCPP2J_CP_MAX_PASSWORD_LENGTH, OCPP2J_CP_MAX_PASSWORD_LENGTH))
+ || password.length() < configuration.getParameter(JSONConfiguration.OCPP2J_CP_MIN_PASSWORD_LENGTH, OCPP2J_CP_MIN_PASSWORD_LENGTH)
+ || password.length() > configuration.getParameter(JSONConfiguration.OCPP2J_CP_MAX_PASSWORD_LENGTH, OCPP2J_CP_MAX_PASSWORD_LENGTH))
 throw new InvalidDataException(401, "Invalid password length");
 }
 }
diff --git a/ocpp-v2_0-test/src/main/java/eu/chargetime/ocpp/test/FakeCentralSystem.java b/ocpp-v2_0-test/src/main/java/eu/chargetime/ocpp/test/FakeCentralSystem.java
index 25cae362..fdcac580 100644
--- a/ocpp-v2_0-test/src/main/java/eu/chargetime/ocpp/test/FakeCentralSystem.java
+++ b/ocpp-v2_0-test/src/main/java/eu/chargetime/ocpp/test/FakeCentralSystem.java
@@ -74,7 +74,7 @@ public void started() throws Exception {
 new ServerEvents() {
 @Override
 public void authenticateSession(
- SessionInformation information, String username, byte[] password) throws AuthenticationException {}
+ SessionInformation information, String username, String password) throws AuthenticationException {}
 @Override
 public void newSession(UUID sessionIndex, SessionInformation information) {