ChargeTimeEU · TVolden · Nov 4, 2021 · Nov 3, 2021 · Nov 3, 2021 · Nov 3, 2021
diff --git a/OCPP-J/src/main/java/eu/chargetime/ocpp/WebSocketListener.java b/OCPP-J/src/main/java/eu/chargetime/ocpp/WebSocketListener.java
@@ -50,6 +50,8 @@ public class WebSocketListener implements Listener {
 
   private static final int TIMEOUT_IN_MILLIS = 10000;
 
+  private static final int OCPPJ_CP_PASSWORD_LENGTH = 20;
+
   private final ISessionFactory sessionFactory;
   private final List<Draft> drafts;
 
@@ -122,19 +124,25 @@ public ServerHandshakeBuilder onWebsocketHandshakeReceivedAsServer(WebSocket web
                             .InternetAddress(webSocket.getRemoteSocketAddress())
                             .build();
 
-            String username = null, password = null;
+            byte[] username = null, password = null;
             if (clientHandshake.hasFieldValue("Authorization")) {
               String authorization = clientHandshake.getFieldValue("Authorization");
               if (authorization != null && authorization.toLowerCase().startsWith("basic")) {
                 // Authorization: Basic base64credentials
                 String base64Credentials = authorization.substring("Basic".length()).trim();
                 byte[] credDecoded = Base64.getDecoder().decode(base64Credentials);
-                String credentials = new String(credDecoded, StandardCharsets.UTF_8);
-                // credentials = username:password
-                final String[] values = credentials.split(":", 2);
-                if (values.length >= 1) username = values[0];
-                if (values.length >= 2) password = values[1];
+                // split credentials on username and password
+                for (int i = 0; i < credDecoded.length; i++) {
+                  if (credDecoded[i] == ':') {
+                    username = Arrays.copyOfRange(credDecoded, 0, i);
+                    if (i != credDecoded.length - 1) {
+                      password = Arrays.copyOfRange(credDecoded, i + 1, credDecoded.length);
+                    }
+                    break;
+                  }
+                }
               }
+              if (password == null || password.length != OCPPJ_CP_PASSWORD_LENGTH) throw new InvalidDataException(401, "Invalid password length");
             }
 
             try {

diff --git a/ocpp-common/src/main/java/eu/chargetime/ocpp/ListenerEvents.java b/ocpp-common/src/main/java/eu/chargetime/ocpp/ListenerEvents.java
@@ -28,6 +28,6 @@ of this software and associated documentation files (the "Software"), to deal
 import eu.chargetime.ocpp.model.SessionInformation;
 
 public interface ListenerEvents {
-  void authenticateSession(SessionInformation information, String username, String password) throws AuthenticationException;
+  void authenticateSession(SessionInformation information, byte[] username, byte[] password) throws AuthenticationException;
   void newSession(ISession session, SessionInformation information);
 }
diff --git a/ocpp-common/src/main/java/eu/chargetime/ocpp/Server.java b/ocpp-common/src/main/java/eu/chargetime/ocpp/Server.java
@@ -83,7 +83,7 @@ public void open(String hostname, int port, ServerEvents serverEvents) {
         new ListenerEvents() {
 
           @Override
-          public void authenticateSession(SessionInformation information, String username, String password) throws AuthenticationException {
+          public void authenticateSession(SessionInformation information, byte[] username, byte[] password) throws AuthenticationException {
             serverEvents.authenticateSession(information, username, password);
           }
 

diff --git a/ocpp-common/src/main/java/eu/chargetime/ocpp/ServerEvents.java b/ocpp-common/src/main/java/eu/chargetime/ocpp/ServerEvents.java
@@ -29,7 +29,7 @@ of this software and associated documentation files (the "Software"), to deal
 import java.util.UUID;
 
 public interface ServerEvents {
-  void authenticateSession(SessionInformation information, String username, String password) throws AuthenticationException;
+  void authenticateSession(SessionInformation information, byte[] username, byte[] password) throws AuthenticationException;
 
   void newSession(UUID sessionIndex, SessionInformation information);
 

diff --git a/ocpp-v1_6-test/src/main/java/eu/chargetime/ocpp/test/DummyHandlers.java b/ocpp-v1_6-test/src/main/java/eu/chargetime/ocpp/test/DummyHandlers.java
@@ -26,6 +26,7 @@ of this software and associated documentation files (the "Software"), to deal
    SOFTWARE.
 */
 
+import eu.chargetime.ocpp.AuthenticationException;
 import eu.chargetime.ocpp.ServerEvents;
 import eu.chargetime.ocpp.feature.profile.ServerCoreEventHandler;
 import eu.chargetime.ocpp.feature.profile.ServerFirmwareManagementEventHandler;
@@ -162,6 +163,9 @@ public FirmwareStatusNotificationConfirmation handleFirmwareStatusNotificationRe
 
   public ServerEvents generateServerEventsHandler() {
     return new ServerEvents() {
+      @Override
+      public void authenticateSession(SessionInformation information, byte[] username, byte[] password) throws AuthenticationException {}
+
       @Override
       public void newSession(UUID sessionIndex, SessionInformation information) {
         currentSessionIndex = sessionIndex;

diff --git a/ocpp-v2_0-test/src/main/java/eu/chargetime/ocpp/test/FakeCentralSystem.java b/ocpp-v2_0-test/src/main/java/eu/chargetime/ocpp/test/FakeCentralSystem.java
@@ -65,6 +65,9 @@ public void started() throws Exception {
           host,
           port,
           new ServerEvents() {
+            @Override
+            public void authenticateSession(SessionInformation information, byte[] username, byte[] password) throws AuthenticationException {}
+
             @Override
             public void newSession(UUID sessionIndex, SessionInformation information) {
               currentSession = sessionIndex;