Example 1 with ServerFinalMessage
use of org.apache.kafka.common.security.scram.ScramMessages.ServerFinalMessage in project kafka by apache.
the class ScramFormatterTest method rfc7677Example.
/**
* Tests that the formatter implementation produces the same values for the
* example included in <a href="https://tools.ietf.org/html/rfc5802#section-5">RFC 7677</a>
*/
@Test
public void rfc7677Example() throws Exception {
ScramFormatter formatter = new ScramFormatter(ScramMechanism.SCRAM_SHA_256);
String password = "pencil";
String c1 = "n,,n=user,r=rOprNGfwEbeRWgbNEkqO";
String s1 = "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096";
String c2 = "c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=";
String s2 = "v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=";
ClientFirstMessage clientFirst = new ClientFirstMessage(formatter.toBytes(c1));
ServerFirstMessage serverFirst = new ServerFirstMessage(formatter.toBytes(s1));
ClientFinalMessage clientFinal = new ClientFinalMessage(formatter.toBytes(c2));
ServerFinalMessage serverFinal = new ServerFinalMessage(formatter.toBytes(s2));
String username = clientFirst.saslName();
assertEquals("user", username);
String clientNonce = clientFirst.nonce();
assertEquals("rOprNGfwEbeRWgbNEkqO", clientNonce);
String serverNonce = serverFirst.nonce().substring(clientNonce.length());
assertEquals("%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0", serverNonce);
byte[] salt = serverFirst.salt();
assertArrayEquals(DatatypeConverter.parseBase64Binary("W22ZaJ0SNY7soEsUEjb6gQ=="), salt);
int iterations = serverFirst.iterations();
assertEquals(4096, iterations);
byte[] channelBinding = clientFinal.channelBinding();
assertArrayEquals(DatatypeConverter.parseBase64Binary("biws"), channelBinding);
byte[] serverSignature = serverFinal.serverSignature();
assertArrayEquals(DatatypeConverter.parseBase64Binary("6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4="), serverSignature);
byte[] saltedPassword = formatter.saltedPassword(password, salt, iterations);
byte[] serverKey = formatter.serverKey(saltedPassword);
byte[] computedProof = formatter.clientProof(saltedPassword, clientFirst, serverFirst, clientFinal);
assertArrayEquals(clientFinal.proof(), computedProof);
byte[] computedSignature = formatter.serverSignature(serverKey, clientFirst, serverFirst, clientFinal);
assertArrayEquals(serverFinal.serverSignature(), computedSignature);
// Minimum iterations defined in RFC-7677
assertEquals(4096, ScramMechanism.SCRAM_SHA_256.minIterations());
}
Also used :
ClientFinalMessage(org.apache.kafka.common.security.scram.ScramMessages.ClientFinalMessage)
ClientFirstMessage(org.apache.kafka.common.security.scram.ScramMessages.ClientFirstMessage)
ServerFinalMessage(org.apache.kafka.common.security.scram.ScramMessages.ServerFinalMessage)
ServerFirstMessage(org.apache.kafka.common.security.scram.ScramMessages.ServerFirstMessage)
Test(org.junit.Test)
Example 2 with ServerFinalMessage
use of org.apache.kafka.common.security.scram.ScramMessages.ServerFinalMessage in project kafka by apache.
the class ScramSaslClient method evaluateChallenge.
@Override
public byte[] evaluateChallenge(byte[] challenge) throws SaslException {
try {
switch(state) {
case SEND_CLIENT_FIRST_MESSAGE:
if (challenge != null && challenge.length != 0)
throw new SaslException("Expected empty challenge");
clientNonce = formatter.secureRandomString();
NameCallback nameCallback = new NameCallback("Name:");
try {
callbackHandler.handle(new Callback[] { nameCallback });
} catch (IOException | UnsupportedCallbackException e) {
throw new SaslException("User name could not be obtained", e);
}
String username = nameCallback.getName();
String saslName = formatter.saslName(username);
this.clientFirstMessage = new ScramMessages.ClientFirstMessage(saslName, clientNonce);
setState(State.RECEIVE_SERVER_FIRST_MESSAGE);
return clientFirstMessage.toBytes();
case RECEIVE_SERVER_FIRST_MESSAGE:
this.serverFirstMessage = new ServerFirstMessage(challenge);
if (!serverFirstMessage.nonce().startsWith(clientNonce))
throw new SaslException("Invalid server nonce: does not start with client nonce");
if (serverFirstMessage.iterations() < mechanism.minIterations())
throw new SaslException("Requested iterations " + serverFirstMessage.iterations() + " is less than the minimum " + mechanism.minIterations() + " for " + mechanism);
PasswordCallback passwordCallback = new PasswordCallback("Password:", false);
try {
callbackHandler.handle(new Callback[] { passwordCallback });
} catch (IOException | UnsupportedCallbackException e) {
throw new SaslException("User name could not be obtained", e);
}
this.clientFinalMessage = handleServerFirstMessage(passwordCallback.getPassword());
setState(State.RECEIVE_SERVER_FINAL_MESSAGE);
return clientFinalMessage.toBytes();
case RECEIVE_SERVER_FINAL_MESSAGE:
ServerFinalMessage serverFinalMessage = new ServerFinalMessage(challenge);
if (serverFinalMessage.error() != null)
throw new SaslException("Sasl authentication using " + mechanism + " failed with error: " + serverFinalMessage.error());
handleServerFinalMessage(serverFinalMessage.serverSignature());
setState(State.COMPLETE);
return null;
default:
throw new IllegalSaslStateException("Unexpected challenge in Sasl client state " + state);
}
} catch (SaslException e) {
setState(State.FAILED);
throw e;
}
}
Also used :
NameCallback(javax.security.auth.callback.NameCallback)
ServerFinalMessage(org.apache.kafka.common.security.scram.ScramMessages.ServerFinalMessage)
PasswordCallback(javax.security.auth.callback.PasswordCallback)
ServerFirstMessage(org.apache.kafka.common.security.scram.ScramMessages.ServerFirstMessage)
IOException(java.io.IOException)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
IllegalSaslStateException(org.apache.kafka.common.errors.IllegalSaslStateException)
SaslException(javax.security.sasl.SaslException)
Example 3 with ServerFinalMessage
use of org.apache.kafka.common.security.scram.ScramMessages.ServerFinalMessage in project kafka by apache.
the class ScramSaslServer method evaluateResponse.
@Override
public byte[] evaluateResponse(byte[] response) throws SaslException {
try {
switch(state) {
case RECEIVE_CLIENT_FIRST_MESSAGE:
this.clientFirstMessage = new ClientFirstMessage(response);
serverNonce = formatter.secureRandomString();
try {
String saslName = clientFirstMessage.saslName();
this.username = formatter.username(saslName);
NameCallback nameCallback = new NameCallback("username", username);
ScramCredentialCallback credentialCallback = new ScramCredentialCallback();
callbackHandler.handle(new Callback[] { nameCallback, credentialCallback });
this.scramCredential = credentialCallback.scramCredential();
if (scramCredential == null)
throw new SaslException("Authentication failed: Invalid user credentials");
if (scramCredential.iterations() < mechanism.minIterations())
throw new SaslException("Iterations " + scramCredential.iterations() + " is less than the minimum " + mechanism.minIterations() + " for " + mechanism);
this.serverFirstMessage = new ServerFirstMessage(clientFirstMessage.nonce(), serverNonce, scramCredential.salt(), scramCredential.iterations());
setState(State.RECEIVE_CLIENT_FINAL_MESSAGE);
return serverFirstMessage.toBytes();
} catch (IOException | NumberFormatException | UnsupportedCallbackException e) {
throw new SaslException("Authentication failed: Credentials could not be obtained", e);
}
case RECEIVE_CLIENT_FINAL_MESSAGE:
try {
ClientFinalMessage clientFinalMessage = new ClientFinalMessage(response);
verifyClientProof(clientFinalMessage);
byte[] serverKey = scramCredential.serverKey();
byte[] serverSignature = formatter.serverSignature(serverKey, clientFirstMessage, serverFirstMessage, clientFinalMessage);
ServerFinalMessage serverFinalMessage = new ServerFinalMessage(null, serverSignature);
setState(State.COMPLETE);
return serverFinalMessage.toBytes();
} catch (InvalidKeyException e) {
throw new SaslException("Authentication failed: Invalid client final message", e);
}
default:
throw new IllegalSaslStateException("Unexpected challenge in Sasl server state " + state);
}
} catch (SaslException e) {
setState(State.FAILED);
throw e;
}
}
Also used :
ClientFirstMessage(org.apache.kafka.common.security.scram.ScramMessages.ClientFirstMessage)
IOException(java.io.IOException)
IllegalSaslStateException(org.apache.kafka.common.errors.IllegalSaslStateException)
SaslException(javax.security.sasl.SaslException)
InvalidKeyException(java.security.InvalidKeyException)
NameCallback(javax.security.auth.callback.NameCallback)
ClientFinalMessage(org.apache.kafka.common.security.scram.ScramMessages.ClientFinalMessage)
ServerFinalMessage(org.apache.kafka.common.security.scram.ScramMessages.ServerFinalMessage)
ServerFirstMessage(org.apache.kafka.common.security.scram.ScramMessages.ServerFirstMessage)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
Example 4 with ServerFinalMessage
use of org.apache.kafka.common.security.scram.ScramMessages.ServerFinalMessage in project kafka by apache.
the class ScramMessagesTest method validServerFinalMessage.
@Test
public void validServerFinalMessage() throws SaslException {
String serverSignature = randomBytesAsString();
ServerFinalMessage m = new ServerFinalMessage("unknown-user", null);
checkServerFinalMessage(m, "unknown-user", null);
m = new ServerFinalMessage(null, toBytes(serverSignature));
checkServerFinalMessage(m, null, serverSignature);
// Default format used by Kafka clients for successful final message
String str = String.format("v=%s", serverSignature);
m = createScramMessage(ServerFinalMessage.class, str);
checkServerFinalMessage(m, null, serverSignature);
m = new ServerFinalMessage(m.toBytes());
checkServerFinalMessage(m, null, serverSignature);
// Default format used by Kafka clients for final message with error
str = "e=other-error";
m = createScramMessage(ServerFinalMessage.class, str);
checkServerFinalMessage(m, "other-error", null);
m = new ServerFinalMessage(m.toBytes());
checkServerFinalMessage(m, "other-error", null);
// Optional extension
for (String extension : VALID_EXTENSIONS) {
str = String.format("v=%s,%s", serverSignature, extension);
checkServerFinalMessage(createScramMessage(ServerFinalMessage.class, str), null, serverSignature);
}
}
Also used :
ServerFinalMessage(org.apache.kafka.common.security.scram.ScramMessages.ServerFinalMessage)
Test(org.junit.Test)
Aggregations
ServerFinalMessage (org.apache.kafka.common.security.scram.ScramMessages.ServerFinalMessage)4
ServerFirstMessage (org.apache.kafka.common.security.scram.ScramMessages.ServerFirstMessage)3
IOException (java.io.IOException)2
NameCallback (javax.security.auth.callback.NameCallback)2
UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)2
SaslException (javax.security.sasl.SaslException)2
IllegalSaslStateException (org.apache.kafka.common.errors.IllegalSaslStateException)2
ClientFinalMessage (org.apache.kafka.common.security.scram.ScramMessages.ClientFinalMessage)2
ClientFirstMessage (org.apache.kafka.common.security.scram.ScramMessages.ClientFirstMessage)2
Test (org.junit.Test)2
InvalidKeyException (java.security.InvalidKeyException)1
PasswordCallback (javax.security.auth.callback.PasswordCallback)1
