SCRAM v2: adding support for Java7 and SaslPrep - Mailing list pgsql-jdbc

From Álvaro Hernández
Subject SCRAM v2: adding support for Java7 and SaslPrep
Msg-id 8d3e1d34-d6e9-7448-fe38-a11fea2c63c3@ongres.com
List pgsql-jdbc
     Hi list.

     We have been working on significant changes to the SCRAM library 
that is included in the pgJDBC driver. The most notable changes are:

- Moved development to GitLab: https://gitlab.com/ongresinc/scram/

- Added support for Java7, to widen the user base. This meant slight 
changes to the "public facing" API and, as such, the library version is 
bumped to v2.0.

- Added proper support for SaslPrep. The previous implementation only 
supported the "NO PREP" algorithm. This may cause problems with 
usernames and/or passwords that contain varied characters (say tildes, 
accents or general UTF-8 characters). Please note that we believe 
SaslPrep should also be reusable by third parties, and as such it 
has been:
     * Developed on a separate repository: 
https://gitlab.com/ongresinc/stringprep
     * Added as a new (shaded) dependency.

- More tests have been added.


     Since this code works with Java7, we have created 2 PRs: one for 
pgjdbc, one for pgjdbc-jre7. They are for SCRAM version 1.9 (which added 
Java7 but not the stringprep dependency), and we plan to update them to 
the 2.0beta1 version, which is ready as of today. But there are two 
observed problems, where we need your input/coordination. Please check 
the currently submitted PRs:

     * https://github.com/pgjdbc/pgjdbc/pull/1520
     * https://github.com/pgjdbc/pgjdbc-jre7/pull/3

     The PR currently does not pass two CI jobs:

* https://travis-ci.org/pgjdbc/pgjdbc/jobs/552706535: Seems that the 
script failed for some reason not appearing in the job log. Could it be 
restarted?
* https://travis-ci.org/pgjdbc/pgjdbc/jobs/552706542: the build for Java7 
is failing since there is another PR for pgjdbc-jre7 that fixes missing 
dependencies (scram). The only options I see to move on would be to 
ignore this build or to re-run the failed job pointing to the cloned 
repo with the pgjdbc-jre7 patch (maybe doable with a Travis CI custom 
build?). In other words, we have a bit of a chicken-and-egg problem here 
due to the way the pgjdbc / pgjdbc-jre7 split currently works. Ideas are 
welcome.


     Waiting for your comments. Regards,

     Álvaro


P.S. A slightly more detailed changelog follows, FYI:

# Scram 2.0-beta1

- This version replaces the saslprep implementation with a dependency on 
an external library from a separate repository.
The library is our clean-room implementation of stringprep 
(https://tools.ietf.org/html/rfc3454), put in a separate module to allow 
easy extension to other modules that depend on stringprep, such as 
saslprep (https://tools.ietf.org/html/rfc4013). The library source 
code can be found at https://gitlab.com/ongresinc/stringprep.
The stringprep library has been implemented using Apache Velocity to 
generate the code with the rules of each step as they appear in the 
stringprep RFC.

- Added tests of Scram-SaslPrep.
The library contains tests for each rule and for saslprep (the examples 
from https://tools.ietf.org/html/rfc4013).

# Scram 1.9-beta1

The changes included backport the library to work with Java 7 and add a 
standard saslprep implementation.
To do that, it has been necessary to:

- Remove all the Java 8 features.

- Replace the crypto algorithms Base64 encode/decode and 
PBKDF2WithHmacSHA256 (not available in all versions of Java7).
These crypto algorithms have been replaced with some classes from the 
Bouncy Castle project (they can be found in the folder 
common/src/main/java/com/ongres/scram/common/bouncycastle).
Scram has been modified to try first the security provider 
implementations from the JVM and, in case PBKDF2WithHmacSHA256 is not 
available (as for Oracle JRE 7), use the implementation from Bouncy 
Castle.

- Add new tests with SHA-256 (the example from 
https://tools.ietf.org/html/rfc7677).

- Include the standard saslprep algorithm.
The files 
common/src/main/java/com/ongres/scram/common/stringprep/SaslPrep.java and
common/src/test/java/com/ongres/scram/common/stringprep/SaslPrepTest.java 
are copied from the saslprep project developed by Tom Bentley 
(https://github.com/tombentley/saslprep).

- Include saslprep tests (from https://tools.ietf.org/html/4013).


-- 

Alvaro Hernandez


-----------
OnGres



