Update dependency SCRAM 3.0 and support channel binding

jorsol · jorsol · commit 351bef77cdcb · 2024-04-06T13:36:56.000+02:00
Signed-off-by: Jorge Solórzano &lt;jorsol@gmail.com&gt;
diff --git a/vertx-pg-client/pom.xml b/vertx-pg-client/pom.xml
@@ -64,8 +64,8 @@
     <!-- sasl scram authentication -->
     <dependency>
       <groupId>com.ongres.scram</groupId>
-      <artifactId>client</artifactId>
-      <version>2.1</version>
+      <artifactId>scram-client</artifactId>
+      <version>3.0</version>
       <optional>true</optional>
     </dependency>
 
diff --git a/vertx-pg-client/src/main/asciidoc/index.adoc b/vertx-pg-client/src/main/asciidoc/index.adoc
@@ -233,30 +233,27 @@ $ PGUSER=user \
 
 === SASL SCRAM-SHA-256 authentication mechanism.
 
-To use the sasl SCRAM-SHA-256 authentication add the following dependency to the _dependencies_ section of your build descriptor:
+To use the SASL `SCRAM-SHA-256` authentication add the following dependency to the _dependencies_ section of your build descriptor:
 
 * Maven (in your `pom.xml`):
 
 [source,xml]
 ----
 <dependency>
   <groupId>com.ongres.scram</groupId>
-  <artifactId>client</artifactId>
-  <version>2.1</version>
+  <artifactId>scram-client</artifactId>
+  <version>3.0</version>
 </dependency>
 ----
 * Gradle (in your `build.gradle` file):
 
 [source,groovy]
 ----
 dependencies {
-  compile 'com.ongres.scram:client:2.1'
+  compile 'com.ongres.scram:scram-client:3.0'
 }
 ----
 
-NOTE: SCRAM-SHA-256-PLUS (added in Postgresql 11) is not supported.
-
-
 include::queries.adoc[leveloffset=1]
 
 == Returning clauses
diff --git a/vertx-pg-client/src/main/java/io/vertx/pgclient/impl/codec/InitCommandCodec.java b/vertx-pg-client/src/main/java/io/vertx/pgclient/impl/codec/InitCommandCodec.java
@@ -57,8 +57,9 @@ public void handleAuthenticationClearTextPassword() {
 
   @Override
   void handleAuthenticationSasl(ByteBuf in) {
-    scramAuthentication = new ScramAuthentication(cmd.username(), cmd.password());
-    encoder.writeScramClientInitialMessage(scramAuthentication.createInitialSaslMessage(in));
+    scramAuthentication = new ScramAuthentication(cmd.username(), cmd.password().toCharArray());
+    encoder.writeScramClientInitialMessage(
+        scramAuthentication.createInitialSaslMessage(in, encoder.channelHandlerContext()));
     encoder.flush();
   }
 
diff --git a/vertx-pg-client/src/main/java/io/vertx/pgclient/impl/codec/PgEncoder.java b/vertx-pg-client/src/main/java/io/vertx/pgclient/impl/codec/PgEncoder.java
@@ -30,7 +30,6 @@
 import io.vertx.sqlclient.impl.RowDesc;
 import io.vertx.sqlclient.impl.command.*;
 
-import java.util.ArrayDeque;
 import java.util.Map;
 
 import static io.vertx.pgclient.impl.util.Util.writeCString;
diff --git a/vertx-pg-client/src/main/java/io/vertx/pgclient/impl/util/ScramAuthentication.java b/vertx-pg-client/src/main/java/io/vertx/pgclient/impl/util/ScramAuthentication.java
@@ -18,31 +18,35 @@
 package io.vertx.pgclient.impl.util;
 
 import java.nio.charset.StandardCharsets;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.List;
 
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLException;
+
 import com.ongres.scram.client.ScramClient;
-import com.ongres.scram.client.ScramSession;
-import com.ongres.scram.common.exception.ScramException;
+import com.ongres.scram.common.StringPreparation;
 import com.ongres.scram.common.exception.ScramInvalidServerSignatureException;
 import com.ongres.scram.common.exception.ScramParseException;
 import com.ongres.scram.common.exception.ScramServerErrorException;
-import com.ongres.scram.common.stringprep.StringPreparations;
+import com.ongres.scram.common.util.TlsServerEndpoint;
 
 import io.netty.buffer.ByteBuf;
+import io.netty.channel.Channel;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.handler.ssl.SslHandler;
 import io.vertx.pgclient.impl.codec.ScramClientInitialMessage;
 
 public class ScramAuthentication {
 
-  private static final String SCRAM_SHA_256 = "SCRAM-SHA-256";
-
   private final String username;
-  private final String password;
-  private ScramSession scramSession;
-  private ScramSession.ClientFinalProcessor clientFinalProcessor;
+  private final char[] password;
+  private ScramClient scramClient;
 
-
-  public ScramAuthentication(String username, String password) {
+  public ScramAuthentication(String username, char[] password) {
     this.username = username;
     this.password = password;
   }
@@ -53,39 +57,37 @@ public ScramAuthentication(String username, String password) {
    * The message includes the name of the selected mechanism, and
    *  an optional Initial Client Response, if the selected mechanism uses that.
    */
-  public ScramClientInitialMessage createInitialSaslMessage(ByteBuf in) {
+  public ScramClientInitialMessage createInitialSaslMessage(ByteBuf in, ChannelHandlerContext ctx) {
     List<String> mechanisms = new ArrayList<>();
 
     while (0 != in.getByte(in.readerIndex())) {
-       String mechanism = Util.readCStringUTF8(in);
-         mechanisms.add(mechanism);
+      String mechanism = Util.readCStringUTF8(in);
+      mechanisms.add(mechanism);
     }
 
     if (mechanisms.isEmpty()) {
       throw new UnsupportedOperationException("SASL Authentication : the server returned no mechanism");
     }
 
-    // SCRAM-SHA-256-PLUS added in postgresql 11 is not supported
-    if (!mechanisms.contains(SCRAM_SHA_256)) {
-        throw new UnsupportedOperationException("SASL Authentication : only SCRAM-SHA-256 is currently supported, server wants " + mechanisms);
-    }
-
-
-    ScramClient scramClient = ScramClient
-          .channelBinding(ScramClient.ChannelBinding.NO)
-          .stringPreparation(StringPreparations.NO_PREPARATION)
-          .selectMechanismBasedOnServerAdvertised(mechanisms.toArray(new String[0]))
-          .setup();
-
-
-    // this user name will be ignored, the user name that was already sent in the startup message is used instead
-    // see https://www.postgresql.org/docs/11/sasl-authentication.html#SASL-SCRAM-SHA-256 §53.3.1
-    scramSession = scramClient.scramSession(this.username);
-
-    return new ScramClientInitialMessage(scramSession.clientFirstMessage(), scramClient.getScramMechanism().getName());
+    byte[] channelBindingData = extractChannelBindingData(ctx);
+    this.scramClient = ScramClient.builder()
+        .advertisedMechanisms(mechanisms)
+        .username(username)
+        .password(password)
+        .stringPreparation(StringPreparation.POSTGRESQL_PREPARATION)
+        .channelBinding(TlsServerEndpoint.TLS_SERVER_END_POINT, channelBindingData)
+        .build();
+
+    // this user name will be ignored, the user name that was already sent in the
+    // startup message is used instead
+    // see
+    // https://www.postgresql.org/docs/11/sasl-authentication.html#SASL-SCRAM-SHA-256
+    // §53.3.1
+
+    return new ScramClientInitialMessage(scramClient.clientFirstMessage().toString(),
+        scramClient.getScramMechanism().getName());
   }
 
-
   /*
    * One or more server-challenge and client-response message will follow.
    * Each server-challenge is sent in an AuthenticationSASLContinue message,
@@ -95,16 +97,13 @@ public ScramClientInitialMessage createInitialSaslMessage(ByteBuf in) {
   public String receiveServerFirstMessage(ByteBuf in)  {
     String serverFirstMessage = in.readCharSequence(in.readableBytes(), StandardCharsets.UTF_8).toString();
 
-    ScramSession.ServerFirstProcessor serverFirstProcessor = null;
     try {
-      serverFirstProcessor = scramSession.receiveServerFirstMessage(serverFirstMessage);
-    } catch (ScramException e) {
+      scramClient.serverFirstMessage(serverFirstMessage);
+    } catch (ScramParseException e) {
       throw new UnsupportedOperationException(e);
     }
 
-    clientFinalProcessor = serverFirstProcessor.clientFinalProcessor(password);
-
-    return clientFinalProcessor.clientFinalMessage();
+    return scramClient.clientFinalMessage().toString();
   }
 
   /*
@@ -119,9 +118,31 @@ public void checkServerFinalMessage(ByteBuf in) {
     String serverFinalMessage = in.readCharSequence(in.readableBytes(), StandardCharsets.UTF_8).toString();
 
     try {
-      clientFinalProcessor.receiveServerFinalMessage(serverFinalMessage);
+      scramClient.serverFinalMessage(serverFinalMessage);
     } catch (ScramParseException | ScramServerErrorException | ScramInvalidServerSignatureException e) {
       throw new UnsupportedOperationException(e);
     }
   }
+
+  private byte[] extractChannelBindingData(ChannelHandlerContext ctx) {
+    Channel channel = ctx.channel();
+    SslHandler handler = channel.pipeline().get(SslHandler.class);
+    if (handler != null) {
+      SSLEngine engine = handler.engine();
+      try {
+        // Get the certificate chain from the session
+        Certificate[] certificates = engine.getSession().getPeerCertificates();
+        if (certificates != null && certificates.length > 0) {
+          Certificate peerCert = certificates[0]; // First certificate is the peer's certificate
+          if (peerCert instanceof X509Certificate) {
+            X509Certificate cert = (X509Certificate) peerCert;
+            return TlsServerEndpoint.getChannelBindingData(cert);
+          }
+        }
+      } catch (CertificateEncodingException | SSLException e) {
+        // IGNORE
+      }
+    }
+    return new byte[0]; // handle as no channel binding available
+  }
 }
