Implement SASL SCRAM SHA 256 PLUS #21
Comments
|
Implementing the PLUS version of SASL SCRAM would be amazing! I tried it once but didn't manage to make it work. Could you please take this file as a reference? https://github.com/igrishaev/pg2/blob/master/pg-core/src/java/org/pg/auth/ScramSha256.java Ideally, your implementation should follow it's structure. It's a static file with methods called step1, step2, etc. Then you reuse that class in the auth pipeline: https://github.com/igrishaev/pg2/blob/master/pg-core/src/java/org/pg/Connection.java#L766 In the "handleAuthenticationSASL" method of the Connection class, you extend the "isScramSha256Plus" branch. |
|
I know that SASL SCRAM PLUS is implemented in Python, Node.JS, and Rust drivers for Postgres. Perhaps you can peek the details from there. |
|
https://github.com/ongres/scram would you be willing to accept a PR that uses this dependency, instead of hand-rolling this auth method? PGJdbc uses the same library. |
|
I'd like to clarify: do you really get an error when connecting a neon.tech-hosted database? I've checked the docs and they say, they use SCRAM 256. They don't mention the PLUS version of the algorithm: https://neon.tech/blog/serverless-driver-for-postgres Could please share an error that appears when connecting the database? |
|
Sure, here you go: Using these connect params: When connecting with psql, this is the SSL connection that's built up: |
|
Grief, they don't allow the standard "SCRAM-SHA-256" algorithm. I spent some time on looking at the library you shared above. In general, implementing our own version of -PLUS algorithm won't be difficult because I already have non-PLUS code working. The real problem is, the -PLUS method accepts something which is called |
|
The most critical part of the code is the following: SSLSession session = ((SSLSocket) socket).getSession();
try {
Certificate[] certificates = session.getPeerCertificates();
if (certificates != null && certificates.length > 0) {
Certificate peerCert = certificates[0]; // First certificate is the peer's certificate
if (peerCert instanceof X509Certificate) {
X509Certificate cert = (X509Certificate) peerCert;
return TlsServerEndpoint.getChannelBindingData(cert);
}
}and here is an excerpt from the library: public static byte @NotNull [] getChannelBindingData(final @NotNull X509Certificate serverCert)
throws CertificateEncodingException {
MessageDigest digestAlgorithm = getDigestAlgorithm(serverCert.getSigAlgName());
if (digestAlgorithm == null) {
return new byte[0];
}
return digestAlgorithm.digest(serverCert.getEncoded());
}If I have this working in PG2, than I'll be able to implement the -PLUS version of SCRUM |
|
I'm going to register a free neon.tech installation and reproduce it locally. Don't know how long it will take, I'll keep posting my updated here. |
|
OK so I've fixed it. There was a bug in the Connection.java class. Although the PLUS method is not implemented yet, the code tried to use it even when the non-PLUS version of SCRAM was available. It was a messy if/else branching. I've setup a database on neon.tech site and managed to reach it from REPL with this config: {:host "ep-fancy-queen-a2kw7zqr.eu-central-1.aws.neon.tech"
:port 5432
:user "test_owner"
:password "<my password>"
:database "test"
:use-ssl? true} ;; mandatory!Could you please try it with the latest release 0.1.19? |
|
@thenonameguy Once you confirm it works, I'll close that issue and will create another one to implement -PLUS version of SCRAM. |
|
Works, thanks so much! |
|
Cool, closing in favor of #22 |
|
@igrishaev: Good job for your commits! Merged commits: Linked to: |
It's currently not possible to connect to neon.tech Postgres databases, for the lack of this support.
I'll have a stab at implementing it, will open a PR.
The text was updated successfully, but these errors were encountered: