From f96f49e886b9cfc2acf43899f7364b11f1a1ae8b Mon Sep 17 00:00:00 2001 From: Arturo Bernal Date: Fri, 29 Nov 2024 18:30:26 +0100 Subject: [PATCH] Add SCRAM-SHA-256 (RFC 7804) Implements HTTP SCRAM with SCRAM-SHA-256 per RFC 7804 and SCRAM mechanics per RFC 5802/7677. --- .../client5/http/auth/StandardAuthScheme.java | 8 + .../impl/DefaultAuthenticationStrategy.java | 9 +- .../hc/client5/http/impl/ScramException.java | 73 ++ .../http/impl/async/H2AsyncClientBuilder.java | 2 + .../impl/async/HttpAsyncClientBuilder.java | 2 + .../hc/client5/http/impl/auth/SaslPrep.java | 489 +++++++++++++ .../http/impl/auth/ScramExtension.java | 59 ++ .../client5/http/impl/auth/ScramScheme.java | 684 ++++++++++++++++++ .../http/impl/auth/ScramSchemeFactory.java | 62 ++ .../http/impl/classic/HttpClientBuilder.java | 2 + .../http/impl/classic/ProxyClient.java | 2 + .../client5/http/impl/auth/SaslPrepTest.java | 104 +++ .../http/impl/auth/TestScramScheme.java | 509 +++++++++++++ 13 files changed, 2001 insertions(+), 4 deletions(-) create mode 100644 httpclient5/src/main/java/org/apache/hc/client5/http/impl/ScramException.java create mode 100644 httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/SaslPrep.java create mode 100644 httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/ScramExtension.java create mode 100644 httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/ScramScheme.java create mode 100644 httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/ScramSchemeFactory.java create mode 100644 httpclient5/src/test/java/org/apache/hc/client5/http/impl/auth/SaslPrepTest.java create mode 100644 httpclient5/src/test/java/org/apache/hc/client5/http/impl/auth/TestScramScheme.java diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/auth/StandardAuthScheme.java b/httpclient5/src/main/java/org/apache/hc/client5/http/auth/StandardAuthScheme.java index 1345282c0b..4d7d34b7ea 100644 --- a/httpclient5/src/main/java/org/apache/hc/client5/http/auth/StandardAuthScheme.java +++ b/httpclient5/src/main/java/org/apache/hc/client5/http/auth/StandardAuthScheme.java @@ -82,4 +82,12 @@ private StandardAuthScheme() { @Deprecated public static final String KERBEROS = "Kerberos"; + + /** + * SCRAM with SHA-256 as defined by RFC 7804 / RFC 7677. + * + * @since 5.6 + */ + public static final String SCRAM_SHA_256 = "SCRAM-SHA-256"; + } diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/DefaultAuthenticationStrategy.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/DefaultAuthenticationStrategy.java index 9409d6cfa4..ba480f3f03 100644 --- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/DefaultAuthenticationStrategy.java +++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/DefaultAuthenticationStrategy.java @@ -67,10 +67,11 @@ public class DefaultAuthenticationStrategy implements AuthenticationStrategy { public static final DefaultAuthenticationStrategy INSTANCE = new DefaultAuthenticationStrategy(); private static final List DEFAULT_SCHEME_PRIORITY = - Collections.unmodifiableList(Arrays.asList( - StandardAuthScheme.BEARER, - StandardAuthScheme.DIGEST, - StandardAuthScheme.BASIC)); + Collections.unmodifiableList(Arrays.asList( + StandardAuthScheme.BEARER, + StandardAuthScheme.SCRAM_SHA_256, + StandardAuthScheme.DIGEST, + StandardAuthScheme.BASIC)); protected List getSchemePriority() { return DEFAULT_SCHEME_PRIORITY; diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/ScramException.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/ScramException.java new file mode 100644 index 0000000000..a53184c49d --- /dev/null +++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/ScramException.java @@ -0,0 +1,73 @@ +/* + * ==================================================================== + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * ==================================================================== + * + * This software consists of voluntary contributions made by many + * individuals on behalf of the Apache Software Foundation. For more + * information on the Apache Software Foundation, please see + * . + * + */ + +package org.apache.hc.client5.http.impl; + +import org.apache.hc.client5.http.auth.AuthenticationException; + +/** + * Represents an exception that occurs during SCRAM (Salted Challenge Response Authentication Mechanism) authentication. + *

+ * SCRAM is a family of SASL mechanisms used for secure authentication. This exception is thrown when + * an error or issue is encountered during the SCRAM authentication process. + *

+ * + * @since 5.6 + */ +public class ScramException extends AuthenticationException { + + private static final long serialVersionUID = 2491660491058647342L; + + /** + * Constructs a new {@code ScramException} with {@code null} as its detail message. + * The cause is not initialized and may be subsequently initialized by a call to {@link #initCause}. + */ + public ScramException() { + super(); + } + + /** + * Constructs a new {@code ScramException} with the specified detail message. + * The cause is not initialized and may be subsequently initialized by a call to {@link #initCause}. + * + * @param message the detail message, saved for later retrieval by the {@link #getMessage()} method. + */ + public ScramException(final String message) { + super(message); + } + + /** + * Constructs a new {@code ScramException} with the specified detail message and cause. + * + * @param message the detail message, saved for later retrieval by the {@link #getMessage()} method. + * @param cause the cause, saved for later retrieval by the {@link #getCause()} method. + * A {@code null} value indicates that the cause is nonexistent or unknown. + */ + public ScramException(final String message, final Throwable cause) { + super(message, cause); + } +} \ No newline at end of file diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/H2AsyncClientBuilder.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/H2AsyncClientBuilder.java index 37174b457b..c171e695a4 100644 --- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/H2AsyncClientBuilder.java +++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/H2AsyncClientBuilder.java @@ -60,6 +60,7 @@ import org.apache.hc.client5.http.impl.auth.BasicSchemeFactory; import org.apache.hc.client5.http.impl.auth.BearerSchemeFactory; import org.apache.hc.client5.http.impl.auth.DigestSchemeFactory; +import org.apache.hc.client5.http.impl.auth.ScramSchemeFactory; import org.apache.hc.client5.http.impl.auth.SystemDefaultCredentialsProvider; import org.apache.hc.client5.http.impl.nio.MultihomeConnectionInitiator; import org.apache.hc.client5.http.impl.routing.DefaultRoutePlanner; @@ -898,6 +899,7 @@ public CloseableHttpAsyncClient build() { .register(StandardAuthScheme.BASIC, BasicSchemeFactory.INSTANCE) .register(StandardAuthScheme.DIGEST, DigestSchemeFactory.INSTANCE) .register(StandardAuthScheme.BEARER, BearerSchemeFactory.INSTANCE) + .register(StandardAuthScheme.SCRAM_SHA_256, ScramSchemeFactory.INSTANCE) .build(); } Lookup cookieSpecRegistryCopy = this.cookieSpecRegistry; diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java index 028604744e..be87bb5a85 100644 --- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java +++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java @@ -69,6 +69,7 @@ import org.apache.hc.client5.http.impl.auth.BasicSchemeFactory; import org.apache.hc.client5.http.impl.auth.BearerSchemeFactory; import org.apache.hc.client5.http.impl.auth.DigestSchemeFactory; +import org.apache.hc.client5.http.impl.auth.ScramSchemeFactory; import org.apache.hc.client5.http.impl.auth.SystemDefaultCredentialsProvider; import org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManagerBuilder; import org.apache.hc.client5.http.impl.routing.DefaultProxyRoutePlanner; @@ -1172,6 +1173,7 @@ public CloseableHttpAsyncClient build() { .register(StandardAuthScheme.BASIC, BasicSchemeFactory.INSTANCE) .register(StandardAuthScheme.DIGEST, DigestSchemeFactory.INSTANCE) .register(StandardAuthScheme.BEARER, BearerSchemeFactory.INSTANCE) + .register(StandardAuthScheme.SCRAM_SHA_256, ScramSchemeFactory.INSTANCE) .build(); } Lookup cookieSpecRegistryCopy = this.cookieSpecRegistry; diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/SaslPrep.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/SaslPrep.java new file mode 100644 index 0000000000..82786f6182 --- /dev/null +++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/SaslPrep.java @@ -0,0 +1,489 @@ +/* + * ==================================================================== + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * ==================================================================== + * + * This software consists of voluntary contributions made by many + * individuals on behalf of the Apache Software Foundation. For more + * information on the Apache Software Foundation, please see + * . + * + */ + +package org.apache.hc.client5.http.impl.auth; + +import java.text.Normalizer; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; +import java.util.Map; +import java.util.SortedMap; +import java.util.TreeMap; + +import org.apache.hc.client5.http.impl.ScramException; +import org.conscrypt.Internal; + +@Internal +class SaslPrep { + + public static final SaslPrep INSTANCE = new SaslPrep(); + + private static class CharClass { + private final List tupleStart = new ArrayList<>(); + private final List tupleCount = new ArrayList<>(); + + private static CharClass fromList(final int[] charMap) { + final SortedMap mapping = new TreeMap<>(); + for (final int j : charMap) { + mapping.put(j, 1); + } + + return new CharClass(mapping); + } + + private static CharClass fromRanges(final int[] charMap) { + // There must be an even number of tuples in RANGES tables. + if ((charMap.length % 2) != 0) { + throw new IllegalArgumentException("Invalid character list size"); + } + final SortedMap mapping = new TreeMap<>(); + for (int i = 0; i < charMap.length; i += 2) { + final int start = charMap[i]; + final int end = charMap[i + 1]; + final int count = end - start + 1; + mapping.put(start, count); + } + + return new CharClass(mapping); + } + + private static CharClass fromClasses(final CharClass... classes) { + final SortedMap mapping = new TreeMap<>(); + for (final CharClass charClass : classes) { + for (int i = 0; i < charClass.tupleStart.size(); ++i) { + final int start = charClass.tupleStart.get(i); + final int count = charClass.tupleCount.get(i); + mapping.put(start, count); + } + } + + return new CharClass(mapping); + } + + private CharClass(final SortedMap mappings) { + for (final Map.Entry pair : mappings.entrySet()) { + final int start = pair.getKey(); + final int count = pair.getValue(); + + // Coalesce overlapping ranges. + if (!tupleStart.isEmpty()) { + final int prevIndex = tupleStart.size() - 1; + final int prevStart = tupleStart.get(prevIndex); + final int prevCount = tupleCount.get(prevIndex); + if (prevStart + prevCount >= start) { + final int endPos = start + count; + final int newCount = endPos - prevStart; + tupleCount.set(prevIndex, newCount); + continue; + } + } + + tupleStart.add(start); + tupleCount.add(count); + } + } + + private boolean isCharInClass(final int c) { + final int pos = Collections.binarySearch(tupleStart, c); + + if (pos >= 0) { + return true; + } + + final int insertionPoint = -pos - 1; + + if (insertionPoint == 0) { + return false; + } + + // Otherwise, check if `c` lies within the preceding range. + final int rangeIndex = insertionPoint - 1; + + final int rangeStart = tupleStart.get(rangeIndex); + final int rangeCount = tupleCount.get(rangeIndex); + + // Check if `c` lies within this range. + return c >= rangeStart && c < (rangeStart + rangeCount); + } + } + + + /** + * A.1 Unassigned code points in Unicode 3.2 + */ + private final CharClass A1 = CharClass.fromRanges(new int[]{ + 0x0221, 0x0221, 0x0234, 0x024F, 0x02AE, 0x02AF, 0x02EF, 0x02FF, 0x0350, 0x035F, 0x0370, 0x0373, + 0x0376, 0x0379, 0x037B, 0x037D, 0x037F, 0x0383, 0x038B, 0x038B, 0x038D, 0x038D, 0x03A2, 0x03A2, + 0x03CF, 0x03CF, 0x03F7, 0x03FF, 0x0487, 0x0487, 0x04CF, 0x04CF, 0x04F6, 0x04F7, 0x04FA, 0x04FF, + 0x0510, 0x0530, 0x0557, 0x0558, 0x0560, 0x0560, 0x0588, 0x0588, 0x058B, 0x0590, 0x05A2, 0x05A2, + 0x05BA, 0x05BA, 0x05C5, 0x05CF, 0x05EB, 0x05EF, 0x05F5, 0x060B, 0x060D, 0x061A, 0x061C, 0x061E, + 0x0620, 0x0620, 0x063B, 0x063F, 0x0656, 0x065F, 0x06EE, 0x06EF, 0x06FF, 0x06FF, 0x070E, 0x070E, + 0x072D, 0x072F, 0x074B, 0x077F, 0x07B2, 0x0900, 0x0904, 0x0904, 0x093A, 0x093B, 0x094E, 0x094F, + 0x0955, 0x0957, 0x0971, 0x0980, 0x0984, 0x0984, 0x098D, 0x098E, 0x0991, 0x0992, 0x09A9, 0x09A9, + 0x09B1, 0x09B1, 0x09B3, 0x09B5, 0x09BA, 0x09BB, 0x09BD, 0x09BD, 0x09C5, 0x09C6, 0x09C9, 0x09CA, + 0x09CE, 0x09D6, 0x09D8, 0x09DB, 0x09DE, 0x09DE, 0x09E4, 0x09E5, 0x09FB, 0x0A01, 0x0A03, 0x0A04, + 0x0A0B, 0x0A0E, 0x0A11, 0x0A12, 0x0A29, 0x0A29, 0x0A31, 0x0A31, 0x0A34, 0x0A34, 0x0A37, 0x0A37, + 0x0A3A, 0x0A3B, 0x0A3D, 0x0A3D, 0x0A43, 0x0A46, 0x0A49, 0x0A4A, 0x0A4E, 0x0A58, 0x0A5D, 0x0A5D, + 0x0A5F, 0x0A65, 0x0A75, 0x0A80, 0x0A84, 0x0A84, 0x0A8C, 0x0A8C, 0x0A8E, 0x0A8E, 0x0A92, 0x0A92, + 0x0AA9, 0x0AA9, 0x0AB1, 0x0AB1, 0x0AB4, 0x0AB4, 0x0ABA, 0x0ABB, 0x0AC6, 0x0AC6, 0x0ACA, 0x0ACA, + 0x0ACE, 0x0ACF, 0x0AD1, 0x0ADF, 0x0AE1, 0x0AE5, 0x0AF0, 0x0B00, 0x0B04, 0x0B04, 0x0B0D, 0x0B0E, + 0x0B11, 0x0B12, 0x0B29, 0x0B29, 0x0B31, 0x0B31, 0x0B34, 0x0B35, 0x0B3A, 0x0B3B, 0x0B44, 0x0B46, + 0x0B49, 0x0B4A, 0x0B4E, 0x0B55, 0x0B58, 0x0B5B, 0x0B5E, 0x0B5E, 0x0B62, 0x0B65, 0x0B71, 0x0B81, + 0x0B84, 0x0B84, 0x0B8B, 0x0B8D, 0x0B91, 0x0B91, 0x0B96, 0x0B98, 0x0B9B, 0x0B9B, 0x0B9D, 0x0B9D, + 0x0BA0, 0x0BA2, 0x0BA5, 0x0BA7, 0x0BAB, 0x0BAD, 0x0BB6, 0x0BB6, 0x0BBA, 0x0BBD, 0x0BC3, 0x0BC5, + 0x0BC9, 0x0BC9, 0x0BCE, 0x0BD6, 0x0BD8, 0x0BE6, 0x0BF3, 0x0C00, 0x0C04, 0x0C04, 0x0C0D, 0x0C0D, + 0x0C11, 0x0C11, 0x0C29, 0x0C29, 0x0C34, 0x0C34, 0x0C3A, 0x0C3D, 0x0C45, 0x0C45, 0x0C49, 0x0C49, + 0x0C4E, 0x0C54, 0x0C57, 0x0C5F, 0x0C62, 0x0C65, 0x0C70, 0x0C81, 0x0C84, 0x0C84, 0x0C8D, 0x0C8D, + 0x0C91, 0x0C91, 0x0CA9, 0x0CA9, 0x0CB4, 0x0CB4, 0x0CBA, 0x0CBD, 0x0CC5, 0x0CC5, 0x0CC9, 0x0CC9, + 0x0CCE, 0x0CD4, 0x0CD7, 0x0CDD, 0x0CDF, 0x0CDF, 0x0CE2, 0x0CE5, 0x0CF0, 0x0D01, 0x0D04, 0x0D04, + 0x0D0D, 0x0D0D, 0x0D11, 0x0D11, 0x0D29, 0x0D29, 0x0D3A, 0x0D3D, 0x0D44, 0x0D45, 0x0D49, 0x0D49, + 0x0D4E, 0x0D56, 0x0D58, 0x0D5F, 0x0D62, 0x0D65, 0x0D70, 0x0D81, 0x0D84, 0x0D84, 0x0D97, 0x0D99, + 0x0DB2, 0x0DB2, 0x0DBC, 0x0DBC, 0x0DBE, 0x0DBF, 0x0DC7, 0x0DC9, 0x0DCB, 0x0DCE, 0x0DD5, 0x0DD5, + 0x0DD7, 0x0DD7, 0x0DE0, 0x0DF1, 0x0DF5, 0x0E00, 0x0E3B, 0x0E3E, 0x0E5C, 0x0E80, 0x0E83, 0x0E83, + 0x0E85, 0x0E86, 0x0E89, 0x0E89, 0x0E8B, 0x0E8C, 0x0E8E, 0x0E93, 0x0E98, 0x0E98, 0x0EA0, 0x0EA0, + 0x0EA4, 0x0EA4, 0x0EA6, 0x0EA6, 0x0EA8, 0x0EA9, 0x0EAC, 0x0EAC, 0x0EBA, 0x0EBA, 0x0EBE, 0x0EBF, + 0x0EC5, 0x0EC5, 0x0EC7, 0x0EC7, 0x0ECE, 0x0ECF, 0x0EDA, 0x0EDB, 0x0EDE, 0x0EFF, 0x0F48, 0x0F48, + 0x0F6B, 0x0F70, 0x0F8C, 0x0F8F, 0x0F98, 0x0F98, 0x0FBD, 0x0FBD, 0x0FCD, 0x0FCE, 0x0FD0, 0x0FFF, + 0x1022, 0x1022, 0x1028, 0x1028, 0x102B, 0x102B, 0x1033, 0x1035, 0x103A, 0x103F, 0x105A, 0x109F, + 0x10C6, 0x10CF, 0x10F9, 0x10FA, 0x10FC, 0x10FF, 0x115A, 0x115E, 0x11A3, 0x11A7, 0x11FA, 0x11FF, + 0x1207, 0x1207, 0x1247, 0x1247, 0x1249, 0x1249, 0x124E, 0x124F, 0x1257, 0x1257, 0x1259, 0x1259, + 0x125E, 0x125F, 0x1287, 0x1287, 0x1289, 0x1289, 0x128E, 0x128F, 0x12AF, 0x12AF, 0x12B1, 0x12B1, + 0x12B6, 0x12B7, 0x12BF, 0x12BF, 0x12C1, 0x12C1, 0x12C6, 0x12C7, 0x12CF, 0x12CF, 0x12D7, 0x12D7, + 0x12EF, 0x12EF, 0x130F, 0x130F, 0x1311, 0x1311, 0x1316, 0x1317, 0x131F, 0x131F, 0x1347, 0x1347, + 0x135B, 0x1360, 0x137D, 0x139F, 0x13F5, 0x1400, 0x1677, 0x167F, 0x169D, 0x169F, 0x16F1, 0x16FF, + 0x170D, 0x170D, 0x1715, 0x171F, 0x1737, 0x173F, 0x1754, 0x175F, 0x176D, 0x176D, 0x1771, 0x1771, + 0x1774, 0x177F, 0x17DD, 0x17DF, 0x17EA, 0x17FF, 0x180F, 0x180F, 0x181A, 0x181F, 0x1878, 0x187F, + 0x18AA, 0x1DFF, 0x1E9C, 0x1E9F, 0x1EFA, 0x1EFF, 0x1F16, 0x1F17, 0x1F1E, 0x1F1F, 0x1F46, 0x1F47, + 0x1F4E, 0x1F4F, 0x1F58, 0x1F58, 0x1F5A, 0x1F5A, 0x1F5C, 0x1F5C, 0x1F5E, 0x1F5E, 0x1F7E, 0x1F7F, + 0x1FB5, 0x1FB5, 0x1FC5, 0x1FC5, 0x1FD4, 0x1FD5, 0x1FDC, 0x1FDC, 0x1FF0, 0x1FF1, 0x1FF5, 0x1FF5, + 0x1FFF, 0x1FFF, 0x2053, 0x2056, 0x2058, 0x205E, 0x2064, 0x2069, 0x2072, 0x2073, 0x208F, 0x209F, + 0x20B2, 0x20CF, 0x20EB, 0x20FF, 0x213B, 0x213C, 0x214C, 0x2152, 0x2184, 0x218F, 0x23CF, 0x23FF, + 0x2427, 0x243F, 0x244B, 0x245F, 0x24FF, 0x24FF, 0x2614, 0x2615, 0x2618, 0x2618, 0x267E, 0x267F, + 0x268A, 0x2700, 0x2705, 0x2705, 0x270A, 0x270B, 0x2728, 0x2728, 0x274C, 0x274C, 0x274E, 0x274E, + 0x2753, 0x2755, 0x2757, 0x2757, 0x275F, 0x2760, 0x2795, 0x2797, 0x27B0, 0x27B0, 0x27BF, 0x27CF, + 0x27EC, 0x27EF, 0x2B00, 0x2E7F, 0x2E9A, 0x2E9A, 0x2EF4, 0x2EFF, 0x2FD6, 0x2FEF, 0x2FFC, 0x2FFF, + 0x3040, 0x3040, 0x3097, 0x3098, 0x3100, 0x3104, 0x312D, 0x3130, 0x318F, 0x318F, 0x31B8, 0x31EF, + 0x321D, 0x321F, 0x3244, 0x3250, 0x327C, 0x327E, 0x32CC, 0x32CF, 0x32FF, 0x32FF, 0x3377, 0x337A, + 0x33DE, 0x33DF, 0x33FF, 0x33FF, 0x4DB6, 0x4DFF, 0x9FA6, 0x9FFF, 0xA48D, 0xA48F, 0xA4C7, 0xABFF, + 0xD7A4, 0xD7FF, 0xFA2E, 0xFA2F, 0xFA6B, 0xFAFF, 0xFB07, 0xFB12, 0xFB18, 0xFB1C, 0xFB37, 0xFB37, + 0xFB3D, 0xFB3D, 0xFB3F, 0xFB3F, 0xFB42, 0xFB42, 0xFB45, 0xFB45, 0xFBB2, 0xFBD2, 0xFD40, 0xFD4F, + 0xFD90, 0xFD91, 0xFDC8, 0xFDCF, 0xFDFD, 0xFDFF, 0xFE10, 0xFE1F, 0xFE24, 0xFE2F, 0xFE47, 0xFE48, + 0xFE53, 0xFE53, 0xFE67, 0xFE67, 0xFE6C, 0xFE6F, 0xFE75, 0xFE75, 0xFEFD, 0xFEFE, 0xFF00, 0xFF00, + 0xFFBF, 0xFFC1, 0xFFC8, 0xFFC9, 0xFFD0, 0xFFD1, 0xFFD8, 0xFFD9, 0xFFDD, 0xFFDF, 0xFFE7, 0xFFE7, + 0xFFEF, 0xFFF8, + 0x10000, 0x102FF, 0x1031F, 0x1031F, 0x10324, 0x1032F, 0x1034B, 0x103FF, 0x10426, 0x10427, + 0x1044E, 0x1CFFF, 0x1D0F6, 0x1D0FF, 0x1D127, 0x1D129, 0x1D1DE, 0x1D3FF, 0x1D455, 0x1D455, + 0x1D49D, 0x1D49D, 0x1D4A0, 0x1D4A1, 0x1D4A3, 0x1D4A4, 0x1D4A7, 0x1D4A8, 0x1D4AD, 0x1D4AD, + 0x1D4BA, 0x1D4BA, 0x1D4BC, 0x1D4BC, 0x1D4C1, 0x1D4C1, 0x1D4C4, 0x1D4C4, 0x1D506, 0x1D506, + 0x1D50B, 0x1D50C, 0x1D515, 0x1D515, 0x1D51D, 0x1D51D, 0x1D53A, 0x1D53A, 0x1D53F, 0x1D53F, + 0x1D545, 0x1D545, 0x1D547, 0x1D549, 0x1D551, 0x1D551, 0x1D6A4, 0x1D6A7, 0x1D7CA, 0x1D7CD, + 0x1D800, 0x1FFFD, 0x2A6D7, 0x2F7FF, 0x2FA1E, 0x2FFFD, 0x30000, 0x3FFFD, 0x40000, 0x4FFFD, + 0x50000, 0x5FFFD, 0x60000, 0x6FFFD, 0x70000, 0x7FFFD, 0x80000, 0x8FFFD, 0x90000, 0x9FFFD, + 0xA0000, 0xAFFFD, 0xB0000, 0xBFFFD, 0xC0000, 0xCFFFD, 0xD0000, 0xDFFFD, 0xE0000, 0xE0000, + 0xE0002, 0xE001F, 0xE0080, 0xEFFFD, + }); + + /** + * B.1 Commonly mapped to nothing + */ + private final CharClass B1 = CharClass.fromList(new int[]{ + 0x00AD, 0x034F, 0x1806, 0x180B, 0x180C, 0x180D, 0x200B, 0x200C, 0x200D, 0x2060, + 0xFE00, 0xFE01, 0xFE02, 0xFE03, 0xFE04, 0xFE05, 0xFE06, 0xFE07, 0xFE08, 0xFE09, + 0xFE0A, 0xFE0B, 0xFE0C, 0xFE0D, 0xFE0E, 0xFE0F, 0xFEFF, + }); + + /** + * C.1.1 ASCII space characters + */ + private final CharClass C11 = CharClass.fromList(new int[]{ + 0x0020 + }); + + /** + * C.1.2 Non-ASCII space characters + */ + private final CharClass C12 = CharClass.fromList(new int[]{ + 0x00A0, 0x1680, 0x2000, 0x2001, 0x2002, 0x2003, 0x2004, 0x2005, 0x2006, 0x2007, + 0x2008, 0x2009, 0x200A, 0x200B, 0x202F, 0x205F, 0x3000, + }); + + /** + * C.2.1 ASCII control characters + */ + private final CharClass C21 = CharClass.fromList(new int[]{ + 0x0000, 0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x0006, 0x0007, 0x0008, 0x0009, + 0x000A, 0x000B, 0x000C, 0x000D, 0x000E, 0x000F, 0x0010, 0x0011, 0x0012, 0x0013, + 0x0014, 0x0015, 0x0016, 0x0017, 0x0018, 0x0019, 0x001A, 0x001B, 0x001C, 0x001D, + 0x001E, 0x001F, 0x007F + }); + + /** + * C.2.2 Non-ASCII control characters + */ + private final CharClass C22 = CharClass.fromList(new int[]{ + 0x0080, 0x0081, 0x0082, 0x0083, 0x0084, 0x0085, 0x0086, 0x0087, 0x0088, 0x0089, + 0x008A, 0x008B, 0x008C, 0x008D, 0x008E, 0x008F, 0x0090, 0x0091, 0x0092, 0x0093, + 0x0094, 0x0095, 0x0096, 0x0097, 0x0098, 0x0099, 0x009A, 0x009B, 0x009C, 0x009D, + 0x009E, 0x009F, 0x06DD, 0x070F, 0x180E, 0x200C, 0x200D, 0x2028, 0x2029, 0x2060, + 0x2061, 0x2062, 0x2063, 0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F, 0xFEFF, + 0xFFF9, 0xFFFA, 0xFFFB, 0xFFFC, + 0x1D173, 0x1D174, 0x1D175, 0x1D176, 0x1D177, 0x1D178, 0x1D179, 0x1D17A, + }); + + /** + * C.3 Private use + */ + private final CharClass C3 = CharClass.fromRanges(new int[]{ + 0xE000, 0xF8FF, 0xF0000, 0xFFFFD, 0x100000, 0x10FFFD, + }); + + /** + * C.4 Non-character code points + */ + private final CharClass C4 = CharClass.fromRanges(new int[]{ + 0xFDD0, 0xFDEF, 0xFFFE, 0xFFFF, 0x1FFFE, 0x1FFFF, 0x2FFFE, 0x2FFFF, + 0x3FFFE, 0x3FFFF, 0x4FFFE, 0x4FFFF, 0x5FFFE, 0x5FFFF, 0x6FFFE, 0x6FFFF, + 0x7FFFE, 0x7FFFF, 0x8FFFE, 0x8FFFF, 0x9FFFE, 0x9FFFF, 0xAFFFE, 0xAFFFF, + 0xBFFFE, 0xBFFFF, 0xCFFFE, 0xCFFFF, 0xDFFFE, 0xDFFFF, 0xEFFFE, 0xEFFFF, + 0xFFFFE, 0xFFFFF, 0x10FFFE, 0x10FFFF, + }); + + /** + * C.5 Surrogate codes + */ + private final CharClass C5 = CharClass.fromRanges(new int[]{ + 0xD800, 0xDFFF, + }); + + /** + * C.6 Inappropriate for plain text + */ + private final CharClass C6 = CharClass.fromList(new int[]{ + 0xFFF9, 0xFFFA, 0xFFFB, 0xFFFC, 0xFFFD, + }); + + /** + * C.7 Inappropriate for canonical representation + */ + private final CharClass C7 = CharClass.fromList(new int[]{ + 0x2FF0, 0x2FF1, 0x2FF2, 0x2FF3, 0x2FF4, 0x2FF5, 0x2FF6, 0x2FF7, 0x2FF8, 0x2FF9, + 0x2FFA, 0x2FFB, + }); + + /** + * C.8 Change display properties or are deprecated + */ + private final CharClass C8 = CharClass.fromList(new int[]{ + 0x0340, 0x0341, 0x200E, 0x200F, 0x202A, 0x202B, 0x202C, 0x202D, 0x202E, 0x206A, + 0x206B, 0x206C, 0x206D, 0x206E, 0x206F, + }); + + /** + * C.9 Tagging characters (tuples) + */ + private final CharClass C9 = CharClass.fromRanges(new int[]{ + 0xE0001, 0xE0001, 0xE0020, 0xE007F, + }); + + /** + * D.1 Characters with bidirectional property "R" or "AL" + */ + private final CharClass D1 = CharClass.fromRanges(new int[]{ + 0x05BE, 0x05BE, 0x05C0, 0x05C0, 0x05C3, 0x05C3, 0x05D0, 0x05EA, 0x05F0, 0x05F4, + 0x061B, 0x061B, 0x061F, 0x061F, 0x0621, 0x063A, 0x0640, 0x064A, 0x066D, 0x066F, + 0x0671, 0x06D5, 0x06DD, 0x06DD, 0x06E5, 0x06E6, 0x06FA, 0x06FE, 0x0700, 0x070D, + 0x0710, 0x0710, 0x0712, 0x072C, 0x0780, 0x07A5, 0x07B1, 0x07B1, 0x200F, 0x200F, + 0xFB1D, 0xFB1D, 0xFB1F, 0xFB28, 0xFB2A, 0xFB36, 0xFB38, 0xFB3C, 0xFB3E, 0xFB3E, + 0xFB40, 0xFB41, 0xFB43, 0xFB44, 0xFB46, 0xFBB1, 0xFBD3, 0xFD3D, 0xFD50, 0xFD8F, + 0xFD92, 0xFDC7, 0xFDF0, 0xFDFC, 0xFE70, 0xFE74, 0xFE76, 0xFEFC, + }); + + /** + * D.2 Characters with bidirectional property "L" + */ + private final CharClass D2 = CharClass.fromRanges(new int[]{ + 0x0041, 0x005A, 0x0061, 0x007A, 0x00AA, 0x00AA, 0x00B5, 0x00B5, 0x00BA, 0x00BA, 0x00C0, 0x00D6, + 0x00D8, 0x00F6, 0x00F8, 0x0220, 0x0222, 0x0233, 0x0250, 0x02AD, 0x02B0, 0x02B8, 0x02BB, 0x02C1, + 0x02D0, 0x02D1, 0x02E0, 0x02E4, 0x02EE, 0x02EE, 0x037A, 0x037A, 0x0386, 0x0386, 0x0388, 0x038A, + 0x038C, 0x038C, 0x038E, 0x03A1, 0x03A3, 0x03CE, 0x03D0, 0x03F5, 0x0400, 0x0482, 0x048A, 0x04CE, + 0x04D0, 0x04F5, 0x04F8, 0x04F9, 0x0500, 0x050F, 0x0531, 0x0556, 0x0559, 0x055F, 0x0561, 0x0587, + 0x0589, 0x0589, 0x0903, 0x0903, 0x0905, 0x0939, 0x093D, 0x0940, 0x0949, 0x094C, 0x0950, 0x0950, + 0x0958, 0x0961, 0x0964, 0x0970, 0x0982, 0x0983, 0x0985, 0x098C, 0x098F, 0x0990, 0x0993, 0x09A8, + 0x09AA, 0x09B0, 0x09B2, 0x09B2, 0x09B6, 0x09B9, 0x09BE, 0x09C0, 0x09C7, 0x09C8, 0x09CB, 0x09CC, + 0x09D7, 0x09D7, 0x09DC, 0x09DD, 0x09DF, 0x09E1, 0x09E6, 0x09F1, 0x09F4, 0x09FA, 0x0A05, 0x0A0A, + 0x0A0F, 0x0A10, 0x0A13, 0x0A28, 0x0A2A, 0x0A30, 0x0A32, 0x0A33, 0x0A35, 0x0A36, 0x0A38, 0x0A39, + 0x0A3E, 0x0A40, 0x0A59, 0x0A5C, 0x0A5E, 0x0A5E, 0x0A66, 0x0A6F, 0x0A72, 0x0A74, 0x0A83, 0x0A83, + 0x0A85, 0x0A8B, 0x0A8D, 0x0A8D, 0x0A8F, 0x0A91, 0x0A93, 0x0AA8, 0x0AAA, 0x0AB0, 0x0AB2, 0x0AB3, + 0x0AB5, 0x0AB9, 0x0ABD, 0x0AC0, 0x0AC9, 0x0AC9, 0x0ACB, 0x0ACC, 0x0AD0, 0x0AD0, 0x0AE0, 0x0AE0, + 0x0AE6, 0x0AEF, 0x0B02, 0x0B03, 0x0B05, 0x0B0C, 0x0B0F, 0x0B10, 0x0B13, 0x0B28, 0x0B2A, 0x0B30, + 0x0B32, 0x0B33, 0x0B36, 0x0B39, 0x0B3D, 0x0B3E, 0x0B40, 0x0B40, 0x0B47, 0x0B48, 0x0B4B, 0x0B4C, + 0x0B57, 0x0B57, 0x0B5C, 0x0B5D, 0x0B5F, 0x0B61, 0x0B66, 0x0B70, 0x0B83, 0x0B83, 0x0B85, 0x0B8A, + 0x0B8E, 0x0B90, 0x0B92, 0x0B95, 0x0B99, 0x0B9A, 0x0B9C, 0x0B9C, 0x0B9E, 0x0B9F, 0x0BA3, 0x0BA4, + 0x0BA8, 0x0BAA, 0x0BAE, 0x0BB5, 0x0BB7, 0x0BB9, 0x0BBE, 0x0BBF, 0x0BC1, 0x0BC2, 0x0BC6, 0x0BC8, + 0x0BCA, 0x0BCC, 0x0BD7, 0x0BD7, 0x0BE7, 0x0BF2, 0x0C01, 0x0C03, 0x0C05, 0x0C0C, 0x0C0E, 0x0C10, + 0x0C12, 0x0C28, 0x0C2A, 0x0C33, 0x0C35, 0x0C39, 0x0C41, 0x0C44, 0x0C60, 0x0C61, 0x0C66, 0x0C6F, + 0x0C82, 0x0C83, 0x0C85, 0x0C8C, 0x0C8E, 0x0C90, 0x0C92, 0x0CA8, 0x0CAA, 0x0CB3, 0x0CB5, 0x0CB9, + 0x0CBE, 0x0CBE, 0x0CC0, 0x0CC4, 0x0CC7, 0x0CC8, 0x0CCA, 0x0CCB, 0x0CD5, 0x0CD6, 0x0CDE, 0x0CDE, + 0x0CE0, 0x0CE1, 0x0CE6, 0x0CEF, 0x0D02, 0x0D03, 0x0D05, 0x0D0C, 0x0D0E, 0x0D10, 0x0D12, 0x0D28, + 0x0D2A, 0x0D39, 0x0D3E, 0x0D40, 0x0D46, 0x0D48, 0x0D4A, 0x0D4C, 0x0D57, 0x0D57, 0x0D60, 0x0D61, + 0x0D66, 0x0D6F, 0x0D82, 0x0D83, 0x0D85, 0x0D96, 0x0D9A, 0x0DB1, 0x0DB3, 0x0DBB, 0x0DBD, 0x0DBD, + 0x0DC0, 0x0DC6, 0x0DCF, 0x0DD1, 0x0DD8, 0x0DDF, 0x0DF2, 0x0DF4, 0x0E01, 0x0E30, 0x0E32, 0x0E33, + 0x0E40, 0x0E46, 0x0E4F, 0x0E5B, 0x0E81, 0x0E82, 0x0E84, 0x0E84, 0x0E87, 0x0E88, 0x0E8A, 0x0E8A, + 0x0E8D, 0x0E8D, 0x0E94, 0x0E97, 0x0E99, 0x0E9F, 0x0EA1, 0x0EA3, 0x0EA5, 0x0EA5, 0x0EA7, 0x0EA7, + 0x0EAA, 0x0EAB, 0x0EAD, 0x0EB0, 0x0EB2, 0x0EB3, 0x0EBD, 0x0EBD, 0x0EC0, 0x0EC4, 0x0EC6, 0x0EC6, + 0x0ED0, 0x0ED9, 0x0EDC, 0x0EDD, 0x0F00, 0x0F17, 0x0F1A, 0x0F34, 0x0F36, 0x0F36, 0x0F38, 0x0F38, + 0x0F3E, 0x0F47, 0x0F49, 0x0F6A, 0x0F7F, 0x0F7F, 0x0F85, 0x0F85, 0x0F88, 0x0F8B, 0x0FBE, 0x0FC5, + 0x0FC7, 0x0FCC, 0x0FCF, 0x0FCF, 0x1000, 0x1021, 0x1023, 0x1027, 0x1029, 0x102A, 0x102C, 0x102C, + 0x1031, 0x1031, 0x1038, 0x1038, 0x1040, 0x1057, 0x10A0, 0x10C5, 0x10D0, 0x10F8, 0x10FB, 0x10FB, + 0x1100, 0x1159, 0x115F, 0x11A2, 0x11A8, 0x11F9, 0x1200, 0x1206, 0x1208, 0x1246, 0x1248, 0x1248, + 0x124A, 0x124D, 0x1250, 0x1256, 0x1258, 0x1258, 0x125A, 0x125D, 0x1260, 0x1286, 0x1288, 0x1288, + 0x128A, 0x128D, 0x1290, 0x12AE, 0x12B0, 0x12B0, 0x12B2, 0x12B5, 0x12B8, 0x12BE, 0x12C0, 0x12C0, + 0x12C2, 0x12C5, 0x12C8, 0x12CE, 0x12D0, 0x12D6, 0x12D8, 0x12EE, 0x12F0, 0x130E, 0x1310, 0x1310, + 0x1312, 0x1315, 0x1318, 0x131E, 0x1320, 0x1346, 0x1348, 0x135A, 0x1361, 0x137C, 0x13A0, 0x13F4, + 0x1401, 0x1676, 0x1681, 0x169A, 0x16A0, 0x16F0, 0x1700, 0x170C, 0x170E, 0x1711, 0x1720, 0x1731, + 0x1735, 0x1736, 0x1740, 0x1751, 0x1760, 0x176C, 0x176E, 0x1770, 0x1780, 0x17B6, 0x17BE, 0x17C5, + 0x17C7, 0x17C8, 0x17D4, 0x17DA, 0x17DC, 0x17DC, 0x17E0, 0x17E9, 0x1810, 0x1819, 0x1820, 0x1877, + 0x1880, 0x18A8, 0x1E00, 0x1E9B, 0x1EA0, 0x1EF9, 0x1F00, 0x1F15, 0x1F18, 0x1F1D, 0x1F20, 0x1F45, + 0x1F48, 0x1F4D, 0x1F50, 0x1F57, 0x1F59, 0x1F59, 0x1F5B, 0x1F5B, 0x1F5D, 0x1F5D, 0x1F5F, 0x1F7D, + 0x1F80, 0x1FB4, 0x1FB6, 0x1FBC, 0x1FBE, 0x1FBE, 0x1FC2, 0x1FC4, 0x1FC6, 0x1FCC, 0x1FD0, 0x1FD3, + 0x1FD6, 0x1FDB, 0x1FE0, 0x1FEC, 0x1FF2, 0x1FF4, 0x1FF6, 0x1FFC, 0x200E, 0x200E, 0x2071, 0x2071, + 0x207F, 0x207F, 0x2102, 0x2102, 0x2107, 0x2107, 0x210A, 0x2113, 0x2115, 0x2115, 0x2119, 0x211D, + 0x2124, 0x2124, 0x2126, 0x2126, 0x2128, 0x2128, 0x212A, 0x212D, 0x212F, 0x2131, 0x2133, 0x2139, + 0x213D, 0x213F, 0x2145, 0x2149, 0x2160, 0x2183, 0x2336, 0x237A, 0x2395, 0x2395, 0x249C, 0x24E9, + 0x3005, 0x3007, 0x3021, 0x3029, 0x3031, 0x3035, 0x3038, 0x303C, 0x3041, 0x3096, 0x309D, 0x309F, + 0x30A1, 0x30FA, 0x30FC, 0x30FF, 0x3105, 0x312C, 0x3131, 0x318E, 0x3190, 0x31B7, 0x31F0, 0x321C, + 0x3220, 0x3243, 0x3260, 0x327B, 0x327F, 0x32B0, 0x32C0, 0x32CB, 0x32D0, 0x32FE, 0x3300, 0x3376, + 0x337B, 0x33DD, 0x33E0, 0x33FE, 0x3400, 0x4DB5, 0x4E00, 0x9FA5, 0xA000, 0xA48C, 0xAC00, 0xD7A3, + 0xD800, 0xFA2D, 0xFA30, 0xFA6A, 0xFB00, 0xFB06, 0xFB13, 0xFB17, 0xFF21, 0xFF3A, 0xFF41, 0xFF5A, + 0xFF66, 0xFFBE, 0xFFC2, 0xFFC7, 0xFFCA, 0xFFCF, 0xFFD2, 0xFFD7, 0xFFDA, 0xFFDC, + 0x10300, 0x1031E, 0x10320, 0x10323, 0x10330, 0x1034A, 0x10400, 0x10425, 0x10428, 0x1044D, + 0x1D000, 0x1D0F5, 0x1D100, 0x1D126, 0x1D12A, 0x1D166, 0x1D16A, 0x1D172, 0x1D183, 0x1D184, + 0x1D18C, 0x1D1A9, 0x1D1AE, 0x1D1DD, 0x1D400, 0x1D454, 0x1D456, 0x1D49C, 0x1D49E, 0x1D49F, + 0x1D4A2, 0x1D4A2, 0x1D4A5, 0x1D4A6, 0x1D4A9, 0x1D4AC, 0x1D4AE, 0x1D4B9, 0x1D4BB, 0x1D4BB, + 0x1D4BD, 0x1D4C0, 0x1D4C2, 0x1D4C3, 0x1D4C5, 0x1D505, 0x1D507, 0x1D50A, 0x1D50D, 0x1D514, + 0x1D516, 0x1D51C, 0x1D51E, 0x1D539, 0x1D53B, 0x1D53E, 0x1D540, 0x1D544, 0x1D546, 0x1D546, + 0x1D54A, 0x1D550, 0x1D552, 0x1D6A3, 0x1D6A8, 0x1D7C9, 0x20000, 0x2A6D6, 0x2F800, 0x2FA1D, + 0xF0000, 0xFFFFD, 0x100000, 0x10FFFD, + }); + + /** + * rfc4013 2.3. Prohibited Output + */ + private final CharClass saslProhibited = CharClass.fromClasses(C21, C22, C3, C4, C5, C6, C7, C8, C9); + + + private String applyMapTo(final String s, final CharClass mapFrom, final String mapTo) { + final StringBuilder result = new StringBuilder(); + for (int i = 0; i < s.length(); ) { + final int c = Character.codePointAt(s, i); + final int charCount = Character.charCount(c); + if (mapFrom.isCharInClass(c)) + result.append(mapTo); + else + result.append(s, i, i + charCount); + i += charCount; + } + + return result.toString(); + } + + + /** + * Return the first character index in s which is in {@link CharClass}, or -1 if + * no character is in the class. + */ + private int containsCharacterInClass(final String s, final CharClass charClass) { + for (int i = 0; i < s.length(); ) { + final int c = Character.codePointAt(s, i); + if (charClass.isCharInClass(c)) + return i; + + i += Character.charCount(c); + } + return -1; + } + + + private void verifyRTL(final String s) throws ScramException { + final int containsRAL = containsCharacterInClass(s, D1); + if (containsRAL != -1) { + if (containsCharacterInClass(s, D2) != -1) { + throw new ScramException("String contains both RandALCat and LCat characters, which is not allowed."); + } + if (containsRAL != 0) { + throw new ScramException("String contains RandALCat character but does not start with one, which is required."); + } + // FIX: last code point, not last char + final int lastCp = Character.codePointBefore(s, s.length()); + if (!D1.isCharInClass(lastCp)) { + throw new ScramException("String contains RandALCat character but does not end with one, which is required."); + } + } + } + + + /** + * Apply SASLPrep and return the result. {@code} is treated as a stored string. + */ + public String prepAsStoredString(final String s) throws ScramException { + final String copy = prepAsQueryString(s); + final int idx = containsCharacterInClass(copy, A1); + if (idx != -1) { + throw new ScramException("Stored string contains an unassigned code point at index " + idx + "."); + } + return copy; + } + + + public String prepAsQueryString(final String s) throws ScramException { + String copy = s; + + // 1) Map (REQUIRED) + copy = applyMapTo(copy, B1, ""); // commonly mapped to nothing + copy = applyMapTo(copy, C12, " "); // non-ASCII spaces → ASCII space + + // 2) Normalize (REQUIRED): NFKC (Compatibility Composition) + if (!Normalizer.isNormalized(copy, Normalizer.Form.NFKC)) { + copy = Normalizer.normalize(copy, Normalizer.Form.NFKC); + } + + // 3) Prohibit (REQUIRED) + final int bad = containsCharacterInClass(copy, saslProhibited); + if (bad != -1) { + throw new ScramException( + "The string contains a prohibited character at index " + bad + ", which is not allowed per RFC 4013."); + } + + // 4) BiDi (REQUIRED) — use last code point, not charAt + verifyRTL(copy); // your version that uses codePointBefore() + + return copy; + } + + +} diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/ScramExtension.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/ScramExtension.java new file mode 100644 index 0000000000..1064d1fd5b --- /dev/null +++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/ScramExtension.java @@ -0,0 +1,59 @@ +/* + * ==================================================================== + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * ==================================================================== + * + * This software consists of voluntary contributions made by many + * individuals on behalf of the Apache Software Foundation. For more + * information on the Apache Software Foundation, please see + * . + * + */ +package org.apache.hc.client5.http.impl.auth; + +import org.apache.hc.client5.http.auth.AuthenticationException; +import org.apache.hc.core5.http.protocol.HttpContext; + +/** + * Extension hook for optional SCRAM attributes. + * + * @since 5.6 + */ +public interface ScramExtension { + + /** + * Process an extension attribute. + * + * @param name attribute name + * @param value attribute value or {@code null} + * @param context HTTP context + * @return true if processed, false to ignore + * @throws AuthenticationException on processing error + * @since 5.6 + */ + boolean process(String name, String value, HttpContext context) throws AuthenticationException; + + /** + * Whether this extension supports the given attribute name. + * + * @param name attribute name + * @return true if supported + * @since 5.6 + */ + boolean supports(String name); +} diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/ScramScheme.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/ScramScheme.java new file mode 100644 index 0000000000..1c1224de53 --- /dev/null +++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/ScramScheme.java @@ -0,0 +1,684 @@ +/* + * ==================================================================== + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * ==================================================================== + * + * This software consists of voluntary contributions made by many + * individuals on behalf of the Apache Software Foundation. For more + * information on the Apache Software Foundation, please see + * . + * + */ +package org.apache.hc.client5.http.impl.auth; + +import java.nio.charset.StandardCharsets; +import java.security.GeneralSecurityException; +import java.security.MessageDigest; +import java.security.Principal; +import java.security.SecureRandom; +import java.util.Arrays; +import java.util.Base64; +import java.util.HashMap; +import java.util.LinkedHashMap; +import java.util.List; +import java.util.Locale; +import java.util.Map; + +import javax.crypto.Mac; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.SecretKeySpec; + +import org.apache.hc.client5.http.auth.AuthChallenge; +import org.apache.hc.client5.http.auth.AuthScheme; +import org.apache.hc.client5.http.auth.AuthScope; +import org.apache.hc.client5.http.auth.AuthenticationException; +import org.apache.hc.client5.http.auth.Credentials; +import org.apache.hc.client5.http.auth.CredentialsProvider; +import org.apache.hc.client5.http.auth.MalformedChallengeException; +import org.apache.hc.client5.http.auth.StandardAuthScheme; +import org.apache.hc.client5.http.auth.UsernamePasswordCredentials; +import org.apache.hc.client5.http.protocol.HttpClientContext; +import org.apache.hc.core5.annotation.Contract; +import org.apache.hc.core5.annotation.Experimental; +import org.apache.hc.core5.annotation.ThreadingBehavior; +import org.apache.hc.core5.http.HttpHost; +import org.apache.hc.core5.http.HttpRequest; +import org.apache.hc.core5.http.NameValuePair; +import org.apache.hc.core5.http.protocol.HttpContext; +import org.apache.hc.core5.util.Args; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + + +/** + * Strict HTTP SCRAM client implementing {@code SCRAM-SHA-256} per RFC 7804 + * with SCRAM core per RFC 5802/7677. + *

HTTP SCRAM uses no channel binding (GS2 header {@code "n,,"}; {@code c=biws}).

+ *

Experimental: This API is work in progress and may change without notice in a future release.

+ * + * @since 5.6 + */ +@Contract(threading = ThreadingBehavior.UNSAFE) +@Experimental +public final class ScramScheme implements AuthScheme { + + private static final Logger LOG = LoggerFactory.getLogger(ScramScheme.class); + + // RFC 7804 / RFC 5802 fixed no-CB GS2 header and its base64 value for 'c=' + private static final String GS2_HEADER = "n,,"; + private static final String C_BIND_B64 = "biws"; // base64("n,,") + + private static final Base64.Encoder B64 = Base64.getEncoder().withoutPadding(); + private static final Base64.Decoder B64D = Base64.getDecoder(); + + private enum State { + INIT, + ANNOUNCED, // after 401 challenge without data + CLIENT_FIRST_SENT, // after Authorization with client-first + SERVER_FIRST_RCVD, // after 401 with data (r,s,i) + CLIENT_FINAL_SENT, // after Authorization with client-final (p=...) + COMPLETE, // after 2xx with matching v + FAILED + } + + private final SecureRandom secureRandom; + private final int warnMinIterations; + private final int minIterationsRequired; + + private State state = State.INIT; + private boolean complete; + + private String realm; + private String sid; + + private String username; // SASLprep (query) + private char[] password; // SASLprep (stored), zeroed after use + private Principal principal; + + private String clientNonce; + private String clientFirstBare; + private String serverFirstRaw; + private String serverNonce; + private byte[] salt; + private int iterations; + + // Expected server signature (raw bytes) for constant-time check on Authentication-Info + // (may appear on any final response status code) + private byte[] expectedV; + + /** + * Default policy: warn if {@code i < 4096}, no hard enforcement; SHA-256 only. + * + * @since 5.6 + */ + public ScramScheme() { + this(4096, 0, null); + } + + /** + * Constructor with custom iteration policy. + * + * @param warnMinIterations warn if iteration count is lower than this (0 disables warnings) + * @param minIterationsRequired fail if iteration count is lower than this (0 disables enforcement) + * @param rnd optional secure random source (null uses system default) + * @since 5.6 + */ + public ScramScheme(final int warnMinIterations, final int minIterationsRequired, final SecureRandom rnd) { + this.warnMinIterations = Math.max(0, warnMinIterations); + this.minIterationsRequired = Math.max(0, minIterationsRequired); + this.secureRandom = rnd != null ? rnd : new SecureRandom(); + } + + /** + * Returns textual designation of the scheme. + * + * @since 5.6 + */ + @Override + public String getName() { + return StandardAuthScheme.SCRAM_SHA_256; + } + + /** + * SCRAM is per-request (no connection binding). + * + * @since 5.6 + */ + @Override + public boolean isConnectionBased() { + return false; + } + + /** + * SCRAM must inspect final responses to verify {@code v=} in {@code Authentication-Info}. + * + * @since 5.6 + */ + @Override + public boolean isChallengeExpected() { + return true; + } + + /** + * Legacy entry point: wraps {@link AuthenticationException} as {@link MalformedChallengeException}. + * + * @since 5.6 + */ + @Override + public void processChallenge(final AuthChallenge authChallenge, final HttpContext context) + throws MalformedChallengeException { + try { + processChallenge(null, true, authChallenge, context); + } catch (final AuthenticationException ex) { + throw new MalformedChallengeException(ex.getMessage(), ex); + } + } + + /** + * Handles 401 challenges (with/without {@code data}) and final responses carrying + * {@code Authentication-Info} (any status code). + * + * @since 5.6 + */ + @Override + public void processChallenge( + final HttpHost host, + final boolean challenged, + final AuthChallenge authChallenge, + final HttpContext context) throws MalformedChallengeException, AuthenticationException { + + Args.notNull(context, "HTTP context"); + + if (authChallenge == null) { + if (!challenged) { + // Final response with no Authentication-Info: nothing to do + return; + } + throw new MalformedChallengeException("Null SCRAM challenge"); + } + + final Map params = toParamMap(authChallenge.getParams()); + + if (challenged) { + // --- 401 path (WWW-Authenticate) --- + final String scheme = authChallenge.getSchemeName(); + if (scheme == null || !StandardAuthScheme.SCRAM_SHA_256.equalsIgnoreCase(scheme)) { + throw new MalformedChallengeException("Unexpected scheme: " + scheme); + } + + final String data = params.get("data"); + if (data == null) { + // initial announce (no data) + this.realm = params.get("realm"); + this.state = State.ANNOUNCED; + this.complete = false; + zeroAndClearExpectedV(); + return; + } + + // server-first (data present) + final String decoded = b64ToString(data); + this.serverFirstRaw = decoded; + final Map attrs = parseAttrs(decoded); + + final String r = attrs.get("r"); + final String s = attrs.get("s"); + final String i = attrs.get("i"); + if (r == null || r.isEmpty() || s == null || s.isEmpty() || i == null || i.isEmpty()) { + this.state = State.FAILED; + throw new MalformedChallengeException("SCRAM server-first missing r/s/i"); + } + if (this.clientNonce == null || !r.startsWith(this.clientNonce)) { + this.state = State.FAILED; + throw new AuthenticationException("SCRAM server nonce does not start with client nonce"); + } + + this.sid = params.get("sid"); + try { + this.salt = B64D.decode(s); + if (this.salt.length == 0) { + throw new IllegalArgumentException("empty salt"); + } + } catch (final IllegalArgumentException e) { + this.state = State.FAILED; + throw new MalformedChallengeException("Invalid base64 salt", e); + } + try { + this.iterations = Integer.parseInt(i); + if (this.iterations <= 0) { + throw new NumberFormatException("i<=0"); + } + } catch (final NumberFormatException e) { + this.state = State.FAILED; + throw new MalformedChallengeException("Invalid iteration count", e); + } + + if (this.minIterationsRequired > 0 && this.iterations < this.minIterationsRequired) { + this.state = State.FAILED; + throw new AuthenticationException( + "SCRAM iteration count below required minimum: " + this.iterations + " < " + this.minIterationsRequired); + } + if (this.warnMinIterations > 0 && this.iterations < this.warnMinIterations && LOG.isWarnEnabled()) { + LOG.warn("SCRAM iteration count ({}) lower than recommended ({})", this.iterations, warnMinIterations); + } + + this.serverNonce = r; + this.state = State.SERVER_FIRST_RCVD; + this.complete = false; + zeroAndClearExpectedV(); + return; + } + + // --- final-response path (Authentication-Info on any status) --- + // For Authentication-Info, RFC 7804 does NOT mandate a scheme token; do NOT enforce scheme name here. + final String data = params.get("data"); + if (data == null) { + return; + } + final String decoded = b64ToString(data); + final Map attrs = parseAttrs(decoded); + final String err = attrs.get("e"); + if (err != null) { + this.state = State.FAILED; + if (err.isEmpty()) { + throw new MalformedChallengeException("SCRAM server error attribute 'e' is empty"); + } + throw new AuthenticationException("SCRAM server error: " + err); + } + final String vB64 = attrs.get("v"); + if (vB64 == null) { + return; + } + + // compare 'v' in constant time; treat bad base64 for v as a signature mismatch (tests expect "signature") + final byte[] expected = this.expectedV; + this.expectedV = null; // clear reference early + + byte[] vBytes = null; + boolean match; + try { + vBytes = B64D.decode(vB64); + match = expected != null && MessageDigest.isEqual(expected, vBytes); + } catch (final IllegalArgumentException e) { + match = false; // invalid base64 for v -> treat as mismatch + } finally { + zero(vBytes); + zero(expected); + } + + if (!match) { + this.state = State.FAILED; + throw new MalformedChallengeException("SCRAM server signature mismatch"); + } + this.complete = true; + this.state = State.COMPLETE; + } + + /** + * @since 5.6 + */ + @Override + public boolean isChallengeComplete() { + return this.complete || this.state == State.COMPLETE || this.state == State.FAILED; + } + + /** + * @since 5.6 + */ + @Override + public String getRealm() { + return this.realm; + } + + /** + * Allow response when: + * - INIT (preemptive client-first) — only if creds have been prepared + * - ANNOUNCED (401 without data) + * - SERVER_FIRST_RCVD (ready to send client-final) + * + * @since 5.6 + */ + @Override + public boolean isResponseReady( + final HttpHost host, + final CredentialsProvider credentialsProvider, + final HttpContext context) throws AuthenticationException { + + Args.notNull(credentialsProvider, "Credentials provider"); + + final HttpClientContext clientContext = HttpClientContext.cast(context); + final AuthScope scope = new AuthScope(host, this.realm, getName()); + final Credentials creds = credentialsProvider.getCredentials(scope, clientContext); + if (!(creds instanceof UsernamePasswordCredentials)) { + return false; + } + final UsernamePasswordCredentials up = (UsernamePasswordCredentials) creds; + + // SASLprep: username as query, password as stored + final String preppedUser; + final char[] passChars = up.getUserPassword() != null ? up.getUserPassword().clone() : null; + try { + preppedUser = SaslPrep.INSTANCE.prepAsQueryString(up.getUserName()); + final String preppedPassStr = SaslPrep.INSTANCE.prepAsStoredString( + passChars != null ? new String(passChars) : null); + this.username = preppedUser; + this.password = preppedPassStr != null ? preppedPassStr.toCharArray() : null; + } catch (final Exception e) { + throw new AuthenticationException("SASLprep failed", e); + } finally { + if (passChars != null) { + Arrays.fill(passChars, '\0'); + } + } + + this.principal = new SimplePrincipal(this.username); + + switch (this.state) { + case INIT: // allow preemptive + case ANNOUNCED: + case SERVER_FIRST_RCVD: + return true; + default: + return false; + } + } + + /** + * @since 5.6 + */ + @Override + public String generateAuthResponse( + final HttpHost host, + final HttpRequest request, + final HttpContext context) throws AuthenticationException { + + switch (this.state) { + case INIT: + // Allow preemptive only if credentials were prepared already + if (this.username == null) { + this.state = State.FAILED; + throw new AuthenticationException("SCRAM state out of sequence: INIT without credentials"); + } + return buildClientFirst(); + case ANNOUNCED: + return buildClientFirst(); + case SERVER_FIRST_RCVD: + return buildClientFinalAndExpectV(); + default: + this.state = State.FAILED; + throw new AuthenticationException("SCRAM state out of sequence: " + this.state); + } + } + + /** + * Returns {@link Principal} whose credentials are used. + * + * @since 5.6 + */ + @Override + public Principal getPrincipal() { + return this.principal; + } + + // ---------------- internals ---------------- + + private String buildClientFirst() { + this.clientNonce = genNonce(); + final String escUser = escapeUser(this.username); + this.clientFirstBare = "n=" + escUser + ",r=" + this.clientNonce; + + // RFC 7804: data = base64(GS2 header + client-first-bare) + final String data = stringToB64(GS2_HEADER + this.clientFirstBare); + + final StringBuilder sb = new StringBuilder(64); + sb.append(StandardAuthScheme.SCRAM_SHA_256).append(' '); + if (this.realm != null) { + sb.append("realm=").append(quoteParam(this.realm)).append(", "); + } + sb.append("data=").append(quoteParam(data)); // quoted per RFC 7804 + this.state = State.CLIENT_FIRST_SENT; + this.complete = false; + zeroAndClearExpectedV(); + return sb.toString(); + } + + private String buildClientFinalAndExpectV() throws AuthenticationException { + byte[] salted = null, clientKey = null, storedKey = null, clientSignature = null, + clientProof = null, serverKey = null, serverSignature = null; + + try { + // HTTP SCRAM: no CB -> c=biws + final String clientFinalNoProof = "c=" + C_BIND_B64 + ",r=" + this.serverNonce; + final String authMessage = this.clientFirstBare + "," + this.serverFirstRaw + "," + clientFinalNoProof; + + salted = hiPBKDF2(this.password, this.salt, this.iterations, 32); + clientKey = hmac(salted, "Client Key"); + storedKey = sha256(clientKey); + clientSignature = hmac(storedKey, authMessage); + clientProof = xor(clientKey, clientSignature); + final String pB64 = B64.encodeToString(clientProof); + + serverKey = hmac(salted, "Server Key"); + serverSignature = hmac(serverKey, authMessage); + + // Stash expected v (raw) for constant-time check on 2xx + zeroAndClearExpectedV(); + this.expectedV = serverSignature.clone(); + + final String clientFinal = clientFinalNoProof + ",p=" + pB64; + final String data = stringToB64(clientFinal); + + final StringBuilder sb = new StringBuilder(64); + sb.append(StandardAuthScheme.SCRAM_SHA_256).append(' '); + if (this.sid != null) { + sb.append("sid=").append(quoteParam(this.sid)).append(", "); + } + sb.append("data=").append(quoteParam(data)); // quoted + + this.state = State.CLIENT_FINAL_SENT; + this.complete = false; + return sb.toString(); + } catch (final GeneralSecurityException e) { + this.state = State.FAILED; + throw new AuthenticationException("SCRAM crypto failure", e); + } finally { + if (this.password != null) { + Arrays.fill(this.password, '\0'); + this.password = null; + } + zero(salted); + zero(clientKey); + zero(storedKey); + zero(clientSignature); + zero(clientProof); + zero(serverKey); + // clone held in expectedV + zero(serverSignature); + } + } + + private static void zero(final byte[] a) { + if (a != null) { + Arrays.fill(a, (byte) 0); + } + } + + private void zeroAndClearExpectedV() { + if (this.expectedV != null) { + zero(this.expectedV); + this.expectedV = null; + } + } + + private static Map toParamMap(final List pairs) { + final Map m = new HashMap<>(); + if (pairs != null) { + for (final NameValuePair p : pairs) { + if (p != null && p.getName() != null) { + m.put(p.getName().toLowerCase(Locale.ROOT), p.getValue()); + } + } + } + return m; + } + + // Parse "k=v(,k=v)*" with RFC 5802 escapes: "=2C"/"=2c" -> ",", "=3D"/"=3d" -> "=" + private static Map parseAttrs(final String s) throws MalformedChallengeException { + final Map out = new LinkedHashMap<>(); + int i = 0; + while (i < s.length()) { + if (i + 2 > s.length() || s.charAt(i + 1) != '=') { + throw new MalformedChallengeException("Bad SCRAM attr at index " + i); + } + final String k = String.valueOf(s.charAt(i)); + i += 2; + final StringBuilder v = new StringBuilder(); + while (i < s.length()) { + final char c = s.charAt(i); + if (c == ',') { + i++; + break; + } + if (c == '=' && i + 2 < s.length()) { + final String esc = s.substring(i, i + 3); + if ("=2C".equalsIgnoreCase(esc)) { + v.append(','); + i += 3; + continue; + } + if ("=3D".equalsIgnoreCase(esc)) { + v.append('='); + i += 3; + continue; + } + } + v.append(c); + i++; + } + out.put(k, v.toString()); + } + return out; + } + + private String genNonce() { + final byte[] buf = new byte[16]; + this.secureRandom.nextBytes(buf); + final StringBuilder sb = new StringBuilder(buf.length * 2); + for (final byte b : buf) { + final int v = b & 0xff; + if (v < 0x10) { + sb.append('0'); + } + sb.append(Integer.toHexString(v)); + } + return sb.toString(); + } + + private static String escapeUser(final String user) { + if (user == null) { + // Defensive for tests that skip isResponseReady() before client-first + return ""; + } + final StringBuilder sb = new StringBuilder(user.length() + 8); + for (int i = 0; i < user.length(); i++) { + final char c = user.charAt(i); + if (c == ',') { + sb.append("=2C"); + } else if (c == '=') { + sb.append("=3D"); + } else { + sb.append(c); + } + } + return sb.toString(); + } + + private static String quoteParam(final String v) { + if (v == null) { + return "\"\""; + } + final StringBuilder sb = new StringBuilder(v.length() + 2); + sb.append('"'); + for (int i = 0; i < v.length(); i++) { + final char c = v.charAt(i); + if (c == '\\' || c == '"') { + sb.append('\\'); + } + sb.append(c); + } + sb.append('"'); + return sb.toString(); + } + + private static byte[] hiPBKDF2(final char[] password, final byte[] salt, final int iterations, final int dkLen) + throws GeneralSecurityException { + final PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, dkLen * 8); + return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded(); + } + + private static byte[] hmac(final byte[] key, final String msg) throws GeneralSecurityException { + final Mac mac = Mac.getInstance("HmacSHA256"); + mac.init(new SecretKeySpec(key, "HmacSHA256")); + return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8)); + } + + private static byte[] sha256(final byte[] in) throws GeneralSecurityException { + return MessageDigest.getInstance("SHA-256").digest(in); + } + + private static byte[] xor(final byte[] a, final byte[] b) { + final int len = Math.min(a.length, b.length); + final byte[] out = new byte[len]; + for (int i = 0; i < len; i++) { + out[i] = (byte) (a[i] ^ b[i]); + } + return out; + } + + private static String stringToB64(final String s) { + return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8)); + } + + private static String b64ToString(final String b64) throws MalformedChallengeException { + try { + return new String(B64D.decode(b64), StandardCharsets.UTF_8); + } catch (final IllegalArgumentException e) { + throw new MalformedChallengeException("Bad base64 'data' value", e); + } + } + + private static final class SimplePrincipal implements Principal { + private final String name; + + private SimplePrincipal(final String name) { + this.name = name; + } + + @Override + public String getName() { + return this.name; + } + + @Override + public String toString() { + return this.name; + } + } + +} diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/ScramSchemeFactory.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/ScramSchemeFactory.java new file mode 100644 index 0000000000..b25e0bfa53 --- /dev/null +++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/ScramSchemeFactory.java @@ -0,0 +1,62 @@ +/* + * ==================================================================== + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * ==================================================================== + * + * This software consists of voluntary contributions made by many + * individuals on behalf of the Apache Software Foundation. For more + * information on the Apache Software Foundation, please see + * . + * + */ + +package org.apache.hc.client5.http.impl.auth; + +import org.apache.hc.client5.http.auth.AuthScheme; +import org.apache.hc.client5.http.auth.AuthSchemeFactory; +import org.apache.hc.core5.annotation.Experimental; +import org.apache.hc.core5.http.protocol.HttpContext; + +/** + * Factory for creating instances of {@link ScramScheme}. + * + * @since 5.6 + */ +@Experimental +public final class ScramSchemeFactory implements AuthSchemeFactory { + + /** + * Singleton instance. + */ + public static final ScramSchemeFactory INSTANCE = new ScramSchemeFactory(); + + private ScramSchemeFactory() { + } + + /** + * Creates a new {@link ScramScheme}. + * + * @param context the HTTP context (unused) + * @return a new {@link ScramScheme} instance + * @since 5.6 + */ + @Override + public AuthScheme create(final HttpContext context) { + return new ScramScheme(); + } +} diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/HttpClientBuilder.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/HttpClientBuilder.java index 9d17ff78d7..ef4b2ef4b1 100644 --- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/HttpClientBuilder.java +++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/HttpClientBuilder.java @@ -72,6 +72,7 @@ import org.apache.hc.client5.http.impl.auth.BasicSchemeFactory; import org.apache.hc.client5.http.impl.auth.BearerSchemeFactory; import org.apache.hc.client5.http.impl.auth.DigestSchemeFactory; +import org.apache.hc.client5.http.impl.auth.ScramSchemeFactory; import org.apache.hc.client5.http.impl.auth.SystemDefaultCredentialsProvider; import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder; import org.apache.hc.client5.http.impl.routing.DefaultProxyRoutePlanner; @@ -1077,6 +1078,7 @@ public CloseableHttpClient build() { .register(StandardAuthScheme.BASIC, BasicSchemeFactory.INSTANCE) .register(StandardAuthScheme.DIGEST, DigestSchemeFactory.INSTANCE) .register(StandardAuthScheme.BEARER, BearerSchemeFactory.INSTANCE) + .register(StandardAuthScheme.SCRAM_SHA_256, ScramSchemeFactory.INSTANCE) .build(); } Lookup cookieSpecRegistryCopy = this.cookieSpecRegistry; diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProxyClient.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProxyClient.java index 5d0a6f747b..651f352bb0 100644 --- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProxyClient.java +++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProxyClient.java @@ -47,6 +47,7 @@ import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider; import org.apache.hc.client5.http.impl.auth.BasicSchemeFactory; import org.apache.hc.client5.http.impl.auth.DigestSchemeFactory; +import org.apache.hc.client5.http.impl.auth.ScramSchemeFactory; import org.apache.hc.client5.http.impl.io.ManagedHttpClientConnectionFactory; import org.apache.hc.client5.http.io.ManagedHttpClientConnection; import org.apache.hc.client5.http.protocol.HttpClientContext; @@ -114,6 +115,7 @@ public ProxyClient( this.authSchemeRegistry = RegistryBuilder.create() .register(StandardAuthScheme.BASIC, BasicSchemeFactory.INSTANCE) .register(StandardAuthScheme.DIGEST, DigestSchemeFactory.INSTANCE) + .register(StandardAuthScheme.SCRAM_SHA_256, ScramSchemeFactory.INSTANCE) .build(); this.reuseStrategy = DefaultClientConnectionReuseStrategy.INSTANCE; } diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/impl/auth/SaslPrepTest.java b/httpclient5/src/test/java/org/apache/hc/client5/http/impl/auth/SaslPrepTest.java new file mode 100644 index 0000000000..be7d92f802 --- /dev/null +++ b/httpclient5/src/test/java/org/apache/hc/client5/http/impl/auth/SaslPrepTest.java @@ -0,0 +1,104 @@ +/* + * ==================================================================== + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * ==================================================================== + * + * This software consists of voluntary contributions made by many + * individuals on behalf of the Apache Software Foundation. For more + * information on the Apache Software Foundation, please see + * . + * + */ + +package org.apache.hc.client5.http.impl.auth; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; + +import org.apache.hc.client5.http.impl.ScramException; +import org.junit.jupiter.api.Test; + + +class SaslPrepTest { + + @Test + void testValidString() throws ScramException { + // A valid string with no prohibited or unassigned characters + final String validInput = "ValidTestString123"; + final String result = SaslPrep.INSTANCE.prepAsStoredString(validInput); + assertEquals(validInput, result, "Valid string should pass without modifications."); + } + + @Test + void testStringWithUnassignedCodePoint() { + // A string with an unassigned Unicode code point + final String invalidInput = "Invalid\u0221String"; + final ScramException exception = assertThrows(ScramException.class, () -> { + SaslPrep.INSTANCE.prepAsStoredString(invalidInput); + }); + assertTrue(exception.getMessage().contains("unassigned code point"), "Exception should indicate unassigned code point."); + } + + @Test + void testStringWithProhibitedCharacter() { + // A string with prohibited characters + final String invalidInput = "Invalid\u0000String"; + final ScramException exception = assertThrows(ScramException.class, () -> SaslPrep.INSTANCE.prepAsQueryString(invalidInput)); + assertTrue(exception.getMessage().contains("prohibited character"), "Exception should indicate prohibited character."); + } + + @Test + void testStringWithBidiViolation() { + // A string with bidirectional rule violation + final String invalidInput = "\u0627InvalidString\u0041"; // RandALCat + LCat + final ScramException exception = assertThrows(ScramException.class, () -> SaslPrep.INSTANCE.prepAsQueryString(invalidInput)); + assertTrue(exception.getMessage().contains("RandALCat"), "Exception should indicate Bidi rule violation."); + } + + @Test + void testUnicodeNormalizationFailure() { + // Invalid characters for SASLprep (e.g., unassigned Unicode code points) + final String invalidUsername = "\uFFF9"; // U+FFF9 (interlinear annotation anchor) + final String invalidPassword = "\uFFFA"; // U+FFFA (interlinear annotation separator) + + assertThrows(ScramException.class, + () -> SaslPrep.INSTANCE.prepAsQueryString(invalidUsername), "Invalid username should throw an exception"); + + assertThrows(ScramException.class, + () -> SaslPrep.INSTANCE.prepAsStoredString(invalidPassword), "Invalid password should throw an exception"); + } + + + @Test + void testMixedRandALCatAndLCat() { + // A string with both RandALCat and LCat characters + final String invalidRTLString = "\u0627Invalid\u0041"; // RandALCat + LCat + final ScramException exception = assertThrows(ScramException.class, () -> SaslPrep.INSTANCE.prepAsQueryString(invalidRTLString)); + assertTrue(exception.getMessage().contains("RandALCat"), "Exception should indicate mixed RandALCat and LCat."); + } + + @Test + void testNotEndRandALCat() { + // A string with both RandALCat and LCat characters + final String invalidRTLString = "\u0627\u06270"; + final ScramException exception = assertThrows(ScramException.class, () -> SaslPrep.INSTANCE.prepAsQueryString(invalidRTLString)); + assertTrue(exception.getMessage().contains("RandALCat"), "Exception should indicate mixed RandALCat and LCat."); + } + +} \ No newline at end of file diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/impl/auth/TestScramScheme.java b/httpclient5/src/test/java/org/apache/hc/client5/http/impl/auth/TestScramScheme.java new file mode 100644 index 0000000000..ae383e529b --- /dev/null +++ b/httpclient5/src/test/java/org/apache/hc/client5/http/impl/auth/TestScramScheme.java @@ -0,0 +1,509 @@ +/* + * ==================================================================== + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * ==================================================================== + * + * This software consists of voluntary contributions made by many + * individuals on behalf of the Apache Software Foundation. For more + * information on the Apache Software Foundation, please see + * . + * + */ + +package org.apache.hc.client5.http.impl.auth; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; + +import java.nio.charset.StandardCharsets; +import java.security.GeneralSecurityException; +import java.util.Base64; +import java.util.HashMap; +import java.util.LinkedHashMap; +import java.util.Locale; +import java.util.Map; + +import javax.crypto.Mac; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.SecretKeySpec; + +import org.apache.hc.client5.http.auth.AuthChallenge; +import org.apache.hc.client5.http.auth.AuthScope; +import org.apache.hc.client5.http.auth.AuthenticationException; +import org.apache.hc.client5.http.auth.ChallengeType; +import org.apache.hc.client5.http.auth.MalformedChallengeException; +import org.apache.hc.client5.http.auth.UsernamePasswordCredentials; +import org.apache.hc.client5.http.protocol.HttpClientContext; +import org.apache.hc.core5.http.HttpHost; +import org.apache.hc.core5.http.message.BasicNameValuePair; +import org.junit.jupiter.api.Test; + +final class TestScramScheme { + + private static final HttpHost HOST = new HttpHost("https", "example.test"); + private static final String REALM = "s1"; + private static final String USER = "u"; + private static final String PASS = "p"; + + + static String b64(final byte[] b) { + return Base64.getEncoder().withoutPadding().encodeToString(b); + } + + static byte[] b64d(final String s) { + return Base64.getDecoder().decode(s); + } + + static String b64s(final String s) { + return b64(s.getBytes(StandardCharsets.UTF_8)); + } + + static String deb64s(final String s) { + return new String(b64d(s), StandardCharsets.UTF_8); + } + + static Map parseCsvAttrs(final String s) { + final Map m = new LinkedHashMap<>(); + int i = 0; + while (i < s.length()) { + final int eq = s.indexOf('=', i); + if (eq < 0) break; + final String k = s.substring(i, eq); + i = eq + 1; + final StringBuilder v = new StringBuilder(); + while (i < s.length()) { + final char c = s.charAt(i); + if (c == ',') { + i++; + break; + } + v.append(c); + i++; + } + m.put(k, v.toString()); + } + return m; + } + + static Map splitHeader(final String header) { + // "SCRAM-SHA-256 realm="...", data="..."" -> name/value map (lowercase keys) + final int sp = header.indexOf(' '); + final String params = header.substring(sp + 1); + final Map map = new HashMap<>(); + for (String part : params.split(",")) { + part = part.trim(); + final int eq = part.indexOf('='); + if (eq > 0) { + final String k = part.substring(0, eq).toLowerCase(Locale.ROOT); + String v = part.substring(eq + 1); + if (v.length() >= 2 && v.startsWith("\"") && v.endsWith("\"")) { + v = v.substring(1, v.length() - 1); + } + map.put(k, v); + } + } + return map; + } + + static byte[] pbkdf2(final char[] password, final byte[] salt, final int iter, final int dkLen) + throws GeneralSecurityException { + final PBEKeySpec spec = new PBEKeySpec(password, salt, iter, dkLen * 8); + return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded(); + } + + static byte[] hmac(final byte[] key, final String msg) throws GeneralSecurityException { + final Mac mac = Mac.getInstance("HmacSHA256"); + mac.init(new SecretKeySpec(key, "HmacSHA256")); + return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8)); + } + + + @Test + void strictScram_fullRoundtrip_completes() throws Exception { + final ScramScheme scheme = new ScramScheme(); + final BasicCredentialsProvider creds = new BasicCredentialsProvider(); + creds.setCredentials(new AuthScope(HOST, REALM, scheme.getName()), + new UsernamePasswordCredentials(USER, PASS.toCharArray())); + final HttpClientContext ctx = HttpClientContext.create(); + + // 401 announce (no data) + scheme.processChallenge(HOST, true, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("realm", REALM)), + ctx); + assertTrue(scheme.isResponseReady(HOST, creds, ctx)); + + // Authorization (client-first) + final String authz1 = scheme.generateAuthResponse(HOST, null, ctx); + final Map h1 = splitHeader(authz1); + assertEquals(REALM, h1.get("realm")); + final String clientFirst = deb64s(h1.get("data")); + assertTrue(clientFirst.startsWith("n,,"), "GS2 header missing"); + final String clientFirstBare = clientFirst.substring("n,,".length()); + final Map cf1 = parseCsvAttrs(clientFirstBare); + final String clientNonce = cf1.get("r"); + assertNotNull(clientNonce); + + // 401 server-first + final String saltB64 = b64("salt-256".getBytes(StandardCharsets.UTF_8)); + final int iters = 4096; + final String serverFirst = "r=" + clientNonce + "XYZ,s=" + saltB64 + ",i=" + iters; + scheme.processChallenge(HOST, true, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("sid", "sid-1"), + new BasicNameValuePair("data", b64(serverFirst.getBytes(StandardCharsets.UTF_8)))), + ctx); + + final String authz2 = scheme.generateAuthResponse(HOST, null, ctx); + final Map h2 = splitHeader(authz2); + assertEquals("sid-1", h2.get("sid")); + final String clientFinal = deb64s(h2.get("data")); + final Map cf2 = parseCsvAttrs(clientFinal); + assertEquals("biws", cf2.get("c")); // Base64("n,,") + + final String clientFinalNoProof = "c=" + cf2.get("c") + ",r=" + cf2.get("r"); + final String authMessage = clientFirstBare + "," + serverFirst + "," + clientFinalNoProof; + final byte[] salted = pbkdf2(PASS.toCharArray(), b64d(saltB64), iters, 32); + final byte[] serverKey = hmac(salted, "Server Key"); + final String vB64 = b64(hmac(serverKey, authMessage)); + + scheme.processChallenge(HOST, false, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("data", b64(("v=" + vB64).getBytes(StandardCharsets.UTF_8)))), + ctx); + + assertTrue(scheme.isChallengeComplete()); + } + + @Test + void strictScram_invalidServerNonce_rejectedAt401() throws Exception { + final ScramScheme scheme = new ScramScheme(); + final BasicCredentialsProvider creds = new BasicCredentialsProvider(); + creds.setCredentials(new AuthScope(HOST, REALM, scheme.getName()), + new UsernamePasswordCredentials(USER, PASS.toCharArray())); + final HttpClientContext ctx = HttpClientContext.create(); + + // 401 announce + scheme.processChallenge(HOST, true, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("realm", REALM)), + ctx); + assertTrue(scheme.isResponseReady(HOST, creds, ctx)); + + // Send client-first so the client nonce is generated and state is correct. + // We don't need the header content here. + scheme.generateAuthResponse(HOST, null, ctx); + + // Bad server-first: nonce does NOT start with the client nonce + final String badServerFirst = "r=NOTPREFIXED,s=" + b64("salt".getBytes(StandardCharsets.UTF_8)) + ",i=4096"; + + final AuthenticationException ex = assertThrows(AuthenticationException.class, () -> + scheme.processChallenge(HOST, true, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("data", b64(badServerFirst.getBytes(StandardCharsets.UTF_8)))), + ctx)); + + assertTrue(ex.getMessage().toLowerCase(Locale.ROOT).contains("nonce")); + } + + + @Test + void strictScram_lowIterations_warnsButSucceeds() throws Exception { + final ScramScheme scheme = new ScramScheme(4096, 0, null); // warn only + final BasicCredentialsProvider creds = new BasicCredentialsProvider(); + creds.setCredentials(new AuthScope(HOST, REALM, scheme.getName()), + new UsernamePasswordCredentials(USER, PASS.toCharArray())); + final HttpClientContext ctx = HttpClientContext.create(); + + scheme.processChallenge(HOST, true, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("realm", REALM)), + ctx); + assertTrue(scheme.isResponseReady(HOST, creds, ctx)); + + final String authz1 = scheme.generateAuthResponse(HOST, null, ctx); + final String clientFirstBare = deb64s(splitHeader(authz1).get("data")).substring("n,,".length()); + final String clientNonce = parseCsvAttrs(clientFirstBare).get("r"); + + // server-first with i=1024 (below warn threshold) + final String saltB64 = b64("salt-low".getBytes(StandardCharsets.UTF_8)); + final String serverFirst = "r=" + clientNonce + "Z,s=" + saltB64 + ",i=1024"; + scheme.processChallenge(HOST, true, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("data", b64(serverFirst.getBytes(StandardCharsets.UTF_8)))), + ctx); + + final String authz2 = scheme.generateAuthResponse(HOST, null, ctx); + final String clientFinal = deb64s(splitHeader(authz2).get("data")); + final Map cf = parseCsvAttrs(clientFinal); + final String clientFinalNoProof = "c=" + cf.get("c") + ",r=" + cf.get("r"); + final String authMessage = clientFirstBare + "," + serverFirst + "," + clientFinalNoProof; + + final byte[] salted = pbkdf2(PASS.toCharArray(), b64d(saltB64), 1024, 32); + final byte[] serverKey = hmac(salted, "Server Key"); + final String vB64 = b64(hmac(serverKey, authMessage)); + + // 2xx with v -> success + scheme.processChallenge(HOST, false, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("data", b64(("v=" + vB64).getBytes(StandardCharsets.UTF_8)))), + ctx); + + assertTrue(scheme.isChallengeComplete()); + } + + @Test + void strictScram_minIterations_enforced() throws Exception { + final ScramScheme scheme = new ScramScheme(4096, 4096, null); // hard min 4096 + final BasicCredentialsProvider creds = new BasicCredentialsProvider(); + creds.setCredentials(new AuthScope(HOST, REALM, scheme.getName()), + new UsernamePasswordCredentials(USER, PASS.toCharArray())); + final HttpClientContext ctx = HttpClientContext.create(); + + scheme.processChallenge(HOST, true, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("realm", REALM)), + ctx); + assertTrue(scheme.isResponseReady(HOST, creds, ctx)); + + final String authz1 = scheme.generateAuthResponse(HOST, null, ctx); + final String clientFirstBare = deb64s(splitHeader(authz1).get("data")).substring("n,,".length()); + final String clientNonce = parseCsvAttrs(clientFirstBare).get("r"); + + // server-first with i=1024 (below hard min) -> fail immediately at processChallenge(401) + final String serverFirst = "r=" + clientNonce + "Z,s=" + b64("salt".getBytes(StandardCharsets.UTF_8)) + ",i=1024"; + final AuthenticationException ex = assertThrows(AuthenticationException.class, () -> + scheme.processChallenge(HOST, true, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("data", b64(serverFirst.getBytes(StandardCharsets.UTF_8)))), + ctx)); + assertTrue(ex.getMessage().toLowerCase(Locale.ROOT).contains("iteration")); + } + + @Test + void strictScram_authInfo_mismatchV_fails() throws Exception { + final ScramScheme scheme = new ScramScheme(); + final BasicCredentialsProvider creds = new BasicCredentialsProvider(); + creds.setCredentials(new AuthScope(HOST, REALM, scheme.getName()), + new UsernamePasswordCredentials(USER, PASS.toCharArray())); + final HttpClientContext ctx = HttpClientContext.create(); + + scheme.processChallenge(HOST, true, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("realm", REALM)), + ctx); + assertTrue(scheme.isResponseReady(HOST, creds, ctx)); + + final String authz1 = scheme.generateAuthResponse(HOST, null, ctx); + final String clientFirstBare = deb64s(splitHeader(authz1).get("data")).substring("n,,".length()); + final String clientNonce = parseCsvAttrs(clientFirstBare).get("r"); + + final String serverFirst = "r=" + clientNonce + "Z,s=" + b64("salt".getBytes(StandardCharsets.UTF_8)) + ",i=4096"; + scheme.processChallenge(HOST, true, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("data", b64(serverFirst.getBytes(StandardCharsets.UTF_8)))), + ctx); + + // client-final + scheme.generateAuthResponse(HOST, null, ctx); + + // 2xx with wrong v + final MalformedChallengeException ex = assertThrows(MalformedChallengeException.class, () -> + scheme.processChallenge(HOST, false, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("data", b64("v=WRONG".getBytes(StandardCharsets.UTF_8)))), + ctx)); + assertTrue(ex.getMessage().toLowerCase(Locale.ROOT).contains("signature")); + } + + @Test + void strictScram_authInfo_errorE_fails() throws Exception { + final ScramScheme scheme = new ScramScheme(); + final BasicCredentialsProvider creds = new BasicCredentialsProvider(); + creds.setCredentials(new AuthScope(HOST, REALM, scheme.getName()), + new UsernamePasswordCredentials(USER, PASS.toCharArray())); + final HttpClientContext ctx = HttpClientContext.create(); + + scheme.processChallenge(HOST, true, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("realm", REALM)), + ctx); + assertTrue(scheme.isResponseReady(HOST, creds, ctx)); + + final String authz1 = scheme.generateAuthResponse(HOST, null, ctx); + final String clientFirstBare = deb64s(splitHeader(authz1).get("data")).substring("n,,".length()); + final String clientNonce = parseCsvAttrs(clientFirstBare).get("r"); + + final String serverFirst = "r=" + clientNonce + "Z,s=" + b64("salt".getBytes(StandardCharsets.UTF_8)) + ",i=4096"; + scheme.processChallenge(HOST, true, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("data", b64(serverFirst.getBytes(StandardCharsets.UTF_8)))), + ctx); + + scheme.generateAuthResponse(HOST, null, ctx); + + // 2xx with e= + final AuthenticationException ex = assertThrows(AuthenticationException.class, () -> + scheme.processChallenge(HOST, false, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("data", b64("e=server-fail".getBytes(StandardCharsets.UTF_8)))), + ctx)); + assertTrue(ex.getMessage().contains("server error")); + } + + @Test + void strictScram_badBase64In401Data_isMalformed() { + final ScramScheme scheme = new ScramScheme(); + final HttpClientContext ctx = HttpClientContext.create(); + + final MalformedChallengeException ex = assertThrows(MalformedChallengeException.class, () -> + scheme.processChallenge(HOST, true, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("data", "%%%not-base64%%%")), + ctx)); + assertTrue(ex.getMessage().toLowerCase(Locale.ROOT).contains("base64")); + } + + @Test + void strictScram_missingAttrsInServerFirst_isMalformed() { + final ScramScheme scheme = new ScramScheme(); + final HttpClientContext ctx = HttpClientContext.create(); + + final MalformedChallengeException ex = assertThrows(MalformedChallengeException.class, () -> + scheme.processChallenge(HOST, true, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("data", b64("r=only".getBytes(StandardCharsets.UTF_8)))), + ctx)); + assertTrue(ex.getMessage().toLowerCase(Locale.ROOT).contains("missing")); + } + + @Test + void testPreemptiveAuthentication() throws Exception { + final ScramScheme scheme = new ScramScheme(); + final BasicCredentialsProvider creds = new BasicCredentialsProvider(); + creds.setCredentials(new AuthScope(HOST, REALM, scheme.getName()), + new UsernamePasswordCredentials(USER, PASS.toCharArray())); + final HttpClientContext ctx = HttpClientContext.create(); + + // Test that we can generate a response without receiving a challenge first + assertTrue(scheme.isResponseReady(HOST, creds, ctx)); + final String response = scheme.generateAuthResponse(HOST, null, ctx); + assertNotNull(response); + assertTrue(response.contains("data=")); + } + + @Test + void testNullCredentialsProvider() { + final ScramScheme scheme = new ScramScheme(); + final HttpClientContext ctx = HttpClientContext.create(); + + assertThrows(NullPointerException.class, () -> scheme.isResponseReady(HOST, null, ctx)); + } + + @Test + void testInvalidBase64InAuthInfo() throws Exception { + final ScramScheme scheme = new ScramScheme(); + final BasicCredentialsProvider creds = new BasicCredentialsProvider(); + creds.setCredentials(new AuthScope(HOST, REALM, scheme.getName()), + new UsernamePasswordCredentials(USER, PASS.toCharArray())); + final HttpClientContext ctx = HttpClientContext.create(); + + // Go through the initial flow + scheme.processChallenge(HOST, true, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("realm", REALM)), + ctx); + scheme.generateAuthResponse(HOST, null, ctx); + + // Test with invalid base64 in Authentication-Info + final MalformedChallengeException ex = assertThrows(MalformedChallengeException.class, () -> + scheme.processChallenge(HOST, false, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("data", "invalid-base64")), + ctx)); + assertTrue(ex.getMessage().toLowerCase(Locale.ROOT).contains("base64")); + } + + @Test + void testInvalidStateTransition() throws Exception { + final ScramScheme scheme = new ScramScheme(); + final BasicCredentialsProvider creds = new BasicCredentialsProvider(); + creds.setCredentials(new AuthScope(HOST, REALM, scheme.getName()), + new UsernamePasswordCredentials(USER, PASS.toCharArray())); + final HttpClientContext ctx = HttpClientContext.create(); + + // Try to generate a response without proper state setup + final AuthenticationException ex = assertThrows(AuthenticationException.class, () -> + scheme.generateAuthResponse(HOST, null, ctx)); + assertTrue(ex.getMessage().toLowerCase(Locale.ROOT).contains("sequence")); + } + + @Test + void testEmptyPassword() throws Exception { + final ScramScheme scheme = new ScramScheme(); + final BasicCredentialsProvider creds = new BasicCredentialsProvider(); + creds.setCredentials(new AuthScope(HOST, REALM, scheme.getName()), + new UsernamePasswordCredentials(USER, "".toCharArray())); + final HttpClientContext ctx = HttpClientContext.create(); + + // This should work without throwing exceptions + scheme.processChallenge(HOST, true, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("realm", REALM)), + ctx); + assertTrue(scheme.isResponseReady(HOST, creds, ctx)); + } + + @Test + void testSpecialCharacters() throws Exception { + final ScramScheme scheme = new ScramScheme(); + final BasicCredentialsProvider creds = new BasicCredentialsProvider(); + final String specialUser = "user@domain.com"; + final String specialPass = "p@ssw0rd!"; + creds.setCredentials(new AuthScope(HOST, REALM, scheme.getName()), + new UsernamePasswordCredentials(specialUser, specialPass.toCharArray())); + final HttpClientContext ctx = HttpClientContext.create(); + + // Test the full flow with special characters + scheme.processChallenge(HOST, true, + new AuthChallenge(ChallengeType.TARGET, scheme.getName(), + new BasicNameValuePair("realm", REALM)), + ctx); + assertTrue(scheme.isResponseReady(HOST, creds, ctx)); + + final String response = scheme.generateAuthResponse(HOST, null, ctx); + assertNotNull(response); + assertTrue(response.contains("data=")); + } + + @Test + void testIsConnectionBased() { + final ScramScheme scheme = new ScramScheme(); + assertFalse(scheme.isConnectionBased()); + } + + @Test + void testIsChallengeExpected() { + final ScramScheme scheme = new ScramScheme(); + assertTrue(scheme.isChallengeExpected()); + } +}