[Git][java-team/libscram-java][upstream] New upstream version 3.2
Christoph Berg (@myon)
gitlab at salsa.debian.org
Tue Sep 23 17:19:59 BST 2025
Christoph Berg pushed to branch upstream at Debian Java Maintainers / libscram-java
Commits:
1873213e by Christoph Berg at 2025-09-23T18:13:50+02:00
New upstream version 3.2
- - - - -
22 changed files:
- .github/dependabot.yml
- + .github/workflows/codeql.yml
- .github/workflows/maven.yml
- + .github/workflows/scorecard.yml
- .mvn/maven.config
- .mvn/wrapper/MavenWrapperDownloader.java
- .mvn/wrapper/maven-wrapper.properties
- CHANGELOG.md
- README.md
- + SECURITY.md
- + checks/forbiddenapis.txt
- checks/pmd-ruleset.xml
- coverage-report/pom.xml
- mvnw
- mvnw.cmd
- pom.xml
- scram-client/pom.xml
- scram-client/src/it/jpms-scram-client/pom.xml
- scram-client/src/test/java/com/example/ScramClientTest.java
- scram-common/pom.xml
- scram-common/src/main/java/com/ongres/scram/common/ScramFunctions.java
- scram-parent/pom.xml
Changes:
=====================================
.github/dependabot.yml
=====================================
@@ -5,9 +5,17 @@ updates:
- "/"
- "/scram-client/src/it/jpms-scram-client"
schedule:
- interval: "weekly"
+ interval: "monthly"
+ groups:
+ all-maven-dependencies:
+ patterns:
+ - "*"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
- interval: "weekly"
+ interval: "monthly"
+ groups:
+ all-github-actions:
+ patterns:
+ - "*"
=====================================
.github/workflows/codeql.yml
=====================================
@@ -0,0 +1,71 @@
+name: "CodeQL Advanced"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '42 10 * * 1'
+
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners (GitHub.com only)
+ # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+ runs-on: 'ubuntu-latest'
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: java-kotlin
+ build-mode: manual # This mode only analyzes Java. Set this to 'autobuild' or 'manual' to analyze Kotlin too.
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout at 08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init at 76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ - if: matrix.build-mode == 'manual'
+ name: Set up JDK 21
+ uses: actions/setup-java at dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
+ with:
+ java-version: '21'
+ distribution: 'temurin'
+ cache: maven
+ - if: matrix.build-mode == 'manual'
+ shell: bash
+ run: ./mvnw package -P release -DskipTests -Dmaven.javadoc.skip -Dgpg.skip
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze at 76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8
+ with:
+ category: "/language:${{matrix.language}}"
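Review bot: The checkout step (`actions/checkout` at the top of the steps list) keeps the default `persist-credentials: true`, while the sibling scorecard.yml checkout in this same commit sets `persist-credentials: false`; nothing in this job pushes, so the token left in `.git/config` is only exposure, and the two workflows should agree. Add `with:` / `persist-credentials: false` under that `uses:` line. Separately, the inline comment on `build-mode: manual` is CodeQL template text about the `java-kotlin` language choice and now reads as contradicting the value it annotates; replace it with something like `# manual: the ./mvnw step below compiles the sources before analysis`.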
=====================================
.github/workflows/maven.yml
=====================================
@@ -9,13 +9,16 @@ on:
pull_request:
branches: ["main"]
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout at v4
+ - uses: actions/checkout at 08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up JDK 21
- uses: actions/setup-java at v4
+ uses: actions/setup-java at dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
with:
java-version: '21'
distribution: 'zulu'
@@ -29,6 +32,6 @@ jobs:
permissions:
contents: write #required for POST snapshot API https://docs.github.com/en/rest/dependency-graph/dependency-submission#create-a-snapshot-of-dependencies-for-a-repository
steps:
- - uses: actions/checkout at v4
+ - uses: actions/checkout at 08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Update dependency graph
- uses: advanced-security/maven-dependency-submission-action at 5d0f9011b55d6268922128af45275986303459c3
+ uses: advanced-security/maven-dependency-submission-action at b275d12641ac2d2108b2cbb7598b154ad2f2cee8
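Review bot: The last line pins `maven-dependency-submission-action` to a bare commit SHA with no `# vX.Y.Z` comment, unlike the `actions/checkout` and `actions/setup-java` pins in this file and in codeql.yml; a reviewer cannot tell which release the SHA corresponds to, and the new grouped `github-actions` Dependabot config presumably relies on that comment to map the SHA back to a tag. Append the release comment, e.g. `uses: advanced-security/maven-dependency-submission-action@b275d12641ac2d2108b2cbb7598b154ad2f2cee8 # <release tag — TODO fill in>`. This job also runs with `contents: write` and its checkout keeps the default `persist-credentials: true`; if the submission action authenticates through its own token input rather than the checked-out credentials, `persist-credentials: false` on that checkout would narrow what a compromised later step could push.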
=====================================
.github/workflows/scorecard.yml
=====================================
@@ -0,0 +1,78 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '20 5 * * 2'
+ push:
+ branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
+ if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ # Uncomment the permissions below if installing in a private repository.
+ # contents: read
+ # actions: read
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout at 08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action at 05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecard on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
+ # file_mode: git
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact at ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard (optional).
+ # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif at v3
+ with:
+ sarif_file: results.sarif
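Review bot: `github/codeql-action/upload-sarif@v3` (the last `uses:` line) is the only mutable tag reference in a workflow that otherwise SHA-pins every action, and it is the workflow whose Pinned-Dependencies check will flag exactly this; pin it to the commit codeql.yml in this same change already uses: `uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8`. Separately, the job-level `if:` keeps the template's `|| github.event_name == 'pull_request'` clause, but the `on:` block declares only `branch_protection_rule`, `schedule` and `push`, so that half of the condition can never be true; either drop it or add a `pull_request` trigger deliberately.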
=====================================
.mvn/maven.config
=====================================
@@ -4,4 +4,4 @@
--fail-fast
-DinstallAtEnd=true
-DdeployAtEnd=true
--DrootDirectory=${maven.multiModuleProjectDirectory}
+-DrootDirectory=${session.rootDirectory}
=====================================
.mvn/wrapper/MavenWrapperDownloader.java
=====================================
@@ -30,7 +30,7 @@ import java.nio.file.StandardCopyOption;
import java.util.concurrent.ThreadLocalRandom;
public final class MavenWrapperDownloader {
- private static final String WRAPPER_VERSION = "3.3.2";
+ private static final String WRAPPER_VERSION = "3.3.4";
private static final boolean VERBOSE = Boolean.parseBoolean(System.getenv("MVNW_VERBOSE"));
@@ -45,8 +45,11 @@ public final class MavenWrapperDownloader {
try {
log(" - Downloader started");
final URL wrapperUrl = URI.create(args[0]).toURL();
- final String jarPath = args[1].replace("..", ""); // Sanitize path
- final Path wrapperJarPath = Paths.get(jarPath).toAbsolutePath().normalize();
+ final Path baseDir = Paths.get(".").toAbsolutePath().normalize();
+ final Path wrapperJarPath = baseDir.resolve(args[1]).normalize();
+ if (!wrapperJarPath.startsWith(baseDir)) {
+ throw new IOException("Invalid path: outside of allowed directory");
+ }
downloadFileFromURL(wrapperUrl, wrapperJarPath);
log("Done");
} catch (IOException e) {
=====================================
.mvn/wrapper/maven-wrapper.properties
=====================================
@@ -1,23 +1,7 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-wrapperVersion=3.3.2
+wrapperVersion=3.3.4
distributionType=source
-distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.8/apache-maven-3.9.8-bin.zip
-distributionSha256Sum=8351955a9acf2f83c136c4eee0f6db894ab6265fdbe0a94b32a380307dbaa3e1
-wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar
-wrapperSha256Sum=3d8f20ce6103913be8b52aef6d994e0c54705fb527324ceb9b835b338739c7a8
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.11/apache-maven-3.9.11-bin.zip
+distributionSha256Sum=0d7125e8c91097b36edb990ea5934e6c68b4440eef4ea96510a0f6815e7eeadb
+wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.4/maven-wrapper-3.3.4.jar
+wrapperSha256Sum=4e2fbf6554bc8a4702cdfdd3bef464f423393d784ddbb037216320ce55d5e4e1
alwaysUnpack=true
=====================================
CHANGELOG.md
=====================================
@@ -3,6 +3,14 @@ All notable changes to this project will be documented in this file.
## [Unreleased]
+## [3.2] - 2025-09-16
+### :lock: Security
+- Fix Timing Attack Vulnerability in SCRAM Authentication
+
+### :ghost: Maintenance
+- Updated dependencies and maven plugins.
+- Use `central-publishing-maven-plugin` to deploy to Maven Central.
+
## [3.1] - 2024-06-26
### :building_construction: Improvements
- Ensure the `LICENSE` file is included in the Jar file.
@@ -38,4 +46,5 @@ All notable changes to this project will be documented in this file.
[3.0]: https://github.com/ongres/scram/compare/2.1...3.0
[3.1]: https://github.com/ongres/scram/compare/3.0...3.1
-[Unreleased]: https://github.com/ongres/scram/compare/3.1...main
+[3.2]: https://github.com/ongres/scram/compare/3.1...3.2
+[Unreleased]: https://github.com/ongres/scram/compare/3.2...main
=====================================
README.md
=====================================
@@ -1,8 +1,16 @@
# SCRAM Java Implementation
+
+[](https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/com/ongres/scram/README.md)
+
+
+> Salted Challenge Response Authentication Mechanism (SCRAM)
+
+## Overview
+
SCRAM (Salted Challenge Response Authentication Mechanism) is part of the family of
Simple Authentication and Security Layer
-([SASL, RFC 4422](https://datatracker.ietf.org/doc/html/rfc44222)) authentication mechanisms. It is described as part of [RFC 5802](https://datatracker.ietf.org/doc/html/rfc5802) and
+([SASL, RFC 4422](https://datatracker.ietf.org/doc/html/rfc4422)) authentication mechanisms. It is described as part of [RFC 5802](https://datatracker.ietf.org/doc/html/rfc5802) and
[RFC 7677](https://datatracker.ietf.org/doc/html/rfc7677).
This project provides a robust and well-tested implementation of the Salted Challenge
@@ -25,6 +33,8 @@ The code is licensed under the BSD "Simplified 2 Clause" license (see [LICENSE](
## How to use the SCRAM Client API
+[](https://maven-badges.herokuapp.com/maven-central/com.ongres.scram/scram-client)
+
Javadoc: [](http://javadoc.io/doc/com.ongres.scram/scram-client)
### Example of use:
=====================================
SECURITY.md
=====================================
@@ -0,0 +1,25 @@
+# Security Policy
+
+## Supported Versions
+
+The following table outlines which versions of `scram` are actively supported with security updates. Please upgrade to a supported release to ensure you receive patches for any security issues.
+
+| Version | Supported | Java support |
+| ------- | ------------------ | ------------ |
+| 3.x | :white_check_mark: | Java 8+ |
+| < 3.0 | :x: | Java 7+ |
+
+## Reporting a Vulnerability
+
+If you believe you have found a security vulnerability, please report it to us privately through GitHub’s security advisory system:
+[Report a vulnerability](../../security/advisories/new)
+
+We will investigate promptly and work with you to fix the issue.
+
+---
+
+## Security Best Practices for Users
+
+- Always use the latest supported version of `scram`.
+- Monitor [GitHub Releases](https://github.com/ongres/scram/releases) for security patches.
+- Consider subscribing to repository notifications for updates.
=====================================
checks/forbiddenapis.txt
=====================================
@@ -0,0 +1,2 @@
+
+java.util.Arrays#equals(byte[],byte[]) @ Replace with java.security.MessageDigest#isEqual(byte[],byte[])
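Review bot: The new signatures file starts with an empty first line and gives no reason for the ban, so a future reader sees only the mechanical replacement. forbiddenapis signature files accept `#` comment lines; put the rationale above the signature, e.g. `# Arrays.equals returns at the first differing byte; compare secrets and MACs with the constant-time MessageDigest.isEqual instead`, and drop the leading blank line. The `@` message already names the replacement, which is good — the comment should carry the why.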
=====================================
checks/pmd-ruleset.xml
=====================================
@@ -15,6 +15,7 @@
<exclude name="ForLoopVariableCount" />
<exclude name="AvoidReassigningLoopVariables" />
<exclude name="AccessorClassGeneration" />
+ <exclude name="ImplicitFunctionalInterface" />
</rule>
<rule ref="category/java/errorprone.xml">
@@ -23,6 +24,12 @@
<exclude name="AvoidFieldNameMatchingMethodName" />
</rule>
+ <rule ref="category/java/errorprone.xml/AssignmentInOperand">
+ <properties>
+ <property name="allowIncrementDecrement" value="true" />
+ </properties>
+ </rule>
+
<rule ref="category/java/multithreading.xml" />
<rule ref="category/java/performance.xml">
=====================================
coverage-report/pom.xml
=====================================
@@ -5,7 +5,7 @@
<parent>
<groupId>com.ongres.scram</groupId>
<artifactId>scram-parent</artifactId>
- <version>3.1</version>
+ <version>3.2</version>
<relativePath>../scram-parent/pom.xml</relativePath>
</parent>
=====================================
mvnw
=====================================
@@ -19,7 +19,7 @@
# ----------------------------------------------------------------------------
# ----------------------------------------------------------------------------
-# Apache Maven Wrapper startup batch script, version 3.3.2
+# Apache Maven Wrapper startup batch script, version 3.3.4
#
# Required ENV vars:
# ------------------
@@ -201,6 +201,14 @@ MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}
export MAVEN_PROJECTBASEDIR
log "$MAVEN_PROJECTBASEDIR"
+trim() {
+ # MWRAPPER-139:
+ # Trims trailing and leading whitespace, carriage returns, tabs, and linefeeds.
+ # Needed for removing poorly interpreted newline sequences when running in more
+ # exotic environments such as mingw bash on Windows.
+ printf "%s" "${1}" | tr -d '[:space:]'
+}
+
##########################################################################################
# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
# This allows using the maven wrapper in projects that prohibit checking in binary data.
@@ -212,15 +220,13 @@ else
log "Couldn't find $wrapperJarPath, downloading it ..."
if [ -n "$MVNW_REPOURL" ]; then
- wrapperUrl="$MVNW_REPOURL/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
+ wrapperUrl="$MVNW_REPOURL/org/apache/maven/wrapper/maven-wrapper/3.3.4/maven-wrapper-3.3.4.jar"
else
- wrapperUrl="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
+ wrapperUrl="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.4/maven-wrapper-3.3.4.jar"
fi
while IFS="=" read -r key value; do
- # Remove '\r' from value to allow usage on windows as IFS does not consider '\r' as a separator ( considers space, tab, new line ('\n'), and custom '=' )
- safeValue=$(echo "$value" | tr -d '\r')
case "$key" in wrapperUrl)
- wrapperUrl="$safeValue"
+ wrapperUrl=$(trim "${value-}")
break
;;
esac
@@ -235,17 +241,17 @@ else
log "Found wget ... using wget"
[ "$MVNW_VERBOSE" = true ] && QUIET="" || QUIET="--quiet"
if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
- wget $QUIET "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
+ wget ${QUIET:+"$QUIET"} "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
else
- wget $QUIET --http-user="$MVNW_USERNAME" --http-password="$MVNW_PASSWORD" "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
+ wget ${QUIET:+"$QUIET"} --http-user="$MVNW_USERNAME" --http-password="$MVNW_PASSWORD" "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
fi
elif command -v curl >/dev/null; then
log "Found curl ... using curl"
[ "$MVNW_VERBOSE" = true ] && QUIET="" || QUIET="--silent"
if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
- curl $QUIET -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath"
+ curl ${QUIET:+"$QUIET"} -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath"
else
- curl $QUIET --user "$MVNW_USERNAME:$MVNW_PASSWORD" -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath"
+ curl ${QUIET:+"$QUIET"} --user "$MVNW_USERNAME:$MVNW_PASSWORD" -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath"
fi
else
log "Falling back to using Java to download"
@@ -276,7 +282,7 @@ fi
wrapperSha256Sum=""
while IFS="=" read -r key value; do
case "$key" in wrapperSha256Sum)
- wrapperSha256Sum=$value
+ wrapperSha256Sum=$(trim "${value-}")
break
;;
esac
@@ -284,7 +290,7 @@ done <"$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
if [ -n "$wrapperSha256Sum" ]; then
wrapperSha256Result=false
if command -v sha256sum >/dev/null; then
- if echo "$wrapperSha256Sum $wrapperJarPath" | sha256sum -c >/dev/null 2>&1; then
+ if echo "$wrapperSha256Sum $wrapperJarPath" | sha256sum -c - >/dev/null 2>&1; then
wrapperSha256Result=true
fi
elif command -v shasum >/dev/null; then
=====================================
mvnw.cmd
=====================================
@@ -18,7 +18,7 @@
@REM ----------------------------------------------------------------------------
@REM ----------------------------------------------------------------------------
- at REM Apache Maven Wrapper startup batch script, version 3.3.2
+ at REM Apache Maven Wrapper startup batch script, version 3.3.4
@REM
@REM Required ENV vars:
@REM JAVA_HOME - location of a JDK home dir
@@ -119,7 +119,7 @@ SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
-set WRAPPER_URL="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
+set WRAPPER_URL="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.4/maven-wrapper-3.3.4.jar"
FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
IF "%%A"=="wrapperUrl" SET WRAPPER_URL=%%B
@@ -133,7 +133,7 @@ if exist %WRAPPER_JAR% (
)
) else (
if not "%MVNW_REPOURL%" == "" (
- SET WRAPPER_URL="%MVNW_REPOURL%/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar"
+ SET WRAPPER_URL="%MVNW_REPOURL%/org/apache/maven/wrapper/maven-wrapper/3.3.4/maven-wrapper-3.3.4.jar"
)
if "%MVNW_VERBOSE%" == "true" (
echo Couldn't find %WRAPPER_JAR%, downloading it ...
=====================================
pom.xml
=====================================
@@ -5,7 +5,7 @@
<parent>
<groupId>com.ongres.scram</groupId>
<artifactId>scram-parent</artifactId>
- <version>3.1</version>
+ <version>3.2</version>
<relativePath>scram-parent/pom.xml</relativePath>
</parent>
=====================================
scram-client/pom.xml
=====================================
@@ -5,7 +5,7 @@
<parent>
<groupId>com.ongres.scram</groupId>
<artifactId>scram-parent</artifactId>
- <version>3.1</version>
+ <version>3.2</version>
<relativePath>../scram-parent/pom.xml</relativePath>
</parent>
=====================================
scram-client/src/it/jpms-scram-client/pom.xml
=====================================
@@ -7,7 +7,7 @@
<groupId>com.ongres.scram.it</groupId>
<artifactId>jpms-scram-client</artifactId>
<name>JPMS Scram Client</name>
- <version>3.1</version>
+ <version>3.2</version>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
@@ -25,7 +25,7 @@
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter</artifactId>
- <version>5.10.2</version>
+ <version>5.13.4</version>
<scope>test</scope>
</dependency>
</dependencies>
@@ -34,7 +34,7 @@
<plugins>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
- <version>3.13.0</version>
+ <version>3.14.0</version>
</plugin>
<plugin>
<artifactId>maven-jar-plugin</artifactId>
@@ -42,7 +42,7 @@
</plugin>
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
- <version>3.3.0</version>
+ <version>3.5.4</version>
</plugin>
</plugins>
</build>
=====================================
scram-client/src/test/java/com/example/ScramClientTest.java
=====================================
@@ -15,11 +15,9 @@ import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
-import java.util.Base64;
import com.ongres.scram.client.ScramClient;
import com.ongres.scram.common.ClientFinalMessage;
-import com.ongres.scram.common.exception.ScramParseException;
import com.ongres.scram.common.util.TlsServerEndpoint;
import org.junit.jupiter.api.Test;
@@ -76,4 +74,38 @@ class ScramClientTest {
}
return cert;
}
+
+ @Test
+ void iterationTest()
+ throws CertificateException, IOException {
+ final X509Certificate cert = getCert();
+ final byte[] channelBindingData = TlsServerEndpoint.getChannelBindingData(cert);
+
+ ScramClient scramSession = ScramClient.builder()
+ .advertisedMechanisms(Arrays.asList("SCRAM-SHA-256"))
+ .username("postgres")
+ .password("pencil".toCharArray())
+ .channelBinding(TlsServerEndpoint.TLS_SERVER_END_POINT, channelBindingData)
+ .nonceSupplier(() -> "1q^MGrWUi{etW+H7(#k431kB")
+ .build();
+ assertEquals("SCRAM-SHA-256", scramSession.getScramMechanism().getName());
+ assertEquals("y,,n=postgres,r=1q^MGrWUi{etW+H7(#k431kB",
+ scramSession.clientFirstMessage().toString());
+
+ assertDoesNotThrow(
+ () -> scramSession.serverFirstMessage(
+ "r=1q^MGrWUi{etW+H7(#k431kBdAr3CWX7B6houDP4f7Z2XEpZ,"
+ + "s=Fgh8JU2AlRjBHUsIU/GgtQ==,"
+ + "i=1000000"));
+
+ ClientFinalMessage clientFinalMessage = scramSession.clientFinalMessage();
+ assertEquals(
+ "c=eSws,"
+ + "r=1q^MGrWUi{etW+H7(#k431kBdAr3CWX7B6houDP4f7Z2XEpZ,"
+ + "p=vQ3IyYl3LvjWOlK2c0IP5QAi6XB7Dm0Axo0V51DcHZA=",
+ clientFinalMessage.toString());
+
+ assertDoesNotThrow(
+ () -> scramSession.serverFinalMessage("v=sz/isCwVSUn/TBWeYABz6WaoZIcfsui9NPaJCoxxAjY="));
+ }
}
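Review bot: `iterationTest` has no Javadoc, and the only thing that distinguishes it from the existing tests is the `i=1000000` field in the server-first message, which a reader will miss. Add a Javadoc stating that it drives a full SCRAM-SHA-256 exchange with a fixed nonce and a 1,000,000-iteration server-first message, and say where the expected `p=` and `v=` values were derived from (another implementation, a reference vector), since a silent drift would otherwise be untraceable. One million PBKDF2 iterations per run is likely a measurable cost in the unit-test suite; if that turns out to be the case, the Javadoc is also the place to say the count is deliberate.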
=====================================
scram-common/pom.xml
=====================================
@@ -5,7 +5,7 @@
<parent>
<groupId>com.ongres.scram</groupId>
<artifactId>scram-parent</artifactId>
- <version>3.1</version>
+ <version>3.2</version>
<relativePath>../scram-parent/pom.xml</relativePath>
</parent>
=====================================
scram-common/src/main/java/com/ongres/scram/common/ScramFunctions.java
=====================================
@@ -7,8 +7,8 @@ package com.ongres.scram.common;
import static java.nio.charset.StandardCharsets.UTF_8;
+import java.security.MessageDigest;
import java.security.SecureRandom;
-import java.util.Arrays;
import com.ongres.scram.common.util.Preconditions;
import org.jetbrains.annotations.NotNull;
@@ -190,8 +190,7 @@ public final class ScramFunctions {
byte[] clientSignature = clientSignature(scramMechanism, storedKey, authMessage);
byte[] clientKey = CryptoUtil.xor(clientSignature, clientProof);
byte[] computedStoredKey = hash(scramMechanism, clientKey);
-
- return Arrays.equals(storedKey, computedStoredKey);
+ return MessageDigest.isEqual(storedKey, computedStoredKey);
}
/**
@@ -205,7 +204,8 @@ public final class ScramFunctions {
*/
public static boolean verifyServerSignature(
ScramMechanism scramMechanism, byte[] serverKey, String authMessage, byte[] serverSignature) {
- return Arrays.equals(serverSignature(scramMechanism, serverKey, authMessage), serverSignature);
+ byte[] computedServerSignature = serverSignature(scramMechanism, serverKey, authMessage);
+ return MessageDigest.isEqual(serverSignature, computedServerSignature);
}
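Review bot: `MessageDigest.isEqual` in `verifyServerSignature` is constant-time only once the two arrays have the same length — a length mismatch returns immediately — so the remaining timing signal is the length of the expected signature, which the mechanism's hash fixes anyway; that reasoning belongs in the method's Javadoc (its `/**` block begins just above this hunk) rather than in the changelog alone. Add a sentence such as `Uses {@link MessageDigest#isEqual} so the comparison time does not depend on where the first differing byte is.` The first hunk in this file makes the same `Arrays.equals` → `MessageDigest.isEqual` replacement in a method whose signature lies outside the hunk; its Javadoc should get the same sentence.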
/**
=====================================
scram-parent/pom.xml
=====================================
@@ -4,7 +4,7 @@
<groupId>com.ongres.scram</groupId>
<artifactId>scram-parent</artifactId>
- <version>3.1</version>
+ <version>3.2</version>
<packaging>pom</packaging>
<name>SCRAM - Parent</name>
@@ -44,7 +44,7 @@
<scm child.scm.connection.inherit.append.path="false" child.scm.developerConnection.inherit.append.path="false" child.scm.url.inherit.append.path="false">
<connection>scm:git:https://github.com/ongres/scram.git</connection>
<developerConnection>scm:git:git at github.com:ongres/scram.git</developerConnection>
- <tag>3.1</tag>
+ <tag>3.2</tag>
<url>https://github.com/ongres/scram</url>
</scm>
@@ -53,59 +53,46 @@
<url>https://github.com/ongres/scram/issues</url>
</issueManagement>
- <distributionManagement>
- <repository>
- <id>ossrh</id>
- <name>OSSRH Release repository</name>
- <url>https://oss.sonatype.org/service/local/staging/deploy/maven2</url>
- </repository>
- <snapshotRepository>
- <id>ossrh</id>
- <name>OSSRH Snapshot repository</name>
- <url>https://oss.sonatype.org/content/repositories/snapshots</url>
- </snapshotRepository>
- </distributionManagement>
-
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<base.java.version>8</base.java.version>
<maven.compiler.source>${base.java.version}</maven.compiler.source>
<maven.compiler.target>${base.java.version}</maven.compiler.target>
- <project.build.outputTimestamp>2024-06-26T00:50:00Z</project.build.outputTimestamp>
+ <project.build.outputTimestamp>2025-09-16T20:00:00Z</project.build.outputTimestamp>
<!-- Dependency versions -->
- <jetbrains-annotations.version>24.1.0</jetbrains-annotations.version>
- <junit5.version>5.10.2</junit5.version>
+ <jetbrains-annotations.version>26.0.2-1</jetbrains-annotations.version>
+ <junit5.version>5.13.4</junit5.version>
<saslprep.version>2.2</saslprep.version>
<!-- Plugins versions -->
- <compiler-plugin.version>3.13.0</compiler-plugin.version>
+ <compiler-plugin.version>3.14.0</compiler-plugin.version>
<jar-plugin.version>3.4.2</jar-plugin.version>
<source-plugin.version>3.3.1</source-plugin.version>
- <javadoc-plugin.version>3.7.0</javadoc-plugin.version>
- <clean-plugin.version>3.4.0</clean-plugin.version>
+ <javadoc-plugin.version>3.11.3</javadoc-plugin.version>
+ <clean-plugin.version>3.5.0</clean-plugin.version>
<resources-plugin.version>3.3.1</resources-plugin.version>
- <surefire-plugin.version>3.3.0</surefire-plugin.version>
- <failsafe-plugin.version>3.3.0</failsafe-plugin.version>
- <enforcer-plugin.version>3.5.0</enforcer-plugin.version>
- <install-plugin.version>3.1.2</install-plugin.version>
- <deploy-plugin.version>3.1.2</deploy-plugin.version>
- <invoker-plugin.version>3.7.0</invoker-plugin.version>
- <gpg-plugin.version>3.2.4</gpg-plugin.version>
- <jacoco-plugin.verson>0.8.12</jacoco-plugin.verson>
- <flatten-maven-plugin.version>1.6.0</flatten-maven-plugin.version>
+ <surefire-plugin.version>3.5.4</surefire-plugin.version>
+ <failsafe-plugin.version>3.5.4</failsafe-plugin.version>
+ <enforcer-plugin.version>3.6.1</enforcer-plugin.version>
+ <install-plugin.version>3.1.4</install-plugin.version>
+ <central-publishing-maven-plugin.version>0.8.0</central-publishing-maven-plugin.version>
+ <invoker-plugin.version>3.9.1</invoker-plugin.version>
+ <gpg-plugin.version>3.2.8</gpg-plugin.version>
+ <jacoco-plugin.verson>0.8.13</jacoco-plugin.verson>
+ <flatten-maven-plugin.version>1.7.2</flatten-maven-plugin.version>
<jdeps-plugin.version>3.1.2</jdeps-plugin.version>
<sortpom-plugin.version>4.0.0</sortpom-plugin.version>
- <cyclonedx-plugin.version>2.8.0</cyclonedx-plugin.version>
+ <cyclonedx-plugin.version>2.9.1</cyclonedx-plugin.version>
<!-- Checkstyle, SpotBugs and PMD properties -->
- <checkstyle.version>10.17.0</checkstyle.version>
- <checkstyle-plugin.version>3.4.0</checkstyle-plugin.version>
- <errorprone.version>2.28.0</errorprone.version>
- <spotbugs.version>4.8.6</spotbugs.version>
- <spotbugs-plugin.version>4.8.5.0</spotbugs-plugin.version>
- <findsecbugs.version>1.13.0</findsecbugs.version>
- <pmd.version>7.2.0</pmd.version>
- <pmd-plugin.version>3.23.0</pmd-plugin.version>
- <forbiddenapis.version>3.7</forbiddenapis.version>
+ <checkstyle.version>11.0.1</checkstyle.version>
+ <checkstyle-plugin.version>3.6.0</checkstyle-plugin.version>
+ <errorprone.version>2.41.0</errorprone.version>
+ <spotbugs.version>4.9.5</spotbugs.version>
+ <spotbugs-plugin.version>4.9.5.0</spotbugs-plugin.version>
+ <findsecbugs.version>1.14.0</findsecbugs.version>
+ <pmd.version>7.17.0</pmd.version>
+ <pmd-plugin.version>3.27.0</pmd-plugin.version>
+ <forbiddenapis.version>3.9</forbiddenapis.version>
<checks.location>${rootDirectory}/checks</checks.location>
<checkstyle.config.location>${checks.location}/checkstyle.xml</checkstyle.config.location>
<checkstyle.suppressions.location>${checks.location}/checkstyle-suppressions.xml</checkstyle.suppressions.location>
@@ -353,9 +340,13 @@
<version>${install-plugin.version}</version>
</plugin>
<plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-deploy-plugin</artifactId>
- <version>${deploy-plugin.version}</version>
+ <groupId>org.sonatype.central</groupId>
+ <artifactId>central-publishing-maven-plugin</artifactId>
+ <version>${central-publishing-maven-plugin.version}</version>
+ <extensions>true</extensions>
+ <configuration>
+ <publishingServerId>central</publishingServerId>
+ </configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
@@ -375,7 +366,7 @@
<configuration>
<rules>
<requireMavenVersion>
- <version>[3.9.7,)</version>
+ <version>[3.9.9,)</version>
</requireMavenVersion>
<requireJavaVersion>
<version>[21,)</version>
@@ -487,6 +478,7 @@
<compilerArgs>
<arg>-Xlint:all</arg>
<arg>-XDcompilePolicy=simple</arg>
+ <arg>--should-stop=ifError=FLOW</arg>
<arg>-Xplugin:ErrorProne -XepAllErrorsAsWarnings -XepDisableWarningsInGeneratedCode</arg>
<!-- Required on JDK 16+ due to JEP 396 -->
<arg>-J--add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED</arg>
@@ -529,6 +521,9 @@
<!-- don't allow System.out or System.err: -->
<bundledSignature>jdk-system-out</bundledSignature>
</bundledSignatures>
+ <signaturesFiles>
+ <signaturesFile>${checks.location}/forbiddenapis.txt</signaturesFile>
+ </signaturesFiles>
</configuration>
<executions>
<execution>
@@ -695,6 +690,10 @@
<groupId>org.cyclonedx</groupId>
<artifactId>cyclonedx-maven-plugin</artifactId>
</plugin>
+ <plugin>
+ <groupId>org.sonatype.central</groupId>
+ <artifactId>central-publishing-maven-plugin</artifactId>
+ </plugin>
</plugins>
</build>
</profile>