SCRAM v2: adding support for Java7 and SaslPrep

From: Álvaro Hernández <aht(at)ongres(dot)com>
To: List <pgsql-jdbc(at)postgresql(dot)org>
Cc: scram(at)ongres(dot)com
Subject: SCRAM v2: adding support for Java7 and SaslPrep
Date: 2019-07-08 18:30:13
Message-ID: 8d3e1d34-d6e9-7448-fe38-a11fea2c63c3@ongres.com
Lists: pgsql-jdbc


    Hi list.

    We have been working on significant changes to the SCRAM library,
which has been included in the pgJDBC driver. The most notable changes are:

- Moved development to GitLab: https://gitlab.com/ongresinc/scram/

- Added support for Java7, to widen the user base. This meant slight
changes to the "public facing" API and as such the library version is
bumped to v2.0.

- Added proper support for SaslPrep. The previous implementation only
supported the "NO PREP" algorithm. This may cause problems with
usernames and/or passwords that contain varied characters (say tildes,
accents or general UTF-8 characters). Please note that we believe
SaslPrep should also be reusable by third parties, and as such it
has been:
    * Developed on a separate repository:
https://gitlab.com/ongresinc/stringprep
    * Added as a new (shaded) dependency.

- More tests have been added.

    Since this code works with Java7, we have created 2 PRs: one for
pgjdbc, one for pgjdbc-jre7. They are for SCRAM version 1.9 (which added
Java7 but not the stringprep dependency), and we plan to update them to
the 2.0beta1 version, which is ready as of today. But there are two
observed problems, where we need your input/coordination. Please check
the currently submitted PRs:

    * https://github.com/pgjdbc/pgjdbc/pull/1520
    * https://github.com/pgjdbc/pgjdbc-jre7/pull/3

    The PR currently does not pass two CI jobs:

* https://travis-ci.org/pgjdbc/pgjdbc/jobs/552706535: It seems that the
script failed for some reason that does not appear in the job log. Could
it be restarted?
* https://travis-ci.org/pgjdbc/pgjdbc/jobs/552706542: the build for Java7 is
failing since there is another PR for pgjdbc-jre7 that fixes missing
dependencies (scram). The only options I see to move on would be to
ignore this build or to re-run the failed job pointing to the cloned
repo with the pgjdbc-jre7 patch (maybe doable with a Travis CI custom
build?). In other words, we have here a bit of a chicken-and-egg problem
due to the way the pgjdbc / pgjdbc-jre7 split currently works. Ideas are
welcome.

    Waiting for your comments. Regards,

    Álvaro

P.S. Follows a slightly more detailed changelog, FYI:

# Scram 2.0-beta1

- This version replaces the saslprep implementation with a dependency on
an external library from a separate repository.
The library is our clean room implementation of stringprep
(https://tools.ietf.org/html/rfc3454), put in a separate module to allow
easy extension of other modules that depend on stringprep, as well as
saslprep (https://tools.ietf.org/html/rfc4013). The library source
code can be found at https://gitlab.com/ongresinc/stringprep.
The stringprep library has been implemented using Apache Velocity to
generate the code with the rules of each step as they appear in the
stringprep RFC.

- Add tests of Scram-SaslPrep.
The library contains tests of each rule and of saslprep (examples from
https://tools.ietf.org/html/rfc4013).

# Scram 1.9-beta1

The changes included backporting the library to work with Java 7 and
adding a standard saslprep implementation.
To do that, it has been necessary to:

- Remove all the Java 8 features.

- Replace the crypto algorithms Base64 encode/decode and
PBKDF2WithHmacSHA256 (not available in all versions of Java7).
These crypto algorithms have been replaced with some classes from the
Bouncy Castle project (they can be found in the folder
common/src/main/java/com/ongres/scram/common/bouncycastle).
Scram has been modified to first try the security provider
implementations from the JVM and, in case PBKDF2WithHmacSHA256 is not
available (like for Oracle JRE 7), use the implementation from Bouncy
Castle.

- Add new tests with SHA-256 (examples from
https://tools.ietf.org/html/rfc7677).

- Include the standard saslprep algorithm.
The files
common/src/main/java/com/ongres/scram/common/stringprep/SaslPrep.java and
common/src/test/java/com/ongres/scram/common/stringprep/SaslPrepTest.java
are copied from the saslprep project developed by Tom Bentley
(https://github.com/tombentley/saslprep).

- Include saslprep tests (from https://tools.ietf.org/html/rfc4013).

--

Alvaro Hernandez

-----------
OnGres

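As an added example (not code from the scram library, pgJDBC or the Bouncy Castle classes the changelog mentions) of the JVM-first, fallback-second strategy described in the 1.9 changelog above, the following Java 7 compatible class asks the JVM for PBKDF2WithHmacSHA256 and, when the provider lacks it, derives the same SCRAM-SHA-256 SaltedPassword from HmacSHA256, which every Java 7 JRE ships. The class and method names and the salt are assumptions; the password is the one from the RFC 7677 example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper (not the scram library's own code) showing the JVM-first,
// fallback-second strategy for the SCRAM-SHA-256 SaltedPassword on Java 7.
public final class SaltedPasswordJava7 {
    // SaltedPassword := PBKDF2(HMAC-SHA-256, Normalize(password), salt, i, 32 bytes);
    // the caller passes the password already run through SaslPrep.
    static byte[] saltedPassword(char[] normalizedPassword, byte[] salt, int iterations) throws GeneralSecurityException {
        try {
            // Present on Java 8+ (and some Java 7 builds); absent on Oracle JRE 7.
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(new PBEKeySpec(normalizedPassword, salt, iterations, 256)).getEncoded();
        } catch (NoSuchAlgorithmException absentOnThisJre) {
            // HmacSHA256 ships with every Java 7 JRE, so PBKDF2 can be built on top of it.
            byte[] key = new String(normalizedPassword).getBytes(StandardCharsets.UTF_8);
            return pbkdf2HmacSha256(key, salt, iterations);
        }
    }

    // RFC 2898 PBKDF2 for a single 32-byte block (dkLen == hLen), which is all SCRAM-SHA-256 needs.
    static byte[] pbkdf2HmacSha256(byte[] key, byte[] salt, int iterations) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        mac.update(salt);
        byte[] u = mac.doFinal(new byte[] {0, 0, 0, 1}); // U1 = PRF(P, S || INT(1))
        byte[] result = u.clone();
        for (int i = 1; i < iterations; i++) {
            u = mac.doFinal(u);                           // Ui = PRF(P, U(i-1)); the Mac resets after doFinal
            for (int j = 0; j < result.length; j++) result[j] ^= u[j]; // T1 = U1 xor U2 xor ... xor Uc
        }
        return result;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8); // constructed sample input
        char[] password = "pencil".toCharArray();                          // password of the RFC 7677 example
        byte[] viaJvm = saltedPassword(password, salt, 4096);
        byte[] viaFallback = pbkdf2HmacSha256("pencil".getBytes(StandardCharsets.UTF_8), salt, 4096);
        // Checks the fallback against the JVM provider when present; on Oracle JRE 7 both take the fallback path.
        System.out.println("fallback matches JVM provider: " + Arrays.equals(viaJvm, viaFallback));
    }
}
```

Both code paths encode the password as UTF-8, so a SaslPrep'ed password containing accents or tildes derives the same key whichever path the JRE ends up taking.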