Hi Colin,

It's not clear whether users of the Java API would need to supply the salt and salted password directly, or whether the constructor of ScramCredential would take the password and perform the hashing itself.

I also wonder a little about consistency with the other APIs which have separate create/alter/delete methods. I imagine you considered exposing separate methods in the Java API, implementing them using the same RPC, but can you share your rationale?

Kind regards,

Tom

On Mon, May 11, 2020 at 6:48 AM Cheng Tan <c...@confluent.io> wrote:

> Hi Colin,
>
> If I understood correctly, in your design, listScramUsers will return the
> mechanism and iteration. Let's use the field naming of RFC 5802 for this
> discussion:
>
>     SaltedPassword  := Hi(Normalize(password), salt, i)
>     ClientKey       := HMAC(SaltedPassword, "Client Key")
>     StoredKey       := H(ClientKey)
>     AuthMessage     := client-first-message-bare + "," +
>                        server-first-message + "," +
>                        client-final-message-without-proof
>     ClientSignature := HMAC(StoredKey, AuthMessage)
>     ClientProof     := ClientKey XOR ClientSignature
>     ServerKey       := HMAC(SaltedPassword, "Server Key")
>     ServerSignature := HMAC(ServerKey, AuthMessage)
>
> I think it's also safe and useful for listScramUsers to return salt and
> ServerKey. The current practice of --describe with --zookeeper is returning
> these two fields (KIP-84):
>
>     bin/kafka-configs.sh --zookeeper localhost:2181 --describe --entity-type users --entity-name alice
>     Configs for user-principal 'alice' are
>     SCRAM-SHA-512=[salt=djR5dXdtZGNqamVpeml6NGhiZmMwY3hrbg==,stored_key=sb5jkqStV9RwPVTGxG1ZJHxF89bqjsD1jT4SFDK4An2goSnWpbNdY0nkq0fNV8xFcZqb7MVMJ1tyEgif5OXKDQ==,server_key=3EfuHB4LPOcjDH0O5AysSSPiLskQfM5K9+mOzGmkixasmWEGJWZv7svtgkP+acO2Q9ms9WQQ9EndAJCvKHmjjg==,iterations=4096],
>     SCRAM-SHA-256=[salt=10ibs0z7xzlu6w5ns0n188sis5,stored_key=+Acl/wi1vLZ95Uqj8rRHVcSp6qrdfQIwZbaZBwM0yvo=,server_key=nN+fZauE6vG0hmFAEj/49+2yk0803y67WSXMYkgh77k=,iterations=4096]
>
> Please let me know what you think.
>
> Best,
> - Cheng Tan
>
> On Apr 30, 2020, at 11:16 PM, Colin McCabe <cmcc...@apache.org> wrote:
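To make the quoted RFC 5802 derivation concrete, and to show which of the listed fields each side of the exchange actually needs, here is a worked example in Python. It is an added illustration for this thread, not Kafka code and not the ScramCredential API under discussion. It assumes Normalize(password) is plain UTF-8 encoding (SASLprep is omitted) and uses the SCRAM-SHA-256 exchange from RFC 7677 section 3 (user "user", password "pencil") as a check, so the computed proof and server signature can be compared against the published values.

```python
import base64
import hashlib
import hmac
import os

# Added example, not Kafka's implementation. hash_name is a hashlib name such
# as "sha256" or "sha512" (SCRAM-SHA-256 / SCRAM-SHA-512).


def _h(hash_name: str, data: bytes) -> bytes:
    """H(): the underlying hash."""
    return hashlib.new(hash_name, data).digest()


def _hmac(hash_name: str, key: bytes, msg: bytes) -> bytes:
    """HMAC() keyed with the same hash."""
    return hmac.new(key, msg, hash_name).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hi(hash_name: str, password: str, salt: bytes, iterations: int) -> bytes:
    """Hi(str, salt, i) from RFC 5802 is PBKDF2 with HMAC-H as the PRF.
    Assumption: Normalize(password) is plain UTF-8 (no SASLprep)."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)


def derive_credential(hash_name: str, password: str, salt: bytes = None, iterations: int = 4096) -> dict:
    """Everything a server (or an admin tool populating it) has to keep:
    salt, iterations, StoredKey and ServerKey. The password and
    SaltedPassword are derived here and then discarded."""
    if salt is None:
        salt = os.urandom(16)
    salted = hi(hash_name, password, salt, iterations)
    client_key = _hmac(hash_name, salted, b"Client Key")
    return {
        "hash": hash_name,
        "salt": salt,
        "iterations": iterations,
        "stored_key": _h(hash_name, client_key),
        "server_key": _hmac(hash_name, salted, b"Server Key"),
    }


def client_proof(hash_name: str, password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: needs the password plus the salt/iterations the server
    sent; produces ClientProof = ClientKey XOR ClientSignature."""
    salted = hi(hash_name, password, salt, iterations)
    client_key = _hmac(hash_name, salted, b"Client Key")
    stored_key = _h(hash_name, client_key)
    client_sig = _hmac(hash_name, stored_key, auth_message)
    return _xor(client_key, client_sig)


def server_verify_proof(cred: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server side: only StoredKey is needed. Recover ClientKey from the
    proof and check that it hashes to StoredKey."""
    client_sig = _hmac(cred["hash"], cred["stored_key"], auth_message)
    client_key = _xor(proof, client_sig)
    return hmac.compare_digest(_h(cred["hash"], client_key), cred["stored_key"])


def server_signature(cred: dict, auth_message: bytes) -> bytes:
    """Server side: ServerKey is what lets the server prove to the client
    that it holds the credential."""
    return _hmac(cred["hash"], cred["server_key"], auth_message)


def rfc7677_example() -> dict:
    """Run the SCRAM-SHA-256 exchange published in RFC 7677 section 3 and
    report what the server would conclude."""
    salt = base64.b64decode("W22ZaJ0SNY7soEsUEjb6gQ==")
    client_first_bare = b"n=user,r=rOprNGfwEbeRWgbNEkqO"
    server_first = (b"r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                    b"s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096")
    client_final_bare = b"c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"
    auth_message = client_first_bare + b"," + server_first + b"," + client_final_bare

    cred = derive_credential("sha256", "pencil", salt, 4096)
    good = client_proof("sha256", "pencil", salt, 4096, auth_message)
    bad = client_proof("sha256", "pencils", salt, 4096, auth_message)
    return {
        "proof_b64": base64.b64encode(good).decode(),
        "proof_ok": server_verify_proof(cred, auth_message, good),
        "wrong_password_ok": server_verify_proof(cred, auth_message, bad),
        "server_sig_b64": base64.b64encode(server_signature(cred, auth_message)).decode(),
    }


if __name__ == "__main__":
    for k, v in rfc7677_example().items():
        print(k, v)
```

The split of responsibilities is the point: a tool that is handed a plaintext password can compute salt, iterations, StoredKey and ServerKey itself (derive_credential), and those four values are all a broker has to receive or store; verifying a client proof touches only StoredKey, and the server signature only ServerKey. Note that the stored values are not harmless if leaked: with StoredKey and one observed exchange, ClientKey can be recovered from the proof as server_verify_proof does, after which that party can authenticate as the user, which is the RFC 5802 security consideration behind keeping the stored credential confidential.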