eclipse-vertx · tsegismont · Dec 12, 2025 · Apr 6, 2024
diff --git a/vertx-pg-client/pom.xml b/vertx-pg-client/pom.xml
@@ -64,8 +64,8 @@
     <!-- sasl scram authentication -->
     <dependency>
       <groupId>com.ongres.scram</groupId>
-      <artifactId>client</artifactId>
-      <version>2.1</version>
+      <artifactId>scram-client</artifactId>
+      <version>3.2</version>
       <optional>true</optional>
     </dependency>
 
@@ -196,6 +196,21 @@
               </environmentVariables>
             </configuration>
           </execution>
+          <execution>
+            <id>missing-scram-test</id>
+            <goals>
+              <goal>integration-test</goal>
+            </goals>
+            <phase>integration-test</phase>
+            <configuration>
+              <includes>
+                <include>io/vertx/pgclient/it/MissingScramTest.java</include>
+              </includes>
+              <classpathDependencyExcludes>
+                <classpathDependencyExclude>com.ongres.scram:scram-client</classpathDependencyExclude>
+              </classpathDependencyExcludes>
+            </configuration>
+          </execution>
         </executions>
       </plugin>
     </plugins>

diff --git a/vertx-pg-client/src/main/asciidoc/index.adoc b/vertx-pg-client/src/main/asciidoc/index.adoc
@@ -233,29 +233,28 @@ $ PGUSER=user \
 
 === SASL SCRAM-SHA-256 authentication mechanism.
 
-To use the sasl SCRAM-SHA-256 authentication add the following dependency to the _dependencies_ section of your build descriptor:
+To use the SASL `SCRAM-SHA-256` authentication add the following dependency to the _dependencies_ section of your build descriptor:
 
 * Maven (in your `pom.xml`):
 
 [source,xml]
 ----
 <dependency>
   <groupId>com.ongres.scram</groupId>
-  <artifactId>client</artifactId>
-  <version>2.1</version>
+  <artifactId>scram-client</artifactId>
+  <version>3.2</version>
 </dependency>
 ----
 * Gradle (in your `build.gradle` file):
 
 [source,groovy]
 ----
 dependencies {
-  compile 'com.ongres.scram:client:2.1'
+  compile 'com.ongres.scram:scram-client:3.2'
 }
 ----
 
-NOTE: SCRAM-SHA-256-PLUS (added in Postgresql 11) is not supported.
-
+When the database requires a scram authentication and the scram client jar is not on the class/module path, the connection will be closed by the client.
 
 include::queries.adoc[leveloffset=1]
 

diff --git a/vertx-pg-client/src/main/java/io/vertx/pgclient/impl/auth/scram/ScramAuthentication.java b/vertx-pg-client/src/main/java/io/vertx/pgclient/impl/auth/scram/ScramAuthentication.java
@@ -0,0 +1,31 @@
+package io.vertx.pgclient.impl.auth.scram;
+
+import com.ongres.scram.client.ScramClient;
+import io.vertx.core.impl.logging.Logger;
+import io.vertx.core.impl.logging.LoggerFactory;
+
+public class ScramAuthentication {
+
+  private static final Logger logger = LoggerFactory.getLogger(ScramAuthentication.class);
+
+  public static ScramAuthentication INSTANCE;
+
+  static {
+    ScramAuthentication instance;
+    try {
+      ScramClient.MechanismsBuildStage builder = ScramClient.builder();
+      logger.debug("Scram authentication is available " + builder);
+      instance = new ScramAuthentication();
+    } catch (Throwable notFound) {
+      instance = null;
+    }
+    INSTANCE = instance;
+  }
+
+  private ScramAuthentication() {
+  }
+
+  public ScramSession session(String username, char[] password) {
+    return new ScramSessionImpl(username, password);
+  }
+}
diff --git a/vertx-pg-client/src/main/java/io/vertx/pgclient/impl/auth/scram/ScramSession.java b/vertx-pg-client/src/main/java/io/vertx/pgclient/impl/auth/scram/ScramSession.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2017 Julien Viet
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package io.vertx.pgclient.impl.auth.scram;
+
+import io.netty.buffer.ByteBuf;
+import io.netty.channel.ChannelHandlerContext;
+import io.vertx.pgclient.impl.codec.ScramClientInitialMessage;
+
+public interface ScramSession {
+
+  /*
+   * The client selects one of the supported mechanisms from the list,
+   *  and sends a SASLInitialResponse message to the server.
+   * The message includes the name of the selected mechanism, and
+   *  an optional Initial Client Response, if the selected mechanism uses that.
+   */
+  ScramClientInitialMessage createInitialSaslMessage(ByteBuf in, ChannelHandlerContext ctx);
+
+  /*
+   * One or more server-challenge and client-response message will follow.
+   * Each server-challenge is sent in an AuthenticationSASLContinue message,
+   *   followed by a response from client in an SASLResponse message.
+   * The particulars of the messages are mechanism specific.
+   */
+  String receiveServerFirstMessage(ByteBuf in);
+
+  /*
+   * Finally, when the authentication exchange is completed successfully,
+   *   the server sends an AuthenticationSASLFinal message, followed immediately by an AuthenticationOk message.
+   * The AuthenticationSASLFinal contains additional server-to-client data,
+   *   whose content is particular to the selected authentication mechanism.
+   * If the authentication mechanism doesn't use additional data that's sent at completion,
+   *   the AuthenticationSASLFinal message is not sent
+   */
+  void checkServerFinalMessage(ByteBuf in);
+
+}
diff --git a/...client/impl/util/ScramAuthentication.java → ...ent/impl/auth/scram/ScramSessionImpl.java b/...client/impl/util/ScramAuthentication.java → ...ent/impl/auth/scram/ScramSessionImpl.java
@@ -15,34 +15,36 @@
  *
  */
 
-package io.vertx.pgclient.impl.util;
-
-import java.nio.charset.StandardCharsets;
-import java.util.ArrayList;
-import java.util.List;
+package io.vertx.pgclient.impl.auth.scram;
 
 import com.ongres.scram.client.ScramClient;
-import com.ongres.scram.client.ScramSession;
-import com.ongres.scram.common.exception.ScramException;
+import com.ongres.scram.common.StringPreparation;
 import com.ongres.scram.common.exception.ScramInvalidServerSignatureException;
 import com.ongres.scram.common.exception.ScramParseException;
 import com.ongres.scram.common.exception.ScramServerErrorException;
-import com.ongres.scram.common.stringprep.StringPreparations;
-
+import com.ongres.scram.common.util.TlsServerEndpoint;
 import io.netty.buffer.ByteBuf;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.handler.ssl.SslHandler;
 import io.vertx.pgclient.impl.codec.ScramClientInitialMessage;
+import io.vertx.pgclient.impl.util.Util;
 
-public class ScramAuthentication {
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
+import java.nio.charset.StandardCharsets;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
 
-  private static final String SCRAM_SHA_256 = "SCRAM-SHA-256";
+public class ScramSessionImpl implements ScramSession {
 
   private final String username;
-  private final String password;
-  private ScramSession scramSession;
-  private ScramSession.ClientFinalProcessor clientFinalProcessor;
+  private final char[] password;
+  private ScramClient scramClient;
 
-
-  public ScramAuthentication(String username, String password) {
+  public ScramSessionImpl(String username, char[] password) {
     this.username = username;
     this.password = password;
   }
@@ -53,39 +55,31 @@ public ScramAuthentication(String username, String password) {
    * The message includes the name of the selected mechanism, and
    *  an optional Initial Client Response, if the selected mechanism uses that.
    */
-  public ScramClientInitialMessage createInitialSaslMessage(ByteBuf in) {
+  public ScramClientInitialMessage createInitialSaslMessage(ByteBuf in, ChannelHandlerContext ctx) {
     List<String> mechanisms = new ArrayList<>();
 
     while (0 != in.getByte(in.readerIndex())) {
-       String mechanism = Util.readCStringUTF8(in);
-         mechanisms.add(mechanism);
+      String mechanism = Util.readCStringUTF8(in);
+      mechanisms.add(mechanism);
     }
 
     if (mechanisms.isEmpty()) {
       throw new UnsupportedOperationException("SASL Authentication : the server returned no mechanism");
     }
 
-    // SCRAM-SHA-256-PLUS added in postgresql 11 is not supported
-    if (!mechanisms.contains(SCRAM_SHA_256)) {
-        throw new UnsupportedOperationException("SASL Authentication : only SCRAM-SHA-256 is currently supported, server wants " + mechanisms);
-    }
-
-
-    ScramClient scramClient = ScramClient
-          .channelBinding(ScramClient.ChannelBinding.NO)
-          .stringPreparation(StringPreparations.NO_PREPARATION)
-          .selectMechanismBasedOnServerAdvertised(mechanisms.toArray(new String[0]))
-          .setup();
-
-
-    // this user name will be ignored, the user name that was already sent in the startup message is used instead
-    // see https://www.postgresql.org/docs/11/sasl-authentication.html#SASL-SCRAM-SHA-256 §53.3.1
-    scramSession = scramClient.scramSession(this.username);
-
-    return new ScramClientInitialMessage(scramSession.clientFirstMessage(), scramClient.getScramMechanism().getName());
+    byte[] channelBindingData = extractChannelBindingData(ctx);
+    this.scramClient = ScramClient.builder()
+        .advertisedMechanisms(mechanisms)
+        .username(username) // ignored by the server, use startup message
+        .password(password)
+        .stringPreparation(StringPreparation.POSTGRESQL_PREPARATION)
+        .channelBinding(TlsServerEndpoint.TLS_SERVER_END_POINT, channelBindingData)
+        .build();
+
+    return new ScramClientInitialMessage(scramClient.clientFirstMessage().toString(),
+        scramClient.getScramMechanism().getName());
   }
 
-
   /*
    * One or more server-challenge and client-response message will follow.
    * Each server-challenge is sent in an AuthenticationSASLContinue message,
@@ -95,16 +89,13 @@ public ScramClientInitialMessage createInitialSaslMessage(ByteBuf in) {
   public String receiveServerFirstMessage(ByteBuf in)  {
     String serverFirstMessage = in.readCharSequence(in.readableBytes(), StandardCharsets.UTF_8).toString();
 
-    ScramSession.ServerFirstProcessor serverFirstProcessor = null;
     try {
-      serverFirstProcessor = scramSession.receiveServerFirstMessage(serverFirstMessage);
-    } catch (ScramException e) {
+      scramClient.serverFirstMessage(serverFirstMessage);
+    } catch (ScramParseException e) {
       throw new UnsupportedOperationException(e);
     }
 
-    clientFinalProcessor = serverFirstProcessor.clientFinalProcessor(password);
-
-    return clientFinalProcessor.clientFinalMessage();
+    return scramClient.clientFinalMessage().toString();
   }
 
   /*
@@ -119,9 +110,33 @@ public void checkServerFinalMessage(ByteBuf in) {
     String serverFinalMessage = in.readCharSequence(in.readableBytes(), StandardCharsets.UTF_8).toString();
 
     try {
-      clientFinalProcessor.receiveServerFinalMessage(serverFinalMessage);
+      scramClient.serverFinalMessage(serverFinalMessage);
     } catch (ScramParseException | ScramServerErrorException | ScramInvalidServerSignatureException e) {
       throw new UnsupportedOperationException(e);
     }
   }
+
+  private byte[] extractChannelBindingData(ChannelHandlerContext ctx) {
+    SslHandler sslHandler = ctx.channel().pipeline().get(SslHandler.class);
+    if (sslHandler != null) {
+      SSLSession sslSession = sslHandler.engine().getSession();
+      if (sslSession != null && sslSession.isValid()) {
+        try {
+          // Get the certificate chain from the session
+          Certificate[] certificates = sslSession.getPeerCertificates();
+          if (certificates != null && certificates.length > 0) {
+            Certificate peerCert = certificates[0]; // First certificate is the peer's certificate
+            if (peerCert instanceof X509Certificate) {
+              X509Certificate cert = (X509Certificate) peerCert;
+              return TlsServerEndpoint.getChannelBindingData(cert);
+            }
+          }
+        } catch (CertificateEncodingException | SSLException e) {
+          // Cannot extract X509Certificate from SSL session
+          // handle as no channel binding available
+        }
+      }
+    }
+    return new byte[0]; // handle as no channel binding available
+  }
 }
diff --git a/vertx-pg-client/src/main/java/io/vertx/pgclient/impl/codec/InitCommandCodec.java b/vertx-pg-client/src/main/java/io/vertx/pgclient/impl/codec/InitCommandCodec.java
@@ -16,22 +16,24 @@
  */
 package io.vertx.pgclient.impl.codec;
 
-import java.nio.charset.Charset;
-import java.nio.charset.StandardCharsets;
-
 import io.netty.buffer.ByteBuf;
+import io.vertx.core.VertxException;
 import io.vertx.pgclient.impl.PgDatabaseMetadata;
 import io.vertx.pgclient.impl.PgSocketConnection;
-import io.vertx.pgclient.impl.util.ScramAuthentication;
+import io.vertx.pgclient.impl.auth.scram.ScramAuthentication;
+import io.vertx.pgclient.impl.auth.scram.ScramSession;
 import io.vertx.sqlclient.impl.Connection;
 import io.vertx.sqlclient.impl.command.CommandResponse;
 import io.vertx.sqlclient.impl.command.InitCommand;
 
+import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
+
 class InitCommandCodec extends PgCommandCodec<Connection, InitCommand> {
 
   private PgEncoder encoder;
   private String encoding;
-  private ScramAuthentication scramAuthentication;
+  private ScramSession scramSession;
 
   InitCommandCodec(InitCommand cmd) {
     super(cmd);
@@ -57,20 +59,26 @@ public void handleAuthenticationClearTextPassword() {
 
   @Override
   void handleAuthenticationSasl(ByteBuf in) {
-    scramAuthentication = new ScramAuthentication(cmd.username(), cmd.password());
-    encoder.writeScramClientInitialMessage(scramAuthentication.createInitialSaslMessage(in));
+    ScramAuthentication scramAuth = ScramAuthentication.INSTANCE;
+    if (scramAuth == null) {
+      // This will close the connection
+      throw new VertxException("Scram authentication not supported, missing com.ongres.scram:scram-client on the class/module path");
+    }
+    scramSession = scramAuth.session(cmd.username(), cmd.password().toCharArray());
+    encoder.writeScramClientInitialMessage(
+      scramSession.createInitialSaslMessage(in, encoder.channelHandlerContext()));
     encoder.flush();
   }
 
   @Override
   void handleAuthenticationSaslContinue(ByteBuf in) {
-    encoder.writeScramClientFinalMessage(new ScramClientFinalMessage(scramAuthentication.receiveServerFirstMessage(in)));
+    encoder.writeScramClientFinalMessage(new ScramClientFinalMessage(scramSession.receiveServerFirstMessage(in)));
     encoder.flush();
   }
 
   @Override
   void handleAuthenticationSaslFinal(ByteBuf in) {
-    scramAuthentication.checkServerFinalMessage(in);
+    scramSession.checkServerFinalMessage(in);
   }
 
   @Override

diff --git a/vertx-pg-client/src/main/java/io/vertx/pgclient/impl/codec/PgEncoder.java b/vertx-pg-client/src/main/java/io/vertx/pgclient/impl/codec/PgEncoder.java
@@ -30,7 +30,6 @@
 import io.vertx.sqlclient.impl.RowDesc;
 import io.vertx.sqlclient.impl.command.*;
 
-import java.util.ArrayDeque;
 import java.util.Map;
 
 import static io.vertx.pgclient.impl.util.Util.writeCString;