《Extensible Messaging and Presence Protocol (XMPP): Core》阅读笔记(二)

 服务器到服务器SASL验证示例:

Step 1: Server1 initiates stream to Server2: 




复制代码
<stream:stream

    xmlns='jabber:server'

    xmlns:stream='http://etherx.jabber.org/streams'

    to='example.com'

    version='1.0'>


复制代码



Step 2: Server2 responds with a stream tag sent to Server1: 


复制代码
<stream:stream

    xmlns='jabber:server'

    xmlns:stream='http://etherx.jabber.org/streams'

    from='example.com'

    id='s2s_234'

    version='1.0'>


复制代码





Step 3: Server2 informs Server1 of available authentication mechanisms:


复制代码
<stream:features>

 <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>

    <mechanism>DIGEST-MD5</mechanism>

    <mechanism>KERBEROS_V4</mechanism>

 </mechanisms>

</stream:features>


复制代码





Step 4: Server1 selects an authentication mechanism:


<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'

      mechanism='DIGEST-MD5'/>



Step 5: Server2 sends a BASE64 encoded challenge to Server1: 


复制代码
<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>

cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9

ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz

</challenge>


复制代码





The decoded challenge is: 


realm="somerealm",nonce="OA6MG9tEQGm2hh","

qop="auth",charset=utf-8,algorithm=md5-sess







Step 5 (alt): Server2 returns error to Server1: 


复制代码
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>

 <incorrect-encoding/>

</failure>

</stream:stream>


复制代码





Step 6: Server1 sends a BASE64 encoded response to the challenge: 


复制代码
<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>

dXNlcm5hbWU9ImV4YW1wbGUub3JnIixyZWFsbT0ic29tZXJlYWxtIixub25j

ZT0iT0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5j

PTAwMDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5v

cmciLHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3

LGNoYXJzZXQ9dXRmLTgK

</response>


复制代码





The decoded response is:


复制代码
username="example.org",realm="somerealm","

nonce="OA6MG9tEQGm2hh",cnonce="OA6MHXh6VqTrRk","

nc=00000001,qop=auth,digest-uri="xmpp/example.org","

response=d388dad90d4bbd760a152321f2143af7,charset=utf-8


复制代码





Step 7: Server2 sends another  BASE64 encoded challenge to Server1: 


<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>

cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo=

</challenge>







The decoded challenge is: 




rspauth=ea40f60335c427b5527b84dbabcdfffd




Step 7 (alt): Server2 returns error to Server1: 







复制代码
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>

 <invalid-authzid/>

</failure>

</stream:stream>


复制代码



Step 8: Server1 responds to the challenge: 




<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>




Step 8 (alt): Server1 aborts negotiation: 




<abort xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>




Step 9: Server2 informs Server1 of successful authentication: 




<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>




Step 9 (alt): Server2 informs Server1 of failed authentication: 







复制代码
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>

 <aborted/>

</failure>

</stream:stream>


复制代码



Step 10: Server1 initiates a new stream to Server2: 


复制代码
<stream:stream

    xmlns='jabber:server'

    xmlns:stream='http://etherx.jabber.org/streams'

    to='example.com'

    version='1.0'>


复制代码





Step 11: Server2 responds by sending a stream header to Server1 along with any additional features (or an empty features element): 




复制代码
<stream:stream

    xmlns='jabber:server'

    xmlns:stream='http://etherx.jabber.org/streams'

    from='example.com'

    id='s2s_345'

    version='1.0'>

<stream:features/>


复制代码



 

服务器回拨


      这是一种单向的,不安全的验证方式。





具体过程:


1,              服务器A发送流头部给服务器B:


复制代码
<stream:stream

    xmlns:stream='http://etherx.jabber.org/streams'

    xmlns='jabber:server'

    xmlns:db='jabber:server:dialback'>


复制代码

 


2,服务器B回送一个应答给A,包含了此次交互的ID:

<stream:stream


    xmlns:stream='http://etherx.jabber.org/streams'


    xmlns='jabber:server'


    xmlns:db='jabber:server:dialback'


id='457F9224A0...'>


3,服务器A发送一个回拨key给B


<db:result


    to='Receiving Server'


    from='Originating Server'>


 98AF014EDC0...


</db:result>


 


4,服务器B同验证服务器C建立TCP连接,C发送流头部:


<stream:stream


    xmlns:stream='http://etherx.jabber.org/streams'


    xmlns='jabber:server'


    xmlns:db='jabber:server:dialback'>


5C回送应答:


<stream:stream


    xmlns:stream='http://etherx.jabber.org/streams'


    xmlns='jabber:server'


    xmlns:db='jabber:server:dialback'


    id='1251A342B...'>


6B发送验证key的请求


<db:verify


    from='Receiving Server'


    to='Originating Server'


    id='457F9224A0...'>


 98AF014EDC0...


</db:verify>


 


7,验证服务器验证key是否合法:


<db:verify


    from='Originating Server'


    to='Receiving Server'


    type='valid'


    id='457F9224A0...'/>


or 


<db:verify


    from='Originating Server'


    to='Receiving Server'


    type='invalid'


    id='457F9224A0...'/>


8B通知A结果:


<db:result


    from='Receiving Server'


    to='Originating Server'


    type='valid'/>


上面这个示例只是验证了从AB的流是否合法,但不能保证从BA是否合法,因此需要在反方向再进行一次验证。








        

            posted on 
 
Phinecos(洞庭散人) 
阅读(498) 
评论(0编辑 
收藏 
举报

        

    











    
    

    
    



    

        
    

        

            
                
                
            
        

    

编辑推荐:



· 如何编写易于单元测试的代码
    

· 10年+ .NET Coder 心语,封装的思维:从隐藏、稳定开始理解其本质意义
    

· .NET Core 中如何实现缓存的预热?
    

· 从 HTTP 原因短语缺失研究 HTTP/2 和 HTTP/3 的设计差异
    

· AI与.NET技术实操系列:向量存储与相似性搜索在 .NET 中的实现
    



    

    阅读排行:
    

 ·          周边上新:园子的第一款马克杯温暖上架
        

 ·          Open-Sora 2.0 重磅开源!
        

 ·          .NET周刊【3月第1期 2025-03-02】
        

 ·          分享 3 个 .NET 开源的文件压缩处理库,助力快速实现文件压缩解压功能!
        

 ·          [AI/GPT/综述] AI Agent的设计模式综述
        



    

    





	






	
		
		

导航




		

统计




		

		































                    
	


			
			
			
			
			 

	



    

    
    








  

  
点击右上角即可分享

  微信分享提示

   
    
AI IDE Trae