《Extensible Messaging and Presence Protocol (XMPP): Core》阅读笔记（二）

 服务器到服务器SASL验证示例：

Step 1: Server1 initiates stream to Server2:

<stream:stream
    xmlns='jabber:server'
    xmlns:stream='http://etherx.jabber.org/streams'
    to='example.com'
    version='1.0'>

Step 2: Server2 responds with a stream tag sent to Server1:

<stream:stream
    xmlns='jabber:server'
    xmlns:stream='http://etherx.jabber.org/streams'
    from='example.com'
    id='s2s_234'
    version='1.0'>

Step 3: Server2 informs Server1 of available authentication mechanisms:

<stream:features>
 <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>KERBEROS_V4</mechanism>
 </mechanisms>
</stream:features>

Step 4: Server1 selects an authentication mechanism:

<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
      mechanism='DIGEST-MD5'/>

Step 5: Server2 sends a BASE64 encoded challenge to Server1:

<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9
ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz
</challenge>

The decoded challenge is:

realm="somerealm",nonce="OA6MG9tEQGm2hh","
qop="auth",charset=utf-8,algorithm=md5-sess

Step 5 (alt): Server2 returns error to Server1:

<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
 <incorrect-encoding/>
</failure>
</stream:stream>

Step 6: Server1 sends a BASE64 encoded response to the challenge:

<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
dXNlcm5hbWU9ImV4YW1wbGUub3JnIixyZWFsbT0ic29tZXJlYWxtIixub25j
ZT0iT0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5j
PTAwMDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5v
cmciLHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3
LGNoYXJzZXQ9dXRmLTgK
</response>

The decoded response is:

username="example.org",realm="somerealm","
nonce="OA6MG9tEQGm2hh",cnonce="OA6MHXh6VqTrRk","
nc=00000001,qop=auth,digest-uri="xmpp/example.org","
response=d388dad90d4bbd760a152321f2143af7,charset=utf-8

Step 7: Server2 sends another  BASE64 encoded challenge to Server1:

<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo=
</challenge>

The decoded challenge is:

rspauth=ea40f60335c427b5527b84dbabcdfffd

Step 7 (alt): Server2 returns error to Server1:

<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
 <invalid-authzid/>
</failure>
</stream:stream>

Step 8: Server1 responds to the challenge:

<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>

Step 8 (alt): Server1 aborts negotiation:

<abort xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>

Step 9: Server2 informs Server1 of successful authentication:

<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>

Step 9 (alt): Server2 informs Server1 of failed authentication:

<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
 <aborted/>
</failure>
</stream:stream>

Step 10: Server1 initiates a new stream to Server2:

<stream:stream
    xmlns='jabber:server'
    xmlns:stream='http://etherx.jabber.org/streams'
    to='example.com'
    version='1.0'>

Step 11: Server2 responds by sending a stream header to Server1 along with any additional features (or an empty features element):

<stream:stream
    xmlns='jabber:server'
    xmlns:stream='http://etherx.jabber.org/streams'
    from='example.com'
    id='s2s_345'
    version='1.0'>
<stream:features/>

 

服务器回拨

      这是一种单向的，不安全的验证方式。

具体过程：

1，              服务器A发送流头部给服务器B:

<stream:stream
    xmlns:stream='http://etherx.jabber.org/streams'
    xmlns='jabber:server'
    xmlns:db='jabber:server:dialback'>

 

2,服务器B回送一个应答给A,包含了此次交互的ID:
<stream:stream

    xmlns:stream='http://etherx.jabber.org/streams'

    xmlns='jabber:server'

    xmlns:db='jabber:server:dialback'

id='457F9224A0...'>

3,服务器A发送一个回拨key给B

<db:result

    to='Receiving Server'

    from='Originating Server'>

 98AF014EDC0...

</db:result>

4,服务器B同验证服务器C建立TCP连接,向C发送流头部：

<stream:stream

    xmlns:stream='http://etherx.jabber.org/streams'

    xmlns='jabber:server'

    xmlns:db='jabber:server:dialback'>

5，C回送应答：

<stream:stream

    xmlns:stream='http://etherx.jabber.org/streams'

    xmlns='jabber:server'

    xmlns:db='jabber:server:dialback'

    id='1251A342B...'>

6，B发送验证key的请求

<db:verify

    from='Receiving Server'

    to='Originating Server'

    id='457F9224A0...'>

 98AF014EDC0...

</db:verify>

7，验证服务器验证key是否合法：

<db:verify

    from='Originating Server'

    to='Receiving Server'

    type='valid'

    id='457F9224A0...'/>

or

<db:verify

    from='Originating Server'

    to='Receiving Server'

    type='invalid'

    id='457F9224A0...'/>

8，B通知A结果：

<db:result

    from='Receiving Server'

    to='Originating Server'

    type='valid'/>

上面这个示例只是验证了从A到B的流是否合法，但不能保证从B到A是否合法，因此需要在反方向再进行一次验证。