《Extensible Messaging and Presence Protocol (XMPP): Core》阅读笔记(二)

  服务器到服务器 SASL 验证示例:

Step 1: Server1 initiates stream to Server2:







   
     
< stream:stream
    
xmlns ='jabber:server'
    xmlns:stream
='http://etherx.jabber.org/streams'
    to
='example.com'
    version
='1.0' >

Step 2: Server2 responds with a stream tag sent to Server1:
< stream:stream
    
xmlns ='jabber:server'
    xmlns:stream
='http://etherx.jabber.org/streams'
    from
='example.com'
    id
='s2s_234'
    version
='1.0' >



Step 3: Server2 informs Server1 of available authentication mechanisms:
< stream:features >
 
< mechanisms  xmlns ='urn:ietf:params:xml:ns:xmpp-sasl' >
    
< mechanism > DIGEST-MD5 </ mechanism >
    
< mechanism > KERBEROS_V4 </ mechanism >
 
</ mechanisms >
</ stream:features >



Step 4: Server1 selects an authentication mechanism:
< auth  xmlns ='urn:ietf:params:xml:ns:xmpp-sasl'
      mechanism
='DIGEST-MD5' />
Step 5: Server2 sends a BASE64 encoded challenge to Server1:
< challenge  xmlns ='urn:ietf:params:xml:ns:xmpp-sasl' >
cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9
ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz
</ challenge >



The decoded challenge is: 
realm="somerealm",nonce="OA6MG9tEQGm2hh","
qop="auth",charset=utf-8,algorithm=md5-sess



Step 5 (alt): Server2 returns error to Server1: 
< failure  xmlns ='urn:ietf:params:xml:ns:xmpp-sasl' >
 
< incorrect-encoding />
</ failure >
</ stream:stream >



Step 6: Server1 sends a BASE64 encoded response to the challenge: 
< response  xmlns ='urn:ietf:params:xml:ns:xmpp-sasl' >
dXNlcm5hbWU9ImV4YW1wbGUub3JnIixyZWFsbT0ic29tZXJlYWxtIixub25j
ZT0iT0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5j
PTAwMDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5v
cmciLHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3
LGNoYXJzZXQ9dXRmLTgK
</ response >



The decoded response is:
username="example.org",realm="somerealm","
nonce="OA6MG9tEQGm2hh",cnonce="OA6MHXh6VqTrRk","
nc=00000001,qop=auth,digest-uri="xmpp/example.org","
response=d388dad90d4bbd760a152321f2143af7,charset=utf-8



Step 7: Server2 sends another  BASE64 encoded challenge to Server1: 
< challenge  xmlns ='urn:ietf:params:xml:ns:xmpp-sasl' >
cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo=
</ challenge >



The decoded challenge is: 



   
     
rspauth=ea40f60335c427b5527b84dbabcdfffd

Step 7 (alt): Server2 returns error to Server1:







   
     
< failure  xmlns ='urn:ietf:params:xml:ns:xmpp-sasl' >
 
< invalid-authzid />
</ failure >
</ stream:stream >

Step 8: Server1 responds to the challenge:



   
     
< response  xmlns ='urn:ietf:params:xml:ns:xmpp-sasl' />

Step 8 (alt): Server1 aborts negotiation:




   
     
< abort  xmlns ='urn:ietf:params:xml:ns:xmpp-sasl' />

Step 9: Server2 informs Server1 of successful authentication:




   
     
< success  xmlns ='urn:ietf:params:xml:ns:xmpp-sasl' />

Step 9 (alt): Server2 informs Server1 of failed authentication:







   
     
< failure  xmlns ='urn:ietf:params:xml:ns:xmpp-sasl' >
 
< aborted />
</ failure >
</ stream:stream >

Step 10: Server1 initiates a new stream to Server2:
< stream:stream
    
xmlns ='jabber:server'
    xmlns:stream
='http://etherx.jabber.org/streams'
    to
='example.com'
    version
='1.0' >



Step 11: Server2 responds by sending a stream header to Server1 along with any additional features (or an empty features element): 



   
     
< stream:stream
    
xmlns ='jabber:server'
    xmlns:stream
='http://etherx.jabber.org/streams'
    from
='example.com'
    id
='s2s_345'
    version
='1.0' >
< stream:features />

 

服务器回拨

      这是一种单向的,不安全的验证方式。

具体过程:
1,              服务器A发送流头部给服务器B:
< stream :stream
    xmlns
:stream = 'http: // etherx . jabber . org / streams'
    xmlns
= 'jabber :server '
    xmlns
:db = 'jabber :server:dialback ' >
 
2,服务器B回送一个应答给A,包含了此次交互的ID:
<stream:stream
    xmlns:stream='http://etherx.jabber.org/streams'
    xmlns='jabber:server'
    xmlns:db='jabber:server:dialback'
id='457F9224A0...'>
3,服务器A发送一个回拨key给B
<db:result
    to='Receiving Server'
    from='Originating Server'>
 98AF014EDC0...
</db:result>
 
4,服务器B同验证服务器C建立TCP连接,C发送流头部:
<stream:stream
    xmlns:stream='http://etherx.jabber.org/streams'
    xmlns='jabber:server'
    xmlns:db='jabber:server:dialback'>
5C回送应答:
<stream:stream
    xmlns:stream='http://etherx.jabber.org/streams'
    xmlns='jabber:server'
    xmlns:db='jabber:server:dialback'
    id='1251A342B...'>
6B发送验证key的请求
<db:verify
    from='Receiving Server'
    to='Originating Server'
    id='457F9224A0...'>
 98AF014EDC0...
</db:verify>
 

7,验证服务器验证key是否合法:

<db:verify

    from='Originating Server'

    to='Receiving Server'

    type='valid'

    id='457F9224A0...'/>

or

<db:verify

    from='Originating Server'

    to='Receiving Server'

    type='invalid'

    id='457F9224A0...'/>

8B通知A结果:

<db:result
    from='Receiving Server'
    to='Originating Server'
    type='valid'/>

上面这个示例只是验证了从AB的流是否合法,但不能保证从BA是否合法,因此需要在反方向再进行一次验证。

你可能感兴趣的:(protocol)