After reading RFC5802 I'm not convinced this approach can be salvaged (in a sensible amount of time) so let's replace it with something that is a simple demo.

Simon MacMullen · Simon MacMullen · commit 61d9d02ca702 · 2010-11-16T11:07:41.000Z
diff --git a/src/com/rabbitmq/client/impl/CRDemoSaslClient.java b/src/com/rabbitmq/client/impl/CRDemoSaslClient.java
@@ -13,31 +13,22 @@
 import javax.security.sasl.SaslException;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 
 /**
+    Provides equivalent security to PLAIN but demos use of Connection.Secure(Ok)
     START-OK: Username
-    SECURE: {Salt1, Salt2} (where Salt1 is the salt from the db and
-    Salt2 differs every time)
-    SECURE-OK: md5(Salt2 ++ md5(Salt1 ++ Password))
-
-    The second salt is there to defend against replay attacks. The
-    first is needed since the passwords are salted in the db.
-
-    This is only somewhat improved security over PLAIN (if you can
-    break MD5 you can still replay attack) but it's better than nothing
-    and mostly there to prove the use of SECURE / SECURE-OK frames.
+    SECURE: "Please tell me your password"
+    SECURE-OK: Password
 */
 
-public class ScramMD5SaslClient implements SaslClient {
-    private static final String NAME = "RABBIT-SCRAM-MD5";
+public class CRDemoSaslClient implements SaslClient {
+    private static final String NAME = "RABBIT-CR-DEMO";
 
     private CallbackHandler handler;
     private int round = 0;
 
-    public ScramMD5SaslClient(CallbackHandler handler) {
+    public CRDemoSaslClient(CallbackHandler handler) {
         this.handler = handler;
     }
 
@@ -57,12 +48,9 @@ public byte[] evaluateChallenge(byte[] challenge) throws SaslException {
                 handler.handle(new Callback[]{nc});
                 resp = nc.getName().getBytes("utf-8");
             } else {
-                byte[] salt1 = Arrays.copyOfRange(challenge, 0, 4);
-                byte[] salt2 = Arrays.copyOfRange(challenge, 4, 8);
                 PasswordCallback pc = new PasswordCallback("Password:", false);
                 handler.handle(new Callback[]{pc});
-                byte[] pw = new String(pc.getPassword()).getBytes("utf-8");
-                resp = digest(salt2, digest(salt1, pw));
+                resp = new String(pc.getPassword()).getBytes("utf-8");
             }
         } catch (UnsupportedEncodingException e) {
             throw new RuntimeException(e);
@@ -96,32 +84,16 @@ public void dispose() throws SaslException {
         // NOOP
     }
 
-    private static byte[] digest(byte[] arr1, byte[] arr2) {
-        try {
-            MessageDigest digest = MessageDigest.getInstance("MD5");
-            return digest.digest(concat(arr1, arr2));
-
-        } catch (NoSuchAlgorithmException e) {
-            throw new RuntimeException(e);
-        }
-    }
-
-    private static byte[] concat(byte[] first, byte[] second) {
-        byte[] result = Arrays.copyOf(first, first.length + second.length);
-        System.arraycopy(second, 0, result, first.length, second.length);
-        return result;
-    }
-
-    public static class ScramMD5SaslConfig implements SaslConfig {
+    public static class CRDemoSaslConfig implements SaslConfig {
         private ConnectionFactory factory;
 
-        public ScramMD5SaslConfig(ConnectionFactory factory) {
+        public CRDemoSaslConfig(ConnectionFactory factory) {
             this.factory = factory;
         }
 
         public SaslClient getSaslClient(String[] mechanisms) throws SaslException {
             if (Arrays.asList(mechanisms).contains(NAME)) {
-                return new ScramMD5SaslClient(new UsernamePasswordCallbackHandler(factory));
+                return new CRDemoSaslClient(new UsernamePasswordCallbackHandler(factory));
             }
             else {
                 return null;
