WSS4J / WSS-239

Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.8
    • Fix Version/s: 1.5.10, 1.6
    • Component/s: WSS4J Core
    • Labels: None

Description

Per the OASIS spec, the UsernamePassword is summarized by the algorithm:
base64(sha-1(nonce+created+password))

But, in some scenarios you don't store cleartext passwords - only the sha-1 hash of them. The OASIS spec allows this via what they claim as "..password equivalent". The problem I'm running into is that the password equivalent is sha-1(password), or ultimately this equivalent:
base64(sha-1(nonce+created+sha-1(password)))

When the applicability of this approach was questioned on the OASIS list, they confirmed it:
http://lists.oasis-open.org/archives/wss-dev/201006/msg00003.html

But, when using the wss4j WSPasswordCallback mechanism, the call expects the password to be a string, but the binary output of the digest, if converted to a string and then back to bytes (by UsernameToken.doPasswordDigest()), does not result in the original byte array - causing any digest calculations to fail.

This was originally posted on the mailing list below, where Colm suggested I provide a patch:
http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/201006.mbox/%3CAANLkTilnDI8iJOpHC6Lgv3mkP5_I_UtrcFeNdkDK1BA0@mail.gmail.com%3E
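A Python model of the two digest forms described above and of the byte round-trip problem the reporter hits. This is example code added here; it is not part of the issue, of the attached patches, or of WSS4J. The nonce, Created timestamp, username and password are constructed sample values, and the String conversion is modelled as a lossy UTF-8 decode/encode, which is the behaviour the description attributes to converting the digest bytes to a string and back.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not taken from the issue): a 16-byte nonce and a
# Created timestamp in the form WS-Security UsernameToken uses.
NONCE = b"0123456789abcdef"
CREATED = "2010-06-15T12:00:00Z"


def password_digest(nonce: bytes, created: str, password_bytes: bytes) -> str:
    """PasswordDigest as the issue states it: base64(sha-1(nonce + created + password)).

    The password is taken as raw bytes so the caller can pass either the UTF-8
    cleartext password or a binary "password equivalent" such as sha-1(password).
    """
    material = nonce + created.encode("utf-8") + password_bytes
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def password_equivalent(password: str) -> bytes:
    """The stored form the issue describes: sha-1(password), 20 raw bytes."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def string_round_trip_preserves(data: bytes) -> bool:
    """Model the bytes -> String -> bytes conversion the issue says corrupts the digest.

    Arbitrary digest bytes are usually not valid UTF-8; decoding them as text
    substitutes replacement characters, so re-encoding does not give the
    original byte array back. Returns True only if the round trip is lossless.
    """
    return data.decode("utf-8", errors="replace").encode("utf-8") == data


def build_username_token(username: str, password: str, nonce: bytes, created: str) -> dict:
    """Client side: digest over the password equivalent, the second formula in the issue."""
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password_equivalent(password)),
    }


def verify_token(stored_equivalent: bytes, token: dict) -> bool:
    """Server side: recompute from the stored sha-1(password) bytes and compare.

    The stored value never passes through a String, which is the point of the
    requested change: the callback must hand over the raw bytes.
    """
    nonce = base64.b64decode(token["Nonce"])
    expected = password_digest(nonce, token["Created"], stored_equivalent)
    # Constant-time comparison so timing does not depend on where the digests differ.
    return hmac.compare_digest(expected, token["PasswordDigest"])


if __name__ == "__main__":
    stored = password_equivalent("password")  # what the server keeps on file
    token = build_username_token("alice", "password", NONCE, CREATED)
    print("digest verifies against stored equivalent:", verify_token(stored, token))
    print("equivalent survives a String round trip:", string_round_trip_preserves(stored))
```

Running the block shows the digest verifying when the server works on the raw stored bytes, and `string_round_trip_preserves` returning False for the same bytes, which is the corruption the description reports when the equivalent is forced through a string.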

Attachments

    1. WSS-239-1_5_x-fixes.patch (60 kB, Jim Utter)
    2. wss4j-1.5.9-password-equivalence.patch (37 kB, Patrick Ryan)
    3. wss-239-revised.patch (31 kB, Colm O hEigeartaigh)


People

    • Assignee: Colm O hEigeartaigh (coheigea)
    • Reporter: Jim Utter (jutter)
    • Votes: 0
    • Watchers: 1
