Details
Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Version: 1.5.8
Description
Per the OASIS spec, the UsernamePassword is summarized by the algorithm:
base64(sha-1(nonce+created+password))
But in some scenarios you don't store cleartext passwords, only the sha-1 hash of them. The OASIS spec allows this via what it refers to as a "password equivalent". The problem I'm running into is that the password equivalent is sha-1(password), or ultimately this equivalent:
base64(sha-1(nonce+created+sha-1(password)))
When the applicability of this approach was raised on the OASIS list, they confirmed it:
http://lists.oasis-open.org/archives/wss-dev/201006/msg00003.html
But when using the WSS4J WSPasswordCallback mechanism, the call expects the password to be a string, and the binary output of the digest, if converted to a string and then back to bytes (by UsernameToken.doPasswordDigest()), does not result in the original byte array, causing any digest calculations to fail.
This was originally posted to the mailing list below, where Colm suggested I provide a patch:
http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/201006.mbox/%3CAANLkTilnDI8iJOpHC6Lgv3mkP5_I_UtrcFeNdkDK1BA0@mail.gmail.com%3E
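To make the mismatch concrete, here is an added example, written in Python rather than Java and not taken from the issue, the mailing-list thread or WSS4J itself. It computes the PasswordDigest with a password equivalent, shows that verification succeeds when the server feeds the raw sha-1 bytes into the digest, and shows what happens when those same bytes are pushed through a string and back, as the reporter describes for the callback. It also tries one assumed workaround (the callback hands back a hex encoding of the equivalent and the verifier decodes it); that is an illustration, not WSS4J's actual fix. The nonce, the Created timestamp, the password, and the charsets tried are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac


def password_digest(nonce: bytes, created: str, password: bytes) -> str:
    """OASIS UsernameToken PasswordDigest = base64(sha-1(nonce + created + password)).

    `password` is whatever both sides agree to feed in: the cleartext password
    (as bytes) or a "password equivalent" such as sha-1(password)."""
    h = hashlib.sha1()
    h.update(nonce)
    h.update(created.encode("utf-8"))
    h.update(password)
    return base64.b64encode(h.digest()).decode("ascii")


def password_equivalent(cleartext: str) -> bytes:
    """sha-1(password): the only thing a server that never stores cleartext keeps."""
    return hashlib.sha1(cleartext.encode("utf-8")).digest()


def through_text_callback(raw: bytes, charset: str) -> bytes:
    """Model of a callback that can only return a string: the raw 20-byte
    equivalent is decoded as text and then re-encoded by the verifier.
    Undecodable bytes are replaced (U+FFFD), which is where data is lost."""
    return raw.decode(charset, errors="replace").encode(charset)


def verify(client_digest: str, nonce: bytes, created: str, server_secret: bytes) -> bool:
    """Server-side check: recompute the digest and compare in constant time."""
    expected = password_digest(nonce, created, server_secret)
    return hmac.compare_digest(client_digest, expected)


def scenario(cleartext: str = "secret") -> dict:
    """Run the client/server exchange four ways and report which verify.

    Constructed inputs: a fixed nonce and Created value so results are stable."""
    nonce = bytes(range(16))                      # constructed, not a real random nonce
    created = "2010-06-01T12:00:00.000Z"          # constructed timestamp
    equivalent = password_equivalent(cleartext)   # both sides use sha-1(password)

    # Client sends base64(sha-1(nonce + created + sha-1(password))).
    client_digest = password_digest(nonce, created, equivalent)

    results = {}
    # 1. Server uses the raw stored bytes directly: matches.
    results["raw_bytes"] = verify(client_digest, nonce, created, equivalent)
    # 2. Server gets the bytes back through a UTF-8 string: bytes mangled, fails.
    mangled = through_text_callback(equivalent, "utf-8")
    results["via_utf8_text"] = verify(client_digest, nonce, created, mangled)
    # 3. A byte-transparent charset (ISO-8859-1) happens to survive the round
    #    trip; relying on the platform default charset is what makes this fragile.
    latin1 = through_text_callback(equivalent, "latin-1")
    results["via_latin1_text"] = verify(client_digest, nonce, created, latin1)
    # 4. Assumed workaround: the callback returns hex text and the verifier
    #    decodes it back to bytes before hashing. Text survives; bytes are exact.
    hex_from_callback = binascii.hexlify(equivalent).decode("ascii")
    decoded = binascii.unhexlify(hex_from_callback)
    results["via_hex_callback"] = verify(client_digest, nonce, created, decoded)
    return results


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:18s} {'verified' if ok else 'FAILED'}")
```

Scenario 2 is the reporter's failure: the equivalent for "secret" begins with the byte 0xE5, a UTF-8 three-byte lead that is not followed by continuation bytes, so decoding replaces it and the re-encoded value no longer equals the stored hash. Scenario 3 shows the same code appearing to work on a platform whose default charset maps every byte to a character, which is why such a bug can go unnoticed until the JVM's file.encoding changes.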