ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Colm O hEigeartaigh (JIRA)" <>
Subject [jira] Commented: (WSS-239) Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data
Date Mon, 01 Nov 2010 22:32:24 GMT


Colm O hEigeartaigh commented on WSS-239:

Hi Patrick,

The intent of the patch you submitted is different from the original patch as supplied by

The original patch is to handle this kind of computation: 


whereas your patch handles this scenario:


According to the link Jim provided (
it is incorrect to Base64 the binary data (sha-1(password)). It would probably be better to
modify the existing code to accomadate setting the password as binary data.


> Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken
when it's binary data
> ---------------------------------------------------------------------------------------------------------------
>                 Key: WSS-239
>                 URL:
>             Project: WSS4J
>          Issue Type: Improvement
>          Components: WSS4J Core
>    Affects Versions: 1.5.8
>            Reporter: Jim Utter
>            Assignee: Ruchith Udayanga Fernando
>         Attachments: WSS-239-1_5_x-fixes.patch, wss4j-1.5.9-password-equivalence.patch
> Per the oasis spec, the UsernamePassword is summarized by the algorithm:
>    base64(sha-1(nonce+created+password))
> But, in some scenarios you don't store cleartext passwords - only the sha-1 hash
> of them.  The oasis spec allows this via what they claim as "..password
> equivalent".  The problem I'm running into is that the password equivalent
> is sha-1(password) or ultimately this equivalent:
>    base64(sha-1(nonce+created+sha-1(password)))
> When the applicability of this approach was questioned to the oasis list,
> they confirmed it:
> But, when using the wss4j WSPasswordCallback mechanism, the call expects the
> password to be a string but the binary output of the digest if converted to
> a string, then back to the bytes (by UsernameToken.doPasswordDigest()) does
> not result in the original byte array - causing any digest calculations to
> fail.
> This was originally posted in the mailing list below where Colm suggested I provide a

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message