From dev-return-9935-apmail-ws-dev-archive=ws.apache.org@ws.apache.org Tue Nov 02 15:12:28 2010 Return-Path: Delivered-To: apmail-ws-dev-archive@www.apache.org Received: (qmail 70547 invoked from network); 2 Nov 2010 15:12:24 -0000 Received: from unknown (HELO mail.apache.org) (140.211.11.3) by 140.211.11.9 with SMTP; 2 Nov 2010 15:12:24 -0000 Received: (qmail 59029 invoked by uid 500); 2 Nov 2010 15:12:53 -0000 Delivered-To: apmail-ws-dev-archive@ws.apache.org Received: (qmail 57795 invoked by uid 500); 2 Nov 2010 15:12:50 -0000 Mailing-List: contact dev-help@ws.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@ws.apache.org Delivered-To: mailing list dev@ws.apache.org Received: (qmail 57784 invoked by uid 99); 2 Nov 2010 15:12:49 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 02 Nov 2010 15:12:49 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.22] (HELO thor.apache.org) (140.211.11.22) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 02 Nov 2010 15:12:47 +0000 Received: from thor (localhost [127.0.0.1]) by thor.apache.org (8.13.8+Sun/8.13.8) with ESMTP id oA2FCP99021230 for ; Tue, 2 Nov 2010 15:12:25 GMT Message-ID: <27544961.196771288710745552.JavaMail.jira@thor> Date: Tue, 2 Nov 2010 11:12:25 -0400 (EDT) From: "Colm O hEigeartaigh (JIRA)" To: dev@ws.apache.org Subject: [jira] Assigned: (WSS-239) Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/WSS-239?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh reassigned WSS-239: --------------------------------------- Assignee: Colm O hEigeartaigh (was: Ruchith Udayanga Fernando) > Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data > --------------------------------------------------------------------------------------------------------------- > > Key: WSS-239 > URL: https://issues.apache.org/jira/browse/WSS-239 > Project: WSS4J > Issue Type: Improvement > Components: WSS4J Core > Affects Versions: 1.5.8 > Reporter: Jim Utter > Assignee: Colm O hEigeartaigh > Attachments: WSS-239-1_5_x-fixes.patch, wss4j-1.5.9-password-equivalence.patch > > > Per the oasis spec, the UsernamePassword is summarized by the algorithm: > base64(sha-1(nonce+created+password)) > But, in some scenarios you don't store cleartext passwords - only the sha-1 hash > of them. The oasis spec allows this via what they claim as "..password > equivalent". The problem I'm running into is that the password equivalent > is sha-1(password) or ultimately this equivalent: > base64(sha-1(nonce+created+sha-1(password))) > When the applicability of this approach was questioned to the oasis list, > they confirmed it: > http://lists.oasis-open.org/archives/wss-dev/201006/msg00003.html > But, when using the wss4j WSPasswordCallback mechanism, the call expects the > password to be a string but the binary output of the digest if converted to > a string, then back to the bytes (by UsernameToken.doPasswordDigest()) does > not result in the original byte array - causing any digest calculations to > fail. > This was originally posted in the mailing list below where Colm suggested I provide a patch: > http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/201006.mbox/%3CAANLkTilnDI8iJOpHC6Lgv3mkP5_I_UtrcFeNdkDK1BA0@mail.gmail.com%3E -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.