Fix PasswordDigestExt algorithm #265

Open (wants to merge 3 commits into base: next)

gokussx4

This fixes the PasswordDigestExt algorithm to match the definition described in the ws-security documentation (using the documentation as expectation).

Documentation:
Section about "Username" and its configurable fields
https://www.soapui.org/soapui-projects/ws-security.html

Tested against Amadeus Web Services. Credential was always being reported invalid prior to this fix.

Zachary Pittman and others added 3 commits May 15, 2017 13:23
This fixes the PasswordDigestExt algorithm to match the definition described in the ws-security documentation (using the documentation as expectation).

Documentation:
Section about "Username" and its configurable fields
https://www.soapui.org/soapui-projects/ws-security.html

Tested against Amadeus Web Services. Credential was always being reported invalid prior to this fix.
@olensmar
Contributor

thanks! - perhaps we need to add a setting for this as it could break usage for those that depend on unencrypted passwords!?

@gokussx4
Author

gokussx4 commented Jun 2, 2017

Technically the current version is encrypting the password but it is also performing an additional Base64 encoding on top of the SHA-1 encryption of the clear text password. Without looking at the source code there would be no way to get a server side to match this nonstandard approach.

Here is what the current OASIS standard is (Password Digest):
Base64 ( SHA-1 ( nonce + created + password ) )

Here is what the SoapUI documentation suggests the nonstandard interop approach is (Password Digest Ext):
Base64 ( SHA-1 ( nonce + created + SHA-1 (password) ) )

Here is what SoapUI actually does for Password Digest Ext:
Base64 ( SHA-1 ( nonce + created + Base64 (SHA-1 (password) ) ) )

If you are concerned about those that were using the Password Digest Ext successfully (could be they looked at the source code and adjusted their server side to match) there could be a Password Digest SoapUI version I suppose?
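
The three variants from the comment above, as an added example that is not part of the pull request or of SoapUI's code: it computes each digest and reports which variant a received value matches, which is one way to diagnose a server-side mismatch like the one described. It assumes the nonce is concatenated as the raw bytes decoded from its Base64 wire form and that created and password are UTF-8; all function names and sample values are constructed here.

```python
import base64
import hashlib
import hmac


def _b64_sha1(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def password_digest(nonce: bytes, created: str, password: str) -> str:
    # OASIS form: Base64(SHA-1(nonce + created + password))
    return _b64_sha1(nonce + created.encode() + password.encode())


def password_digest_ext(nonce: bytes, created: str, password: str) -> str:
    # Documented Ext form: the raw 20-byte SHA-1(password) is concatenated
    inner = hashlib.sha1(password.encode()).digest()
    return _b64_sha1(nonce + created.encode() + inner)


def password_digest_ext_b64_inner(nonce: bytes, created: str, password: str) -> str:
    # Behaviour reported in the thread: the inner hash is Base64 text (28 bytes)
    inner = base64.b64encode(hashlib.sha1(password.encode()).digest())
    return _b64_sha1(nonce + created.encode() + inner)


SCHEMES = {
    "PasswordDigest": password_digest,
    "PasswordDigestExt (documented)": password_digest_ext,
    "PasswordDigestExt (Base64 inner hash)": password_digest_ext_b64_inner,
}


def identify_scheme(received: str, nonce_b64: str, created: str, password: str):
    """Return the name of the variant that reproduces `received`, or None."""
    nonce = base64.b64decode(nonce_b64, validate=True)  # wire nonce is Base64
    for name, fn in SCHEMES.items():
        expected = fn(nonce, created, password)
        if hmac.compare_digest(expected.encode(), received.encode()):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample values, not taken from any real service
    nonce_b64 = base64.b64encode(bytes(range(16))).decode()
    created, password = "2017-05-15T13:23:00Z", "example-password"
    for name, fn in SCHEMES.items():
        print(f"{name:40s} {fn(bytes(range(16)), created, password)}")
```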

@phil-newman

Any update on this? I am also trying to use soapui for Amadeus webservices and am experiencing the same issue.

@unalyildirim

Dear olensmar

The fix suggested by @gokussx4 looks correct. Since the password is encoded as Base64 after hashing, it needs to be decoded from Base64 before being merged with the created and nonce values.

Could you merge it for new releases?

Thanks

@olensmar
Contributor

olensmar commented Mar 4, 2024

Hi @unalyildirim - thanks for reaching out - unfortunately I don't have write access to this repo - you'll have to ask someone from the maintainer/smartbear team.. good luck!
