Working algorithm for PasswordDigest in WS-Security


Question

I'm having trouble with WS-Security, and creating a nonce and password digest that is correct.

I am successfully using SoapUI to send data to an Oracle system, so I'm able to intercept SoapUI's call (change the proxy to 127.0.0.1 port 8888 to use Fiddler, where it fails because it's over SSL). Intercepting is important because these values can only be used once. I can then grab the nonce, created timestamp and password digest, put them into my code (I've only got 30 seconds to do this as the values don't last!) and I get a success.

So I know it's nothing else, just the Password Digest.

I'm using the following values:

Nonce: UIYifr1SPoNlrmmKGSVOug==
Created Timestamp: 2009-12-03T16:14:49Z
Password: test8
Required Password Digest: yf2yatQzoaNaC8BflCMatVch/B8=

I know the algorithm for creating the Digest is:

Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )

using the following code (from Rick Strahl's post):

using System;
using System.Security.Cryptography;
using System.Text;

// Hashes the UTF-8 bytes of the string exactly as given (nonce text + created + password)
// and returns the Base64-encoded SHA-1 digest.
protected string GetSHA1String(string phrase)
{
    SHA1CryptoServiceProvider sha1Hasher = new SHA1CryptoServiceProvider();
    byte[] hashedDataBytes = sha1Hasher.ComputeHash(Encoding.UTF8.GetBytes(phrase));
    return Convert.ToBase64String(hashedDataBytes);
}



I get:

GetSHA1String("UIYifr1SPoNlrmmKGSVOug==" + "2009-12-03T16:14:49Z" + "test8") = "YoQKI3ERlMDGEXHlztIelsgL50M="

I have tried various SHA1 methods, all return the same results (which is a good thing I guess!):

// Alternative SHA-1 implementations from System.Security.Cryptography; each gives the same result:
SHA1 sha1 = SHA1.Create();
SHA1 sha1 = SHA1Managed.Create();

// Bouncy Castle (using Org.BouncyCastle.Crypto; using Org.BouncyCastle.Crypto.Digests;):
protected string GetSHA1usingBouncyCastle(string phrase)
{
    IDigest digest = new Sha1Digest();
    byte[] resBuf = new byte[digest.GetDigestSize()];
    byte[] bytes = Encoding.UTF8.GetBytes(phrase);
    digest.BlockUpdate(bytes, 0, bytes.Length);
    digest.DoFinal(resBuf, 0);
    return Convert.ToBase64String(resBuf);
}



Any ideas on how to get the correct hash?

Answer

The problem was the nonce.

I was trying to use a nonce that had already been Base64 encoded. If you want to use a nonce that is in the form "UIYifr1SPoNlrmmKGSVOug==" then you need to decode it:

Convert.FromBase64String("UIYifr1SPoNlrmmKGSVOug=="), which gives a byte array.

So we need a new method:

using System;
using System.Security.Cryptography;
using System.Text;

// PasswordDigest = Base64(SHA-1(nonce || created || password)), where nonce is the
// raw octets (the decoded Base64 value from the XML), not the Base64 text.
public string CreatePasswordDigest(byte[] nonce, string createdTime, string password)
{
    // combine three byte arrays into one
    byte[] time = Encoding.UTF8.GetBytes(createdTime);
    byte[] pwd = Encoding.UTF8.GetBytes(password);
    byte[] operand = new byte[nonce.Length + time.Length + pwd.Length];
    Array.Copy(nonce, operand, nonce.Length);
    Array.Copy(time, 0, operand, nonce.Length, time.Length);
    Array.Copy(pwd, 0, operand, nonce.Length + time.Length, pwd.Length);

    // create the hash (SHA1CryptoServiceProvider is marked obsolete from .NET 6;
    // SHA1.Create() or SHA1.HashData(operand) gives the same bytes)
    var sha1Hasher = new SHA1CryptoServiceProvider();
    byte[] hashedDataBytes = sha1Hasher.ComputeHash(operand);
    return Convert.ToBase64String(hashedDataBytes);
}

CreatePasswordDigest(Convert.FromBase64String("UIYifr1SPoNlrmmKGSVOug=="), "2009-12-03T16:14:49Z", "test8")

which returns yf2yatQzoaNaC8BflCMatVch/B8= as we want.

Remember to use the same createdTime in the digest as you put in the XML. This might sound obvious, but some people include milliseconds on their timestamps and some don't; it doesn't matter, it just needs to be consistent.

Also the Id field in the UsernameToken XML doesn't matter; it doesn't need to change.

Here's a method to create a nonce like the one above, if you don't want to use GUIDs like Rick uses:

using System.Security.Cryptography;

// Returns 16 cryptographically random octets; Base64-encode them when placing the nonce in the XML,
// but pass the raw bytes to CreatePasswordDigest. (RNGCryptoServiceProvider is marked obsolete from
// .NET 6; RandomNumberGenerator.GetBytes(16) is the replacement.)
private byte[] CreateNonce()
{
    var Rand = new RNGCryptoServiceProvider();
    //make random octets
    byte[] buf = new byte[0x10];
    Rand.GetBytes(buf);
    return buf;
}



I hope that helps someone; it took me lots of frustration, trial and error, searching web pages, and general head/wall banging.
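The following is an added example, not code from the question or answer above, and in Python rather than C# so the digest can be recomputed without a .NET toolchain. It shows both sides of the UsernameToken exchange: the client builds the token (raw nonce bytes into the hash, Base64 text into the XML), and a hypothetical server-side DigestVerifier recomputes the digest, bounds the Created timestamp, and rejects nonce reuse, which is why the intercepted values from the question only worked once. The nonce, Created, password and expected digest constants are the ones from the question; the user/password table, the 5-minute skew window, and the function and class names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Optional

# Test vector from the question: nonce as it appears in the XML (Base64 text),
# the <wsu:Created> string, the password, and the digest the endpoint accepted.
NONCE_B64 = "UIYifr1SPoNlrmmKGSVOug=="
CREATED = "2009-12-03T16:14:49Z"
PASSWORD = "test8"
EXPECTED_DIGEST = "yf2yatQzoaNaC8BflCMatVch/B8="


def decode_nonce(nonce_b64: str) -> bytes:
    """The XML carries Base64 text; the digest is computed over the raw octets."""
    return base64.b64decode(nonce_b64, validate=True)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce || created || password)), nonce as raw bytes."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def wrong_digest(nonce_b64: str, created: str, password: str) -> str:
    """The mistake from the question: hashing the Base64 text of the nonce instead of its bytes."""
    data = (nonce_b64 + created + password).encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def make_username_token(username: str, password: str, now: Optional[datetime] = None) -> dict:
    """Client side: fresh 16-byte nonce, UTC Created, digest over exactly those values."""
    nonce = os.urandom(16)
    created = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),  # EncodingType Base64Binary
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


def parse_created(created: str) -> datetime:
    """Accept Created with or without fractional seconds (the caveat in the answer)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(created, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised Created timestamp: " + created)


class DigestVerifier:
    """Hypothetical server side: recompute digest, bound timestamp, reject nonce reuse."""

    def __init__(self, passwords: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.passwords = passwords  # constructed user -> password table (assumption)
        self.max_skew = max_skew    # assumed freshness window
        self.seen = set()           # (username, nonce) pairs already accepted

    def verify(self, token: dict, now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        password = self.passwords.get(token.get("Username"))
        if password is None:
            return False
        try:
            nonce = decode_nonce(token["Nonce"])
            created = parse_created(token["Created"])
        except (KeyError, ValueError):
            return False
        if abs(now - created) > self.max_skew:
            return False  # stale or far-future Created
        key = (token["Username"], token["Nonce"])
        if key in self.seen:
            return False  # replayed nonce: the intercepted values only work once
        # Recompute with the exact Created string from the token, not a re-serialised datetime.
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected.encode(), str(token.get("PasswordDigest", "")).encode()):
            return False
        self.seen.add(key)
        return True


def demo() -> dict:
    """Constructed round trip at the question's timestamp: what the verifier accepts and rejects."""
    now = parse_created(CREATED)
    verifier = DigestVerifier({"user": PASSWORD})
    known = {"Username": "user", "Nonce": NONCE_B64, "Created": CREATED, "PasswordDigest": EXPECTED_DIGEST}
    fresh = make_username_token("user", PASSWORD, now=now)
    return {
        "known_vector": verifier.verify(known, now=now),
        "fresh": verifier.verify(fresh, now=now),
        "replay": verifier.verify(fresh, now=now),
        "stale": verifier.verify(make_username_token("user", PASSWORD, now=now - timedelta(hours=1)), now=now),
        "bad_password": verifier.verify(make_username_token("user", "wrong", now=now), now=now),
    }
```

Run `demo()` to see the known vector and a fresh token accepted, and the same token replayed, an hour-old token, and a wrong password all rejected. The verifier keeps a set of accepted (username, nonce) pairs; in a real service that set would be bounded by the same freshness window, since a nonce older than `max_skew` is rejected on the timestamp alone.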
