How is «oro:wsse:generate-header» implemented?

dmitrii_fediuk · June 1, 2017, 9:25pm

`Oro\Bundle\UserBundle\Command\GenerateWSSEHeaderCommand::execute()`

oroinc/platform/blob/2.2.0/src/Oro/Bundle/UserBundle/Command/GenerateWSSEHeaderCommand.php#L30-L98


/**
 * @param InputInterface  $input
 * @param OutputInterface $output
 *
 * @throws \InvalidArgumentException
 * @return int
 */
public function execute(InputInterface $input, OutputInterface $output)
{
    /** @var ContainerInterface $container */
    $container = $this->getContainer();
    $apiKey = $input->getArgument('apiKey');
    /** @var UserApi $userApi */
    $userApi = $container->get('doctrine')->getRepository('OroUserBundle:UserApi')->findOneBy(
        ['apiKey' => $apiKey]
    );
    if (!$userApi) {
        throw new \InvalidArgumentException(
            sprintf(
                'API key "%s" does not exists',
                $apiKey
            )
        );
    }
    $user = $userApi->getUser();
    $organization = $userApi->getOrganization();
    if (!$organization->isEnabled()) {
        throw new \InvalidArgumentException(
            sprintf(
                'Organization for API key "%s" is not active',
                $apiKey
            )
        );
    }


    $created = date('c');


    // http://stackoverflow.com/questions/18117695/how-to-calculate-wsse-nonce
    $prefix = gethostname();
    $nonce  = base64_encode(substr(md5(uniqid($prefix . '_', true)), 0, 16));
    $salt   = ''; // do not use real salt here, because API key already encrypted enough


    /** @var MessageDigestPasswordEncoder $encoder */
    $encoder        = $container->get('escape_wsse_authentication.encoder.wsse_secured');
    $passwordDigest = $encoder->encodePassword(
        sprintf(
            '%s%s%s',
            base64_decode($nonce),
            $created,
            $userApi->getApiKey()
        ),
        $salt
    );


    $output->writeln('<info>To use WSSE authentication add following headers to the request:</info>');
    $output->writeln('Authorization: WSSE profile="UsernameToken"');
    $output->writeln(
        sprintf(
            'X-WSSE: UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"',
            $user->getUsername(),
            $passwordDigest,
            $nonce,
            $created
        )
    );
    $output->writeln('');


    return 0;
}

`escape_wsse_authentication.encoder` is the `SHA-1` hash function:

github.com

djoos/EscapeWSSEAuthenticationBundle/blob/2.2.2/Resources/config/services.yml#L16-L18


escape_wsse_authentication.encoder:
    class:  '%escape_wsse_authentication.encoder.class%'
    arguments: ['sha1', true, 1]

Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder::encodePassword()

github.com

symfony/security-core/blob/v2.8.13/Encoder/MessageDigestPasswordEncoder.php#L41-L63


/**
 * {@inheritdoc}
 */
public function encodePassword($raw, $salt)
{
    if ($this->isPasswordTooLong($raw)) {
        throw new BadCredentialsException('Invalid password.');
    }


    if (!in_array($this->algorithm, hash_algos(), true)) {
        throw new \LogicException(sprintf('The algorithm "%s" is not supported.', $this->algorithm));
    }


    $salted = $this->mergePasswordAndSalt($raw, $salt);
    $digest = hash($this->algorithm, $salted, true);


    // "stretch" hash
    for ($i = 1; $i < $this->iterations; ++$i) {
        $digest = hash($this->algorithm, $digest.$salted, true);
    }


    return $this->encodeHashAsBase64 ? base64_encode($digest) : bin2hex($digest);
}

The WSEE digest algorithm is described here: https://marketing.adobe.com/developer/documentation/authentication-1/wsse-authentication-2#section_827C0D230FCB467CA337929C515093DB

dmitrii_fediuk · June 2, 2017, 6:09pm

How is «oro:wsse:generate-header» implemented?

Oro\Bundle\UserBundle\Command\GenerateWSSEHeaderCommand::execute()

escape_wsse_authentication.encoder is the SHA-1 hash function:

Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder::encodePassword()

`Oro\Bundle\UserBundle\Command\GenerateWSSEHeaderCommand::execute()`

`escape_wsse_authentication.encoder` is the `SHA-1` hash function: