How is a WSSE header validated?

dmitrii_fediuk · June 2, 2017, 7:11pm

Escape\WSSEAuthenticationBundle\Security\Core\Authentication\Provider\Provider::validateDigest()

djoos/EscapeWSSEAuthenticationBundle/blob/2.2.2/Security/Core/Authentication/Provider/Provider.php#L107-L152


protected function validateDigest($digest, $nonce, $created, $secret, $salt)

{

    //check whether timestamp is formatted correctly

    if(!$this->isFormattedCorrectly($created))

    {

        throw new BadCredentialsException('Incorrectly formatted "created" in token.');

    }



    //check whether timestamp is not in the future

    if($this->isTokenFromFuture($created))

    {

        throw new BadCredentialsException('Future token detected.');

    }



    //expire timestamp after specified lifetime

    if(strtotime($this->getCurrentTime()) - strtotime($created) > $this->lifetime)

    {

        throw new CredentialsExpiredException('Token has expired.');

    }



    //validate that nonce is unique within specified lifetime

    //if it is not, this could be a replay attack

    if($this->nonceCache->contains($nonce))

    {

        throw new NonceExpiredException('Previously used nonce detected.');

    }



    $this->nonceCache->save($nonce, strtotime($this->getCurrentTime()), $this->lifetime);



    //validate secret

    $expected = $this->encoder->encodePassword(

        sprintf(

            '%s%s%s',

            base64_decode($nonce),

            $created,

            $secret

        ),

        $salt

    );



    if (class_exists('Symfony\Component\Security\Core\Util\StringUtils')) {

        return \Symfony\Component\Security\Core\Util\StringUtils::equals($expected, $digest);

    } else {

        return hash_equals($expected, $digest);

    }

}

dmitrii_fediuk · June 2, 2017, 7:13pm