Reputation: 2999
WSHttpBinding: Entropy.BinarySecret role in message encryption
I am writing a simple SOAP client application in Python.
WSDL file can be found here: https://clients.nationalmailing.com.au/ServiceTest/OrderService.svc?wsdl
Unfortunately the server declared usage of wsHttpBinding in its WSDL file and I had to learn how many troubles it brings to not-.NET developers.
I have working C# code (and it is pretty simple there) and used Fiddler to capture the traffic and analyze messages. Now I know the structure to follow. Client sends 2 subsequental messages.
I managed to create and send first request and receive a response from the server. BUT second request is a way more complex. I have found a library signxml which helped me to create <Signature> structure with all the fields that should present (as per captured traffic).
But the server continues to answer with "Error 500: An error occurred when verifying security for the message."
I realized that in the first message I put just random values for the following structure:
<s:Body>
<trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:TokenType>http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct</trust:TokenType>
<trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
<trust:Entropy>
<trust:BinarySecret
u:Id="uuid-0649fd7a-9ae2-4f9f-964c-e3aa5d68e8cd-1"
Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">h/MaeQVSL5Br30Hnt/SAl274flYfZVZyx2Fri9zNuEY=</trust:BinarySecret>
</trust:Entropy>
<trust:KeySize>256</trust:KeySize>
</trust:RequestSecurityToken>
</s:Body>
The value of BinarySecret is just a random string encoded with Base64. I think this should be an issue on this stage. I also do not use the same parameters from server's response.
Could anyone explain how should I use Entropy.BinarySecret - should it take part in the calculations of Signature and how it is used?
Upvotes: 0
Views: 479
Answers (1)
Reputation: 2999
Answering my own question. Yes, the issue was in improper usage of Entropy parameter.
To sign the message you need to generate a key, it consists of two parts (client entropy and server's entropy). They get combined with P_SHA1 algorithm into a key.
To anyone who find this post in the future: for Python have a look on signxml library and section 4 of ws-trust spec.
Upvotes: 0
Related Questions
- Python sign SOAP request using BinarySecurityToken
- WCF Error A SOAP 1.2 message is not valid when sent to a SOAP 1.1 only using wsHttpBinding
- How to sign XML with xmlsec (or other more appropriate package)
- How to add wsse:Security, UsernameToken header to a SOAP request in ZSI, Python?
- Why WsHttpbindings giving error as "soap header action was not understood" but not the basichttpbinding?
- Why can't I set SOAP headers in pysimplesoap?
- Message Encryption not working with wsHTTPBinding
- WSWS4117E: An attempt was made to add an SOAPEnvelope with a protocol of SOAP 1.2 Protocol to a SOAPMessage with a protocol of SOAP 1.1 Protocol
- How do i sign a BinarySecurityToken in soap message
- Extracting/Shifting bits in python for websocket RFC 6455