Search code examples
pythonsoapwshttpbindingwsse

WSHttpBinding: Entropy.BinarySecret role in message encryption

I am writing a simple SOAP client application in Python.

WSDL file can be found here: https://clients.nationalmailing.com.au/ServiceTest/OrderService.svc?wsdl

Unfortunately the server declared usage of wsHttpBinding in its WSDL file and I had to learn how many troubles it brings to not-.NET developers.

I have working C# code (and it is pretty simple there) and used Fiddler to capture the traffic and analyze messages. Now I know the structure to follow. Client sends 2 subsequental messages.

I managed to create and send first request and receive a response from the server. BUT second request is a way more complex. I have found a library signxml which helped me to create <Signature> structure with all the fields that should present (as per captured traffic).

But the server continues to answer with "Error 500: An error occurred when verifying security for the message."

I realized that in the first message I put just random values for the following structure:

<s:Body>
        <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
            <trust:TokenType>http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct</trust:TokenType>
            <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
            <trust:Entropy>
                <trust:BinarySecret
                 u:Id="uuid-0649fd7a-9ae2-4f9f-964c-e3aa5d68e8cd-1" 
                 Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">h/MaeQVSL5Br30Hnt/SAl274flYfZVZyx2Fri9zNuEY=</trust:BinarySecret>
            </trust:Entropy>
            <trust:KeySize>256</trust:KeySize>
        </trust:RequestSecurityToken>
    </s:Body>

The value of BinarySecret is just a random string encoded with Base64. I think this should be an issue on this stage. I also do not use the same parameters from server's response.

Could anyone explain how should I use Entropy.BinarySecret - should it take part in the calculations of Signature and how it is used?

Solution

  • Answering my own question. Yes, the issue was in improper usage of Entropy parameter.

    To sign the message you need to generate a key, it consists of two parts (client entropy and server's entropy). They get combined with P_SHA1 algorithm into a key.

    To anyone who find this post in the future: for Python have a look on signxml library and section 4 of ws-trust spec.