Are these bugs ever going to be fixed?

A couple of years ago I had the dubious pleasure of working with WSSE and the as3corelib library, which implements some of the functionality required for communicating with WSSE-enhanced web services in AS3. I was accessing a .NET application which exposed such web services and ‘consuming’ them with Flex. After hacking the code in this library a little so that it actually did what I needed (generating WSSE security headers for the SOAP messages), it turned out something was very much amiss. All the data getting sent looked good, but requests were rejected with an ‘InvalidSecurityToken’ or some such exception. After a lot of detective work, it turned out that this bug was squarely to blame.

In getUsernameToken, the nonce is base64-encoded. This encoded value is
then used in determining the password digest. This is not according to the
WS-Security UsernameToken specification: the password digest is based on
the unencoded nonce value.

from http://code.google.com/p/as3corelib/issues/detail?id=25

Now the fix for this is truly trivial: moving a single line of code in getUsernameToken. However, I would forgive anyone facing this problem for simply giving up; the problem is so obscure (and unlikely).

Corrected code
// digest over the raw nonce bytes, as the UsernameToken Profile requires
var password64:String = getBase64Digest(nonce, created, password);
// Base64 is only for the Nonce element that goes into the header
nonce = base64Encode(nonce);

Original incorrect code
// nonce is now Base64 text, not the raw bytes the server hashes...
nonce = base64Encode(nonce);
// ...so the digest is computed over the wrong input and never matches
var password64:String = getBase64Digest(nonce, created, password);
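To make the ordering concrete, here is an added example in Python (not as3corelib code, and not the .NET server's code) that implements the UsernameToken digest rule, PasswordDigest = Base64(SHA-1(nonce + created + password)) over the raw nonce bytes, alongside a function that reproduces the bug above, and a server-side check of the kind that rejects the buggy value. The function and field names, the nonce, timestamp and password are all constructed for the example; the server check also rejects stale Created values and replayed nonces, which is what a real verifier does with this token type.

```python
import base64
import datetime as dt
import hashlib
import hmac
import os

SHA1_B64_LEN = 28  # a 20-byte SHA-1 digest is 28 characters once Base64-encoded


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Client side, as the UsernameToken Profile defines it:
    PasswordDigest = Base64(SHA-1(nonce + created + password)).
    The RAW nonce bytes go into the hash; only the Nonce element in the
    header carries their Base64 form."""
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def buggy_password_digest(nonce: bytes, created: str, password: str) -> str:
    """Reproduces the as3corelib behaviour from issue 25: the nonce is
    Base64-encoded before it is hashed, so the server can never match it."""
    material = base64.b64encode(nonce) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def build_token(username, password, nonce=None, created=None, digest_fn=password_digest):
    """Returns the four UsernameToken fields as the client would send them
    (hypothetical helper; field names follow the wsse element names)."""
    nonce = os.urandom(16) if nonce is None else nonce
    if created is None:
        created = dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Username": username,
        "PasswordDigest": digest_fn(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),  # encoded AFTER digesting
        "Created": created,
    }


def verify_token(t, password, now, seen_nonces, max_skew=dt.timedelta(minutes=5)):
    """Server side: decode the Nonce, recompute the digest over the raw bytes and
    compare in constant time; reject stale Created values and replayed nonces."""
    try:
        nonce = base64.b64decode(t["Nonce"], validate=True)
        created = dt.datetime.strptime(t["Created"], "%Y-%m-%dT%H:%M:%SZ")
        created = created.replace(tzinfo=dt.timezone.utc)
    except (ValueError, KeyError):
        return False
    if abs(now - created) > max_skew:
        return False  # outside the accepted clock-skew window
    if t["Nonce"] in seen_nonces:
        return False  # replayed token
    expected = password_digest(nonce, t["Created"], password)
    if not hmac.compare_digest(expected, t["PasswordDigest"]):
        return False  # wrong password, or a client that hashed the encoded nonce
    seen_nonces.add(t["Nonce"])
    return True


# Constructed sample values so the example runs offline and deterministically.
SAMPLE_NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_CREATED = "2010-06-01T12:00:00Z"
SAMPLE_NOW = dt.datetime(2010, 6, 1, 12, 0, 30, tzinfo=dt.timezone.utc)
PASSWORD = "s3cret"


def demo():
    """Correct client is accepted once; buggy client is rejected outright."""
    good = build_token("alice", PASSWORD, SAMPLE_NONCE, SAMPLE_CREATED)
    bad = build_token("alice", PASSWORD, SAMPLE_NONCE, SAMPLE_CREATED,
                      digest_fn=buggy_password_digest)
    seen = set()
    return {
        "good_accepted": verify_token(good, PASSWORD, SAMPLE_NOW, seen),
        "good_replayed": verify_token(good, PASSWORD, SAMPLE_NOW, seen),
        "bad_accepted": verify_token(bad, PASSWORD, SAMPLE_NOW, set()),
        "digests_differ": good["PasswordDigest"] != bad["PasswordDigest"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two digests differ because SHA-1 sees different input bytes (the 16 raw nonce bytes versus their 24-character Base64 text), which is exactly why a server that follows the profile replies with an invalid-token fault rather than anything more diagnostic. When debugging a rejection like the one described above, compare the bytes fed to the hash on both sides before suspecting the password or the timestamp format.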

TWO YEARS have passed since this bug was reported. Its status is still ‘New’. It still doesn’t even have an owner. There is a patch for it, submitted more than six months ago now, but it still has not found its way into the trunk.

I bring this up now because I recently had the pleasure of sharing this esoteric information with another developer who was facing similar issues.

The thing is, how did this code ever end up being published? It is simply wrong. Have any of the original developers actually tested this code against a real implementation of WSSE? I don’t see how it could ever have worked, or how it ended up being published, and with the fix yet to be rolled into the trunk, every developer who has ever called the getUsernameToken method must be scratching their head.

Of course, I know that bugs can and do find their way into released software; it’s a fact of life. Hey, maybe it was a slip of the mouse at the last minute :) But show-stopping bugs that are still there two years after they are reported, I cannot understand.

If you ever work with this library, do read http://code.google.com/p/as3corelib/issues/list because other issues that may also impact WSSE have fixes attached there as well.

2 Responses to “Are these bugs ever going to be fixed?”

  1. VELO Says:

    Well,

    That is the most common reason for forking projects.

    When you have a good idea for the project, but project owner doesn’t wanna to include this idea you could fork it… or start a new one that share same goals =D

    VELO

  2. tom Says:

    Er???? What on earth do you mean? It’s not an ‘idea’, it’s a glaring bug that means the code does not respect the standard and simply will not work. It’s a bug with a published patch which no one can be bothered to integrate into the release. This cost me quite a bit of time. Not that I’m particularly bitter about it, since I was paid well for that time :)
