
generating a nonce code 2

Status
Not open for further replies.

pushyr

i'm trying to generate a nonce code from php. surprisingly there's very little that i found when searching google

i've found this site that generates the nonce for you using js...
the way it works i insert my username and password
then select auto for both 'nonce' and 'created'
then click generate

it's the X-WSSE: line that i use
and here's the full final result that i use...

Content-type: text/plain
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="pushyr:Acme Ind", PasswordDigest="amY5zvhdHGdgJuhjFytu3gcC/+Y=", Nonce="UjE4KzreMzljTYUlNzT7Zf==", Created="2010-09-27T13:49:10Z"

having looked at the js source code (pasted below) i just couldn't get my head around how to adapt it to php...

obviously i don't want to keep generating the nonce by going to this site...i would like to write my own code to do that for me

your help would be really appreciated!!

Code:
// override sha1.js default setting.
b64pad  = "=";

function calc() {
     var f = document.forms['f'];
     var userName = f.elements['username'].value;
     var password = f.elements['password'].value;
     var nonce = f.elements['nonce'].value;
     var autoNonce = f.elements['autoNonce'].checked;
     if (autoNonce) {         
         nonce = generateNonce(16);
         f.elements['nonce'].value = nonce;
     }

     var nonce64 = base64encode(nonce);
     var created = f.elements['created'].value;
     var autoCreated = f.elements['autoCreated'].checked;

     if (autoCreated) {
         created = getW3CDate(new Date());
         f.elements['created'].value = created;
     }

     var before = f.elements['before'].value;
     var after = f.elements['after'].value;

     var basicUsername = f.elements['basicUsername'].value;
     var basicPassword = f.elements['basicPassword'].value;
     var basicAuth = "";
     if (basicUsername != null && basicUsername != "" ||
         basicPassword != null && basicPassword != "") {
         basicAuth = "Authorization: Basic " + base64encode(basicUsername + ":" + basicPassword) + "\n";
     }

     var passwordDigest = b64_sha1(nonce + created + password);
     f.elements['output'].value = 
         before
         + "X-WSSE: UsernameToken Username=\"" 
         + userName + "\", PasswordDigest=\""
         + passwordDigest + "\", Nonce=\""
         + nonce64 + "\", Created=\""
         + created + "\"\n"
         + basicAuth
         + after;
     
}


function generateNonce(length) {
    var nonceChars = "0123456789abcdef";
    var result = "";
    for (var i = 0; i < length; i++) {
        result += nonceChars.charAt(Math.floor(Math.random() * nonceChars.length));
    }
    return result;
}

function getW3CDate(date) {
    var yyyy = date.getUTCFullYear();
    var mm = (date.getUTCMonth() + 1);
    if (mm < 10) mm = "0" + mm;
    var dd = (date.getUTCDate());
    if (dd < 10) dd = "0" + dd;
    var hh = (date.getUTCHours());
    if (hh < 10) hh = "0" + hh;
    var mn = (date.getUTCMinutes());
    if (mn < 10) mn = "0" + mn;
    var ss = (date.getUTCSeconds());
    if (ss < 10) ss = "0" + ss;
    return yyyy+"-"+mm+"-"+dd+"T"+hh+":"+mn+":"+ss+"Z";
}
 
why make a nonce so complicated?

Code:
$nonce = uniqid('nonce_', true);

then store it in a session variable for comparison against a form field.

i am currently restoring my old website which had a complete nonce implementation documented on it (as a form of captcha alternative). should be ready later this evening.
 
hey jpadie.... the code didn't work for me... not sure if i'm doing it right, but to test to see if it works i'd echo'd out your code and produced this value...

4cac57b6adf162.01291045

i then pasted into where the nonce should go...

Content-type: text/plain
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="pushyr:Acme Ind", PasswordDigest="amY5zvhdHGdgJuhjFytu3gcC/+Y=", Nonce="4cac57b6adf162.01291045", Created="2010-09-27T13:49:10Z"


that didn't work and i also tried...

4cac57b6adf162.012910==

and..

4cac57b6adf162.01291045==

 
that was not the point of my mail. it was more that the creation of a nonce could be done with any unique id generator.

to match the javascript code you need to produce a 16 character hexadecimal. so you could just do this

Code:
function generateNonce($length){
  $u = md5(uniqid('nonce_', true));
  return substr($u,0,$length);
}

don't forget that the form submission requires not just the nonce but also the base64 encoded nonce and the digest of the nonce, the date etc all wrapped up in a base64 encoded sha1 hash.
 
hi jpadie...

i'll put my hands up, nonces, password digests, base64s and sha1s are all new to me

so far i've produced this bit of code...

Code:
$nonceStart = 'X-WSSE: UsernameToken ';
$nonceUserName = 'Username="dbachan:Riptown Media" '; 
$nonce = ''.substr(md5(uniqid('nonce_', true)),0,16).' ';
$nonceDate = 'Created="'.date('Y-m-d').'T'.date('h:i:s').'Z"';

just trying to now make sense of this bit...

don't forget that the form submission requires not just the nonce but also the base64 encoded nonce and the digest of the nonce, the date etc all wrapped up in a base64 encoded sha1 hash.

following what you've said i understand the next bit would be this...

base64_encode($nonce);

but not sure i understand what you mean by the digest of the nonce...

then after that i kind of lose it... just need a little bit more of a detailed explanation... sorry!

 
see this part of the code you posted
Code:
f.elements['output'].value = 
         before
         + "X-WSSE: UsernameToken Username=\"" 
         + userName + "\", PasswordDigest=\""
         + passwordDigest + "\", Nonce=\""
         + nonce64 + "\", Created=\""
         + created + "\"\n"
         + basicAuth
         + after;
 
do you mean something like this in php....

Code:
base64_encode(sha1($nonce + date('Y-m-d').'T'.date('h:i:s') + 'myPasswordGoesHere'));
 
my trouble is... i don't understand the javascript code that i pasted... the sequence of steps, and generally what's going on

just looks like everything is getting encoded and double encoded and triple encoded... and the password gets encoded with the date and the nonce...

just need some clarity... from the perspective of a complete novice
 
can you take a step back and explain what you are trying to do and why?
 
i'm using php curl to establish a rest connection, to do that i must provide the following...

Content-type: text/plain
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="pushyr:Acme Ind", PasswordDigest="amY5zvhdHGdgJuhjFytu3gcC/+Y=", Nonce="UjE4KzreMzljTYUlNzT7Zf==", Created="2010-09-27T13:49:10Z"

having looked around for nonce code generators i came across the site which generates the password digest and nonce exactly how i need it.

so this was my reason for posting the javascript source code and saying this is what i'm trying to do. however i don't need to do the form post... just generate the password digest and nonce right there in my script (along with the rest of the my curl script)
 
Code:
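<?php
// Build the WSSE UsernameToken headers for a request.
function generateWSSEHeader($username, $password){
	// ISO 8601 timestamp in the server's configured timezone
	$created  = date('c');
	// 16 hex characters, the same shape as the JavaScript generateNonce(16)
	$nonce = substr(md5(uniqid('nonce_', true)),0,16);
	$nonce64 = base64_encode($nonce);
	// sha1() without a second argument returns the 40-character hex digest; that string is what gets base64 encoded
	$passwordDigest = base64_encode(sha1($nonce . $created . $password));
	return <<<HEADER
Content-type: text/plain
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="{$username}", PasswordDigest="{$passwordDigest}", Nonce="{$nonce64}", Created="{$created}"
HEADER;
}
?>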
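
An added example (not from the thread or from the site whose JavaScript is quoted): the same X-WSSE header built with a nonce from PHP's CSPRNG and a UTC timestamp, plus the server-side check with a freshness window and replay rejection, which goes beyond the client side the thread covers. It follows the JavaScript's b64_sha1(), which base64 encodes the raw digest, so it uses sha1(..., true); the function names, the 300-second window and the in-memory nonce cache are assumptions, and PHP 7.1 or later is required.

```php
<?php
// Added example, not code from the thread. Function names, the 300-second
// window and the array used as a nonce cache are assumptions.

function wsseHeader(string $username, string $password, ?string $nonce = null, ?string $created = null): string
{
    // 16 hex characters like the JavaScript generateNonce(16), but from the OS CSPRNG.
    $nonce   = $nonce ?? bin2hex(random_bytes(8));
    // Same shape as getW3CDate(): UTC with a literal "Z".
    $created = $created ?? gmdate('Y-m-d\TH:i:s\Z');
    // The second argument makes sha1() return the raw 20-byte digest, as b64_sha1() encodes.
    $digest  = base64_encode(sha1($nonce . $created . $password, true));
    return sprintf(
        'X-WSSE: UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"',
        $username, $digest, base64_encode($nonce), $created
    );
}

// $password is the secret the caller looked up for the Username in the header.
function wsseVerify(string $header, string $password, array &$seenNonces, int $now, int $maxAge = 300): bool
{
    $re = '/PasswordDigest="([^"]+)", Nonce="([^"]+)", Created="([^"]+)"/';
    if (!preg_match($re, $header, $m)) {
        return false;
    }
    [, $digest, $nonce64, $created] = $m;
    $nonce = base64_decode($nonce64, true);
    $ts    = strtotime($created);
    if ($nonce === false || $ts === false || abs($now - $ts) > $maxAge) {
        return false;                       // malformed or stale token
    }
    if (isset($seenNonces[$nonce])) {
        return false;                       // nonce already used: replay
    }
    $expected = base64_encode(sha1($nonce . $created . $password, true));
    if (!hash_equals($expected, $digest)) { // constant-time comparison
        return false;
    }
    $seenNonces[$nonce] = $ts;              // key on the decoded nonce, only after it verified
    return true;
}

// Constructed sample values, not real credentials.
$seen   = [];
$header = wsseHeader('alice:Example Co', 'not-a-real-secret');
var_dump(wsseVerify($header, 'not-a-real-secret', $seen, time()));  // first use
var_dump(wsseVerify($header, 'not-a-real-secret', $seen, time()));  // same header sent again
```

A service that expects the hex-digest form produced by the function posted above needs sha1() without the second argument on both sides.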
 
hey jpadie,

i went silent on this one for a while but coming back to thank you!

worked perfect!
 