How to Decode Password Digest

[CVVDN-S]

From the Onvif Documents, formula to get the Password Digest was obtained as follows :
Digest = B64ENCODE( SHA1( B64DECODE( Nonce ) + Date + Password ) )

I have ref camera, with the following details :
Digest : JRxYtIDJPbbd2cNy7DSUBc9jfm4=
Nonce : XOzsWFDjHUCy2Kftff1WljwAAAAAAA==
Date : 2021-10-08T06:30:37.019Z
Password : admin123

Im not able to get the Digest with the above details using online b64encode/b64decode tools

Is there any detailed steps how to generate this Digest value when Nonce, Date and Password is known to us?

[michael-msi]

Where did you get that formula? I do not think that is not how one calculates a digest response.

[kieran242]

You can use a third party software package such as gSoap (Genivia) to allow you to make SOAP calls in Digest or Username Token to an ONVIF device. The package can be purchased with a commercial license or if you are a student or non-commercial entity you could download an open source version which has some restrictions.

Finally for full references to the "Username Token" they are documented within the "ONVIF Core Specification" , Oasis document (http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf) and rfc2617 specification (https://datatracker.ietf.org/doc/html/rfc2617).

[kieran242]

Sorry closed by accident.

[CVVDN-S]

Gsoap toolkit was used to generate the codes, which enabels the communication with Digest and Username Token.
Also received the following from Client for a device with password admin1234#,

admin
3mF2UUI1049sVDGRmhezP+i2x0s=
e981h0a8bEGhh6nTZgYHesoAAAAAAA==
2021-10-22T07:35:37.097Z

Password Digest : 3mF2UUI1049sVDGRmhezP+i2x0s=
Nonce : e981h0a8bEGhh6nTZgYHesoAAAAAAA==
Date : 2021-10-22T07:35:37.097Z

Password of the device : admin1234#

as per the document, digest formula is like
Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )

Then a/c to the device details,
nonce + created + password will be => e981h0a8bEGhh6nTZgYHesoAAAAAAA==2021-10-22T07:35:37.097Zadmin1234#
sha-1 (nonce + created + password) will be => 981h0a8bEGhh6nTZgYHesoAAAAAAA==2021-10-22T07:35:37.097Zadmin1234#
sha-1 (nonce + created + password) will be => a8557925411a2e02a6b3a589c96c95c5aab56688
Base64(sha-1 (nonce + created + password)) will be => YTg1NTc5MjU0MTFhMmUwMmE2YjNhNTg5Yzk2Yzk1YzVhYWI1NjY4OA==

this doesnt match with the Password Digest from the CLients.

Is this the way, password digest is found, Im working on the server side, to check whether the Password given from the client is valid. Not able to obtain the password digest correctly. Am doing missing out anything. Please help on this.

[jflevesque]

I think you are looking at the wrong RFC. Digest has a few, but the one mentionned in the ONVIF documentation is https://datatracker.ietf.org/doc/html/rfc2617 which uses MD5 for the hashing algorithm and not SHA-1.

[CVVDN-S]

Will check that and get back to you again.

[kieran242]

Yep, if you read my comments above I said the same as Jean-Francois and also supplied the Oasis document for WS_UsernameToken. He is correct not "SHA1" but "MD5".

You said you used the gSoap engine. There are various plugin's available to handle UsernameToken such as "http_da" (https://www.genivia.com/doc/httpda/html/httpda.html) which provide methods to handle WSSE as part of ONVIF Soap Requests.

[CVVDN-S]

I tried MD5 method instead of SHA-1, still i couldn't get same as that in password digest format. Any other way to decrypt this password digest properly?