Buar

Reputation: 11

Signing XML in PHP with xmlseclibs gives bad signature

I use xmlseclibs v.1.3.1

Here is how I try to sign my xml

$document = new DOMDocument();

$request  = $document->createElement('paymentRequest');

$xmlnsxsi = $document->createAttribute('xmlns:xsi');

$xmlns = $document->createAttribute('xmlns');

$xmlns->value = 'url link';

$xmlnsxsi->value = 'http://www.w3.org/2001/XMLSchema-instance';

$request->appendChild($xmlnsxsi);

$request->appendChild($xmlns);  

$pid  = $document->createElement('pid',$_SESSION['payment_info'][$_GET['object_id']]['PID']);

$senderId  = $document->createElement('senderId',$_SESSION['info'][$_GET['object']]['ID']);

$returnUrl  = $document->createElement('returnUrl',$_SESSION['info'][$_GET['object']]['RETURN']);

$amount  = $document->createElement('amount',$_POST['AMOUNT']);
$currency  = $document->createElement('currency','USD');

$language  = $document->createElement('language','EN');

$message  = $document->createElement('message','test test');

$paymentCode  = $document->createElement('paymentCode',$_SESSION['info'][$_GET['object']]['PCODE']);

$date  = $document->createElement('date','2013-12-03T15:37:19.6414668+02:00');

$correlation  = $document->createElement('correlation',$_SESSION['info'][$_GET['object']]['EXTRA']);

$request->appendChild($pid);
$request->appendChild($senderId);
$request->appendChild($returnUrl);
$request->appendChild($amount);
$request->appendChild($currency);
$request->appendChild($language);
$request->appendChild($message);
$request->appendChild($paymentCode);
$request->appendChild($date);
$request->appendChild($correlation);
$document->appendChild($request);
$xml_pay2 = $document->saveXml();


require_once('xmlseclibs.php');
$doc = new DOMDocument();
$doc->loadXML($xml_pay2);

$objDSig = new XMLSecurityDSig();

$objDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N_COMMENTS);

$objDSig->addReference($doc, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature')); 

$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));


$objKey->loadKey('system/key.pem', TRUE);

$objDSig->add509Cert(file_get_contents("system/cert.pem"));

$objDSig->sign($objKey,$doc);



$xml_pay2 = $doc->saveXML();

$doc2 = new DOMDocument();
$doc2->loadXML($xml_pay2);

$objXMLSecDSig = new XMLSecurityDSig();
$objDSig = $objXMLSecDSig->locateSignature($doc2);

if (!$objDSig) {
    echo "Cannot locate Signature Node";die();
}
$objXMLSecDSig->canonicalizeSignedInfo();

$objXMLSecDSig->idKeys = array('wsu:Id');

$objXMLSecDSig->idNS = array('wsu'=>'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd');

$retVal = $objXMLSecDSig->validateReference();
if (!$retVal) {
    die("Reference Validation Failed");
}   
$objKey = $objXMLSecDSig->locateKey();
if (!$objKey ) {
    echo "We have no idea about the key";die();
}

$key = NULL;

$objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig);
if (! $objKeyInfo->key && empty($key)) {
    $objKey->loadKey('system/cert.pem', TRUE);
}

if ($objXMLSecDSig->verify($objKey)) {
        echo "Signature validated!";
} else {
    echo "Failure!!!!!!!!";
}

It always gives me the "Failure!!!!!!!!" result.

Upvotes: 0

Views: 2044

Answers (1)

Fuzzy76

Reputation: 911

First step would be to enable error output for PHP, so you can see the real error message. It could be that you are hitting this bug but there is no way to know without the error message from PHP.

Upvotes: -1
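
Added example (not part of the question or the answer above): one way to make the verification step report the underlying PHP and OpenSSL errors rather than a bare failure message. It assumes the RSA_SHA1 path in xmlseclibs ends in PHP's openssl_verify(); the helper names drainOpenSslErrors and verifyWithDiagnostics are hypothetical, and the key pair and payload are constructed sample data.

```php
<?php
// Added example: show the real PHP/OpenSSL errors instead of a bare "Failure".
error_reporting(E_ALL);
ini_set('display_errors', '1');

// Promote warnings and notices to exceptions so none are silently dropped.
set_error_handler(function ($severity, $message, $file, $line) {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Hypothetical helper: empty OpenSSL's error queue into an array.
function drainOpenSslErrors(): array
{
    $errors = [];
    while (($msg = openssl_error_string()) !== false) {
        $errors[] = $msg;
    }
    return $errors;
}

// Hypothetical helper: verify and say whether the result is a bad signature
// (status "invalid") or a key/engine problem (status "error").
function verifyWithDiagnostics(string $data, string $signature, $publicKey): array
{
    drainOpenSslErrors(); // discard stale entries from earlier calls
    try {
        // SHA-1 only because the question signs with RSA_SHA1.
        $result = openssl_verify($data, $signature, $publicKey, OPENSSL_ALGO_SHA1);
    } catch (ErrorException $e) {
        return ['status' => 'error', 'errors' => [$e->getMessage()]];
    }
    $status = $result === 1 ? 'valid' : ($result === 0 ? 'invalid' : 'error');
    return ['status' => $status, 'errors' => drainOpenSslErrors()];
}

// Constructed sample data: a throwaway key pair and a placeholder payload.
$private = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$public  = openssl_pkey_get_details($private)['key'];
$payload = '<paymentRequest><amount>10</amount></paymentRequest>';
openssl_sign($payload, $signature, $private, OPENSSL_ALGO_SHA1);

$cases = [
    'untouched payload' => [$payload, $public],
    'modified payload'  => [str_replace('10', '99', $payload), $public],
    'unusable key'      => [$payload, 'not a PEM key'],
];
foreach ($cases as $label => [$data, $key]) {
    $report = verifyWithDiagnostics($data, $signature, $key);
    echo $label, ': ', $report['status'], ' ', json_encode($report['errors']), PHP_EOL;
}
```

Distinguishing "invalid" from "error" separates a digest or signature mismatch from a key that could not be loaded at all, which a single failure message hides.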
