Reputation: 11
I want to sign an XML document using certificate. It should looks like:
<soapenv:Envelope xmlns:obs="" xmlns:soapenv="">
<soapenv:Header><wsse:Security xmlns:wsse="" xmlns:wsu=""><wsse:BinarySecurityToken EncodingType="" ValueType="" wsu:Id="X509-UUU09456789100000">XXXX==</wsse:BinarySecurityToken><ds:Signature xmlns:ds=""><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=""><ec:InclusiveNamespaces PrefixList="obs soapenv" xmlns:ec=""/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm=""/><ds:Reference URI="#id-XYZXYZ1234567890000"><ds:Transforms><ds:Transform Algorithm=""><ec:InclusiveNamespaces PrefixList="obs" xmlns:ec=""/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm=""/><ds:DigestValue>vVYVY4CXo60TYkSZ8S/LQJo/8Zc=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>SIGNATURExxxx</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference wsse11:TokenType="" xmlns:wsse11=""><wsse:Reference URI="#X509-UUU09456789100000" ValueType=""/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-XYZXYZ1234567890000" xmlns:wsu="">
I've tried to use an XMLSecLibs but unfortunatelly it doesn't work well. The first, I don't know how to add inclusive-namespaces with that tool and maybe that is the key for properly signing? I also tried to copy the digest value and signature value with changing the references to above template, but it doesn't work (I've got message from SOAP server: "A security error was encountered when verifying the message Caused by: The signature or decryption was invalid").
There is some ugly code tries to sign:
$communicateFile = __DIR__ . 'template-3.xml';
$pemFilePrv = __DIR__ . '/../cert/15.pem';
$xml = trim(file_get_contents($communicateFile));
$wsseNamespace = '';
$wsuNamespace = '';
$doc = new \DOMDocument();
$xp = new \DOMXPath($doc);
$xp->registerNamespace('soapenv', '');
$securityNode = $xp->query('//wsse:Security')->item(0);
$bodyNode = $xp->query('//soapenv:Body')->item(0);
$objDSig = new XMLSecurityDSig();
$objDSig->addReference($bodyNode, XMLSecurityDSig::SHA1,NULL,
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));
$objKey->passphrase = 'XXXXX';
$objKey->loadKey($pemFilePrv, TRUE);
Could anyone help me? Maybe there is only missing an incluseNamespaces? I count on you, becouse I'm out of ideas..
Best Regards
Upvotes: 1
Views: 1711
Reputation: 60
This example is a project of its own that is in production. I hope I can help you.
$context = stream_context_create([
'ssl' => [
'verify_peer' => false,
'verify_peer_name' => false,
'local_cert' => LOCAL_CERT,
$client = new BinarySignedSoapClient($wsdl , ['trace' => 1, 'stream_context' => $context]);
Call to:
class BinarySignedSoapClient extends \SoapClient
function __construct($wsdl, $context, $params) {
$this->crt_cert_file = array_key_exists('crt_cert_file', $params) ? $params['crt_cert_file'] : null;
$this->private_key_passphrase = array_key_exists('private_key_passphrase', $params) ? $params['private_key_passphrase'] : null;
$this->private_key_file = array_key_exists('private_key_file', $params) ? $params['private_key_file'] : null;
parent::__construct($wsdl, $context);
public function __doRequest($request, $location, $saction, $version, $one_way = 0)
$doc = new \DOMDocument('1.0');
$objWSSE = new \WSSESoap($doc);
/* add Timestamp with no expiration timestamp */
/* create new XMLSec Key using RSA_SHA1 and type is private key */
$objKey = new \XMLSecurityKey(\XMLSecurityKey::RSA_SHA1, ['type' => 'private']);
/* load the private key from file - last arg is bool if key in file (true) or is string (false) */
$objKey->passphrase = $this->private_key_passphrase;
$objKey->loadKey(__DIR__ ."/../localssl/". $this->private_key_file, true, false);
/* Sign the message - also signs appropiate WS-Security items */
$options = array("insertBefore" => false);
$objWSSE->signSoapDoc($objKey, $options);
/* Add certificate (BinarySecurityToken) to the message */
$token = $objWSSE->addBinaryToken(file_get_contents(__DIR__ ."/../localssl/". $this->crt_cert_file));
/* Attach pointer to Signature */
$retVal = parent::__doRequest($objWSSE->saveXML(), $location, $saction, $version);
$doc = new \DOMDocument();
$options = ["keys" => ["private" => ["key" => __DIR__ . $this->private_key_file, "isFile" => true, "isCert" => false]]];
$objWSSE->decryptSoapDoc($doc, $options);
return $doc->saveXML();
Upvotes: 1