Karsten Thoft Fisker

Reputation: 11

Signing is not valid using RobRichards\XMLSecLibs

I am currently working on a project requiring signing of XML.

I have used a lot of time on the XMLSecLibs and cannot get it to work properly. It seems like the project is no longer updated, and I think my problems can be related to some of the unresolved issues in this project, as the signing performed by this library will fail validation.

I use this PHP script to make and sign an XML document:

<?php
require $_SERVER['DOCUMENT_ROOT'].'/xmlseclibs-3.1.0/xmlseclibs.php';

use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecurityKey;

// Helper not shown in the original post: a random version-4 UUID for wsa:MessageID
function createUuid()
{
    $bytes = random_bytes(16);
    $bytes[6] = chr((ord($bytes[6]) & 0x0f) | 0x40); // version 4
    $bytes[8] = chr((ord($bytes[8]) & 0x3f) | 0x80); // RFC 4122 variant
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($bytes), 4));
}

// Create XML document; whitespace is kept as-is so the signed bytes do not change on save
$dom = new DOMDocument('1.0', 'utf-8');
$dom->preserveWhiteSpace = true;
$dom->formatOutput = false;

// Create envelope
$envelope = $dom->createElementNS('http://schemas.xmlsoap.org/soap/envelope/', 'soapenv:Envelope');

// Create header with MessageID and Action
$header = $dom->createElement('soapenv:Header');

$messageid = $dom->createElement('wsa:MessageID', 'uuid:'.createUuid());
$messageid->setAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:wsa', 'http://www.w3.org/2005/08/addressing');
$header->appendChild($messageid);

$action = $dom->createElement('wsa:Action', 'urn:#BilSummariskHent');
$action->setAttribute('xmlns:wsa', 'http://www.w3.org/2005/08/addressing');
$header->appendChild($action);

// Create body
$body = $dom->createElement('soapenv:Body');

// Create BilSummariskHent
$BilSummariskHent = $dom->createElement('BilSummariskHent');
$BilSummariskHent->setAttribute('xsi:schemaLocation', 'http://rep.oio.dk/tinglysning.dk/service/message/elektroniskakt/1/ http://rep.oio.dk/tinglysning.dk/service/message/elektroniskakt/1/BilSummariskHent.xsd');
$BilSummariskHent->setAttribute('xmlns', 'http://rep.oio.dk/tinglysning.dk/service/message/elektroniskakt/1/');
$BilSummariskHent->setAttribute('xmlns:eakt', 'http://rep.oio.dk/tinglysning.dk/schema/elektroniskakt/1/');
$BilSummariskHent->setAttribute('xmlns:model', 'http://rep.oio.dk/tinglysning.dk/schema/model/1/');
$BilSummariskHent->setAttribute('xmlns:ds', 'http://www.w3.org/2000/09/xmldsig#');
$BilSummariskHent->setAttribute('xmlns:xsi', 'http://www.w3.org/2001/XMLSchema-instance');

$BilIdentifikator = $dom->createElement('model:BilIdentifikator');
$Stelnummer = $dom->createElement('model:Stelnummer', 'WVGZZZ1TZ5W144478');
$BilIdentifikator->appendChild($Stelnummer);
$BilSummariskHent->appendChild($BilIdentifikator);

$body->appendChild($BilSummariskHent);
$envelope->appendChild($header);
$envelope->appendChild($body);
$dom->appendChild($envelope);

// Sign: inclusive C14N for SignedInfo, empty prefix so Signature uses the default namespace
$objDSig = new XMLSecurityDSig('');
$objDSig->setCanonicalMethod(XMLSecurityDSig::C14N);

// Reference the whole document (force_uri gives URI=""); the enveloped-signature
// transform excludes the Signature element itself from the digest
$objDSig->addReference($dom, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'), array('force_uri' => true));
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));

$objKey->loadKey('s2s_87638273_priv.pem', TRUE); // Private key, loaded from file
$objDSig->sign($objKey);

$objDSig->add509Cert(file_get_contents('s2s_87638273_pub.pem')); // Certificate goes into KeyInfo
$objDSig->appendSignature($BilSummariskHent); // Signature is placed inside BilSummariskHent
$outXML = $dom->saveXML();

// Do request
$client = new SoapClient(null, array(
    'location'     => 'https://test.tinglysning.dk/etl/services/ElektroniskAkt/',
    'uri'          => 'https://test.tinglysning.dk/etl/services/',
    'soap_version' => SOAP_1_1,
    'encoding'     => 'UTF-8',
    'trace'        => true,
    'local_cert'   => 's2s_87638273_priv.pem'
));

$return = $client->__doRequest($outXML, 'https://test.tinglysning.dk/etl/services/ElektroniskAkt', 'urn:#BilSummariskHent', SOAP_1_1, false);

// Handle the response as needed
echo $return;
?>

Resulting in this XML:

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing">uuid:1cda8469-9f78-4c4f-ad37-619807e3ff5d</wsa:MessageID>
    <wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing">urn:#BilSummariskHent</wsa:Action>
  </soapenv:Header>
  <soapenv:Body>
    <BilSummariskHent xmlns="http://rep.oio.dk/tinglysning.dk/service/message/elektroniskakt/1/" xmlns:eakt="http://rep.oio.dk/tinglysning.dk/schema/elektroniskakt/1/" xmlns:model="http://rep.oio.dk/tinglysning.dk/schema/model/1/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://rep.oio.dk/tinglysning.dk/service/message/elektroniskakt/1/ http://rep.oio.dk/tinglysning.dk/service/message/elektroniskakt/1/BilSummariskHent.xsd">
      <model:BilIdentifikator>
        <model:Stelnummer>WVGZZZ1TZ5W144478</model:Stelnummer>
      </model:BilIdentifikator>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="ID12345678">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>nXV07Jwmzx2xPxtuPNqjDHg1qUM=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>keBN1rIO/vpeDCmx0IV6tjMui0cfZwPkizM3U7nWoIVOkiYCbxNezw+cdNxZ18jqIyqVyKHfa1s51q9wS/pDmTswV6sjtNzHgWruEtrgviiOHmhugwBc2Z+2ZRxqEDuha1uEJ3UFZ/9n+qAIdKz5+8G3UkD3HzxRXG/fXj7zENibhMruoGMpuNiq3eFuu12G/07UdF+8YOMZSJsXeiHS7ptTp8iIagw90Yr8z0KESnD8PMJEi30Z43vgC1LWj9osAZU9Sl4r5MkSRz/yvJr82lkaeJYa/EsnvtXD6RSE3SLBceUzrWNb7SROW05Briih2eIGsa4W8WtHCI4d09J6v43m+en2HJvxJOlNTyncRqmBitOGmHdE6Bs0ItumrXcwoZx+wzlM+r29qGAAyX9nQ28BiE0liIvQ5s/BQV1LMtTKo4Pln9lbTAu5eqK9S0BjTlXbyFeBTxm2Xf+hx+qmiX2qTSBaGSgF9MlIM+/zGDbodfhJ75qFl9V6VNzvRx8Q</SignatureValue>
        <KeyInfo>
          <X509Data>
            <X509Certificate>...</X509Certificate>
          </X509Data>
        </KeyInfo>
      </Signature>
    </BilSummariskHent>
  </soapenv:Body>
</soapenv:Envelope>

I get a signing error from the service and have been in contact with the supplier of the service I am trying to use. Their response was:

After trying a number of different approaches to generate and sign the request, I can conclude that xmlseclibs-3.1.0/PHP does not handle the signing correctly. I suspect this is due to poor handling of http://www.w3.org/2001/10/xml-exc-c14n# as well as some other inconsistencies in the library that I can see on GitHub that others are also struggling with. I have implemented the logic for signing in Java via the official javax.xml APIs etc. Here, with the same signature parameters, I get a different signature than the one from xmlseclibs-3.1.0, and this is valid. So you should either find an alternative to xmlseclibs-3.1.0 or use something other than PHP.

Any suggestions on how to fix the signing?

The supplier of the service has confirmed that the certificates used are exported correctly. The certificates are OCES3 (a Danish MitID system certificate).

Upvotes: 0

Views: 269
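One check worth running before blaming the library, as an added example that is not part of the question or of xmlseclibs' own examples: re-verify the signature from the serialized bytes (what the service actually receives) rather than from the in-memory DOM that produced them, and check the reference digest and the RSA signature separately so it is clear which step disagrees. It assumes the $outXML string and the s2s_87638273_pub.pem certificate from the question.

```php
<?php
require __DIR__ . '/xmlseclibs-3.1.0/xmlseclibs.php';
use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecurityKey;
use RobRichards\XMLSecLibs\XMLSecEnc;

// Verify a signed envelope as the receiver sees it: from the serialized bytes, not the
// in-memory DOM that produced them. $xml is the string from $dom->saveXML();
// $certPemPath is the certificate that was embedded with add509Cert().
function verifySignedEnvelope($xml, $certPemPath)
{
    $doc = new DOMDocument();
    $doc->preserveWhiteSpace = true;
    if (!$doc->loadXML($xml)) {
        throw new RuntimeException('XML does not parse');
    }

    $dsig = new XMLSecurityDSig();
    $sigNode = $dsig->locateSignature($doc);
    if ($sigNode === null) {
        throw new RuntimeException('No Signature element found');
    }
    $dsig->canonicalizeSignedInfo();

    // Check 1: the Reference digest. URI="" plus the enveloped-signature transform means
    // "canonicalize the whole document without the Signature element" and compare to
    // DigestValue. xmlseclibs throws on a mismatch, so report instead of aborting.
    try {
        $digestOk = (bool) $dsig->validateReference();
    } catch (Exception $e) {
        $digestOk = false;
    }

    // Check 2: SignatureValue over the canonicalized SignedInfo, first with the
    // certificate taken from KeyInfo (what a relying party uses), then with the PEM
    // you expect, so a wrong embedded certificate shows up separately from a bad RSA step.
    $key = $dsig->locateKey();
    if ($key === null) {
        throw new RuntimeException('Unsupported or missing SignatureMethod');
    }
    XMLSecEnc::staticLocateKeyInfo($key, $sigNode);
    $okEmbedded = ($dsig->verify($key) === 1);

    $expected = new XMLSecurityKey($key->type, array('type' => 'public'));
    $expected->loadKey($certPemPath, true, true); // third argument: the PEM is a certificate
    $okExpected = ($dsig->verify($expected) === 1);

    return array('digest' => $digestOk, 'sig_embedded_cert' => $okEmbedded, 'sig_expected_cert' => $okExpected);
}

print_r(verifySignedEnvelope($outXML, 's2s_87638273_pub.pem'));
```

Because this uses the same libxml2 canonicalization that produced the signature, a pass only shows the output is self-consistent; for an independent opinion, run a second implementation such as xmlsec1 (`xmlsec1 --verify --trusted-pem s2s_87638273_pub.pem signed.xml`) on the same saved file and compare which of the two checks it rejects.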

Answers (0)
