[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2141
  • Last Modified:

Signing a Soap Message in PHP returns a fault

We need help understanding our error in sending a signed SOAP message using PHP to a partner site.

No one at the partner knows the details of their SOAP processor.
The partner says they are using a v1.1 SOAP processor.
The partner has only tested using a Java library, but we must use PHP.

When we send the below message, the response is "Signature verification failed".
I hope that someone can parse our message and tell us of any issues that are seen.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:add="http://www.americanexpress.com/PAYVE/OrganizationManagementService/V1/addOrganizationInfo" xmlns:v4="http://www.americanexpress.com/PAYVE/ServiceHeader/V4">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-0cc4833c058d39310000887b60a60349">
MIICyDCCAjGgAwIBAgICBc0wDQYJKoZIhvcNAQEFBQAwaTEMMAoGA1UEBhMDVVNBMRAwDgYDVQQIDAdBcml6b25hMRAwDgYDVQQHDAdQaG9lbml4MRkwFwYDVQQKDBBBbWVyaWNhbiBFeHByZXNzMQwwCgYDVQQLDANUU08xDDAKBgNVBAMMA1dTTTAeFw0xMjA0MjMwNzIxMzFaFw0xNTA0MDEwMDAwMDBaMGYxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJBWjEMMAoGA1UEBxMDUEhYMRgwFgYDVQQKEw9BbWVyaWNhbkV4cHJlc3MxDjAMBgNVBAsTBWR1bW15MRIwEAYDVQQDDAlkdW1teV9tc2cwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCVcjutypRXka37XAEy6TojqWZRUo0DnP6NOlP2FIUH/5osdA0RLz5yOgF3FGt9R5s8houKjlkXJBtVVVTuq+8b2i38TadXtYNe0itq+5nsxekJMcdTNDTMf6OP9DVHTRwEbhsvdCE96WTHbCfqiI1JmL1yVzz2pVpfl/HNdwpVdDBNEhXl9bwjxmZXxr70ji1NMXqwNRLSIsvtNvK09+Q4bmMr43EbhgLAt0s4MzUJAz50I2o704ef9Zu/daMjjiOVd2sIDI4uOgs5LkTkE8rIqb7zdEXKfqbaYTGV788GKhgBM0R0aTX6MkEA3tayJri0LLYnfHC8ScWXJ1/JN/rtAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAC/pB6cHoBjnM1bRR/i5CeDqm43AA3TL4CvlGrhE772sKjCnxKhp2udWyytbjeDyw9D6paZ3MdWN+bayup/8AUw06UXOpxOM06N+9qEGhfr/vxjq7UOB1+GWn6zBggi0LotcswhjXMnmpToczII6UjtUjx9AXlcCJNl+4hxuzSb8=</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-6b819be0863586280000065a73ef65b3">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="add soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#reqBody">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="add" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
lkeA5TqwqnyHSSXj8oFEG5kHSwQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
PV5JuunxFMgEBr3jUTbyELQ61kQiqmHKfAWdGqsbpOV3QuhCtsNX0FQHH8dGm6xDUuOqcrkn569t0BD/tc4Ld8lTHstDrHZUI7qIdZBK54TNETGSZCGhrIjJqkgITGkrXj4deY0+rfDWBZIA7aoxMgzG2zffYSNGjJFJ5fk2/k6AGpoYaVPdjRQly4D4cq8umbR/yP38yvHYCu16KDWP0F97wVSUOvZ5mGR//4CDWCclpFnFTp998s1Iolefuf2FVO33ra4aZwqZGO67v1xgukawb9E8fLwTQWxOQ6qrfSGkIkRkHXjfhAusTYyBtWcYe5tKRO6/r4oMIBHI88pAig==</ds:SignatureValue>
<ds:KeyInfo Id="KI-5f258aa7bb6b422a000073ec6c47f1dd">
<wsse:SecurityTokenReference wsu:Id="STR-c1605b6a9033ecc50000ed544348b4ea">
<wsse:Reference URI="#X509-0cc4833c058d39310000887b60a60349" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="reqBody" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<add:addOrganizationInfo>
  <add:Request>
    <add:ServiceAttributesGrp>
      <add:MinorVer>?</add:MinorVer>
    </add:ServiceAttributesGrp>
    <add:AddOrganizationInfoReqGrp>
      <add:TxnIdentifier>test-trx-114</add:TxnIdentifier>
      <add:OrganizationInfo>
        <add:PartnerEntityId>test-partner-111</add:PartnerEntityId>
        <add:OrgNm>test-org-114</add:OrgNm>
        <add:OrgId>test-orgid-114</add:OrgId>
        <add:PaymentMethods>
          <add:PaymentMethod>CH</add:PaymentMethod>
        </add:PaymentMethods>
        <add:CustFeeBillInd>?</add:CustFeeBillInd>
        <add:ContactDetail>
          <add:PrimaryEmailID>testemail114@me.com</add:PrimaryEmailID>
          <add:PrimaryPhone>1111111114</add:PrimaryPhone>
        </add:ContactDetail>
        <add:OrganizationAddr>
          <add:Address1>test line 1</add:Address1>
          <add:Address2>test line 2</add:Address2>
          <add:City>San Jose</add:City>
          <add:State>CA</add:State>
          <add:Country>USA</add:Country>
          <add:ZipCd>95112</add:ZipCd>
        </add:OrganizationAddr>
        <add:CheckDetails>
          <add:CheckSettings/>
        </add:CheckDetails>
      </add:OrganizationInfo>
    </add:AddOrganizationInfoReqGrp>
  </add:Request>
</add:addOrganizationInfo>
</soapenv:Body>
</soapenv:Envelope>

Open in new window

0
Robert Kleinschmidt
Asked:
Robert Kleinschmidt
  • 2
  • 2
2 Solutions
 
Slick812Commented:
greetings Robert Kleinschmidt, , not sure I can help you with this, as trying to work with SOAP server exchanges, is a very COMPLEX , time consuming and headache work. OK to start I went to this web addy -
    http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
which gives the order and elements-types specifications for the "schema" OBJECT used in this, take a look at it, it is a COMPLEX source definition.

Next I went to -
    http://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/
which gives the specifications for the "Canonicalization" used in this. Also this is not a simple specification.

next I went to the web addys for the xmlns:add=
   http://www.americanexpress.com/PAYVE/OrganizationManagementService/V1/addOrganizationInfo
   http://www.americanexpress.com/PAYVE/ServiceHeader/V4

and These web addys are NOT IN EXISTENCE at www.americanexpress.com (404 error),
this may or may not be a problem, BUT this indicates that whoever is running this SOAP is not any good at having correct  specifications in their XML.

any way there is this -
    <add:addOrganizationInfo>
which, from what I know about SOAP, would definitely depend on the  xmlns:add=   , and the  xmlns:add=  is likely UNDEFINED because of the missing http://www.americanexpress.com files.

I also tried this addy -
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
I also got a 404 , file does not exist for that.

I looked over the XML you gave for this, and for the most part the tags seem to be matched (open tag has a close tag),. . .

But It is my limited view, that without the specific and precise SOAP example code from the SOAP SERVER, that no one could begin to figure this out, as to what may or may-not contribute to the error message of -
    "Signature verification failed"
it may be a single typing error (you left out a :  or put an unnecessary / )  OR it could be several many things, all the XML may be correct but if you have incorrect value for "SignatureValue",  "DigestValue", "BinarySecurityToken", "KeyInfo Id" or several many other values it would fail, AND it could be an XML error AND a value error, or an error at the SOAP SERVER that you sent this too, because you forgot to sign in or do some initialization.

If your "partner site" has not got the service techs to get you doing the correct code, then you may not be able to figure this out, but I could be wrong. If you can, ,  you should try and find some server web service, that does what your "partner site" does and use them instead.
0
 
Robert KleinschmidtAuthor Commented:
We adapted an open source code base to sign the message. Here are the details:

The source code was from the following link:
https://code.google.com/p/wse-php/source/browse/

The files we used were:
soap-wsse.php
xmlseclibs.php

We hooked up to the event handled in the SoapClient object just before the message was sent across the wires.

The working code to sign the message body was as follows:
The $request variable was the message body XML string that we want to sign. PRIVATE_KEY is the private key associated with the message. PUBLIC_CRT is the corresponding public certificate file associated with the soap message.

       
        $doc = new DOMDocument('1.0');
        $doc->loadXML($request);

        $objWSSE = new WSSESoap($doc);
        $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));

        /* load the private key from file - last arg is bool if key in file (TRUE) or is string (FALSE) */
        $objKey->loadKey(self::PRIVATE_KEY, TRUE);
        /* Sign the message - also signs appropriate WS-Security items */
        $options = array("insertBefore" => FALSE);
        $objWSSE->signSoapDoc($objKey, $options);
        /* Add certificate (BinarySecurityToken) to the message */
        $token = $objWSSE->addBinaryToken(file_get_contents(self::PUBLIC_CRT));
        /* Attach pointer to Signature */
        $objWSSE->attachTokentoSig($token);
        $soapMsg = $objWSSE->saveXML();

Open in new window

0
 
Slick812Commented:
Glad you got it to work, it looks like the most code from -
   https://code.google.com/p/wse-php/source/browse/examples/soap-sign-encrypt.php

but I was not familiar with that library, sorry.

as I said, SOAP is usually a non- simple, , trial and error tournament with all involved.
0
 
Robert KleinschmidtAuthor Commented:
While the slick812 did not provide the complete solution, the input helped us to the solution.
0

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now