Signing a Soap Message in PHP returns a fault

We need help understanding our error in sending a signed SOAP message using PHP to a partner site.

No one at the partner knows the details of their SOAP processor.
The partner says they are using a v1.1 SOAP processor.
The partner has only tested using a Java library, but we must use PHP.

When we send the below message, the response is "Signature verification failed".
I hope that someone can parse our message and tell us of any issues that are seen.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:add="http://www.americanexpress.com/PAYVE/OrganizationManagementService/V1/addOrganizationInfo" xmlns:v4="http://www.americanexpress.com/PAYVE/ServiceHeader/V4">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-0cc4833c058d39310000887b60a60349">
MIICyDCCAjGgAwIBAgICBc0wDQYJKoZIhvcNAQEFBQAwaTEMMAoGA1UEBhMDVVNBMRAwDgYDVQQIDAdBcml6b25hMRAwDgYDVQQHDAdQaG9lbml4MRkwFwYDVQQKDBBBbWVyaWNhbiBFeHByZXNzMQwwCgYDVQQLDANUU08xDDAKBgNVBAMMA1dTTTAeFw0xMjA0MjMwNzIxMzFaFw0xNTA0MDEwMDAwMDBaMGYxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJBWjEMMAoGA1UEBxMDUEhYMRgwFgYDVQQKEw9BbWVyaWNhbkV4cHJlc3MxDjAMBgNVBAsTBWR1bW15MRIwEAYDVQQDDAlkdW1teV9tc2cwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCVcjutypRXka37XAEy6TojqWZRUo0DnP6NOlP2FIUH/5osdA0RLz5yOgF3FGt9R5s8houKjlkXJBtVVVTuq+8b2i38TadXtYNe0itq+5nsxekJMcdTNDTMf6OP9DVHTRwEbhsvdCE96WTHbCfqiI1JmL1yVzz2pVpfl/HNdwpVdDBNEhXl9bwjxmZXxr70ji1NMXqwNRLSIsvtNvK09+Q4bmMr43EbhgLAt0s4MzUJAz50I2o704ef9Zu/daMjjiOVd2sIDI4uOgs5LkTkE8rIqb7zdEXKfqbaYTGV788GKhgBM0R0aTX6MkEA3tayJri0LLYnfHC8ScWXJ1/JN/rtAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAC/pB6cHoBjnM1bRR/i5CeDqm43AA3TL4CvlGrhE772sKjCnxKhp2udWyytbjeDyw9D6paZ3MdWN+bayup/8AUw06UXOpxOM06N+9qEGhfr/vxjq7UOB1+GWn6zBggi0LotcswhjXMnmpToczII6UjtUjx9AXlcCJNl+4hxuzSb8=</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-6b819be0863586280000065a73ef65b3">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="add soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#reqBody">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="add" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
lkeA5TqwqnyHSSXj8oFEG5kHSwQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
PV5JuunxFMgEBr3jUTbyELQ61kQiqmHKfAWdGqsbpOV3QuhCtsNX0FQHH8dGm6xDUuOqcrkn569t0BD/tc4Ld8lTHstDrHZUI7qIdZBK54TNETGSZCGhrIjJqkgITGkrXj4deY0+rfDWBZIA7aoxMgzG2zffYSNGjJFJ5fk2/k6AGpoYaVPdjRQly4D4cq8umbR/yP38yvHYCu16KDWP0F97wVSUOvZ5mGR//4CDWCclpFnFTp998s1Iolefuf2FVO33ra4aZwqZGO67v1xgukawb9E8fLwTQWxOQ6qrfSGkIkRkHXjfhAusTYyBtWcYe5tKRO6/r4oMIBHI88pAig==</ds:SignatureValue>
<ds:KeyInfo Id="KI-5f258aa7bb6b422a000073ec6c47f1dd">
<wsse:SecurityTokenReference wsu:Id="STR-c1605b6a9033ecc50000ed544348b4ea">
<wsse:Reference URI="#X509-0cc4833c058d39310000887b60a60349" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="reqBody" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<add:addOrganizationInfo>
  <add:Request>
    <add:ServiceAttributesGrp>
      <add:MinorVer>?</add:MinorVer>
    </add:ServiceAttributesGrp>
    <add:AddOrganizationInfoReqGrp>
      <add:TxnIdentifier>test-trx-114</add:TxnIdentifier>
      <add:OrganizationInfo>
        <add:PartnerEntityId>test-partner-111</add:PartnerEntityId>
        <add:OrgNm>test-org-114</add:OrgNm>
        <add:OrgId>test-orgid-114</add:OrgId>
        <add:PaymentMethods>
          <add:PaymentMethod>CH</add:PaymentMethod>
        </add:PaymentMethods>
        <add:CustFeeBillInd>?</add:CustFeeBillInd>
        <add:ContactDetail>
          <add:PrimaryEmailID>testemail114@me.com</add:PrimaryEmailID>
          <add:PrimaryPhone>1111111114</add:PrimaryPhone>
        </add:ContactDetail>
        <add:OrganizationAddr>
          <add:Address1>test line 1</add:Address1>
          <add:Address2>test line 2</add:Address2>
          <add:City>San Jose</add:City>
          <add:State>CA</add:State>
          <add:Country>USA</add:Country>
          <add:ZipCd>95112</add:ZipCd>
        </add:OrganizationAddr>
        <add:CheckDetails>
          <add:CheckSettings/>
        </add:CheckDetails>
      </add:OrganizationInfo>
    </add:AddOrganizationInfoReqGrp>
  </add:Request>
</add:addOrganizationInfo>
</soapenv:Body>
</soapenv:Envelope>

Open in new window

Robert KleinschmidtAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Slick812Commented:
greetings Robert Kleinschmidt, , not sure I can help you with this, as trying to work with SOAP server exchanges, is a very COMPLEX , time consuming and headache work. OK to start I went to this web addy -
    http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
which gives the order and elements-types specifications for the "schema" OBJECT used in this, take a look at it, it is a COMPLEX source definition.

Next I went to -
    http://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/
which gives the specifications for the "Canonicalization" used in this. Also this is not a simple specification.

next I went to the web addys for the xmlns:add=
   http://www.americanexpress.com/PAYVE/OrganizationManagementService/V1/addOrganizationInfo
   http://www.americanexpress.com/PAYVE/ServiceHeader/V4

and These web addys are NOT IN EXISTENCE at www.americanexpress.com (404 error),
this may or may not be a problem, BUT this indicates that whoever is running this SOAP is not any good at having correct  specifications in their XML.

any way there is this -
    <add:addOrganizationInfo>
which, from what I know about SOAP, would definitely depend on the  xmlns:add=   , and the  xmlns:add=  is likely UNDEFINED because of the missing http://www.americanexpress.com files.

I also tried this addy -
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
I also got a 404 , file does not exist for that.

I looked over the XML you gave for this, and for the most part the tags seem to be matched (open tag has a close tag),. . .

But It is my limited view, that without the specific and precise SOAP example code from the SOAP SERVER, that no one could begin to figure this out, as to what may or may-not contribute to the error message of -
    "Signature verification failed"
it may be a single typing error (you left out a :  or put an unnecessary / )  OR it could be several many things, all the XML may be correct but if you have incorrect value for "SignatureValue",  "DigestValue", "BinarySecurityToken", "KeyInfo Id" or several many other values it would fail, AND it could be an XML error AND a value error, or an error at the SOAP SERVER that you sent this too, because you forgot to sign in or do some initialization.

If your "partner site" has not got the service techs to get you doing the correct code, then you may not be able to figure this out, but I could be wrong. If you can, ,  you should try and find some server web service, that does what your "partner site" does and use them instead.
0
Robert KleinschmidtAuthor Commented:
We adapted an open source code base to sign the message. Here are the details:

The source code was from the following link:
https://code.google.com/p/wse-php/source/browse/

The files we used were:
soap-wsse.php
xmlseclibs.php

We hooked up to the event handled in the SoapClient object just before the message was sent across the wires.

The working code to sign the message body was as follows:
The $request variable was the message body XML string that we want to sign. PRIVATE_KEY is the private key associated with the message. PUBLIC_CRT is the corresponding public certificate file associated with the soap message.

       
        $doc = new DOMDocument('1.0');
        $doc->loadXML($request);

        $objWSSE = new WSSESoap($doc);
        $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));

        /* load the private key from file - last arg is bool if key in file (TRUE) or is string (FALSE) */
        $objKey->loadKey(self::PRIVATE_KEY, TRUE);
        /* Sign the message - also signs appropriate WS-Security items */
        $options = array("insertBefore" => FALSE);
        $objWSSE->signSoapDoc($objKey, $options);
        /* Add certificate (BinarySecurityToken) to the message */
        $token = $objWSSE->addBinaryToken(file_get_contents(self::PUBLIC_CRT));
        /* Attach pointer to Signature */
        $objWSSE->attachTokentoSig($token);
        $soapMsg = $objWSSE->saveXML();

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Slick812Commented:
Glad you got it to work, it looks like the most code from -
   https://code.google.com/p/wse-php/source/browse/examples/soap-sign-encrypt.php

but I was not familiar with that library, sorry.

as I said, SOAP is usually a non- simple, , trial and error tournament with all involved.
0
Robert KleinschmidtAuthor Commented:
While the slick812 did not provide the complete solution, the input helped us to the solution.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
XML

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.