Solved

Signing a Soap Message in PHP returns a fault

Posted on 2014-07-21
4
1,620 Views
Last Modified: 2016-02-26
We need help understanding our error in sending a signed SOAP message using PHP to a partner site.

No one at the partner knows the details of their SOAP processor.
The partner says they are using a v1.1 SOAP processor.
The partner has only tested using a Java library, but we must use PHP.

When we send the below message, the response is "Signature verification failed".
I hope that someone can parse our message and tell us of any issues that are seen.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:add="http://www.americanexpress.com/PAYVE/OrganizationManagementService/V1/addOrganizationInfo" xmlns:v4="http://www.americanexpress.com/PAYVE/ServiceHeader/V4">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-0cc4833c058d39310000887b60a60349">
MIICyDCCAjGgAwIBAgICBc0wDQYJKoZIhvcNAQEFBQAwaTEMMAoGA1UEBhMDVVNBMRAwDgYDVQQIDAdBcml6b25hMRAwDgYDVQQHDAdQaG9lbml4MRkwFwYDVQQKDBBBbWVyaWNhbiBFeHByZXNzMQwwCgYDVQQLDANUU08xDDAKBgNVBAMMA1dTTTAeFw0xMjA0MjMwNzIxMzFaFw0xNTA0MDEwMDAwMDBaMGYxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJBWjEMMAoGA1UEBxMDUEhYMRgwFgYDVQQKEw9BbWVyaWNhbkV4cHJlc3MxDjAMBgNVBAsTBWR1bW15MRIwEAYDVQQDDAlkdW1teV9tc2cwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCVcjutypRXka37XAEy6TojqWZRUo0DnP6NOlP2FIUH/5osdA0RLz5yOgF3FGt9R5s8houKjlkXJBtVVVTuq+8b2i38TadXtYNe0itq+5nsxekJMcdTNDTMf6OP9DVHTRwEbhsvdCE96WTHbCfqiI1JmL1yVzz2pVpfl/HNdwpVdDBNEhXl9bwjxmZXxr70ji1NMXqwNRLSIsvtNvK09+Q4bmMr43EbhgLAt0s4MzUJAz50I2o704ef9Zu/daMjjiOVd2sIDI4uOgs5LkTkE8rIqb7zdEXKfqbaYTGV788GKhgBM0R0aTX6MkEA3tayJri0LLYnfHC8ScWXJ1/JN/rtAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAC/pB6cHoBjnM1bRR/i5CeDqm43AA3TL4CvlGrhE772sKjCnxKhp2udWyytbjeDyw9D6paZ3MdWN+bayup/8AUw06UXOpxOM06N+9qEGhfr/vxjq7UOB1+GWn6zBggi0LotcswhjXMnmpToczII6UjtUjx9AXlcCJNl+4hxuzSb8=</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-6b819be0863586280000065a73ef65b3">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="add soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#reqBody">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="add" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
lkeA5TqwqnyHSSXj8oFEG5kHSwQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
PV5JuunxFMgEBr3jUTbyELQ61kQiqmHKfAWdGqsbpOV3QuhCtsNX0FQHH8dGm6xDUuOqcrkn569t0BD/tc4Ld8lTHstDrHZUI7qIdZBK54TNETGSZCGhrIjJqkgITGkrXj4deY0+rfDWBZIA7aoxMgzG2zffYSNGjJFJ5fk2/k6AGpoYaVPdjRQly4D4cq8umbR/yP38yvHYCu16KDWP0F97wVSUOvZ5mGR//4CDWCclpFnFTp998s1Iolefuf2FVO33ra4aZwqZGO67v1xgukawb9E8fLwTQWxOQ6qrfSGkIkRkHXjfhAusTYyBtWcYe5tKRO6/r4oMIBHI88pAig==</ds:SignatureValue>
<ds:KeyInfo Id="KI-5f258aa7bb6b422a000073ec6c47f1dd">
<wsse:SecurityTokenReference wsu:Id="STR-c1605b6a9033ecc50000ed544348b4ea">
<wsse:Reference URI="#X509-0cc4833c058d39310000887b60a60349" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="reqBody" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<add:addOrganizationInfo>
  <add:Request>
    <add:ServiceAttributesGrp>
      <add:MinorVer>?</add:MinorVer>
    </add:ServiceAttributesGrp>
    <add:AddOrganizationInfoReqGrp>
      <add:TxnIdentifier>test-trx-114</add:TxnIdentifier>
      <add:OrganizationInfo>
        <add:PartnerEntityId>test-partner-111</add:PartnerEntityId>
        <add:OrgNm>test-org-114</add:OrgNm>
        <add:OrgId>test-orgid-114</add:OrgId>
        <add:PaymentMethods>
          <add:PaymentMethod>CH</add:PaymentMethod>
        </add:PaymentMethods>
        <add:CustFeeBillInd>?</add:CustFeeBillInd>
        <add:ContactDetail>
          <add:PrimaryEmailID>testemail114@me.com</add:PrimaryEmailID>
          <add:PrimaryPhone>1111111114</add:PrimaryPhone>
        </add:ContactDetail>
        <add:OrganizationAddr>
          <add:Address1>test line 1</add:Address1>
          <add:Address2>test line 2</add:Address2>
          <add:City>San Jose</add:City>
          <add:State>CA</add:State>
          <add:Country>USA</add:Country>
          <add:ZipCd>95112</add:ZipCd>
        </add:OrganizationAddr>
        <add:CheckDetails>
          <add:CheckSettings/>
        </add:CheckDetails>
      </add:OrganizationInfo>
    </add:AddOrganizationInfoReqGrp>
  </add:Request>
</add:addOrganizationInfo>
</soapenv:Body>
</soapenv:Envelope>

Open in new window

0
Comment
Question by:Robert Kleinschmidt
  • 2
  • 2
4 Comments
 
LVL 33

Assisted Solution

by:Slick812
Slick812 earned 500 total points
ID: 40212535
greetings Robert Kleinschmidt, , not sure I can help you with this, as trying to work with SOAP server exchanges, is a very COMPLEX , time consuming and headache work. OK to start I went to this web addy -
    http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
which gives the order and elements-types specifications for the "schema" OBJECT used in this, take a look at it, it is a COMPLEX source definition.

Next I went to -
    http://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/
which gives the specifications for the "Canonicalization" used in this. Also this is not a simple specification.

next I went to the web addys for the xmlns:add=
   http://www.americanexpress.com/PAYVE/OrganizationManagementService/V1/addOrganizationInfo
   http://www.americanexpress.com/PAYVE/ServiceHeader/V4

and These web addys are NOT IN EXISTENCE at www.americanexpress.com (404 error),
this may or may not be a problem, BUT this indicates that whoever is running this SOAP is not any good at having correct  specifications in their XML.

any way there is this -
    <add:addOrganizationInfo>
which, from what I know about SOAP, would definitely depend on the  xmlns:add=   , and the  xmlns:add=  is likely UNDEFINED because of the missing http://www.americanexpress.com files.

I also tried this addy -
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
I also got a 404 , file does not exist for that.

I looked over the XML you gave for this, and for the most part the tags seem to be matched (open tag has a close tag),. . .

But It is my limited view, that without the specific and precise SOAP example code from the SOAP SERVER, that no one could begin to figure this out, as to what may or may-not contribute to the error message of -
    "Signature verification failed"
it may be a single typing error (you left out a :  or put an unnecessary / )  OR it could be several many things, all the XML may be correct but if you have incorrect value for "SignatureValue",  "DigestValue", "BinarySecurityToken", "KeyInfo Id" or several many other values it would fail, AND it could be an XML error AND a value error, or an error at the SOAP SERVER that you sent this too, because you forgot to sign in or do some initialization.

If your "partner site" has not got the service techs to get you doing the correct code, then you may not be able to figure this out, but I could be wrong. If you can, ,  you should try and find some server web service, that does what your "partner site" does and use them instead.
0
 

Accepted Solution

by:
Robert Kleinschmidt earned 0 total points
ID: 40232268
We adapted an open source code base to sign the message. Here are the details:

The source code was from the following link:
https://code.google.com/p/wse-php/source/browse/

The files we used were:
soap-wsse.php
xmlseclibs.php

We hooked up to the event handled in the SoapClient object just before the message was sent across the wires.

The working code to sign the message body was as follows:
The $request variable was the message body XML string that we want to sign. PRIVATE_KEY is the private key associated with the message. PUBLIC_CRT is the corresponding public certificate file associated with the soap message.

       
        $doc = new DOMDocument('1.0');
        $doc->loadXML($request);

        $objWSSE = new WSSESoap($doc);
        $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));

        /* load the private key from file - last arg is bool if key in file (TRUE) or is string (FALSE) */
        $objKey->loadKey(self::PRIVATE_KEY, TRUE);
        /* Sign the message - also signs appropriate WS-Security items */
        $options = array("insertBefore" => FALSE);
        $objWSSE->signSoapDoc($objKey, $options);
        /* Add certificate (BinarySecurityToken) to the message */
        $token = $objWSSE->addBinaryToken(file_get_contents(self::PUBLIC_CRT));
        /* Attach pointer to Signature */
        $objWSSE->attachTokentoSig($token);
        $soapMsg = $objWSSE->saveXML();

Open in new window

0
 
LVL 33

Expert Comment

by:Slick812
ID: 40232509
Glad you got it to work, it looks like the most code from -
   https://code.google.com/p/wse-php/source/browse/examples/soap-sign-encrypt.php

but I was not familiar with that library, sorry.

as I said, SOAP is usually a non- simple, , trial and error tournament with all involved.
0
 

Author Closing Comment

by:Robert Kleinschmidt
ID: 40240759
While the slick812 did not provide the complete solution, the input helped us to the solution.
0

Featured Post

DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
php function to remove a file 31 39
Cannot call a static method on an Eloquent object 6 31
write screen output to text file 21 47
does post require a form or curl to be post 4 31
Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
To properly understand GitHub, let’s divide it into two words ‘Git’ and ‘Hub’. Git is basically a ‘Distribution Version Control’ (DVC) and ‘Source Code Management’ (SCM) system widely used by software programmers while Hub means the efficient centre…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question