Solved

Signing a Soap Message in PHP returns a fault

Posted on 2014-07-21
1,565 Views
Last Modified: 2016-02-26
We need help understanding our error in sending a signed SOAP message using PHP to a partner site.

No one at the partner knows the details of their SOAP processor.
The partner says they are using a v1.1 SOAP processor.
The partner has only tested using a Java library, but we must use PHP.

When we send the below message, the response is "Signature verification failed".
I hope that someone can parse our message and tell us of any issues that are seen.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:add="http://www.americanexpress.com/PAYVE/OrganizationManagementService/V1/addOrganizationInfo" xmlns:v4="http://www.americanexpress.com/PAYVE/ServiceHeader/V4">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-0cc4833c058d39310000887b60a60349">
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</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-6b819be0863586280000065a73ef65b3">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="add soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#reqBody">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="add" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
lkeA5TqwqnyHSSXj8oFEG5kHSwQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
PV5JuunxFMgEBr3jUTbyELQ61kQiqmHKfAWdGqsbpOV3QuhCtsNX0FQHH8dGm6xDUuOqcrkn569t0BD/tc4Ld8lTHstDrHZUI7qIdZBK54TNETGSZCGhrIjJqkgITGkrXj4deY0+rfDWBZIA7aoxMgzG2zffYSNGjJFJ5fk2/k6AGpoYaVPdjRQly4D4cq8umbR/yP38yvHYCu16KDWP0F97wVSUOvZ5mGR//4CDWCclpFnFTp998s1Iolefuf2FVO33ra4aZwqZGO67v1xgukawb9E8fLwTQWxOQ6qrfSGkIkRkHXjfhAusTYyBtWcYe5tKRO6/r4oMIBHI88pAig==</ds:SignatureValue>
<ds:KeyInfo Id="KI-5f258aa7bb6b422a000073ec6c47f1dd">
<wsse:SecurityTokenReference wsu:Id="STR-c1605b6a9033ecc50000ed544348b4ea">
<wsse:Reference URI="#X509-0cc4833c058d39310000887b60a60349" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="reqBody" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<add:addOrganizationInfo>
  <add:Request>
    <add:ServiceAttributesGrp>
      <add:MinorVer>?</add:MinorVer>
    </add:ServiceAttributesGrp>
    <add:AddOrganizationInfoReqGrp>
      <add:TxnIdentifier>test-trx-114</add:TxnIdentifier>
      <add:OrganizationInfo>
        <add:PartnerEntityId>test-partner-111</add:PartnerEntityId>
        <add:OrgNm>test-org-114</add:OrgNm>
        <add:OrgId>test-orgid-114</add:OrgId>
        <add:PaymentMethods>
          <add:PaymentMethod>CH</add:PaymentMethod>
        </add:PaymentMethods>
        <add:CustFeeBillInd>?</add:CustFeeBillInd>
        <add:ContactDetail>
          <add:PrimaryEmailID>testemail114@me.com</add:PrimaryEmailID>
          <add:PrimaryPhone>1111111114</add:PrimaryPhone>
        </add:ContactDetail>
        <add:OrganizationAddr>
          <add:Address1>test line 1</add:Address1>
          <add:Address2>test line 2</add:Address2>
          <add:City>San Jose</add:City>
          <add:State>CA</add:State>
          <add:Country>USA</add:Country>
          <add:ZipCd>95112</add:ZipCd>
        </add:OrganizationAddr>
        <add:CheckDetails>
          <add:CheckSettings/>
        </add:CheckDetails>
      </add:OrganizationInfo>
    </add:AddOrganizationInfoReqGrp>
  </add:Request>
</add:addOrganizationInfo>
</soapenv:Body>
</soapenv:Envelope>

Question by:Robert Kleinschmidt
4 Comments
 
LVL 33

Assisted Solution

by:Slick812
Slick812 earned 500 total points
ID: 40212535
Greetings Robert Kleinschmidt, not sure I can help you with this, as trying to work with SOAP server exchanges is very COMPLEX, time-consuming and headache work. OK, to start I went to this web addy -
    http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
which gives the order and element-type specifications for the "schema" OBJECT used in this; take a look at it, it is a COMPLEX source definition.

Next I went to -
    http://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/
which gives the specifications for the "Canonicalization" used in this. Also this is not a simple specification.

Next I went to the web addys for the xmlns:add=
   http://www.americanexpress.com/PAYVE/OrganizationManagementService/V1/addOrganizationInfo
   http://www.americanexpress.com/PAYVE/ServiceHeader/V4

and these web addys are NOT IN EXISTENCE at www.americanexpress.com (404 error).
This may or may not be a problem, BUT this indicates that whoever is running this SOAP is not any good at having correct specifications in their XML.

Anyway, there is this -
    <add:addOrganizationInfo>
which, from what I know about SOAP, would definitely depend on the xmlns:add=, and the xmlns:add= is likely UNDEFINED because of the missing http://www.americanexpress.com files.

I also tried this addy -
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
I also got a 404, file does not exist for that.

I looked over the XML you gave for this, and for the most part the tags seem to be matched (open tag has a close tag).

But it is my limited view that without the specific and precise SOAP example code from the SOAP SERVER, no one could begin to figure this out as to what may or may not contribute to the error message of -
    "Signature verification failed"
It may be a single typing error (you left out a : or put an unnecessary /) OR it could be several things: all the XML may be correct, but if you have an incorrect value for "SignatureValue", "DigestValue", "BinarySecurityToken", "KeyInfo Id" or several other values it would fail, AND it could be an XML error AND a value error, or an error at the SOAP SERVER that you sent this to, because you forgot to sign in or do some initialization.

If your "partner site" has not got the service techs to get you doing the correct code, then you may not be able to figure this out, but I could be wrong. If you can, you should try and find some server web service that does what your "partner site" does and use them instead.

Accepted Solution

by:Robert Kleinschmidt
Robert Kleinschmidt earned 0 total points
ID: 40232268
We adapted an open source code base to sign the message. Here are the details:

The source code was from the following link:
https://code.google.com/p/wse-php/source/browse/

The files we used were:
soap-wsse.php
xmlseclibs.php

We hooked up to the event handled in the SoapClient object just before the message was sent across the wires.

The working code to sign the message body was as follows:
The $request variable was the message body XML string that we want to sign. PRIVATE_KEY is the private key associated with the message. PUBLIC_CRT is the corresponding public certificate file associated with the soap message.

/* Runs inside the class that defines the PRIVATE_KEY and PUBLIC_CRT constants (file paths) */
require_once 'soap-wsse.php';   // WSSESoap (wse-php)
require_once 'xmlseclibs.php';  // XMLSecurityKey

$doc = new DOMDocument('1.0');
$doc->loadXML($request);

$objWSSE = new WSSESoap($doc);
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));

/* load the private key from file - last arg is bool if key in file (TRUE) or is string (FALSE) */
$objKey->loadKey(self::PRIVATE_KEY, TRUE);
/* Sign the message - also signs appropriate WS-Security items */
$options = array("insertBefore" => FALSE);
$objWSSE->signSoapDoc($objKey, $options);
/* Add certificate (BinarySecurityToken) to the message */
$token = $objWSSE->addBinaryToken(file_get_contents(self::PUBLIC_CRT));
/* Attach pointer to Signature */
$objWSSE->attachTokentoSig($token);
$soapMsg = $objWSSE->saveXML();

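A local check worth running before handing the message to SoapClient, as an added example (not code from the original post or from wse-php): it verifies the envelope produced above with the same xmlseclibs 1.x API, so a canonicalization or wsu:Id lookup defect surfaces on our side with a specific error instead of the partner's opaque "Signature verification failed". The function name verifySignedSoap and a PUBLIC_CRT constant holding the certificate path are assumptions; $soapMsg is the string returned by $objWSSE->saveXML().

```php
<?php
// Added example (assumed helper, not from the original post or wse-php): verify
// the signed envelope locally with xmlseclibs 1.x before it is sent.
require_once 'xmlseclibs.php';

const WSU_NS = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd';

function verifySignedSoap($soapMsg, $publicCrtFile)
{
    $doc = new DOMDocument();
    $doc->loadXML($soapMsg);

    $dsig = new XMLSecurityDSig();
    // Find <ds:Signature> anywhere in the document (it sits under wsse:Security).
    $sigNode = $dsig->locateSignature($doc);
    if (!$sigNode) {
        throw new Exception('No ds:Signature element found in the envelope');
    }
    // Apply the CanonicalizationMethod declared in SignedInfo before hashing it.
    $dsig->canonicalizeSignedInfo();

    // ds:Reference URI="#reqBody" points at a wsu:Id attribute, not a plain Id,
    // so xmlseclibs must be told to resolve that attribute in the wsu namespace.
    $dsig->idKeys = array('wsu:Id');
    $dsig->idNS   = array('wsu' => WSU_NS);

    // Step 1: recompute each DigestValue over the transformed referenced element.
    if (!$dsig->validateReference()) {
        throw new Exception('Reference digest mismatch: transform or wsu:Id lookup differs');
    }

    // Step 2: build a public-key object from ds:SignatureMethod (rsa-sha1 here)
    // and load the certificate we attached as the BinarySecurityToken.
    $key = $dsig->locateKey();
    if (!$key) {
        throw new Exception('Unsupported or missing ds:SignatureMethod');
    }
    $key->loadKey($publicCrtFile, true, true); // from file, X.509 certificate

    // Step 3: check SignatureValue over the canonicalized SignedInfo
    // (openssl_verify returns 1 on success).
    return $dsig->verify($key) === 1;
}

// PUBLIC_CRT is the same certificate path constant the signing code uses (assumed).
if (!verifySignedSoap($soapMsg, PUBLIC_CRT)) {
    throw new Exception('Local signature check failed; fix signing before sending');
}
```

If this check passes but the partner still rejects the message, the disagreement is on the receiver's side of the verification (for example how it applies the InclusiveNamespaces PrefixList in the Transform, or how it resolves the wsu:Id reference), which narrows what to ask the partner about.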
LVL 33

Expert Comment

by:Slick812
ID: 40232509
Glad you got it to work, it looks like most of the code is from -
   https://code.google.com/p/wse-php/source/browse/examples/soap-sign-encrypt.php

but I was not familiar with that library, sorry.

As I said, SOAP is usually a non-simple, trial-and-error tournament with all involved.

Author Closing Comment

by:Robert Kleinschmidt
ID: 40240759
While slick812 did not provide the complete solution, the input helped us to the solution.
