Solved

Signing a Soap Message in PHP returns a fault

Posted on 2014-07-21
4
1,740 Views
Last Modified: 2016-02-26
We need help understanding our error in sending a signed SOAP message using PHP to a partner site.

No one at the partner knows the details of their SOAP processor.
The partner says they are using a v1.1 SOAP processor.
The partner has only tested using a Java library, but we must use PHP.

When we send the message below, the response is "Signature verification failed".
I hope that someone can parse our message and tell us of any issues that are seen.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:add="http://www.americanexpress.com/PAYVE/OrganizationManagementService/V1/addOrganizationInfo" xmlns:v4="http://www.americanexpress.com/PAYVE/ServiceHeader/V4">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-0cc4833c058d39310000887b60a60349">
<!-- base64-encoded X.509 certificate omitted here --></wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-6b819be0863586280000065a73ef65b3">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="add soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#reqBody">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="add" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>
lkeA5TqwqnyHSSXj8oFEG5kHSwQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
PV5JuunxFMgEBr3jUTbyELQ61kQiqmHKfAWdGqsbpOV3QuhCtsNX0FQHH8dGm6xDUuOqcrkn569t0BD/tc4Ld8lTHstDrHZUI7qIdZBK54TNETGSZCGhrIjJqkgITGkrXj4deY0+rfDWBZIA7aoxMgzG2zffYSNGjJFJ5fk2/k6AGpoYaVPdjRQly4D4cq8umbR/yP38yvHYCu16KDWP0F97wVSUOvZ5mGR//4CDWCclpFnFTp998s1Iolefuf2FVO33ra4aZwqZGO67v1xgukawb9E8fLwTQWxOQ6qrfSGkIkRkHXjfhAusTYyBtWcYe5tKRO6/r4oMIBHI88pAig==</ds:SignatureValue>
<ds:KeyInfo Id="KI-5f258aa7bb6b422a000073ec6c47f1dd">
<wsse:SecurityTokenReference wsu:Id="STR-c1605b6a9033ecc50000ed544348b4ea">
<wsse:Reference URI="#X509-0cc4833c058d39310000887b60a60349" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="reqBody" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<add:addOrganizationInfo>
  <add:Request>
    <add:ServiceAttributesGrp>
      <add:MinorVer>?</add:MinorVer>
    </add:ServiceAttributesGrp>
    <add:AddOrganizationInfoReqGrp>
      <add:TxnIdentifier>test-trx-114</add:TxnIdentifier>
      <add:OrganizationInfo>
        <add:PartnerEntityId>test-partner-111</add:PartnerEntityId>
        <add:OrgNm>test-org-114</add:OrgNm>
        <add:OrgId>test-orgid-114</add:OrgId>
        <add:PaymentMethods>
          <add:PaymentMethod>CH</add:PaymentMethod>
        </add:PaymentMethods>
        <add:CustFeeBillInd>?</add:CustFeeBillInd>
        <add:ContactDetail>
          <add:PrimaryEmailID>testemail114@me.com</add:PrimaryEmailID>
          <add:PrimaryPhone>1111111114</add:PrimaryPhone>
        </add:ContactDetail>
        <add:OrganizationAddr>
          <add:Address1>test line 1</add:Address1>
          <add:Address2>test line 2</add:Address2>
          <add:City>San Jose</add:City>
          <add:State>CA</add:State>
          <add:Country>USA</add:Country>
          <add:ZipCd>95112</add:ZipCd>
        </add:OrganizationAddr>
        <add:CheckDetails>
          <add:CheckSettings/>
        </add:CheckDetails>
      </add:OrganizationInfo>
    </add:AddOrganizationInfoReqGrp>
  </add:Request>
</add:addOrganizationInfo>
</soapenv:Body>
</soapenv:Envelope>


0
Question by:Robert Kleinschmidt
4 Comments
 
LVL 34

Assisted Solution

by:Slick812
Slick812 earned 500 total points
ID: 40212535
Greetings Robert Kleinschmidt, not sure I can help you with this, as trying to work with SOAP server exchanges is very COMPLEX, time-consuming and headache work. OK, to start I went to this web addy -
    http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
which gives the order and element-type specifications for the "schema" OBJECT used in this. Take a look at it; it is a COMPLEX source definition.

Next I went to -
    http://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/
which gives the specifications for the "Canonicalization" used in this. Also, this is not a simple specification.

Next I went to the web addys for the xmlns:add=
   http://www.americanexpress.com/PAYVE/OrganizationManagementService/V1/addOrganizationInfo
   http://www.americanexpress.com/PAYVE/ServiceHeader/V4

and these web addys are NOT IN EXISTENCE at www.americanexpress.com (404 error).
This may or may not be a problem, BUT this indicates that whoever is running this SOAP is not any good at having correct specifications in their XML.

Anyway, there is this -
    <add:addOrganizationInfo>
which, from what I know about SOAP, would definitely depend on the xmlns:add=, and the xmlns:add= is likely UNDEFINED because of the missing http://www.americanexpress.com files.

I also tried this addy -
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
I also got a 404, file does not exist, for that.

I looked over the XML you gave for this, and for the most part the tags seem to be matched (open tag has a close tag).

But it is my limited view that, without the specific and precise SOAP example code from the SOAP SERVER, no one could begin to figure this out as to what may or may not contribute to the error message of -
    "Signature verification failed"
It may be a single typing error (you left out a : or put an unnecessary /) OR it could be several many things; all the XML may be correct, but if you have an incorrect value for "SignatureValue", "DigestValue", "BinarySecurityToken", "KeyInfo Id" or several many other values it would fail, AND it could be an XML error AND a value error, or an error at the SOAP SERVER that you sent this to, because you forgot to sign in or do some initialization.

If your "partner site" has not got the service techs to get you doing the correct code, then you may not be able to figure this out, but I could be wrong. If you can, you should try and find some server web service that does what your "partner site" does and use them instead.
0
 

Accepted Solution

by:
Robert Kleinschmidt earned 0 total points
ID: 40232268
We adapted an open source code base to sign the message. Here are the details:

The source code was from the following link:
https://code.google.com/p/wse-php/source/browse/

The files we used were:
soap-wsse.php
xmlseclibs.php

We hooked into the event handler in the SoapClient object just before the message was sent across the wire.

The working code to sign the message body was as follows:
The $request variable was the message body XML string that we want to sign. PRIVATE_KEY is the private key associated with the message. PUBLIC_CRT is the corresponding public certificate file associated with the SOAP message.

        /* Signing helpers from wse-php (soap-wsse.php depends on xmlseclibs.php) */
        require_once 'xmlseclibs.php';
        require_once 'soap-wsse.php';

        $doc = new DOMDocument('1.0');
        $doc->loadXML($request);

        $objWSSE = new WSSESoap($doc);
        $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));

        /* load the private key from file - last arg is bool if key in file (TRUE) or is string (FALSE) */
        $objKey->loadKey(self::PRIVATE_KEY, TRUE);
        /* Sign the message - also signs appropriate WS-Security items */
        $options = array("insertBefore" => FALSE);
        $objWSSE->signSoapDoc($objKey, $options);
        /* Add certificate (BinarySecurityToken) to the message */
        $token = $objWSSE->addBinaryToken(file_get_contents(self::PUBLIC_CRT));
        /* Attach pointer to Signature */
        $objWSSE->attachTokentoSig($token);
        /* Serialized signed envelope - the string to send as-is (typically returned from SoapClient::__doRequest()) */
        $soapMsg = $objWSSE->saveXML();


0
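As an added example (not code from the original post or from the wse-php library), here are the two receiver-side checks a practitioner can run locally in plain PHP (DOMDocument and OpenSSL only) against the exact envelope that goes on the wire, to tell a Reference digest mismatch from a SignatureValue mismatch; the variable `$xml` and the function names are assumptions.

```php
<?php
// Added diagnostic, not from the original post or from wse-php: re-run the two checks a
// WS-Security receiver makes, so "Signature verification failed" can be narrowed to the
// Reference digest (canonicalization/transform mismatch, or Body changed after signing)
// or to the SignatureValue (wrong key/certificate pair, or SignedInfo canonical form).
// Assumes $xml holds the exact bytes sent on the wire (variable name is assumed).
const NS_DS   = 'http://www.w3.org/2000/09/xmldsig#';
const NS_WSSE = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd';
const NS_WSU  = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd';
const NS_EC   = 'http://www.w3.org/2001/10/xml-exc-c14n#';

// PrefixList of an ec:InclusiveNamespaces child (e.g. "add soapenv") as an array for exc-c14n
function prefixList(DOMXPath $xp, ?DOMNode $ctx): array {
    $pl = trim($xp->evaluate('string(ec:InclusiveNamespaces/@PrefixList)', $ctx));
    return $pl === '' ? array() : preg_split('/\s+/', $pl);
}

function diagnoseSignature(string $xml): array {
    $doc = new DOMDocument();
    $doc->preserveWhiteSpace = true;   // whitespace inside the Body is part of the digest input
    $doc->loadXML($xml);
    $xp = new DOMXPath($doc);
    foreach (array('ds' => NS_DS, 'wsse' => NS_WSSE, 'wsu' => NS_WSU, 'ec' => NS_EC) as $p => $ns) {
        $xp->registerNamespace($p, $ns);
    }
    $out = array('digest_ok' => false, 'signature_ok' => false);
    // 1. Reference: exc-c14n the element whose wsu:Id matches the URI, then SHA-1 it.
    $ref = $xp->query('//ds:Signature/ds:SignedInfo/ds:Reference')->item(0);
    $id  = ltrim($ref->getAttribute('URI'), '#');
    foreach ($xp->query('//*[@wsu:Id]') as $el) {
        if ($el->getAttributeNS(NS_WSU, 'Id') !== $id) continue;
        $tr = $xp->query('ds:Transforms/ds:Transform', $ref)->item(0);
        $canon = $el->C14N(true, false, null, prefixList($xp, $tr));
        $claimed = trim($xp->evaluate('string(ds:DigestValue)', $ref));
        $out['digest_ok'] = hash_equals(base64_encode(sha1($canon, true)), $claimed);
    }
    // 2. SignatureValue: exc-c14n SignedInfo (with its own PrefixList) and verify it
    //    with the certificate carried in the BinarySecurityToken (rsa-sha1 as declared).
    $si  = $xp->query('//ds:Signature/ds:SignedInfo')->item(0);
    $cm  = $xp->query('ds:CanonicalizationMethod', $si)->item(0);
    $siCanon = $si->C14N(true, false, null, prefixList($xp, $cm));
    $sig = base64_decode(trim($xp->evaluate('string(//ds:Signature/ds:SignatureValue)')));
    $b64 = preg_replace('/\s+/', '', $xp->evaluate('string(//wsse:BinarySecurityToken)'));
    $pem = "-----BEGIN CERTIFICATE-----\n" . chunk_split($b64, 64, "\n") . "-----END CERTIFICATE-----\n";
    $pub = openssl_pkey_get_public($pem);
    $out['signature_ok'] = $pub !== false && openssl_verify($siCanon, $sig, $pub, OPENSSL_ALGO_SHA1) === 1;
    return $out;
}

var_dump(diagnoseSignature($xml));
```

Run it inside the same hook that produces the bytes actually sent, because any re-serialization of the envelope after signing changes the canonical form of the Body and therefore the digest.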
 
LVL 34

Expert Comment

by:Slick812
ID: 40232509
Glad you got it to work; it looks like most of the code is from -
   https://code.google.com/p/wse-php/source/browse/examples/soap-sign-encrypt.php

but I was not familiar with that library, sorry.

As I said, SOAP is usually a non-simple, trial and error tournament for all involved.
0
 

Author Closing Comment

by:Robert Kleinschmidt
ID: 40240759
While slick812 did not provide the complete solution, the input helped us to the solution.
0
