dual signature


magnusc...@gmail.com

Jan 22, 2016, 12:46:25 PM
to wse-php

hi rob...  hope things are going well for you in the new year...

i have written you in the past here - via this group - about some help with the wse-php scripts used to make signed soap calls and your help was very much appreciated.. 

i have a new assignment to make the same calls now but i'd have to use a "dual signing model". that involves an aes symmetric key to sign the soap message that has to be itself encrypted with a public certificate and passed on with the call...

was wondering if the wse-php can handle that kind of request and if you can point me in the right direction... i'd appreciate any help i can get... 

thanks... 

magnusc...@gmail.com

Jan 29, 2016, 10:36:50 AM
to wse-php

hi there...  any help on this? anybody?...   thanks... 

Rob Richards

Feb 1, 2016, 11:03:50 AM
to wse...@googlegroups.com
The library doesn't currently support signing with symmetric keys. If you want to look at adding it, take a look at the signData() method in the XMLSecurityKey class; otherwise please feel free to open a feature request ticket.

Rob
--
You received this message because you are subscribed to the Google Groups "wse-php" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wse-php+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

magnusc...@gmail.com

Feb 23, 2016, 9:59:03 AM
to wse-php

hi rob...

i'm very much interested in adding the support for the symmetric key signing within this library but i will need your help since signing soap documents is still a bit murky for me.

here are the exact instructions i have:

The SOAP message must have all its parts signed with an AES 256 session key generated by the client (Signature 1). 
This symmetric key is to be encrypted and put into the SOAP security header (Encrypted Key). 
It will be encrypted with the provided signing certificate public key, and signed with the client’s certificate (Signature 2)

here is how i'm trying to achieve this using your library:

$doc = new DOMDocument('1.0');
$doc->loadXML($request);
$objWSSE = new WSSESoap($doc);

$objWSSE->addTimestamp();

/* symmetric key: the AES-256 session key generated by the client */
$s_key = new XMLSecurityKey(XMLSecurityKey::AES256_CBC);
$s_key->generateSessionKey();

/* signing soap document with the session key (Signature 1) */
$options = array("insertBefore" => FALSE);
$objWSSE->signSoapDoc($s_key, $options);

/* load the provided public signing certificate to encrypt the symmetric key
   (RSA-OAEP, public key type; loadKey's third argument marks the file as a certificate) */
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, array('type'=>'public'));
$objKey->loadKey(CERT_FILE, TRUE, TRUE);

/* encrypt symmetric key here: first argument is the wrapping (RSA) key,
   second is the session key being wrapped; FALSE keeps the EncryptedKey
   detached so it can be placed in the security header */
$enc = new XMLSecEnc();
$enc->encryptKey($objKey, $s_key, FALSE);

/* load the client's private key to sign the encrypted key (Signature 2) */
$k_objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));
$k_objKey->loadKey(PRIVATE_KEY, TRUE);

/* ?!   signData($k_objKey, SYMMETRIC_KEY);  ?!   <- the step in question */


.... this is where i'm not sure how to sign the encrypted key. i did look at the signData() you are referring to. there are 2 of them within xmlseclibs.php with different signatures. one of them has only one parameter ($data) and it goes through signOpenSSL. i would probably need to use the other one:

    public function signData($objKey, $data) {
        return $objKey->signData($data);
    }


but not sure about the $data parameter as represented by "SYMMETRIC_KEY" above. 


can you please let me know if this is the correct path to follow to match the requirements above and if so how do i make the final signing of the symmetric key... 

i'd appreciate any help i can get...  thanks....

don magnify

Apr 14, 2016, 4:23:09 AM
to wse...@googlegroups.com
hi rob...
long time...

i've been hacking away on your libraries since i didn't get any reply to my last post - directly or via the group - for more than a month and a half now...

what i need (from the last post):

The SOAP message must have all its parts signed with an AES 256 session key generated by the client (Signature 1). 
This symmetric key is to be encrypted and put into the SOAP security header (Encrypted Key). 
It will be encrypted with the provided signing certificate public key, and signed with the client’s certificate (Signature 2)

i think i'm pretty much there. only the last part is missing - sign the encrypted key header with the "client’s certificate"...  

there is a minor snag however in the process of adding the encrypted key header:

$tokenURI = '#'.$token->getAttributeNS(WSSESoap::WSUNS, "Id");

this generates:

Fatal error:  Call to undefined method XMLSecurityKey::getAttributeNS()

it's true. there is no definition for getAttributeNS anywhere in any of the libraries. if i comment this out the thing runs and creates the request with an empty <wsse:reference uri="" /> under the encrypted key header. i guess i can hardcode that since i have to be done with this by saturday but was wondering if you'd have an updated version of your code that includes that function...  


thanks...  
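
Signature 2 from the requirement quoted above, as an added example that is not code from the thread or from wse-php: sign the xenc:EncryptedKey that addEncryptedKey() placed in the wsse:Security header with the client's RSA key, so the receiver can tie the wrapped session key (and therefore Signature 1) to the client's certificate. It assumes the EncryptedKey carries the plain Id attribute wse-php sets, that the non-namespaced xmlseclibs.php used in the thread is on the include path, and that the function name signEncryptedKey and the two PEM file parameters are this example's own.

```php
<?php
// Added example (not from the thread or wse-php): Signature 2 of the dual
// signing model. Assumes xmlseclibs.php (non-namespaced classes) is loadable
// and that the EncryptedKey already sits in wsse:Security with an Id attribute.
require_once 'xmlseclibs.php';

/**
 * Sign the EncryptedKey element inside $securityHeader with the client's
 * private key and append the resulting ds:Signature to the same header.
 * Verifying this signature lets the server check that the wrapped session
 * key came from this client before it trusts Signature 1 made with that key.
 */
function signEncryptedKey(DOMElement $securityHeader, $clientKeyFile, $clientCertFile)
{
    $xpath = new DOMXPath($securityHeader->ownerDocument);
    $xpath->registerNamespace('xenc', 'http://www.w3.org/2001/04/xmlenc#');
    $encKey = $xpath->query('.//xenc:EncryptedKey', $securityHeader)->item(0);
    if ($encKey === null) {
        throw new RuntimeException('no xenc:EncryptedKey found in the Security header');
    }

    $dsig = new XMLSecurityDSig();
    $dsig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
    // Reference the EncryptedKey through its existing Id; overwrite=false tells
    // xmlseclibs to keep that Id instead of replacing it with a generated one.
    $dsig->addReference(
        $encKey,
        XMLSecurityDSig::SHA1,
        array(XMLSecurityDSig::EXC_C14N),
        array('id_name' => 'Id', 'overwrite' => false)
    );

    // The client's private key produces the signature; the matching certificate
    // is embedded in KeyInfo so the receiver can locate the verification key.
    $clientKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'private'));
    $clientKey->loadKey($clientKeyFile, true);
    $dsig->sign($clientKey);
    $dsig->add509Cert(file_get_contents($clientCertFile), true);
    $dsig->appendSignature($securityHeader);
}

// Usage after the thread's own steps (signSoapDoc, then encryptKey/addEncryptedKey):
//   $security = $doc->getElementsByTagNameNS(WSSESoap::WSSENS, 'Security')->item(0);
//   signEncryptedKey($security, 'client-key.pem', 'client-cert.pem');
```

The PEM file names in the usage comment are placeholders; the signature is appended after the EncryptedKey, so a receiver that processes the header in document order sees the key before the signature that vouches for it.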

Rob Richards

Apr 14, 2016, 9:10:26 AM
to wse...@googlegroups.com
What does $token refer to? The getAttributeNS() method needs to be used on the XML document itself, as it's part of the DOM library and not of the XMLSecurityKey class.

Rob

don magnify

Apr 14, 2016, 5:22:38 PM
to wse...@googlegroups.com

well...  it comes from a function i had to add which is a variation of your encryptSoapDoc. it's basically the same function but instead of encrypting the whole doc it just encrypts the key i had to generate and use to sign all the parts. 

it looks like this:

     public function encryptKyeOnly($siteKey, $objKey, $options=NULL, $encryptSignature=TRUE) {
         $enc = new XMLSecEnc();
         $xpath = new DOMXPath($this->envelope->ownerDocument);
         /* wrap only the session key ($objKey) with the site's public key ($siteKey);
            unlike encryptSoapDoc, no Body or Signature parts are encrypted */
         $enc->encryptKey($siteKey, $objKey, false);
         /* place the detached EncryptedKey into the wsse:Security header */
         $nodes = $xpath->query('//*[local-name()="Security"]');
         $signode = $nodes->item(0);
         $this->addEncryptedKey($signode, $enc, $siteKey, $options);
     }

the definition of addEncryptedKey looks like this:

public function addEncryptedKey($node, $key, $token, $options = NULL) 

so i guess it will be the $siteKey which is XMLSecurityKey instance. 

i just used your encryptSoapDoc without going through all the parts - just the key... 

also in your original code there is another reference to the $token in addEncryptedKey as XMLSecurityKey:

$x509 = openssl_x509_parse($token->getX509Certificate());

getX509Certificate is defined as XMLSecurityKey method in xmlseclibs.php


now i'm attempting to add the signature for the encrypted key into the headers...  any advice on that?


btw: i got your book "pro php xml and web services" and was reading mostly chapter 12 - 'xml security'. i think doing this project is pretty much defined in these 2 sentences on page 442 (on my pdf): "The methods are not even remotely close to being simple. In PHP, it is possible to implement enterprise security to a point, but you may be begging for mercy by the time you are done."

i'd agree...


thanks...

don magnify

Apr 15, 2016, 4:42:04 AM
to wse...@googlegroups.com
hi rob...   me again....  it appears both signatures are missing the SignatureValue value. the tag is there in both cases but it's empty...  any idea why?

don magnify

Apr 25, 2016, 2:10:55 PM
to wse...@googlegroups.com
hi rob/anybody...  i need some urgent help. i have been using the function generateSessionKey in xmlseclibs.php with MCRYPT_RIJNDAEL_128 keysize 32 to make up an AES-256 key for this project. the key is encrypted with a certificate using RSA_OAEP_MGF1P. the session key is used to sign the soap headers. when the key is decrypted on the other end it doesn't work. they are on windows with java crypt libraries. 

can anybody help explain how do i resolve this issue?