CanonicalizationMethod node ends up enveloping SignatureMethod
55 views
Skip to first unread message
Grace Cortright
Sep 8, 2023, 1:26:00 PM9/8/23
to wse-php
Hi,
I'm using wes-php to sign a specific header (wsa:To). However, I am running into an issue with the structure of the dom document after the security node is inserted into the owning document:
<ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:signedinfo><ds:canonicalizationmethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ds:signaturemethod algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256">
<ds:reference uri="#pfx8f883a8e-c05c-76b3-3ccd-36ee46498445"><ds:transforms><ds:transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:transform></ds:transforms><ds:digestmethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"><ds:digestvalue>+NPCw2mcg9eJjOdVf5r5y95iN/w=</ds:digestvalue></ds:digestmethod></ds:reference></ds:signaturemethod></ds:canonicalizationmethod></ds:signedinfo><ds:signaturevalue>NkIWtDbzED4oVpQVsj0Af7ieRJOiXbv0ZsRBVSaQg17w6/f9QN1lMNCE5XweumZ0akLOCLf2W9WJehoeHqY4MDrq1XGQfV/zPDbhYwCDsVUloXiUfdfecOZrRsUk1VMoubWnSR55ohqysjFRoiviXfIFdSTqVmMJWeyKxJVhISxC9dVXoiKX6jIa6vXyb3YA58sZg1J6Car7Pm7zq9eTOgblgEBCDpWqNXmBYww2MxXQgEYMrngIPKw96woRMLZEtGFaqSO5gDnblz1NdWjkG7YQouiPr4EFJB+yepDd1u5laRTeDj+39PEAM9V/H+qkVVKnb4JgZZ+tqQ7yN/fjYpjm9gpMoOhzURU3ZASeGiBtKMg2qL0W8LwVpoh8T8g8598tU6WY1h+ECqz+QG+8CpdbCJR6/324FryXTqopEWkRfBm/FEB7HHE1Nlk3znCeTClTeUj0FcHwGbgQ7L/BpSVYo00N6MNtY+OlOqwc02UlHPIVsDhesENj52RC8eWo</ds:signaturevalue>
<ds:keyinfo><wsse:securitytokenreference><wsse:reference valuetype="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" uri="#pfxc76cc54f-3deb-1dee-4ed8-d179d50e57f8"></wsse:reference></wsse:securitytokenreference></ds:keyinfo></ds:signature>
I'm not sure why, but the CanonicalizationMethod has become a parent to SignatureMethod.
My calling class extends SoapClient and my __doRequest method is as follows:
public function __doRequest($request, $location, $saction, $version)
{
$dom = new \DOMDocument();
$dom->loadXML($request);
$objWSA = new WSASoap($dom);
$objWSA->addAction($saction);
$objWSA->addTo($location);
$dom = $objWSA->getDoc();
$objWSSE = new WSSESoap($dom);
$objWSSE->signBody = false;
$objWSSE->signAllHeaders = false;
$objWSSE->addTimestamp();
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, array('type' => 'private'));
$objKey->loadKey($this->privateKey, true);
$objWSSE->signSoapDoc($objKey,['signSpecificHeaders' => ["http://schemas.xmlsoap.org/ws/2004/08/addressing" => ["To" => $location] ]]);
$token = $objWSSE->addBinaryToken(file_get_contents($this->pPublicKey));
$objWSSE->attachTokentoSig($token);
$request = $objWSSE->saveXML();
return parent::__doRequest($request, $location, $saction, $version);
}
Any idea why this might be the case?
Best,
Grace
I'm using wes-php to sign a specific header (wsa:To). However, I am running into an issue with the structure of the dom document after the security node is inserted into the owning document:
<ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:signedinfo><ds:canonicalizationmethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ds:signaturemethod algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256">
<ds:reference uri="#pfx8f883a8e-c05c-76b3-3ccd-36ee46498445"><ds:transforms><ds:transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:transform></ds:transforms><ds:digestmethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1"><ds:digestvalue>+NPCw2mcg9eJjOdVf5r5y95iN/w=</ds:digestvalue></ds:digestmethod></ds:reference></ds:signaturemethod></ds:canonicalizationmethod></ds:signedinfo><ds:signaturevalue>NkIWtDbzED4oVpQVsj0Af7ieRJOiXbv0ZsRBVSaQg17w6/f9QN1lMNCE5XweumZ0akLOCLf2W9WJehoeHqY4MDrq1XGQfV/zPDbhYwCDsVUloXiUfdfecOZrRsUk1VMoubWnSR55ohqysjFRoiviXfIFdSTqVmMJWeyKxJVhISxC9dVXoiKX6jIa6vXyb3YA58sZg1J6Car7Pm7zq9eTOgblgEBCDpWqNXmBYww2MxXQgEYMrngIPKw96woRMLZEtGFaqSO5gDnblz1NdWjkG7YQouiPr4EFJB+yepDd1u5laRTeDj+39PEAM9V/H+qkVVKnb4JgZZ+tqQ7yN/fjYpjm9gpMoOhzURU3ZASeGiBtKMg2qL0W8LwVpoh8T8g8598tU6WY1h+ECqz+QG+8CpdbCJR6/324FryXTqopEWkRfBm/FEB7HHE1Nlk3znCeTClTeUj0FcHwGbgQ7L/BpSVYo00N6MNtY+OlOqwc02UlHPIVsDhesENj52RC8eWo</ds:signaturevalue>
<ds:keyinfo><wsse:securitytokenreference><wsse:reference valuetype="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" uri="#pfxc76cc54f-3deb-1dee-4ed8-d179d50e57f8"></wsse:reference></wsse:securitytokenreference></ds:keyinfo></ds:signature>
I'm not sure why, but the CanonicalizationMethod has become a parent to SignatureMethod.
My calling class extends SoapClient and my __doRequest method is as follows:
public function __doRequest($request, $location, $saction, $version)
{
$dom = new \DOMDocument();
$dom->loadXML($request);
$objWSA = new WSASoap($dom);
$objWSA->addAction($saction);
$objWSA->addTo($location);
$dom = $objWSA->getDoc();
$objWSSE = new WSSESoap($dom);
$objWSSE->signBody = false;
$objWSSE->signAllHeaders = false;
$objWSSE->addTimestamp();
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, array('type' => 'private'));
$objKey->loadKey($this->privateKey, true);
$objWSSE->signSoapDoc($objKey,['signSpecificHeaders' => ["http://schemas.xmlsoap.org/ws/2004/08/addressing" => ["To" => $location] ]]);
$token = $objWSSE->addBinaryToken(file_get_contents($this->pPublicKey));
$objWSSE->attachTokentoSig($token);
$request = $objWSSE->saveXML();
return parent::__doRequest($request, $location, $saction, $version);
}
Any idea why this might be the case?
Best,
Grace
Rob
Sep 8, 2023, 2:06:12 PM9/8/23
to wse-php
Hard to tell without seeing what the document looks like when its passed to your __doRequest method. Can you try removing the $objWSSE->addTimestamp(); line and see if it changes? Thats the only place i see where it might possibly cause an issue if there is a bug somewhere in the lib
Grace Cortright
Sep 8, 2023, 2:11:10 PM9/8/23
to wse...@googlegroups.com
I’ll try removing the Timestamp, and I am happy to provide the XML, if removing the Timestamp doesn’t solve it. I’ve tried a couple different ways of generating the XML — both manually for pieces of the DOM not created by WsaSoap and WsseSoap, and through just creating the DOM doc and the envelope before using WSASoap ans WsseSoap to create the rest of the header and then using SoapClient to generate the body.
Anyway, I’ll try removing Timestamp and see how I get on and report back.
On Sep 8, 2023, at 11:06 AM, Rob <rric...@cdatazone.org> wrote:
Hard to tell without seeing what the document looks like when its passed to your __doRequest method. Can you try removing the $objWSSE->addTimestamp(); line and see if it changes? Thats the only place i see where it might possibly cause an issue if there is a bug somewhere in the lib
--
You received this message because you are subscribed to a topic in the Google Groups "wse-php" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wse-php/Yh4F3TOUVLE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wse-php+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wse-php/b2d3e04e-1dfd-4873-8c2e-c709dc2b5593n%40googlegroups.com.
Grace Cortright
Sep 8, 2023, 2:34:33 PM9/8/23
to wse...@googlegroups.com
Hi Rob,
No joy when removing addTimestamp(). The XML that is fetched from the wsdl and sent to doRequest is
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:ns1="{service contract url}"><env:Body><ns1:GetBalance></ns1:GetBalance></env:Body></env:Envelope>
(I am not passing in the request body at the moment to the SoapClient, as I just wanted to get the signature functional first)
Best,
No joy when removing addTimestamp(). The XML that is fetched from the wsdl and sent to doRequest is
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:ns1="{service contract url}"><env:Body><ns1:GetBalance></ns1:GetBalance></env:Body></env:Envelope>
(I am not passing in the request body at the moment to the SoapClient, as I just wanted to get the signature functional first)
Best,
G
Grace Cortright
Sep 12, 2023, 3:19:46 PM9/12/23
to wse...@googlegroups.com
Hi Rob,
Just wanted to follow up and see if you had any guidance here.
Best,
G
Just wanted to follow up and see if you had any guidance here.
Best,
G
Reply all
Reply to author
Forward
0 new messages