Facing Issue while using wsse-php, getting a response "Signature verification failed"


Sahej Makkar
Apr 3, 2019, 6:38:31 AM
to wse-php
Hi,

I urgently need to implement a client in PHP to use wsse SOAP. I am able to make the request run fine using SOAP UI, with configuration "Signature" -> Key Identifier = Serial Number and Issuer Name.

When I generate an almost similar request from WSSE-SOAP, it errors.

How can I create the same behaviour as the SOAP client configuration for Signature => Key Identifier = Serial Number and Issuer Name, with the rest defaults?

I am able to extract the serial number and issuer name correctly. I am not able to debug what can go wrong in this situation.

Please help.

Thanks and regards,
Sahej.

Rob Richards
Apr 3, 2019, 6:52:10 AM
to wse...@googlegroups.com, Sahej Makkar
I would need to see the document you need to generate as I can only guess, but I assume you mean you need to generate an X509Data node as your SecurityTokenReference. If that's the case it's not currently supported, but probably easy to add as support for that already exists in the xmlseclibs library.

Rob

Sahej Makkar
Apr 3, 2019, 7:04:36 AM
to Rob Richards, wse...@googlegroups.com
Hi,

Thanks so much Rob for the quick reply :) This library looks cool, I just need to know how I need to generate the DOC to pass the verification.
I kind of manually wrote the code to add the x509Data with serial number and issuer to the signature, which matched exactly with the SOAP UI DOC below.
But I still get a verification failure response.

The document generated from SOAP UI looks like this:

   <soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><ds:Signature Id="SIG-A911D948F3EB9763F5155428919109962" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#pfx08bede50-761b-f313-0084-35abcca4963c"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList="cor" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>t4BWd4wvBjDmgthz9aFe4Prsx8A=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>l3JuWq+LCkPdIFFW+kVnrInF8NweYdw7DrqiOAB8agAU2RKEZ2cJsPWL5mV83dNA/qapyAlcPCSC
d1KbpAtTPD6QUdUvF4fxkHokxtmVXWEe5/ZD3CBfqbvns0tobEfapm9Y4YEe5BpVUFsatgoXI1zN
LGvWLPmjsEJgl7nQD5p+MqFmaylUlkhrWaB2ghoeIs6wuUcXd+PjWBmXyFE4JV4qxn6S42EsPStz
cdK2cO3qAGZhkQmT7OxCQqcB69rciuRbM9styFICx82PANpsiQ9AORzyZvGsvjOuKwpNBiOWSJKL
QbJsrii10IYQxgkBr5+0f127oAr5Bk/B8O0NCg==</ds:SignatureValue><ds:KeyInfo Id="KI-A911D948F3EB9763F5155428919109860"><wsse:SecurityTokenReference wsu:Id="STR-A911D948F3EB9763F5155428919109861"><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US</ds:X509IssuerName><ds:X509SerialNumber>10767788982478823465090431559408751727</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security>
   </soapenv:Header>
   <soapenv:Body wsu:Id="pfx08bede50-761b-f313-0084-35abcca4963c" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <cor:ping-request-message>Hi, This is Ping Request</cor:ping-request-message>
   </soapenv:Body>
</soapenv:Envelope>

Thanks and regards,
Sahej.

Rob Richards
Apr 3, 2019, 7:40:43 AM
to wse...@googlegroups.com, Sahej Makkar
You would need to add a new option to the KeyInfo option that's passed to the signSoapDoc method.

It would need to be something like:
if (!empty($options['KeyInfo']['X509Data'])) {

at which point you can leverage the XMLSecurityDSig::staticAdd509Cert() method to create the X509Data node for you.

Rob

Sahej Makkar
Apr 3, 2019, 9:24:52 AM
to Rob Richards, wse...@googlegroups.com
Hi Rob,

Thanks for the help.
It still gives the same error if I leverage the existing node. A couple of differences which I see from the SOAP UI request (which I am not sure could be the reason for failure):

- the KeyInfo generated from SOAP UI has wsse:SecurityTokenReference with child node wsse:Reference
- there is an InclusiveNamespaces node in ds:Transform

Apart from this, the request looks almost similar.

Thanks and regards,
Sahej.

Sahej Makkar
Apr 3, 2019, 10:18:29 PM
to Rob Richards, wse...@googlegroups.com
Hi Rob,

Just an update: I was able to figure out the issue. I was re-indenting the XML before firing the request, which kind of made the request fail.

Thanks so much for the help and this beautiful library you have written. Really appreciate it and love it.

Thanks and regards,
Sahej.
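The root cause in the last post, shown as an added example (not code from the thread or from the wsse-php project): a SOAP Body is signed with xmlseclibs, then the signed XML is re-indented and verification fails, because exclusive C14N keeps whitespace text nodes and the digest no longer matches. It assumes xmlseclibs is installed via Composer; the key pair, envelope and `urn:example:cor` namespace are constructed for the demo.

```php
<?php
// Added example, not from the thread or wsse-php: sign a Body, re-indent, verify fails.
require 'vendor/autoload.php'; // assumes xmlseclibs is installed via Composer
use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecurityKey;

const SOAP_NS = 'http://schemas.xmlsoap.org/soap/envelope/';

function verifySignedXml(string $xml, string $publicPem): bool
{
    $d = new DOMDocument();          // preserveWhiteSpace stays true: verify what was sent
    $d->loadXML($xml);
    $v = new XMLSecurityDSig();
    if (!$v->locateSignature($d)) { return false; }
    $v->canonicalizeSignedInfo();
    try { $v->validateReference(); }  // throws when a Reference digest does not match
    catch (Exception $e) { return false; }
    $pub = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'public']);
    $pub->loadKey($publicPem);
    return $v->verify($pub) === 1;
}

// Constructed throw-away RSA key pair; a real client loads its own PEM files.
$res = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($res, $privatePem);
$publicPem = openssl_pkey_get_details($res)['key'];

// Constructed envelope with the Body on one line, as a client would emit it.
$doc = new DOMDocument();
$doc->loadXML('<soapenv:Envelope xmlns:soapenv="' . SOAP_NS . '" xmlns:cor="urn:example:cor">'
    . '<soapenv:Header/><soapenv:Body><cor:ping-request-message>Hi, This is Ping Request'
    . '</cor:ping-request-message></soapenv:Body></soapenv:Envelope>');
$header = $doc->getElementsByTagNameNS(SOAP_NS, 'Header')->item(0);
$body   = $doc->getElementsByTagNameNS(SOAP_NS, 'Body')->item(0);

// Reference the Body by Id; exclusive C14N keeps whitespace text nodes in the digest input.
$dsig = new XMLSecurityDSig();
$dsig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
$dsig->addReference($body, XMLSecurityDSig::SHA256, [XMLSecurityDSig::EXC_C14N], ['id_name' => 'Id']);
$key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'private']);
$key->loadKey($privatePem);
$dsig->sign($key);
$dsig->appendSignature($header);
$signed = $doc->saveXML();

// Re-indenting after signing inserts whitespace text nodes into Body and SignedInfo,
// so their canonical forms, and hence the digests, are no longer what was signed.
$pretty = new DOMDocument();
$pretty->preserveWhiteSpace = false;
$pretty->formatOutput = true;
$pretty->loadXML($signed);

var_dump(verifySignedXml($signed, $publicPem));
var_dump(verifySignedXml($pretty->saveXML(), $publicPem));
```

Any pretty-printing, whitespace normalisation or re-serialisation of a WS-Security request must happen before signSoapDoc, never between signing and sending.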