WS-Security using security token


Alex Andreu

Sep 8, 2023, 1:25:50 PM
to wse-php
Hi there, 

I'm really struggling with a SOAP service provided by the Spanish transportation administration and I'd appreciate your help with finding the proper solution.

I'm able to request the service NO PROBLEM with SOAP UI, signing everything and getting a valid response.

My trouble comes in the PHP code I've created where I'm not able to understand the WS implementation.

Here's a valid header:
<wsse:BinarySecurityToken
    wsu:Id="X509-E64B294D465FB37C911692801364876325">
  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
</wsse:BinarySecurityToken>
<ds:Signature Id="SIG-E64B294D465FB37C911692801364892328" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <ec:InclusiveNamespaces PrefixList="soapenv vtc" />
    </ds:CanonicalizationMethod>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <ds:Reference URI="#id-E64B294D465FB37C911692715667411308">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
          <ec:InclusiveNamespaces PrefixList="vtc" />
        </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <ds:DigestValue>K1bB+1+IZrQ5C713dPkWDluJrq4=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>
odrWULFZzE1IvBN5Pp3pcnTM8A2qViF2VkOITcVRslUYRzaYJ1V2QDjgZ0SKyl994LcztN0F4SwAY/d90PgFbPFc/l/q7Ab+CctFyS0WHc599BdSIXEXR2Gkm7HdytwE+JocBSS8URb0vzyYAEP7aRVbmLz0X5QooiukTkH70m1XkVZ68w4SvZmDbU2GG5KUa2wd5Nrd2Gmedj52uyi50AJ6hqfvcJyGJZS8BFAqQVr4bkLshGr/GUiHvzFWDAoqQb5nXXh54xVaJYQF+E0Ks7jG3qygGgRDHomx2hZe+V7c9crkDyTX+taESltwng5cqTAiuBlc0cCY3Ek0cU1Exw==
  </ds:SignatureValue>
  <ds:KeyInfo Id="KI-E64B294D465FB37C911692801364877326">
    <wsse:SecurityTokenReference
        wsu:Id="STR-E64B294D465FB37C911692801364877327">
      <wsse:Reference URI="#X509-E64B294D465FB37C911692801364876325" />
    </wsse:SecurityTokenReference>
  </ds:KeyInfo>
</ds:Signature>
</wsse:Security>


From this, what I understand I should do is:

- Get the C14N of soapenv:Body
- openssl_digest the body (in binary)
- base64_encode the digest and add it to DigestValue

- Take the Signature element with SignatureValue empty but present
- C14N it
- openssl_digest it in binary
- openssl_sign the digested result
- add it to SignatureValue

Send the request.

Well, the above steps fail.

Here's the starting point in SOAP UI (and in my PHP code) for a successful request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:vtc="http://mfom.com/vtc">
   <soapenv:Header/>
   <soapenv:Body>
      <vtc:qaltavtc>
         <header version="?" versionsender="?" fecha="?"/>
         <body>
            <vtcservicio matricula="?" niftitular="?" nif="?" nom="?" nombtitular="?" cgprovcontrato="?" cgmunicontrato="?" numa="?" fcontrato="?" cgprovinicio="?" cgmuniinicio="?" direccioninicio="?" fprevistainicio="?" finicio="?" cgprovfin="?" cgmunifin="?" direccionfin="?" ffin="?" cgprovlejano="?" cgmunilejano="?" direccionlejano="?" fanulacion="?" veraz="?"/>
         </body>
      </vtc:qaltavtc>
   </soapenv:Body>
</soapenv:Envelope>

I'd appreciate any clues on what I'm missing here.

Thanks!
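An added example, not the poster's code and not from wse-php, of producing the two values in the header above with PHP's DOM and OpenSSL extensions. It follows what XML-DSig specifies: DigestValue is SHA-1 over the exclusive-C14N Body (with the wsu:Id the Reference points at), and SignatureValue is RSA-SHA1 over the exclusive-C14N ds:SignedInfo only, with openssl_sign doing the hashing itself. Assumed: a template file holding the envelope plus the header skeleton (placeholder path), a PEM private key (placeholder path), and the PrefixList values shown in the header.

```php
<?php
// Added example (not the poster's code, not wse-php). Fills DigestValue and
// SignatureValue in a template that already contains the header skeleton.
const NS_SOAP = 'http://schemas.xmlsoap.org/soap/envelope/';
const NS_DS   = 'http://www.w3.org/2000/09/xmldsig#';
const NS_WSU  = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd';

// Exclusive C14N; $prefixes is the ec:InclusiveNamespaces PrefixList for that step.
function excC14N(DOMElement $el, array $prefixes): string {
    return $el->C14N(true, false, null, $prefixes);
}

// DigestValue = base64(sha1(exc-c14n(Body))). The wsu:Id is set before
// canonicalization because the Id attribute is part of what gets digested.
function bodyDigestValue(DOMDocument $doc, string $bodyId): string {
    $body = $doc->getElementsByTagNameNS(NS_SOAP, 'Body')->item(0);
    $body->setAttributeNS(NS_WSU, 'wsu:Id', $bodyId);
    return base64_encode(openssl_digest(excC14N($body, ['vtc']), 'sha1', true));
}

// SignatureValue = base64(RSA-SHA1 over exc-c14n(SignedInfo)). openssl_sign()
// hashes internally, so the canonical bytes go in as-is (no separate digest step).
function signatureValue(DOMElement $signedInfo, string $pemKey): string {
    $sig = '';
    if (!openssl_sign(excC14N($signedInfo, ['soapenv', 'vtc']), $sig, $pemKey, OPENSSL_ALGO_SHA1)) {
        throw new RuntimeException('openssl_sign failed: ' . openssl_error_string());
    }
    return base64_encode($sig);
}

// What a receiver checks first: recompute the Body digest from the final bytes.
function bodyDigestMatches(DOMDocument $doc, string $expected): bool {
    $body = $doc->getElementsByTagNameNS(NS_SOAP, 'Body')->item(0);
    $actual = base64_encode(openssl_digest(excC14N($body, ['vtc']), 'sha1', true));
    return hash_equals($expected, $actual);
}

$doc = new DOMDocument();
$doc->preserveWhiteSpace = false;   // serialize exactly what was canonicalized
$doc->load('/path/to/request-template.xml');          // placeholder path
$bodyId = 'id-' . strtoupper(bin2hex(random_bytes(16)));
$digest = bodyDigestValue($doc, $bodyId);             // digest first, then sign SignedInfo
$doc->getElementsByTagNameNS(NS_DS, 'Reference')->item(0)->setAttribute('URI', '#' . $bodyId);
$doc->getElementsByTagNameNS(NS_DS, 'DigestValue')->item(0)->nodeValue = $digest;
$doc->getElementsByTagNameNS(NS_DS, 'SignatureValue')->item(0)->nodeValue = signatureValue(
    $doc->getElementsByTagNameNS(NS_DS, 'SignedInfo')->item(0),
    file_get_contents('/path/to/private-key.pem'));   // placeholder path
if (!bodyDigestMatches($doc, $digest)) { throw new RuntimeException('digest self-check failed'); }
echo $doc->saveXML();   // send these exact bytes; re-indenting afterwards breaks the digest
```

Any pretty-printing or namespace rewriting applied after signing changes the canonical bytes, so the receiver's digest check fails before the signature is ever verified.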

Rob

Sep 8, 2023, 1:52:05 PM
to wse-php
What does your PHP code currently look like for this? Are you using the wse-php library or trying to do this manually? Using the library, you don't need to worry about the SOAP structure, just the data in the body and possibly the header if you need WSA or other extensions.