我需要使用 PHP7.2 来获取https://address?wsdl
证书的SOAP请求.p12
。
经过几个小时的研究后,我唯一能做的就是从bash发出这个请求:
$ curl -k -E cert.crt.pem --key cert.key.pem https://address?wsdl
退回了WSDL。但我不得不将.p12
拆分为单独的文件并使用-k
选项,这使得所有这些内容都不安全。
通过以下命令完成拆分:
openssl pkcs12 -in mycert.p12 -out cert.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out cert.crt.pem -clcerts -nokeys
问题是:
如何使用PHP中的cURL
请求此WSDL或如何配置new \SoapClient()
以便它可以工作?
这可能只有.p12
档案&密码?或者我必须转换它?
希望这能描述我已经能够做到的事情:
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,2);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_setopt($ch, CURLOPT_VERBOSE, true);
/**
* cert.p12 (with password) -> cert.pem (contains encrypted PKey & client ?unencrypted? cert)
* $ openssl pkcs12 -in cert.p12 -out cert.pem -clcerts
*
* Result:
*
* This works. But:
* - I don't have peer verification
* - Is such file safe? It has encrypted pkey & certificate (I think not encrypted).
* I don't know much about that topic. Maybe someone with more experience will be able to tell more.
* Maybe some better solution to output this. Maybe as 2 separate files?
*/
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,false); // DO NOT VERIFY!
curl_setopt($ch,CURLOPT_SSLCERT,__DIR__ . '/cert.pem');
//curl_setopt($ch, CURLOPT_SSLCERTPASSWD, $pass); // This is not required :/
curl_setopt($ch,CURLOPT_SSLKEY,__DIR__ . '/cert.pem');
curl_setopt($ch,CURLOPT_SSLKEYPASSWD, $pass);
/**
* cert.p12 (with password) -> cert.pem (contains encrypted PKey & client ?unencrypted? cert)
* $ openssl pkcs12 -in cert.p12 -out cert.pem -clcerts
*
* Result:
*
* TCP_NODELAY set
* Connected to XXX
* ALPN, offering http/1.1
* SSL certificate problem: self signed certificate in certificate chain
* stopped the pause stream!
* Closing connection 0
*/
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,true);
curl_setopt($ch,CURLOPT_SSLCERT,__DIR__ . '/cert.pem');
curl_setopt($ch,CURLOPT_SSLKEY,__DIR__ . '/cert.pem');
curl_setopt($ch,CURLOPT_SSLKEYPASSWD, $pass);
/**
* cert.p12 (with password) -> cert.pem (contains encrypted PKey & client ?unencrypted? cert)
* $ openssl pkcs12 -in cert.p12 -out cert.pem -clcerts
*
* Result:
*
* TCP_NODELAY set
* Connected to XXX
* ALPN, offering http/1.1
* ignoring certificate verify locations due to disabled peer verification
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* stopped the pause stream!
* Closing connection 0
*/
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch,CURLOPT_CAINFO,__DIR__ . '/cert.pem');
curl_setopt($ch,CURLOPT_CAPATH,__DIR__);
curl_setopt($ch,CURLOPT_KEYPASSWD,$pass);
/**
* cert.p12 (with password) -> cert.pem (contains encrypted PKey & client ?unencrypted? cert)
* $ openssl pkcs12 -in cert.p12 -out cert.pem -clcerts
*
* Result:
*
* TCP_NODELAY set
* Connected to XXX
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /www/soap/cert.pem
* CApath: /www/soap
* SSL certificate problem: self signed certificate in certificate chain
* stopped the pause stream!
* Closing connection 0
*/
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch,CURLOPT_CAINFO,__DIR__ . '/cert.pem');
curl_setopt($ch,CURLOPT_CAPATH,__DIR__);
curl_setopt($ch,CURLOPT_KEYPASSWD,$pass);
$data = curl_exec($ch);
$error = curl_error($ch);
$httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
var_dump($data, $httpcode, $error);
?>
答案 0 :(得分:1)
我无法直接使用.p12
,.pfx
,pkcs12
是SOAP。
首先,我们需要读取p12
文件并将其转换为.pem
。稍后,您可以缓存结果($pemCertContent
)以避免转换每个请求,也可以将其存储为文件以用作文件路径。
$readSuccessful = openssl_pkcs12_read($content, $certData, $password);
if (!$readSuccessful) {
$msg = sprintf('Could not read pkcs12 file `%s`: `%s`.', $filePath, openssl_error_string());
throw new \Exception($msg);
}
$pemCertContent = '';
if (isset($certData['pkey'])) {
openssl_pkey_export($certData['pkey'], $pem, $pemPassword);
$pemCertContent .= $pem;
}
if (isset($certData['cert'])) {
openssl_x509_export($certData['cert'], $cert);
$pemCertContent .= $cert;
}
$pemCertContent; // This is your .pem certificate content. I store it as a file.
根据需要,可以在创建SOAP客户端时像这样使用它:
$soapOptions = [
/* In some cases, when you have 2 certificates you may need to use stream context instead of 'local_cert'
'stream_context' => stream_context_create([
'ssl' => [
'cafile' => $caCert->getFilePath(), // CA Certificate
'local_cert' => $tlsCertificate->getFilePath(), // PEM certificate
'passphrase' => $tlsCertificatePass, // Pass for PEM certificate
],
]),
*/
'local_cert' => $tlsCertificate->getFilePath(),
'passphrase' => $tlsCertificatePass,
'trace' => true,
'exceptions' => true,
];
这允许连接到SoapServer以获取wsdl并执行请求。就我而言,我还必须使用WSSE
签署整个请求正文。为此,我将其与.p12
函数打开的openssl_pkcs12_read
证书一起使用:
RobRichards\WsePhp\WSSESoap;
RobRichards\XMLSecLibs\XMLSecurityKey;
但这是另一个故事。
答案 1 :(得分:0)
随着当今安全技术的需求,使EDI功能轻松工作变得越来越困难。我一直在努力使用php肥皂和证书几个月,但仍然无法正常工作。似乎来自php的开发人员似乎无法完成其soap功能的这一部分-或无法正确完成它。
到目前为止,我只读到它可用于curl和pem证书,不幸的是,我需要一个受密码保护的pfx证书。我目前正在寻找不同的语言来完成它。
很抱歉,我建议不要在php上找到解决方案的时间浪费