我想使用证书签署XML文档。看起来应该像这样:
<soapenv:Envelope xmlns:obs="http://csioz.gov.pl/zsmopl/ws/obslugakomunikatow/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-UUU09456789100000">XXXX==</wsse:BinarySecurityToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="obs soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-XYZXYZ1234567890000"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="obs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>vVYVY4CXo60TYkSZ8S/LQJo/8Zc=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>SIGNATURExxxx</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#X509-UUU09456789100000" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-XYZXYZ1234567890000" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<obs:zapiszKomunikatOS>
<komunikatOS>
...
</komunikatOS>
</obs:zapiszKomunikatOS>
</soapenv:Body>
</soapenv:Envelope>
我尝试使用XMLSecLibs,但不幸的是,它不能很好地工作。首先,我不知道如何使用该工具添加包含名称空间,也许这是正确签名的关键?我还尝试通过更改对上述模板的引用来复制摘要值和签名值,但是它不起作用(我从SOAP服务器收到消息:“验证消息时遇到安全错误,原因是:签名或解密无效”)。
有一些丑陋的代码试图签名:
$communicateFile = __DIR__ . 'template-3.xml';
$pemFilePrv = __DIR__ . '/../cert/15.pem';
$xml = trim(file_get_contents($communicateFile));
$wsseNamespace = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd';
$wsuNamespace = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd';
$doc = new \DOMDocument();
$doc->load($communicateFile);
$xp = new \DOMXPath($doc);
$xp->registerNamespace('soapenv', 'http://schemas.xmlsoap.org/soap/envelope/');
$xp->registerNamespace('wsse',$wsseNamespace);
$xp->registerNamespace('wsu',$wsuNamespace);
$xp->registerNamespace('ds',XMLSecurityDSig::XMLDSIGNS);
$securityNode = $xp->query('//wsse:Security')->item(0);
$bodyNode = $xp->query('//soapenv:Body')->item(0);
$objDSig = new XMLSecurityDSig();
$objDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
$objDSig->addReference($bodyNode, XMLSecurityDSig::SHA1,NULL,
array('prefix'=>'wsu','prefix_ns'=>$wsuNamespace));
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));
$objKey->passphrase = 'XXXXX';
$objKey->loadKey($pemFilePrv, TRUE);
$objDSig->sign($objKey);
$objDSig->insertSignature($securityNode);
有人可以帮助我吗?也许只缺少一个incluseNamespaces吗?我指望你,因为我没有主意。
最好的问候
答案 0 :(得分:0)
此示例是一个自己的项目,正在生产中。希望我能为您提供帮助。
$context = stream_context_create([
'ssl' => [
'verify_peer' => false,
'verify_peer_name' => false,
'local_cert' => LOCAL_CERT,
'passphrase' => PRIVATE_KEY_PASSPHRASE
]
]);
$client = new BinarySignedSoapClient($wsdl , ['trace' => 1, 'stream_context' => $context]);
致电:
class BinarySignedSoapClient extends \SoapClient
{
function __construct($wsdl, $context, $params) {
$this->crt_cert_file = array_key_exists('crt_cert_file', $params) ? $params['crt_cert_file'] : null;
$this->private_key_passphrase = array_key_exists('private_key_passphrase', $params) ? $params['private_key_passphrase'] : null;
$this->private_key_file = array_key_exists('private_key_file', $params) ? $params['private_key_file'] : null;
parent::__construct($wsdl, $context);
}
public function __doRequest($request, $location, $saction, $version, $one_way = 0)
{
$doc = new \DOMDocument('1.0');
$doc->loadXML($request);
$objWSSE = new \WSSESoap($doc);
/* add Timestamp with no expiration timestamp */
$objWSSE->addTimestamp();
/* create new XMLSec Key using RSA_SHA1 and type is private key */
$objKey = new \XMLSecurityKey(\XMLSecurityKey::RSA_SHA1, ['type' => 'private']);
/* load the private key from file - last arg is bool if key in file (true) or is string (false) */
$objKey->passphrase = $this->private_key_passphrase;
$objKey->loadKey(__DIR__ ."/../localssl/". $this->private_key_file, true, false);
/* Sign the message - also signs appropiate WS-Security items */
$options = array("insertBefore" => false);
$objWSSE->signSoapDoc($objKey, $options);
/* Add certificate (BinarySecurityToken) to the message */
$token = $objWSSE->addBinaryToken(file_get_contents(__DIR__ ."/../localssl/". $this->crt_cert_file));
/* Attach pointer to Signature */
$objWSSE->attachTokentoSig($token);
$retVal = parent::__doRequest($objWSSE->saveXML(), $location, $saction, $version);
$doc = new \DOMDocument();
$doc->loadXML($retVal);
$options = ["keys" => ["private" => ["key" => __DIR__ . $this->private_key_file, "isFile" => true, "isCert" => false]]];
$objWSSE->decryptSoapDoc($doc, $options);
return $doc->saveXML();
}
}