Search code examples
phpsoapws-securityrampart

How to sign outgoing soap request without using wsf/php?


I am looking how to sign soap header using PHP.

The soap service is built by apache rampart, which is exactly same as sample 2 in https://axis.apache.org/axis2/java/rampart/samples.html.

Now, I have a soap client develop by using PHP. I have no idea how to sign the entire headers and body.

I can make my soap request as following

<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://ws.globesteel.com" xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <SOAP-ENV:Header>
    <ns3:Security SOAP-ENV:mustUnderstand="1">
      <ns2:Timestamp>
        <ns2:Created>2016-07-13T08:16:02Z</ns2:Created>
        <ns2:Expires>2016-07-20T06:56:02Z</ns2:Expires>
      </ns2:Timestamp>
      <ns3:Signature>
        <ns3:SignedInfo>
          <Signature>
            <SignedInfo>
              <CanonicalizationMethod>
                <Algorithm>http://www.w3.org/2001/10/xml-exc-c14n#</Algorithm>
              </CanonicalizationMethod>
              <SignatureMethod>
                <Algorithm>http://www.w3.org/2000/09/xmldsig#rsa-sha1</Algorithm>
              </SignatureMethod>
              <Reference>
                <SOAP-ENC:Struct>
                  <Transforms>
                    <SOAP-ENC:Struct>
                      <Algorithm>http://www.w3.org/2001/10/xml-exc-c14n#</Algorithm>
                    </SOAP-ENC:Struct>
                  </Transforms>
                  <DigestMethod>
                    <Algorithm>http://www.w3.org/2000/09/xmldsig#sha1</Algorithm>
                  </DigestMethod>
                  <DigestValue>8f6c3a934fc237673e9f1a12793f5507b8103e4a</DigestValue>
                  <URI>#_body</URI>
                  <Id/>
                </SOAP-ENC:Struct>
                <SOAP-ENC:Struct>
                  <Transforms>
                    <SOAP-ENC:Struct>
                      <Algorithm>http://www.w3.org/2001/10/xml-exc-c14n#</Algorithm>
                    </SOAP-ENC:Struct>
                  </Transforms>
                  <DigestMethod>
                    <Algorithm>http://www.w3.org/2000/09/xmldsig#sha1</Algorithm>
                  </DigestMethod>
                  <DigestValue></DigestValue>
                  <URI>#_control</URI>
                  <Id/>
                </SOAP-ENC:Struct>
              </Reference>
            </SignedInfo>
            <SignatureValue>Yu/DkCbKXAoalySGM2XdieRYhk1rnwhFKNcklXn5l+YgNk3AXEnpr4yDAlReYgU3FGOZh0XGUn8hGWwEs28S+xjrROgb3G/SYKVKbS3EmAU/vLBa+lABn/0NDoGdR/iIv9C7XAr/OBhE++cHA+lktZSS1SUPtfG5BAifN/RtfkE=</SignatureValue>
            <KeyInfo>aqePjuZzE1lzwMMtquksvNJsbmI=</KeyInfo>
          </Signature>
        </ns3:SignedInfo>
      </ns3:Signature>
    </ns3:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <ns1:GetAvailableSecurityQuestions/>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

But I still get error return "Message is not signed".


Solution

  • After 2 weeks of pain, I finally solved this by using https://github.com/robrichards/xmlseclibs