I need to SOAP request https://address?wsdl which require .p12 certificate using PHP7.2.
After hours of reasearch only thing I was able to do is making this request from bash:
$ curl -k -E cert.crt.pem --key cert.key.pem https://address?wsdl
which retured WSDL. But I had to split .p12 to separate files and use -k option which makes all this stuff not secure.
Split done by this commands:
openssl pkcs12 -in mycert.p12 -out cert.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out cert.crt.pem -clcerts -nokeys
The question is:
How to request this WSDL using cURL from PHP or how to configure new \SoapClient() so it will work?
Is this possible having only .p12 file & password? Or I have to convert it?
Hope this describe what I already was able to do:
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,2);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_setopt($ch, CURLOPT_VERBOSE, true);
/**
* cert.p12 (with password) -> cert.pem (contains encrypted PKey & client ?unencrypted? cert)
* $ openssl pkcs12 -in cert.p12 -out cert.pem -clcerts
*
* Result:
*
* This works. But:
* - I don't have peer verification
* - Is such file safe? It has encrypted pkey & certificate (I think not encrypted).
* I don't know much about that topic. Maybe someone with more experience will be able to tell more.
* Maybe some better solution to output this. Maybe as 2 separate files?
*/
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,false); // DO NOT VERIFY!
curl_setopt($ch,CURLOPT_SSLCERT,__DIR__ . '/cert.pem');
//curl_setopt($ch, CURLOPT_SSLCERTPASSWD, $pass); // This is not required :/
curl_setopt($ch,CURLOPT_SSLKEY,__DIR__ . '/cert.pem');
curl_setopt($ch,CURLOPT_SSLKEYPASSWD, $pass);
/**
* cert.p12 (with password) -> cert.pem (contains encrypted PKey & client ?unencrypted? cert)
* $ openssl pkcs12 -in cert.p12 -out cert.pem -clcerts
*
* Result:
*
* TCP_NODELAY set
* Connected to XXX
* ALPN, offering http/1.1
* SSL certificate problem: self signed certificate in certificate chain
* stopped the pause stream!
* Closing connection 0
*/
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,true);
curl_setopt($ch,CURLOPT_SSLCERT,__DIR__ . '/cert.pem');
curl_setopt($ch,CURLOPT_SSLKEY,__DIR__ . '/cert.pem');
curl_setopt($ch,CURLOPT_SSLKEYPASSWD, $pass);
/**
* cert.p12 (with password) -> cert.pem (contains encrypted PKey & client ?unencrypted? cert)
* $ openssl pkcs12 -in cert.p12 -out cert.pem -clcerts
*
* Result:
*
* TCP_NODELAY set
* Connected to XXX
* ALPN, offering http/1.1
* ignoring certificate verify locations due to disabled peer verification
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* stopped the pause stream!
* Closing connection 0
*/
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch,CURLOPT_CAINFO,__DIR__ . '/cert.pem');
curl_setopt($ch,CURLOPT_CAPATH,__DIR__);
curl_setopt($ch,CURLOPT_KEYPASSWD,$pass);
/**
* cert.p12 (with password) -> cert.pem (contains encrypted PKey & client ?unencrypted? cert)
* $ openssl pkcs12 -in cert.p12 -out cert.pem -clcerts
*
* Result:
*
* TCP_NODELAY set
* Connected to XXX
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /www/soap/cert.pem
* CApath: /www/soap
* SSL certificate problem: self signed certificate in certificate chain
* stopped the pause stream!
* Closing connection 0
*/
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch,CURLOPT_CAINFO,__DIR__ . '/cert.pem');
curl_setopt($ch,CURLOPT_CAPATH,__DIR__);
curl_setopt($ch,CURLOPT_KEYPASSWD,$pass);
$data = curl_exec($ch);
$error = curl_error($ch);
$httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
var_dump($data, $httpcode, $error);
?>
I was not able to use .p12, .pfx, pkcs12 directly is SOAP.
First we need to read p12 file and convert it to .pem. Later you can cache result ($pemCertContent) to avoid conversion each request or store it as file to use as filepaths.
$readSuccessful = openssl_pkcs12_read($content, $certData, $password);
if (!$readSuccessful) {
$msg = sprintf('Could not read pkcs12 file `%s`: `%s`.', $filePath, openssl_error_string());
throw new \Exception($msg);
}
$pemCertContent = '';
if (isset($certData['pkey'])) {
openssl_pkey_export($certData['pkey'], $pem, $pemPassword);
$pemCertContent .= $pem;
}
if (isset($certData['cert'])) {
openssl_x509_export($certData['cert'], $cert);
$pemCertContent .= $cert;
}
$pemCertContent; // This is your .pem certificate content. I store it as a file.
Depending on need you can use it like this when creating SOAP client:
$soapOptions = [
/* In some cases, when you have 2 certificates you may need to use stream context instead of 'local_cert'
'stream_context' => stream_context_create([
'ssl' => [
'cafile' => $caCert->getFilePath(), // CA Certificate
'local_cert' => $tlsCertificate->getFilePath(), // PEM certificate
'passphrase' => $tlsCertificatePass, // Pass for PEM certificate
],
]),
*/
'local_cert' => $tlsCertificate->getFilePath(),
'passphrase' => $tlsCertificatePass,
'trace' => true,
'exceptions' => true,
];
This allows to connect to SoapServer to get wsdl and do request. In my case I also have to sign whole request body with WSSE. To do it I use this with .p12 cert opened by openssl_pkcs12_read function:
RobRichards\WsePhp\WSSESoap;
RobRichards\XMLSecLibs\XMLSecurityKey;
But this is another story.