I need to implement WS-Security password digest on PHP-Soap webservice. I looked everywhere on how to do it and I've found nothing. through trial and error I've found out that PHP Soap server will call a "Secutity" function implemented in Service class where verification will be performed. For now my function looks like this:
public function Security($UsernameToken)
{
$this->log($UsernameToken);
$loggHelper = [];
$loggHelper['nonce'] = unpack('H*', base64_decode($UsernameToken->Nonce))[1];
$loggHelper['created'] = pack('a*', $UsernameToken->Created);
$loggHelper['password'] = pack('a*', 'test');
$loggHelper['passhash1'] = base64_encode(pack('H*',sha1($loggHelper['nonce'].$UsernameToken->Created.$loggHelper['password'])));
$this->log($loggHelper);
if($UsernameToken->Password==$loggHelper['passhash1'])
return true;
else
{
return new SoapFault("401", "Prohibited");
}
}
The problem is, that my Digest is not the same as the password provided by test client (SoapUI)
Log output looks like this:
$UsernameToken = {"Username":"test","Password":"HMxOK\/pg3mOq71N2F5Znb7xDdcw=","Nonce":"BgbT8vrQb\/afX7OC3KPb0Q==","Created":"2020-06-24T07:31:11.731Z"}
$loggerHelper = {"nonce":"0606d3f2fad06ff69f5fb382dca3dbd1","created":"2020-06-24T07:31:11.731Z","password":"test","passhash1":"gJGXpD3yYDmLY6qMhRtKYWr33IA="}
First some remarks:
I would suggest to use
for encryption, which is contained in PHP itself.
Or you use a framework which handles security under the hood. As an example (but I am not sure) symfony should do this automatically for you - please read more at https://symfony.com/doc/current/controller/soap_web_service.html