PHP WS-Security: reference validation failed when verifying a SOAP request signature - PullRequest
0 votes
/ 13 March 2019

The following standards are used to sign and verify messages:

• BinarySecurityToken is used to embed the signing certificate using the PKI Path V1 encoding

• Encoding type: Base64Binary

• Token profile: X509v3 (certificate standard)

• The signature digest is created using SHA256.

• Signature algorithm: RSA-SHA256

The request in XML format:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-B28C8C415580D8AFCE155232089561314906">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</wsse:BinarySecurityToken>
            <ds:Signature Id="SIG-B28C8C415580D8AFCE155232089561314910" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:CanonicalizationMethod>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                    <ds:Reference URI="#TS-B28C8C415580D8AFCE155232089561214905">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                <ec:InclusiveNamespaces PrefixList="wsse soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <ds:DigestValue>L/u+lS/bP49HseqXp4BUGRGRn3j8BW7cBmAskwvttVI=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>SB7CbQyzrvXHEkZyejKhMRqWeVT2rNucRYhK5FhjZF96MrZJjRhT0voha1Zaf28fzsz3RiyTrCLl5u8B6+bS8SIPwdhJvhCdl3dKJ8aXvMDYZROGFA3arvLOD4SO7GzbX291ebviCLTUq6kXkkXYELGdzDfDn/ITTWHew812VujnQTDlcwvD49KNphTb5fDrDc9135ejTvi6YDgrx21vUqar/s5Cjf44DK39YMcIK45gDSQCXR/aA7XWgdKwHgb/Y19p3ttjbNdqJRDfoIssEsBrRRWoJBu4PsmEGiCZ9YpvcMuVxwsv5XHPauL3IgAUzvxDdmvkywA2zFSY2X4znw==</ds:SignatureValue>
                <ds:KeyInfo Id="KI-B28C8C415580D8AFCE155232089561314907">
                    <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-B28C8C415580D8AFCE155232089561314908" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
                        <wsse:Reference URI="#X509-B28C8C415580D8AFCE155232089561314906" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
            <wsu:Timestamp wsu:Id="TS-B28C8C415580D8AFCE155232089561214905">
                <wsu:Created>2019-03-11T16:14:55.612Z</wsu:Created>
                <wsu:Expires>2019-03-11T16:19:55.612Z</wsu:Expires>
            </wsu:Timestamp>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body wsu:Id="id-B28C8C415580D8AFCE155232089561314909" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    </soapenv:Body>
</soapenv:Envelope>

I am trying to use this package: https://github.com/robrichards/wse-php

Here is my code:

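require 'vendor/autoload.php'; // Composer autoloader
use RobRichards\WsePhp\WSSESoapServer;

// Raw SOAP request as received
$var = file_get_contents("php://input");
$doc = new DOMDocument();
$doc->loadXML($var);

// Verify the WS-Security signature
$checkSignature = new WSSESoapServer($doc);
$checkSignature->process();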

Error: Exception: Reference validation failed: vendor\robrichards\xmlseclibs\src\XMLSecurityDSig.php on line 594
The problem is that the DigestValue from the header differs from the digest value generated by the package.
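
One way to narrow down a digest mismatch like this is to recompute the reference digest by hand with PHP's DOM extension. The following is an added example, not code from the post or from wse-php: `referenceDigest`, `digestOf` and the sample envelope are constructed for illustration. It applies the same steps the request declares (exclusive C14N with the `InclusiveNamespaces` prefix list, SHA-256, Base64) and shows that re-indenting the signed element after signing changes the digest.

```php
<?php
// Added example; function names and the sample XML are constructed for illustration.
const NS_DS  = 'http://www.w3.org/2000/09/xmldsig#';
const NS_WSU = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd';
const NS_EC  = 'http://www.w3.org/2001/10/xml-exc-c14n#';

function referenceDigest(DOMDocument $doc, DOMElement $ref): string {
    $xp = new DOMXPath($doc);
    foreach (['ds' => NS_DS, 'wsu' => NS_WSU, 'ec' => NS_EC] as $p => $ns) {
        $xp->registerNamespace($p, $ns);
    }
    // Same-document reference: URI="#id" names the element carrying wsu:Id="id".
    $id = substr($ref->getAttribute('URI'), 1);
    $hits = [];
    foreach ($xp->query('//*[@wsu:Id]') as $el) {
        if ($el->getAttributeNS(NS_WSU, 'Id') === $id) { $hits[] = $el; }
    }
    if (count($hits) !== 1) { // a missing or duplicated Id makes the reference ambiguous
        throw new RuntimeException("expected exactly one element with wsu:Id=$id");
    }
    // PrefixList of the exc-c14n Transform, e.g. "wsse soapenv" in the request above.
    $list = $xp->evaluate('string(ds:Transforms/ds:Transform/ec:InclusiveNamespaces/@PrefixList)', $ref);
    $prefixes = $list === '' ? null : preg_split('/\s+/', $list, -1, PREG_SPLIT_NO_EMPTY);
    // Exclusive canonicalization without comments, then SHA-256, then Base64.
    $canonical = $hits[0]->C14N(true, false, null, $prefixes);
    return base64_encode(hash('sha256', $canonical, true));
}

function digestOf(string $xml): string {
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    $ref = $doc->getElementsByTagNameNS(NS_DS, 'Reference')->item(0);
    return referenceDigest($doc, $ref);
}

// Constructed sample: a compact Timestamp as a signer might emit it.
$compact = '<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="' . NS_WSU . '" xmlns:ds="' . NS_DS . '">'
    . '<ds:Reference URI="#TS-1"><ds:Transforms><ds:Transform Algorithm="' . NS_EC . '">'
    . '<ec:InclusiveNamespaces xmlns:ec="' . NS_EC . '" PrefixList="e"/></ds:Transform></ds:Transforms></ds:Reference>'
    . '<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2019-03-11T16:14:55.612Z</wsu:Created></wsu:Timestamp></e:Envelope>';
// Same content, re-indented after "signing": whitespace text nodes are part of the canonical form.
$indented = str_replace('><wsu:Created>', ">\n    <wsu:Created>", $compact);

$signed   = digestOf($compact);
$received = digestOf($indented);
echo "signed:   $signed\nreceived: $received\n";
echo hash_equals($signed, $received) ? "match\n" : "mismatch: bytes of the signed element changed\n";
```

Running `digestOf` on the raw bytes read from `php://input` and comparing the result with the `ds:DigestValue` in the header shows whether the element that reached the verifier is byte-for-byte what the sender signed.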
