Unable to validate Signature #98

kirensiva opened this issue Mar 29, 2016 · 4 comments · May be fixed by #178

Comments

@kirensiva

This is my request:

<?xml version="1.0" encoding="UTF-8" ?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" SOAP-ENV:mustUnderstand="1"><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-A4D7664DDF9C52D67F1458258956993738">MIIFyDCCBLCgAwIBAgIQFHdeJw+nqh1Zp6nsZD3ADDANBgkqhkiG9w0BAQsFADBnMTAwLgYDVQQKEydBbWVyaWNhbiBFeHByZXNzIEdsb2JhbCBCdXNpbmVzcyBUcmF2ZWwxMzAxBgNVBAMTKkFtZXJpY2FuIEV4cHJlc3MgR2xvYmFsIEJ1c2luZXNzIFRyYXZlbCBDQTAeFw0xNTEyMDQwMDAwMDBaFw0xODEyMDMyMzU5NTlaMGoxMTAvBgNVBAMMKEdCVCBJbnRlZ3JhdGlvbiBQbGF0Zm9ybSAtIFRlc3QgYW5kIENlcnQxHTAbBgNVBAsMFEVudGVycHJpc2UgVXRpbGl0aWVzMRYwFAYDVQQLDA1NVUxUSS1BTExPV0VEMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuytS/2dnsYZxtFAiUcn7cTknkdOOneSwr5lzCNLy+s0CDdH4/5q2o/DkSStd0eZ1UE3EehPLxs/NBSqTYo4n4GH0HQxOhgfLUKvK+Y3X9LIgRbISsyTDVJuhWJPju1HOMbe8O/zMO3miN760auXgGe+nDzMug8ucaeXv9dnAWm83RIYH9yLdDe1hsdGKfIbt5BL9fGhKmSPqWj/jdgjIn8PBLQMQAetUIM0wYhMj9lSAFveWxyX97VOEZy1PYZjBckyvcslvKD7j5oPUEU2FZthMchtqe1VEvIeOwBro8aQwAa6espwA2932zSY6kxCLxx9GQgGjvG08gofMG3K+3QIDAQABo4ICazCCAmcwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFL1dco4BvedwqclLkj4yY3QO6Vj6MDMGA1UdEQQsMCqCKEdCVCBJbnRlZ3JhdGlvbiBQbGF0Zm9ybSAtIFRlc3QgYW5kIENlcnQwLAYKYIZIAYb4RQEQAwQeMBwGEmCGSAGG+EUBEAEFAwEBq72KQhYGNjM1NjI0MDkGCmCGSAGG+EUBEAUEKzApAgEAFiRhSFIwY0hNNkx5OXdhMmt0Y21FdWMzbHRZWFYwYUM1amIyMD0wXQYDVR0fBFYwVDBSoFCgToZMaHR0cDovL3BraS1jcmwuc3ltYXV0aC5jb20vY2FfMGY5YTNlZDg5NjUzNDFmNjA0MzcxYTdmZmE3Y2JlODUvTGF0ZXN0Q1JMLmNybDCB+gYIKwYBBQUHAQEEge0wgeowJwYIKwYBBQUHMAGGG2h0dHA6Ly9wa2ktb2NzcC5zeW1hdXRoLmNvbTCBvgYIKwYBBQUHMAKGgbFsZGFwOi8vZGlyZWN0b3
J5LnZlcmlzaWduLmNvbS9DTiUyMCUzRCUyMEFtZXJpY2FuJTIwRXhwcmVzcyUyMEdsb2JhbCUyMEJ1c2luZXNzJTIwVHJhdmVsJTIwQ0ElMkMlMjBPJTIwJTNEJTIwQW1lcmljYW4lMjBFeHByZXNzJTIwR2xvYmFsJTIwQnVzaW5lc3MlMjBUcmF2ZWw/Y0FDZXJ0aWZpY2F0ZTtiaW5hcnkwHwYDVR0jBBgwFoAUvIKbpqazRZ5jN4R+TpyV98g9NrkwDQYJKoZIhvcNAQELBQADggEBAKfF0YGGmKtWKASijF0Y17cZ+wpeRbfdlVD0K5c/6IKRy5sr+3ttL3pV1+tpwEILNRdd5/7hvQ66Loi+WvCx80tsN+a26T01v740Vxpp/ByMVEBfNLItp6NnVFD0lhERPFvolDcKjHJtU7z13C4N5+RXLobZNVra2bwLT7FfdjirJVzKC9bWRSVcXcT+K7fcUs4XjwQo02XCoRKKPGrcLKAfQsl5BrHpsUD4cx/ua4gNAqezw09XhWkxdWhlz/lw+gg4vc0X3IwoBm42pzXFNWujvuEmPj6z2JpanrQwxp8uYiGshfZ8V6WKohTQb42L/ZKHU2RiFrCkdYaXSEZCmHI=</wsse:BinarySecurityToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-A4D7664DDF9C52D67F1458258956995742"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="SOAP-ENV" /></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#id-A4D7664DDF9C52D67F1458258956993741"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="" /></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>Prs+alNqhL9hIHGKrQkjxhPx4vOIY6RNMnZ5YQUpXt8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>B/dINeUJgAfI9PyVqj4rahX1X1cah2KfWR10P4z32Q5UKDoWxNVP4h97SXok3JYCg4h75xiK1HyH
qtvpsAk8wi8y/UScnh6MhOahMBZp2Vyj9xBRjHVg46euRYSHVwiv5ahwF8JyvEUPXc0BdDg/Sqqc
lmmm0LpVlQYeoQODGalaBGPd13FugXR6zvx6bjeW0Z4Y/QY2FAzvKydOMxP4dq7M/7IiE2Cucn0J
k1EGmK6oqGvVAOSA8qakb/2HOEtVv9+VZ0VbzmmhGfi0Ubk5/m+hUpHvekeCL2wYzzQIN9TGd7sT
KOPaZ2KI70Re7Zt38Ysz4a75lGEn3FUY+moLkw==</ds:SignatureValue><ds:KeyInfo Id="KI-A4D7664DDF9C52D67F1458258956993739"><wsse:SecurityTokenReference wsu:Id="STR-A4D7664DDF9C52D67F1458258956993740"><wsse:Reference URI="#X509-A4D7664DDF9C52D67F1458258956993738" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></SOAP-ENV:Header><SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-A4D7664DDF9C52D67F1458258956993741"><ping xmlns="http://americanexpress.com/travel/dtr/ws/itinerary"><param>PING</param></ping></SOAP-ENV:Body></SOAP-ENV:Envelope>

My Code is given below:

<?php
require_once 'xmlseclibs.php';       // assumed paths: xmlseclibs core plus the examples' WSSESoapServer
require_once 'soap-wsse-server.php';

$var = file_get_contents("php://input");
$doc = new DOMDocument();
if (!$doc->loadXML($var)) { throw new RuntimeException('request is not well-formed XML'); }
$server = new WSSESoapServer($doc);
$isValid = $server->process();

Then it throws the exception "Unable to validate Signature".

Can you please guide me to tackle the issue?

Same code was successfully validating for the request given below.

<?xml version="1.0" encoding="UTF-8"?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:BinarySecurityToken wsu:Id="SecurityToken-e7f3feb1-5b50-45d2-beba-e3acb1936a73" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">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</wsse:BinarySecurityToken><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <Reference URI="#Body-8aba243f-1fce-48ef-9965-dd4eb7e4782d"> <Transforms> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>MZlhT0MiKkVCUMChVkTeqHbnruk=</DigestValue> </Reference> </SignedInfo> <SignatureValue>huA7bmo0F9SyY7TCnUjBT3L0uoS30v0CIsfxeytvuu2bf3E4wRbBfgGDDl4klwdngC93mpEWQYdFmdmVCJlQaQOdzsS3mQJofgSFdVFbBx1StJqgTTzKr0vzaEkE0nzmwbKKWpZUYjVvbv5pobMo0ugMXVEDSToPS4HovJNj8OoPjb04ooLZ9M54G/zGgUcIZfldk5ynGdIz8L6CU/WkjstKkulzcyNt9UcKU7qqk/YvyO7kl+NEg0voPK5/cyjMbEg+oAGryGZvlBXJR4A7b9hL3EVQw6Dih1Lqd0Z3CkW20saMquqMEpQx3UBJHNArUuRoICswwxRL7riOXcA9ZA==</SignatureValue><KeyInfo><wsse:SecurityTokenReference xmlns=""><wsse:Reference URI="#SecurityToken-e7f3feb1-5b50-45d2-beba-e3acb1936a73" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></KeyInfo></Signature></wsse:Security></soapenv:Header><soapenv:Body 
wsu:Id="Body-8aba243f-1fce-48ef-9965-dd4eb7e4782d" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><ping xmlns="http://americanexpress.com/travel/dtr/ws/itinerary"><param>PING</param></ping></soapenv:Body></soapenv:Envelope>

@robrichards (Owner)

What version of xmlseclibs are you using? Try using the latest master or add this change to your current version: 63e2846

I'm guessing this is due to the formatted cert.

@kirensiva (Author)

I tried with the new version but still getting the same error. I am new to the SOAP and WSS.
I have 2 certs given by other party.

  1. PROD_PUB_KEY_FOR_SIGNATURE_VALIDATION.cer // base64decoded
  2. Signing_Public.cer // -----BEGIN CERTIFICATE----- XXXX -----END CERTIFICATE-----

This is what I am doing to validate the request.

<?php
require_once 'xmlseclibs.php';       // assumed paths: xmlseclibs core plus the examples' WSSESoapServer
require_once 'soap-wsse-server.php';

$var = file_get_contents("php://input");
$doc = new DOMDocument();
if (!$doc->loadXML($var)) { throw new RuntimeException('request is not well-formed XML'); }
$server = new WSSESoapServer($doc);
$isValid = $server->process();

Do we need to use any of the above certificates to validate the request? I think in WSSESoapServer we are currently using the BinarySecurityToken from the request itself. Also what is the relationship between BinarySecurityToken and certificates? Please clarify.

EDIT: openssl_verify() params are given below

// Canonicalized ds:SignedInfo exactly as it was handed to openssl_verify()
$data = '<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="SOAP-ENV"></ec:InclusiveNamespaces></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod><ds:Reference URI="#id-A4D7664DDF9C52D67F1458258956993741"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>Prs+alNqhL9hIHGKrQkjxhPx4vOIY6RNMnZ5YQUpXt8=</ds:DigestValue></ds:Reference></ds:SignedInfo>';

// Base64 SignatureValue from the request; openssl_verify() needs the raw bytes, so decode it
$signature = base64_decode("B/dINeUJgAfI9PyVqj4rahX1X1cah2KfWR10P4z32Q5UKDoWxNVP4h97SXok3JYCg4h75xiK1HyHqtvpsAk8wi8y/UScnh6MhOahMBZp2Vyj9xBRjHVg46euRYSHVwiv5ahwF8JyvEUPXc0BdDg/Sqqclmmm0LpVlQYeoQODGalaBGPd13FugXR6zvx6bjeW0Z4Y/QY2FAzvKydOMxP4dq7M/7IiE2Cucn0Jk1EGmK6oqGvVAOSA8qakb/2HOEtVv9+VZ0VbzmmhGfi0Ubk5/m+hUpHvekeCL2wYzzQIN9TGd7sTKOPaZ2KI70Re7Zt38Ysz4a75lGEn3FUY+moLkw==");

// The key that was dumped as "Resource id #1" ($this->key); loaded here from the PEM certificate the other party supplied
$key = openssl_pkey_get_public(file_get_contents('Signing_Public.cer'));

$algo = 'SHA256';

$result = openssl_verify($data, $signature, $key, $algo); // 1 = valid, 0 = invalid, -1 or false = error

Note: Attached the certificates and request. Certificates are in .cer extension and request is in .xml extension.
PROD_PUB_KEY_FOR_SIGNATURE_VALIDATION.txt
Signing_Public.txt
request_.txt

@KlavsKlavsen

It seems XML signatures with URIs in them do not work with this library? The tests in the test folder use signatures that do not have a URI.
Also see someone else who seems to have had the same issue in December 2015: http://www.ikriv.com/blog/?p=1827

We seem to have the exact same issue today, with latest xmlseclibs. :(

@robrichards (Owner)

The problem appears to be the use of the InclusiveNamespaces element within the CanonicalizationMethod element. InclusiveNamespaces are currently handled when defined within the Transforms elements but the library doesn't yet have support for the higher level define. I will look into this but may need more varying examples of this usage to get it working properly.
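Two points are left open in the thread: whether the certificate carried in the BinarySecurityToken may be trusted at all (the question about the two .cer files), and how the PrefixList on CanonicalizationMethod has to be applied (the maintainer's diagnosis; note that the $data dump in the EDIT above shows SignedInfo canonicalized without the xmlns:SOAP-ENV declaration that PrefixList="SOAP-ENV" asks for, which is why the RSA check over those bytes fails). The following hand-rolled verifier is an added example written for this page; it is not xmlseclibs code and does not describe what WSSESoapServer does. It assumes PHP 7.1 or later with ext-dom and ext-openssl, reads the request from php://input as the posted code does, and pins against Signing_Public.cer, the PEM-formatted file mentioned in the thread. The function and helper names (verifyWsseRequest, one, byWsuId, prefixList, bstToPem) are this example's own.

```php
<?php
// Added example for this thread, not xmlseclibs code: verify a WS-Security X.509 signature by hand.
// (a) pin wsse:BinarySecurityToken to a certificate received out of band;
// (b) canonicalize ds:SignedInfo honouring ec:InclusiveNamespaces/@PrefixList under
//     ds:CanonicalizationMethod, via the fourth argument of DOMNode::C14N();
// (c) recompute every Reference digest and require the SOAP Body to be covered.
// Assumptions: PHP >= 7.1 with ext-dom and ext-openssl; Signing_Public.cer is the PEM
// certificate from the thread; the request is read from php://input.

const NS_SOAP = 'http://schemas.xmlsoap.org/soap/envelope/';
const NS_DS   = 'http://www.w3.org/2000/09/xmldsig#';
const NS_EXC  = 'http://www.w3.org/2001/10/xml-exc-c14n#';
const NS_WSSE = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd';
const NS_WSU  = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd';
const SIG_ALGOS    = ['http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' => OPENSSL_ALGO_SHA256,
                      'http://www.w3.org/2000/09/xmldsig#rsa-sha1'        => OPENSSL_ALGO_SHA1];
const DIGEST_ALGOS = ['http://www.w3.org/2001/04/xmlenc#sha256' => 'sha256',
                      'http://www.w3.org/2000/09/xmldsig#sha1'  => 'sha1'];

/** Exactly one node for $query under $ctx; a missing or duplicated element is a failure. */
function one(DOMXPath $xp, string $query, DOMNode $ctx): DOMNode {
    $nodes = $xp->query($query, $ctx);
    if ($nodes->length !== 1) {
        throw new RuntimeException("expected exactly one $query, found {$nodes->length}");
    }
    return $nodes->item(0);
}

/** Resolve "#id" to the element carrying that wsu:Id; the id is whitelisted before it enters XPath. */
function byWsuId(DOMXPath $xp, DOMDocument $doc, string $uri): DOMElement {
    $id = ltrim($uri, '#');
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $id)) {
        throw new RuntimeException("unsafe reference URI: $uri");
    }
    return one($xp, "//*[@wsu:Id='$id']", $doc);
}

/** PrefixList of an ec:InclusiveNamespaces child as an array, or null when absent or empty. */
function prefixList(DOMXPath $xp, DOMNode $ctx): ?array {
    $attr = $xp->query('ec:InclusiveNamespaces/@PrefixList', $ctx)->item(0);
    $list = $attr === null ? [] : preg_split('/\s+/', trim($attr->nodeValue), -1, PREG_SPLIT_NO_EMPTY);
    return $list ?: null;
}

/** Base64 DER from a BinarySecurityToken, re-wrapped as PEM for ext-openssl. */
function bstToPem(string $base64): string {
    $der = preg_replace('/\s+/', '', $base64);
    return "-----BEGIN CERTIFICATE-----\n" . chunk_split($der, 64, "\n") . "-----END CERTIFICATE-----\n";
}

function verifyWsseRequest(string $xml, string $trustedCertPem): bool {
    $doc = new DOMDocument();
    $doc->preserveWhiteSpace = true;                 // C14N must see exactly the bytes that were signed
    if (!$doc->loadXML($xml, LIBXML_NONET) || $doc->doctype !== null) {
        throw new RuntimeException('request is malformed or carries a DOCTYPE');
    }
    $xp = new DOMXPath($doc);
    foreach (['soap' => NS_SOAP, 'ds' => NS_DS, 'ec' => NS_EXC, 'wsse' => NS_WSSE, 'wsu' => NS_WSU] as $p => $ns) {
        $xp->registerNamespace($p, $ns);
    }
    $sig = one($xp, '/soap:Envelope/soap:Header/wsse:Security/ds:Signature', $doc);

    // (a) Key pinning: the embedded token is accepted only if it IS the certificate we were given.
    $uri      = one($xp, 'ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference/@URI', $sig)->nodeValue;
    $embedded = bstToPem(byWsuId($xp, $doc, $uri)->textContent);
    $pinned   = openssl_x509_fingerprint($trustedCertPem, 'sha256');
    $seen     = openssl_x509_fingerprint($embedded, 'sha256');
    if ($pinned === false || $seen === false || !hash_equals($pinned, $seen)) {
        throw new RuntimeException('BinarySecurityToken is not the pinned certificate');
    }
    $pub = openssl_pkey_get_public($trustedCertPem);  // verify with the pinned key, never the embedded one

    // (b) Canonicalize SignedInfo with the PrefixList declared on CanonicalizationMethod.
    $signedInfo = one($xp, 'ds:SignedInfo', $sig);
    $c14nMethod = one($xp, 'ds:CanonicalizationMethod', $signedInfo);
    $sigMethod  = one($xp, 'ds:SignatureMethod', $signedInfo)->getAttribute('Algorithm');
    if ($c14nMethod->getAttribute('Algorithm') !== NS_EXC || !isset(SIG_ALGOS[$sigMethod])) {
        throw new RuntimeException('unsupported canonicalization or signature algorithm');
    }
    $canon    = $signedInfo->C14N(true, false, null, prefixList($xp, $c14nMethod));
    $sigValue = base64_decode(preg_replace('/\s+/', '', one($xp, 'ds:SignatureValue', $sig)->textContent), true);
    if ($sigValue === false || openssl_verify($canon, $sigValue, $pub, SIG_ALGOS[$sigMethod]) !== 1) {
        return false;
    }

    // (c) SignedInfo only commits to digests: recompute each one over the referenced element.
    $body = one($xp, '/soap:Envelope/soap:Body', $doc);
    $bodyCovered = false;
    foreach ($xp->query('ds:Reference', $signedInfo) as $ref) {
        $target    = byWsuId($xp, $doc, $ref->getAttribute('URI'));
        $transform = one($xp, 'ds:Transforms/ds:Transform', $ref);   // exactly one exclusive-C14N transform
        $digestAlg = one($xp, 'ds:DigestMethod', $ref)->getAttribute('Algorithm');
        if ($transform->getAttribute('Algorithm') !== NS_EXC || !isset(DIGEST_ALGOS[$digestAlg])) {
            throw new RuntimeException('unsupported transform or digest algorithm');
        }
        $expected = base64_decode(trim(one($xp, 'ds:DigestValue', $ref)->textContent), true);
        $actual   = hash(DIGEST_ALGOS[$digestAlg], $target->C14N(true, false, null, prefixList($xp, $transform)), true);
        if ($expected === false || !hash_equals($expected, $actual)) {
            return false;
        }
        $bodyCovered = $bodyCovered || $target->isSameNode($body);
    }
    return $bodyCovered;   // a signature that does not cover the Body is wrapping, not a valid request
}

var_dump(verifyWsseRequest(file_get_contents('php://input'), file_get_contents('Signing_Public.cer')));
```

Step (a) answers the BinarySecurityToken question: the token is simply the sender's certificate carried inside the message, so a verifier that takes its key from the token proves only that the message is self-consistent, and anyone can produce such a message with a key of their own. Pinning the token to the certificate obtained out of band (or validating its chain to a CA you trust, which openssl_x509_checkpurpose() can do) is what ties the signature to the expected peer. Step (b) is the case the maintainer identifies: passing the PrefixList to DOMNode::C14N() makes the canonical SignedInfo carry the SOAP-ENV declaration the signer included, without which the bytes differ and the RSA check fails even with the right key. The final Body check is the usual defence against XML signature wrapping, where a correctly signed Body is moved elsewhere in the envelope and an unsigned one is put in its place.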
