What exactly is the principle of signing a SOAP request?

A

alexkst2021-01-27 23:55:15

PHP

alexkst, 2021-01-27 23:55:15

I have a working demo code that sends a SOAP request to a server.
The problem is that I need to change some variables to my own.

I don’t understand at all what is in the $token line (is it an SSL certificate?) and what is the principle of request signing?

$number = '500';

$token = 'MIIF1DCCBLygAwIBAgIDHSh4MA0GCSqGSIb3.......L7dZPKj+Shw=';
$DigestValue = '/yN46vA4Z95xaGyXq3b14bw9ybg=';
$SignatureValue = 'QwJID1jLRvWlXJ4alQ2lYk2BYQxchQ.......13vZnLRxFHw==';

$envelope = '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
                <s:Header>
                    <wsa:Action>urn:landskra-wse:property/Number</wsa:Action>
                    <wsa:To>http://ws-test.demo.com/data/property.asmx</wsa:To>
                    <BillingInfo xmlns:h="urn:landskra-wse:property" xmlns="urn:landskra-wse:property" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
                        <companyId>1</companyId>
                        <userId>1</userId>
                    </BillingInfo>
                    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" s:mustUnderstand="1">
                        <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="Id-RequestToken">'.$token.'</wsse:BinarySecurityToken>
                        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                            <SignedInfo>
                                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                                <Reference URI="#Id-RequestBody">
                                    <Transforms>
                                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                                    </Transforms>
                                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                                    <DigestValue>'.$DigestValue.'</DigestValue>
                                </Reference>
                            </SignedInfo>
                            <SignatureValue>'.$SignatureValue.'</SignatureValue>
                            <KeyInfo>
                                <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                                    <wsse:Reference URI="#Id-RequestToken" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
                                </wsse:SecurityTokenReference>
                            </KeyInfo>
                        </Signature>
                    </wsse:Security>
                </s:Header>
                <s:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-RequestBody">
                    <Number xmlns="urn:landskra-wse:property">
                        <number>'.$number.'</number>
                    </Number>
                </s:Body>
             </s:Envelope>';

Where to dig to sign requests with any $number?

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

T

toxa82, 2021-01-28
@toxa82

You need to see the description of the Soap api you are using. It should describe how to generate a signature token. And it's better to use the SoapClient class.