doujing6053 2015-10-15 09:03

使用PHP中的证书验证消息

I have to verify a SOAP request using the certificate. Is it possible to do this in PHP using openssl_verify($data, $signature, $pubkeyid)? If so, after parsing the XML (the request), we will have the $BinarySecurityToken, $SignatureValue, $digestValue and $data.

Below is my code and XML. I am confused about the parameters. Are these the parameters that need to be parsed from the XML and given to the openssl_verify() function? Is there something I am missing?

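// Verifies the RSA signature of a WS-Security (XML-DSig) SOAP request and prints
// "good", "bad" or an error message.
//
// Two checks are needed before the message can be trusted:
//   1. ds:SignatureValue must verify over the canonicalized <ds:SignedInfo> element.
//   2. ds:DigestValue must equal the digest of the canonicalized element that
//      <ds:Reference URI="#id-6"> points to (here the soapenv:Body).
// This script performs only the openssl_verify() call of step 1; see the notes on
// $data and $digestValue for what still has to be supplied.

// xml node <wsse:BinarySecurityToken>
// Base64 of the sender's X.509 token (the request declares ValueType X509PKIPathv1).
// It arrives inside the message, so the certificate it carries must be validated
// against a locally trusted root before its public key is used for verification.
$BinarySecurityToken = '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';

// xml node <ds:SignatureValue>
// Base64 text, wrapped over several lines exactly as it appears in the XML.
$SignatureValue = 'sDJwzzmPoVaV7m6cNaAReQU4l3EG98jVVff6C0MvYTTxA+fsKlANi/9cONnKxGCTT9z81DsY6uJmy/
                    72gBZhf/csNBYc+9LFAHU17Ee/dOd2AeTXr7Bge7DDDqYXwoKKQVkAsNOCFa0UIuEI3HsfUl8GNb
                    uD62v9Z9r4VpjxeLBNuE0RJxBtrPHYWCr/6MP9Q6smal5QvWnn9HkG6s4pehkdk9WkAnBPuChcF8
                    O+ojHo7wtA4EEFYh6LLQYzfcz4dkhwdxbMUpkejAWMbv8RVmdHcxvW76l84QPIqS9nn3cFviwyok
                    y1ewnR7+qZkffgTETNhjwbFeNZP6h3QiUsI0pyLUw==';

// <ds:DigestValue>
// Base64 of the SHA-1 digest (per ds:DigestMethod) of the referenced element after
// the exclusive-C14N transform. It is not an input to openssl_verify(); it has to be
// recomputed from the received Body and compared separately, ideally with
// hash_equals(). Without that comparison the Body content is not covered at all.
$digestValue = 'IPhyJugxYi+W+SJjydFNF/01jxg=';

// data to be verified
// NOTE(review): the signature is not computed over the text 'HI'. It is computed over
// the <ds:SignedInfo> element canonicalized with the declared CanonicalizationMethod
// (exclusive C14N, InclusiveNamespaces PrefixList "itin soapenv"), e.g. obtained via
// DOMNode::C14N() in exclusive mode. With the value below the result will be "bad".
$data   = 'HI';

// Certificate whose public key is used for verification.
// NOTE(review): this must be the signer's certificate (or one validated up to this
// root). If xxx_root.pem is only the issuing root and not the signing certificate,
// verification fails even for a genuine message - confirm which one it is.
$cert = file_get_contents("pathto/xxx_root.pem");

// openssl_verify() expects the raw signature bytes, so drop the line wrapping and
// base64-decode; strict mode rejects anything that is not valid base64.
$signature = base64_decode(str_replace(["\r", "\n", "\t", " "], '', $SignatureValue), true);

if ($cert === false || $signature === false) {
    // Unreadable certificate file or malformed signature: report as an error.
    $ok = -1;
} else {
    // The algorithm is pinned here to match the request's rsa-sha1 SignatureMethod
    // instead of being taken from the message being verified.
    $ok = openssl_verify($data, $signature, $cert, OPENSSL_ALGO_SHA1);
}

// Strict comparisons: openssl_verify() may return false on error, and false == 0
// would otherwise be reported as a plain "bad" signature.
if ($ok === 1) {
    echo "good";
} elseif ($ok === 0) {
    echo "bad";
} else {
    echo "ugly, error checking signature";
}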

Request XML

<soapenv:Envelope xmlns:itin="http://americanexpress.com/travel/dtr/ws/itinerary" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-8CD06AFAA518E6C688143339459975413">
                MIIDdjCCA3IwggJaoAMCAQICBFMH6uYwDQYJKoZIhvcNAQEEBQAwezELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEDAOBgNVBAcTB1Bob2VuaXgxGTAXBgNVBAoTEEFtZXJpY2FuIEV4cHJlc3MxDDAKBgNVBAsTA0dUVDEfMB0GA1UEAwwWRGlnaXRhbFRyYXZlbFJlY29yZF9FMjAeFw0xNDAyMjIwMDEwMTRaFw0xNzAyMjEwMDEwMTRaMHsxCzAJBgNVBAgffgrYTAlVTMRAwDgYDVQQIEwdBecml6b25hMRAwDgYDVQQHEwdQaG9lbml4MRkwFwYDVQQKExBBbWVyaWNhbiBFeHByZXNzMQwwCgYDVQQLEwNHVFQxHzAdBgNVBAMMFkRpZ2l0YWxUcmF2ZWxSZWNvcmRfRTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZaSfXYimJ+4aikAkDcQWGf9D83yzBbESds7A3ednCH3w/inBuKs24ukAXBEQtUctCoUiWGvu2FYMVpfYGsw2sX7bmsYdMM0GC2XyG6HEIz64xXx4WEqvcoJb5+ELpO60rCD5bus1AnKt/jqNl2ntxMHDznv/2j5hE2BA+GBZS1DbJQWaVtNN0I9d8aWz+7OeqpUtv+ITLdauZdL4DovaZ4TPy9+IaITOIWgBElUWUw/zJI3YAV5vCupLgV2qAe05eFwNNxzMWvQVtslHPuSEW/ZryMA+pxrZyCFp7YQ4AwOTZL+u+LHpEwHVVfZB95EdPNo5uw+1ijmGbuaTDSjg1AgMBAAEwDQYJKoZIhvcNAQEEBQADggEBAGFTv+bULqq9sGJzmcdQMpj1fnXWqFw4w+fVoXV37RKjNlvGuwls5cHa9B0j9fTxn9fg8KE1IubS8L0jeJXXcuBhlT9RWAzCIzQDqs6TwO8Sys88EkjNMqwDZsJYjmGPFMkm8oPA11sCuy+y5m1yplN1VpO3f1Anm7j4WkZ9Cq2HRvZG5OZ45rcvPJ1+xsepz1PyLIQeMxFQJNu7YL4MyEl9UeoRxSoh9SVMaahQ2PgYc91TbCWCVwo96xkRoGPviZAFhXXxmSbjWX0OLigM8bGx2KryBOYIZfjTPfWZ1mhTWocD5URlkpx0WRUWmU2MaK9sXFuQf4UAXgu2RfIykrU=</wsse:BinarySecurityToken>
            <ds:Signature Id="SIG-7" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="itin soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:CanonicalizationMethod>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#id-6">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                <ec:InclusiveNamespaces PrefixList="itin" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>IPhyJugxYi+W+SJjydFNF/01jxg=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>sDJwzzmPoVaV7m6cNaAReQU4l3EG98jVV6C0MvYTTxA+fsKlANi/9cONnKxGCTT9z81DsY6uJmy/
                    72gBZhf/csNBYc+9LFAHU17Ee/dOd2AeTXr7Bge7DDDqYXwoKKQVkAsNOCFa0UIuEI3HsfUl8GNb
                    uD62v9Z9r4VpjxeLBNuE0RJxBtrPHYWCr/6MP9Q6smal5QvWnn9HkG6s4pehkdk9WkAnBPuChcF8
                    O+ojHo7wtA4EEFYh6LLQYzfcz4dkhwdxbMUpkejAWMbv8RVmdHcxvW76l84QPIqS9nn3cFviwyok
                    y1ewnR7+qZkTETNhjwbFeNZP6h3QiUsI0pyLUw==</ds:SignatureValue>
                <ds:KeyInfo Id="KI-8CD06AFAA518E6C688143339459975414">
                    <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-8CD06AFAA518E6C688143339459975415" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
                        <wsse:Reference URI="#X509-8CD06AFAA518E6C688143339459975413" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body wsu:Id="id-6" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <itin:ping>
            <!--Optional:-->
            <itin:param>HI</itin:param>
        </itin:ping>
    </soapenv:Body>
</soapenv:Envelope>