php openssl asymmetric decrypt - php

I was hoping someone could help me understand how to decrypt an XML file that was previously encrypted with a public key. The file is divided into two sections, the AuthenticatedPublic section and the AuthenticatedPrivate section; inside the latter there are specific tags like CipherValue and X509Certificate that are supposed to be decrypted with my private key. The steps I have tried were:
Parse the entire XML file with XmlToArray.
Got one of the tags I need to decrypt, which was the CipherValue.
Then I tried many things, like trying to decrypt using (I'm using PHP, so this is inside a function):
openssl rsautl -decrypt -inkey "'.$privkey.'" -in "'.$tag.'" -out decrypted.xml
But the result is an empty decrypted.xml file. I have also tried converting to base64 and then decrypting, but then I reach an error:
rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error:.\crypto\rsa\rsa_pk1.c:273:
5612:error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:.\crypto\rsa\rsa_eay.c:602:
In fact, I'm not really sure if this is the way to decrypt the XML. Any thoughts?
Thanks for your time, Regards
EDIT
As Pak Uula suggested, below is more detailed information about my XML file; please note that I have hidden some of the data for obvious reasons:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<DCinemaSecurityMessage xmlns="http://www.smpte-ra.org/schemas/430-3/2006/ETM" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
<AuthenticatedPublic Id="ID_AuthenticatedPublic">
...(keys hidden for brevity)
<RequiredExtensions>
<KDMRequiredExtensions xmlns="http://www.smpte-ra.org/schemas/430-1/2006/KDM">
...(keys hidden for brevity)
....(below some of the keys that I need to decrypt)
<CompositionPlaylistId>urn:uuid:d932f6a0-094b-etc-etc-etc</CompositionPlaylistId>
<ContentTitleText>...</ContentTitleText>
..
<AuthorizedDeviceInfo>
<DeviceListIdentifier>urn:uuid:31949239-a1f9-etc-etc-etc</DeviceListIdentifier>
<DeviceList>
<CertificateThumbprint>2jmj7l5rSw0yVb/vlW-etc-etc-etc</CertificateThumbprint>
</DeviceList>
</AuthorizedDeviceInfo>
<KeyIdList>
<TypedKeyId>
<KeyType>MDIK</KeyType>
<KeyId>urn:uuid:154727b3-890c-etc-etc-etc</KeyId>
</TypedKeyId>
<TypedKeyId>
<KeyType>MDAK</KeyType>
<KeyId>urn:uuid:682c2ff0-9b1d-etc-etc-etc</KeyId>
</TypedKeyId>
</KeyIdList>
</KDMRequiredExtensions>
</RequiredExtensions>
<NonCriticalExtensions />
</AuthenticatedPublic>
<AuthenticatedPrivate Id="ID_AuthenticatedPrivate">
<enc:EncryptedKey xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
...(keys hidden for brevity)
....(below some of the keys that I need to decrypt)
<enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
<enc:CipherData>
<enc:CipherValue>lwYdkG5Q5wfW/S7UzZDtnJMcAng3w3ketzkh68y1BeX+okNEj48b5rSWUC/4mNhT
N2QsHxOCkvKDavIGGSAP23tdp0VtdeHTNAszcgK4Xzc8VHGUEiswONCOxTzNWuwj
...etc etc
zfHceeHN50b8vzM/Rt/jTUq54eC3nE+lP3eTXbLj/YvpPo8H45Sti9YP9WZixGHz
Uvf6Go31+3JwsXXIUl3O+w==</enc:CipherValue>
</enc:CipherData>
</enc:EncryptedKey>
<enc:EncryptedKey xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
<enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
<enc:CipherData>
<enc:CipherValue>TvC1LCspgTsXqM1b8ClPCtAkAdXXzxe+Av7LMxYtUaqUbd8HeBuaS1cx3WwoVRDr
TWcrBEnv24GbIB5ygcMFW3DlGsXfmWJGnRNx/6xT/U15RQPgoD9AP4WFEHxthzP0
...etc etc
1ajG5lDjEu4TqjdL7DPGNu9HfI9boerJ5FUFQ/fMdD4xbDHdc4DgIQdTUgLFGHJz
RwOyfOAcSNoO/fpAkMXoEw==</enc:CipherValue>
</enc:CipherData>
</enc:EncryptedKey>
</AuthenticatedPrivate>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#ID_AuthenticatedPublic">
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>KJ37JaHCdMo5dq3TmIaxF+A+lpuoVG-etc-etc-etc</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#ID_AuthenticatedPrivate">
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>rcIAaHZoc80XqB70S2oZEp6IziDrVgwt-etc-etc-etc</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>hcOaWg8mzwc61XkyqXxy6+cuuGtrsDjTVzFeSv4ZAs6INQBTYChGiHD00lE8ud02
uG/bbjcqHiMVAFdhZIjw1xIs0FrAh3EdO7eJtiyGl1CpK9z5X9VXizkkhf4wWAZS
....etc etc
0i9iV4sMJlZn4j9glWiTgA==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>dnQualifier=4py0tKtJ07bHLNbK-etc-etc-etc,OU=...,O=...,CN=...</ds:X509IssuerName>
<ds:X509SerialNumber>167201700</ds:X509SerialNumber>
</ds:X509IssuerSerial>
<ds:X509Certificate>MIIEZDCCA0ygAwIBAgIECfdLpDANBgkqhkiG9w0BAQsFADBzMRIwEAYDVQQDEwku
VmltcDE2MDQxEzARBgNVBAoTCi5EQy5DQS5SdVMxITAfBgNVBAsTGC5DbGlwc3Rl
ci5GQk1TLkRDLkNBLlJ1UzElMCMGA1UELhMcNHB5MHRLdEowN2JITE5iS2VwdTRG
-etc-etc-etc
/g07WLzKPQmLxR8I/8GhdyI3Nez+16rJPKMJ3eUV7qLuvA1B2VQ93jBzC4fVvzfI
xFYzYV2RO+VquC/dcgPHKLZPhR1Rp4zP74lGAPIloQa1kpVzjoGypK7QDWLFg+IG
XBtw1dtscIywnqTxYXaxXwic9OlQ2mcmMS7sh2ke2xB9CLYD9JmjPaV71A4J2Y2Y
eF6WeFKIzkKp0fJffqDbFFvKfap3K9e000K/Yno5fFurWW/fagdGEHAXB0zHCj7k
d14u2vegqToKdMsybcA5RngZ7YWYQZKJ
</ds:X509Certificate>
</ds:X509Data>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>dnQualifier=wiwAlHjwPoipV-etc-etc-etc,OU=....,O=....,CN=...</ds:X509IssuerName>
<ds:X509SerialNumber>9714</ds:X509SerialNumber>
</ds:X509IssuerSerial>
<ds:X509Certificate>MIIELDCCAxSgAwIBAgICJfIwDQYJKoZIhvcNAQELBQAwajESMBAGA1UEAxMJLkNs
aXBzdGVyMRMwEQYDVQQKEwouREMuQ0EuUnVTMRgwFgYDVQQLEw8uRkJNUy5EQy5D
QS5SdVMxJTAjBgNVBC4THHdpd0FsSGp3UG9pcFY1d3ZEd1pZMFhUYWlNTT0wHhcN
-etc-etc-etc
fiZ3Ljj0uayRAaJtOpflj8RYgWgf2oQvA3vIdc35J2WCea9xm+MLBjycJeaHqgcb
h1hh4qWtaINElm2sdf1p8/feBU0vBV/4ey0TR86tF0FhuVBCg4v9HqrFMY+m4/xJ
wyMCysIxr7ZgszAMOgarYD6JfhNGWm+1VAyI7lR/VspPj6FV0hVOwCb9QZHA/c1Z
5vMeW+Wx3C+1q4HBYHm+ryc7lTt045w7HilTig07g0K6DMaf8G3V5kxZpOQcVWn3
iNFT6Fzg+bE9YD2FdhnVOQ==
</ds:X509Certificate>
</ds:X509Data>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>dnQualifier=JknMF1MuF3k1Jg-etc-etc-etc=,OU=...,O=...,CN=...</ds:X509IssuerName>
<ds:X509SerialNumber>9712</ds:X509SerialNumber>
</ds:X509IssuerSerial>
<ds:X509Certificate>MIIEGjCCAwKgAwIBAgICJfAwDQYJKoZIhvcNAQELBQAwYTEOMAwGA1UEAxMFLkZC
TVMxEzARBgNVBAoTCi5EQy5DQS5SdVMxEzARBgNVBAsTCi5EQy5DQS5SdVMxJTAj
BgNVBC4THEprbk1GMU11RjNrMUpnL2JFZm1uWjVpNnlmcz0wHhcNMTUxMDAxMDAw
-etc-etc-etc
+mMkPdu2GuXJj4BBQY0ayoixrSyHg3stATcdeEbU1WESEsmztT8coXMLrd3/W0I6
ahe/dQyOSnZtv8RBL/Zb3Mnih+BQGSbiKlpWNoev71/r5JxA4/grffAfeFjnWy8E
zhAKe9wGx+wR+yQhSBUTHtGE/cA9NfOvOnRvO3BEXsfcJASFXITayaZ7MxP3Mgl/
4RnNxmgKFVY62LLZRo+DmXHhnilVBxrk1YEtBq/mb9R7SYtI5AmfL+B0TUJWGQ==
</ds:X509Certificate>
</ds:X509Data>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>dnQualifier=JknMF1MuF3k1Jg-etc-etc-etc,OU=...,O=....,CN=....</ds:X509IssuerName>
<ds:X509SerialNumber>9711</ds:X509SerialNumber>
</ds:X509IssuerSerial>
<ds:X509Certificate>MIIEETCCAvmgAwIBAgICJe8wDQYJKoZIhvcNAQELBQAwYTEOMAwGA1UEAxMFLkZC
TVMxEzARBgNVBAoTCi5EQy5DQS5SdVMxEzARBgNVBAsTCi5EQy5DQS5SdVMxJTAj
BgNVBC4THEprbk1GMU11RjNrMUpnL2JFZm1uWjVpNnlmcz0wHhcNMTUxMDAxMDAw
-etc-etc-etc
iFwmmsU6j0BosEVv/NcdmyoZ68rY0xrjSiCLY7lreHec58ZFXOxNKQsfNJGriyrg
30nMPjp/tgaHK6RZ+XL8sRX9NY+ySBeS/uQtCeH5CtCavIwPrurv5BUbzNmIB5FK
m4wvtXmfVcxTnL4lYHvyhqieDsm+Uwv7Fwt03ygqXeW5IPCs7nqcLwYzhm/7Mn5d
3YBiLH4B0+W2Mq5px0Hrm/2pOVEXv67mbSgdGsHnAYu/f0xN2A==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</DCinemaSecurityMessage>
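As an added example (not code from the question), this PHP script shows what the decryption step for an `enc:EncryptedKey` like the ones above actually involves. The `EncryptionMethod` says `rsa-oaep-mgf1p`, i.e. RSA-OAEP (SHA-1 and MGF1-SHA-1), and the `CipherValue` text is line-wrapped base64, so the blob has to be base64-decoded to raw bytes and then decrypted with OAEP padding; running the raw text, or the decoded bytes, through `rsautl -decrypt` with its default PKCS#1 v1.5 padding is what produces "padding check failed". The RSA key pair and the wrapper document here are generated and constructed inside the script so it runs offline; a real KDM is decrypted with the private key that matches the recipient certificate it was issued to.

```php
<?php
declare(strict_types=1);

// --- constructed sample: a throwaway key pair and a fake "encrypted key" blob ---
$keyPair = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
if ($keyPair === false || !openssl_pkey_export($keyPair, $privPem)) {
    throw new RuntimeException('key generation failed: ' . openssl_error_string());
}
$pubPem = openssl_pkey_get_details($keyPair)['key'];     // PEM public key

$secret = random_bytes(16);                              // stands in for the key material
if (!openssl_public_encrypt($secret, $blob, $pubPem, OPENSSL_PKCS1_OAEP_PADDING)) {
    throw new RuntimeException('encrypt failed: ' . openssl_error_string());
}

// Wrap it the way the KDM does: base64, line-wrapped, inside enc:CipherValue.
$kdm = '<?xml version="1.0" encoding="UTF-8"?>'
     . '<DCinemaSecurityMessage xmlns="http://www.smpte-ra.org/schemas/430-3/2006/ETM"'
     . ' xmlns:enc="http://www.w3.org/2001/04/xmlenc#">'
     . '<AuthenticatedPrivate Id="ID_AuthenticatedPrivate">'
     . '<enc:EncryptedKey>'
     . '<enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>'
     . '<enc:CipherData><enc:CipherValue>' . chunk_split(base64_encode($blob), 64, "\n")
     . '</enc:CipherValue></enc:CipherData>'
     . '</enc:EncryptedKey></AuthenticatedPrivate></DCinemaSecurityMessage>';

// --- the decrypt routine: one plaintext per enc:EncryptedKey, in document order ---
function decryptEncryptedKeys(string $xml, string $privateKeyPem): array
{
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('enc', 'http://www.w3.org/2001/04/xmlenc#');

    $priv = openssl_pkey_get_private($privateKeyPem);
    if ($priv === false) {
        throw new RuntimeException('bad private key: ' . openssl_error_string());
    }

    $out = [];
    foreach ($xp->query('//enc:EncryptedKey') as $ek) {
        $alg = $xp->evaluate('string(enc:EncryptionMethod/@Algorithm)', $ek);
        // Pick the OpenSSL padding that matches the declared algorithm.
        // rsa-oaep-mgf1p is OAEP with SHA-1/MGF1-SHA-1, which is what
        // OPENSSL_PKCS1_OAEP_PADDING means in PHP. The PKCS#1 v1.5 default
        // applied to an OAEP blob fails the padding check.
        $padding = match ($alg) {
            'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' => OPENSSL_PKCS1_OAEP_PADDING,
            'http://www.w3.org/2001/04/xmlenc#rsa-1_5'        => OPENSSL_PKCS1_PADDING,
            default => throw new RuntimeException("unsupported EncryptionMethod: $alg"),
        };

        // CipherValue is base64 text, possibly line-wrapped: strip whitespace, decode strictly.
        $b64 = preg_replace('/\s+/', '', $xp->evaluate('string(enc:CipherData/enc:CipherValue)', $ek));
        $ct  = base64_decode($b64, true);
        if ($ct === false) {
            throw new RuntimeException('CipherValue is not valid base64');
        }

        if (!openssl_private_decrypt($ct, $plain, $priv, $padding)) {
            throw new RuntimeException('decrypt failed: ' . openssl_error_string());
        }
        $out[] = $plain;
    }
    return $out;
}

$recovered = decryptEncryptedKeys($kdm, $privPem);
if (count($recovered) !== 1 || !hash_equals($secret, $recovered[0])) {
    throw new LogicException('round trip failed');
}

// For contrast, the padding the question's rsautl command implies (PKCS#1 v1.5)
// is expected to fail on the same OAEP blob, with the padding error the question shows.
if (openssl_private_decrypt($blob, $junk, $privPem, OPENSSL_PKCS1_PADDING)) {
    throw new LogicException('v1.5 unpadding of an OAEP blob should not succeed');
}
echo "OAEP decrypt OK; v1.5 padding rejected as expected\n";
```

The equivalent on the command line is to base64-decode the `CipherValue` into a file first and then run `openssl rsautl -decrypt -oaep -inkey key.pem -in blob.bin` (or `openssl pkeyutl -decrypt -pkeyopt rsa_padding_mode:oaep ...`). Two caveats a practitioner would add: the KDM carries a `ds:Signature` over both the public and the private sections, so the signature and the signer's certificate chain should be checked before any recovered key is used, since a successful decryption proves nothing about who issued the message; and the decrypted bytes are the key material structure the KDM schema defines, not XML, so writing them to `decrypted.xml` and expecting a readable document will disappoint.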

Related

Sign xml with XADES-EPES using PHP

I need to sign a document using XADES-EPES and I am using PHP for that purpose.
Using the xml below, I have been able to calculate the digest value <ds:DigestValue>ql0urtXTsc9W0GMIhTdzYHXnQYfnieoIttOBn9fGw7A=</ds:DigestValue> in the example given below, but I wonder how the other <ds:DigestValue>5JVZPTwN5Lj0sGTfFzaUeMKCo/xbCAj7fw6TLUFtZIk=</ds:DigestValue> is calculated.
I am using this XML as a test case:
<?xml version="1.0" encoding="UTF-8" xs:xmlns="https://tribunet.hacienda.go.cr/docs/esquemas/2016/v4.2/FacturaElectronica_V.4.2.xsd"?>
<FacturaElectronica>
<Clave>1</Clave>
<NumeroConsecutivo>1</NumeroConsecutivo>
<FechaEmision>1</FechaEmision>
<Emisor>1</Emisor>
<Receptor>1</Receptor>
<CondicionVenta>1</CondicionVenta>
<CondicionVenta>1</CondicionVenta>
<MedioPago>1</MedioPago>
<DetalleServicio>1</DetalleServicio>
<ResumenFactura>1</ResumenFactura>
<Normativa>1</Normativa>
</FacturaElectronica>
I am supposed to sign it with something similar to this (note: the SignatureValue and the X509Certificate have been truncated):
<ds:Signature Id="id-e34ffbff277e8d1432e864436aa11882" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference Id="r-id-1" Type="" URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<ds:XPath>not(ancestor-or-self::ds:Signature)</ds:XPath>
</ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>ql0urtXTsc9W0GMIhTdzYHXnQYfnieoIttOBn9fGw7A=</ds:DigestValue>
</ds:Reference>
<ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#xades-ide34ffbff277e8d1432e864436aa11882">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>5JVZPTwN5Lj0sGTfFzaUeMKCo/xbCAj7fw6TLUFtZIk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue Id="value-ide34ffbff277e8d1432e864436aa11882">Mt1TUuPK3W8/0eRtJX5t45GV9bHvMjw....</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIFpTCCBI2gAwIBAgIKK+...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<ds:Object>
<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#ide34ffbff277e8d1432e864436aa11882">
<xades:SignedProperties Id="xades-id-e34ffbff277e8d1432e864436aa11882">
<xades:SignedSignatureProperties>
<xades:SigningTime>2016-11-25T16:35:06Z</xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>LoXZC86JwDL7zWC35qj7Q4AzrRQ=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>CN=CA SINPE - PERSONA FISICA,OU=DIVISION DE SERVICIOS FINANCIEROS,O=BANCO CENTRAL DE COSTA RICA,C=CR,2.5.4.5=#130c342d3030302d303034303137</ds:X509IssuerName>
<ds:X509SerialNumber>207422209224813750547132</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
<xades:SignaturePolicyIdentifier>
<xades:SignaturePolicyId>
<xades:SigPolicyId>
<xades:Identifier>https://tribunet.hacienda.go.cr/docs/esquemas/2016/v4.1/Resolucion_Comprobantes_Electronicos_DGT-R-48-2016.pdf</xades:Identifier>
</xades:SigPolicyId>
<xades:SigPolicyHash>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>NmI5Njk1ZThkNzI0MmIzMGJmZDAyNDc4YjUwNzkzODM2NTBiOWUxNTBkMmI2YjgzYzZjM2I5NTZlNDQ4OWQzMQ==</ds:DigestValue>
</xades:SigPolicyHash>
</xades:SignaturePolicyId>
</xades:SignaturePolicyIdentifier>
</xades:SignedSignatureProperties>
<xades:SignedDataObjectProperties>
<xades:DataObjectFormat ObjectReference="#r-id-1">
<xades:MimeType>application/octet-stream</xades:MimeType>
</xades:DataObjectFormat>
</xades:SignedDataObjectProperties>
</xades:SignedProperties>
</xades:QualifyingProperties>
</ds:Object>
</ds:Signature>
From what I read here and here, I stand by what I described previously: it's the hash of the node SignedProperties. This hash is part of the SignedInfo node, which is the one that gets signed afterwards. The first link is a blog in polish. It's not perfect, but Google Translate is doing a quite decent job and the info in the blog helped me to understand more clearly.
Make sure to get the node canonicalized and base64_encoded
P.S.: Good luck with the implementation you are developing for electronic invoicing in Costa Rica ;-D
I just started reading into a similar topic, so it's just an idea and I have not tried it, but I believe the second hash comes from the xades:SignedProperties node that is part of the ds:Object.
At least the id (xades-id-e34ff...) in the object and in the reference are identical.
Hope this gives you (and me :-D ) a hint.
Regards,
Sebastian

PHP soap wrong digest hash

I'm trying to send a SOAP message from PHP to a server, and I'm stuck at generating a SHA256 hash of the data being sent. Here is an example request provided by server owner:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-16FE2A6FC1AFE42BE9146412186273511">...</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-16FE2A6FC1AFE42BE9146412186273615">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">...</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#id-16FE2A6FC1AFE42BE9146412186273614">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>/CJj9686ARgbV/YmDrr+1yhcaJuXu022cADK/M8efQs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Ii+W0EB2V6GJo4jMGwK1HCRdt6+r9TkgfhXyAuY8FNCXhPOtfoUi/Bw31U4Hm7SLscM/8klrQI3Z2vSfdNe3oDi1cm2Qouv1sOBK17VSg/IgKN92BC8kUaoF5W5ZBEcZr0WHjDWasSYEerZQ3Q+ZIJzt6cbS+cLZfQkLFg1UDOi5qLUkWE1pQ9AVYCvwrOFj/hFQx5koQTpigyG/DPlyoh2xOh/DAh6U/P5p+IiQwwCMdo1Rh2czUVpRCr3Cnz97AlQ8G6IGAtWNykXorVYZ1tGnXEaRngzjsn5RE/zCcRkqRpFaiEQuYly1I6YtFOEYIPXskE5oMZkCLINebu1Law==
</ds:SignatureValue>
<ds:KeyInfo Id="KI-16FE2A6FC1AFE42BE9146412186273512">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STR-16FE2A6FC1AFE42BE9146412186273513">
<wsse:Reference URI="#X509-16FE2A6FC1AFE42BE9146412186273511" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</SOAP-ENV:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-16FE2A6FC1AFE42BE9146412186273614">
<Trzba xmlns="http://fs.mfcr.cz/eet/schema/v2">
<Hlavicka dat_odesl="2016-09-19T19:06:37+01:00" prvni_zaslani="false" uuid_zpravy="9edeb22b-4234-4047-869c-3a76f86c20d3"/>
<Data celk_trzba="34113.00" cerp_zuct="679.00" cest_sluz="5460.00" dan1="-172.39" dan2="-530.73" dan3="975.65" dat_trzby="2016-01-05T00:30:12+01:00" dic_popl="CZ00000019" id_pokl="/5546/RO24" id_provoz="273" porad_cis="0/6460/ZQ42" pouzit_zboz1="784.00" pouzit_zboz2="967.00" pouzit_zboz3="189.00" rezim="0" urceno_cerp_zuct="324.00" zakl_dan1="-820.92" zakl_dan2="-3538.20" zakl_dan3="9756.46" zakl_nepodl_dph="3036.00"/>
<KontrolniKody>
<pkp cipher="RSA2048" digest="SHA256" encoding="base64">
W7UlA4hXNsDLvCj/eeRAYeOAsNsgMSdltcJNIW98KQRsfspTMW0Lr/OGQgRHZfO5KjolZgzN3k9mgzrVoX2+N90fCNEnOri2kjrW5vzTgMK6OZ9IryAEg0xFZjjjCQ0qKsQsVi8OLQOn3ZnN/BUGG2SIduER+iIOrhfOmes7OXaa5/2jQSfPTHZHZ/Bxhqld3gL4PHvd7sevZYUupHpE1fM7Uw1+lu8i1YOdghZoMyOfKw7FcqvRJpHrW/JZL5Dr5iCgu5ClmhZrb3hZavsxlDG7P2cUhSQgmEVTxJ2n38q/Cf91KE8e52SODN4Q8BfncXpmtkQ7Go3KsRsY3xN7xg==
</pkp>
<bkp digest="SHA1" encoding="base16">1F1A2D90-4EAD34A8-411CFB0B-EB17616E-B2CE8114</bkp>
</KontrolniKody>
</Trzba>
</soap:Body>
</soap:Envelope>
And here my code:
$text = '<Trzba xmlns="http://fs.mfcr.cz/eet/schema/v2"><Hlavicka dat_odesl="2016-09-19T19:06:37+01:00" prvni_zaslani="false" uuid_zpravy="9edeb22b-4234-4047-869c-3a76f86c20d3"/><Data celk_trzba="34113.00" cerp_zuct="679.00" cest_sluz="5460.00" dan1="-172.39" dan2="-530.73" dan3="975.65" dat_trzby="2016-01-05T00:30:12+01:00" dic_popl="CZ00000019" id_pokl="/5546/RO24" id_provoz="273" porad_cis="0/6460/ZQ42" pouzit_zboz1="784.00" pouzit_zboz2="967.00" pouzit_zboz3="189.00" rezim="0" urceno_cerp_zuct="324.00" zakl_dan1="-820.92" zakl_dan2="-3538.20" zakl_dan3="9756.46" zakl_nepodl_dph="3036.00"/><KontrolniKody><pkp cipher="RSA2048" digest="SHA256" encoding="base64">W7UlA4hXNsDLvCj/eeRAYeOAsNsgMSdltcJNIW98KQRsfspTMW0Lr/OGQgRHZfO5KjolZgzN3k9mgzrVoX2+N90fCNEnOri2kjrW5vzTgMK6OZ9IryAEg0xFZjjjCQ0qKsQsVi8OLQOn3ZnN/BUGG2SIduER+iIOrhfOmes7OXaa5/2jQSfPTHZHZ/Bxhqld3gL4PHvd7sevZYUupHpE1fM7Uw1+lu8i1YOdghZoMyOfKw7FcqvRJpHrW/JZL5Dr5iCgu5ClmhZrb3hZavsxlDG7P2cUhSQgmEVTxJ2n38q/Cf91KE8e52SODN4Q8BfncXpmtkQ7Go3KsRsY3xN7xg==</pkp><bkp digest="SHA1" encoding="base16">1F1A2D90-4EAD34A8-411CFB0B-EB17616E-B2CE8114</bkp></KontrolniKody></Trzba>';
$doc = new DOMDocument();
$doc->loadXML($text);
$text = $doc->C14N(true, true);
$hash = base64_encode(hash('sha256', $text, true));
echo $hash;
But I'm getting this hash: sQMcQ4plFh9J9ovXzCUmVcMPofSWlr93Ag+72o8761o=, however according to the example document, I should get this: /CJj9686ARgbV/YmDrr+1yhcaJuXu022cADK/M8efQs=.
So, what am I doing wrong?
I know this post is old, but...
I'm writing here because I have the same issue even though I use base64_encode().
I get a digest value, but not the same as the example.
But I don't know whether I must encode my data as UTF-8 first, like this:
$digestedValue = base64_encode(hash('sha256',utf8_encode($doxXml->C14N()),true));
Or like this, with another function:
$digestedValue = base64_encode(openssl_digest(utf8_encode($doxXml->C14N()),'sha256',true));
Using utf8_encode() changes the digest value if any characters that need to be encoded in UTF-8 are present... So... should we use it, or not?
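The following PHP script is an added example, not code from either of the posts above. It serves both the XAdES question (the second `ds:DigestValue` is the hash of the canonicalized `xades:SignedProperties` element) and the SOAP question: a `ds:Reference` with `URI="#id"` covers the element carrying that Id, canonicalized as a subtree with the declared transform, and nothing else. In the SOAP message the referenced element is the `soap:Body` that carries `wsu:Id`, start tag and namespace declarations included, so hashing only the `Trzba` payload loaded as a standalone document produces a different value. Both documents below are constructed, cut-down versions of the ones in the posts, so the printed digests are not the ones the posters were trying to match; the function itself is what to reuse. One detail worth settling: `C14N()` already returns UTF-8 bytes, so `utf8_encode()` on its output would re-encode any non-ASCII byte and change the digest.

```php
<?php
declare(strict_types=1);

/**
 * Digest for a ds:Reference URI="#$id": canonicalize the referenced element and hash it.
 * $exclusive = true  -> http://www.w3.org/2001/10/xml-exc-c14n#
 * $exclusive = false -> http://www.w3.org/TR/2001/REC-xml-c14n-20010315 (inclusive)
 */
function referenceDigest(DOMDocument $doc, string $id, bool $exclusive = true, string $algo = 'sha256'): string
{
    if (str_contains($id, '"')) {
        throw new InvalidArgumentException('Id must not contain a double quote');
    }
    $xp = new DOMXPath($doc);
    // Match any attribute whose local name is "Id" (wsu:Id, xades Id, plain Id ...),
    // since DOMDocument::getElementById only knows DTD-declared ID attributes.
    $nodes = $xp->query(sprintf('//*[@*[local-name()="Id"]="%s"]', $id));
    if ($nodes->length !== 1) {
        throw new RuntimeException("expected exactly one element with Id=$id, got {$nodes->length}");
    }
    // C14N on the element canonicalizes that subtree, start tag included.
    // Exclusive C14N only emits namespace declarations the subtree actually uses;
    // inclusive C14N also copies the ones inherited from ancestors.
    $canon = $nodes->item(0)->C14N($exclusive, false);
    // C14N output is already UTF-8 bytes: do not run utf8_encode() on it.
    return base64_encode(hash($algo, $canon, true));
}

// --- constructed sample 1: a WS-Security signed Body, shaped like the SOAP question ---
$soap = <<<'XML'
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header/>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-1">
<Trzba xmlns="http://fs.mfcr.cz/eet/schema/v2"><Hlavicka uuid_zpravy="00000000-0000-0000-0000-000000000000"/></Trzba>
</soap:Body>
</soap:Envelope>
XML;

$doc = new DOMDocument();
$doc->preserveWhiteSpace = true;   // whitespace text nodes are part of the canonical form
$doc->loadXML($soap);

// What the verifier hashes: the whole <soap:Body ...> element named by the Reference URI.
$bodyDigest = referenceDigest($doc, 'id-1');

// The mistake in the question: hashing only the payload child, in a document of its own.
$child = new DOMDocument();
$child->loadXML('<Trzba xmlns="http://fs.mfcr.cz/eet/schema/v2"><Hlavicka uuid_zpravy="00000000-0000-0000-0000-000000000000"/></Trzba>');
$childDigest = base64_encode(hash('sha256', $child->C14N(true, false), true));

if ($bodyDigest === $childDigest) {
    throw new LogicException('these cover different byte strings and must differ');
}

// --- constructed sample 2: the XAdES SignedProperties reference ---
$xades = <<<'XML'
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="sig-1">
<ds:Object>
<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#sig-1">
<xades:SignedProperties Id="xades-sig-1">
<xades:SignedSignatureProperties>
<xades:SigningTime>2016-11-25T16:35:06Z</xades:SigningTime>
</xades:SignedSignatureProperties>
</xades:SignedProperties>
</xades:QualifyingProperties>
</ds:Object>
</ds:Signature>
XML;

$sig = new DOMDocument();
$sig->preserveWhiteSpace = true;
$sig->loadXML($xades);
// This is the value for the second ds:Reference (Type="...#SignedProperties").
// With exclusive C14N, xmlns:xades is emitted (the subtree uses it) and xmlns:ds is not.
$signedPropsDigest = referenceDigest($sig, 'xades-sig-1');

echo "Body digest:             $bodyDigest\n";
echo "SignedProperties digest: $signedPropsDigest\n";
```

When the digest still does not match a reference value from another implementation, the usual culprits are whitespace (the server's document had line breaks and indentation that the canonical form keeps), the wrong flavour of C14N for the declared transform, or hashing a node other than the one the `URI` names.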

simplexml_load_string doesn't fully load XAdES-BES signature XML

I've got XML containing an XAdES-BES digital signature:
<?xml version="1.0" encoding="UTF-8"?>
<Signatures Id="ID-222cf3cf-0f0b-49d2-b7cb-4cf47bb373cb">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="ID-9a61610b-c8e3-4201-bf41-a174cbc21634">
<ds:SignedInfo Id="ID-8ebe3e85-1413-4fec-a14c-7264546ab770">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference Id="ID-e751928b-6823-47ad-a5ae-b7ccdf301751" URI="#ID-e37958b8-134c-4f51-9b25-8274fd1edce7">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>Z7q3zqS5FTNPP/mj0rDmUV5PdZQ=</ds:DigestValue>
</ds:Reference>
<ds:Reference Id="ID-396858b0-7e4b-42e1-ba5f-18368f90f0df" URI="#ID-90b9721b-1d1c-4104-ae2c-ebb6b251cf2b" Type="http://uri.etsi.org/01903#SignedProperties">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>H7EeV4pPoJ6WhWFnVSo3WNu3Yj8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue Id="ID-949000f9-85bc-435e-b387-8f7aa5551d75">a0cc/hQYjmwQC8ssBzolLyArUqOVi+s6cP+lbxku69qGleBUroQlvD6o+GpIxSJB6wlWwic3YjuxDxn9
mfW2jCLYEEM1RB277ChnHASakC+vbBP03LWC+GxsOe0seKMVsCc0EPwS5kk5RfvrUN6sTxWSW/2MOIXG
4fW1cAtjh1SjDN9Ij38SIuWpW8guJ9EGEVyTUuTiZ5dbpHfxftgKfHmr16aMpXk0ta46X2UuGTQRB+E/
0W+RpLqdmTP5VG0CxT8Z2H4n6puGL0yC20SsZZDethL/Vnr67EXTPmHFUwoZOGNu+0IFdBJW4HvLA5rF
czL82MOsCoFXqzMVxGxiqw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>AL4k+zz02RytjonBY0af0dfuuDJhNg0dypClqzkLyyLjkTa9QUbtdtA20lRuogjFqb6CVpqQ/PEdXDK5
bN6qGBQGsmdqkgru6A8aAc57QawEcbEL+rDue1L+mqM/JVnr+DAWOehITd8HzS0JQTQcxF1Lv0L1GNbJ
P8/bo8Coj2EVtKZ9tBI9+AZUdZ11uKBYj9uvKy0VGufjoljIIrQASIft4nw8a/WF+beEYOrl3PqnBcAo
Lc/CJiNsnsASws0a/EKuaP3vQbIo36s7FVH7U4x/8ypcAPsmtgi9LbH+v9Ugc2CiCj7krJIT3X9EwkjC
FUq+MykmVvfW0D0bOTP2X5k=</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
<ds:X509Data>
<ds:X509Certificate>MIIGETCCBPmgAwIBAgIUaQ+g3SS0YfvHQus43mbJ+4FSYegwDQYJKoZIhvcNAQEFBQAwczELMAkGA1UE
BhMCUEwxKDAmBgNVBAoMH0tyYWpvd2EgSXpiYSBSb3psaWN6ZW5pb3dhIFMuQS4xJDAiBgNVBAMMG0NP
UEUgU1pBRklSIC0gS3dhbGlmaWtvd2FueTEUMBIGA1UEBRMLTnIgd3Bpc3U6IDYwHhcNMTUxMDA4MTIw
MDAwWhcNMTYxMDA4MTIwMDAwWjB2MQswCQYDVQQGEwJQTDEbMBkGA1UEBRMSUEVTRUw6IDg2MDYxMzE0
Mzk3MR8wHQYDVQQDDBZLYW1pbCBTZWJhc3RpYW4gTWlqYWN6MRgwFgYDVQQqDA9LYW1pbCBTZWJhc3Rp
YW4xDzANBgNVBAQMBk1pamFjejCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4k+zz02Ryt
jonBY0af0dfuuDJhNg0dypClqzkLyyLjkTa9QUbtdtA20lRuogjFqb6CVpqQ/PEdXDK5bN6qGBQGsmdq
kgru6A8aAc57QawEcbEL+rDue1L+mqM/JVnr+DAWOehITd8HzS0JQTQcxF1Lv0L1GNbJP8/bo8Coj2EV
tKZ9tBI9+AZUdZ11uKBYj9uvKy0VGufjoljIIrQASIft4nw8a/WF+beEYOrl3PqnBcAoLc/CJiNsnsAS
ws0a/EKuaP3vQbIo36s7FVH7U4x/8ypcAPsmtgi9LbH+v9Ugc2CiCj7krJIT3X9EwkjCFUq+MykmVvfW
0D0bOTP2X5kCAwEAAaOCApgwggKUMAwGA1UdEwEB/wQCMAAwggFPBgNVHSABAf8EggFDMIIBPzCCATsG
CSqEaAGG9yMBATCCASwwgd0GCCsGAQUFBwICMIHQDIHNRGVrbGFyYWNqYSB0YSBqZXN0IG/Fm3dpYWRj
emVuaWVtIHd5ZGF3Y3ksIMW8ZSB0ZW4gY2VydHlmaWthdCB6b3N0YcWCIHd5ZGFueSBqYWtvIGNlcnR5
ZmlrYXQga3dhbGlmaWtvd2FueSB6Z29kbmllIHogd3ltYWdhbmlhbWkgdXN0YXd5IG8gcG9kcGlzaWUg
ZWxla3Ryb25pY3pueW0gb3JheiB0b3dhcnp5c3rEhWN5bWkgamVqIHJvenBvcnrEhWR6ZW5pYW1pLjBK
BggrBgEFBQcCARY+aHR0cDovL3d3dy5lbGVrdHJvbmljem55cG9kcGlzLnBsL2luZm9ybWFjamUvZG9r
dW1lbnR5LWktdW1vd3kwCQYDVR0JBAIwADAhBgNVHREEGjAYgRZrYW1pbC5taWphY3pAZ21haWwuY29t
MA4GA1UdDwEB/wQEAwIGQDCBsAYDVR0jBIGoMIGlgBTMQSp2mC5KehnakTbf2H85P9TCrqF3pHUwczEL
MAkGA1UEBhMCUEwxKDAmBgNVBAoMH0tyYWpvd2EgSXpiYSBSb3psaWN6ZW5pb3dhIFMuQS4xJDAiBgNV
BAMMG0NPUEUgU1pBRklSIC0gS3dhbGlmaWtvd2FueTEUMBIGA1UEBRMLTnIgd3Bpc3U6IDaCFH18c1x7
vNOu01acH+WfGYiAcun0MEAGA1UdHwQ5MDcwNaAzoDGGL2h0dHA6Ly9lbGVrdHJvbmljem55cG9kcGlz
LnBsL2NybC9jcmxfb3prNTIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQAP0zddWprl5hpXiIiMGcC5D7ob
/nj3wvfOUm0QCf7+ZEorfr6EC96B6F/cNtZ1wXtAQXkf5Zm3gPhbKXY6XWM2NDWadZrDV9zV75Ab06dQ
5qmDfuMGTfPUdH3+QBmW7YnniWPCGuMzGNlP9DpZ45YrgRnwlsZSHMhX0HiEeDfYKAkGhIaJ7lcPlZrj
zWBdhUOgYm06pYf8NEKVWzu808iIHIvCBot0ADcZ8ypxDyQsco/RSRGY0EO8FATCH3j2Oe/+7FGRjRQK
XczBsKu6G8GQ6b/eGuWD7NNAuBX4UJu9jXRo9mzo7zKj01/SPfE4kHTHfHr9yi9BBkzAmaAxQpT5</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<ds:Object>
<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="ID-04b0ddeb-914c-419f-acb2-780dae2ee890" Target="#ID-9a61610b-c8e3-4201-bf41-a174cbc21634">
<xades:SignedProperties Id="ID-90b9721b-1d1c-4104-ae2c-ebb6b251cf2b">
<xades:SignedSignatureProperties>
<xades:SigningTime>2015-12-08T13:37:16Z</xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>+6UE5SSks6Cn6++o8CAkSO/NMWk=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>serialNumber=Nr wpisu: 6,CN=COPE SZAFIR - Kwalifikowany,O=Krajowa Izba Rozliczeniowa S.A.,C=PL</ds:X509IssuerName>
<ds:X509SerialNumber>599792555331422089182929030726347827824527827432</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
</xades:SignedSignatureProperties>
<xades:SignedDataObjectProperties>
<xades:DataObjectFormat ObjectReference="#ID-e751928b-6823-47ad-a5ae-b7ccdf301751">
<xades:Description>Dokument w formacie xml [XML]</xades:Description>
<xades:MimeType>text/plain</xades:MimeType>
<xades:Encoding>http://www.w3.org/2000/09/xmldsig#base64</xades:Encoding>
</xades:DataObjectFormat>
</xades:SignedDataObjectProperties>
</xades:SignedProperties>
</xades:QualifyingProperties>
</ds:Object>
<ds:Object Encoding="http://www.w3.org/2000/09/xmldsig#base64" Id="ID-e37958b8-134c-4f51-9b25-8274fd1edce7" MimeType="text/plain">PFRyZXNjUGlzbWE+DQogIDxTeWduYXR1cmFBa3Q+QUJDWFlaMTIzPC9TeWduYXR1cmFBa3Q+DQogIDxQ
b2RtaW90eT4NCiAgICA8UG9kbWlvdD4NCiAgICAgIDxPc29iYUZpenljem5hPg0KICAgICAgICA8SW1p
ZT5KYW51c3o8L0ltaWU+DQogICAgICAgIDxOYXp3aXNrbz5Ob3dhazwvTmF6d2lza28+DQogICAgICAg
IDxPem5hY3plbmllPg0KICAgICAgICAgIDxQZXNlbD44OTEwMDEwMDYxNjwvUGVzZWw+DQogICAgICAg
IDwvT3puYWN6ZW5pZT4NCiAgICAgIDwvT3NvYmFGaXp5Y3puYT4NCiAgICA8L1BvZG1pb3Q+DQogIDwv
UG9kbWlvdHk+DQogIDxQb2RzdGF3YVByYXduYT4NCiAgICA8UG9kc3Rhd2E+UFBfMDA0PC9Qb2RzdGF3
YT4NCiAgPC9Qb2RzdGF3YVByYXduYT4NCjwvVHJlc2NQaXNtYT4=</ds:Object>
</ds:Signature>
</Signatures>
When I load it with simplexml_load_string, var_dump shows:
object(SimpleXMLElement)#212 (1) {
["#attributes"] => array(1) {
["Id"] => string(39) "ID-222cf3cf-0f0b-49d2-b7cb-4cf47bb373cb"
}
}
There are no nested nodes of the "Signatures" data.
However, when I remove the "ds" namespaces from the tags, it works great.
How can I get them without changing the document?
Thanks to michi's comment, I found a solution. Namespaced nodes should be accessed differently from nodes without a namespace.
So, based on the example above, when I want to use the Signature node, I can do it like this:
$xml = simplexml_load_string($content);
$signatureNode = $xml->children('ds', true)->Signature;

xmldsig php do not add signing info in XML

Sorry for my English :)
I need to write a signing block in XML like this:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#gost34310-gost34311"/>
<ds:Reference>
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#gost34311"/>
<ds:DigestValue>drvEZVSz3nSXHVI6+iRSDXZDGud9Ay56LLfMkpQkRp4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>/4ASSFXCsdsdMuwM9kw0riDbhhtLR/+UKZKNO51HbACu5DM
SLmmAmp5FwFHdsGtBQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
I found this on GitHub: https://github.com/Maks3w/xmldsig
My code is:
$data = new DOMDocument();
$data->load(__DIR__ . '/newdata.xml');
$xmlTool = new FR3D\XmlDSig\Adapter\XmlseclibsAdapter();
$xmlTool->setPrivateKey(file_get_contents('C:\xampp\htdocs\EgovPayments\private1.pem'));
$publicKey=$xmlTool->getPublicKey();
//echo 'public key is:'.$publicKey;
$xmlTool->setPublicKey($publicKey);
$xmlTool->addTransform(FR3D\XmlDSig\Adapter\AdapterInterface::ENVELOPED);
$xmlTool->setCanonicalMethod('http://www.w3.org/2001/10/xml-exc-c14n#');
$xmlTool->sign($data);
$data->saveXML();
But nothing changed in newdata.xml. How does it work with xmldsig in PHP?
Thanks
The function DOMDocument::saveXML() returns a string. It does not update the file.
http://php.net/manual/en/domdocument.savexml.php
I've got the same problem, but found the following function, "insertSignature", in the seclib.
If you use the Adapter, add the following line to the end of the verify function:
$objXMLSecDSig->insertSignature($data->getElementsByTagName("Security")->item(0));
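As an added example (not the questioner's code and not the Maks3w/xmldsig adapter), here is the same job done directly with RobRichards/xmlseclibs, the library that adapter wraps: build an enveloped RSA-SHA256 signature over the document, insert the `ds:Signature` element into the DOM, write the result to disk (which `saveXML()` on its own never does), and then reload and verify it. The file names, the key and certificate paths, and the Composer autoloader location are assumptions for illustration; the class and method names are the library's own.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';   // composer require robrichards/xmlseclibs

use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecurityKey;
use RobRichards\XMLSecLibs\XMLSecEnc;

$input   = __DIR__ . '/newdata.xml';          // assumed input document
$output  = __DIR__ . '/newdata.signed.xml';   // assumed output path
$keyFile = __DIR__ . '/private1.pem';         // assumed RSA private key (PEM)
$crtFile = __DIR__ . '/cert.pem';             // assumed matching certificate (PEM)

// --- sign ---
$doc = new DOMDocument();
$doc->preserveWhiteSpace = false;
$doc->formatOutput = false;
if (!$doc->load($input)) {
    throw new RuntimeException("cannot load $input");
}

$dsig = new XMLSecurityDSig();
$dsig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);

// Reference the whole document (URI="") with the enveloped-signature transform, so the
// ds:Signature element inserted below is excluded from its own digest.
$dsig->addReference(
    $doc,
    XMLSecurityDSig::SHA256,
    ['http://www.w3.org/2000/09/xmldsig#enveloped-signature'],
    ['force_uri' => true]
);

$key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'private']);
$key->loadKey($keyFile, true);               // second argument: the string is a file path
$dsig->sign($key);

// Publish the certificate in ds:KeyInfo so a verifier can locate the key and check its chain.
$dsig->add509Cert(file_get_contents($crtFile));

// Put the ds:Signature element into the DOM, then persist explicitly.
$dsig->appendSignature($doc->documentElement);
$doc->save($output);

// --- verify what was written ---
$check = new DOMDocument();
$check->preserveWhiteSpace = false;
$check->load($output);

$verifier = new XMLSecurityDSig();
$sigNode = $verifier->locateSignature($check);
if ($sigNode === null) {
    throw new RuntimeException('no ds:Signature found in the signed file');
}
$verifier->canonicalizeSignedInfo();
if (!$verifier->validateReference()) {         // recomputes the digest over the reference
    throw new RuntimeException('reference digest mismatch');
}
$pub = $verifier->locateKey();                 // algorithm from ds:SignatureMethod
if ($pub === null) {
    throw new RuntimeException('cannot determine signature algorithm');
}
XMLSecEnc::staticLocateKeyInfo($pub, $sigNode); // public key from the embedded X509Certificate
if ($verifier->verify($pub) !== 1) {
    throw new RuntimeException('signature does not verify');
}
echo "signed and verified: $output\n";
```

The verify half only proves the document was signed by the key inside its own `ds:KeyInfo`; a consumer still has to decide whether that certificate is one it trusts (pin it or validate its chain) rather than accepting whatever certificate the document carries.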

XPath for Assertion Token

I am writing a PHP script which needs to get an Assertion token as part of a process to log into SharePoint online. I am able to get an envelope response which includes the token I need.
How would I parse out the saml:Assertion portion of this response?
<s:Envelope xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue</a:Action>
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
<u:Timestamp u:Id="_0">
<u:Created>2014-07-01T13:50:22.480Z</u:Created>
<u:Expires>2014-07-01T13:55:22.480Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body>
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:Lifetime>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-07-01T13:50:22.476Z</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-07-01T14:50:22.476Z</wsu:Expires>
</t:Lifetime>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>urn:federation:MicrosoftOnline</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<t:RequestedSecurityToken>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_56f0eee3-ca21-4885-a40d-4ae543e9bfc8" Issuer="http://paychex.com/adfs/services/trust/" IssueInstant="2014-07-01T13:50:22.480Z">
<saml:Conditions NotBefore="2014-07-01T13:50:22.476Z" NotOnOrAfter="2014-07-01T14:50:22.476Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">qo3X1/EAe0Ci5pXaS+p8JA==</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
<saml:AttributeValue>email#email.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
<saml:AttributeValue>qo3X1/p8JA==</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2014-07-01T13:50:22.473Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">qo3X1/EAe0p8JA==</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_56f0eee3-ca21-4885-a40d-4ae543e9bfc8">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>ZzoryFYQWfks=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>UnHrvM3vUE6l4HlpsuBX7E79750MNWASBuVNIVJ01QJSID8w3IHkjfMWCjidty7F96obL5Ah6o/UY55dMjbiyWt9gyToQPrGBPjG+VX3pEz8XpXV4jrYYXJ/YMpHxdzD/OBzR/bpA+lzebkuP19woqV49ScmJ5TN4b26LEW/ynogYnNl7EEBAJR0wL9CjY6uQCNaERY0X29nyNusQyNTNW4jGeMyBu9KnfVRpVyROd4QxfwV/F8OwGlePRGPypN/VYnLRjfizS674XJ31VmLERwxgn5Xx/0bKDsNw7c5G2qFZmSi7YUxccwMxU6Ypih7D5i73uPrk7oMnRbMHsyxCQ==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIIC3DCCAcSgAwIBAgIQXIfoKmHCypFBv4Ze44WbzzANBgkqhkiG9w0BAQsFADAqMSgwJgYDVQQDEx9BREZTIFNpZ25pbmcgLSBhZGZzLnBheWNoZXguY29tMB4XDTE0MDQyNDAyMDY1NloXDTE5MDQyMzAyMDY1NlowKjEoMCYGA1UEAxMfQURkhc6NJSB8fJK+Uf/ldkC8VISTp7CW9S3TwXHKn4plqMLSY7NRYII4OPDkLXA9dGx3FQGNQoTe/uH1JGaNZlAGJp4W2Sz9r1i9Ry4lu+L0G3Q==</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
</saml:Assertion>
</t:RequestedSecurityToken>
<t:RequestedAttachedReference>
<o:SecurityTokenReference xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_56f0eee3-ca21-4885-a40d-4ae543e9bfc8</o:KeyIdentifier>
</o:SecurityTokenReference>
</t:RequestedAttachedReference>
<t:RequestedUnattachedReference>
<o:SecurityTokenReference xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_56f0eee3-ca21-4885-a40d-4ae543e9bfc8</o:KeyIdentifier>
</o:SecurityTokenReference>
</t:RequestedUnattachedReference>
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
</t:RequestSecurityTokenResponse>
</s:Body>
</s:Envelope>
My PHP code snippet to parse this response is:
// Parse security token from response
$xml = new DOMDocument();
$xml->loadXML($result);
$xpath = new DOMXPath($xml);
$nodelist = $xpath->query("/*[local-name()='name']:Body/*[local-name()='name']:RequestSecurityTokenResponse/*[local-name()='name']:RequestedSecurityToken/*[local-name()='name']:Assertion");
foreach ($nodelist as $n) {
    return $n->nodeValue;
    break;
}
Thanks for all your help,
Tim
I tried using //saml:Assertion but it did not work
You need to register the namespace prefix first - XPath expressions do not care what prefixes were used in the original document, you need to bind prefixes to namespaces yourself.
$xpath->registerNamespace("s", "urn:oasis:names:tc:SAML:1.0:assertion");
$nodelist = $xpath->query("//s:Assertion");
But this will probably still give you null because the "node value" of an element node in the DOM is defined in the spec to always be null. If you want the text inside an element node then you need to use textContent instead of nodeValue, but in this case you'll probably have to dig deeper into the tree to find the bit you actually want.
To simply extract the value, in XPath 1.0 you can use the following expression, which ignores namespaces:
/*[local-name()='Envelope']
/*[local-name()='Body']
/*[local-name()='RequestSecurityTokenResponse']
/*[local-name()='RequestedSecurityToken']
/*[local-name()='Assertion']
or using the descendant axis:
//*[local-name()='Assertion']
Ignoring namespaces should be a second option. If you can register them as suggested by @IanRoberts in the other answer it is better.
Any of these expressions will return a node-set containing all the Assertion elements found (the whole tree). The node value or text content of these nodes may not be what you want to select. For example, if you want to get the X509Certificate you should use a contextual XPath expression to that element and extract its text(). Same strategy should be used if you want an attribute of a child element.
Update: The PHP code you added uses a for loop just to extract the first node. You could use item(0) for that. Assuming there is only one assertion, key, certificate, etc, in each document, you can use XPath expressions to extract exactly what you want. For example, to get the X509Certificate text (ignoring namespaces and intermediate location steps) you could use:
$key_cert = $xpath->query("//*[local-name()='X509Certificate']")->item(0)->textContent;
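Putting both answers together in one runnable script, as an added example that is not code from the question or from either answer: it binds its own prefixes with registerNamespace(), locates the Assertion, and then uses a contextual XPath from that element to read the AssertionID attribute, the X509Certificate text and the SignatureValue. The embedded $result is a constructed, shortened response modelled on the structure in the question; the SOAP 1.2 envelope namespace, the helper firstElement() and every base64 value are assumptions or placeholders, not data from the page.

```php
<?php
declare(strict_types=1);

// Constructed sample (assumption): same nesting as the response in the
// question, with placeholder ID, signature and certificate values. The SOAP
// envelope namespace is assumed to be SOAP 1.2; adjust if yours differs.
$result = <<<'XML'
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
  <s:Body>
    <t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <t:RequestedSecurityToken>
        <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
            AssertionID="_PLACEHOLDER-ASSERTION-ID" MajorVersion="1" MinorVersion="1">
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignatureValue>U2lnbmF0dXJlUGxhY2Vob2xkZXI=</ds:SignatureValue>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <X509Data>
                <X509Certificate>Q2VydGlmaWNhdGVQbGFjZWhvbGRlcg==</X509Certificate>
              </X509Data>
            </KeyInfo>
          </ds:Signature>
        </saml:Assertion>
      </t:RequestedSecurityToken>
    </t:RequestSecurityTokenResponse>
  </s:Body>
</s:Envelope>
XML;

/**
 * Hypothetical helper (not part of PHP): run an XPath query, optionally
 * relative to $ctx, and return the first matching element or throw.
 */
function firstElement(DOMXPath $xpath, string $expr, ?DOMNode $ctx = null): DOMElement
{
    $nodes = $xpath->query($expr, $ctx);
    if ($nodes === false || $nodes->length === 0 || !$nodes->item(0) instanceof DOMElement) {
        throw new RuntimeException("no element matches $expr");
    }
    return $nodes->item(0);
}

$xml = new DOMDocument();
// LIBXML_NONET stops libxml from fetching anything over the network while
// parsing; entity substitution stays off because LIBXML_NOENT is not passed.
if (!$xml->loadXML($result, LIBXML_NONET)) {
    throw new RuntimeException('response is not well-formed XML');
}

$xpath = new DOMXPath($xml);
// These prefixes are ours, not the document's. XPath matches on the namespace
// URI, so <KeyInfo xmlns="...xmldsig#"> (default namespace in the document)
// is still found through the ds: prefix below.
$xpath->registerNamespace('saml', 'urn:oasis:names:tc:SAML:1.0:assertion');
$xpath->registerNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');

$assertion   = firstElement($xpath, '//saml:Assertion');
$assertionId = $assertion->getAttribute('AssertionID'); // an attribute, not nodeValue

// Query relative to the assertion so a KeyInfo elsewhere in the envelope is
// never picked up by mistake.
$certB64 = trim(firstElement($xpath,
    './ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $assertion)->textContent);
$sigB64  = trim(firstElement($xpath, './ds:Signature/ds:SignatureValue', $assertion)->textContent);

$certDer = base64_decode($certB64, true);
$sigRaw  = base64_decode($sigB64, true);
if ($certDer === false || $sigRaw === false) {
    throw new RuntimeException('certificate or signature is not valid base64');
}

// The assertion on its own, e.g. to hand to a signature-verifying library.
$assertionXml = $xml->saveXML($assertion);

printf("AssertionID: %s\n", $assertionId);
printf("Certificate: %d DER bytes\n", strlen($certDer));
printf("SignatureValue: %d bytes\n", strlen($sigRaw));
printf("Assertion XML: %d chars\n", strlen($assertionXml));
```

The certificate pulled out this way is whatever the sender put into KeyInfo, so on the receiving side it is only useful once it has been matched against the issuer's known signing certificate and used to check ds:SignatureValue over the referenced assertion; the attribute values inside the assertion should be acted on only after that check passes.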