I am having trouble implementing an IdP initiated login with SimplesamlPHP.
Understanding what I have to do from the documentation is not the easiest thing.
I am redirecting the user to the IdP server and after logging in, the server sends the SP an XML file which includes the user's email address, ID and other data.
This looks like a successful login, but at this point I don't know what to do with that XML. Should I parse it myself or use SimpleSAMLphp for that?
How do I validate the signature?
Here is the XML I am receiving:
<samlp:Response Destination="http://example.com/auth/acs" ID="HK1goP6OuzQs2Xrd-CN9gAkRt0Z" IssueInstant="2016-05-25T13:52:32.075Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">Stage-az:sp:MediEventsregapp</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#HK1goP6OuzQs2Xrd-CN9gAkRt0Z">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>anIASGQuZD+Z7oBVc/VJ9TuTDCcddHOkUHJuo4KGE4o=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Pw5N1U+IxXAkCARDLFHkSyinhCqy5jJ8ljkJRfVSCzWl9z/gZb87aSGs+1XH+yJJs9wOKlSisnaNBHDOPocoweqXMCePskQp0d46GX8FKLKrFPwNeyta/MnC+y2ujT/mRbd8znTkXt9ZKS2WNZbQuAgRP+4mIh+C4R0J7xjzBgPhJR+IpaAeSlFuI3oS2ggh5+fe68BQtreEAcwc4ehbt93SQA5ryXgVAWRX4COeuETj/4t5dVhk1f34JdUSO0n13U6xRheAyGJJ7njRMntNQCAGkcB6F7GEK0bEnLFTfImYhJOascURyjWUnCqyZbWt5SBKUNdWL1P90W2b17eqmg==</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="VFBGJiVRjw.GE4s8KVI2G0oyIOv" IssueInstant="2016-05-25T13:52:32.106Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>Stage-az:sp:MediEventsregapp</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">john.smith#example.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2016-05-25T13:57:32.106Z" Recipient="http://example.com/auth/acs"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2016-05-25T13:47:32.106Z" NotOnOrAfter="2016-05-25T13:57:32.106Z">
<saml:AudienceRestriction>
<saml:Audience>Stage-az:sp:MediEventsregapp</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2016-05-25T13:52:32.106Z" SessionIndex="VFBGJiVRjw.GE4s8KVI2G0oyIOv">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="PRID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">kyjh364</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
simpleSAMLphp gives you the functions that you need in order to validate and process the SAMLResponse.
The IdP should be sending the SAMLResponse to the Service Provider's Assertion Consumer URL where the state is saved. All you need to do is to create a php file and use the following methods:
https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api
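As an added example (not the answer's own code, and not from the SimpleSAMLphp project), here is the application side of that flow: the IdP posts the SAMLResponse to the SP module's ACS endpoint, SimpleSAMLphp validates it, and the PHP page reads the result through the SP API. The authsource name, autoloader path, return URL and expected IdP entity ID are assumptions.

```php
<?php
// Added example, not part of the original answer. The IdP posts the
// SAMLResponse to SimpleSAMLphp's own ACS endpoint
// (<simplesaml-base>/module.php/saml/sp/saml2-acs.php/default-sp), which
// checks the signature against the certificate in metadata/saml20-idp-remote.php,
// the Destination/Recipient, the Audience and the NotBefore/NotOnOrAfter
// window, then creates the session and redirects to RelayState. The
// application never touches the raw XML; it only talks to the SP API below.
require_once '/var/simplesamlphp/lib/_autoload.php'; // path is an assumption

// 'default-sp' is the authsource name assumed to exist in config/authsources.php.
// (Releases before 1.16 name the class SimpleSAML_Auth_Simple.)
$as = new \SimpleSAML\Auth\Simple('default-sp');

/**
 * Return a single-valued attribute or fail loudly. SAML attributes are always
 * arrays of values, and an attribute the IdP was expected to release may be
 * missing; neither case should silently turn into an empty identifier.
 */
function requiredAttribute(array $attributes, string $name): string
{
    if (!isset($attributes[$name]) || count($attributes[$name]) !== 1) {
        throw new RuntimeException("attribute $name missing or multi-valued");
    }
    return $attributes[$name][0];
}

// For an IdP-initiated login the user arrives here already authenticated.
// If not (someone opened the page directly), fall back to SP-initiated login.
if (!$as->isAuthenticated()) {
    $as->requireAuth(['ReturnTo' => 'http://example.com/app/landing.php']); // assumed URL
}

// With more than one IdP configured, confirm this session came from the IdP
// this application trusts for the identifier below (entity ID is assumed).
$expectedIdp = 'urn:example:idp';
if ($as->getAuthData('saml:sp:IdP') !== $expectedIdp) {
    http_response_code(403);
    exit('session established by an unexpected IdP');
}

$attributes = $as->getAttributes();
// The response quoted above carries a "PRID" attribute; use that as the
// application-side identifier rather than the unspecified-format NameID.
$prid = requiredAttribute($attributes, 'PRID');
echo 'logged in as ', htmlspecialchars($prid), "\n";
```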
I have been racking my brains and googling all day but have come to nothing. I am using an API that uses
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd and http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd and signature values. Here is an example of the header I am trying to send in my request:
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-91553746A32F6E86A9152119298361091">REMOVED</wsse:BinarySecurityToken>
<ds:Signature Id="SIG-91553746A32F6E86A9152119298361195" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="ser ser1 soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#id-91553746A32F6E86A9152119298361094">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="ser ser1" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>HG6Tb/IJfVWj4ZC1guDubIrFk4nw1IgoPavDqkSCrLM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue></ds:SignatureValue>
<ds:KeyInfo Id="KI-91553746A32F6E86A9152119298361092">
<wsse:SecurityTokenReference wsu:Id="STR-91553746A32F6E86A9152119298361093">
<wsse:Reference URI="#X509-91553746A32F6E86A9152119298361091" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
Is there someone out there who can help me build this using a SOAP request in PHP? I'm stumped.
I need to sign a document using XADES-EPES and I am using PHP for that purpose.
Using the XML below, I have been able to calculate the digest value <ds:DigestValue>ql0urtXTsc9W0GMIhTdzYHXnQYfnieoIttOBn9fGw7A=</ds:DigestValue> in the example given below, but I wonder how the other <ds:DigestValue>5JVZPTwN5Lj0sGTfFzaUeMKCo/xbCAj7fw6TLUFtZIk=</ds:DigestValue> is calculated.
I am using this XML as a test case:
<?xml version="1.0" encoding="UTF-8" xs:xmlns="https://tribunet.hacienda.go.cr/docs/esquemas/2016/v4.2/FacturaElectronica_V.4.2.xsd"?>
<FacturaElectronica>
<Clave>1</Clave>
<NumeroConsecutivo>1</NumeroConsecutivo>
<FechaEmision>1</FechaEmision>
<Emisor>1</Emisor>
<Receptor>1</Receptor>
<CondicionVenta>1</CondicionVenta>
<CondicionVenta>1</CondicionVenta>
<MedioPago>1</MedioPago>
<DetalleServicio>1</DetalleServicio>
<ResumenFactura>1</ResumenFactura>
<Normativa>1</Normativa>
</FacturaElectronica>
I am supposed to sign it with something similar to this (note: the SignatureValue and the X509Certificate have been truncated):
<ds:Signature Id="id-e34ffbff277e8d1432e864436aa11882" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference Id="r-id-1" Type="" URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<ds:XPath>not(ancestor-or-self::ds:Signature)</ds:XPath>
</ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>ql0urtXTsc9W0GMIhTdzYHXnQYfnieoIttOBn9fGw7A=</ds:DigestValue>
</ds:Reference>
<ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#xades-ide34ffbff277e8d1432e864436aa11882">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>5JVZPTwN5Lj0sGTfFzaUeMKCo/xbCAj7fw6TLUFtZIk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue Id="value-ide34ffbff277e8d1432e864436aa11882">Mt1TUuPK3W8/0eRtJX5t45GV9bHvMjw....</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIFpTCCBI2gAwIBAgIKK+...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<ds:Object>
<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#ide34ffbff277e8d1432e864436aa11882">
<xades:SignedProperties Id="xades-id-e34ffbff277e8d1432e864436aa11882">
<xades:SignedSignatureProperties>
<xades:SigningTime>2016-11-25T16:35:06Z</xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>LoXZC86JwDL7zWC35qj7Q4AzrRQ=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>CN=CA SINPE - PERSONA FISICA,OU=DIVISION DE SERVICIOS FINANCIEROS,O=BANCO CENTRAL DE COSTA RICA,C=CR,2.5.4.5=#130c342d3030302d303034303137</ds:X509IssuerName>
<ds:X509SerialNumber>207422209224813750547132</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
<xades:SignaturePolicyIdentifier>
<xades:SignaturePolicyId>
<xades:SigPolicyId>
<xades:Identifier>https://tribunet.hacienda.go.cr/docs/esquemas/2016/v4.1/Resolucion_Comprobantes_Electronicos_DGT-R-48-2016.pdf</xades:Identifier>
</xades:SigPolicyId>
<xades:SigPolicyHash>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>NmI5Njk1ZThkNzI0MmIzMGJmZDAyNDc4YjUwNzkzODM2NTBiOWUxNTBkMmI2YjgzYzZjM2I5NTZlNDQ4OWQzMQ==</ds:DigestValue>
</xades:SigPolicyHash>
</xades:SignaturePolicyId>
</xades:SignaturePolicyIdentifier>
</xades:SignedSignatureProperties>
<xades:SignedDataObjectProperties>
<xades:DataObjectFormat ObjectReference="#r-id-1">
<xades:MimeType>application/octet-stream</xades:MimeType>
</xades:DataObjectFormat>
</xades:SignedDataObjectProperties>
</xades:SignedProperties>
</xades:QualifyingProperties>
</ds:Object>
</ds:Signature>
From what I read here and here, I stand by what I described previously: it's the hash of the SignedProperties node. This hash is part of the SignedInfo node, which is the one that gets signed afterwards. The first link is a blog in Polish. It's not perfect, but Google Translate is doing quite a decent job, and the info in the blog helped me to understand more clearly.
Make sure to get the node canonicalized and base64-encoded.
P.S.: Good luck with the implementation you are developing for electronic invoicing in Costa Rica ;-D
I just started reading into a similar topic, so it's just an idea and I have not tried it, but I believe the second hash comes from the xades:SignedProperties node that is part of the ds:Object.
At least the id (xades-id-e34ff...) in the object and in the reference are identical.
Hope this gives you (and me :-D ) a hint.
Regards,
Sebastian
I'm trying to send a SOAP message from PHP to a server, and I'm stuck at generating a SHA256 hash of the data being sent. Here is an example request provided by server owner:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-16FE2A6FC1AFE42BE9146412186273511">...</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-16FE2A6FC1AFE42BE9146412186273615">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">...</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#id-16FE2A6FC1AFE42BE9146412186273614">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>/CJj9686ARgbV/YmDrr+1yhcaJuXu022cADK/M8efQs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Ii+W0EB2V6GJo4jMGwK1HCRdt6+r9TkgfhXyAuY8FNCXhPOtfoUi/Bw31U4Hm7SLscM/8klrQI3Z2vSfdNe3oDi1cm2Qouv1sOBK17VSg/IgKN92BC8kUaoF5W5ZBEcZr0WHjDWasSYEerZQ3Q+ZIJzt6cbS+cLZfQkLFg1UDOi5qLUkWE1pQ9AVYCvwrOFj/hFQx5koQTpigyG/DPlyoh2xOh/DAh6U/P5p+IiQwwCMdo1Rh2czUVpRCr3Cnz97AlQ8G6IGAtWNykXorVYZ1tGnXEaRngzjsn5RE/zCcRkqRpFaiEQuYly1I6YtFOEYIPXskE5oMZkCLINebu1Law==
</ds:SignatureValue>
<ds:KeyInfo Id="KI-16FE2A6FC1AFE42BE9146412186273512">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STR-16FE2A6FC1AFE42BE9146412186273513">
<wsse:Reference URI="#X509-16FE2A6FC1AFE42BE9146412186273511" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</SOAP-ENV:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-16FE2A6FC1AFE42BE9146412186273614">
<Trzba xmlns="http://fs.mfcr.cz/eet/schema/v2">
<Hlavicka dat_odesl="2016-09-19T19:06:37+01:00" prvni_zaslani="false" uuid_zpravy="9edeb22b-4234-4047-869c-3a76f86c20d3"/>
<Data celk_trzba="34113.00" cerp_zuct="679.00" cest_sluz="5460.00" dan1="-172.39" dan2="-530.73" dan3="975.65" dat_trzby="2016-01-05T00:30:12+01:00" dic_popl="CZ00000019" id_pokl="/5546/RO24" id_provoz="273" porad_cis="0/6460/ZQ42" pouzit_zboz1="784.00" pouzit_zboz2="967.00" pouzit_zboz3="189.00" rezim="0" urceno_cerp_zuct="324.00" zakl_dan1="-820.92" zakl_dan2="-3538.20" zakl_dan3="9756.46" zakl_nepodl_dph="3036.00"/>
<KontrolniKody>
<pkp cipher="RSA2048" digest="SHA256" encoding="base64">
W7UlA4hXNsDLvCj/eeRAYeOAsNsgMSdltcJNIW98KQRsfspTMW0Lr/OGQgRHZfO5KjolZgzN3k9mgzrVoX2+N90fCNEnOri2kjrW5vzTgMK6OZ9IryAEg0xFZjjjCQ0qKsQsVi8OLQOn3ZnN/BUGG2SIduER+iIOrhfOmes7OXaa5/2jQSfPTHZHZ/Bxhqld3gL4PHvd7sevZYUupHpE1fM7Uw1+lu8i1YOdghZoMyOfKw7FcqvRJpHrW/JZL5Dr5iCgu5ClmhZrb3hZavsxlDG7P2cUhSQgmEVTxJ2n38q/Cf91KE8e52SODN4Q8BfncXpmtkQ7Go3KsRsY3xN7xg==
</pkp>
<bkp digest="SHA1" encoding="base16">1F1A2D90-4EAD34A8-411CFB0B-EB17616E-B2CE8114</bkp>
</KontrolniKody>
</Trzba>
</soap:Body>
</soap:Envelope>
And here is my code:
$text = '<Trzba xmlns="http://fs.mfcr.cz/eet/schema/v2"><Hlavicka dat_odesl="2016-09-19T19:06:37+01:00" prvni_zaslani="false" uuid_zpravy="9edeb22b-4234-4047-869c-3a76f86c20d3"/><Data celk_trzba="34113.00" cerp_zuct="679.00" cest_sluz="5460.00" dan1="-172.39" dan2="-530.73" dan3="975.65" dat_trzby="2016-01-05T00:30:12+01:00" dic_popl="CZ00000019" id_pokl="/5546/RO24" id_provoz="273" porad_cis="0/6460/ZQ42" pouzit_zboz1="784.00" pouzit_zboz2="967.00" pouzit_zboz3="189.00" rezim="0" urceno_cerp_zuct="324.00" zakl_dan1="-820.92" zakl_dan2="-3538.20" zakl_dan3="9756.46" zakl_nepodl_dph="3036.00"/><KontrolniKody><pkp cipher="RSA2048" digest="SHA256" encoding="base64">W7UlA4hXNsDLvCj/eeRAYeOAsNsgMSdltcJNIW98KQRsfspTMW0Lr/OGQgRHZfO5KjolZgzN3k9mgzrVoX2+N90fCNEnOri2kjrW5vzTgMK6OZ9IryAEg0xFZjjjCQ0qKsQsVi8OLQOn3ZnN/BUGG2SIduER+iIOrhfOmes7OXaa5/2jQSfPTHZHZ/Bxhqld3gL4PHvd7sevZYUupHpE1fM7Uw1+lu8i1YOdghZoMyOfKw7FcqvRJpHrW/JZL5Dr5iCgu5ClmhZrb3hZavsxlDG7P2cUhSQgmEVTxJ2n38q/Cf91KE8e52SODN4Q8BfncXpmtkQ7Go3KsRsY3xN7xg==</pkp><bkp digest="SHA1" encoding="base16">1F1A2D90-4EAD34A8-411CFB0B-EB17616E-B2CE8114</bkp></KontrolniKody></Trzba>';
$doc = new DOMDocument();
$doc->loadXML($text);
$text = $doc->C14N(true, true);
$hash = base64_encode(hash('sha256', $text, true));
echo $hash;
But I'm getting this hash: sQMcQ4plFh9J9ovXzCUmVcMPofSWlr93Ag+72o8761o=, however according to the example document, I should get this: /CJj9686ARgbV/YmDrr+1yhcaJuXu022cADK/M8efQs=.
So, what am I doing wrong?
I know this post is old, but I'm writing here because I have the same issue even though I use base64_encode().
I get a digest value, but not the same one as in the example.
But I don't know if I must encode my data as UTF-8 first, like this:
$digestedValue = base64_encode(hash('sha256',utf8_encode($doxXml->C14N()),true));
Or like this, with another function:
$digestedValue = base64_encode(openssl_digest(utf8_encode($doxXml->C14N()),'sha256',true));
Using utf8_encode() changes the digest value if any characters that need to be encoded in UTF-8 are present... So... should we use it or not?
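Added example, not from any of the posters: the digest a ds:Reference carries is computed over the element its URI resolves to, after the listed transforms, so the same code answers the XAdES question above (the second digest is over xades:SignedProperties) and this one (the reference points at soap:Body through its wsu:Id, not at Trzba). Only exclusive C14N is applied; the sample envelope, its id and the placeholder DigestValue are constructed.

```php
<?php
// Added example, not from any of the posts above. In the SOAP message the
// Reference URI "#id-16FE...73614" names the soap:Body element (the one
// carrying that wsu:Id), so hashing the Trzba child alone cannot match.
// For the XAdES signature the Reference of Type ...#SignedProperties names
// the xades:SignedProperties element. Only exclusive C14N without comments
// is applied here; enveloped-signature and XPath transforms are not handled.

/** Locate the element whose Id-named attribute (Id, wsu:Id, ...) equals $id. */
function findById(DOMDocument $doc, string $id): ?DOMElement
{
    $xp = new DOMXPath($doc);
    $nodes = $xp->query("//*[@*[local-name()='Id' and .='" . $id . "']]");
    return ($nodes !== false && $nodes->length === 1) ? $nodes->item(0) : null;
}

/** base64(hash(exc-c14n(element))) for a same-document reference "#id". */
function referenceDigest(DOMDocument $doc, string $uri, string $algo = 'sha256'): string
{
    if ($uri === '' || $uri[0] !== '#') {
        throw new InvalidArgumentException("only same-document references are handled: '$uri'");
    }
    $node = findById($doc, substr($uri, 1));
    if ($node === null) {
        throw new RuntimeException('no unique element with Id ' . substr($uri, 1));
    }
    // C14N(true) is exclusive C14N; the second argument drops comments.
    // libxml already returns UTF-8 bytes, so do not utf8_encode() the result:
    // that re-encodes every non-ASCII character and changes the digest.
    return base64_encode(hash($algo, $node->C14N(true, false), true));
}

/** Recompute every ds:Reference digest and compare it with the stored DigestValue. */
function checkReferences(DOMDocument $doc): array
{
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');
    $result = [];
    foreach ($xp->query('//ds:SignedInfo/ds:Reference') as $ref) {
        $uri    = $ref->getAttribute('URI');
        $stored = trim($xp->evaluate('string(ds:DigestValue)', $ref));
        $method = $xp->evaluate('string(ds:DigestMethod/@Algorithm)', $ref);
        // Only the two digest algorithms that appear on this page.
        $algo = (substr($method, -6) === 'sha256') ? 'sha256' : 'sha1';
        try {
            $result[$uri] = hash_equals($stored, referenceDigest($doc, $uri, $algo));
        } catch (Exception $e) {
            $result[$uri] = false; // a reference that cannot be resolved never verifies
        }
    }
    return $result;
}

// Constructed sample (not the poster's exact message, whose inter-element
// whitespace is unknown and is part of the digest input): a Body carrying a
// wsu:Id and a SignedInfo referencing it. The DigestValue is a placeholder.
$sample = <<<'XML'
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#id-body"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
</ds:SignedInfo></ds:Signature></soap:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-body">
<Trzba xmlns="http://fs.mfcr.cz/eet/schema/v2"><Hlavicka prvni_zaslani="false"/></Trzba>
</soap:Body>
</soap:Envelope>
XML;

$doc = new DOMDocument();
$doc->loadXML($sample);           // preserveWhiteSpace stays true: the whitespace is signed too
echo referenceDigest($doc, '#id-body'), "\n";
var_dump(checkReferences($doc));  // ['#id-body' => false] until the real DigestValue is filled in
```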
I've got XML containing an XAdES-BES digital signature:
<?xml version="1.0" encoding="UTF-8"?>
<Signatures Id="ID-222cf3cf-0f0b-49d2-b7cb-4cf47bb373cb">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="ID-9a61610b-c8e3-4201-bf41-a174cbc21634">
<ds:SignedInfo Id="ID-8ebe3e85-1413-4fec-a14c-7264546ab770">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference Id="ID-e751928b-6823-47ad-a5ae-b7ccdf301751" URI="#ID-e37958b8-134c-4f51-9b25-8274fd1edce7">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>Z7q3zqS5FTNPP/mj0rDmUV5PdZQ=</ds:DigestValue>
</ds:Reference>
<ds:Reference Id="ID-396858b0-7e4b-42e1-ba5f-18368f90f0df" URI="#ID-90b9721b-1d1c-4104-ae2c-ebb6b251cf2b" Type="http://uri.etsi.org/01903#SignedProperties">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>H7EeV4pPoJ6WhWFnVSo3WNu3Yj8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue Id="ID-949000f9-85bc-435e-b387-8f7aa5551d75">a0cc/hQYjmwQC8ssBzolLyArUqOVi+s6cP+lbxku69qGleBUroQlvD6o+GpIxSJB6wlWwic3YjuxDxn9
mfW2jCLYEEM1RB277ChnHASakC+vbBP03LWC+GxsOe0seKMVsCc0EPwS5kk5RfvrUN6sTxWSW/2MOIXG
4fW1cAtjh1SjDN9Ij38SIuWpW8guJ9EGEVyTUuTiZ5dbpHfxftgKfHmr16aMpXk0ta46X2UuGTQRB+E/
0W+RpLqdmTP5VG0CxT8Z2H4n6puGL0yC20SsZZDethL/Vnr67EXTPmHFUwoZOGNu+0IFdBJW4HvLA5rF
czL82MOsCoFXqzMVxGxiqw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>AL4k+zz02RytjonBY0af0dfuuDJhNg0dypClqzkLyyLjkTa9QUbtdtA20lRuogjFqb6CVpqQ/PEdXDK5
bN6qGBQGsmdqkgru6A8aAc57QawEcbEL+rDue1L+mqM/JVnr+DAWOehITd8HzS0JQTQcxF1Lv0L1GNbJ
P8/bo8Coj2EVtKZ9tBI9+AZUdZ11uKBYj9uvKy0VGufjoljIIrQASIft4nw8a/WF+beEYOrl3PqnBcAo
Lc/CJiNsnsASws0a/EKuaP3vQbIo36s7FVH7U4x/8ypcAPsmtgi9LbH+v9Ugc2CiCj7krJIT3X9EwkjC
FUq+MykmVvfW0D0bOTP2X5k=</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
<ds:X509Data>
<ds:X509Certificate>MIIGETCCBPmgAwIBAgIUaQ+g3SS0YfvHQus43mbJ+4FSYegwDQYJKoZIhvcNAQEFBQAwczELMAkGA1UE
BhMCUEwxKDAmBgNVBAoMH0tyYWpvd2EgSXpiYSBSb3psaWN6ZW5pb3dhIFMuQS4xJDAiBgNVBAMMG0NP
UEUgU1pBRklSIC0gS3dhbGlmaWtvd2FueTEUMBIGA1UEBRMLTnIgd3Bpc3U6IDYwHhcNMTUxMDA4MTIw
MDAwWhcNMTYxMDA4MTIwMDAwWjB2MQswCQYDVQQGEwJQTDEbMBkGA1UEBRMSUEVTRUw6IDg2MDYxMzE0
Mzk3MR8wHQYDVQQDDBZLYW1pbCBTZWJhc3RpYW4gTWlqYWN6MRgwFgYDVQQqDA9LYW1pbCBTZWJhc3Rp
YW4xDzANBgNVBAQMBk1pamFjejCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4k+zz02Ryt
jonBY0af0dfuuDJhNg0dypClqzkLyyLjkTa9QUbtdtA20lRuogjFqb6CVpqQ/PEdXDK5bN6qGBQGsmdq
kgru6A8aAc57QawEcbEL+rDue1L+mqM/JVnr+DAWOehITd8HzS0JQTQcxF1Lv0L1GNbJP8/bo8Coj2EV
tKZ9tBI9+AZUdZ11uKBYj9uvKy0VGufjoljIIrQASIft4nw8a/WF+beEYOrl3PqnBcAoLc/CJiNsnsAS
ws0a/EKuaP3vQbIo36s7FVH7U4x/8ypcAPsmtgi9LbH+v9Ugc2CiCj7krJIT3X9EwkjCFUq+MykmVvfW
0D0bOTP2X5kCAwEAAaOCApgwggKUMAwGA1UdEwEB/wQCMAAwggFPBgNVHSABAf8EggFDMIIBPzCCATsG
CSqEaAGG9yMBATCCASwwgd0GCCsGAQUFBwICMIHQDIHNRGVrbGFyYWNqYSB0YSBqZXN0IG/Fm3dpYWRj
emVuaWVtIHd5ZGF3Y3ksIMW8ZSB0ZW4gY2VydHlmaWthdCB6b3N0YcWCIHd5ZGFueSBqYWtvIGNlcnR5
ZmlrYXQga3dhbGlmaWtvd2FueSB6Z29kbmllIHogd3ltYWdhbmlhbWkgdXN0YXd5IG8gcG9kcGlzaWUg
ZWxla3Ryb25pY3pueW0gb3JheiB0b3dhcnp5c3rEhWN5bWkgamVqIHJvenBvcnrEhWR6ZW5pYW1pLjBK
BggrBgEFBQcCARY+aHR0cDovL3d3dy5lbGVrdHJvbmljem55cG9kcGlzLnBsL2luZm9ybWFjamUvZG9r
dW1lbnR5LWktdW1vd3kwCQYDVR0JBAIwADAhBgNVHREEGjAYgRZrYW1pbC5taWphY3pAZ21haWwuY29t
MA4GA1UdDwEB/wQEAwIGQDCBsAYDVR0jBIGoMIGlgBTMQSp2mC5KehnakTbf2H85P9TCrqF3pHUwczEL
MAkGA1UEBhMCUEwxKDAmBgNVBAoMH0tyYWpvd2EgSXpiYSBSb3psaWN6ZW5pb3dhIFMuQS4xJDAiBgNV
BAMMG0NPUEUgU1pBRklSIC0gS3dhbGlmaWtvd2FueTEUMBIGA1UEBRMLTnIgd3Bpc3U6IDaCFH18c1x7
vNOu01acH+WfGYiAcun0MEAGA1UdHwQ5MDcwNaAzoDGGL2h0dHA6Ly9lbGVrdHJvbmljem55cG9kcGlz
LnBsL2NybC9jcmxfb3prNTIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQAP0zddWprl5hpXiIiMGcC5D7ob
/nj3wvfOUm0QCf7+ZEorfr6EC96B6F/cNtZ1wXtAQXkf5Zm3gPhbKXY6XWM2NDWadZrDV9zV75Ab06dQ
5qmDfuMGTfPUdH3+QBmW7YnniWPCGuMzGNlP9DpZ45YrgRnwlsZSHMhX0HiEeDfYKAkGhIaJ7lcPlZrj
zWBdhUOgYm06pYf8NEKVWzu808iIHIvCBot0ADcZ8ypxDyQsco/RSRGY0EO8FATCH3j2Oe/+7FGRjRQK
XczBsKu6G8GQ6b/eGuWD7NNAuBX4UJu9jXRo9mzo7zKj01/SPfE4kHTHfHr9yi9BBkzAmaAxQpT5</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<ds:Object>
<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="ID-04b0ddeb-914c-419f-acb2-780dae2ee890" Target="#ID-9a61610b-c8e3-4201-bf41-a174cbc21634">
<xades:SignedProperties Id="ID-90b9721b-1d1c-4104-ae2c-ebb6b251cf2b">
<xades:SignedSignatureProperties>
<xades:SigningTime>2015-12-08T13:37:16Z</xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>+6UE5SSks6Cn6++o8CAkSO/NMWk=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>serialNumber=Nr wpisu: 6,CN=COPE SZAFIR - Kwalifikowany,O=Krajowa Izba Rozliczeniowa S.A.,C=PL</ds:X509IssuerName>
<ds:X509SerialNumber>599792555331422089182929030726347827824527827432</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
</xades:SignedSignatureProperties>
<xades:SignedDataObjectProperties>
<xades:DataObjectFormat ObjectReference="#ID-e751928b-6823-47ad-a5ae-b7ccdf301751">
<xades:Description>Dokument w formacie xml [XML]</xades:Description>
<xades:MimeType>text/plain</xades:MimeType>
<xades:Encoding>http://www.w3.org/2000/09/xmldsig#base64</xades:Encoding>
</xades:DataObjectFormat>
</xades:SignedDataObjectProperties>
</xades:SignedProperties>
</xades:QualifyingProperties>
</ds:Object>
<ds:Object Encoding="http://www.w3.org/2000/09/xmldsig#base64" Id="ID-e37958b8-134c-4f51-9b25-8274fd1edce7" MimeType="text/plain">PFRyZXNjUGlzbWE+DQogIDxTeWduYXR1cmFBa3Q+QUJDWFlaMTIzPC9TeWduYXR1cmFBa3Q+DQogIDxQ
b2RtaW90eT4NCiAgICA8UG9kbWlvdD4NCiAgICAgIDxPc29iYUZpenljem5hPg0KICAgICAgICA8SW1p
ZT5KYW51c3o8L0ltaWU+DQogICAgICAgIDxOYXp3aXNrbz5Ob3dhazwvTmF6d2lza28+DQogICAgICAg
IDxPem5hY3plbmllPg0KICAgICAgICAgIDxQZXNlbD44OTEwMDEwMDYxNjwvUGVzZWw+DQogICAgICAg
IDwvT3puYWN6ZW5pZT4NCiAgICAgIDwvT3NvYmFGaXp5Y3puYT4NCiAgICA8L1BvZG1pb3Q+DQogIDwv
UG9kbWlvdHk+DQogIDxQb2RzdGF3YVByYXduYT4NCiAgICA8UG9kc3Rhd2E+UFBfMDA0PC9Qb2RzdGF3
YT4NCiAgPC9Qb2RzdGF3YVByYXduYT4NCjwvVHJlc2NQaXNtYT4=</ds:Object>
</ds:Signature>
</Signatures>
When I load it with simplexml_load_string, var_dump shows:
object(SimpleXMLElement)#212 (1) {
["#attributes"] => array(1) {
["Id"] => string(39) "ID-222cf3cf-0f0b-49d2-b7cb-4cf47bb373cb"
}
}
There are no nested nodes of the "Signatures" data.
However, when I remove the "ds" namespaces from the tags, it works great.
How can I get them without changing the document?
Thanks to michi's comment, I found a solution. Namespaced nodes should be accessed differently than nodes without a namespace.
So, based on the example above, when I want to use the Signature node, I can do it like this:
$xml = simplexml_load_string($content);
$signatureNode = $xml->children('ds', true)->Signature;
Sorry for my English :).
I need to write a signing block in XML like this:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#gost34310-gost34311"/>
<ds:Reference>
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#gost34311"/>
<ds:DigestValue>drvEZVSz3nSXHVI6+iRSDXZDGud9Ay56LLfMkpQkRp4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>/4ASSFXCsdsdMuwM9kw0riDbhhtLR/+UKZKNO51HbACu5DM
SLmmAmp5FwFHdsGtBQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
I found this on GitHub: https://github.com/Maks3w/xmldsig
My code is:
$data = new DOMDocument();
$data->load(__DIR__ . '/newdata.xml');
$xmlTool = new FR3D\XmlDSig\Adapter\XmlseclibsAdapter();
$xmlTool->setPrivateKey(file_get_contents('C:\xampp\htdocs\EgovPayments\private1.pem'));
$publicKey=$xmlTool->getPublicKey();
//echo 'public key is:'.$publicKey;
$xmlTool->setPublicKey($publicKey);
$xmlTool->addTransform(FR3D\XmlDSig\Adapter\AdapterInterface::ENVELOPED);
$xmlTool->setCanonicalMethod('http://www.w3.org/2001/10/xml-exc-c14n#');
$xmlTool->sign($data);
$data->saveXML();
But nothing changed in newdata.xml. How does it work with xmldsig in PHP?
Thanks
The function DOMDocument::saveXML() returns a string. It does not update the file.
http://php.net/manual/en/domdocument.savexml.php
I've got the same problem, but found the following function "insertSignature" in the seclib.
If you use the Adapter, add the following line to the end of the verify function:
$objXMLSecDSig->insertSignature($data->getElementsByTagName("Security")->item(0));
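Added example serving both the WS-Security header question earlier on the page and the xmldsig question above; it is not code from any poster or from the Maks3w adapter, but uses robrichards/xmlseclibs, which that adapter wraps, directly. The key and certificate paths, the token id and the sample envelope are assumptions; xmlseclibs has no GOST support, so RSA-SHA256 is used.

```php
<?php
// Added example, not from any of the posts above. Builds the WS-Security
// header shown in the SOAP question earlier on the page: a BinarySecurityToken
// holding the signer's certificate, a ds:Reference to soap:Body through a
// wsu:Id, exclusive C14N, RSA-SHA256 and a SecurityTokenReference in KeyInfo.
require 'vendor/autoload.php';   // composer require robrichards/xmlseclibs

use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecurityKey;

const SOAP_NS = 'http://schemas.xmlsoap.org/soap/envelope/';
const WSSE_NS = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd';
const WSU_NS  = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd';
const X509V3  = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3';
const B64BIN  = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary';

/** Sign soap:Body in place; the caller sends $doc->saveXML(), which only returns a string. */
function signSoapBody(DOMDocument $doc, string $privateKeyPem, string $certPem): DOMDocument
{
    $body = $doc->getElementsByTagNameNS(SOAP_NS, 'Body')->item(0);
    if (!$body instanceof DOMElement) {
        throw new RuntimeException('no soap:Body to sign');
    }
    $envelope = $doc->documentElement;
    $header = $doc->getElementsByTagNameNS(SOAP_NS, 'Header')->item(0);
    if ($header === null) {
        $header = $doc->createElementNS(SOAP_NS, $envelope->prefix . ':Header');
        $envelope->insertBefore($header, $body);
    }
    $security = $doc->createElementNS(WSSE_NS, 'wsse:Security');
    $security->setAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:wsu', WSU_NS);
    $header->appendChild($security);

    // BinarySecurityToken = base64 DER, i.e. the PEM body without armour or whitespace.
    $tokenId = 'X509-' . bin2hex(random_bytes(8));   // constructed id
    $bst = $doc->createElementNS(WSSE_NS, 'wsse:BinarySecurityToken',
        preg_replace('/-----[A-Z ]+-----|\s+/', '', $certPem));
    $bst->setAttribute('EncodingType', B64BIN);
    $bst->setAttribute('ValueType', X509V3);
    $bst->setAttributeNS(WSU_NS, 'wsu:Id', $tokenId);
    $security->appendChild($bst);

    $dsig = new XMLSecurityDSig();                    // ds:Signature skeleton in its own document
    $dsig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
    // The library stamps wsu:Id on the Body and writes URI="#<that id>".
    $dsig->addReference($body, XMLSecurityDSig::SHA256, [XMLSecurityDSig::EXC_C14N],
        ['id_name' => 'Id', 'prefix' => 'wsu', 'prefix_ns' => WSU_NS, 'force_uri' => true]);

    $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'private']);
    $key->loadKey($privateKeyPem);                    // PEM contents, not a path
    $dsig->sign($key);                                // fills DigestValue and SignatureValue

    // KeyInfo/SecurityTokenReference/Reference pointing back at the token.
    // Nodes appended to KeyInfo must belong to the signature's own document.
    $sigDoc = $dsig->sigNode->ownerDocument;
    $str = $sigDoc->createElementNS(WSSE_NS, 'wsse:SecurityTokenReference');
    $ref = $sigDoc->createElementNS(WSSE_NS, 'wsse:Reference');
    $ref->setAttribute('URI', '#' . $tokenId);
    $ref->setAttribute('ValueType', X509V3);
    $str->appendChild($ref);
    $dsig->appendToKeyInfo($str);

    $dsig->insertSignature($security);                // imports ds:Signature into $doc
    return $doc;
}

// Constructed usage: an envelope with just a Body; file paths are placeholders.
$doc = new DOMDocument();
$doc->preserveWhiteSpace = false;
$doc->loadXML('<soapenv:Envelope xmlns:soapenv="' . SOAP_NS . '"><soapenv:Body>'
    . '<Ping xmlns="urn:example:ping"/></soapenv:Body></soapenv:Envelope>');
$signed = signSoapBody($doc, file_get_contents('/path/to/private.pem'),
                             file_get_contents('/path/to/cert.pem'));
file_put_contents('signed-request.xml', $signed->saveXML());
```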