We Keep Coding

php openssl asymmetric decrypt

I was hopping someone could help me to understand how to decrypt a xml file that was previously encrypted with a public key. The file is devided into two sections, the AuthenticatedPublic section and the AuthenticatedPrivate section, inside the latter, there are specific tags like CipherValue, X509Certificate that are suppose to be decrypted with my private key. The steps i have tried were:
Parse the entire xml file with XmlToArray.
Got one of the tags i need to decrypt, which was the cyphervalue.
Then i tried many things like trying to to decrypt using:(i´m using php, so this is inside a function)
openssl rsautl -decrypt -inkey "'.$privkey.'" -in "'.$tag.'" -out decrypted.xml
But the result is an empty decrypted.xml file. I have also tried converting to base64, and then tried to decrypt also, but then i reach an error:
rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error:.\crypto\rsa\rsa_pk1.c:273:
5612:error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:.\crypto\rsa\rsa_eay.c:602:
In fact, i´m not really sure if this is the way to decrypt the xml. Any thoughts?
Thanks for your time, Regards
EDIT
Has Pak Uula suggested, below is a more detailed information about my xml file, please note that i have hide some of the data for obvious reasons:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<DCinemaSecurityMessage xmlns="http://www.smpte-ra.org/schemas/430-3/2006/ETM" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
<AuthenticatedPublic Id="ID_AuthenticatedPublic">
...(keys hidded for brevity)
<RequiredExtensions>
<KDMRequiredExtensions xmlns="http://www.smpte-ra.org/schemas/430-1/2006/KDM">
...(keys hidded for brevity)
....(below some of the keys that i need to decrypt)
<CompositionPlaylistId>urn:uuid:d932f6a0-094b-etc-etc-etc</CompositionPlaylistId>
<ContentTitleText>...</ContentTitleText>
..
<AuthorizedDeviceInfo>
<DeviceListIdentifier>urn:uuid:31949239-a1f9-etc-etc-etc</DeviceListIdentifier>
<DeviceList>
<CertificateThumbprint>2jmj7l5rSw0yVb/vlW-etc-etc-etc</CertificateThumbprint>
</DeviceList>
</AuthorizedDeviceInfo>
<KeyIdList>
<TypedKeyId>
<KeyType>MDIK</KeyType>
<KeyId>urn:uuid:154727b3-890c-etc-etc-etc</KeyId>
</TypedKeyId>
<TypedKeyId>
<KeyType>MDAK</KeyType>
<KeyId>urn:uuid:682c2ff0-9b1d-etc-etc-etc</KeyId>
</TypedKeyId>
</KeyIdList>
</KDMRequiredExtensions>
</RequiredExtensions>
<NonCriticalExtensions />
</AuthenticatedPublic>
<AuthenticatedPrivate Id="ID_AuthenticatedPrivate">
<enc:EncryptedKey xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
...(keys hidded for brevity)
....(below some of the keys that i need to decrypt)
<enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
<enc:CipherData>
<enc:CipherValue>lwYdkG5Q5wfW/S7UzZDtnJMcAng3w3ketzkh68y1BeX+okNEj48b5rSWUC/4mNhT
N2QsHxOCkvKDavIGGSAP23tdp0VtdeHTNAszcgK4Xzc8VHGUEiswONCOxTzNWuwj
...etc etc
zfHceeHN50b8vzM/Rt/jTUq54eC3nE+lP3eTXbLj/YvpPo8H45Sti9YP9WZixGHz
Uvf6Go31+3JwsXXIUl3O+w==</enc:CipherValue>
</enc:CipherData>
</enc:EncryptedKey>
<enc:EncryptedKey xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
<enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
<enc:CipherData>
<enc:CipherValue>TvC1LCspgTsXqM1b8ClPCtAkAdXXzxe+Av7LMxYtUaqUbd8HeBuaS1cx3WwoVRDr
TWcrBEnv24GbIB5ygcMFW3DlGsXfmWJGnRNx/6xT/U15RQPgoD9AP4WFEHxthzP0
...etc etc
1ajG5lDjEu4TqjdL7DPGNu9HfI9boerJ5FUFQ/fMdD4xbDHdc4DgIQdTUgLFGHJz
RwOyfOAcSNoO/fpAkMXoEw==</enc:CipherValue>
</enc:CipherData>
</enc:EncryptedKey>
</AuthenticatedPrivate>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#ID_AuthenticatedPublic">
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>KJ37JaHCdMo5dq3TmIaxF+A+lpuoVG-etc-etc-etc</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#ID_AuthenticatedPrivate">
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>rcIAaHZoc80XqB70S2oZEp6IziDrVgwt-etc-etc-etc</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>hcOaWg8mzwc61XkyqXxy6+cuuGtrsDjTVzFeSv4ZAs6INQBTYChGiHD00lE8ud02
uG/bbjcqHiMVAFdhZIjw1xIs0FrAh3EdO7eJtiyGl1CpK9z5X9VXizkkhf4wWAZS
....etc etc
0i9iV4sMJlZn4j9glWiTgA==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>dnQualifier=4py0tKtJ07bHLNbK-etc-etc-etc,OU=...,O=...,CN=...</ds:X509IssuerName>
<ds:X509SerialNumber>167201700</ds:X509SerialNumber>
</ds:X509IssuerSerial>
<ds:X509Certificate>MIIEZDCCA0ygAwIBAgIECfdLpDANBgkqhkiG9w0BAQsFADBzMRIwEAYDVQQDEwku
VmltcDE2MDQxEzARBgNVBAoTCi5EQy5DQS5SdVMxITAfBgNVBAsTGC5DbGlwc3Rl
ci5GQk1TLkRDLkNBLlJ1UzElMCMGA1UELhMcNHB5MHRLdEowN2JITE5iS2VwdTRG
-etc-etc-etc
/g07WLzKPQmLxR8I/8GhdyI3Nez+16rJPKMJ3eUV7qLuvA1B2VQ93jBzC4fVvzfI
xFYzYV2RO+VquC/dcgPHKLZPhR1Rp4zP74lGAPIloQa1kpVzjoGypK7QDWLFg+IG
XBtw1dtscIywnqTxYXaxXwic9OlQ2mcmMS7sh2ke2xB9CLYD9JmjPaV71A4J2Y2Y
eF6WeFKIzkKp0fJffqDbFFvKfap3K9e000K/Yno5fFurWW/fagdGEHAXB0zHCj7k
d14u2vegqToKdMsybcA5RngZ7YWYQZKJ
</ds:X509Certificate>
</ds:X509Data>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>dnQualifier=wiwAlHjwPoipV-etc-etc-etc,OU=....,O=....,CN=...</ds:X509IssuerName>
<ds:X509SerialNumber>9714</ds:X509SerialNumber>
</ds:X509IssuerSerial>
<ds:X509Certificate>MIIELDCCAxSgAwIBAgICJfIwDQYJKoZIhvcNAQELBQAwajESMBAGA1UEAxMJLkNs
aXBzdGVyMRMwEQYDVQQKEwouREMuQ0EuUnVTMRgwFgYDVQQLEw8uRkJNUy5EQy5D
QS5SdVMxJTAjBgNVBC4THHdpd0FsSGp3UG9pcFY1d3ZEd1pZMFhUYWlNTT0wHhcN
-etc-etc-etc
fiZ3Ljj0uayRAaJtOpflj8RYgWgf2oQvA3vIdc35J2WCea9xm+MLBjycJeaHqgcb
h1hh4qWtaINElm2sdf1p8/feBU0vBV/4ey0TR86tF0FhuVBCg4v9HqrFMY+m4/xJ
wyMCysIxr7ZgszAMOgarYD6JfhNGWm+1VAyI7lR/VspPj6FV0hVOwCb9QZHA/c1Z
5vMeW+Wx3C+1q4HBYHm+ryc7lTt045w7HilTig07g0K6DMaf8G3V5kxZpOQcVWn3
iNFT6Fzg+bE9YD2FdhnVOQ==
</ds:X509Certificate>
</ds:X509Data>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>dnQualifier=JknMF1MuF3k1Jg-etc-etc-etc=,OU=...,O=...,CN=...</ds:X509IssuerName>
<ds:X509SerialNumber>9712</ds:X509SerialNumber>
</ds:X509IssuerSerial>
<ds:X509Certificate>MIIEGjCCAwKgAwIBAgICJfAwDQYJKoZIhvcNAQELBQAwYTEOMAwGA1UEAxMFLkZC
TVMxEzARBgNVBAoTCi5EQy5DQS5SdVMxEzARBgNVBAsTCi5EQy5DQS5SdVMxJTAj
BgNVBC4THEprbk1GMU11RjNrMUpnL2JFZm1uWjVpNnlmcz0wHhcNMTUxMDAxMDAw
-etc-etc-etc
+mMkPdu2GuXJj4BBQY0ayoixrSyHg3stATcdeEbU1WESEsmztT8coXMLrd3/W0I6
ahe/dQyOSnZtv8RBL/Zb3Mnih+BQGSbiKlpWNoev71/r5JxA4/grffAfeFjnWy8E
zhAKe9wGx+wR+yQhSBUTHtGE/cA9NfOvOnRvO3BEXsfcJASFXITayaZ7MxP3Mgl/
4RnNxmgKFVY62LLZRo+DmXHhnilVBxrk1YEtBq/mb9R7SYtI5AmfL+B0TUJWGQ==
</ds:X509Certificate>
</ds:X509Data>
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>dnQualifier=JknMF1MuF3k1Jg-etc-etc-etc,OU=...,O=....,CN=....</ds:X509IssuerName>
<ds:X509SerialNumber>9711</ds:X509SerialNumber>
</ds:X509IssuerSerial>
<ds:X509Certificate>MIIEETCCAvmgAwIBAgICJe8wDQYJKoZIhvcNAQELBQAwYTEOMAwGA1UEAxMFLkZC
TVMxEzARBgNVBAoTCi5EQy5DQS5SdVMxEzARBgNVBAsTCi5EQy5DQS5SdVMxJTAj
BgNVBC4THEprbk1GMU11RjNrMUpnL2JFZm1uWjVpNnlmcz0wHhcNMTUxMDAxMDAw
-etc-etc-etc
iFwmmsU6j0BosEVv/NcdmyoZ68rY0xrjSiCLY7lreHec58ZFXOxNKQsfNJGriyrg
30nMPjp/tgaHK6RZ+XL8sRX9NY+ySBeS/uQtCeH5CtCavIwPrurv5BUbzNmIB5FK
m4wvtXmfVcxTnL4lYHvyhqieDsm+Uwv7Fwt03ygqXeW5IPCs7nqcLwYzhm/7Mn5d
3YBiLH4B0+W2Mq5px0Hrm/2pOVEXv67mbSgdGsHnAYu/f0xN2A==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</DCinemaSecurityMessage>

Sign xml with XADES-EPES using PHP

I need to sign a document using XADES-EPES and I am using PHP for that purpose.
Using the xml below, I have been able to calculate the digest value <ds:DigestValue>ql0urtXTsc9W0GMIhTdzYHXnQYfnieoIttOBn9fGw7A=</ds:DigestValue> in the example given below, but I wonder how the other <ds:DigestValue>5JVZPTwN5Lj0sGTfFzaUeMKCo/xbCAj7fw6TLUFtZIk=</ds:DigestValue> is calculated.
I am using this XML as a test case:
<?xml version="1.0" encoding="UTF-8" xs:xmlns="https://tribunet.hacienda.go.cr/docs/esquemas/2016/v4.2/FacturaElectronica_V.4.2.xsd"?>
<FacturaElectronica>
<Clave>1</Clave>
<NumeroConsecutivo>1</NumeroConsecutivo>
<FechaEmision>1</FechaEmision>
<Emisor>1</Emisor>
<Receptor>1</Receptor>
<CondicionVenta>1</CondicionVenta>
<CondicionVenta>1</CondicionVenta>
<MedioPago>1</MedioPago>
<DetalleServicio>1</DetalleServicio>
<ResumenFactura>1</ResumenFactura>
<Normativa>1</Normativa>
</FacturaElectronica>
I am supposed to sign it with something similar to this (note: the SignatureValue and the X509Certificate have been truncated):
<ds:Signature Id="id-e34ffbff277e8d1432e864436aa11882" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference Id="r-id-1" Type="" URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
<ds:XPath>not(ancestor-or-self::ds:Signature)</ds:XPath>
</ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>ql0urtXTsc9W0GMIhTdzYHXnQYfnieoIttOBn9fGw7A=</ds:DigestValue>
</ds:Reference>
<ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#xades-ide34ffbff277e8d1432e864436aa11882">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>5JVZPTwN5Lj0sGTfFzaUeMKCo/xbCAj7fw6TLUFtZIk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue Id="value-ide34ffbff277e8d1432e864436aa11882">Mt1TUuPK3W8/0eRtJX5t45GV9bHvMjw....</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIFpTCCBI2gAwIBAgIKK+...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<ds:Object>
<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#ide34ffbff277e8d1432e864436aa11882">
<xades:SignedProperties Id="xades-id-e34ffbff277e8d1432e864436aa11882">
<xades:SignedSignatureProperties>
<xades:SigningTime>2016-11-25T16:35:06Z</xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>LoXZC86JwDL7zWC35qj7Q4AzrRQ=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>CN=CA SINPE - PERSONA FISICA,OU=DIVISION DE SERVICIOS FINANCIEROS,O=BANCO CENTRAL DE COSTA RICA,C=CR,2.5.4.5=#130c342d3030302d303034303137</ds:X509IssuerName>
<ds:X509SerialNumber>207422209224813750547132</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
<xades:SignaturePolicyIdentifier>
<xades:SignaturePolicyId>
<xades:SigPolicyId>
<xades:Identifier>https://tribunet.hacienda.go.cr/docs/esquemas/2016/v4.1/Resolucion_Comprobantes_Electronicos_DGT-R-48-2016.pdf</xades:Identifier>
</xades:SigPolicyId>
<xades:SigPolicyHash>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>NmI5Njk1ZThkNzI0MmIzMGJmZDAyNDc4YjUwNzkzODM2NTBiOWUxNTBkMmI2YjgzYzZjM2I5NTZlNDQ4OWQzMQ==</ds:DigestValue>
</xades:SigPolicyHash>
</xades:SignaturePolicyId>
</xades:SignaturePolicyIdentifier>
</xades:SignedSignatureProperties>
<xades:SignedDataObjectProperties>
<xades:DataObjectFormat ObjectReference="#r-id-1">
<xades:MimeType>application/octet-stream</xades:MimeType>
</xades:DataObjectFormat>
</xades:SignedDataObjectProperties>
</xades:SignedProperties>
</xades:QualifyingProperties>
</ds:Object>
</ds:Signature>

From what I read here and here, I stand by what I described previously: it's the hash of the node SignedProperties. This hash is part of the SignedInfo node, which is the one that gets signed afterwards. The first link is a blog in polish. It's not perfect, but Google Translate is doing a quite decent job and the info in the blog helped me to understand more clearly.
Make sure to get the node canonicalized and base64_encoded
P.S.: Suerte con la implementación que está desarrollando para la factura electrónica en Costa Rica ;-D

I just started reading into a similar topic, so it's just an idea and I have not tried it, but I believe the second hash comes from the xades:SignedProperties node that is part of the ds:Object.
At least the id (xades-id-e34ff...) in the object and in the reference are identical.
Hope this gives you (and me :-D ) a hint.
Regards,
Sebastian

PHP soap wrong digest hash

I'm trying to send a SOAP message from PHP to a server, and I'm stuck at generating a SHA256 hash of the data being sent. Here is an example request provided by server owner:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-16FE2A6FC1AFE42BE9146412186273511">...</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-16FE2A6FC1AFE42BE9146412186273615">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">...</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#id-16FE2A6FC1AFE42BE9146412186273614">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>/CJj9686ARgbV/YmDrr+1yhcaJuXu022cADK/M8efQs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Ii+W0EB2V6GJo4jMGwK1HCRdt6+r9TkgfhXyAuY8FNCXhPOtfoUi/Bw31U4Hm7SLscM/8klrQI3Z2vSfdNe3oDi1cm2Qouv1sOBK17VSg/IgKN92BC8kUaoF5W5ZBEcZr0WHjDWasSYEerZQ3Q+ZIJzt6cbS+cLZfQkLFg1UDOi5qLUkWE1pQ9AVYCvwrOFj/hFQx5koQTpigyG/DPlyoh2xOh/DAh6U/P5p+IiQwwCMdo1Rh2czUVpRCr3Cnz97AlQ8G6IGAtWNykXorVYZ1tGnXEaRngzjsn5RE/zCcRkqRpFaiEQuYly1I6YtFOEYIPXskE5oMZkCLINebu1Law==
</ds:SignatureValue>
<ds:KeyInfo Id="KI-16FE2A6FC1AFE42BE9146412186273512">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STR-16FE2A6FC1AFE42BE9146412186273513">
<wsse:Reference URI="#X509-16FE2A6FC1AFE42BE9146412186273511" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</SOAP-ENV:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-16FE2A6FC1AFE42BE9146412186273614">
<Trzba xmlns="http://fs.mfcr.cz/eet/schema/v2">
<Hlavicka dat_odesl="2016-09-19T19:06:37+01:00" prvni_zaslani="false" uuid_zpravy="9edeb22b-4234-4047-869c-3a76f86c20d3"/>
<Data celk_trzba="34113.00" cerp_zuct="679.00" cest_sluz="5460.00" dan1="-172.39" dan2="-530.73" dan3="975.65" dat_trzby="2016-01-05T00:30:12+01:00" dic_popl="CZ00000019" id_pokl="/5546/RO24" id_provoz="273" porad_cis="0/6460/ZQ42" pouzit_zboz1="784.00" pouzit_zboz2="967.00" pouzit_zboz3="189.00" rezim="0" urceno_cerp_zuct="324.00" zakl_dan1="-820.92" zakl_dan2="-3538.20" zakl_dan3="9756.46" zakl_nepodl_dph="3036.00"/>
<KontrolniKody>
<pkp cipher="RSA2048" digest="SHA256" encoding="base64">
W7UlA4hXNsDLvCj/eeRAYeOAsNsgMSdltcJNIW98KQRsfspTMW0Lr/OGQgRHZfO5KjolZgzN3k9mgzrVoX2+N90fCNEnOri2kjrW5vzTgMK6OZ9IryAEg0xFZjjjCQ0qKsQsVi8OLQOn3ZnN/BUGG2SIduER+iIOrhfOmes7OXaa5/2jQSfPTHZHZ/Bxhqld3gL4PHvd7sevZYUupHpE1fM7Uw1+lu8i1YOdghZoMyOfKw7FcqvRJpHrW/JZL5Dr5iCgu5ClmhZrb3hZavsxlDG7P2cUhSQgmEVTxJ2n38q/Cf91KE8e52SODN4Q8BfncXpmtkQ7Go3KsRsY3xN7xg==
</pkp>
<bkp digest="SHA1" encoding="base16">1F1A2D90-4EAD34A8-411CFB0B-EB17616E-B2CE8114</bkp>
</KontrolniKody>
</Trzba>
</soap:Body>
</soap:Envelope>
And here my code:
$text = '<Trzba xmlns="http://fs.mfcr.cz/eet/schema/v2"><Hlavicka dat_odesl="2016-09-19T19:06:37+01:00" prvni_zaslani="false" uuid_zpravy="9edeb22b-4234-4047-869c-3a76f86c20d3"/><Data celk_trzba="34113.00" cerp_zuct="679.00" cest_sluz="5460.00" dan1="-172.39" dan2="-530.73" dan3="975.65" dat_trzby="2016-01-05T00:30:12+01:00" dic_popl="CZ00000019" id_pokl="/5546/RO24" id_provoz="273" porad_cis="0/6460/ZQ42" pouzit_zboz1="784.00" pouzit_zboz2="967.00" pouzit_zboz3="189.00" rezim="0" urceno_cerp_zuct="324.00" zakl_dan1="-820.92" zakl_dan2="-3538.20" zakl_dan3="9756.46" zakl_nepodl_dph="3036.00"/><KontrolniKody><pkp cipher="RSA2048" digest="SHA256" encoding="base64">W7UlA4hXNsDLvCj/eeRAYeOAsNsgMSdltcJNIW98KQRsfspTMW0Lr/OGQgRHZfO5KjolZgzN3k9mgzrVoX2+N90fCNEnOri2kjrW5vzTgMK6OZ9IryAEg0xFZjjjCQ0qKsQsVi8OLQOn3ZnN/BUGG2SIduER+iIOrhfOmes7OXaa5/2jQSfPTHZHZ/Bxhqld3gL4PHvd7sevZYUupHpE1fM7Uw1+lu8i1YOdghZoMyOfKw7FcqvRJpHrW/JZL5Dr5iCgu5ClmhZrb3hZavsxlDG7P2cUhSQgmEVTxJ2n38q/Cf91KE8e52SODN4Q8BfncXpmtkQ7Go3KsRsY3xN7xg==</pkp><bkp digest="SHA1" encoding="base16">1F1A2D90-4EAD34A8-411CFB0B-EB17616E-B2CE8114</bkp></KontrolniKody></Trzba>';
$doc = new DOMDocument();
$doc->loadXML($text);
$text = $doc->C14N(true, true);
$hash = base64_encode(hash('sha256', $text, true));
echo $hash;
But I'm getting this hash: sQMcQ4plFh9J9ovXzCUmVcMPofSWlr93Ag+72o8761o=, however according to the example document, I should get this: /CJj9686ARgbV/YmDrr+1yhcaJuXu022cADK/M8efQs=.
So, what am I doing wrong?

I know this post is old but...
But I write here because I have the same issue even I use base64_encode()
I find a digested value but not the same as example.
But I don't know if I must encode my data on UTF-8 before like that
$digestedValue = base64_encode(hash('sha256',utf8_encode($doxXml->C14N()),true));
Or like that with another function
$digestedValue = base64_encode(openssl_digest(utf8_encode($doxXml->C14N()),'sha256',true));
Using encode_utf8() changes the digested value if any characters that need to be encoded in UTF8 are present... So... Should we use... or not?

xmldsig php do not add signing info in XML

sorry of my English :) .
I neeed to write signing block in XML like it:
ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#gost34310-gost34311"/>
<ds:Reference>
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#gost34311"/>
<ds:DigestValue>drvEZVSz3nSXHVI6+iRSDXZDGud9Ay56LLfMkpQkRp4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>/4ASSFXCsdsdMuwM9kw0riDbhhtLR/+UKZKNO51HbACu5DM
SLmmAmp5FwFHdsGtBQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
I find this in GIT : https://github.com/Maks3w/xmldsig
my code is:
$data = new DOMDocument();
$data->load(__DIR__ . '/newdata.xml');
$xmlTool = new FR3D\XmlDSig\Adapter\XmlseclibsAdapter();
$xmlTool->setPrivateKey(file_get_contents('C:\xampp\htdocs\EgovPayments\private1.pem'));
$publicKey=$xmlTool->getPublicKey();
//echo 'public key is:'.$publicKey;
$xmlTool->setPublicKey($publicKey);
$xmlTool->addTransform(FR3D\XmlDSig\Adapter\AdapterInterface::ENVELOPED);
$xmlTool->setCanonicalMethod('http://www.w3.org/2001/10/xml-exc-c14n#');
$xmlTool->sign($data);
$data->saveXML();
But nothing changed in newdata.xml, how it work with xmldsig in PHP?
thx

The function DOMDocument::saveXML() returns string. It is not to update file.
http://php.net/manual/en/domdocument.savexml.php

i've got the same problem - but find the following function "insertSignature" in the seclib.
if you use the Adapter add the following line to the end of the verify-function:
$objXMLSecDSig->insertSignature($data->getElementsByTagName("Security")->item(0));

XPath for Assertion Token

I am writing a PHP script which needs to get an Assertion token as part of a process to log into SharePoint online. I am able to get an envelope response which includes the token I need.
How would I parse out the saml:Assertion portion of this response?
<s:Envelope xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue</a:Action>
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
<u:Timestamp u:Id="_0">
<u:Created>2014-07-01T13:50:22.480Z</u:Created>
<u:Expires>2014-07-01T13:55:22.480Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body>
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:Lifetime>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-07-01T13:50:22.476Z</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-07-01T14:50:22.476Z</wsu:Expires>
</t:Lifetime>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>urn:federation:MicrosoftOnline</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<t:RequestedSecurityToken>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_56f0eee3-ca21-4885-a40d-4ae543e9bfc8" Issuer="http://paychex.com/adfs/services/trust/" IssueInstant="2014-07-01T13:50:22.480Z">
<saml:Conditions NotBefore="2014-07-01T13:50:22.476Z" NotOnOrAfter="2014-07-01T14:50:22.476Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">qo3X1/EAe0Ci5pXaS+p8JA==</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
<saml:AttributeValue>email#email.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
<saml:AttributeValue>qo3X1/p8JA==</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2014-07-01T13:50:22.473Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">qo3X1/EAe0p8JA==</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_56f0eee3-ca21-4885-a40d-4ae543e9bfc8">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>ZzoryFYQWfks=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>UnHrvM3vUE6l4HlpsuBX7E79750MNWASBuVNIVJ01QJSID8w3IHkjfMWCjidty7F96obL5Ah6o/UY55dMjbiyWt9gyToQPrGBPjG+VX3pEz8XpXV4jrYYXJ/YMpHxdzD/OBzR/bpA+lzebkuP19woqV49ScmJ5TN4b26LEW/ynogYnNl7EEBAJR0wL9CjY6uQCNaERY0X29nyNusQyNTNW4jGeMyBu9KnfVRpVyROd4QxfwV/F8OwGlePRGPypN/VYnLRjfizS674XJ31VmLERwxgn5Xx/0bKDsNw7c5G2qFZmSi7YUxccwMxU6Ypih7D5i73uPrk7oMnRbMHsyxCQ==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIIC3DCCAcSgAwIBAgIQXIfoKmHCypFBv4Ze44WbzzANBgkqhkiG9w0BAQsFADAqMSgwJgYDVQQDEx9BREZTIFNpZ25pbmcgLSBhZGZzLnBheWNoZXguY29tMB4XDTE0MDQyNDAyMDY1NloXDTE5MDQyMzAyMDY1NlowKjEoMCYGA1UEAxMfQURkhc6NJSB8fJK+Uf/ldkC8VISTp7CW9S3TwXHKn4plqMLSY7NRYII4OPDkLXA9dGx3FQGNQoTe/uH1JGaNZlAGJp4W2Sz9r1i9Ry4lu+L0G3Q==</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
</saml:Assertion>
</t:RequestedSecurityToken>
<t:RequestedAttachedReference>
<o:SecurityTokenReference xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_56f0eee3-ca21-4885-a40d-4ae543e9bfc8</o:KeyIdentifier>
</o:SecurityTokenReference>
</t:RequestedAttachedReference>
<t:RequestedUnattachedReference>
<o:SecurityTokenReference xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_56f0eee3-ca21-4885-a40d-4ae543e9bfc8</o:KeyIdentifier>
</o:SecurityTokenReference>
</t:RequestedUnattachedReference>
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
</t:RequestSecurityTokenResponse>
</s:Body>
</s:Envelope>
My PHP code snippet to parse this response is:
// Parse security token from response
$xml = new DOMDocument();
$xml->loadXML($result);
$xpath = new DOMXPath($xml);
$nodelist = $xpath->query("/*[local-name()='name']:Body/*[local-name()='name']:RequestSecurityTokenResponse/*[local-name()='name']:RequestedSecurityToken/*[local-name()='name']:Assertion");
foreach ($nodelist as $n){
return $n->nodeValue;
break;
}
Thanks for all your help,
Tim

I tried using //saml:Assertion but it did not work
You need to register the namespace prefix first - XPath expressions do not care what prefixes were used in the original document, you need to bind prefixes to namespaces yourself.
$xpath->registerNamespace("s", "urn:oasis:names:tc:SAML:1.0:assertion");
$nodelist = $xpath->query("//s:Assertion");
But this will probably still give you null because the "node value" of an element node in the DOM is defined in the spec to always be null. If you want the text inside an element node then you need to use textContent instead of nodeValue, but in this case you'll probably have to dig deeper into the tree to find the bit you actually want.

To simply extract the value, in XPath 1.0 you can use the following expression, which ignores namespaces:
/*[local-name()='Envelope']
/*[local-name()='Body']
/*[local-name()='RequestSecurityTokenResponse']
/*[local-name()='RequestedSecurityToken']
/*[local-name()='Assertion']
or using the descendant axis:
//*[local-name()='Assertion']
Ignoring namespaces should be a second option. If you can register them as suggested by #IanRoberts in the other answer it is better.
Any of these expressions will return a node-set containing all the Assertion elements found (the whole tree). The node value or text content of these nodes may not be what you want to select. For example, if you want to get the X509Certificate you should use a contextual XPath expression to that element and extract its text(). Same strategy should be used if you want an attribute of a child element.
Update The PHP code you added uses a for loop just to extract the first node. You could use item(0) for that. Assuming there is only one assertion, key, certificate, etc, in each document, you can use XPath expressions to extract exactly what you want. For example, to get the X509Certificate text (ignoring namespaces and intermediate location steps) you could use:
$key_cert = $xpath->query("//*[local-name()='X509Certificate']")->item(0)->textContent