I want to verify the signature for a soap request on a soap server implemented in php.
Server Code:
$Server = new SoapServer(); $d = new DOMDocument(); $d->load('php://input'); $s = new WSSESoapServer($d); try { if($s->process()) { // Valid signature $Server->handle($s->saveXML()); } else { throw new Exception('Invalid signature'); } } catch (Exception $e) { echo "server exception: " . $e; }
Error:
exception 'Exception' with message 'Error loading key to handle Signature' in /<path>/wse/src/WSSESoapServer.php:146
I have implemented a client for signing SOAP requests using this library: https://github.com/robrichards/wse-php . There are no examples of how to implement a server ...
How to download a public key to verify a signature?
[Edit] Now I was able to download the attached key using
$key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'public')); $key->loadKey(CERT, true);
I do not receive an error when verifying a signature:
$x = new XMLSecurityDSig(); $d = $x->locateSignature($soapDoc); $valid = $x->verify($key);
However, the value of $ valid is always false. I have no idea whether this is due to the key being loaded incorrectly or actually invalid. I can find very little information about implementing a SOAP server with PHP and no information about implementing a SOAP server that relies on verifying a signed request.
EXPLANATION
My client is talking to a remote web service and receiving a confirmation.
Then the remote server takes some time to process my request.
The remote client (which I do not control) then makes a request to my service.
The last step is where I am having trouble verifying the signature
source share