I have two XML files with the following structure:
Private key
<RSAKeyValue>
<Modulus> ... </Modulus>
<Exponent> ... </Exponent>
<P> ... </P>
<Q> ... </Q>
<DP> ... </DP>
<DQ> ... </DQ>
<InverseQ> ... </InverseQ>
<D> ... </D>
</RSAKeyValue>
Public key
<RSAKeyValue>
<Modulus> ... </Modulus>
<Exponent> ... </Exponent>
</RSAKeyValue>
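I'm using Robert Richards' xmlseclibs library, which requires a .PEM representation of the key in order to encrypt and decrypt.
As an encryption newbie, I don't know where to start, and a cursory Google search didn't reveal anything particularly obvious...
Thanks!

I'm currently developing a WS client that needs to sign requests before sending them to the server. I have a private key and a certificate for this purpose, but I'm struggling with the security header. The expected structure of the output XML should look like this: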
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-45..."
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> ... </wsse:BinarySecurityToken><ds:Signature Id="Signature-13"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-14">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>62...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
...
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-...">
<wsse:SecurityTokenReference wsu:Id="STRId-..." xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:Reference URI="#CertId-..." ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature></wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="id-14" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
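I tried using xmlseclibs, but I can't figure out how to include all the required information, because the examples are very basic.
I guess I could go the DIY way and build the header manually, but I'd like to keep it as simple as possible.
Any clues?

I'm currently using SoapClient for this task. The thing is, I don't know how to do it. The XML I send needs to have its content signed, which I do manually (using the c14n function and computing its digest...). However, to do the same for the whole body I need access to the raw XML (I think), so I don't think that will work.
I haven't tried creating the SOAP header manually because I'm trying to avoid any hacks. I'm looking for something that is both easy to implement and easy to use.
My code currently looks like this (kept to a minimum for readability):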
$context = stream_context_create(array(
'ssl' => array(
'verify_peer' => false,
'allow_self_signed' => true,
'ciphers'=>'SSLv3'
)
));
$client = new SoapClient($url, array(
//'connection_timeout' => 100,
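/* …

I'm having trouble validating the XML signature of a SAML 2.0 assertion. I'm using the SAML2 library from the simpleSAMLphp project, which in turn uses the PHP xmlseclibs library to sign XML and verify signatures.
I received the following assertion from my partner: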
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_c43265fe-8cd5-410f-b63d-dac9f266d4c9" IssueInstant="2015-01-23T17:46:28.456Z"><saml:Issuer>uat.test.com/saml2.0</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#_c43265fe-8cd5-410f-b63d-dac9f266d4c9"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default saml ds xs xsi"/></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>mFKEIdw+cEielORqscbHuAJhI58=</DigestValue></Reference></SignedInfo><SignatureValue>kEZHloxYJVqDg8oxLNpl+sbJYhv9r7yYU5yQi71gCNm/Cdtj9/P2LR5cnopKZZu+7j3PVimeZoir6RTTrdVKTLkp+PmvOmTlLH/LVtntQZ68TaUxUd3BvtQiKuJ8KFwWPmQ+W3RIKv4ySAsy6PUiWPcr8eIYpIiUA6rxCuSEpdA=</SignatureValue><KeyInfo><X509Data><X509Certificate>MIICczCCAdygAwIBAgIEdWfFczANBgkqhkiG9w0BAQUFADB0MQswCQYDVQQIEwJNQTEQMA4GA1UEBxMHTm9yd29vZDEPMA0GA1UEChMGTWVyY2VyMRswGQYDVQQLExJNZXJjZXIgSFIgU2VydmljZXMxJTAjBgNVBAMTHE1lcmNlciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDcwNjI5MDI1NTQxWhcNMTcwNzI5MDQwMDAwWjB2MQswCQYDVQQIEwJNQTEQMA4GA1UEBxMHTm9yd29vZDEPMA0GA1UEChMGTWVyY2VyMRswGQYDVQQLExJNZXJjZXIgSFIgU2VydmljZXMxJzAlBgNVBAMTHk1lcmNlciBIdW1hbiBSZXNvdXJjZSBTZXJ2aWNlczCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAm9KNx7UmRbWwJ0gmIV9sZzMDH4uz+o6ZmOxVRLvrO0Yzc9Qsc+7f+jIEGsVpbeaj5zx+4c8g46QqGam/Ap+4peewduVAN7GwK8UrmveASQH1Y/byTVGhyndfEtHfauresYpNDbgCn/iq/cXNapuFaTB4U0MPtz8Bqds1871hNasCAwEAAaMQMA4wDAYDVR0PBAUDAwf/gDANBgkqhkiG9w0BAQUFAAOBgQBR5wV43k1XcIM7z24SBvpEDWgEawXZ3TjTI9/54v/ZAdzXAiYfLKVV+hiyum+QP9jezDUH+Wz2bqzjlxOSU7HvUn4MwN+88a1hvSXpPxsp7y4d7juVt66aip/9NuSWbNqUPdhgK/KvMHrZpksCoxUJG2+Q1Jz7aNiBQvONRRPdTg==<
/X509Certificate></X509Data></KeyInfo></Signature><saml:Subject><saml:NameID>000786320</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2015-01-23T17:51:28.471Z" Recipient="https://test.com/sso"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2015-01-23T17:41:28.456Z" NotOnOrAfter="2015-01-23T17:51:28.456Z"><saml:AudienceRestriction><saml:Audience>test.com:saml2.0</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2015-01-23T17:46:28.456Z" SessionIndex="SI-8bd89651-62da-4b7d-9a54-04eb2eb90784"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="email"><saml:AttributeValue>invalidemail@invalid.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="firstName"><saml:AttributeValue>Diane</saml:AttributeValue></saml:Attribute><saml:Attribute Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="lastname"><saml:AttributeValue>Test</saml:AttributeValue></saml:Attribute><saml:Attribute Name="zipCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="zipCode"><saml:AttributeValue>02062</saml:AttributeValue></saml:Attribute><saml:Attribute Name="businessUnit" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="businessUnit"><saml:AttributeValue>78945</saml:AttributeValue></saml:Attribute><saml:Attribute Name="employeeID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" 
FriendlyName="employeeID"><saml:AttributeValue>000786320</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>
The signature element requests exclusive C14N canonicalization. The xmlseclibs library canonicalizes it as follows:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_c43265fe-8cd5-410f-b63d-dac9f266d4c9" IssueInstant="2015-01-23T17:46:28.456Z" Version="2.0"><saml:Issuer>uat.test.com/saml2.0</saml:Issuer><saml:Subject><saml:NameID>000786320</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2015-01-23T17:51:28.471Z" Recipient="https://test.com/sso"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2015-01-23T17:41:28.456Z" NotOnOrAfter="2015-01-23T17:51:28.456Z"><saml:AudienceRestriction><saml:Audience>test.com:saml2.0</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2015-01-23T17:46:28.456Z" SessionIndex="SI-8bd89651-62da-4b7d-9a54-04eb2eb90784"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute FriendlyName="email" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>invalidemail@invalid.com</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="firstName" Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>Diane</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="lastname" Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>Test</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="zipCode" Name="zipCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue>02062</saml:AttributeValue></saml:Attribute><saml:Attribute FriendlyName="businessUnit" Name="businessUnit" …

I need to validate, server-side with PHP, in-app purchases made in a Windows 8 app. MSDN's documentation page only has an example in C#. I have now spent a whole day looking for a way to do this in PHP. No success. Across the whole internet there are only .NET examples on this topic.
I found some partial information about signed XML and x509, and some libraries (xmlseclibs - useless, uses openssl_* functions that do not support sha256; phpseclib - looks promising, but their documentation and examples are poor and no help at all).
Is it possible to get this done somehow without learning everything about signed XML, RSA and x509? By now I have read almost everything, but everywhere the information is about encoding. Nothing about verification.
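
I have signed the XML, but I don't know how to include a KeyValue element in the signature. Having some documentation would save a lot of time.
The code below (in case you're interested) is what I've done so far with xmlseclibs: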
<?php
require('xmlseclibs.php');
XML string
$getToken = '<getToken>
<item>
<Semilla>Random string</Semilla>
</item>
</getToken>';
Create the XML object (to be signed)
$getToken_DOMDocument = new DOMDocument();
$getToken_DOMDocument -> loadXml($getToken);
Create the signature object with xmlseclibs
$getToken_XMLSecurityDSig = new XMLSecurityDSig();
$getToken_XMLSecurityDSig -> setCanonicalMethod(XMLSecurityDSig::C14N);
Tried to turn off the ds: prefix, but it doesn't work
$options['prefix'] = '';
$options['prefix_ns'] = '';
$options['force_uri'] = TRUE;
$options['id_name'] = 'ID';
$getToken_XMLSecurityDSig -> addReference($getToken_DOMDocument, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315'), $options);
Access the necessary key data
$XMLSecurityKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));
$XMLSecurityKey -> loadKey('../../DTE/certificado/firma/certificado.pem', TRUE);
/* if key has Passphrase, set it using $objKey -> …