I'm trying to use the built-in SOAP client extension in PHP5 to send web service requests using SSL, a passphrase, and my keystore (X509 cert + Private Key). I'm working with the client in WSDL mode, and my WSDL is stored at an https address.

When I attempt to send a SOAP request to the web service, I see that the request is not sent using HTTPS or my SSL credentials (verified via tcpdump). The request is sent through HTTP and does not include the needed security elements like BinarySecurityToken or Signature.

Here is how I instantiate the SOAP client:

$this->_soapClient = new SoapClient($this->getWSDLLocation(), array(
	'passphrase' => $this->getSecretAccessKey(),
	'local_cert' => 'path/to/my-keystore.pem',
	'trace' => true, 
	'exceptions' => true
));

Here is how I send a request ($parameters is an associative array):

$response = $this->_soapClient->$action($parameters);

My questions are:

  1. What tips the PHP SOAP client off to use SSL?

  2. How can I get the SOAP client to use my local_cert and passphrase?

  3. Is local_cert supposed to be the absolute path to my keystore, containing something similar to this:

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----

    Note, I've tried changing PRIVATE KEY to RSA PRIVATE KEY, but with no success.

  4. Can the PHP SOAP Client add BinarySecurityTokens to the SOAP envelope? Similar to this:

    <wsse:BinarySecurityToken
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          wsu:Id="CertId-1064304">

  5. Can it also add stuff like a signature (using the passphrase I suppose)?

    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>

        <ds:Reference URI="#id-17984263">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
          <ds:DigestValue>0pjZ1+TvgPf6uG7o+Yp3l2YdGZ4=</ds:DigestValue>
        </ds:Reference>

        <ds:Reference URI="#id-15778003">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
          <ds:DigestValue>HhRbxBBmc2OO348f8nLNZyo4AOM=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>

      <ds:SignatureValue>bmVx24Qom4kd9QQtclxWIlgLk4QsQBPaKESi79x479xgbO9PEStXMiHZuBAi9luuKdNTcfQ8UE/d
        jjHKZKEQRCOlLVy0Dn5ZL1RlMHsv+OzJzzvIJFTq3LQKNrzJzsNe</ds:SignatureValue>

      <ds:KeyInfo Id="KeyId-17007273">
        <wsse:SecurityTokenReference
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-22438818">
          <wsse:Reference URI="#CertId-1064304"
            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
          </wsse:Reference>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
    </ds:Signature>

Anyone have any tips or pointers? Should I be using a different SOAP client, like nuSOAP?

Thanks
-Chewbacca
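An added example, not code from the original post, illustrating the points behind questions 1 to 3. PHP's SoapClient decides on TLS purely from the endpoint URL: the soap:address in the WSDL, or the 'location' option when it is given. Fetching the WSDL over https does nothing if the address inside it is http. 'local_cert' expects a PEM file holding the certificate followed by its private key, and 'passphrase' unlocks that key; both only configure the TLS client certificate and never add WS-Security elements (BinarySecurityToken, ds:Signature) to the envelope, which SoapClient cannot produce on its own and needs a separate WS-Security/XML-DSig library for. The URLs, file paths, the makeClient() helper and the InspectingSoapClient class below are this example's own assumptions.

```php
<?php
// Added example, not code from the original post. Assumed names:
// https://example.invalid/service?wsdl, path/to/my-keystore.pem,
// path/to/ca-bundle.pem; makeClient() and InspectingSoapClient are hypothetical.

/**
 * SoapClient subclass that records the endpoint it is about to call and
 * refuses to send anything over plain HTTP. SoapClient chooses the transport
 * from the endpoint URL only (soap:address from the WSDL, or the 'location'
 * option). 'local_cert'/'passphrase' set up the TLS client certificate for
 * that connection; they do not add WS-Security headers to the SOAP body.
 */
class InspectingSoapClient extends SoapClient
{
    public $lastLocation = null;

    public function __doRequest($request, $location, $action, $version, $oneWay = 0)
    {
        $this->lastLocation = $location;
        if (parse_url($location, PHP_URL_SCHEME) !== 'https') {
            // Fail closed: a client certificate must never be used over http.
            throw new SoapFault('Client', "Refusing non-TLS endpoint: $location");
        }
        return parent::__doRequest($request, $location, $action, $version, $oneWay);
    }
}

/**
 * Builds a client with server verification on and a client certificate loaded.
 * 'verify_peer_name' exists from PHP 5.6; older PHP 5 only offers
 * 'verify_peer', 'cafile' and 'CN_match'.
 */
function makeClient($wsdlUrl, $endpointUrl, $keystorePem, $passphrase, $caBundle)
{
    $context = stream_context_create(array(
        'ssl' => array(
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'allow_self_signed' => false,
            'cafile'            => $caBundle,     // CA(s) that issued the server cert
            'local_cert'        => $keystorePem,  // PEM: certificate, then private key
            'passphrase'        => $passphrase,
        ),
    ));

    return new InspectingSoapClient($wsdlUrl, array(
        'location'       => $endpointUrl,  // overrides soap:address from the WSDL
        'local_cert'     => $keystorePem,
        'passphrase'     => $passphrase,
        'stream_context' => $context,
        'trace'          => true,
        'exceptions'     => true,
    ));
}

/**
 * Returns every soap:address location declared in a WSDL document, so a
 * plain-http endpoint can be spotted before any request is sent.
 */
function endpointsInWsdl($wsdlXml)
{
    $dom = new DOMDocument();
    $dom->loadXML($wsdlXml);
    $xp = new DOMXPath($dom);
    $xp->registerNamespace('soap', 'http://schemas.xmlsoap.org/wsdl/soap/');
    $found = array();
    foreach ($xp->query('//soap:address/@location') as $attr) {
        $found[] = $attr->value;
    }
    return $found;
}

// Constructed WSDL fragment: the document itself may be served over https,
// but the service address inside it is http, which is what tcpdump then shows.
$wsdlSample = '<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <service name="Demo">
    <port name="DemoPort">
      <soap:address location="http://example.invalid/service"/>
    </port>
  </service>
</definitions>';

foreach (endpointsInWsdl($wsdlSample) as $loc) {
    $scheme = parse_url($loc, PHP_URL_SCHEME);
    echo "WSDL endpoint: $loc (" . ($scheme === 'https' ? 'TLS' : 'PLAINTEXT') . ")\n";
}

// Live use (needs network access and the files named above):
// $client = makeClient('https://example.invalid/service?wsdl',
//                      'https://example.invalid/service',
//                      'path/to/my-keystore.pem', 'my-passphrase',
//                      'path/to/ca-bundle.pem');
// $response = $client->SomeAction(array('param' => 'value'));
```

Running the file offline only exercises endpointsInWsdl() on the constructed WSDL and reports the http address as PLAINTEXT; with the 'location' override in makeClient() the client talks to the https endpoint regardless of what the WSDL declares, and __doRequest() aborts rather than sending the client certificate handshake or the request body over http.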
