Can';t使用PHP SOAP扩展连接到具有WS-Security的SSL web服务-证书,复杂WSDL
使用PHP5 SOAP扩展,我无法使用客户端证书和WS-Security连接到具有https端点的web服务,尽管我可以使用完全相同的wsdl和客户端证书使用soapUI连接,并获得对请求的正常响应。没有HTTP身份验证,也不涉及代理。我收到的消息是“无法连接到主机”已经能够验证我没有攻击主机服务器。(早些时候我错误地说我正在点击服务器。) 自签名客户端SSL证书是由openssl从.p12密钥库转换而来的.pem文件,而该密钥库又由keytool从.jks密钥库转换而来,该密钥库具有一个由私钥和客户端证书组成的条目 在soapUI中,我不需要提供服务器私有证书,我只提供了wdsl和pem两个文件。我必须提供pem及其密码才能连接。我推测,尽管有错误消息,我的问题实际上可能是XML请求的形成,而不是SSL连接本身 我得到的wsdl具有嵌套的复杂类型。php服务器位于我的Windows XP笔记本电脑上,带有IIS 代码、数据值和WSDL提取如下所示。(WSSoapClient类只是扩展了SoapClient,添加了一个mustUnderstand=true的WS-Security用户名令牌头,并包含一个nonce,这两个都是soapUI调用所必需的。) 非常感谢您的帮助。我是一个新手,深陷其中,怎么可能!我已经在谷歌上做了很多天,根据许多建议,并阅读了凯文·麦克阿瑟的专业PHP。用类映射代替嵌套数组的尝试也失败了Can';t使用PHP SOAP扩展连接到具有WS-Security的SSL web服务-证书,复杂WSDL,php,soap,ssl,ws-security,client-certificates,Php,Soap,Ssl,Ws Security,Client Certificates,使用PHP5 SOAP扩展,我无法使用客户端证书和WS-Security连接到具有https端点的web服务,尽管我可以使用完全相同的wsdl和客户端证书使用soapUI连接,并获得对请求的正常响应。没有HTTP身份验证,也不涉及代理。我收到的消息是“无法连接到主机”已经能够验证我没有攻击主机服务器。(早些时候我错误地说我正在点击服务器。) 自签名客户端SSL证书是由openssl从.p12密钥库转换而来的.pem文件,而该密钥库又由keytool从.jks密钥库转换而来,该密钥库具有一个由私钥
代码
$connection如下: $clientArguments如下: 行动如下: 请求如下: 注意如何有一个额外的嵌套级别,一个数组包装请求本身就是一个数组。这是在一篇帖子中提出的,虽然我不明白原因,但它似乎有助于避免其他例外情况
_uuuusoapcall引发的异常如下所示:
以下是一些WSDL摘录(TIBCO BusinessWorks):
在这里,如果它与WSSoapClient类相关:
username'
' .
$this->password
' . base64_编码(pack('H*',$nonce))。'
' . $时间戳。”
';
$authvalues=newsoapvar($auth,XSD_ANYXML);
$header=新的SoapHeader(“http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd“,”安全性“,$authvalues,true);
返回$header;
}
//设置用户名和密码短语
公共函数\uuuu setUsernameToken($username,$password)
{
$this->username=$username;
$this->password=$password;
}
//覆盖原始方法,添加安全标头
公共函数\uuuSOAPCALL($function\u name,$arguments,$options=null,$input\u headers=null,$output\u headers=null)
{
尝试
{
$result=parent::uuSOAPCALL($function\u name,$arguments,$options,$this->wssecurity\u header());
返回$result;
}
捕获(例外$e)
{
抛出新异常(“soapCall中的异常,.$e->getMessage(),”\n”);
}
}
}
?>
<?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://startrackexpress/Common/Primitives/v1" xmlns:ns2="http://startrackexpress/Common/actions/externals/Consignment/v1" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<SOAP-ENV:Header> <wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken> <wsse:Username>DFU00050</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Fabricate1</wsse:Password>
<wsse:Nonce>M4FIeGA=</wsse:Nonce>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2010-10-29T14:05:27Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security> </SOAP-ENV:Header>
<SOAP-ENV:Body><ns2:getConsignmentDetailRequest>
<ns2:header><ns1:source>customerA</ns1:source><ns1:accountNo>10072906</ns1:accountNo></ns2:header>
<ns2:consignmentId>GKQ00000085</ns2:consignmentId>
</ns2:getConsignmentDetailRequest></SOAP-ENV:Body>
</SOAP-ENV:Envelope>
DFU00050
捏造
M4FIeGA=
2010-10-29T14:05:27Z
客户10072906
GKQ00000085
public function __doRequest($request, $location, $action, $version) {
echo "<p> " . htmlspecialchars($request) . " </p>" ;
return parent::__doRequest($request, $location, $action, $version);
}
public function\u doRequest($request、$location、$action、$version){
echo“”.htmlspecialchars($request)。“”;
返回父项::_doRequest($request、$location、$action、$version);
}
'allow_self-signed' => true
'allow_self_signed' => true
对于其他与星际轨道API斗争的人。这是我写的,通过卷曲来代替的类
Instructions:
Add the attached file to:
Client/Executables
Change line 28 from
class WSSoapClient extends SoapClient
To:
require('SoapClientCurl.class.php');
class WSSoapClient extends SoapClientCurl
<?php
/**
* Override to overcome problems with Startrack Self Signed SSL Certificates on
* certain server configurations.
*
* The important options here that aren't available in the SoapClient options are
* CURLOPT_SSLVERSION - Forces the SSl Version to 3
* CURLOPT_SSL_VERIFYHOST - Tells ssl not to care that the Startrack SSL certificate is for a different domain
* CURLOPT_SSL_VERIFYPEER - Tells ssl not to care that the Startrack SSL certificate is from a bogus CA (I think)
*
*/
class SoapClientCurl extends SoapClient
{
/**
*
* @param string $request - The XML SOAP request.
* @param string $location - The URL to request.
* @param string $action - The SOAP action.
* @param int $version - The SOAP version.
* @param boolean $one_way - If one_way is set to 1, this method returns nothing. Use this where a response is not expected.
* @throws SoapFault
* @return string|void
*/
public function __doRequest($request, $location, $action, $version, $one_way = 0)
{
$handle = curl_init();
curl_setopt($handle, CURLOPT_URL, $location);
curl_setopt($handle, CURLOPT_HTTPHEADER, array(
'Content-type: text/xml;charset="utf-8"',
'Accept: text/xml',
'Cache-Control: no-cache',
'Pragma: no-cache',
'SOAPAction: '.$action,
'Content-length: '.strlen($request))
);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($handle, CURLOPT_POSTFIELDS, $request);
curl_setopt($handle, CURLOPT_SSLVERSION, 3);
curl_setopt($handle, CURLOPT_PORT, 443);
curl_setopt($handle, CURLOPT_POST, true );
curl_setopt($handle, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($handle);
if(empty($response))
{
throw new SoapFault('CURL error: '.curl_error($handle), curl_errno($handle));
}
curl_close($handle);
if(1 !== $one_way)
{
return $response;
}
}
}
说明:
将附加文件添加到:
客户端/可执行文件
将第28行从
类WSSoapClient扩展了SoapClient
致:
require('SoapClientCurl.class.php');
类WSSoapClient扩展了SoapClientCurl
为什么SOAP不能从背后攻击自己呢?更正:我不是在攻击服务器。使用soapUI访问服务时,我注意到soapUI对它获得的客户端证书一点也不挑剔,只要它现在或过去某个时候找到了任何类型的客户端证书。因此,我正在重新检查我的证书是否正是PHP/SOAP所期望的,它无疑是更挑剔的。谢谢Robin!不幸的是没有运气。我删除了流上下文,没有更改。T
object(SoapFault)#6 (9) { ["message":protected]=>
string(25) "Could not connect to host" ["string":"Exception":private]=> string(0) ""
["code":protected]=> int(0) ["file":protected]=> string(43) "C:\Inetpub\wwwroot\eServices\WSSecurity.php"
["line":protected]=> int(85) ["trace":"Exception":private]=> array(5) { [0]=> array(6) {
["file"]=> string(43) "C:\Inetpub\wwwroot\eServices\WSSecurity.php" ["line"]=> int(85) ["function"]=> string(11) "__doRequest"
["class"]=> string(10) "SoapClient" ["type"]=> string(2) "->" ["args"]=> array(4) {
[0]=> string(1240) " DFU00050 Fabricate1 E0ByMUA= 2010-10-28T13:13:52Z customerA10072906GKQ00000085 "
[1]=> string(127) "https://services.startrackexpress.com.au:7560/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1"
[2]=> string(104) "/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1/getConsignmentDetails" [3]=> int(1) } }
[1]=> array(4) { ["function"]=> string(11) "__doRequest" ["class"]=> string(39) "startrackexpress\eservices\WSSoapClient"
["type"]=> string(2) "->" ["args"]=> array(5) { [0]=> string(1240) " DFU00050 Fabricate1 E0ByMUA= 2010-10-28T13:13:52Z customerA10072906GKQ00000085 "
[1]=> string(127) "https://services.startrackexpress.com.au:7560/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1"
[2]=> string(104) "/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1/getConsignmentDetails" [3]=> int(1) [4]=> int(0) } }
[2]=> array(6) { ["file"]=> string(43) "C:\Inetpub\wwwroot\eServices\WSSecurity.php" ["line"]=> int(70) ["function"]=> string(10) "__soapCall"
["class"]=> string(10) "SoapClient" ["type"]=> string(2) "->" ["args"]=> array(4) { [0]=> string(21) "getConsignmentDetails" [1]=> array(1) {
[0]=> array(2) { ["header"]=> array(2) { ["source"]=> string(9) "customerA" ["accountNo"]=> string(8) "10072906" }
["consignmentId"]=> string(11) "GKQ00000085" } } [2]=> NULL [3]=> object(SoapHeader)#5 (4) {
["namespace"]=> string(81) "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ["name"]=> string(8) "Security"
["data"]=> object(SoapVar)#4 (2) { ["enc_type"]=> int(147) ["enc_value"]=> string(594) " DFU00050 Fabricate1 E0ByMUA= 2010-10-28T13:13:52Z " }
["mustUnderstand"]=> bool(true) } } } [3]=> array(6) { ["file"]=> string(42) "C:\Inetpub\wwwroot\eServices\eServices.php"
["line"]=> int(87) ["function"]=> string(10) "__soapCall" ["class"]=> string(39) "startrackexpress\eservices\WSSoapClient"
["type"]=> string(2) "->" ["args"]=> array(2) { [0]=> string(21) "getConsignmentDetails" [1]=> array(1) { [0]=> array(2) {
["header"]=> array(2) { ["source"]=> string(9) "customerA" ["accountNo"]=> string(8) "10072906" } ["consignmentId"]=> string(11) "GKQ00000085" } } } }
[4]=> array(6) { ["file"]=> string(58) "C:\Inetpub\wwwroot\eServices\EnquireConsignmentDetails.php" ["line"]=> int(44)
["function"]=> string(16) "invokeWebService" ["class"]=> string(38) "startrackexpress\eservices\STEeService" ["type"]=> string(2) "->"
["args"]=> array(3) { [0]=> array(5) { ["username"]=> string(10) "DFU00050 " ["password"]=> string(12) "Fabricate1 "
["wsdlFilespec"]=> string(63) "c:/inetpub/wwwroot/DMZExternalService_Concrete_WSDL_Staging.xml"
["localCertificateFilespec"]=> string(37) "c:/inetpub/wwwroot/ClientKeystore.pem" ["localCertificatePassphrase"]=> string(14) "password123456" }
[1]=> string(21) "getConsignmentDetails" [2]=> array(1) { [0]=> array(2) { ["header"]=> array(2) { ["source"]=> string(9) "customerA"
["accountNo"]=> string(8) "10072906" } ["consignmentId"]=> string(11) "GKQ00000085" } } } } }
["previous":"Exception":private]=> NULL ["faultstring"]=> string(25) "Could not connect to host" ["faultcode"]=> string(4) "HTTP" }
<xsd:complexType name="TransactionHeaderType">
<xsd:sequence>
<xsd:element name="source" type="xsd:string"/>
<xsd:element name="accountNo" type="xsd:integer"/>
<xsd:element name="userId" type="xsd:string" minOccurs="0"/>
<xsd:element name="transactionId" type="xsd:string" minOccurs="0"/>
<xsd:element name="transactionDatetime" type="xsd:dateTime" minOccurs="0"/>
</xsd:sequence>
</xsd:complexType>
<xsd:element name="getConsignmentDetailRequest">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="header" type="prim:TransactionHeaderType"/>
<xsd:element name="consignmentId" type="prim:ID" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="getConsignmentDetailResponse">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="consignment" type="freight:consignmentType" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="getConsignmentDetailRequest">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="header" type="prim:TransactionHeaderType"/>
<xsd:element name="consignmentId" type="prim:ID" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="getConsignmentDetailResponse">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="consignment" type="freight:consignmentType" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<wsdl:operation name="getConsignmentDetails">
<wsdl:input message="tns:getConsignmentDetailsRequest"/>
<wsdl:output message="tns:getConsignmentDetailsResponse"/>
<wsdl:fault name="fault1" message="tns:fault"/>
</wsdl:operation>
<wsdl:service name="ExternalOps">
<wsdl:port name="OperationsEndpoint1" binding="tns:OperationsEndpoint1Binding">
<soap:address location="https://services.startrackexpress.com.au:7560/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1"/>
</wsdl:port>
</wsdl:service>
<?PHP
namespace startrackexpress\eservices;
use SoapClient, SoapVar, SoapHeader;
class WSSoapClient extends SoapClient
{
private $username;
private $password;
/*Generates a WS-Security header*/
private function wssecurity_header()
{
$timestamp = gmdate('Y-m-d\TH:i:s\Z');
$nonce = mt_rand();
$passdigest = base64_encode(pack('H*', sha1(pack('H*', $nonce).pack('a*', $timestamp).pack('a*', $this->password))));
$auth = '
<wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>' . $this->username . '</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">' .
$this->password . '</wsse:Password>
<wsse:Nonce>' . base64_encode(pack('H*', $nonce)).'</wsse:Nonce>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">' . $timestamp . '</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
';
$authvalues = new SoapVar($auth, XSD_ANYXML);
$header = new SoapHeader("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "Security",$authvalues, true);
return $header;
}
// Sets a username and passphrase
public function __setUsernameToken($username,$password)
{
$this->username=$username;
$this->password=$password;
}
// Overwrites the original method, adding the security header
public function __soapCall($function_name, $arguments, $options=null, $input_headers=null, $output_headers=null)
{
try
{
$result = parent::__soapCall($function_name, $arguments, $options, $this->wssecurity_header());
return $result;
}
catch (exception $e)
{
throw new Exception("Exception in __soapCall, " . $e->getMessage(), "\n");
}
}
}
?>
<?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://startrackexpress/Common/Primitives/v1" xmlns:ns2="http://startrackexpress/Common/actions/externals/Consignment/v1" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<SOAP-ENV:Header> <wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken> <wsse:Username>DFU00050</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Fabricate1</wsse:Password>
<wsse:Nonce>M4FIeGA=</wsse:Nonce>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2010-10-29T14:05:27Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security> </SOAP-ENV:Header>
<SOAP-ENV:Body><ns2:getConsignmentDetailRequest>
<ns2:header><ns1:source>customerA</ns1:source><ns1:accountNo>10072906</ns1:accountNo></ns2:header>
<ns2:consignmentId>GKQ00000085</ns2:consignmentId>
</ns2:getConsignmentDetailRequest></SOAP-ENV:Body>
</SOAP-ENV:Envelope>
public function __doRequest($request, $location, $action, $version) {
echo "<p> " . htmlspecialchars($request) . " </p>" ;
return parent::__doRequest($request, $location, $action, $version);
}
'allow_self-signed' => true
'allow_self_signed' => true
Instructions:
Add the attached file to:
Client/Executables
Change line 28 from
class WSSoapClient extends SoapClient
To:
require('SoapClientCurl.class.php');
class WSSoapClient extends SoapClientCurl
<?php
/**
* Override to overcome problems with Startrack Self Signed SSL Certificates on
* certain server configurations.
*
* The important options here that aren't available in the SoapClient options are
* CURLOPT_SSLVERSION - Forces the SSl Version to 3
* CURLOPT_SSL_VERIFYHOST - Tells ssl not to care that the Startrack SSL certificate is for a different domain
* CURLOPT_SSL_VERIFYPEER - Tells ssl not to care that the Startrack SSL certificate is from a bogus CA (I think)
*
*/
class SoapClientCurl extends SoapClient
{
/**
*
* @param string $request - The XML SOAP request.
* @param string $location - The URL to request.
* @param string $action - The SOAP action.
* @param int $version - The SOAP version.
* @param boolean $one_way - If one_way is set to 1, this method returns nothing. Use this where a response is not expected.
* @throws SoapFault
* @return string|void
*/
public function __doRequest($request, $location, $action, $version, $one_way = 0)
{
$handle = curl_init();
curl_setopt($handle, CURLOPT_URL, $location);
curl_setopt($handle, CURLOPT_HTTPHEADER, array(
'Content-type: text/xml;charset="utf-8"',
'Accept: text/xml',
'Cache-Control: no-cache',
'Pragma: no-cache',
'SOAPAction: '.$action,
'Content-length: '.strlen($request))
);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($handle, CURLOPT_POSTFIELDS, $request);
curl_setopt($handle, CURLOPT_SSLVERSION, 3);
curl_setopt($handle, CURLOPT_PORT, 443);
curl_setopt($handle, CURLOPT_POST, true );
curl_setopt($handle, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($handle);
if(empty($response))
{
throw new SoapFault('CURL error: '.curl_error($handle), curl_errno($handle));
}
curl_close($handle);
if(1 !== $one_way)
{
return $response;
}
}
}