無法使用PHP SOAP擴展使用WS-Security連接到SSL Web服務-證書,復雜的WSDL
[英]Can't connect to SSL web service with WS-Security using PHP SOAP extension - certificate, complex WSDL
問題描述
使用PHP5 SOAP擴展,我無法使用客戶端證書和WS-Security連接到具有https端點的Web服務,盡管我可以使用具有完全相同的wsdl和客戶端證書的soapUI進行連接,並獲得對請求。 沒有HTTP身份驗證,也沒有代理。 我收到的消息是“無法連接到主機”。 能夠驗證我沒有擊中主機服務器。 (以前我錯誤地說我在打服務器。)
自簽名客戶端SSL證書是一個.pem文件,由openssl從.p12密鑰庫轉換而來,而該文件又由keytool從.jks密鑰庫轉換而來,該.jks密鑰庫具有一個包含私鑰和客戶端證書的條目。
在soapUI中,我不需要提供服務器專用證書,我給它的僅有的兩個文件是wdsl和pem。 我確實必須提供pem及其密碼才能連接。 我推測盡管有錯誤消息,但我的問題實際上可能是XML請求而不是SSL連接本身形成的。
我得到的wsdl具有嵌套的復雜類型。 php服務器在帶有IIS的Windows XP筆記本電腦上。
代碼,數據值和WSDL提取如下所示。 (WSSoapClient類簡單地擴展了SoapClient,添加了一個具有mustUnderstand = true的WS-Security用戶名令牌標頭,並包含一個現成的值,兩個都需要soapUI調用。)
非常感謝您的幫助。 我是一個新手,怎么了! 經過許多建議,經過許多天的大量Google搜尋,並閱讀了Kevin McArthur撰寫的Pro PHP。 使用類映射代替嵌套數組的嘗試也失敗了。
編碼
class STEeService
{
public function invokeWebService(array $connection, $operation, array $request)
{
try
{
$localCertificateFilespec = $connection['localCertificateFilespec'];
$localCertificatePassphrase = $connection['localCertificatePassphrase'];
$sslOptions = array(
'ssl' => array(
'local_cert' => $localCertificateFilespec,
'passphrase' => $localCertificatePassphrase,
'allow_self-signed' => true,
'verify_peer' => false
)
);
$sslContext = stream_context_create($sslOptions);
$clientArguments = array(
'stream_context' => $sslContext,
'local_cert' => $localCertificateFilespec,
'passphrase' => $localCertificatePassphrase,
'trace' => true,
'exceptions' => true,
'encoding' => 'UTF-8',
'soap_version' => SOAP_1_1
);
$oClient = new WSSoapClient($connection['wsdlFilespec'], $clientArguments);
$oClient->__setUsernameToken($connection['username'], $connection['password']);
return $oClient->__soapCall($operation, $request);
}
catch (exception $e)
{
throw new Exception("Exception in eServices " . $operation . " ," . $e->getMessage(), "\n");
}
}
}
$ connection如下:
array(5) { ["username"]=> string(8) "DFU00050"
["password"]=> string(10) "Fabricate1"
["wsdlFilespec"]=>
string (63) "c:/inetpub/wwwroot/DMZExternalService_Concrete_WSDL_Staging.xml"
["localCertificateFilespec"]=> string(37)
"c:/inetpub/wwwroot/ClientKeystore.pem"
["localCertificatePassphrase"]=> string(14) "password123456" }
$ clientArguments如下:
array(7) { ["stream_context"]=> resource(8) of type (stream-context)
["local_cert"]=> string(37) "c:/inetpub/wwwroot/ClientKeystore.pem"
["passphrase"]=> string(14) "password123456"
["trace"]=> bool(true) ["exceptions"]=> bool(true) ["encoding"]=> string(5) "UTF-8"
["soap_version"]=> int(1) }
$ operation如下:
'getConsignmentDetails'
$ request如下:
array(1) { [0]=> array(2) { ["header"]=> array(2) {
["source"]=> string(9) "customerA" ["accountNo"]=> string(8) "10072906" }
["consignmentId"]=> string(11) "GKQ00000085" } }
請注意 ,嵌套是如何進行的,嵌套是一個包裝請求的數組,它本身就是一個數組。 盡管我不知道原因,但在帖子中建議這樣做,但這似乎有助於避免其他異常。
___soapCall引發的異常如下:
object(SoapFault)#6 (9) { ["message":protected]=>
string(25) "Could not connect to host" ["string":"Exception":private]=> string(0) ""
["code":protected]=> int(0) ["file":protected]=> string(43) "C:\Inetpub\wwwroot\eServices\WSSecurity.php"
["line":protected]=> int(85) ["trace":"Exception":private]=> array(5) { [0]=> array(6) {
["file"]=> string(43) "C:\Inetpub\wwwroot\eServices\WSSecurity.php" ["line"]=> int(85) ["function"]=> string(11) "__doRequest"
["class"]=> string(10) "SoapClient" ["type"]=> string(2) "->" ["args"]=> array(4) {
[0]=> string(1240) " DFU00050 Fabricate1 E0ByMUA= 2010-10-28T13:13:52Z customerA10072906GKQ00000085 "
[1]=> string(127) "https://services.startrackexpress.com.au:7560/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1"
[2]=> string(104) "/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1/getConsignmentDetails" [3]=> int(1) } }
[1]=> array(4) { ["function"]=> string(11) "__doRequest" ["class"]=> string(39) "startrackexpress\eservices\WSSoapClient"
["type"]=> string(2) "->" ["args"]=> array(5) { [0]=> string(1240) " DFU00050 Fabricate1 E0ByMUA= 2010-10-28T13:13:52Z customerA10072906GKQ00000085 "
[1]=> string(127) "https://services.startrackexpress.com.au:7560/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1"
[2]=> string(104) "/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1/getConsignmentDetails" [3]=> int(1) [4]=> int(0) } }
[2]=> array(6) { ["file"]=> string(43) "C:\Inetpub\wwwroot\eServices\WSSecurity.php" ["line"]=> int(70) ["function"]=> string(10) "__soapCall"
["class"]=> string(10) "SoapClient" ["type"]=> string(2) "->" ["args"]=> array(4) { [0]=> string(21) "getConsignmentDetails" [1]=> array(1) {
[0]=> array(2) { ["header"]=> array(2) { ["source"]=> string(9) "customerA" ["accountNo"]=> string(8) "10072906" }
["consignmentId"]=> string(11) "GKQ00000085" } } [2]=> NULL [3]=> object(SoapHeader)#5 (4) {
["namespace"]=> string(81) "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ["name"]=> string(8) "Security"
["data"]=> object(SoapVar)#4 (2) { ["enc_type"]=> int(147) ["enc_value"]=> string(594) " DFU00050 Fabricate1 E0ByMUA= 2010-10-28T13:13:52Z " }
["mustUnderstand"]=> bool(true) } } } [3]=> array(6) { ["file"]=> string(42) "C:\Inetpub\wwwroot\eServices\eServices.php"
["line"]=> int(87) ["function"]=> string(10) "__soapCall" ["class"]=> string(39) "startrackexpress\eservices\WSSoapClient"
["type"]=> string(2) "->" ["args"]=> array(2) { [0]=> string(21) "getConsignmentDetails" [1]=> array(1) { [0]=> array(2) {
["header"]=> array(2) { ["source"]=> string(9) "customerA" ["accountNo"]=> string(8) "10072906" } ["consignmentId"]=> string(11) "GKQ00000085" } } } }
[4]=> array(6) { ["file"]=> string(58) "C:\Inetpub\wwwroot\eServices\EnquireConsignmentDetails.php" ["line"]=> int(44)
["function"]=> string(16) "invokeWebService" ["class"]=> string(38) "startrackexpress\eservices\STEeService" ["type"]=> string(2) "->"
["args"]=> array(3) { [0]=> array(5) { ["username"]=> string(10) "DFU00050 " ["password"]=> string(12) "Fabricate1 "
["wsdlFilespec"]=> string(63) "c:/inetpub/wwwroot/DMZExternalService_Concrete_WSDL_Staging.xml"
["localCertificateFilespec"]=> string(37) "c:/inetpub/wwwroot/ClientKeystore.pem" ["localCertificatePassphrase"]=> string(14) "password123456" }
[1]=> string(21) "getConsignmentDetails" [2]=> array(1) { [0]=> array(2) { ["header"]=> array(2) { ["source"]=> string(9) "customerA"
["accountNo"]=> string(8) "10072906" } ["consignmentId"]=> string(11) "GKQ00000085" } } } } }
["previous":"Exception":private]=> NULL ["faultstring"]=> string(25) "Could not connect to host" ["faultcode"]=> string(4) "HTTP" }
以下是一些WSDL摘錄(TIBCO BusinessWorks):
<xsd:complexType name="TransactionHeaderType">
<xsd:sequence>
<xsd:element name="source" type="xsd:string"/>
<xsd:element name="accountNo" type="xsd:integer"/>
<xsd:element name="userId" type="xsd:string" minOccurs="0"/>
<xsd:element name="transactionId" type="xsd:string" minOccurs="0"/>
<xsd:element name="transactionDatetime" type="xsd:dateTime" minOccurs="0"/>
</xsd:sequence>
</xsd:complexType>
<xsd:element name="getConsignmentDetailRequest">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="header" type="prim:TransactionHeaderType"/>
<xsd:element name="consignmentId" type="prim:ID" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="getConsignmentDetailResponse">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="consignment" type="freight:consignmentType" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="getConsignmentDetailRequest">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="header" type="prim:TransactionHeaderType"/>
<xsd:element name="consignmentId" type="prim:ID" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name="getConsignmentDetailResponse">
<xsd:complexType>
<xsd:sequence>
<xsd:element name="consignment" type="freight:consignmentType" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<wsdl:operation name="getConsignmentDetails">
<wsdl:input message="tns:getConsignmentDetailsRequest"/>
<wsdl:output message="tns:getConsignmentDetailsResponse"/>
<wsdl:fault name="fault1" message="tns:fault"/>
</wsdl:operation>
<wsdl:service name="ExternalOps">
<wsdl:port name="OperationsEndpoint1" binding="tns:OperationsEndpoint1Binding">
<soap:address location="https://services.startrackexpress.com.au:7560/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1"/>
</wsdl:port>
</wsdl:service>
如果相關,這里是WSSoapClient類:
<?PHP
namespace startrackexpress\eservices;
use SoapClient, SoapVar, SoapHeader;
class WSSoapClient extends SoapClient
{
private $username;
private $password;
/*Generates a WS-Security header*/
private function wssecurity_header()
{
$timestamp = gmdate('Y-m-d\TH:i:s\Z');
$nonce = mt_rand();
$passdigest = base64_encode(pack('H*', sha1(pack('H*', $nonce).pack('a*', $timestamp).pack('a*', $this->password))));
$auth = '
<wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>' . $this->username . '</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">' .
$this->password . '</wsse:Password>
<wsse:Nonce>' . base64_encode(pack('H*', $nonce)).'</wsse:Nonce>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">' . $timestamp . '</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
';
$authvalues = new SoapVar($auth, XSD_ANYXML);
$header = new SoapHeader("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "Security",$authvalues, true);
return $header;
}
// Sets a username and passphrase
public function __setUsernameToken($username,$password)
{
$this->username=$username;
$this->password=$password;
}
// Overwrites the original method, adding the security header
public function __soapCall($function_name, $arguments, $options=null, $input_headers=null, $output_headers=null)
{
try
{
$result = parent::__soapCall($function_name, $arguments, $options, $this->wssecurity_header());
return $result;
}
catch (exception $e)
{
throw new Exception("Exception in __soapCall, " . $e->getMessage(), "\n");
}
}
}
?>
更新:
請求XML將如下所示:
<?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://startrackexpress/Common/Primitives/v1" xmlns:ns2="http://startrackexpress/Common/actions/externals/Consignment/v1" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<SOAP-ENV:Header> <wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken> <wsse:Username>DFU00050</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Fabricate1</wsse:Password>
<wsse:Nonce>M4FIeGA=</wsse:Nonce>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2010-10-29T14:05:27Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security> </SOAP-ENV:Header>
<SOAP-ENV:Body><ns2:getConsignmentDetailRequest>
<ns2:header><ns1:source>customerA</ns1:source><ns1:accountNo>10072906</ns1:accountNo></ns2:header>
<ns2:consignmentId>GKQ00000085</ns2:consignmentId>
</ns2:getConsignmentDetailRequest></SOAP-ENV:Body>
</SOAP-ENV:Envelope>
這是通過WSSoapClient中的以下代碼獲得的:
public function __doRequest($request, $location, $action, $version) {
echo "<p> " . htmlspecialchars($request) . " </p>" ;
return parent::__doRequest($request, $location, $action, $version);
}
3 個解決方案
解決方案1
3 2011-09-16 20:24:15
對於任何其他使用startrack API的人。 這是我編寫的通過CURL代替的課程。
Instructions:
Add the attached file to:
Client/Executables
Change line 28 from
class WSSoapClient extends SoapClient
To:
require('SoapClientCurl.class.php');
class WSSoapClient extends SoapClientCurl
<?php
/**
* Override to overcome problems with Startrack Self Signed SSL Certificates on
* certain server configurations.
*
* The important options here that aren't available in the SoapClient options are
* CURLOPT_SSLVERSION - Forces the SSl Version to 3
* CURLOPT_SSL_VERIFYHOST - Tells ssl not to care that the Startrack SSL certificate is for a different domain
* CURLOPT_SSL_VERIFYPEER - Tells ssl not to care that the Startrack SSL certificate is from a bogus CA (I think)
*
*/
class SoapClientCurl extends SoapClient
{
/**
*
* @param string $request - The XML SOAP request.
* @param string $location - The URL to request.
* @param string $action - The SOAP action.
* @param int $version - The SOAP version.
* @param boolean $one_way - If one_way is set to 1, this method returns nothing. Use this where a response is not expected.
* @throws SoapFault
* @return string|void
*/
public function __doRequest($request, $location, $action, $version, $one_way = 0)
{
$handle = curl_init();
curl_setopt($handle, CURLOPT_URL, $location);
curl_setopt($handle, CURLOPT_HTTPHEADER, array(
'Content-type: text/xml;charset="utf-8"',
'Accept: text/xml',
'Cache-Control: no-cache',
'Pragma: no-cache',
'SOAPAction: '.$action,
'Content-length: '.strlen($request))
);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($handle, CURLOPT_POSTFIELDS, $request);
curl_setopt($handle, CURLOPT_SSLVERSION, 3);
curl_setopt($handle, CURLOPT_PORT, 443);
curl_setopt($handle, CURLOPT_POST, true );
curl_setopt($handle, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($handle);
if(empty($response))
{
throw new SoapFault('CURL error: '.curl_error($handle), curl_errno($handle));
}
curl_close($handle);
if(1 !== $one_way)
{
return $response;
}
}
}
解決方案2
1 2010-11-21 23:53:53
當我在Apache(使用XAMPP)下運行代碼時,它第一次起作用。 我的問題一定是在IIS或PHP的配置中。
有一個錯別字,但不是排頭兵:
'allow_self-signed' => true
應該
'allow_self_signed' => true
解決方案3
0 2010-10-29 12:49:15
考慮到您收到的錯誤消息以及您正在攻擊目標服務器的事實,我猜想SSL客戶端證書正在搞砸了。 我注意到您指定了兩次(一次直接在SOAP客戶端參數中,一次在流上下文中),是否有必要? 您是否嘗試過省略流上下文並僅使用SoapClient參數? 您必須使用客戶證書嗎?
PHP SOAP ws-security
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.