PHP Soapcall with Signed certificate
I've been trying to have this working, but nothing seems to work at all...
I currently have a SOAP-service (from the government) where I can't change things. Now, I have the SOAP call working in SoapUI, but I need to have this working in code (php).
Now what they expect me to do to have the call "working" is in SoapUI to have a so-called 'WS-Security Configuration'. I've set this up as follows:
The Timestamp WSS-entry has just a TTL of 60, no milliseconds precision.
Now, the request WSS configuration should be done (I have my keystore there made)
Once I go to the request, I just need to add the following body:
Now I got a response that just works like a charm, let's say, in SoapUI (5.5.0).
When I try to do the same exact thing in PHP, it doesn't work... I found a really old class that should in fact authenticate the call using the PEM key and password for that certificate...
I think that does work, (not sure though)
The code that I found and modified is the following:
https://gitlab.com/snippets/1930847
I now call the code using the following code:
```php
$client_options = [
    'ssl' => [
        'cert' => storage_path('checkinatwork/keystore.p12'),
        'certpasswd' => 'MY_PASSWORD_OF_THE_KEY'
    ]
];
$client = new SignedSoapClient('https://www.url.be/registry/dbffff0b-ed82-4ac5-8422-826bad0fbcd6/SecurityTokenService/1.0/be/socialsecurity/sts/v1/SecurityTokenService_v1.wsdl', $client_options);
$client->__setLocation('https://url.be/SecurityTokenService/v1');
$request = $client->__soapCall('RequestSecurityToken', []);
return $request->__getLastRequest();
```
The response I get from the server is the following (I use the code inside a Laravel command, so I've added the -v option):
```
* Trying 85.91.178.151...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x555976dc88a0)
* Connected to domain.be (IP) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CERTIFICATE_RESPONSE_DATA
* start date: Nov 5 10:16:25 2018 GMT
* expire date: Nov 5 10:26:00 2020 GMT
* subjectAltName: host "domain.be" matched cert's "domain.be"
* issuer: ISSUER DATA
* SSL certificate verify ok.
> POST /SecurityTokenService/v1 HTTP/1.1
Host: domain.be
Accept: */*
Content-Length: 370
Content-Type: multipart/form-data; boundary=------------------------887f9c2af3ff5bf8
< HTTP/1.1 500 Internal Server Error
HTTP/1.1 500 Internal Server Error
< Date: Fri, 17 Jan 2020 08:27:27 GMT
Date: Fri, 17 Jan 2020 08:27:27 GMT
< Server: Apache
Server: Apache
< Content-Length: 349
Content-Length: 349
< X-Powered-By: Servlet/2.5 JSP/2.1
X-Powered-By: Servlet/2.5 JSP/2.1
< Connection: close
Connection: close
< Content-Type: text/xml; charset=utf-8
Content-Type: text/xml; charset=utf-8
<
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><soapenv:Fault><faultcode xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">wst:RequestFailed</faultcode><faultstring>The specific request failed</faultstring></soapenv:Fault></soapenv:Body></soapenv:Envelope>
* Closing connection 0
```
So I got a really descriptive error response... I should be able to get the same, exact request and response in PHP, as if I have in SoapUI.
Does anyone have an idea on how to solve this issue?
I also get then, when the request is finished, the following error:
SoapFault : SoapClient::__doRequest() returned non string value
But that will be a later concern I think.
So my main goal with this question is to be able to have the same request and good response as if I were using SoapUI.
Thank you in advance!
Solution 1:[1]
The PHP SoapClient cannot handle p12 cert files. You have to convert it to a pem file. You can use the openssl toolkit for this purpose.
Once installed you can convert the p12 cert file with the following CLI command:
```
openssl pkcs12 -in mycert.p12 -out mycert.pem -nodes -clcerts
```
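After converting into a pem file, change your SoapClient ssl options.
```php
$options = [
    // dirname() returns the directory without a trailing slash, so add one
    'local_cert' => dirname(__FILE__) . '/mycert.pem',
    'authentication' => SOAP_AUTHENTICATION_DIGEST
];
// $wsdl holds the URL or path of the service's WSDL
$client = new SoapClient(
    $wsdl,
    $options
);
```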
If you want to keep private key and cert file separate, use the following example.
```php
// Pass the certificate and its private key as two separate PEM files
$context = stream_context_create([
    'ssl' => [
        'local_cert' => '/path/to/cert/file',
        'local_pk' => '/path/to/private/key'
    ]
]);
$client = new \SoapClient($wsdl, [
    'stream_context' => $context,
    // other options
]);
```
Hope that helps a bit ...
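Added example, not part of the original answer: the same p12-to-PEM conversion done inside PHP with the openssl extension, keeping the private key passphrase-protected on disk (the `-nodes` flag in the command above writes it unencrypted) and handing the passphrase to SoapClient through the SSL context. The function names, file names, environment variable names and WSDL URL are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. Function names, file names and environment variables are assumptions.

/** Convert a PKCS#12 keystore to a PEM bundle whose private key stays encrypted. */
function p12ToPemBundle(string $p12Path, string $p12Pass, string $pemPath, string $pemPass): void
{
    $p12 = file_get_contents($p12Path);
    $parts = [];
    if ($p12 === false || !openssl_pkcs12_read($p12, $parts, $p12Pass)) {
        throw new RuntimeException('Cannot decode keystore: ' . openssl_error_string());
    }
    // Refuse a keystore whose certificate does not belong to its private key.
    if (!openssl_x509_check_private_key($parts['cert'], $parts['pkey'])) {
        throw new RuntimeException('Certificate and private key do not match');
    }
    // Re-encrypt the key under $pemPass instead of writing it in the clear.
    $key = '';
    $opts = ['encrypt_key' => true, 'encrypt_key_cipher' => OPENSSL_CIPHER_AES_256_CBC];
    if ($pemPass === '' || !openssl_pkey_export($parts['pkey'], $key, $pemPass, $opts)) {
        throw new RuntimeException('Empty passphrase or key export failed: ' . openssl_error_string());
    }
    $oldMask = umask(0077);      // a newly created file is owner-only
    touch($pemPath);
    chmod($pemPath, 0600);       // tighten a pre-existing file before writing
    $written = file_put_contents($pemPath, $parts['cert'] . $key);
    umask($oldMask);
    if ($written === false) {
        throw new RuntimeException("Cannot write $pemPath");
    }
}

/** Build a SoapClient that presents the PEM bundle as its TLS client certificate. */
function buildClient(string $wsdl, string $pemPath, string $pemPass): SoapClient
{
    $context = stream_context_create(['ssl' => [
        'local_cert'       => $pemPath,
        'passphrase'       => $pemPass,   // decrypts the key at handshake time
        'verify_peer'      => true,
        'verify_peer_name' => true,
    ]]);
    return new SoapClient($wsdl, ['stream_context' => $context, 'trace' => true]);
}

$pemPass = (string) getenv('PEM_PASSPHRASE');   // assumed variable name
p12ToPemBundle(__DIR__ . '/mycert.p12', (string) getenv('P12_PASSWORD'), __DIR__ . '/mycert.pem', $pemPass);
$client = buildClient('https://service.example/service.wsdl', __DIR__ . '/mycert.pem', $pemPass); // placeholder URL
```

These options configure only the TLS client certificate; a WS-Security signature and timestamp inside the SOAP envelope, as in the SoapUI configuration the question describes, is a separate layer that they do not produce.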
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Marcel |


