在 PHP 中实现 WS-Security 中的安全令牌交换
我正在尝试与 .NET 开发的 Web 服务进行通信,并且我正在用 PHP 编写我的客户端。目前令人头痛的问题之一是生成 SignatureValue 和 SignedInfo。
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>CwMGnFZklO7XsDfFguzl0tw7iHM=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>nXJEN8p1nupMA/00TK03VZlADkU=</SignatureValue>
有一个熵发送到服务器,并且从服务器接收到熵...... 发送到服务器:
<t:Entropy>
<t:BinarySecret u:Id="uuid-6d32fbfc-2a74-422f-8b0b-3089db58f6ec-1"
Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">
grrlUUfhuNwlvQzQ4bV6TT3wA8ieZPltIf4+H7nIvCE=
</t:BinarySecret>
</t:Entropy>
从服务器接收:
<t:Entropy>
<t:BinarySecret u:Id="uuid-8aebe294-15d0-4233-a3b1-ddd9a0d43d98-4"
Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">
YLABh3ZmZyiO5gvVLZe9J4JPd9w59KGeTFwE85XlzxE=
</t:BinarySecret>
</t:Entropy>
根据我的阅读,我假设使用 PSHA1 生成共享密钥,然后在聚合的 SignedInfo 上运行 HMAC_SHA1 以生成签名值。使用这两个熵,预期值为 nXJEN8p1nupMA/00TK03VZlADkU= 但我永远无法生成该值...
我的 psha1_derive 参数是 psha1_derive($entropySentByMe (as $secret), 'WS- SecureConversationWS-SecureConversation', $entropyReturnedByServer (作为 $seed), '' (作为时间戳), 长度为 32 (256 位));
如果有人有关于如何使用 PSHA1 派生共享密钥的更多信息或如何生成签名值,请告诉我!
I am trying to communicate with a web service that is developed by .NET, and I am writing my client in PHP. One of the headache right now, is generating the SignatureValue and for SignedInfo.
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>CwMGnFZklO7XsDfFguzl0tw7iHM=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>nXJEN8p1nupMA/00TK03VZlADkU=</SignatureValue>
There was an Entropy sent to the server and and Entropy received from the server...
Sent to server:
<t:Entropy>
<t:BinarySecret u:Id="uuid-6d32fbfc-2a74-422f-8b0b-3089db58f6ec-1"
Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">
grrlUUfhuNwlvQzQ4bV6TT3wA8ieZPltIf4+H7nIvCE=
</t:BinarySecret>
</t:Entropy>
received from server:
<t:Entropy>
<t:BinarySecret u:Id="uuid-8aebe294-15d0-4233-a3b1-ddd9a0d43d98-4"
Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">
YLABh3ZmZyiO5gvVLZe9J4JPd9w59KGeTFwE85XlzxE=
</t:BinarySecret>
</t:Entropy>
From what I read, I am suppose to use PSHA1 to generate a shared key and then run HMAC_SHA1 on the conocalized SignedInfo to generate signed value. Using these two entropies, the expected value is nXJEN8p1nupMA/00TK03VZlADkU= but I could never generate that...
My parameter to psha1_derive is psha1_derive($entropySentByMe (as $secret), 'WS-SecureConversationWS-SecureConversation', $entropyReturnedByServer (as $seed), '' (as timestamp), and length is 32 (256 bits));
If anyone has more information on how to use PSHA1 to derive the shared key or how to generate the signature value, please let me know!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
Node.js 有一个 npm 模块,可以使用 PSHA1 算法创建共享密钥来获取计算出的密钥。 GitHub 链接。
There is an npm module for node.js to make a shared secret using the PSHA1 algorithm to obtain the computed key. GitHub Link.