php - 无法使用 PHP SOAP 扩展通过 WS-Security 连接到 SSL Web 服务 - 证书、复杂的 WSDL

Question

使用 PHP5 SOAP 扩展，我无法连接到具有 https 端点、客户端证书和使用 WS-Security 的 Web 服务，尽管我可以使用具有完全相同 wsdl 和客户端证书的soapUI 进行连接，并获得对的正常响应请求。没有 HTTP 身份验证，也没有涉及代理。我收到的消息是“无法连接到主机”。已经能够验证我没有击中主机服务器。（之前我错误地说我正在访问服务器。）

自签名客户端 SSL 证书是由 openssl 从 .p12 密钥库转换的 .pem 文件，而该文件又由 keytool 从 .jks 密钥库转换而来，该密钥库具有由私钥和客户端证书组成的单个条目。

在soapUI 中我不需要提供服务器私有证书，我给它的唯一两个文件是wdsl 和pem。我确实必须提供 pem 及其密码才能连接。我推测尽管有错误消息，但我的问题实际上可能在于 XML 请求的形成，而不是 SSL 连接本身。

我得到的 wsdl 具有嵌套的复杂类型。php 服务器在我的带有 IIS 的 Windows XP 笔记本电脑上。

代码、数据值和 WSDL 提取如下所示。（WSSoapClient 类只是简单地扩展了 SoapClient，添加了一个带有 mustUnderstand = true 的 WS-Security Username Token 标头并包括一个 nonce，soapUI 调用都需要这两者。）

非常感谢任何帮助。我是一个陷入困境的新手，以及如何！在这方面做了很多天的大量谷歌搜索，遵循了许多建议，并阅读了 Kevin McArthur 的 Pro PHP。使用类图代替嵌套数组的尝试也失败了。

---

编码

class STEeService
{


public function invokeWebService(array $connection, $operation, array $request)
 {
  try
   {  
    $localCertificateFilespec = $connection['localCertificateFilespec'];
$localCertificatePassphrase = $connection['localCertificatePassphrase'];

$sslOptions = array(
   'ssl' => array(
     'local_cert' => $localCertificateFilespec,
     'passphrase' => $localCertificatePassphrase,
     'allow_self-signed' => true,
     'verify_peer' => false
             )
          );  
$sslContext = stream_context_create($sslOptions);

$clientArguments = array(
    'stream_context' => $sslContext,
    'local_cert' => $localCertificateFilespec,    
    'passphrase' => $localCertificatePassphrase,
    'trace' => true,
    'exceptions' => true,   
    'encoding' => 'UTF-8',
    'soap_version' => SOAP_1_1
   );

$oClient = new WSSoapClient($connection['wsdlFilespec'], $clientArguments); 
$oClient->__setUsernameToken($connection['username'], $connection['password']);        

   return $oClient->__soapCall($operation, $request);      
   }
   catch (exception $e)
   {
    throw new Exception("Exception in eServices " . $operation . " ," . $e->getMessage(), "\n");
   }

 }
}

---

$连接如下：

array(5) { ["username"]=> string(8) "DFU00050" 
["password"]=> string(10) "Fabricate1" 
["wsdlFilespec"]=> 
string (63) "c:/inetpub/wwwroot/DMZExternalService_Concrete_WSDL_Staging.xml" 
["localCertificateFilespec"]=> string(37) 
"c:/inetpub/wwwroot/ClientKeystore.pem"
["localCertificatePassphrase"]=> string(14) "password123456" }

$clientArguments 如下：

array(7) { ["stream_context"]=> resource(8) of type (stream-context) 
["local_cert"]=> string(37) "c:/inetpub/wwwroot/ClientKeystore.pem" 
["passphrase"]=> string(14) "password123456" 
["trace"]=> bool(true) ["exceptions"]=> bool(true) ["encoding"]=> string(5) "UTF-8" 
["soap_version"]=> int(1) }

$操作如下：

'getConsignmentDetails'

$请求如下：

array(1) { [0]=> array(2) { ["header"]=> array(2) { 
["source"]=> string(9) "customerA" ["accountNo"]=> string(8) "10072906" } 
["consignmentId"]=> string(11) "GKQ00000085" } }

请注意如何有一个额外的嵌套级别，一个包装请求的数组，它本身就是一个数组。这是在帖子中提出的，虽然我没有看到原因，但它似乎有助于避免其他例外情况。

---

___soapCall 抛出的异常如下：

    object(SoapFault)#6 (9) { ["message":protected]=> 
string(25) "Could not connect to host" ["string":"Exception":private]=> string(0) "" 
    ["code":protected]=> int(0) ["file":protected]=> string(43) "C:\Inetpub\wwwroot\eServices\WSSecurity.php" 
    ["line":protected]=> int(85) ["trace":"Exception":private]=> array(5) { [0]=> array(6) { 
    ["file"]=> string(43) "C:\Inetpub\wwwroot\eServices\WSSecurity.php" ["line"]=> int(85) ["function"]=> string(11) "__doRequest" 
    ["class"]=> string(10) "SoapClient" ["type"]=> string(2) "->" ["args"]=> array(4) { 
    [0]=> string(1240) " DFU00050 Fabricate1 E0ByMUA= 2010-10-28T13:13:52Z customerA10072906GKQ00000085 " 
    [1]=> string(127) "https://services.startrackexpress.com.au:7560/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1" 
    [2]=> string(104) "/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1/getConsignmentDetails" [3]=> int(1) } } 
    [1]=> array(4) { ["function"]=> string(11) "__doRequest" ["class"]=> string(39) "startrackexpress\eservices\WSSoapClient" 
    ["type"]=> string(2) "->" ["args"]=> array(5) { [0]=> string(1240) " DFU00050 Fabricate1 E0ByMUA= 2010-10-28T13:13:52Z customerA10072906GKQ00000085 " 
    [1]=> string(127) "https://services.startrackexpress.com.au:7560/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1" 
    [2]=> string(104) "/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1/getConsignmentDetails" [3]=> int(1) [4]=> int(0) } }
    [2]=> array(6) { ["file"]=> string(43) "C:\Inetpub\wwwroot\eServices\WSSecurity.php" ["line"]=> int(70) ["function"]=> string(10) "__soapCall" 
    ["class"]=> string(10) "SoapClient" ["type"]=> string(2) "->" ["args"]=> array(4) { [0]=> string(21) "getConsignmentDetails" [1]=> array(1) { 
    [0]=> array(2) { ["header"]=> array(2) { ["source"]=> string(9) "customerA" ["accountNo"]=> string(8) "10072906" } 
    ["consignmentId"]=> string(11) "GKQ00000085" } } [2]=> NULL [3]=> object(SoapHeader)#5 (4) { 
    ["namespace"]=> string(81) "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ["name"]=> string(8) "Security" 
    ["data"]=> object(SoapVar)#4 (2) { ["enc_type"]=> int(147) ["enc_value"]=> string(594) " DFU00050 Fabricate1 E0ByMUA= 2010-10-28T13:13:52Z " } 
    ["mustUnderstand"]=> bool(true) } } } [3]=> array(6) { ["file"]=> string(42) "C:\Inetpub\wwwroot\eServices\eServices.php" 
    ["line"]=> int(87) ["function"]=> string(10) "__soapCall" ["class"]=> string(39) "startrackexpress\eservices\WSSoapClient" 
    ["type"]=> string(2) "->" ["args"]=> array(2) { [0]=> string(21) "getConsignmentDetails" [1]=> array(1) { [0]=> array(2) { 
    ["header"]=> array(2) { ["source"]=> string(9) "customerA" ["accountNo"]=> string(8) "10072906" } ["consignmentId"]=> string(11) "GKQ00000085" } } } } 
    [4]=> array(6) { ["file"]=> string(58) "C:\Inetpub\wwwroot\eServices\EnquireConsignmentDetails.php" ["line"]=> int(44) 
    ["function"]=> string(16) "invokeWebService" ["class"]=> string(38) "startrackexpress\eservices\STEeService" ["type"]=> string(2) "->" 
    ["args"]=> array(3) { [0]=> array(5) { ["username"]=> string(10) "DFU00050 " ["password"]=> string(12) "Fabricate1 " 
    ["wsdlFilespec"]=> string(63) "c:/inetpub/wwwroot/DMZExternalService_Concrete_WSDL_Staging.xml" 
    ["localCertificateFilespec"]=> string(37) "c:/inetpub/wwwroot/ClientKeystore.pem" ["localCertificatePassphrase"]=> string(14) "password123456" } 
    [1]=> string(21) "getConsignmentDetails" [2]=> array(1) { [0]=> array(2) { ["header"]=> array(2) { ["source"]=> string(9) "customerA" 
    ["accountNo"]=> string(8) "10072906" } ["consignmentId"]=> string(11) "GKQ00000085" } } } } } 
    ["previous":"Exception":private]=> NULL ["faultstring"]=> string(25) "Could not connect to host" ["faultcode"]=> string(4) "HTTP" }

---

以下是一些 WSDL 摘录（TIBCO BusinessWorks）：

            <xsd:complexType name="TransactionHeaderType">
            <xsd:sequence>
                <xsd:element name="source" type="xsd:string"/>
                <xsd:element name="accountNo" type="xsd:integer"/>
                <xsd:element name="userId" type="xsd:string" minOccurs="0"/>
                <xsd:element name="transactionId" type="xsd:string" minOccurs="0"/>
                <xsd:element name="transactionDatetime" type="xsd:dateTime" minOccurs="0"/>
            </xsd:sequence>
        </xsd:complexType>

---

       <xsd:element name="getConsignmentDetailRequest">
            <xsd:complexType>
                <xsd:sequence>
                    <xsd:element name="header" type="prim:TransactionHeaderType"/>
                    <xsd:element name="consignmentId" type="prim:ID" maxOccurs="unbounded"/>
                </xsd:sequence>
            </xsd:complexType>
        </xsd:element>
        <xsd:element name="getConsignmentDetailResponse">
            <xsd:complexType>
                <xsd:sequence>
                    <xsd:element name="consignment" type="freight:consignmentType" minOccurs="0" maxOccurs="unbounded"/>
                </xsd:sequence>
            </xsd:complexType>
        </xsd:element>

---

        <xsd:element name="getConsignmentDetailRequest">
            <xsd:complexType>
                <xsd:sequence>
                    <xsd:element name="header" type="prim:TransactionHeaderType"/>
                    <xsd:element name="consignmentId" type="prim:ID" maxOccurs="unbounded"/>
                </xsd:sequence>
            </xsd:complexType>
        </xsd:element>
        <xsd:element name="getConsignmentDetailResponse">
            <xsd:complexType>
                <xsd:sequence>
                    <xsd:element name="consignment" type="freight:consignmentType" minOccurs="0" maxOccurs="unbounded"/>
                </xsd:sequence>
            </xsd:complexType>
        </xsd:element>

---

    <wsdl:operation name="getConsignmentDetails">
        <wsdl:input message="tns:getConsignmentDetailsRequest"/>
        <wsdl:output message="tns:getConsignmentDetailsResponse"/>
        <wsdl:fault name="fault1" message="tns:fault"/>
    </wsdl:operation>

---

<wsdl:service name="ExternalOps">
    <wsdl:port name="OperationsEndpoint1" binding="tns:OperationsEndpoint1Binding">
        <soap:address location="https://services.startrackexpress.com.au:7560/DMZExternalService/InterfaceServices/ExternalOps.serviceagent/OperationsEndpoint1"/>
    </wsdl:port>
</wsdl:service>

---

如果它是相关的，这里是 WSSoapClient 类：

    <?PHP
namespace startrackexpress\eservices;
use SoapClient, SoapVar, SoapHeader;

class WSSoapClient extends SoapClient
{
 private $username;
 private $password;

/*Generates a WS-Security header*/
 private function wssecurity_header()
 {
  $timestamp = gmdate('Y-m-d\TH:i:s\Z');
  $nonce = mt_rand(); 
  $passdigest = base64_encode(pack('H*', sha1(pack('H*', $nonce).pack('a*', $timestamp).pack('a*', $this->password))));

  $auth = '
<wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
    <wsse:Username>' . $this->username . '</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">' . 
 $this->password . '</wsse:Password>
    <wsse:Nonce>' . base64_encode(pack('H*', $nonce)).'</wsse:Nonce>
    <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">' . $timestamp . '</wsu:Created>
   </wsse:UsernameToken>
</wsse:Security>
';
  $authvalues = new SoapVar($auth, XSD_ANYXML); 
  $header = new SoapHeader("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "Security",$authvalues, true);

  return $header;
 }

 // Sets a username and passphrase
 public function __setUsernameToken($username,$password)
 {
  $this->username=$username;
  $this->password=$password;
 }

 // Overwrites the original method, adding the security header
 public function __soapCall($function_name, $arguments, $options=null, $input_headers=null, $output_headers=null)
 {
  try
  {
    $result = parent::__soapCall($function_name, $arguments, $options, $this->wssecurity_header());
    return $result;
  }
  catch (exception $e)
  {
   throw new Exception("Exception in __soapCall, " . $e->getMessage(), "\n");
  }
 }
}
?>

更新：

请求 XML 将如下所示：

<?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://startrackexpress/Common/Primitives/v1" xmlns:ns2="http://startrackexpress/Common/actions/externals/Consignment/v1" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <SOAP-ENV:Header> <wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> 
<wsse:UsernameToken> <wsse:Username>DFU00050</wsse:Username> 
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Fabricate1</wsse:Password> 
    <wsse:Nonce>M4FIeGA=</wsse:Nonce> 
    <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2010-10-29T14:05:27Z</wsu:Created> 
    </wsse:UsernameToken> 
    </wsse:Security> </SOAP-ENV:Header>
    <SOAP-ENV:Body><ns2:getConsignmentDetailRequest>
    <ns2:header><ns1:source>customerA</ns1:source><ns1:accountNo>10072906</ns1:accountNo></ns2:header>
    <ns2:consignmentId>GKQ00000085</ns2:consignmentId>
    </ns2:getConsignmentDetailRequest></SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

这是通过 WSSoapClient 中的以下代码获得的：

public function __doRequest($request, $location, $action, $version)         {
    echo "<p> " . htmlspecialchars($request) . " </p>" ;    
    return parent::__doRequest($request, $location, $action, $version);
}

Answer 1

对于其他在 starttrack API 中苦苦挣扎的人。这是我写的通过 CURL 编写的课程。

Instructions: 

Add the attached file to:
Client/Executables 

Change line 28 from 

class WSSoapClient extends SoapClient

To:

require('SoapClientCurl.class.php');
class WSSoapClient extends SoapClientCurl

<?php

/**
 * Override to overcome problems with Startrack Self Signed SSL Certificates on
 * certain server configurations.
 *
 * The important options here that aren't available in the SoapClient options are
 * CURLOPT_SSLVERSION       - Forces the SSl Version to 3
 * CURLOPT_SSL_VERIFYHOST   - Tells ssl not to care that the Startrack SSL certificate is for a different domain
 * CURLOPT_SSL_VERIFYPEER   - Tells ssl not to care that the Startrack SSL certificate is from a bogus CA (I think)
 *
 */
class SoapClientCurl extends SoapClient
{
    /**
     *
     * @param string $request       - The XML SOAP request.
     * @param string $location      - The URL to request.
     * @param string $action        - The SOAP action.
     * @param int $version          - The SOAP version.
     * @param boolean $one_way      - If one_way is set to 1, this method returns nothing. Use this where a response is not expected.
     * @throws SoapFault
     * @return string|void
     */
    public function __doRequest($request, $location, $action, $version, $one_way = 0)
    {
        $handle = curl_init();

        curl_setopt($handle, CURLOPT_URL, $location);
        curl_setopt($handle, CURLOPT_HTTPHEADER, array(
                'Content-type: text/xml;charset="utf-8"',
                'Accept: text/xml',
                'Cache-Control: no-cache',
                'Pragma: no-cache',
                'SOAPAction: '.$action,
                'Content-length: '.strlen($request))
        );

        curl_setopt($handle, CURLOPT_RETURNTRANSFER,    true);
        curl_setopt($handle, CURLOPT_POSTFIELDS,        $request);
        curl_setopt($handle, CURLOPT_SSLVERSION,        3);
        curl_setopt($handle, CURLOPT_PORT,              443);
        curl_setopt($handle, CURLOPT_POST,              true );
        curl_setopt($handle, CURLOPT_SSL_VERIFYHOST,    false);
        curl_setopt($handle, CURLOPT_SSL_VERIFYPEER,    false);

        $response = curl_exec($handle);

        if(empty($response))
        {
            throw new SoapFault('CURL error: '.curl_error($handle), curl_errno($handle));
        }

        curl_close($handle);

        if(1 !== $one_way)
        {
            return $response;
        }
    }
}

Answer 2

当我在 Apache（使用 XAMPP）下运行代码时，它第一次工作。我的问题一定出在 IIS 或 PHP 的配置中。

有一个错字，但不是最重要的：

'allow_self-signed' => true

应该

'allow_self_signed' => true

Answer 3

鉴于您收到的错误消息以及您正在访问目标服务器的事实，我猜想 SSL 客户端证书搞砸了。我注意到您指定了两次——一次直接在 SOAP 客户端参数中，一次在流上下文中——这是必要的吗？您是否尝试过省略流上下文并仅使用 SoapClient 参数？您必须使用客户端证书吗？