php soap ws-security soapserver

Verify WS-security password digest in PHP SOAP SERVER


I need to implement WS-Security password digest on a PHP-Soap webservice. I looked everywhere on how to do it and I've found nothing. Through trial and error I've found out that the PHP Soap server will call a "Security" function implemented in the Service class, where verification will be performed. For now my function looks like this:

public function Security($UsernameToken)
{

    $this->log($UsernameToken);
    $loggHelper = [];
    $loggHelper['nonce'] = unpack('H*', base64_decode($UsernameToken->Nonce))[1];
    $loggHelper['created'] = pack('a*', $UsernameToken->Created);
    $loggHelper['password'] = pack('a*', 'test');
    $loggHelper['passhash1'] = base64_encode(pack('H*',sha1($loggHelper['nonce'].$UsernameToken->Created.$loggHelper['password'])));
    $this->log($loggHelper);
    if($UsernameToken->Password==$loggHelper['passhash1'])
        return true;
    else
    {
        return new SoapFault("401", "Prohibited");
    }

}

The problem is that my digest is not the same as the password provided by the test client (SoapUI).

Log output looks like this:

$UsernameToken = {"Username":"test","Password":"HMxOK\/pg3mOq71N2F5Znb7xDdcw=","Nonce":"BgbT8vrQb\/afX7OC3KPb0Q==","Created":"2020-06-24T07:31:11.731Z"}

$loggerHelper = {"nonce":"0606d3f2fad06ff69f5fb382dca3dbd1","created":"2020-06-24T07:31:11.731Z","password":"test","passhash1":"gJGXpD3yYDmLY6qMhRtKYWr33IA="}
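The digest check the question is working toward, as an added example that is not part of the original post: the WS-Security UsernameToken Profile defines the digest as Base64(SHA-1(nonce + created + password)), where the nonce is the Base64-decoded raw bytes rather than their hex string. The function names, the `$seenNonces` replay store and the 300-second freshness window are assumptions made for illustration.

```php
<?php
// Added example, not the original poster's code. Function names are hypothetical.

// PasswordDigest = Base64(SHA-1(nonce_bytes . created . password)), per the
// WS-Security UsernameToken Profile. The nonce is hashed as decoded raw bytes.
function wsse_password_digest(string $nonceB64, string $created, string $password): ?string
{
    $nonceRaw = base64_decode($nonceB64, true);   // strict mode: false on invalid input
    if ($nonceRaw === false || $nonceRaw === '') {
        return null;
    }
    return base64_encode(sha1($nonceRaw . $created . $password, true));
}

// $seenNonces stands in for a shared, expiring nonce store (assumption).
function verify_username_token(object $token, string $password, array &$seenNonces, int $maxAgeSec = 300): bool
{
    foreach (['Nonce', 'Created', 'Password'] as $field) {
        if (!isset($token->$field) || !is_string($token->$field)) {
            return false;
        }
    }
    $expected = wsse_password_digest($token->Nonce, $token->Created, $password);
    if ($expected === null || !hash_equals($expected, $token->Password)) {
        return false;                              // constant-time comparison
    }
    $created = strtotime($token->Created);
    if ($created === false || abs(time() - $created) > $maxAgeSec) {
        return false;                              // stale or unparsable timestamp
    }
    if (isset($seenNonces[$token->Nonce])) {
        return false;                              // nonce already used: replay
    }
    $seenNonces[$token->Nonce] = $created;
    return true;
}

// Constructed sample token, built the way a client would build it.
$token = new stdClass();
$token->Username = 'test';
$token->Nonce    = base64_encode(random_bytes(16));
$token->Created  = gmdate('Y-m-d\TH:i:s\Z');
$token->Password = wsse_password_digest($token->Nonce, $token->Created, 'test');

$seen = [];
var_dump(verify_username_token($token, 'test', $seen));   // first use of the token
var_dump(verify_username_token($token, 'test', $seen));   // same nonce presented again
var_dump(verify_username_token($token, 'wrong', $seen));  // wrong stored password
```

The freshness and nonce checks matter because a captured digest is otherwise replayable as-is; in a real service the nonce store has to be shared across workers and expire entries after the freshness window.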

Solution

  • First some remarks:

    I would suggest to use

    for encryption, which is contained in PHP itself.

    Or you use a framework which handles security under the hood. As an example (but I am not sure) Symfony should do this automatically for you - please read more at https://symfony.com/doc/current/controller/soap_web_service.html