selective/xmldsig

This package is deprecated and no longer maintained. The author suggests using the robrichards/xmlseclibs package instead.

Sign XML documents with digital signatures

3.1.0 2023-09-09 22:17 UTC

This package is auto-updated.

Last update: 2023-09-09 22:19:45 UTC


README


Features

  • Sign XML documents with digital signatures (XMLDSIG)
  • Verify the digital signatures of XML documents
  • ECDSA (SHA256) signatures

Requirements

  • PHP 8.1+
  • openssl extension
  • An X.509 digital certificate

Installation

composer require selective/xmldsig

Usage

Signing an XML document with a digital signature

Input file: example.xml

<?xml version="1.0"?>
<root>
    <creditcard>
        <number>19834209</number>
        <expiry>02/02/2025</expiry>
    </creditcard>
</root>

Load a private key and add it to the PrivateKeyStore

use Selective\XmlDSig\PrivateKeyStore;
// ...

$privateKeyStore = new PrivateKeyStore();

// load a private key from a string
$privateKeyStore->loadFromPem('private key content', 'password');

// or load a private key from a PEM file
$privateKeyStore->loadFromPem(file_get_contents('filename.pem'), 'password');

// load pfx PKCS#12 certificate from a string
$privateKeyStore->loadFromPkcs12('pfx content', 'password');

// or load PKCS#12 certificate from a file
$privateKeyStore->loadFromPkcs12(file_get_contents('filename.p12'), 'password');

Define the digest method: sha1, sha224, sha256, sha384, sha512

use Selective\XmlDSig\Algorithm;

// SHA-1 is shown for illustration; sha256 or stronger is the appropriate choice for new signatures
$algorithm = new Algorithm(Algorithm::METHOD_SHA1);

Create a CryptoSigner instance

use Selective\XmlDSig\CryptoSigner;

$cryptoSigner = new CryptoSigner($privateKeyStore, $algorithm);

Signing

use Selective\XmlDSig\XmlSigner;

// Create an XmlSigner and pass the crypto signer
$xmlSigner = new XmlSigner($cryptoSigner);

// Optional: set the reference URI ('' references the whole document, i.e. an enveloped signature)
$xmlSigner->setReferenceUri('');

// Create a signed XML string
$signedXml = $xmlSigner->signXml('<?xml ...');

// or sign an XML file
$signedXml = $xmlSigner->signXml(file_get_contents($filename));

// or sign a DOMDocument
$xml = new DOMDocument();
$xml->preserveWhiteSpace = true;
$xml->formatOutput = false;
$xml->loadXML($data);

$signedXml = $xmlSigner->signDocument($xml);

Output

<?xml version="1.0"?>
<root>
    <creditcard>
        <number>19834209</number>
        <expiry>02/02/2025</expiry>
    </creditcard>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
            <Reference URI="">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
                <DigestValue>Base64EncodedValue==</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>AnotherBase64EncodedValue===</SignatureValue>
    </Signature>
</root>

Signing only specific parts of an XML document

Example

use Selective\XmlDSig\Algorithm;
use Selective\XmlDSig\CryptoSigner;
use Selective\XmlDSig\PrivateKeyStore;
use Selective\XmlDSig\XmlSigner;
use DOMDocument;
use DOMXPath;
// ...

// Load the XML content you want to sign
$xml = new DOMDocument();
$xml->preserveWhiteSpace = true;
$xml->formatOutput = false;
$xml->loadXML($data);

// Create an XPath query to select the element you want to sign
$xpath = new DOMXPath($xml);

// Change this query according to your requirements.
// The reference URI "#1" points at the element whose Id attribute is "1",
// so the leading "#" is stripped before matching the attribute value.
$referenceUri = '#1';
$elementId = ltrim($referenceUri, '#');
$elementToSign = $xpath->query('//*[@Id="' . $elementId . '"]')->item(0);

if ($elementToSign === null) {
    throw new \RuntimeException('Element to sign not found: ' . $referenceUri);
}

// Add the private key
$privateKeyStore = new PrivateKeyStore();
$privateKeyStore->loadFromPem('private key content', 'password');

$cryptoSigner = new CryptoSigner($privateKeyStore, new Algorithm(Algorithm::METHOD_SHA1));

// Sign the element; the Reference URI in the signature must match the selected element
$xmlSigner = new XmlSigner($cryptoSigner);
$xmlSigner->setReferenceUri($referenceUri);
$signedXml = $xmlSigner->signDocument($xml, $elementToSign);

Signing an XML document with ECDSA SHA256

The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic-curve counterpart of the Digital Signature Algorithm (DSA).

It is compatible with OpenSSL and uses elegant mathematics such as Jacobian coordinates to speed up ECDSA in pure PHP.

Requirements

To install this package with Composer, run

composer require starkbank/ecdsa

Example

Note that ECDSA can be used for the XML signature itself; using ECDSA for the digest is not supported.

You can find a complete working example in the XmlEcdsaTest test class.

Verifying the digital signature of an XML document

Load the public key

use Selective\XmlDSig\PublicKeyStore;
use Selective\XmlDSig\CryptoVerifier;
use Selective\XmlDSig\XmlSignatureVerifier;

$publicKeyStore = new PublicKeyStore();

// load a public key from a PEM string
$publicKeyStore->loadFromPem('public key content');

// or load a public key from a PEM file
$publicKeyStore->loadFromPem(file_get_contents('cacert.pem'));

// or load a public key from a PKCS#12 certificate string
$publicKeyStore->loadFromPkcs12('public key content', 'password');

// or load a public key from a PKCS#12 certificate file
$publicKeyStore->loadFromPkcs12(file_get_contents('filename.pfx'), 'password');

// Load public keys from the X509Certificate nodes embedded in the DOMDocument.
// A key taken from the signed document itself only proves the document is
// self-consistent; pin the expected key or certificate to establish who signed it.
$publicKeyStore->loadFromDocument($xml);

// Load a public key from an existing OpenSSLCertificate resource
$publicKeyStore->loadFromCertificate($certificate);

Create a CryptoVerifier instance

use Selective\XmlDSig\CryptoVerifier;

$cryptoVerifier = new CryptoVerifier($publicKeyStore);

Verification

use Selective\XmlDSig\XmlSignatureVerifier;

// Create a verifier instance and pass the crypto verifier
$xmlSignatureVerifier = new XmlSignatureVerifier($cryptoVerifier);

// Verify XML from a string
$isValid = $xmlSignatureVerifier->verifyXml($signedXml);

// or verify an XML file
$isValid = $xmlSignatureVerifier->verifyXml(file_get_contents('signed.xml'));

// or verify a DOMDocument instance
$xml = new DOMDocument();
$xml->preserveWhiteSpace = true;
$xml->formatOutput = false;
$xml->loadXML($data);

$isValid = $xmlSignatureVerifier->verifyDocument($xml);

if ($isValid === true) {
    echo 'The XML signature is valid.';
} else {
    echo 'The XML signature is not valid.';
}
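The full sign-then-verify round trip described in the sections above, as an added example that is not part of the original README: it generates a throwaway RSA key pair in memory (constructed sample, no certificate files needed), signs the README's example document with an enveloped signature, verifies it against the pinned public key, then modifies the signed content to show that verification fails once the digested data changes. The Composer autoloader path and the `Algorithm::METHOD_SHA256` constant name (following the page's `METHOD_SHA1` pattern for the listed sha256 digest) are assumptions.

```php
<?php

declare(strict_types=1);

use Selective\XmlDSig\Algorithm;
use Selective\XmlDSig\CryptoSigner;
use Selective\XmlDSig\CryptoVerifier;
use Selective\XmlDSig\PrivateKeyStore;
use Selective\XmlDSig\PublicKeyStore;
use Selective\XmlDSig\XmlSignatureVerifier;
use Selective\XmlDSig\XmlSigner;

require __DIR__ . '/vendor/autoload.php'; // assumed Composer autoloader location

// Constructed sample: a throwaway RSA key pair generated in memory so the script
// runs without any key or certificate files. Use a real, protected key in practice.
$keyPair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($keyPair, $privatePem, 'secret');
$publicPem = openssl_pkey_get_details($keyPair)['key'];

// Constructed sample document (the README's example.xml, on one line)
$data = '<?xml version="1.0"?><root><creditcard><number>19834209</number>'
    . '<expiry>02/02/2025</expiry></creditcard></root>';

// --- Signing side ---
$privateKeyStore = new PrivateKeyStore();
$privateKeyStore->loadFromPem($privatePem, 'secret');
// Assumed constant name, following the README's METHOD_SHA1 pattern
$signer = new XmlSigner(new CryptoSigner($privateKeyStore, new Algorithm(Algorithm::METHOD_SHA256)));
$signer->setReferenceUri(''); // '' = enveloped signature over the whole document
$signedXml = $signer->signXml($data);

// --- Verifying side ---
// The public key is pinned here rather than read from the signed document:
// a certificate carried inside the XML only shows the document is self-consistent,
// not that a party we trust produced it.
$publicKeyStore = new PublicKeyStore();
$publicKeyStore->loadFromPem($publicPem);
$verifier = new XmlSignatureVerifier(new CryptoVerifier($publicKeyStore));

var_dump($verifier->verifyXml($signedXml)); // verification result for the untouched document

// Tampering: change signed content after signing so the Reference digest no longer matches
$tampered = new DOMDocument();
$tampered->preserveWhiteSpace = true;
$tampered->formatOutput = false;
$tampered->loadXML($signedXml);
$tampered->getElementsByTagName('number')->item(0)->nodeValue = '00000000';

var_dump($verifier->verifyXml($tampered->saveXML())); // verification result for the modified document
```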

Online XML digital signature verifiers

Try these excellent online tools to verify XML signatures

Similar libraries

License

The MIT License (MIT). Please see the license file for more information.