Signing XML in PHP with xmlseclibs gives bad signature


I use xmlseclibs v.1.3.1

Here is how I try to sign my xml

$document = new DOMDocument();

$request  = $document->createElement('paymentRequest');

$xmlnsxsi = $document->createAttribute('xmlns:xsi');

$xmlns = $document->createAttribute('xmlns');

$xmlns->value = 'url link';

$xmlnsxsi->value = 'http://www.w3.org/2001/XMLSchema-instance';

$request->appendChild($xmlnsxsi);

$request->appendChild($xmlns);  

$pid  = $document->createElement('pid',$_SESSION['payment_info'][$_GET['object_id']]['PID']);

$senderId  = $document->createElement('senderId',$_SESSION['info'][$_GET['object']]['ID']);

$returnUrl  = $document->createElement('returnUrl',$_SESSION['info'][$_GET['object']]['RETURN']);

$amount  = $document->createElement('amount',$_POST['AMOUNT']);
$currency  = $document->createElement('currency','USD');

$language  = $document->createElement('language','EN');

$message  = $document->createElement('message','test test');

$paymentCode  = $document->createElement('paymentCode',$_SESSION['info'][$_GET['object']]['PCODE']);

$date  = $document->createElement('date','2013-12-03T15:37:19.6414668+02:00');

$correlation  = $document->createElement('correlation',$_SESSION['info'][$_GET['object']]['EXTRA']);

$request->appendChild($pid);
$request->appendChild($senderId);
$request->appendChild($returnUrl);
$request->appendChild($amount);
$request->appendChild($currency);
$request->appendChild($language);
$request->appendChild($message);
$request->appendChild($paymentCode);
$request->appendChild($date);
$request->appendChild($correlation);
$document->appendChild($request);
$xml_pay2 = $document->saveXml();


require_once('xmlseclibs.php');
$doc = new DOMDocument();
$doc->loadXML($xml_pay2);

$objDSig = new XMLSecurityDSig();

$objDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N_COMMENTS);

$objDSig->addReference($doc, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature')); 

$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));


$objKey->loadKey('system/key.pem', TRUE);

$objDSig->add509Cert(file_get_contents("system/cert.pem"));

$objDSig->sign($objKey,$doc);



$xml_pay2 = $doc->saveXML();

$doc2 = new DOMDocument();
$doc2->loadXML($xml_pay2);

$objXMLSecDSig = new XMLSecurityDSig();
$objDSig = $objXMLSecDSig->locateSignature($doc2);

if (!$objDSig) {
    echo "Cannot locate Signature Node";die();
}
$objXMLSecDSig->canonicalizeSignedInfo();

$objXMLSecDSig->idKeys = array('wsu:Id');

$objXMLSecDSig->idNS = array('wsu'=>'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd');

$retVal = $objXMLSecDSig->validateReference();
if (!$retVal) {
    die("Reference Validation Failed");
}   
$objKey = $objXMLSecDSig->locateKey();
if (!$objKey ) {
    echo "We have no idea about the key";die();
}

$key = NULL;

$objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig);
if (! $objKeyInfo->key && empty($key)) {
    $objKey->loadKey('system/cert.pem', TRUE);
}

if ($objXMLSecDSig->verify($objKey)) {
        echo "Signature validated!";
} else {
    echo "Failure!!!!!!!!";
}

It always gives me "Failure!!!!!!!!" result.


There is 1 answer

Fuzzy76 On

First step would be to enable error output for PHP, so you can see the real error message. It could be that you are hitting this bug but there is no way to know without the error message from PHP.
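
One way to act on the advice above, as an added example that is not part of the original answer or of xmlseclibs: it turns on PHP error output, promotes warnings to exceptions, and reads OpenSSL's error queue around the question's verification steps. The helper names `drain_openssl_errors` and `diagnose_signature` are hypothetical; the include and certificate path are the ones from the question.

```php
<?php
error_reporting(E_ALL);
ini_set('display_errors', '1'); // development only; log to a file in production
// Turn warnings and notices (unreadable key file, bad DOM call) into exceptions.
set_error_handler(function ($severity, $message, $file, $line) {
    throw new ErrorException($message, 0, $severity, $file, $line);
});
require_once 'xmlseclibs.php'; // same include as the question

// Hypothetical helper: empty OpenSSL's error queue into one string.
function drain_openssl_errors() {
    $errors = array();
    while (($msg = openssl_error_string()) !== false) {
        $errors[] = $msg;
    }
    return $errors ? implode(' | ', $errors) : 'none';
}

// Hypothetical helper: the question's verification steps, each failure named.
function diagnose_signature($signedXml, $certPath) {
    drain_openssl_errors(); // discard stale entries from earlier calls
    try {
        $doc = new DOMDocument();
        $doc->loadXML($signedXml);
        $dsig = new XMLSecurityDSig();
        $sigNode = $dsig->locateSignature($doc);
        if (!$sigNode) { return 'no Signature element in the document'; }
        $dsig->canonicalizeSignedInfo();
        if (!$dsig->validateReference()) { return 'reference digest mismatch'; }
        $key = $dsig->locateKey();
        if (!$key) { return 'signature algorithm not recognised'; }
        $keyInfo = XMLSecEnc::staticLocateKeyInfo($key, $sigNode);
        if (!$keyInfo || !$keyInfo->key) {
            $key->loadKey($certPath, true); // fall back to the certificate file
        }
        $result = $dsig->verify($key); // keep the raw value, not just true/false
        return 'verify() returned ' . var_export($result, true)
            . '; OpenSSL errors: ' . drain_openssl_errors();
    } catch (Exception $e) {
        return get_class($e) . ': ' . $e->getMessage()
            . '; OpenSSL errors: ' . drain_openssl_errors();
    }
}

// Constructed input without a signature; pass the signed XML string to test it.
echo diagnose_signature('<paymentRequest/>', 'system/cert.pem'), "\n";
```

Assuming the library passes the `openssl_verify()` result through unchanged, a raw `0` means the signature does not match while `-1` means OpenSSL itself reported an error, which a plain `if` treats as success.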