snowiow/x509ds
==============

X509 signing lib

Version 0.1.0 · MIT · PHP ^7.1

[Source](https://github.com/snowiow/x509ds) · [Packagist](https://packagist.org/packages/snowiow/x509ds)

X509DS - Digital Signature generation Library for XML Requests
==============================================================


Introduction
------------


X509DS is a library to help with the tedious process of appending a digital signature node to an X509 authentication request. An X509 request normally looks something like this:

```

  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT

      2015-12-16T13:39:36Z
      2015-12-16T13:44:36Z

    MII...

    http://schemas.xmlsoap.org/ws/2005/02/sc/sct
    http://schemas.xmlsoap.org/ws/2005/02/trust/Issue

```

Most of the time you want to append a signature to the header, which canonicalizes and hashes some of the nodes of the XML document. Ultimately the whole signature node will be signed by the private key of your X509 certificate. The resulting XML document would look like this:

```

  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT

      2015-12-16T13:39:36Z
      2015-12-16T13:44:36Z

                Emk...

                2TR...

                /Ntf...

        tuO...

    http://schemas.xmlsoap.org/ws/2005/02/sc/sct
    http://schemas.xmlsoap.org/ws/2005/02/trust/Issue

```

The process of creating the signature is rather tedious, because you need to deal with the cryptography and [openssl](https://secure.php.net/manual/en/openssl.installation.php) on the one hand and with the PHP `DOMDocument` on the other. This library provides an easy interface for creating digital signatures. The corresponding PHP code for creating a digital signature like the one in the previous example would look like this:

```
use X509DS\Signer;
use X509DS\Canonization; // assumed to live in the same namespace as Signer

$xml = file_get_contents('path/to/xml'); // The unsigned request

$signer = Signer::fromPrivateKey('path/to/pkey');
$signer->setTags(
    [
        'Body'                 => '#body',
        'Timestamp'            => '#timestamp',
        'BinarySecurityToken'  => '#binarytoken',
    ]
);
$signer->setCanonization(Canonization::C14N_EXCLUSIVE);
$document  = $signer->sign($xml);   // The signed DOMDocument
$signedXml = $document->saveXML();  // The signed XML document as a string
```

As you can see the whole process doesn't take more than 4 statements. Of course you can configure different things on how the signature is built. More on this topic in the advanced usage part.

Requirements
------------


- At least PHP 7.1
- dom.so extension enabled in the php.ini ([Installation instructions](https://secure.php.net/manual/en/dom.setup.php))
- openssl.so extension enabled in the php.ini ([Installation instructions](https://secure.php.net/manual/en/openssl.installation.php))

Installation
------------


Via composer:
`composer require snowiow/x509ds`

Usage
-----


### Create a Signer object:


Either from a private key or pfx.

#### Private Key


```
// Either from the path of the private key
$signer = Signer::fromPrivateKey('path/to/pkey');
// or the string content of the private key
$signer = Signer::fromPrivateKey(file_get_contents('path/to/pkey'));
// or an openssl resource
$signer = Signer::fromPrivateKey(openssl_pkey_get_private(file_get_contents('path/to/pkey')));
```

#### Pfx File


```
// Either from the path of the pfx file
$signer = Signer::fromPfx('/path/to/pfx', 'password of pfx');
// or the string content of the pfx file
$signer = Signer::fromPfx(file_get_contents('/path/to/pfx'), 'password of pfx');
```

### Set the canonization method. DEFAULT: C14N


```
// Can be one of
$signer->setCanonization(Canonization::C14N); //Default
$signer->setCanonization(Canonization::C14N_EXCLUSIVE);
$signer->setCanonization(Canonization::C14N_WITH_COMMENTS);
$signer->setCanonization(Canonization::C14N_WITH_COMMENTS_EXCLUSIVE);
```

### Set the digest method. DEFAULT: SHA1


```
// Can be one of
$signer->setDigestMethod(Digest::SHA1); //Default
$signer->setDigestMethod(Digest::SHA256);
$signer->setDigestMethod(Digest::SHA512);
$signer->setDigestMethod(Digest::RIPEMD160);
```

### Set the signature method. DEFAULT: SHA1


```
// Can be one of
$signer->setSignatureMethod(Digest::SHA1); //Default
$signer->setSignatureMethod(Digest::SHA256);
$signer->setSignatureMethod(Digest::SHA512);
$signer->setSignatureMethod(Digest::RIPEMD160);
```

### Set a target. DEFAULT: Header


The signature node can be appended to an arbitrary node as a child.

```
// Example values (namespace doesn't need to be given)
$signer->setTarget('Header'); //Default
$signer->setTarget('Body');
```

### Set the tags. DEFAULT: \[\]


Set the names of the nodes for which you need digest values in your signature. The method is called `setTags` because the nodes are looked up via the DOMDocument method `getElementsByTagName`. Additional methods like `getElementsByTagNameNS` and `getElementById` will be added in a later version. The tags are passed as an array, where the key is the node name and the value is the URI that will be set as an attribute on the reference node of the digest value.

```
// Example
$signer->setTags(
    [
        'Body'                 => '#body',
        'Timestamp'            => '#timestamp',
        'BinarySecurityToken'  => '#binarytoken',
    ]
);
```

### Set a Security Token Reference Node (Optional)


Sometimes an additional SecurityTokenReference node is needed. The node will be added to the signature and looks like this:

```

```

The uri can be configured:

```
// Example
$signer->setSecurityTokenReference('#binarySecurityToken');
```

### Sign a document


Finally you can sign your XML document. This will return the modified DOMDocument with the signature node:

```
$signedDoc = $signer->sign('path/to/xml'); // from a path
$signedDoc = $signer->sign(file_get_contents('path/to/xml')); // from a content string
// or from a DOMDocument
$document = new DOMDocument();
$document->load('path/to/xml');
$signedDoc = $signer->sign($document);
```
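
What a call like `sign()` has to produce, following the description in the introduction: a digest over each canonicalized tagged node, then a signature with the private key (in XML-DSig the signed bytes are the canonicalized `SignedInfo` element of the signature node), followed by the receiver's checks. This is an added illustration written with plain DOM and openssl calls, not x509ds code; the sample XML, the Ids, the throwaway key and the helper names (`el`, `digestOf`, `buildSignedInfo`) are constructed, and it uses SHA-256 rather than the SHA1 defaults listed above.

```php
<?php
// Added illustration, not x509ds code. Sample XML, Ids and the key are constructed.
const DS  = 'http://www.w3.org/2000/09/xmldsig#';
const C14 = 'http://www.w3.org/2001/10/xml-exc-c14n#';
function el(DOMDocument $d, string $name, array $attrs = [], string $text = ''): DOMElement {
    $e = $d->createElementNS(DS, "ds:$name", $text);
    foreach ($attrs as $k => $v) { $e->setAttribute($k, $v); }
    return $e;
}

// Exclusive C14N without comments, SHA-256, base64: the content of one DigestValue
function digestOf(DOMNode $node): string {
    return base64_encode(hash('sha256', $node->C14N(true, false), true));
}

// One Reference per "tag => URI" pair, mirroring the array passed to setTags()
function buildSignedInfo(DOMDocument $d, array $tags): DOMElement {
    $si = el($d, 'SignedInfo');
    $si->appendChild(el($d, 'CanonicalizationMethod', ['Algorithm' => C14]));
    $si->appendChild(el($d, 'SignatureMethod',
        ['Algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256']));
    foreach ($tags as $tag => $uri) {
        $ref = $si->appendChild(el($d, 'Reference', ['URI' => $uri]));
        $ref->appendChild(el($d, 'Transforms'))
            ->appendChild(el($d, 'Transform', ['Algorithm' => C14]));
        $ref->appendChild(el($d, 'DigestMethod',
            ['Algorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256']));
        $ref->appendChild(el($d, 'DigestValue', [],
            digestOf($d->getElementsByTagName($tag)->item(0))));
    }
    return $si;
}

$d = new DOMDocument();
$d->loadXML('<Envelope><Header><Timestamp Id="timestamp"/></Header><Body Id="body"><Request/></Body></Envelope>');
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);

// Attach the Signature first, so SignedInfo is canonicalized in its final position
$sig = $d->getElementsByTagName('Header')->item(0)->appendChild(el($d, 'Signature'));
$si  = $sig->appendChild(buildSignedInfo($d, ['Body' => '#body', 'Timestamp' => '#timestamp']));
openssl_sign($si->C14N(true, false), $raw, $key, OPENSSL_ALGO_SHA256);
$sig->appendChild(el($d, 'SignatureValue', [], base64_encode($raw)));

// Receiver side: verify the signature over SignedInfo, then recompute a referenced digest
$pub    = openssl_pkey_get_details($key)['key'];
$sigOk  = openssl_verify($si->C14N(true, false), $raw, $pub, OPENSSL_ALGO_SHA256) === 1;
$body   = $d->getElementsByTagName('Body')->item(0);
$stored = $d->getElementsByTagNameNS(DS, 'DigestValue')->item(0)->textContent;
var_dump($sigOk, hash_equals($stored, digestOf($body)));
```

A verifier has to run both checks: the signature only covers `SignedInfo`, so a referenced node is protected only if its recomputed digest matches the signed `DigestValue`.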

### Get certificate from pfx file


Because a pfx file contains both the private key and the certificate, you can also retrieve the extracted certificate and use it, for example, to insert it into the BinarySecurityToken node:

```
$signer = Signer::fromPfx('/path/to/pfx', 'password of pfx');
$cert = $signer->getCertificate();
```

