Thursday, July 10, 2008

PKCS12 Key Store support added

WSF/PHP security API now has the pkcs12 key store support. Previously when implementing a service or a client that uses WS-Security, Sometimes it is necessary to make the service limited to a number of pre approved clients. To allow this functionality, it is necessary to obtain the approved clients public  keys and store them in a key store file in addition to the private key used by the service. PKCS12 is the commonly used file format to store X.509 private keys and public key certificates protected by a password.


Following is the API for using a PKCS12 Key store file.

WSSecurityToken object accepts an options array in its constructor. We added a new option "PKCS12KeyStore" for specifying the key store file as a string. Following is an example service using a key store file.


function echoFunction($inMessage)


$returnMessage = new WSMessage($inMessage->str);

return $returnMessage;


$keystore = file_get_contents("../keys/bob_kstore.p12");

$operations = array("echoString" => "echoFunction");

$sec_array = array("encrypt" => TRUE,

                            "algorithmSuite" => "Basic256Rsa15",

                            "securityTokenReference" => "IssuerSerial");

$actions = array("" => "echoString");

$policy = new WSPolicy(array("security"=> $sec_array));

$sec_token = new WSSecurityToken(array("PKCS12KeyStore" => $keystore,



$svr = new WSService(array("actions" => $actions,

                                             "operations" => $operations,

                                             "policy" => $policy,

                                            "securityToken" => $sec_token));



Note how the PKCS12 key store file is obtained as an string using the file_get_contents function and specified using the option "PKCS12KeyStore" option.


  1. what should we use for operation and action? i don't quite get what they mean.

  2. The operation is actually defined in the operations array which is passed as an argument to the service. So the security engagement would be for the service level and not at the operations level which is actually a short coming.

  3. Hi, i have a question. I have ws_policy.xml, .p12 and .cer files. How should the class-call look? thank you!