(PHP ActiveX) Signed Zip as Base64 with XAdES-BES

This example is to help companies implement a solution for sending XAdES-BES to the Polish government for reporting purposes. Specifically:

Przed podpisaniem deklaracja zbiorcza (PIT-11Z, PIT-8CZ, PIT-40Z, PIT-RZ) musi zostać
umieszczona w archiwum ZIP. W tym przypadku, podpisywany jest plik archiwum ZIP,
przyjmujący w podpisie XAdES-BES formę zakodowaną base64.

The example demonstrates the following:

Zip an XML file (PIT-11Z.xml is zipped to PIT-11Z.zip)
Create XML to be signed, where the XML contains the base64 encoded content of the PIT-11Z.zip archive.
XAdES-BES sign the XML containing the base64 zip.

This example will also show the reverse:

Verify the signed XML.
Extract the PIT-11z.zip from the signed XML.
Unzip the PIT-11Z.zip to get the original PIT-11Z.xml

Chilkat ActiveX Downloads

ActiveX for 32-bit and 64-bit Windows

Note: The php_com_dotnet.dll may need to be enabled inside of php.ini.

<?php

// This example assumes the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

// Zip the PIT-11Z.xml to create PIT-11Z.zip (not as a .zip file, but in-memory).
// For versions of Chilkat < 10.0.0, use new COM('Chilkat_9_5_0.Chilkat.StringBuilder')
$sbXmlToZip = new COM("Chilkat.StringBuilder");
$success = $sbXmlToZip->LoadFile('qa_data/xml/PIT-11Z.xml','utf-8');
if ($success != 1) {
    print 'Failed to load the XML to be zipped.' . "\n";
    exit;
}

// For versions of Chilkat < 10.0.0, use new COM('Chilkat_9_5_0.Chilkat.Zip')
$zip = new COM("Chilkat.Zip");

// Initialize the zip object. No file is created in this call.
// It should always return 1.
$success = $zip->NewZip('PIT-11Z.zip');

// Add the XML to be zipped.
// entry is a Chilkat.ZipEntry
$entry = $zip->AppendString('PIT-11Z.xml',$sbXmlToZip->getAsString());

// Write the zip to a BinData object.
// For versions of Chilkat < 10.0.0, use new COM('Chilkat_9_5_0.Chilkat.BinData')
$bdZip = new COM("Chilkat.BinData");
$zip->WriteBd($bdZip);
// The contents of the bdZip will be retrieved in base64 format when needed below..

// For versions of Chilkat < 10.0.0, use new COM('Chilkat_9_5_0.Chilkat.XmlDSigGen')
$gen = new COM("Chilkat.XmlDSigGen");

$gen->SigLocation = '';
$gen->SigLocationMod = 0;

$gen->SigId = 'Signature_2a8df7f8-b958-40cc-83f6-edb53b837347_19';
$gen->SigNamespacePrefix = 'ds';
$gen->SigNamespaceUri = 'http://www.w3.org/2000/09/xmldsig#';
$gen->SigValueId = 'SignatureValue_2a8df7f8-b958-40cc-83f6-edb53b837347_52';
$gen->SignedInfoId = 'SignedInfo_2a8df7f8-b958-40cc-83f6-edb53b837347_41';
$gen->SignedInfoCanonAlg = 'C14N';
$gen->SignedInfoDigestMethod = 'sha1';

// Set the KeyInfoId before adding references..
$gen->KeyInfoId = 'KeyInfo_2a8df7f8-b958-40cc-83f6-edb53b837347_24';

// Create an Object to be added to the Signature.
// For versions of Chilkat < 10.0.0, use new COM('Chilkat_9_5_0.Chilkat.Xml')
$object1 = new COM("Chilkat.Xml");
$object1->Tag = 'xades:QualifyingProperties';
$object1->AddAttribute('xmlns:xades','http://uri.etsi.org/01903/v1.3.2#');
$object1->AddAttribute('Id','QualifyingProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_43');
$object1->AddAttribute('Target','#Signature_2a8df7f8-b958-40cc-83f6-edb53b837347_19');
$object1->UpdateAttrAt('xades:SignedProperties',1,'Id','SignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4e');
$object1->UpdateAttrAt('xades:SignedProperties|xades:SignedSignatureProperties',1,'Id','SignedSignatureProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_0a');
// Chilkat will replace the strings "TO BE GENERATED BY CHILKAT" with actual values when the signature is created.
$object1->UpdateChildContent('xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningTime','TO BE GENERATED BY CHILKAT');
// Note: It may be that http://www.w3.org/2001/04/xmlenc#sha256 is needed in the following line instead of http://www.w3.org/2000/09/xmldsig#sha1
$object1->UpdateAttrAt('xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:CertDigest|ds:DigestMethod',1,'Algorithm','http://www.w3.org/2000/09/xmldsig#sha1');
$object1->UpdateChildContent('xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:CertDigest|ds:DigestValue','TO BE GENERATED BY CHILKAT');
$object1->UpdateChildContent('xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:IssuerSerial|ds:X509IssuerName','TO BE GENERATED BY CHILKAT');
$object1->UpdateChildContent('xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:IssuerSerial|ds:X509SerialNumber','TO BE GENERATED BY CHILKAT');
$object1->UpdateAttrAt('xades:SignedProperties|xades:SignedDataObjectProperties',1,'Id','SignedDataObjectProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4b');
$object1->UpdateAttrAt('xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat',1,'ObjectReference','#Reference1_2a8df7f8-b958-40cc-83f6-edb53b837347_27');
$object1->UpdateChildContent('xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:Description','MIME-Version: 1.0\r\nContent-Type: application/zip\r\nContent-Transfer-Encoding: binary\r\nContent-Disposition: filename=&quot;PIT-11Z.zip&quot;');
$object1->UpdateAttrAt('xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:Identifier',1,'Qualifier','OIDAsURI');
$object1->UpdateChildContent('xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:Identifier','http://www.certum.pl/OIDAsURI/signedFile/1.2.616.1.113527.3.1.1.3.1');
$object1->UpdateChildContent('xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:Description','Opis formatu dokumentu oraz jego pelna nazwa');
$object1->UpdateChildContent('xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:DocumentationReferences|xades:DocumentationReference','http://www.certum.pl/OIDAsURI/signedFile.pdf');
$object1->UpdateChildContent('xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:MimeType','application/zip');
$object1->UpdateChildContent('xades:SignedProperties|xades:SignedDataObjectProperties|xades:CommitmentTypeIndication|xades:CommitmentTypeId|xades:Identifier','http://uri.etsi.org/01903/v1.2.2#ProofOfApproval');
$object1->UpdateChildContent('xades:SignedProperties|xades:SignedDataObjectProperties|xades:CommitmentTypeIndication|xades:AllSignedDataObjects','');
$object1->UpdateAttrAt('xades:UnsignedProperties',1,'Id','UnsignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_55');

// Emit XML in compact (single-line) format to avoid whitespace problems.
$object1->EmitCompact = 1;
$gen->AddObject('',$object1->getXml(),'','');

// Create an Object to be added to the Signature.
// This is where we add the base64 representation of the PIT-11Z.zip
$gen->AddObject('Object1_2a8df7f8-b958-40cc-83f6-edb53b837347',$bdZip->getEncoded('base64'),'','http://www.w3.org/2000/09/xmldsig#base64');

// -------- Reference 1 --------
$gen->AddObjectRef('Object1_2a8df7f8-b958-40cc-83f6-edb53b837347','sha1','C14N_WithComments','','');
$gen->SetRefIdAttr('Object1_2a8df7f8-b958-40cc-83f6-edb53b837347','Reference1_2a8df7f8-b958-40cc-83f6-edb53b837347_27');

// -------- Reference 2 --------
$gen->AddObjectRef('SignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4e','sha1','','','http://uri.etsi.org/01903#SignedProperties');
$gen->SetRefIdAttr('SignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4e','SignedProperties-Reference_2a8df7f8-b958-40cc-83f6-edb53b837347_28');

// Provide a certificate + private key. (PFX password is test123)
// For versions of Chilkat < 10.0.0, use new COM('Chilkat_9_5_0.Chilkat.Cert')
$cert = new COM("Chilkat.Cert");
$success = $cert->LoadPfxFile('qa_data/pfx/cert_test123.pfx','test123');
if ($success != 1) {
    print $cert->LastErrorText . "\n";
    exit;
}

$gen->SetX509Cert($cert,1);

$gen->KeyInfoType = 'X509Data';
$gen->X509Type = 'Certificate';

// This will be an enveloping signature where the Signature element
// is the XML document root, the signed data is contained within Object
// tag(s) within the Signature.
// Therefore, pass an empty sbXml to CreateXmlDsigSb.
// For versions of Chilkat < 10.0.0, use new COM('Chilkat_9_5_0.Chilkat.StringBuilder')
$sbXml = new COM("Chilkat.StringBuilder");

// The Polish government's XmlDSig implementation requires that we reproduce an attribute-sorting error.
// (This is an error in the XML canonicalization that is not noticed when both the signature-creation code and signature-verification code use
// the same XML canonicalization implementation w/ the bug.)
$gen->Behaviors = 'AttributeSortingBug,CompactSignedXml';

// Sign the XML...
$success = $gen->CreateXmlDSigSb($sbXml);
if ($success != 1) {
    print $gen->LastErrorText . "\n";
    exit;
}

// -----------------------------------------------

// Save the signed XML to a file.
$success = $sbXml->WriteFile('qa_output/signedXml.xml','utf-8',0);

print $sbXml->getAsString() . "\n";

// ----------------------------------------
// Verify the signature we just produced...
// For versions of Chilkat < 10.0.0, use new COM('Chilkat_9_5_0.Chilkat.XmlDSig')
$verifier = new COM("Chilkat.XmlDSig");
$success = $verifier->LoadSignatureSb($sbXml);
if ($success != 1) {
    print $verifier->LastErrorText . "\n";
    exit;
}

$verified = $verifier->VerifySignature(1);
if ($verified != 1) {
    print $verifier->LastErrorText . "\n";
    exit;
}

print 'This signature was successfully verified.' . "\n";

// ------------------------------------
// Finally, let's extract the .zip from the signed XML, and then unzip the original PIT-11Z.xml from the in-memory zip.
// For versions of Chilkat < 10.0.0, use new COM('Chilkat_9_5_0.Chilkat.Xml')
$xml = new COM("Chilkat.Xml");
$xml->LoadSb($sbXml,1);

// The base64 image of the PIT-11Z.zip is in the 2nd ds:Object child of the ds:Signature (the ds:Signature is the root element of the signed XML).
// (ds:Object[0] would be the 1st ds:Object child.  Index 1 is the 2nd ds:Object child.)
$strZipBase64 = $xml->getChildContent('ds:Object[1]');

$bdZip->Clear();
$bdZip->AppendEncoded($strZipBase64,'base64');
if ($bdZip->NumBytes == 0) {
    print 'Something went wrong.. we dont' have any data..' . "\n";
    exit;
}

$success = $zip->OpenBd($bdZip);
if ($success != 1) {
    print $zip->LastErrorText . "\n";
    exit;
}

// Get the 1st file in the zip, which should be the PIT-11Z.xml
// entry is a Chilkat.ZipEntry
$entry = $zip->GetEntryByIndex(0);
if ($zip->LastMethodSuccess != 1) {
    print 'Zip contains no files...' . "\n";
    exit;
}

// Get the XML:
$origXml = $entry->unzipToString(0,'utf-8');
print 'Original XML extracted from base64 zip:' . "\n";
print $origXml . "\n";


?>