How to perform Aadhaar eKYC Authentication via UIDAI and retrieve user details (Name, DOB, Address) with user permitted and OTP verification done?

Question

Concept - I am making web portal in which i want to add aadhaar authentication and get user detail( name, dob and address), if user permitted and verifies OTP then only.

language use - php, curl

Simple Example - EPFO portal user enter his aadhaar number and check, user receive OTP from UIDAI. if valid then get name, birthdate, addresss, like this simple functionality want to build in PHP.

Error is -

Error Number - 6 Could not resolve host: auth.uidai.gov.in; Name or service not known here

I refer below link --

1. https://uidai.gov.in/images/resource/Aadhaar_Authentication_API-2.5_Revision-1_of_January_2022.pdf
2. https://www.uidai.gov.in/en/916-developer-section/data-and-downloads-section/11350-testing-data-and-license-keys.html
3. uidai.gov.in/images/resource/aadhaar_otp_request_api_2_5.pdf
4. Similar functionality already exist in https://unifiedportal-mem.epfindia.gov.in/memberinterface/ -- to verify aadhaar and get his detail once user permitted, i need similar functionality , when user permitted then only get name, DOB, address.

I tried below code but not work,

 <?php
/** * https://uidai.gov.in/images/resource/Aadhaar_Authentication_API-2.5_Revision-1_of_January_2022.pdf */
$adhar_card_no = "123456789012";
 
function checkurl($adhar_card_no)
{
    $host = "https://auth.uidai.gov.in";
    $version = "2.5";
    $aua = "public";
    $asalk = "MAvSQG0jKTW4XxQc2cI-oXZYxYH-zi7IWmsQY1q3JNLlC8VOWOHYGj8";
    $uid = str_split($adhar_card_no);
    $url =  $host."/".$version."/".$aua."/".$uid[0]."/".$uid[1]."/".$asalk;
    return $url;
}

$request_url = checkurl($adhar_card_no);

function requestDataBuilder($uid)
{
    $encrypted_encoded_session_key = "";
    $encrypted_pid_block = "";
    $sha256_pid_bloc_encrypted_encoded= "";
    $digital_aua_signatrure= "";
  
    $auth_data = [
        "uid" => $uid, //Adhaar Card No.
        "tid" => "", //Terminal Id for registered device else public
        "ac" => "", //10 char unique code, public for testing
        "sa" => "", //max length 10, same as ac possible
        "ver" => 1.6, //Current version
        "txn" => "", //AUA transaction  identifier. max length 50, not U*
        "lk" => "", //Valid License Key, max length 64
    ];
    $uses_data = [ "pi" => "n", "pa" => "n", "pfa" => "n", "bio" => "n", "bt" => "n", "pin" => "n", "otp" => "n" ];
    
    $tkn_data = [
        "type" => "001", //only this option available for now which is mobile no.
        "value" => "9595792282" //Mobile no. 10 digit only no prefix
    ];
    $meta_data = [
        "udc" => "123456477699", //[vendorcode][date of deployment][serial number] max length 20
        "fdc" => "NA", //Fingerprint device code. use NA or NC or given code
        "idc" => "NA", //Iris device  code,  us na or NC
        "pip" => "NA", //Public IP address of the device, or NA
        "lot" => "P", //G -lat long format. p for pincode format
        "lov" => "110025" // value as per G and P- my pin change it
    ];
    $skey_data = [
        "ci" => "", //Public key certificate Identifier --mandatory
        "ki" => "" //This is for advanced use only, --optional
    ];

    $format = '<Auth uid="'.$auth_data['uid'].'" tid ="'.$auth_data['tid'].'" ac="'.$auth_data['ac'].'" sa="'.$auth_data['sa'].'" ver="'.$auth_data['ver'].'" txn="'.$auth_data['txn'].'" lk="'.$auth_data['lk'].'">';
    $format.= '<Uses pi="'.$uses_data['pi'].'" pa="'.$uses_data['pa'].'" pfa="'.$uses_data['pfa'].'" bio="'.$uses_data['bio'].'" bt="'.$uses_data['bt'].'" pin="'.$uses_data['pin'].'" otp="'.$uses_data['otp'].'"/>';
    $format.= '<Tkn type="'.$tkn_data['type'].'" value="'.$tkn_data['value'].'"/>';
    $format.= '<Meta udc="'.$meta_data['udc'].'" fdc="'.$meta_data['fdc'].'" idc="'.$meta_data['idc'].'" pip="'.$meta_data['pip'].'" lot="'.$meta_data['lot'].'" lov="'.$meta_data['lov'].'"/>';
    $format.= '<Skey ci="'.$skey_data['ci'].'" ki="'.$skey_data['ci'].'">'.$encrypted_encoded_session_key.'</Skey>';
    $format.= '<Data type="X">'.$encrypted_pid_block.'</Data>';
    $format.= '<Hmac>'.$sha256_pid_bloc_encrypted_encoded.'</Hmac>';
    $format.= '<Signature>'.$digital_aua_signatrure.'</Signature></Auth>';
    return $format;

}
$request_url = checkurl($adhar_card_no);
$data_to_send = requestDataBuilder($adhar_card_no);
//setting the curl parameters.
$ch = curl_init();
$curl_options = [ CURLOPT_URL => $request_url, CURLOPT_VERBOSE => 1, CURLOPT_SSL_VERIFYHOST => 0, CURLOPT_SSL_VERIFYPEER => 0, CURLOPT_POST => 1, CURLOPT_RETURNTRANSFER => 1, CURLOPT_HTTPHEADER => array('Content-Type: application/xml'), CURLOPT_POSTFIELDS => $data_to_send ];



curl_setopt_array($ch, $curl_options);
curl_setopt( $ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
$response = curl_exec($ch);

if (curl_errno($ch)) {
// moving to display page to display curl errors
    echo 'Error Number - '.curl_errno($ch).'<br/>';
    echo curl_error($ch);
    echo '<br/> here'; 
} else {
    
    echo $response;
    print_r($response);

}
curl_close($ch);
?>

this code not get any OTP , name, DOB from aadhaar.

please help someone, any suggestion.

Answer 1

Refer to this sample code. It has the logic of encrypting the XML body. Just download the staging/testing certificates from the official documentation.

<?php
require_once 'xmlseclibs/xmlseclibs.php';
use RobRichards\XMLSecLibs\XMLSecurityDSig;
use RobRichards\XMLSecLibs\XMLSecurityKey;

// certificate file locations
$public_certif = 'uidai_auth_stage.cer';
$stag_sign_file = 'Staging_Signature_PrivateKey.p12';

// set variables
$aadhaar_no = '999999990019';
$api_version = "2.5";
$asa_license_key = "MMxNu7a6589B5x5RahDW-zNP7rhGbZb5HsTRwbi-VVNxkoFmkHGmYKM";
$lk = "MBni88mRNM18dKdiVyDYCuddwXEQpl68dZAGBQ2nsOlGMzC9DkOVL5s";
$ac = "public";
$sa = "public";
$tid = "public";
$txn = "AuthDemoClient:public:".date("Ymdhms");
$ts = date('Y-m-d').'T'.date('H:i:s');

// PID Block
$pid_block='<?xml version="1.0"?><ns2:Pid ts="'.$ts.'" xmlns:ns2="http://www.uidai.gov.in/authentication/uid-auth-request-data/1.0"><ns2:Demo><ns2:Pi ms="E" mv="100" name="Shivshankar Choudhury"/></ns2:Demo></ns2:Pid>';

// generate aes-256 session key
$session_key = openssl_random_pseudo_bytes(32);


// generate auth xml
$auth_xml = '<?xml version="1.0" encoding="UTF-8"?><Auth uid="'.$aadhaar_no.'" ac="'.$ac.'" lk="'.$lk.'" sa="'.$sa.'" tid="'.$tid.'" txn="'.$txn.'" ver="'.$api_version.'" xmlns="http://www.uidai.gov.in/authentication/uid-auth-request/1.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><Uses bio="n" otp="n" pa="n" pfa="n" pi="y" pin="n"/><Meta fdc="NA" idc="NA" lot="P" lov="560094" pip="NA" udc="1122"/><Skey ci="'.certif_expire().'">'.encrypt_session_key($session_key).'</Skey><Data type="X">'.encrypt_pid($pid_block, $session_key).'</Data><Hmac>'.calculate_hmac($pid_block, $session_key).'</Hmac></Auth>';

//echo $auth_xml;
 //die();
// $xml=simplexml_load_string($auth_xml) or die("Error: Cannot create object");
//print_r($xml);

// xmldsig the auth xml
$doc = new DOMDocument();
$doc->loadXML($auth_xml);
$objDSig = new XMLSecurityDSig();
$objDSig->setCanonicalMethod(XMLSecurityDSig::C14N);
$objDSig->addReference(
    $doc,
    XMLSecurityDSig::SHA256,
    array(
        'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
        'http://www.w3.org/2001/10/xml-exc-c14n#'
    ),
    array('force_uri' => true)
);
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, array('type'=>'private'));
openssl_pkcs12_read(file_get_contents($stag_sign_file), $key, "public");
$objKey->loadKey($key["pkey"]);
$objDSig->add509Cert($key["cert"]);
$objDSig->sign($objKey, $doc->documentElement);


// make a request to uidai
$ch = curl_init("http://auth.uidai.gov.in/$api_version/public/".$aadhaar_no[0]."/".$aadhaar_no[0]."/$asa_license_key");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $doc->saveXML());
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
  "Accept: application/xml",
  "Content-Type: application/xml"
));
echo "\nRequest XML\n";
echo $doc->saveXML();
echo "\n\n";
echo "Response from UIDAI\n";
echo htmlspecialchars_decode(curl_exec($ch));



function encrypt_pid($pid_block, $session_key)
{
    return encrypt_by_session_key($pid_block, $session_key);
}

function encrypt_by_session_key($data, $session_key)
{
    global $public_certif;
    $fp=fopen($public_certif, "r");
    $pub_key_string=fread($fp,8192);
    openssl_public_encrypt($data, $encrypted_data, $pub_key_string, OPENSSL_PKCS1_PADDING);
    return $encrypted_data;
    }
function generateRandomString($length = 32) {
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $charactersLength = strlen($characters);
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        $randomString .= $characters[rand(0, $charactersLength - 1)];
    }
    return $randomString;

}

function calculate_hmac($data, $session_key)
{
    return encrypt_by_session_key(hash('sha256', $data, true), $session_key);
}

function certif_expire()
{
    global $public_certif;
    $certinfo = openssl_x509_parse(file_get_contents($public_certif));
    return date('Ymd', $certinfo['validTo_time_t']);
}

function encrypt_session_key($session_key)
{
    global $public_certif;
    $pub_key = openssl_pkey_get_public(file_get_contents($public_certif));
    $keyData = openssl_pkey_get_details($pub_key);
    openssl_public_encrypt($session_key, $encrypted_session_key, $keyData['key'], OPENSSL_PKCS1_PADDING);
    return base64_encode($encrypted_session_key);
}

Answer 2

Encourage private companies, such as Surepass and Signzy, to provide API gateways.

Given the sensitivity of Aadhar data, the government is not permitting its use for testing purposes in this context.

Although we attempted to use API-Setu, we encountered frequent service disruptions.