openssl_verify
Verify signature
(PHP 4 >= 4.0.4, PHP 5)
Example 1678. openssl_verify() example
<?php

Code Examples / Notes » openssl_verify

devel@no-spam
It should be noted that in order to verify a signature successfully, SHA-1 must be used to digest the data before signing. If, for example, you are using Java to create a signature and you want to verify it in PHP, you must not use "MD5withRSA" or "SHA512withRSA" as the signature algorithm. Use "SHA1withRSA" or the like...

stiv
I've finally found a way to verify signature. Sample in the documentation doesn't work. Code below DOES work :)

    <?php
    // $data is assumed to contain the data to be signed

    // fetch certificate from file and ready it
    $fp = fopen("path/file.pem", "r");
    $cert = fread($fp, 8192);
    fclose($fp);

    // state whether signature is okay or not
    // use the certificate, not the public key
    $ok = openssl_verify($data, $signature, $cert);
    if ($ok == 1) {
        echo "good";
    } elseif ($ok == 0) {
        echo "bad";
    } else {
        echo "ugly, error checking signature";
    }
    ?>

meint dot post
Anybody trying to get a Win32 CryptoAPI based digital signature component to work with the openssl_verify() function should be aware that the CryptoAPI PKCS1 (RSA) method uses bytes in reverse order while the openssl_verify() method expects a correctly formatted PKCS1 digital signature (as should be). I learned this the hard way and it took me some time to dig this out. A simple solution in VBScript to reverse the byte order:

    N = Len(Blob.Hex)
    ' reverse bytes in the signature using Hex format
    For i = 1 To N - 1 Step 2
        s = Mid(Blob.Hex, i, 2) & s
    Next

s contains the digital signature in reverse order. Blob is an arbitrary binary container. Send the signature off in Hex format and use a hex2bin method in PHP to convert to the correct format for openssl_verify(), i.e.

    // hex2bin() is built in from PHP 5.4; define it only where it is missing
    if (!function_exists('hex2bin')) {
        function hex2bin($data)
        {
            $len = strlen($data);
            return pack("H" . $len, $data);
        }
    }

That's it, hope it helps out. BTW I used ASPEncrypt to toy around with on Win32 platform. Works only with Internet Explorer but you could also use a Java applet and have none of the above-mentioned problems :-)

steve dot venable
A note about the openssl_verify() (and some of the other functions). The public key comes from a certificate in any of the supported formats (as the example shows, use openssl_get_publickey() to get the resource id). But after some trial and error I found the signature string MUST BE BINARY. While no error occurs when passing a base64-formatted signature string (PEM format?), you simply get a mismatch. When I did the base64 decode myself, the verify returned a match (return value 1). You can simply drop the begin/end lines and take the output of the 'base64_decode()' function.
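
The pitfalls raised in the notes above (base64 versus binary signatures, matching the digest on both sides, and the three-way return value), shown as an added example that is not from the PHP manual or from any of the commenters. The helper name verify_b64_signature() and the sample message are hypothetical, and the code assumes a PHP build where openssl_sign() and openssl_verify() accept the optional algorithm argument and OPENSSL_ALGO_SHA256 is defined.

```php
<?php
// Added example; verify_b64_signature() and the sample data are hypothetical.

// Returns true only for a valid signature; throws if OpenSSL reports an error.
function verify_b64_signature($data, $sigB64, $publicKeyPem, $algo)
{
    // openssl_verify() needs the raw signature bytes, not base64 text.
    $sig = base64_decode($sigB64, true);
    if ($sig === false) {
        return false; // not valid base64, so not a usable signature
    }
    $rc = openssl_verify($data, $sig, $publicKeyPem, $algo);
    if ($rc === 1) {
        return true;
    }
    if ($rc === 0) {
        return false;
    }
    // Anything else means the check itself failed; never treat it as "ok".
    throw new RuntimeException('openssl_verify: ' . openssl_error_string());
}

// Constructed test material: a throwaway RSA key and a sample message.
$key = openssl_pkey_new(array(
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
));
if ($key === false) {
    exit('key generation failed: ' . openssl_error_string() . "\n");
}
$details = openssl_pkey_get_details($key);
$pubPem = $details['key'];
$data = 'constructed sample message';

// Signer side: SHA-256 digest, signature base64-encoded for transport.
openssl_sign($data, $rawSig, $key, OPENSSL_ALGO_SHA256);
$sigB64 = base64_encode($rawSig);

// Base64 text handed straight to openssl_verify(): not accepted.
var_dump(openssl_verify($data, $sigB64, $pubPem, OPENSSL_ALGO_SHA256) === 1);
// Decoded signature, same digest as the signer.
var_dump(verify_b64_signature($data, $sigB64, $pubPem, OPENSSL_ALGO_SHA256));
// Decoded signature, but a different digest than the signer used.
var_dump(verify_b64_signature($data, $sigB64, $pubPem, OPENSSL_ALGO_SHA1));
// Decoded signature over altered data.
var_dump(verify_b64_signature($data . 'x', $sigB64, $pubPem, OPENSSL_ALGO_SHA256));
```

Comparing the return value with === 1 matters because the error value -1 is truthy in PHP, so a loose `if (openssl_verify(...))` would accept a signature that was never actually checked.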