Signing and verifying data with PHP (using OpenSSL)


builderbreaker

Hi All
 
First post here. Not sure where else to ask this, after a few hours of research...
 
I am trying to create a signature file in PHP (server-side), that can be sent to and verified by a remote client (will be in C++).
 
I am using openssl_sign function (I've also written it using phpseclib - no luck there either). I am writing the signature to a file and attempting to verify with OpenSSL command line. Doesn't seem to work.
 
 
My first attempt was just to go through the motions with OpenSSL command line:
openssl rsautl -in test_data.txt -out signed_test_data.txt -inkey private.key -sign
openssl rsautl -in signed_test_data.txt -pubin -inkey public.pem -verify

First command creates a signature file; and the second verifies it. All works as expected here.

 
 
Then I moved on to signing with PHP and attempting to verify with OpenSSL (second command above):
// testing - no validation, etc. Used phpseclib as well, with the same luck.
function openssl_sign_data($data)
{
        $private_key_file = "/tmp/test/private.key";

        $private_key = file_get_contents($private_key_file);

        $private_key_id = openssl_get_privatekey($private_key);

        // also fiddled with passing an algorithm constant, but that's not the issue.
        openssl_sign($data, $signature, $private_key_id);

        openssl_free_key($private_key_id);

        file_put_contents("/tmp/test/test.sig", $signature);
}
After I do that, verifying the output file (test.sig) via the OpenSSL command line returns junk... Or at least what looks like junk. While creating and verifying with OpenSSL CLI returns file content. 
 
My understanding is that PHP OpenSSL sign function (and based on verify function) only creates the signature, but does not pack the file content into the output data. While doing the same with OpenSSL obviously shows that data is included somehow. 
 
 
For example:
➜ echo 'SSL packs data here' > test_signature.txt
➜ cat test_signature.txt 
SSL packs data here
➜  
➜  openssl rsautl -in test_signature.txt -out test_signature.sig -inkey private.key -sign 
➜  
➜  ls -al test_signature.sig 
-rw-r--r-- 1 root root 256 Apr 18 01:21 test_signature.sig
➜  
➜  rm test_signature.txt 
➜  
➜  openssl rsautl -in test_signature.sig -pubin -inkey public.pem -verify 
SSL packs data here

I am trying to replicate this (the sign side of things) in PHP and to test, verify with OpenSSL, any help would be really appreciated.

 

 

 

Thanks 

 


openssl_private_encrypt() is the equivalent of your OpenSSL commands.

 

Note that this calculates an RSA signature of the raw input, which only makes sense in very exotic scenarios. If you want to sign data, this is not the right approach. So make sure you fully understand the cryptographic background.

Edited by Jacques1
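
Added example, not part of either post: it contrasts the raw RSA operation that `rsautl -sign` and openssl_private_encrypt() perform with what openssl_sign() produces, which is why `rsautl -verify` on the PHP signature prints what looks like junk. The in-process key, the sample message and the choice of SHA-256 are assumptions made for the illustration.

```php
<?php
// Added illustration. The RSA key is generated in-process and the message is a
// constructed sample, so nothing is read from or written to disk.
$key = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
if ($key === false) {
    exit("key generation failed: " . openssl_error_string() . "\n");
}
$pub  = openssl_pkey_get_details($key)['key'];   // PEM-encoded public key
$data = "SSL packs data here\n";                 // constructed sample input

// 1) Raw RSA private-key operation with PKCS#1 v1.5 padding, the PHP
//    counterpart of `openssl rsautl -sign`. The input itself is placed inside
//    the padded block, so it must be shorter than the modulus minus 11 bytes,
//    and the public-key operation hands the input back.
openssl_private_encrypt($data, $raw, $key, OPENSSL_PKCS1_PADDING);
openssl_public_decrypt($raw, $recovered, $pub, OPENSSL_PKCS1_PADDING);
echo "raw operation returns the input: ";
var_dump($recovered === $data);

// 2) openssl_sign() hashes the data first and signs an ASN.1 DigestInfo
//    (algorithm identifier + hash). Undoing the RSA step with the public key
//    therefore yields 19 header bytes plus the 32-byte SHA-256 digest, not the
//    data. That binary block is the "junk" `rsautl -verify` displays.
openssl_sign($data, $sig, $key, OPENSSL_ALGO_SHA256);
openssl_public_decrypt($sig, $block, $pub, OPENSSL_PKCS1_PADDING);
$prefix = hex2bin('3031300d060960864801650304020105000420'); // SHA-256 DigestInfo header
echo "signature wraps DigestInfo + hash: ";
var_dump($block === $prefix . hash('sha256', $data, true));

// 3) Verification needs the original data next to the signature; the verifier
//    recomputes the hash and compares. openssl_verify() returns 1 for a valid
//    signature and 0 for an invalid one.
echo "verify(original data): ";
var_dump(openssl_verify($data, $sig, $pub, OPENSSL_ALGO_SHA256));
echo "verify(modified data): ";
var_dump(openssl_verify($data . "x", $sig, $pub, OPENSSL_ALGO_SHA256));
```

A signature file written from `$sig` is checked on the command line with `openssl dgst -sha256 -verify public.pem -signature test.sig test_data.txt`, which takes the data file as well, rather than with `rsautl -verify`.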