
OpenSSL error when loading public key



Hi,

I created a public key and exported it to a file. It looks like:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA498EWxuZK/KsUgIEusEt
QOJulgTHwb8C4avtzJnzhosTeKooXvyGFPpex6HcQGSRqrWpNr2yhw1BvJvH2UyE
Jisl5BJA5Za+ofmbGifCFwCllZ37U1YpOmqpB2Yt+yYElGh5dp+lqs5Q3u3nPknd
nLS3bxH7qlZBvR9YPWj9x7IuSXJyopAmdJato8xeNHzmBxWD8FgQKICFpLtGsPXq
XRwT0imTs6/EcMqq6fdlp0OyBKyZjw6t47gMeqiuSYz6k41Nf/SbtIC4snUyoUgI
TvnHjWe1cY7js4kY62A9ZpHX0NpG7JXctxVb+aZOv1rS36bUjcP+bug1W3ZKrTG6
hwIDAQAB
-----END PUBLIC KEY-----

On the server side (OSX Sierra) I need to read the key file and use it for encryption/decryption using PHP. My PHP code is as follows:

$pub_key = file_get_contents("../user_pub_key.crt");
$public_key = openssl_pkey_get_public($pub_key);
var_dump($public_key);
echo openssl_error_string();

Although $public_key is apparently created and var_dump returns its resource number:

resource(5) of type (OpenSSL key)

strangely enough, openssl_error_string() also shows the following error:

error:0906D06C:PEM routines:PEM_read_bio:no start line

Does it mean that OpenSSL and PHP on my Mac are not compatible? Or the problem is somewhere else?

Thanks in advance,
Hassan


The documentation is very clear: There's an error if and only if the function returns false. It doesn't matter what kind of error messages you're pulling out of the library; they say nothing about the result of this function call.

My guess is that the message is simply coming from a sloppy implementation. The function supports many different input formats, and it looks like the extension authors use trial-and-error to figure out the right one. Chances are they aren't properly clearing the errors in between.

And then of course you need to realize that the error storage is global, which means it will be affected by all prior actions. You can't just grab a message and assume it's related to the last function call.

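A worked example of the discipline described above, added here and not part of the thread or of PHP's own documentation: the return value of openssl_pkey_get_public() decides success, and the global OpenSSL error queue is only read (and drained) when the call actually returned false. The key pair is generated at run time so the script is self-contained, and the helper name loadPublicKey is this example's own.

```php
<?php
// Added example (not from the thread). Load a PEM public key the way the
// documentation describes: the return value decides success; the error
// queue is consulted only when the call returned false.
declare(strict_types=1);

// Returns an OpenSSL key handle (resource on PHP 7, OpenSSLAsymmetricKey on
// PHP 8) or throws. No return type is declared so it runs on both.
function loadPublicKey(string $pem)
{
    // The OpenSSL error queue is process-global: drain whatever earlier
    // calls left behind so a stale message cannot be blamed on this call.
    while (openssl_error_string() !== false) {
    }

    $key = openssl_pkey_get_public($pem);
    if ($key === false) {
        // Only now do the queued messages actually explain something.
        $messages = [];
        while (($m = openssl_error_string()) !== false) {
            $messages[] = $m;
        }
        throw new RuntimeException('public key rejected: ' . implode('; ', $messages));
    }

    // Success. Messages still queued (such as "no start line" from the input
    // formats PHP tried before the one that matched) are noise: discard them
    // instead of printing them as if they were errors.
    while (openssl_error_string() !== false) {
    }
    return $key;
}

// Constructed key pair for the demo; in the thread the PEM comes from a file.
$pair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$pem = openssl_pkey_get_details($pair)['key']; // "-----BEGIN PUBLIC KEY-----" block

$key = loadPublicKey($pem);
printf("loaded RSA-%d public key\n", openssl_pkey_get_details($key)['bits']);

try {
    loadPublicKey('this is not a key');
} catch (RuntimeException $e) {
    // Here the queue genuinely describes the failure.
    echo $e->getMessage(), PHP_EOL;
}
```

The two drains are deliberate: the first protects this call from messages left by unrelated earlier OpenSSL work, the second stops the trial-and-error leftovers from leaking into whatever OpenSSL call comes next.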

Hi Jacques1,
So to make sure the error message is not from previous calls, I clear the OpenSSL error queue first. So I tried:

$pub_key = file_get_contents("../user_pub_key.crt");
// drain anything left in the error queue by earlier calls
while ($message = openssl_error_string()) {
    echo 'Clear any openssl cache' . PHP_EOL;
}
$public_key = openssl_pkey_get_public($pub_key);
// print whatever this call queued
while ($message = openssl_error_string()) {
    echo 'openssl_pkey_get_public() -> ' . $message . PHP_EOL;
}
var_dump($public_key);

Now this is what I get:

openssl_pkey_get_public() -> error:0906D06C:PEM routines:PEM_read_bio:no start line
resource(6) of type (OpenSSL key)

So there can be a problem with openssl_pkey_get_public(), perhaps due to the trial-and-error logic behind it, although apparently the OpenSSL key is generated successfully afterwards, hence I get a resource(6).

Is there any way to make sure the given public key file has created a proper key? I tried using it in my code later on (like the following digital signature verification) and I got FALSE results. I've tested that $hmac and $signature are okay, and the only suspect was $public_key.

$result = openssl_verify($hmac, $signature, $public_key, "sha256WithRSAEncryption");

I'm not sure whether my PHP and OpenSSL are compatible. If they're not, how can I install (or even build) compatible ones?

Thanks


So to make sure if the error message is not from the previous calls, I clear the openssl error cache.

No. You need to stop printing error messages when there is no error.

Is there any way that I make sure the given public key file, has created a proper key?

As I already said: Check the return value. A resource means the key is valid.

If signature verification fails nonetheless, that's likely your fault. Maybe the input parameters don't have the right format, maybe you used a different algorithm for creating the signature, maybe there's some other problem. It's impossible to tell without concrete (example) data.

Try verification on the command line with OpenSSL itself.

# foo.pub is the public key in PEM format, foo.sig the binary signature, foo.txt the original data
openssl dgst -sha256 -verify foo.pub -signature foo.sig foo.txt

I'm not sure if my PHP and openssl are compatible or not?

Why should they not be compatible? I don't see any indication of a PHP or OpenSSL related problem. Like I said, the problem is likely on your end.


As I already said: Check the return value. A resource means the key is valid.

If signature verification fails nonetheless, that's likely your fault. Maybe the input parameters don't have the right format, maybe you used a different algorithm for creating the signature, maybe there's some other problem. It's impossible to tell without concrete (example) data.

Try verification on the command line with OpenSSL itself.

# foo.pub is the public key in PEM format, foo.sig the binary signature, foo.txt the original data
openssl dgst -sha256 -verify foo.pub -signature foo.sig foo.txt

Thanks Jacques1. I'm now convinced that the public key is OK and the problem is somewhere else. I tried your verification command on the command line and the result was :-(

Verification Failure

I've created the public key and also the digital signature in C#. I need to verify the signature on the server side using PHP. Although I tried to use identical signing parameters (in C#) and verification parameters (in PHP), I still get failures.

My signing parameters in C# are:

public byte[] SignData(byte[] hashOfDataToSign)
{
    using (var rsa = new RSACryptoServiceProvider(2048))
    {
        rsa.PersistKeyInCsp = false;
        rsa.ImportParameters(PrivateKey);

        // PKCS#1 v1.5 signature over an already-computed SHA-256 hash
        var rsaFormatter = new RSAPKCS1SignatureFormatter(rsa);
        rsaFormatter.SetHashAlgorithm("SHA256");

        return rsaFormatter.CreateSignature(hashOfDataToSign);
    }
}

My verification code in PHP side is:

//verify signature
$result = openssl_verify($hmac, $signature, $userSigningPublicKey, "sha256WithRSAEncryption");

Can you spot where the problem is, please?

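Both Jacques1's advice above (check the return value, then reproduce the verification with the openssl command line) and the C#-to-PHP handoff in the post above turn on the same detail, so one added example serves both. It is written for this page and is not code from the thread: openssl_verify() hashes the data it is given, so it must receive the original message bytes, not a digest computed elsewhere. A signer that takes a precomputed hash (as RSAPKCS1SignatureFormatter.CreateSignature does in the C# above) is compatible only if the PHP side is handed the same original bytes and the same digest algorithm. The key pair, message and file names (foo.pub, foo.sig, foo.txt, matching the command line quoted in the thread) are constructed for the demo.

```php
<?php
// Added example (not from the thread). Sign/verify round trip with PHP's
// OpenSSL functions, plus the mismatch that yields 0 with a perfectly
// good key: feeding openssl_verify() a digest instead of the data.
declare(strict_types=1);

// Constructed key pair; in the thread the public key comes from a file.
$private = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$publicPem = openssl_pkey_get_details($private)['key'];
$public    = openssl_pkey_get_public($publicPem);
if ($public === false) {
    throw new RuntimeException('public key rejected');
}

$message = 'constructed sample payload';

// openssl_sign() computes SHA-256 over $message and emits a PKCS#1 v1.5
// signature: the same construction as "sha256WithRSAEncryption", and the
// same as hashing first and signing the hash with a PKCS#1 formatter.
if (!openssl_sign($message, $signature, $private, OPENSSL_ALGO_SHA256)) {
    throw new RuntimeException('signing failed');
}

// Returns 1 (valid), 0 (invalid) or -1/false (error): verify the ORIGINAL data.
$ok = openssl_verify($message, $signature, $public, 'sha256WithRSAEncryption');
echo "verify(message)         = $ok\n";   // expected: 1

// Same signature and key, but the verifier is handed the digest. openssl_verify()
// hashes the digest again, so it compares against SHA-256(SHA-256(message)) and
// fails. The same thing happens if the signer and verifier disagree on the
// digest algorithm.
$digest = hash('sha256', $message, true);
$bad = openssl_verify($digest, $signature, $public, 'sha256WithRSAEncryption');
echo "verify(sha256(message)) = $bad\n";   // expected: 0

// Write out the three files so the result can be cross-checked with the
// command quoted in the thread:
//   openssl dgst -sha256 -verify foo.pub -signature foo.sig foo.txt
file_put_contents('foo.pub', $publicPem);
file_put_contents('foo.sig', $signature);   // raw binary signature, not base64
file_put_contents('foo.txt', $message);
```

When the command line says "Verification Failure" for files produced on the PHP side as above, the three usual suspects are visible right there: foo.sig must be the raw signature bytes (decode it first if it was transported as base64), foo.txt must be byte-for-byte the data the signer hashed, and -sha256 must be the algorithm the signer used.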

1 month later...

My guess is that the message is simply coming from a sloppy implementation. The function supports many different input formats, and it looks like the extension authors use trial-and-error to figure out the right one. Chances are they aren't properly clearing the errors in between.

Thanks @Jacques1, it turned out that the problem with my code wasn't due to the public key. As you mentioned above, once PHP returned a 'resource' number, your key had been successfully imported. And the error messages are just PHP trying to find an answer by testing different scenarios.
