How to verify a signature via PHP that was created on the OpenSSL command line?
It seems that PHP's openssl_sign
and openssl_verify
functions perform hashing of the data before signing, due to size restrictions, so I've tried emulating this on the command line.
Signing via openssl:
echo "foo" | opens开发者_JS百科sl dgst -sha1 -binary | openssl rsautl -inkey priv.pem -sign > sig.bin
then verifying via PHP
$key = openssl_pkey_get_public('pub.pem');
$ver = openssl_verify( "foo\n", file_get_contents('sig.bin'), $key, OPENSSL_ALGO_SHA1 );
// $ver always 0
I've tried numerous combinations, binary and hex forms of the hash, with and without the trailing newline, and even hashing before passing into php function
My findings are that PHP's sign and verify are not interoperable with openssl's rsautl -sign
and -verify
options. PHP seems to add some meta data, (an extra 15 bytes) although I don't know what it means.
My solution: I am using encrypt and decrypt functions directly and handling the hashing myself.
This way, the command line -verify
option is analogous to "decrypt with public key".
By the same token -sign
is analogous to "encrypt with public key"
In fact, this way you can define your own signature format, for example including a date along with the hash
精彩评论