Why is a message signed with openssl_pkcs7_sign not verified with openssl_pkcs7_verify?

The signing code is based on the example at http://php.net/openssl-pkcs7-sign. The private key matches the public key in the certificate. The certificate is valid from a year ago until December 31, 9999, so the date range is not an issue.

Do I need to install the key usage extension? And if this is a question, what does it need to establish? And if it doesn't, then what exactly do I need to do to get this to work?

Here's my code:

<?php
$data = <<<EOD

You have my authorization to spend $10,000 on dinner expenses.

The CEO
EOD;
// save message to file
$fp = fopen("msg.txt", "w");
fwrite($fp, $data);
fclose($fp);

$key = '-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----';

$cert = '-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----';


// sign it
openssl_pkcs7_sign(
    'msg.txt',
    'signed.txt',
    $cert,
    $key,
    array(
        'To' => 'joes@example.com',   // keyed syntax
        'From: HQ <ceo@example.com>', // indexed syntax
        'Subject' => 'Eyes only'
    )
);

echo file_get_contents('signed.txt');

var_dump(openssl_pkcs7_verify('signed.txt', 0));

      

+3



1 answer


This is expected behavior. You have a self-signed certificate. In your case, you should use

openssl_pkcs7_verify('signed.txt', PKCS7_NOVERIFY)

      



Then a self-signed certificate is acceptable.

+2
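
PKCS7_NOVERIFY turns off verification of the signer's certificate, so it accepts a message signed with any self-signed certificate, not only the expected one. The script below is an added example, not code from the question or the answer: it compares flags 0, PKCS7_NOVERIFY, and flags 0 with the expected certificate passed as a trust anchor in the fourth argument ($ca_info). All names, messages and temporary paths are constructed, and it assumes the local OpenSSL configuration puts no restrictive key usage on the generated certificates.

```php
<?php
// Added example. All names, messages and paths below are constructed.

// Create a throwaway self-signed certificate; returns [certificate PEM, private key].
function makeSelfSigned(string $commonName): array
{
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    $csr = openssl_csr_new(['commonName' => $commonName], $key, ['digest_alg' => 'sha256']);
    $x509 = openssl_csr_sign($csr, null, $key, 30, ['digest_alg' => 'sha256']); // null CA: self-signed
    openssl_x509_export($x509, $pem);
    return [$pem, $key];
}

// Sign a message with the given certificate and verify it three ways.
function signAndVerify(string $dir, string $tag, string $certPem, $key, string $anchorFile): array
{
    $msg = "$dir/$tag.txt";
    $signed = "$dir/$tag.signed";
    file_put_contents($msg, "Constructed test message from $tag\n");
    if (!openssl_pkcs7_sign($msg, $signed, $certPem, $key, ['Subject' => 'test'])) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return [
        'flags 0, no anchor'     => openssl_pkcs7_verify($signed, 0),
        'PKCS7_NOVERIFY'         => openssl_pkcs7_verify($signed, PKCS7_NOVERIFY),
        'flags 0, pinned anchor' => openssl_pkcs7_verify($signed, 0, null, [$anchorFile]),
    ];
}

$dir = sys_get_temp_dir() . '/pkcs7demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

[$ceoCert, $ceoKey] = makeSelfSigned('ceo.example.com');
[$otherCert, $otherKey] = makeSelfSigned('someone-else.example.com');

// Trust only the certificate we expect to sign messages.
$anchorFile = "$dir/trusted-signer.pem";
file_put_contents($anchorFile, $ceoCert);

$signers = ['expected' => [$ceoCert, $ceoKey], 'unrelated' => [$otherCert, $otherKey]];
foreach ($signers as $tag => [$cert, $key]) {
    echo "signer: $tag\n";
    foreach (signAndVerify($dir, $tag, $cert, $key, $anchorFile) as $mode => $result) {
        printf("  %-24s %s\n", $mode, var_export($result, true));
    }
}
```

Only the pinned-anchor check ties the result to a particular signer; PKCS7_NOVERIFY still checks the signature over the content, but not whose certificate produced it.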

