If I use openssl to create a new key pair, use the private key to sign some data, and use the public key to verify the signature... it works.
$ openssl genrsa -out mykey.pem 1024
$ openssl rsa -in mykey.pem -pubout > mypubkey.pem
$ echo 'It could be bunnies' > file.txt
$ openssl rsautl -sign -in file.txt -inkey mykey.pem -out sig.txt
$ openssl rsautl -verify -in sig.txt -inkey mypubkey.pem -pubin
It could be bunnies
However, if I try to verify the signature using the openssl library in php it fails.
$pubkey = openssl_pkey_get_public(file_get_contents('/var/key/mypubkey.pem'));
$sig = file_get_contents('/var/key/sig.txt');
$data = file_get_contents('/var/key/file.txt');
$verifyResult = (openssl_verify($data, $sig, $pubkey) == 1);
Similar story with Crypt_RSA
$pubkey = file_get_contents('/var/test/mypubkey.pem');
$sig = file_get_contents('/var/test/sig.txt');
$data = file_get_contents('/var/test/file.txt');
$rsa = new Crypt_RSA();
$rsa->loadKey($pubkey);
$rsa->verify($data, $sig);
$verifyResult = $rsa->verify($data, $sig);
How do I get php to play nicely? These examples are simplified but accurate to my needs. In the real world I will only have the data, signature, and public key...
I was really hoping someone would chime in with a definitive answer on the public key question. Seems like it should work. However, in the meantime, I've switched from a public key to a self-signed certificate. The openssl library in PHP seems happy with extracting an acceptable public key from that. Which means the real problem (verifying signed data) is solved for me. Server clients will now have the data, signature, and x.509 certificate.
Here are the code snippet(s).
$ openssl genrsa -out server.key 4096
$ openssl req -new -key server.key -out server.csr
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
$ openssl dgst -sha1 -sign server.key -out file.sha1 file.txt
...
$pubkey = openssl_pkey_get_public(file_get_contents('/var/key/server.crt'));
$sig = file_get_contents('/var/key/file.sha1');
$data = file_get_contents('/var/key/file.txt');
$verifyResult = (openssl_verify($data, $sig, $pubkey) == 1);
For phpseclib, try $rsa->setSignatureMode(CRYPT_RSA_SIGNATURE_PKCS1) before calling $rsa->verify().
Related
i try to create a signature certifications key and use him with this 3Party packege
https://github.com/tecnickcom/TCPDF
but all the time i get a InValid signature certifications
on adobe reader
i need a global signature certifications
i try to create a key from my mac terminal:
generate new .crt file, it's contained certificate & private key
openssl req -x509 -nodes -days 365000 -newkey rsa:1024 -keyout filename.crt -out filename.crt
convert .crt to binar .p12 file
openssl pkcs12 -export -in tcpdf.crt -out filename.p12
get private key from .p12 file, it will ask for passphrase/password, so the generated private key will be encrypted
openssl pkcs12 -in filename.p12 -nocerts -out filename.key
get certificate from .p12 file
openssl pkcs12 -in filename.p12 -clcerts -nokeys -out filename.crt
i try this to from adobe
https://helpx.adobe.com/il_he/acrobat/using/digital-ids.html
but im all the time get Invalid in adobe reader
like this:
enter image description here
how to create Valid signature certifications
how to decrypt using RSA OAEP with SHA256 on PHP.?
maybe using some package or manual? I dont know how to use it with PHP.
example logic :
openssl base64 -A -d -in $encrypt > $temp.bin
openssl pkeyutl -decrypt -inkey $private -in $temp.bin -out $temp.txt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
I am using the below openssl command for storing my public key into a .pem file.
openssl> x509 -in E:/mycert.pem -pubkey -out E:/mypubkey.pem
But when i try to use this command, it is storing the whole certificate info in the mypubkey.pem file.
I have seen that i can save my public key using
openssl> x509 -pubkey -noout -in cert.pem > pubkey.pem
But it is throwing an error. I can't use ">" operator.
There are a couple ways to do this.
First, instead of going into openssl command prompt mode, just enter everything on one command line from the Windows prompt:
E:\> openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
If for some reason, you have to use the openssl command prompt, just enter everything up to the ">". Then OpenSSL will print out the public key info to the screen. You can then copy this and paste it into a file called pubkey.pem.
openssl> x509 -pubkey -noout -in cert.pem
Output will look something like this:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAryQICCl6NZ5gDKrnSztO
3Hy8PEUcuyvg/ikC+VcIo2SFFSf18a3IMYldIugqqqZCs4/4uVW3sbdLs/6PfgdX
7O9D22ZiFWHPYA2k2N744MNiCD1UE+tJyllUhSblK48bn+v1oZHCM0nYQ2NqUkvS
j+hwUU3RiWl7x3D2s9wSdNt7XUtW05a/FXehsPSiJfKvHJJnGOX0BgTvkLnkAOTd
OrUZ/wK69Dzu4IvrN4vs9Nes8vbwPa/ddZEzGR0cQMt0JBkhk9kU/qwqUseP1QRJ
5I1jR4g8aYPL/ke9K35PxZWuDp3U0UPAZ3PjFAh+5T+fc7gzCs9dPzSHloruU+gl
FQIDAQAB
-----END PUBLIC KEY-----
if it is a RSA key
openssl rsa -pubout -in my_rsa_key.pem
if you need it in a format for openssh , please see Use RSA private key to generate public key?
Note that public key is generated from the private key and ssh uses the identity file (private key file) to generate and send public key to server and un-encrypt the encrypted token from the server via the private key in identity file.
I am not sure why the other answers have such high upvotes. They do not solve the two problems presented in the question. A key point to the problem is the openssl command interpreter is being used and not the shell prompt.
Problem #1 - the certificate is written with the public key.
I am using the below openssl command for storing my public key into a
.pem file.
openssl> x509 -in E:/mycert.pem -pubkey -out E:/mypubkey.pem But when
i try to use this command, it is storing the whole certificate info in
the mypubkey.pem file.
The solution is to add the command argument -noout.
Problem #2 - ">" operator is not supported:
openssl> x509 -pubkey -noout -in cert.pem > pubkey.pem
But it is throwing an error. I can't use ">" operator.
The solution is to add the -out <filename> command parameter.
Solution:
openssl> x509 -pubkey -in cert.pem -noout -out pubkey.pem
$passphrase = "';__!!??()[]";
$passphrase = escapeshellarg($passphrase);
shell_exec("openssl\openssl.exe genrsa -des3 -passout pass:${passphrase} -out test.key 2048");
#Here the password works
echo system("openssl\openssl.exe rsa -in test.key -passin pass:${passphrase} -noout -text");
This code works fine to generate a key with openssl. I can also read the key without any problem. But when I want to read the key from the command line I'm unable to decrypt it. I use exactly the same command as in the code. The only difference is, that I copy the passphrase to the command line as it is written in the code. This always fails with a bad decrypt error.
How can I fix this issue?
Edit: To make this more clear. This does not work when run from terminal:
openssl\openssl.exe rsa -in test.key -passin pass:"';__!!??()[]" -noout -text
Why don't you use PHP's OpenSSL library instead of the shell?
http://php.net/manual/en/ref.openssl.php
So I have read the PHP manual (HERE) but I'm not sure if it's does exactly what I think it is supposed to do. I need to convert a PFX certificate to a PEM. My question is, does either the above mentioned method or the openssl_pkcs12_export() method do what I need, or does it simply just export the information of the pkcs12 file?
To complete what I need to do, would I need to use the exec() method and use the appropriate openssl command, such as the one listed below:
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
Unless I am mistaken in your needs... You are just slightly off...
pkcs12 -in certificate.pfx -out certificate.pem -clcerts
You may also need to
pkcs12 -in certificate.pfx -out ca-certificate.pem -cacerts
-clcerts is only for client certificates
-cacerts is for non-client