openssl_sign

(PHP 4 >= 4.0.4, PHP 5)

openssl_sign — Generate signature

说明

bool openssl_sign ( string $data , string &$signature , mixed $priv_key_id [, mixed $signature_alg = OPENSSL_ALGO_SHA1 ] )

openssl_sign() computes a signature for the specified data by generating a cryptographic digital signature using the private key associated with priv_key_id. Note that the data itself is not encrypted.

参数

data

The string of data you wish to sign

signature

If the call was successful the signature is returned in signature.

priv_key_id

resource - a key, returned by openssl_get_privatekey()

string - a PEM formatted key

signature_alg

int - one of these Signature Algorithms.

string - a valid string returned by openssl_get_md_methods() example, "sha256WithRSAEncryption" or "sha384".

返回值

成功时返回 TRUE ，或者在失败时返回 FALSE 。

范例

Example #1 openssl_sign() example

  <?php
 // $data is assumed to contain the data to be signed

// fetch private key from file and ready it
 $pkeyid  =  openssl_pkey_get_private ( "file://src/openssl-0.9.6/demos/sign/key.pem" );

 // compute signature
 openssl_sign ( $data ,  $signature ,  $pkeyid );

 // free the key from memory
 openssl_free_key ( $pkeyid );
 ?>

Example #2 openssl_sign() example

  <?php
 //data you want to sign
 $data  =  'my data' ;

 //create new private and public key
 $new_key_pair  =  openssl_pkey_new (array(
     "private_key_bits"  =>  2048 ,
     "private_key_type"  =>  OPENSSL_KEYTYPE_RSA ,
));
 openssl_pkey_export ( $new_key_pair ,  $private_key_pem );

 $details  =  openssl_pkey_get_details ( $new_key_pair );
 $public_key_pem  =  $details [ 'key' ];

 //create signature
 openssl_sign ( $data ,  $signature ,  $private_key_pem ,  OPENSSL_ALGO_SHA256 );

 //save for later
 file_put_contents ( 'private_key.pem' ,  $private_key_pem );
 file_put_contents ( 'public_key.pem' ,  $public_key_pem );
 file_put_contents ( 'signature.dat' ,  $signature );

 //verify signature
 $r  =  openssl_verify ( $data ,  $signature ,  $public_key_pem ,  "sha256WithRSAEncryption" );
 var_dump ( $r );
 ?>

参见

openssl_verify() - Verify signature

用户评论:

[#1] Chris Kistner [2010-07-20 05:53:20]

The list of Signature Algorithms (constants) is very limited! Fortunately the newer versions of php/openssl allow you to specify the signature algorithm as a string.

You can use the 'openssl_get_md_methods' method to get a list of digest methods. Only some of them may be used to sign with RSA private keys.

Those that can be used to sign with RSA private keys are: md4, md5, ripemd160, sha, sha1, sha224, sha256, sha384, sha512

Here's the modified Example #1 with SHA-512 hash:
<?php // $data is assumed to contain the data to be signed // fetch private key from file and ready it $fp = fopen("/src/openssl-0.9.6/demos/sign/key.pem", "r"); $priv_key = fread($fp, 8192); fclose($fp); $pkeyid = openssl_get_privatekey($priv_key); // compute signature with SHA-512 openssl_sign($data, $signature, $pkeyid, "sha512"); // free the key from memory openssl_free_key($pkeyid); ?>

[#2] edmarw at yahoo dot com [2007-09-04 09:22:37]

This may help if you just want a real-simple private/public key pair:

<?php $data = "Beeeeer is really good.. hic..."; // You can get a simple private/public key pair using: // openssl genrsa 512 >private_key.txt // openssl rsa -pubout <private_key.txt >public_key.txt // IMPORTANT: The key pair below is provided for testing only. // For security reasons you must get a new key pair // for production use, obviously. $private_key = <<<EOD -----BEGIN RSA PRIVATE KEY----- MIIBOgIBAAJBANDiE2+Xi/WnO+s120NiiJhNyIButVu6zxqlVzz0wy2j4kQVUC4Z RZD80IY+4wIiX2YxKBZKGnd2TtPkcJ/ljkUCAwEAAQJAL151ZeMKHEU2c1qdRKS9 sTxCcc2pVwoAGVzRccNX16tfmCf8FjxuM3WmLdsPxYoHrwb1LFNxiNk1MXrxjH3R 6QIhAPB7edmcjH4bhMaJBztcbNE1VRCEi/bisAwiPPMq9/2nAiEA3lyc5+f6DEIJ h1y6BWkdVULDSM+jpi1XiV/DevxuijMCIQCAEPGqHsF+4v7Jj+3HAgh9PU6otj2n Y79nJtCYmvhoHwIgNDePaS4inApN7omp7WdXyhPZhBmulnGDYvEoGJN66d0CIHra I2SvDkQ5CmrzkW5qPaE2oO7BSqAhRZxiYpZFb5CI -----END RSA PRIVATE KEY----- EOD; $public_key = <<<EOD -----BEGIN PUBLIC KEY----- MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDiE2+Xi/WnO+s120NiiJhNyIButVu6 zxqlVzz0wy2j4kQVUC4ZRZD80IY+4wIiX2YxKBZKGnd2TtPkcJ/ljkUCAwEAAQ== -----END PUBLIC KEY----- EOD; $binary_signature = ""; // At least with PHP 5.2.2 / OpenSSL 0.9.8b (Fedora 7) // there seems to be no need to call openssl_get_privatekey or similar. // Just pass the key as defined above openssl_sign($data, $binary_signature, $private_key, OPENSSL_ALGO_SHA1); // Check signature $ok = openssl_verify($data, $binary_signature, $public_key, OPENSSL_ALGO_SHA1); echo "check #1: "; if ($ok == 1) { echo "signature ok (as it should be)\n"; } elseif ($ok == 0) { echo "bad (there's something wrong)\n"; } else { echo "ugly, error checking signature\n"; } $ok = openssl_verify('tampered'.$data, $binary_signature, $public_key, OPENSSL_ALGO_SHA1); echo "check #2: "; if ($ok == 1) { echo "ERROR: Data has been tampered, but signature is still valid! Argh!\n"; } elseif ($ok == 0) { echo "bad signature (as it should be, since data has beent tampered)\n"; } else { echo "ugly, error checking signature\n"; } ?>

[#3] adam dot mansfeld at gmail dot com [2005-10-19 00:50:56]

Hello,

the fourth parameter 'signature_alg' to choose the signature algorithm can be one of:

OPENSSL_ALGO_SHA1
OPENSSL_ALGO_MD5
OPENSSL_ALGO_MD4
OPENSSL_ALGO_MD2

Just for the case that somebody needs this.

Regards