I need to validate a digital signature (RSA256) using the openssl_verify function. To validate a digital signature, one of course needs to know a public key, which is provided to me in the form of a PFX certificate.
openssl_verify expects a so-called resource key identifier object as an input parameter, and it simply cannot use the key from the PFX certificate directly.
I was hoping that the function openssl_pkey_get_public would work - according to the documentation it returns a positive key resource identifier on success, or FALSE on error.
However, in my tests the function openssl_pkey_get_public is always returning FALSE without any additional error messages or anything. Here is my code:
$publicKeyRes = openssl_pkey_get_public(file_get_contents('certificate.pfx'));
$success = openssl_verify('SomeMessage', 'SomeSignature', $publicKeyRes, OPENSSL_ALGO_SHA256);
How can I validate digital signature using public key from PFX certificate?
It looks like you cannot use a PFX certificate with openssl_pkey_get_public. You need to convert your certificate from PFX to PEM format, and then extract the public key from PEM into a PUB file, and then use the PUB file with openssl_pkey_get_public. Here it is one more time:
Extract public key from PEM certificate using the following command:
openssl rsa -in privkey.pem -pubout > key.pub
** Please note the command above is a Unix shell command, and I used the Bash console to execute this command in Windows. The Bash console is installed together with Git for Windows - Git for Windows provides a Bash emulation used to run Git from the command line. Alternatively, you could use any other Unix shell implementation for Windows - there are many.
After you have done all of the above (it needs to be done one time only), change the 1st line of your code to use the key.pub file like this:
$publicKeyRes = openssl_pkey_get_public(file_get_contents('key.pub'));
Now it should return a proper resource key identifier object that can be used with the openssl_verify function to verify your RSA signature.
Hope this helps!
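
An alternative to the conversion steps above, as an added example that is not part of the original answer: PHP's openssl_pkcs12_read can open the PFX itself, and the certificate it returns can be passed to openssl_pkey_get_public. The throwaway key, self-signed certificate, passphrase and the verifyWithPfx helper are constructed for this demonstration.

```php
<?php
// Added example: verify an RSA-SHA256 signature with the certificate held inside a PFX.

/** Returns true only when $rawSignature is a valid signature over $message. */
function verifyWithPfx(string $pfxBytes, string $passphrase, string $message, string $rawSignature): bool
{
    $bag = [];
    if (!openssl_pkcs12_read($pfxBytes, $bag, $passphrase)) {
        // openssl_* functions fail quietly; the reason sits in the OpenSSL error queue.
        throw new RuntimeException('Cannot read PFX: ' . openssl_error_string());
    }
    // $bag['cert'] is a PEM certificate, which openssl_pkey_get_public accepts directly.
    $publicKey = openssl_pkey_get_public($bag['cert']);
    if ($publicKey === false) {
        throw new RuntimeException('No usable public key: ' . openssl_error_string());
    }
    // openssl_verify returns 1 (valid), 0 (invalid), or -1/false on error.
    // -1 is truthy in PHP, so compare strictly against 1.
    return openssl_verify($message, $rawSignature, $publicKey, OPENSSL_ALGO_SHA256) === 1;
}

// --- Constructed test material: throwaway key, self-signed cert, in-memory PFX ---
$privateKey = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$csr  = openssl_csr_new(['commonName' => 'example.test'], $privateKey, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $privateKey, 1, ['digest_alg' => 'sha256']);
openssl_pkcs12_export($cert, $pfxBytes, $privateKey, 'demo-passphrase');

$message = 'SomeMessage';
openssl_sign($message, $signature, $privateKey, OPENSSL_ALGO_SHA256);

// Genuine message and signature.
var_dump(verifyWithPfx($pfxBytes, 'demo-passphrase', $message, $signature));
// Same signature, altered message.
var_dump(verifyWithPfx($pfxBytes, 'demo-passphrase', 'TamperedMessage', $signature));

// Signatures often travel as base64 text; openssl_verify needs the raw bytes.
$wire = base64_encode($signature);
var_dump(verifyWithPfx($pfxBytes, 'demo-passphrase', $message, base64_decode($wire, true)));
```

The strict `=== 1` comparison matters for the question's `$success` variable as well: treating the return value as a boolean would accept the -1 error result as a valid signature.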