douba4933
2013-09-24 12:30
Views: 189
Accepted

php openssl: how to match a private key with a certificate

I have a self signed signature which contains the certificate itself and the private key. My purpose is to check if this private key matches with the certificate. What I do is the following:

$private = openssl_pkey_get_private("path/to/certificate");
$public  = openssl_pkey_get_public("path/to/certificate");
openssl_sign("path/to/certificate", $sig, $private);

So I create the signature based on the private and the public keys from the file. So what I need to do is to compare this signature with the existing signature in the certificate. If they match, it means that the private key matches. However, I couldn't retrieve the existing signature information from the file. I was wondering if my way is the right way to do it, since I have found no information on Google.

Thanks.


3 answers

  • douao3063 2013-09-25 14:59
    Accepted

    > I have a self signed signature which contains the certificate itself and the private key. My purpose is to check if this private key matches with the certificate. What I do is the following:

    Certificates don't contain private keys. Just public keys. They're signed by a private key (which in the case of self-signed certs would be the private key corresponding to the public key contained in the cert) but they do not contain private keys.

    > So what I need to do is to compare this signature with the existing signature in the certificate. If they match, it means that the private key matches.

    They shouldn't ever match. Check out phpseclib's X.509 parser and decode the sample cert they provide with it. There are three parts at the root level. tbsCertificate, signatureAlgorithm and signature. signature is based on tbsCertificate. So you're wanting a signature of tbsCertificate to match a signature of all three fields combined. Which is pretty much never going to happen.

    As for extracting the signature itself... you can use phpseclib for that. eg.

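    <?php
    include('File/X509.php');

    $x509 = new File_X509();
    // loadX509() parses the certificate into a nested array
    $cert = $x509->loadX509('...');

    // Top-level signature field of the parsed certificate
    echo $cert['signature'];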
    
  • douzhuangna6906 2013-09-24 14:13

    If all you want to do is check if the private key and the certificate match, you can just call openssl_x509_check_private_key. It takes a certificate and private key as input and returns whether they both match or not. Take a look at the documentation here.

    EDIT: Also, note that the signature in the certificate is arrived at using different information that composes the certificate, whereas the data that you pass to the openssl_sign function is just the path to the certificate. So, even if you do end up identifying a way to extract the signature from the certificate, it still won't match the output of openssl_sign (definitely not with the $data that you are passing to openssl_sign).

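As an added example (not code from this thread or from the PHP documentation): the openssl_x509_check_private_key call recommended above, followed by a sign-and-verify round trip over a random nonce, which is the signing check that does work. The helper names `newKey` and `keyMatchesCert` and the subject `example.test` are made up for illustration; the keys and self-signed certificate are generated inline so the script needs no files.

```php
<?php
// Added example. All keys and the certificate below are constructed sample data.

function newKey() {
    return openssl_pkey_new(array(
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ));
}

// True when $privateKey is the private half of the certificate's public key.
function keyMatchesCert($certPem, $privateKey) {
    // Step 1: built-in check. It only compares public material
    // (e.g. RSA modulus and exponent) of the key and the certificate.
    if (!openssl_x509_check_private_key($certPem, $privateKey)) {
        return false;
    }
    // Step 2: prove the private half is usable. Sign a fresh nonce and
    // verify it with the public key taken from the certificate. The
    // certificate's own signature field is never compared: it covers
    // tbsCertificate, not arbitrary data.
    $nonce = openssl_random_pseudo_bytes(32);
    if (!openssl_sign($nonce, $sig, $privateKey, OPENSSL_ALGO_SHA256)) {
        return false;
    }
    $certPublicKey = openssl_pkey_get_public($certPem);
    return openssl_verify($nonce, $sig, $certPublicKey, OPENSSL_ALGO_SHA256) === 1;
}

$keyA = newKey();
$keyB = newKey();   // unrelated key, used as the negative case

// Self-signed certificate for key A, valid for 30 days.
$opts = array('digest_alg' => 'sha256');
$csr  = openssl_csr_new(array('commonName' => 'example.test'), $keyA, $opts);
$cert = openssl_csr_sign($csr, null, $keyA, 30, $opts);
openssl_x509_export($cert, $certPem);

var_dump(keyMatchesCert($certPem, $keyA));  // key the certificate was issued for
var_dump(keyMatchesCert($certPem, $keyB));  // unrelated key
```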
  • doukengzi3517 2013-11-24 09:17

    @Karthik:

    Many thanks for your pointer to http://badpenguins.com/source/misc/isCertSigner.php?viewSource . It is a pity that the openssl-php library lacks the extractSignature function.

    I added the code found on http://badpenguins.com/source/misc/isCertSigner.php to
