PHP openssl_pkcs7_verify Not Working

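I am signing a document with pkcs7 and everything works. The problem is that the command to verify the signature does not work and always returns an error. I tried the terminal command on the file and it works fine.

Signing command: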

openssl_pkcs7_sign(
    $tempdoc,
    $tempsign,
    $this->signature_data['signcert'],
    array(
        $this->signature_data['privkey'],
        $this->signature_data['password']
    ),
    array(),
    PKCS7_BINARY | PKCS7_DETACHED
);

Verification command:

openssl_pkcs7_verify($tempsign, PKCS7_NOVERIFY)

Terminal command:

openssl pkcs7 -inform DER -in signature.pkcs7 -print_certs -text


Edit 1
I tested in my code and found that if I create my signature with only PKCS7_DETACHED or only PKCS7_BINARY, verify works fine, but with both together I get an error. Why does this happen?

Here on PHP 7 I can reproduce your problem. With both flags, verification fails.

Maybe THIS URL can help you; this part talks about it.

SMIME -sign "detached" "attaches" content similarly as-is with -binary and text-canonicalized without, and signs that. SMIME -verify recognizes "detached", but (in multi_split) always canonicalizes both parts before using them. For content that was sent noncanonical (with -sign -binary or equivalent) this changes the signed content, and verify fails. Content that was canonical as sent (originally canonical or canonicalized by sender) does verify and similarly is output without determining if sender changed it.

In the docs, you can see that the parser is not that smart:

BUGS

The MIME parser isn't very clever: it seems to handle most messages that I've thrown at it but it may choke on others.

Hope this helps!
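
The mismatch described in the quoted passage, as an added PHP example that is not part of the original answer and not OpenSSL's or PHP's own code: it compares the bytes the signer hashes with the bytes a canonicalizing verifier hashes. The canonicalization rule is a simplified model (an assumption), and all function names and sample inputs are constructed for illustration.

```php
<?php
// Added illustration, not OpenSSL's or PHP's own code. Function names are
// hypothetical; the canonicalization below is a simplified, assumed model.
// Model of the verifier's rewrite of a detached part: each line loses its
// trailing "\r" characters and the lines are re-joined with "\r\n".
function smimeCanonicalize(string $data): string
{
    $lines = [];
    foreach (explode("\n", $data) as $line) {
        $lines[] = rtrim($line, "\r");
    }
    return implode("\r\n", $lines);
}

// Bytes the signer hashes: as-is with PKCS7_BINARY, canonicalized without it.
function bytesSigned(string $data, bool $binary): string
{
    return $binary ? $data : smimeCanonicalize($data);
}

// True when the verifier, which always canonicalizes, hashes the same bytes.
function detachedDigestMatches(string $data, bool $binary): bool
{
    $signed = bytesSigned($data, $binary);
    return hash('sha256', $signed) === hash('sha256', smimeCanonicalize($signed));
}

// 1-based numbers of the lines whose ending the verifier would rewrite.
// Every segment except the last one was terminated by "\n".
function linesChangedByVerifier(string $data): array
{
    $changed = [];
    $segments = explode("\n", $data);
    foreach ($segments as $i => $seg) {
        $eol = $i < count($segments) - 1 ? "\r" : '';
        if ((rtrim($seg, "\r") . $eol) !== $seg) {
            $changed[] = $i + 1;
        }
    }
    return $changed;
}

// Constructed sample inputs.
$samples = ["LF text" => "one\ntwo\n", "CRLF text" => "one\r\ntwo\r\n", "PDF-like" => "%PDF-1.4\n\x00\r\n\xff\n"];
foreach ($samples as $name => $data) {
    printf("%-9s BINARY|DETACHED=%s DETACHED=%s rewritten lines: %s\n", $name,
        detachedDigestMatches($data, true) ? 'match' : 'mismatch',
        detachedDigestMatches($data, false) ? 'match' : 'mismatch',
        implode(',', linesChangedByVerifier($data)) ?: 'none');
}
```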