There is an example that explains this in the PHP manual, using a hash,
at the link: http://php.net/manual/en/function.openssl-verify.php
See if it can help you; it explains how the method works and how to use it. Code:
<?php
// data you want to sign
$data = 'my data';

// create new private and public key
$private_key_res = openssl_pkey_new(array(
    "private_key_bits" => 2048,
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
));
$details = openssl_pkey_get_details($private_key_res);
$public_key_res = openssl_pkey_get_public($details['key']);

// create signature
openssl_sign($data, $signature, $private_key_res, "sha1WithRSAEncryption");

// verify signature
$ok = openssl_verify($data, $signature, $public_key_res, OPENSSL_ALGO_SHA1);
if ($ok == 1) {
    echo "valid";
} elseif ($ok == 0) {
    echo "invalid";
} else {
    echo "error: ".openssl_error_string();
}
If you know what kind of hash was used to encrypt your signature, just pass it as a parameter to openssl_verify as in the example. The encryption hash is usually specified in the manual for the integration you are trying to perform.
The problem is how I will get this data. Is the $data the PDF?
– Epitácio Bessa
That's right @Epitáciobessa, the $data would be your PDF (unsigned); it will compare it with the variable $Signature (signed file) using the key and the hash, then if they are equal, return true.
– wmengue
Let’s say I already have this PDF signed; how do I know if it has been modified or is authentic to the original? I know you need the hash generated by the signature and the document, then you apply a hash function with the public key to this signature, then you apply another hash function to the document and you make the comparison: if they are equal it is authentic, if not, the document has been modified.
– Epitácio Bessa
I just don’t know how I do it in PHP; I’m not sure if openssl_verify does this in the background.
– Epitácio Bessa
I see that would not be this function, because according to the PHP manual the function openssl_verify serves to verify that the output (signed) is correct. The manual definition says: Checks that the signature is correct for the specified data using the public key associated with pub_key_id. This must be the public key corresponding to the private key used to sign. It’s more to see if the public key used matches the private one used to sign. So if you want to do the reverse process without owning the original file, it won’t be that function.
– wmengue
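An added example, not part of the original answer or comments: it runs openssl_verify against the signed bytes, a modified copy, and an unrelated public key, so both cases raised in the thread (changed document, non-matching key) can be seen to stop returning valid. It assumes a detached signature stored separately from the document bytes; the helper names check_detached_signature and new_keypair, the sample bytes, and the choice of SHA-256 are assumptions of this example.

```php
<?php
// Added example: keys are throwaway and generated at run time,
// and the "document" is constructed sample data, not a real PDF.

// Hypothetical helper: classify the result of verifying a detached signature.
function check_detached_signature(string $data, string $signature, string $publicKeyPem): string
{
    $publicKey = openssl_pkey_get_public($publicKeyPem);
    if ($publicKey === false) {
        return 'error: cannot load public key';
    }
    // openssl_verify returns 1 (correct), 0 (incorrect), or -1/false on error,
    // so compare strictly instead of treating the result as a boolean.
    $result = openssl_verify($data, $signature, $publicKey, OPENSSL_ALGO_SHA256);
    if ($result === 1) {
        return 'valid';
    }
    if ($result === 0) {
        return 'invalid';
    }
    return 'error: ' . openssl_error_string();
}

// Hypothetical helper: returns [private key, public key in PEM form].
function new_keypair(): array
{
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    return [$key, openssl_pkey_get_details($key)['key']];
}

[$signerKey, $signerPublicPem] = new_keypair();
[, $otherPublicPem] = new_keypair();

// Sign the exact bytes of the document with the signer's private key.
$document = "%PDF-1.4 constructed sample bytes standing in for the file";
openssl_sign($document, $signature, $signerKey, OPENSSL_ALGO_SHA256);

// A single appended byte is enough to change the digest.
$modified = $document . ' ';

echo check_detached_signature($document, $signature, $signerPublicPem), "\n"; // original bytes
echo check_detached_signature($modified, $signature, $signerPublicPem), "\n"; // modified bytes
echo check_detached_signature($document, $signature, $otherPublicPem), "\n";  // unrelated key
```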