Edit report at https://bugs.php.net/bug.php?id=60936&edit=1

 ID:                 60936
 Comment by:         terrafr...@php.net
 Reported by:        baylina at uniclau dot com
 Summary:            openssl_verify does not work ok.
 Status:             Not a bug
 Type:               Bug
 Package:            OpenSSL related
 Operating System:   Any
 PHP Version:        5.3.9
 Block user comment: N
 Private report:     N

 New Comment:

It's not an OpenSSL issue either. Both PHP and OpenSSL are behaving as they
should. "openssl rsautl -verify" is decrypting test_err.sig and checks to see
if the hash contained within the ciphertext matches test_err.sha1. That's not
what "openssl dgst" or openssl_verify() do. They just verify the hash. Hash
verification is its own operation in the PKCS#1 standards distinct from
decryption. That the second example yields a match is just dumb luck.

Previous Comments:
------------------------------------------------------------------------
[2012-01-31 07:56:43] paj...@php.net

Openssl issue (if any), not php.

------------------------------------------------------------------------
[2012-01-31 07:35:28] baylina at uniclau dot com

I have investigated a little more, and if you do

$ openssl dgst -sha1 -verify test.pub -signature test_ok.sig test_ok.txt
Verified OK

$ openssl dgst -sha1 -verify test.pub -signature test_err.sig test_err.txt
Verification Failure

So it seems that it is an openSSL problem.

------------------------------------------------------------------------
[2012-01-31 00:12:35] baylina at uniclau dot com

Description:
------------
Sometimes, openssl_verify does not recognize a valid signature.
The same input in the openssl command line works ok.

See the case.

You can verify with command line ssh that both signatures are ok:

$ echo "-----BEGIN PUBLIC KEY-----
MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgGLgfmIN4O+aqfPGN1BkWW1hzCdj
XqozEKyFnOTWCyp+H301nILC6JFV1WAEQnCZE/B8VTArlSYnOySU+MjU11jRSYTz
nHokHLhCVkH/o/4ZqL1s0rtoJ62f6Loc3mZHRX7l2PJGTXNQJGTNRTh1kdJthA3S
LMwa4ReOEyjIG7e7AgMBAAE=
-----END PUBLIC KEY-----" > test.pub

$ echo -n "1327943790" > test_err.txt
$ openssl dgst -sha1 -binary -out test_err.sha1 test_err.txt
$ echo "SEjTquEPcqY0V90KYvDi7ofGiKlc53T4XzHwHtIgcN5wuOg4JxffK
trLN9Tq+8c/045m15JXULJUMkN7fdDUqtxFyIBSEt4nqhvZgLDVQBIBXJRF8
c32CBaLsG837hZra8/nD5b4T+sCyEXRUMmcfflhJiMIr7l72sOxgRmzTw==" > test_err.sig.64
$ base64 -D -i test_err.sig.64 -o test_err.sig
$ openssl rsautl -verify -inkey test.pub -pkcs -pubin -in test_err.sig -out test_err.sha1.calc
$ hexdump test_err.sha1
0000000 d8 44 89 0c 34 cb 0d 64 23 28 56 56 85 25 c8 46
0000010 f4 e8 f8 3d
0000014
$ hexdump test_err.sha1.calc
0000000 30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 d8
0000010 44 89 0c 34 cb 0d 64 23 28 56 56 85 25 c8 46 f4
0000020 e8 f8 3d
0000023
// You can see that the last bytes (the dgst) are the same.

$ echo -n "1327943823" > test_ok.txt
$ openssl dgst -sha1 -binary -out test_ok.sha1 test_ok.txt
$ echo "GURbsl4CFPCG83RCZxsEpoRleXicXQhH1OC4Fk77b7EMj2g8aHUhD/L+sm
oGSVpuEwup1fmkZBADXwBel8UKsmxgTLRX+vlGgyTr1XPqqHFNjtL33fd5
7NuKBqaJjwSp7D5xVMeVdQtQQbsKuKx5AvOPPyZfdtdyoJw/all1tl4=" > test_ok.sig.64
$ base64 -D -i test_ok.sig.64 -o test_ok.sig
$ openssl rsautl -verify -inkey test.pub -pkcs -pubin -in test_ok.sig -out test_ok.sha1.calc
$ hexdump test_ok.sha1
0000000 08 a8 55 9c d4 43 f9 cb ec 9f 04 f4 f2 dc aa 1f
0000010 7f e9 e1 11
0000014
$ hexdump test_ok.sha1.calc
0000000 30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 08
0000010 a8 55 9c d4 43 f9 cb ec 9f 04 f4 f2 dc aa 1f 7f
0000020 e9 e1 11
0000023

Test script:
---------------
<?php
$PublicKey="-----BEGIN PUBLIC KEY-----
MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgGLgfmIN4O+aqfPGN1BkWW1hzCdj
XqozEKyFnOTWCyp+H301nILC6JFV1WAEQnCZE/B8VTArlSYnOySU+MjU11jRSYTz
nHokHLhCVkH/o/4ZqL1s0rtoJ62f6Loc3mZHRX7l2PJGTXNQJGTNRTh1kdJthA3S
LMwa4ReOEyjIG7e7AgMBAAE=
-----END PUBLIC KEY-----";

$Data_err="1327943790";
$Signature_err_b64="SEjTquEPcqY0V90KYvDi7ofGiKlc53T4XzHwHtIgcN5wuOg4JxffKtrLN
9Tq+8c/045m15JXULJUMkN7fdDUqtxFyIBSEt4nqhvZgLDVQBIBXJRF8c32CBaLsG837hZra8/nD5
b4T+sCyEXRUMmcfflhJiMIr7l72sOxgRmzTw==";
$Signature_err=base64_decode($Signature_err_b64);
echo openssl_verify($Data_err, $Signature_err, $PublicKey); //It should return 1
echo "\n";

$Data_ok="1327943823";
$Signature_ok_b64="GURbsl4CFPCG83RCZxsEpoRleXicXQhH1OC4Fk77b7EMj2g8aHUhD/L+smo
GSVpuEwup1fmkZBADXwBel8UKsmxgTLRX+vlGgyTr1XPqqHFNjtL33fd57NuKBqaJjwSp7D5xVMeVd
QtQQbsKuKx5AvOPPyZfdtdyoJw/all1tl4=";
$Signature_ok=base64_decode($Signature_ok_b64);
echo openssl_verify($Data_ok, $Signature_ok, $PublicKey);
?>

Expected result:
----------------
1
1

Actual result:
--------------
0
1

------------------------------------------------------------------------

-- 
Edit this bug report at https://bugs.php.net/bug.php?id=60936&edit=1
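
Signature verification under PKCS#1 v1.5 (RFC 8017 section 8.2.2) begins with a length check that recovering the signed block with the public key does not need. The following added example, which is not part of the report or of PHP or OpenSSL, applies that check to the public key and the two signatures posted above; the function names are illustrative.

```python
import base64

# Copied from the report above: public key body and both signatures.
PUB_B64 = (
    "MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgGLgfmIN4O+aqfPGN1BkWW1hzCdj"
    "XqozEKyFnOTWCyp+H301nILC6JFV1WAEQnCZE/B8VTArlSYnOySU+MjU11jRSYTz"
    "nHokHLhCVkH/o/4ZqL1s0rtoJ62f6Loc3mZHRX7l2PJGTXNQJGTNRTh1kdJthA3S"
    "LMwa4ReOEyjIG7e7AgMBAAE=")
SIG_ERR_B64 = (
    "SEjTquEPcqY0V90KYvDi7ofGiKlc53T4XzHwHtIgcN5wuOg4JxffK"
    "trLN9Tq+8c/045m15JXULJUMkN7fdDUqtxFyIBSEt4nqhvZgLDVQBIBXJRF8"
    "c32CBaLsG837hZra8/nD5b4T+sCyEXRUMmcfflhJiMIr7l72sOxgRmzTw==")
SIG_OK_B64 = (
    "GURbsl4CFPCG83RCZxsEpoRleXicXQhH1OC4Fk77b7EMj2g8aHUhD/L+sm"
    "oGSVpuEwup1fmkZBADXwBel8UKsmxgTLRX+vlGgyTr1XPqqHFNjtL33fd5"
    "7NuKBqaJjwSp7D5xVMeVdQtQQbsKuKx5AvOPPyZfdtdyoJw/all1tl4=")

def read_tlv(buf, pos):
    """Return (value_start, value_end) of the DER element starting at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def modulus_octets(spki_b64):
    """Length k of the RSA modulus, in octets, from a SubjectPublicKeyInfo."""
    der = base64.b64decode(spki_b64)
    pos, _ = read_tlv(der, 0)        # enter SubjectPublicKeyInfo SEQUENCE
    _, pos = read_tlv(der, pos)      # skip AlgorithmIdentifier
    pos, _ = read_tlv(der, pos)      # enter BIT STRING
    pos, _ = read_tlv(der, pos + 1)  # skip unused-bits octet, enter RSAPublicKey
    start, end = read_tlv(der, pos)  # INTEGER modulus
    return (int.from_bytes(der[start:end], "big").bit_length() + 7) // 8

def signature_octets(sig_b64):
    """Length of the decoded signature in octets."""
    return len(base64.b64decode(sig_b64))

def passes_length_check(sig_b64, k):
    """RFC 8017 section 8.2.2 step 1: a signature that is not k octets is invalid."""
    return signature_octets(sig_b64) == k

if __name__ == "__main__":
    k = modulus_octets(PUB_B64)
    for name, sig in (("test_err.sig", SIG_ERR_B64), ("test_ok.sig", SIG_OK_B64)):
        print(name, signature_octets(sig), "octets, k =", k,
              "length check:", passes_length_check(sig, k))
```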