openssl_spki_verify

(PHP 5 >= 5.6.0, PHP 7, PHP 8)

openssl_spki_verify — Verifica una clave pública firmada y realiza un desafío

Descripción

openssl_spki_verify(string $spki): bool

Verifica una clave pública firmada y realiza un desafío.

Parámetros

spki: Una clave pública firmada válida

Valores devueltos

Esta función retorna true en caso de éxito o false si ocurre un error.

Errores/Excepciones

Emite una alerta de nivel E_WARNING si un argumento inválido es pasado al parámetro spkac.

Ejemplos

Ejemplo #1 Ejemplo con openssl_spki_verify()

Valida una clave pública firmada existente y realiza un desafío

<?php
$pkey = openssl_pkey_new('secret password');
$spkac = openssl_spki_new($pkey, 'challenge string');

if (openssl_spki_verify(preg_replace('/SPKAC=/', '', $spkac))) {
    echo $spkac;
} else {
    echo "La validación SPKAC ha fallado";
}
?>

Ejemplo #2 Ejemplo con openssl_spki_verify() desde <keygen>

Valida una clave pública firmada existente procedente de un elemento <keygen>

<?php
if (openssl_spki_verify(preg_replace('/SPKAC=/', '', $_POST['spkac']))) {
    echo $spkac;
} else {
    echo "La validación SPKAC ha fallado";
}
?>
<keygen name="spkac" challenge="challenge string" keytype="RSA">

Ver también

openssl_spki_new() - Genera una clave pública firmada y realiza un desafío
openssl_spki_export_challenge() - Exporta el challenge asociado con la clave pública firmada
openssl_spki_export() - Exporta un PEM válido formateado como una clave pública firmada
openssl_get_md_methods() - Obtiene la lista de métodos digest disponibles
openssl_csr_new() - Genera una CSR
openssl_csr_sign() - Firma un CSR con otro certificado (o consigo mismo) y genera un certificado

Found A Problem?

Learn How To Improve This Page • Submit a Pull Request • Report a Bug

＋add a note

User Contributed Notes 2 notes

down

carloshlfzanon at gmail dot com ¶

8 years ago

This openssl_spki_* funcs are very usefull to use with <keygen/> tag in html5.

Example:

<?php
session_start();

// form submitted... (?)
if(isset($_POST['security']))
{
    // If true, the send from <keygen/> is valid and you can
    // test the challenge too
    if(openssl_spki_verify($_POST['security']))
    {
        // Gets challenge string
        $challenge = openssl_spki_export_challenge($_POST['security']);

        // If true... you are not trying to trick it.
        // If user open 2 windows to prevent data lost from a "mistake" or him just press "back" button
        //  and re-send last data... you can handle it using something like it.
        if($challenge == $_SESSION['lastForm'])
        {
            echo 'Ok, this one is valid.', '<br><br>';
        }
        else
        {
            echo 'Nice try... nice try...', '<br><br>'; 
        }
    }

}

// If you open two window, the challenge won't match!
$_SESSION['lastForm'] = hash('md5', microtime(true));

?>

<!DOCTYPE html>
<html>
<body>

<form action="/index.php" method="post">
  Encryption: <keygen name="security" keytype="rsa" challenge="<?php echo $_SESSION['lastForm']; ?>"/>
  <input type="submit">
</form>

</body>
</html>

down

neat at neato dot com ¶

5 years ago

The challenge is not how to very a "trick". It is used as a partial non-repudiation method.

The idea was the challenge could be extracted from the base64 encoded ASN.1 PKCS#1 bits provided from the 'keygen' element.

The SPKAC is a form of CSR which if the right about of information such as the commonName, emailAddress, countryName, stateOrProvinceName, localityName et al., a signed x509 could generated and provided to the requestor.

This would then be installed in the browser and if the webserver was configured to accept client x509 certificates, it would be used in lieu of a password for authentication.

A recommendation was to use the 'challenge' as a form of non-repudiation in the event someone else was on your keyboard. If the application required it could prompt you for the challenge and compare it to a hashed version it stored upon the initial SPKAC process.

Hope that helps clear it up.

＋add a note