openssl_spki_verify
(PHP 5 >= 5.6.0, PHP 7, PHP 8)
openssl_spki_verify — 署名済みの公開鍵とチャレンジを検証する
パラメータ
spki
-
有効な署名済みの公開鍵とチャレンジ
エラー / 例外
不正な引数が spki
に渡された場合、
E_WARNING
レベルのエラーが発生します。
例
例1 openssl_spki_verify() の例
既存の署名済み公開鍵とチャレンジを検証します。
<?php
$pkey = openssl_pkey_new('secret password');
$spkac = openssl_spki_new($pkey, 'challenge string');
if (openssl_spki_verify(preg_replace('/SPKAC=/', '', $spkac))) {
echo $spkac;
} else {
echo "SPKAC validation failed";
}
?>
例2 <keygen> から openssl_spki_verify() を使う例
<keygen> 要素から発行された、既存の署名済み公開鍵とチャレンジを検証します。
<?php
if (openssl_spki_verify(preg_replace('/SPKAC=/', '', $_POST['spkac']))) {
echo $spkac;
} else {
echo "SPKAC validation failed";
}
?>
<keygen name="spkac" challenge="challenge string" keytype="RSA">
参考
- openssl_spki_new() - 署名された公開鍵とチャレンジを新規に作成する
- openssl_spki_export_challenge() - 署名済みの公開鍵とチャレンジに関連するチャレンジをエクスポートする
- openssl_spki_export() - 署名済みの公開鍵とチャレンジから、有効なPEMフォーマットの公開鍵をエクスポートする
- openssl_get_md_methods() - 利用可能なダイジェスト・メソッドを取得
- openssl_csr_new() - CSR を作成する
- openssl_csr_sign() - CSR に他の証明書(あるいは自分自身)で署名して証明書を作成する
+add a note
User Contributed Notes 2 notes
carloshlfzanon at gmail dot com ¶
7 years ago
This openssl_spki_* funcs are very usefull to use with <keygen/> tag in html5.
Example:
<?php
session_start();
// form submitted... (?)
if(isset($_POST['security']))
{
// If true, the send from <keygen/> is valid and you can
// test the challenge too
if(openssl_spki_verify($_POST['security']))
{
// Gets challenge string
$challenge = openssl_spki_export_challenge($_POST['security']);
// If true... you are not trying to trick it.
// If user open 2 windows to prevent data lost from a "mistake" or him just press "back" button
// and re-send last data... you can handle it using something like it.
if($challenge == $_SESSION['lastForm'])
{
echo 'Ok, this one is valid.', '<br><br>';
}
else
{
echo 'Nice try... nice try...', '<br><br>';
}
}
}
// If you open two window, the challenge won't match!
$_SESSION['lastForm'] = hash('md5', microtime(true));
?>
<!DOCTYPE html>
<html>
<body>
<form action="/index.php" method="post">
Encryption: <keygen name="security" keytype="rsa" challenge="<?php echo $_SESSION['lastForm']; ?>"/>
<input type="submit">
</form>
</body>
</html>
neat at neato dot com ¶
4 years ago
The challenge is not how to very a "trick". It is used as a partial non-repudiation method.
The idea was the challenge could be extracted from the base64 encoded ASN.1 PKCS#1 bits provided from the 'keygen' element.
The SPKAC is a form of CSR which if the right about of information such as the commonName, emailAddress, countryName, stateOrProvinceName, localityName et al., a signed x509 could generated and provided to the requestor.
This would then be installed in the browser and if the webserver was configured to accept client x509 certificates, it would be used in lieu of a password for authentication.
A recommendation was to use the 'challenge' as a form of non-repudiation in the event someone else was on your keyboard. If the application required it could prompt you for the challenge and compare it to a hashed version it stored upon the initial SPKAC process.
Hope that helps clear it up.
↑ and ↓ to navigate •
Enter to select •
Esc to close
Press Enter without
selection to search using Google