How to verify digital signature using openssl

I use a third-party credit card processing service (Paybox), which after a successful transaction redirects back to the site with a signature in the URL as a security measure so that people cannot manipulate the data. It must prove that the request originated from this service. So my success URL looks something like this:

/success.php?signature= [HUGE HASH]

I don’t know where to start with checking this signature. This service provides a public key, and I assume that I need to create a private key, but I do not know much about this.

I am very good at Linux, and I know that I will need to run some openssl commands. I am writing a check script in PHP, which also has its own openssl() functions.

If someone could push me in the right direction with some pseudo-code or even functional code, I would be very grateful. Thanks.

+3
3 answers

This is my code and it works for me. I hope I can help you.

$sign = "28E5FA795590066E8402B529DB027B8D082A226BE6E53F80D41F763207A11EF9..."; // inline signature (hex). I'm using SHA512
$cert = "your certificate"; // PEM text: -----BEGIN ... END-----
$data = "text"; // 64 characters for SHA512. It is raw data, not hashed data
$pubkeyid = openssl_pkey_get_public($cert);
// openssl_verify() returns 1 if the signature is valid, 0 if it is not, and -1 or false on error
$ok = openssl_verify($data, hex2bin($sign), $pubkeyid, OPENSSL_ALGO_SHA512);
if ($ok === 1) return "Verify"; else return "Unverify";
+5

You do not need a private key. The signature is created with the private key of Paybox, so you only need their public key, the data they've signed and the signature. Check their documentation to see how much of the data they signed.

The PHP manual contains a complete example in the openssl_verify documentation.

+1
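The check described in the answer above, as an added example that is not part of any answer here and is not Paybox's code. The wire format is an assumption (signature as the last query parameter, base64 then URL-encoded, RSA/SHA-256 over the raw query bytes before it), and `verify_signed_query()`, the parameter names and the sample data are hypothetical; a throwaway key pair stands in for the provider's keys.

```php
<?php
// Added example, not Paybox's code. Assumed wire format (check the provider's
// documentation): the signature is the LAST query parameter, base64 then
// URL-encoded, and is RSA/SHA-256 over the raw query bytes that precede it.
function verify_signed_query(string $rawQuery, string $publicKeyPem, string $param = 'signature'): bool
{
    $marker = '&' . $param . '=';
    $pos = strrpos($rawQuery, $marker);
    if ($pos === false) {
        return false;                              // no signature parameter
    }
    // Verify the exact bytes received; rebuilding them from $_GET can change the encoding.
    $signed = substr($rawQuery, 0, $pos);
    $encoded = rawurldecode(substr($rawQuery, $pos + strlen($marker)));
    $signature = base64_decode($encoded, true);    // strict: rejects non-base64 characters
    if ($signature === false || $signature === '') {
        return false;
    }
    $publicKey = openssl_pkey_get_public($publicKeyPem);
    if ($publicKey === false) {
        throw new RuntimeException('Cannot load public key');
    }
    // openssl_verify(): 1 = valid, 0 = invalid, -1 or false = error. Only 1 passes.
    return openssl_verify($signed, $signature, $publicKey, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed demo: a throwaway key pair stands in for the provider's keys.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$publicPem = openssl_pkey_get_details($key)['key'];
$payload = 'amount=1000&ref=ORDER-42';             // constructed sample data
openssl_sign($payload, $rawSignature, $key, OPENSSL_ALGO_SHA256);
$query = $payload . '&signature=' . rawurlencode(base64_encode($rawSignature));

$tampered = str_replace('amount=1000', 'amount=1', $query);
foreach (['genuine' => $query, 'tampered' => $tampered, 'unsigned' => $payload] as $label => $q) {
    echo $label, ': ', verify_signed_query($q, $publicPem) ? 'accepted' : 'rejected', PHP_EOL;
}
```

In a real handler, pass `$_SERVER['QUERY_STRING']` and the provider's published public key, and use the digest algorithm and signature encoding their documentation specifies.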

openssl_verify(), Stiv @php.net

<?php
// $data is assumed to contain the data to be signed

// fetch certificate from file and ready it
$fp = fopen("path/file.pem", "r");
$cert = fread($fp, 8192);
fclose($fp);

// state whether signature is okay or not
// use the certificate, not the public key
$ok = openssl_verify($data, $signature, $cert);
if ($ok == 1) {
    echo "good";
} elseif ($ok == 0) {
    echo "bad";
} else {
    echo "ugly, error checking signature";
}
?>

openssl_verify() : http://nl.php.net/openssl_verify

Paybox also has a zip file available for download on their website "Explanations and Samples for Verifying a Digital Sign with PAYBOX SYSTEM"

http://www1.paybox.com/telechargement_focus.aspx?cat=3

+1

Source: https://habr.com/ru/post/1747480/