How to add a digital signature (RSA, certificate, etc.) to any file using PHP?

I need to know if any type of file can be digitally signed using RSA, certificate, etc., or if only some types of files can be signed. All this using PHP.

For example: is it possible to digitally sign a text file? What about images (png, jpeg, bmp)?

I do not need to "attach" a graphic signature to the image.

Thank you for your help.

+6

3 answers

Using phpseclib, a pure PHP RSA implementation:

    <?php
    include('Crypt/RSA.php');

    $rsa = new Crypt_RSA();
    // createKey() returns ['privatekey' => ..., 'publickey' => ..., ...];
    // extract() turns those array keys into local variables.
    extract($rsa->createKey());

    $plaintext = 'terrafrost';

    // Sign with the private key (phpseclib defaults to RSASSA-PSS with SHA-1).
    $rsa->loadKey($privatekey);
    $signature = $rsa->sign($plaintext);

    // Verify with the matching public key.
    $rsa->loadKey($publickey);
    echo $rsa->verify($plaintext, $signature) ? 'verified' : 'unverified';
    ?>

The equivalent with the openssl CLI is as follows:

    openssl dgst -sha1 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -out signature.txt -sign privatekey.txt plaintext.txt
    openssl dgst -sha1 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -prverify privatekey.txt -signature signature.txt plaintext.txt
+8

Re: can any file be digitally signed using RSA, certificate, etc., or can only certain types of files be signed?

A: Yes and no. On the one hand, a standard digital signature can be computed for any set of bits, including a simple text file, image files, binary files, anything you can imagine.

But then the questions arise:

  • How do you associate a digital signature (which itself is a binary bit string) with a data file? Does the data file format have the ability to embed a digital signature alongside the data? Or do you need to manage the digital signature yourself, perhaps as a separate file, perhaps using your own data format?

  • Once you have the digitally signed data and its signature, how does the recipient verify the data and its signature, so that the recipient is assured of who signed the data (identity) and that the data has not been changed since it was signed (integrity)?

File formats that support digital signatures

The big advantage of file formats that natively support digital signatures is that recipients can verify the digital signature and file integrity simply by receiving the signed file and then using their own verification software. The recipient does not need to install anything from the sender.

Many file formats support digital signatures, for example PDF, Word (.doc, .docx) and Excel (.xls, .xlsx). There is also a standard for signing XML files. Its advantage is that XML can be used as an envelope for any type of data. For example, a PDF file can be digitally signed and sent to someone. The recipient can then use the standard, free Adobe Reader to open the PDF file and verify its digital signature.

The "format" for text files (a file filled with characters) does not support digital signatures. Thus, you will need an envelope for the text and its digital signature, or separately for the digital signature. In either case, the recipient will need your data verification software. (Or you will need to write it after you provide the specification for plain text and signature.)

S/MIME offers a standard way to digitally sign text or other structured email/MIME data. See RFC 5751. But it is not widely used outside of email agents that can generate or receive/check signed email messages. Outlook supports this.

+8
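The first answer signs a string with phpseclib, and the second answer points out that for text files and images you end up managing a detached signature yourself. The following is an added example (not code from either answer) that does exactly that with PHP's bundled openssl extension instead of phpseclib: it signs the raw bytes of any file with RSA/SHA-256, stores the signature in a separate .sig file, and verifies it against the public key. Key generation, the .sig naming convention and the sample file contents are assumptions for the demo.

```php
<?php
// Added example: detached RSA signature over any file's bytes using PHP's
// openssl extension. Only the raw bytes matter, so it works for text, PNG,
// JPEG or any other file type.

// Throwaway 2048-bit RSA key pair for the demo (assumed; in practice load
// your own private key and publish the matching public key or certificate).
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($key === false) { throw new RuntimeException(openssl_error_string()); }
openssl_pkey_export($key, $privatePem);                  // PEM private key
$publicPem = openssl_pkey_get_details($key)['key'];      // PEM public key

// Sign a file and write the signature beside it as a detached .sig file
// (the .sig suffix is this example's own convention).
function signFile(string $path, string $privatePem): string
{
    $data = file_get_contents($path);
    if ($data === false) { throw new RuntimeException("cannot read $path"); }
    $signature = '';
    if (!openssl_sign($data, $signature, $privatePem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException(openssl_error_string());
    }
    file_put_contents($path . '.sig', $signature);
    return $signature;
}

// Verify a file against its detached signature and the signer's public key.
// True only if the bytes are unchanged (integrity) AND the signature was made
// with the private key matching $publicPem (origin). openssl_verify returns
// 1 for valid, 0 for invalid and false on error, so compare strictly to 1.
function verifyFile(string $path, string $publicPem): bool
{
    $data = file_get_contents($path);
    $signature = file_get_contents($path . '.sig');
    if ($data === false || $signature === false) { return false; }
    return openssl_verify($data, $signature, $publicPem, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed sample file standing in for a text file or image.
$sample = sys_get_temp_dir() . '/sample.bin';
file_put_contents($sample, "hello\x89PNG\r\n\x1a\n");
signFile($sample, $privatePem);
echo 'original file: ', verifyFile($sample, $publicPem) ? "valid\n" : "INVALID\n";

// Changing a single byte of the file must make verification fail.
file_put_contents($sample, "Hello\x89PNG\r\n\x1a\n");
echo 'modified file: ', verifyFile($sample, $publicPem) ? "valid\n" : "INVALID\n";
```

The recipient only needs the file, the .sig file and your public key (or certificate); the same verifyFile() logic with the sender's key is all the "verification software" the second answer refers to.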

Why do you want to sign these files digitally?

There is no standard for actually modifying text files or images so that the files themselves contain some kind of digital signature.

If you want to assure users that the files were not tampered with, you can give them an MD5 hash of the file. They can use free tools to compute the MD5 hash of the file they downloaded and compare it with the one you published to make sure their file has not been modified. Typically this is used for software/binary packages into which a third party could insert malicious code.

Another possibility is that you want users to be able to authenticate certain files. In this case, the user may want to make sure that the text file or image came from you. It is almost like an MD5 hash of the file computed with a secret key that is known only to you, so that the end user can check the file's signature against your public key to ensure that the file has not been tampered with and comes from a specific source. PGP (Pretty Good Privacy) provides the basis for this.

I suggest you familiarize yourself with PGP intro documents for more information on this. http://www.pgpi.org/doc/pgpintro/

+1

Source: https://habr.com/ru/post/914690/
