openssl_spki_verify

(PHP 5 >= 5.6.0, PHP 7, PHP 8)

openssl_spki_verify验证签名公钥和挑战。

说明

openssl_spki_verify ( string &$spkac ) : string

验证所提供的签名公钥和挑战。

参数

spkac

期望一个有效的签名公钥和挑战。

返回值

成功,返回true, 失败返回false.

错误/异常

如果spkac参数不是一个可用的参数,将会抛出一个 E_WARNING 等级的错误。

范例

Example #1 openssl_spki_verify() 范例:

验证现有签名公钥和挑战

<?php
$pkey 
openssl_pkey_new('secret password');
$spkac openssl_spki_new($pkey'challenge string');

if (
openssl_spki_verify(preg_replace('/SPKAC=/'''$spkac))) {
    echo 
$spkac;
} else {
    echo 
"SPKAC validation failed";
}
?>

Example #2 openssl_spki_verify() example from <keygen>

通过<keygen> 元素验证现有签名公钥和挑战

<?php
if (openssl_spki_verify(preg_replace('/SPKAC=/'''$_POST['spkac']))) {
    echo 
$spkac;
} else {
    echo 
"SPKAC validation failed";
}
?>
<keygen name="spkac" challenge="challenge string" keytype="RSA">

参见

User Contributed Notes

neat at neato dot com 25-Jun-2020 10:40
The challenge is not how to very a "trick". It is used as a partial non-repudiation method.

The idea was the challenge could be extracted from the base64 encoded ASN.1 PKCS#1 bits provided from the 'keygen' element.

The SPKAC is a form of CSR which if the right about of information such as the commonName, emailAddress, countryName, stateOrProvinceName, localityName et al., a signed x509 could generated and provided to the requestor.

This would then be installed in the browser and if the webserver was configured to accept client x509 certificates, it would be used in lieu of a password for authentication.

A recommendation was to use the 'challenge' as a form of non-repudiation in the event someone else was on your keyboard. If the application required it could prompt you for the challenge and compare it to a hashed version it stored upon the initial SPKAC process.

Hope that helps clear it up.
carloshlfzanon at gmail dot com 26-Apr-2017 08:54
This openssl_spki_* funcs are very usefull to use with <keygen/> tag in html5.

Example:

<?php
session_start
();

// form submitted... (?)
if(isset($_POST['security']))
{
   
// If true, the send from <keygen/> is valid and you can
    // test the challenge too
   
if(openssl_spki_verify($_POST['security']))
    {
       
// Gets challenge string
       
$challenge = openssl_spki_export_challenge($_POST['security']);

       
// If true... you are not trying to trick it.
        // If user open 2 windows to prevent data lost from a "mistake" or him just press "back" button
        //  and re-send last data... you can handle it using something like it.
       
if($challenge == $_SESSION['lastForm'])
        {
            echo
'Ok, this one is valid.', '<br><br>';
        }
        else
        {
            echo
'Nice try... nice try...', '<br><br>';
        }
    }

}

// If you open two window, the challenge won't match!
$_SESSION['lastForm'] = hash('md5', microtime(true));

?>

<!DOCTYPE html>
<html>
<body>

<form action="/index.php" method="post">
  Encryption: <keygen name="security" keytype="rsa" challenge="<?php echo $_SESSION['lastForm']; ?>"/>
  <input type="submit">
</form>

</body>
</html>