Home/ Questions/Q 7663017
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T13:56:57+00:00

I want to use the PHP function openssl_verify() to verify the signatures of different

  • 0

I want to use the PHP function openssl_verify() to verify the signatures of different X.509 certificates.

I have all it needs (certificate, $data, $signature, $pub_key_id) except of the signature algorithm but which is stored in the certificate.

enter image description here

My simple question is: How can I extract signature algorithm from certificates?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Look at this question, you can do it similar, try this:

    private function GetCertSignatureAlgorithm($certSignatureBinary, $pubKeyResourceId)
{

if(false === openssl_public_decrypt($certSignatureBinary, $sigString, $pubKeyResourceId))
{
    return false;
}

if (empty($sigString) ||
    strlen($sigString) < 5)
{
    return false;
}

if (ord($sigString[0]) !== 0x30 ||
    ord($sigString[2]) !== 0x30 ||
    ord($sigString[4]) !== 0x06)
{
    return false;
}

$sigString  = substr($sigString, 4);
$len        = ord($sigString[1]);
$bytes      = 0;

if ($len & 0x80)
{
    $bytes = ($len & 0x7f);
    $len = 0;
    for ($i = 0; $i < $bytes; $i++)
    {
        $len = ($len << 8) | ord($sigString[$i + 2]);
    }
}

$oidData = substr($sigString, 2 + $bytes, $len);
$hashOid = floor(ord($oidData[0]) / 40) . '.' . ord($oidData[0]) % 40;

$value = 0;
for ($i = 1; $i < strlen($oidData); $i++)
{
    $value = $value << 7;
    $value = $value | (ord($oidData[$i]) & 0x7f);
    if (!(ord($oidData[$i]) & 0x80))
    {
        $hashOid .= '.' . $value;
        $value = 0;
    }
}

//www.iana.org/assignments/hash-function-text-names/hash-function-text-names.xml
//www.php.net/manual/en/openssl.signature-algos.php
switch($hashOid)
{
    case '1.2.840.113549.2.5':     return 'md5';
    case '1.3.14.3.2.26':          return 'sha1';
    case '2.16.840.1.101.3.4.2.1': return 'sha256';
    case '2.16.840.1.101.3.4.2.2': return 'sha384';
    case '2.16.840.1.101.3.4.2.3': return 'sha512';

    //not secure = not accepted
    //case '1.2.840.113549.2.2':     //'md2';
    //case '1.2.840.113549.2.4':     //'md4';
    //case '1.3.14.3.2.18':          //'sha';
}

throw new Exception('CertSignatureAlgorithm not found');
}
    • 0