I’m interested in url signing (e.g. http://…/?somearg=value&anotherarg=anothervalue&sig=aSKS9F3KL5xc), but I have a few requirements which have left me without a solution yet.

• I’ll be using either PHP or Python for pages, so I’ll need to be able to sign and verify a signature using one of the two.
• My plan was to use a priv/pub key scheme to sign some data, and be able to verify that the signature is valid, but here’s where it gets complicated:
• The data is not known when the verification is happening (it is not just somearg=value&anotherarg=anothervalue)

My first instinct was to use OpenSSL, e.g. with a RSA keypair, to do something along the lines of signing by: openssl rsautl -sign -inkey private.pem -in sensitive -out privsigned and verifying based on the privsigned data and key ONLY: openssl rsautl -verify -inkey public.pem -in privsigned -pubin.

Using PHP’s openssl_get_privatekey() and openssl_sign() signs the data just fine, but I need to know the (decrypted!) data in order to verify (which I will not have): openssl_get_publickey() and openssl_verify($data, $signature, $pubkeyid); from http://php.net/openssl_verify.

Or am I missing something here?

So I looked into HMAC, but although many hash function are available in both Python and PHP, I’m baffled as to how I’d go about verifying the hash.
PHP‘s hash_hmac() allows me to create a hash using a “key” (or in this case a string-key). But how do I go about verifying that a hash is valid (i.e. &sig= hasn’t just been manually put in by the end user &sig=abcdefg1234.

So to sum up (sorry for the long question): How can I verify that a signature/hash has been made by my server’s (cert/string)key (given I can not verify by redoing the hash of said data)? And do you have any preferences as to which route I should chose, Priv/pub-key or HMAC?

Any pointers big or small is greatly appreciated!
Thanks in advance,

• Josh