What do returned values of PHP gnupg signature verification mean?


Question


I want to verify PGP-signed text in PHP. Following the PHP documentation and the answer to this question, I made a simple script to test the gnupg library. I sent a signed email between two email accounts using Thunderbird with Enigmail; the receiving Thunderbird shows that the signature is correct.


In PHP, when I use the plain email text and the sender's public key, the verify() function returns an array like this:

array(1) {
  [0]=>
  array(5) {
    ["fingerprint"]=>
    string(40) "468F82339FC55DE5CAFD71BB63DD32AE1308A57F"
    ["validity"]=>
    int(0)
    ["timestamp"]=>
    int(1443033896)
    ["status"]=>
    int(0)
    ["summary"]=>
    int(0)
  }
}


When I change a single word in the signed message, the result changes to:

array(1) {
  [0]=>
  array(5) {
    ["fingerprint"]=>
    string(16) "63DD32AE1308A57F"
    ["validity"]=>
    int(0)
    ["timestamp"]=>
    int(0)
    ["status"]=>
    int(117440520)
    ["summary"]=>
    int(4)
  }
}


And finally, when I change a lot of text or break the signature, the function returns false.


So, what do these array values mean?

  • Why is validity always 0?
  • The timestamp value is a timestamp of what? The time when the message was signed?
  • Why is the status value so big in the second case? Is it just a random value or a specific error code?
  • Same with summary: what does the value 4 stand for?


If I just want to recognize whether text is signed correctly or not, can I simply compare the returned fingerprint with the fingerprint of the public key and check whether status and summary are equal to 0?

Answer


PHP's GnuPG documentation is indeed lacking information here. Looking at the source code and the GPGME manual and sources, you can derive the relevant information.

Disclaimer: the answer contains some guesswork; be sure to get a reasonable feeling about what's going on if building on it, and feel free to give feedback!

Validity


Why is validity always 0?


For verifying the validity of a signature, you need to assign trust (so GnuPG is able to compute a trust chain). The validity is defined in the following GPGME enum:

/* The available validities for a trust item or key.  */
typedef enum
  {
    GPGME_VALIDITY_UNKNOWN   = 0,
    GPGME_VALIDITY_UNDEFINED = 1,
    GPGME_VALIDITY_NEVER     = 2,
    GPGME_VALIDITY_MARGINAL  = 3,
    GPGME_VALIDITY_FULL      = 4,
    GPGME_VALIDITY_ULTIMATE  = 5
  }
gpgme_validity_t;

Timestamp

The timestamp value is a timestamp of what? The time when the message was signed?


Yes, this one's easy: this is the signature creation timestamp. Be aware that the timestamp is usually defined by the signer and can be faked to arbitrary dates.

Status

Why is the status value so big in the second case? Is it just a random value or a specific error code?

Reading the documentation (gpgme_error_t status), the status seems to be defined in gpg-error.h. Yet, the defined status in your question does not make sense to me.

Summary

Same with summary: what does the value 4 stand for?

This is a summary on the signature. Again, the summary is defined in a GPGME enum:

/* Flags used for the SUMMARY field in a gpgme_signature_t.  */
typedef enum
  {
    GPGME_SIGSUM_VALID       = 0x0001,  /* The signature is fully valid.  */
    GPGME_SIGSUM_GREEN       = 0x0002,  /* The signature is good.  */
    GPGME_SIGSUM_RED         = 0x0004,  /* The signature is bad.  */
    GPGME_SIGSUM_KEY_REVOKED = 0x0010,  /* One key has been revoked.  */
    GPGME_SIGSUM_KEY_EXPIRED = 0x0020,  /* One key has expired.  */
    GPGME_SIGSUM_SIG_EXPIRED = 0x0040,  /* The signature has expired.  */
    GPGME_SIGSUM_KEY_MISSING = 0x0080,  /* Can't verify: key missing.  */
    GPGME_SIGSUM_CRL_MISSING = 0x0100,  /* CRL not available.  */
    GPGME_SIGSUM_CRL_TOO_OLD = 0x0200,  /* Available CRL is too old.  */
    GPGME_SIGSUM_BAD_POLICY  = 0x0400,  /* A policy was not met.  */
    GPGME_SIGSUM_SYS_ERROR   = 0x0800   /* A system error occured.  */
  }
gpgme_sigsum_t;


Thus, you've got to read the result as binary flags. A status of 4 indicates a bad signature.


The first signature was generated some days ago, on 2015-09-23T18:44:56+00:00, by key 468F82339FC55DE5CAFD71BB63DD32AE1308A57F and is a correct signature, but the key could be validated (missing trust path).


The second signature seems to be issued by the same key, but is broken.


If I just want to recognize whether text is signed correctly or not, can I simply compare the returned fingerprint with the fingerprint of the public key and check whether status and summary are equal to 0?


As far as I understand what's going on, you should test whether summary's bit 4 is set or not. If it is set, you've got a bad signature. Don't compare it with 4, but use bit manipulation to test against the single bit:

($summary & 0x04) == 0x04


If you don't use the web of trust and the validity flag to verify signatures, make sure to compare the whole fingerprint against a list of trusted keys.
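The check the answer recommends, written out as an added PHP example (not code from the answer or from the gnupg extension): summary is treated as a bit field, the full fingerprint is pinned to an allow-list, and status is split into the gpg-error source and code fields (117440520 from the question is 0x07000008: source 7, GPGME, code 8, GPG_ERR_BAD_SIGNATURE). The SIGSUM_* constants carry the values of the enum quoted above; the function names are chosen here.

```php
<?php
// Flag values from the gpgme_sigsum_t enum quoted in the answer (the PHP
// gnupg extension also exposes them as GNUPG_SIGSUM_* constants).
const SIGSUM_RED         = 0x0004;
const SIGSUM_KEY_REVOKED = 0x0010;
const SIGSUM_KEY_EXPIRED = 0x0020;
const SIGSUM_SIG_EXPIRED = 0x0040;
const SIGSUM_KEY_MISSING = 0x0080;
const SIGSUM_SYS_ERROR   = 0x0800;

// gpg-error packs an error as (source << 24) | code, with a 16-bit code.
// 117440520 from the question is 0x07000008: source 7 (GPGME), code 8
// (GPG_ERR_BAD_SIGNATURE). GPG_ERR_NO_ERROR is 0.
function gpgErrCode(int $status): int   { return $status & 0xFFFF; }
function gpgErrSource(int $status): int { return ($status >> 24) & 0x7F; }

/**
 * Return the fingerprint of the trusted key that signed the text, or null.
 * $verifyResult is exactly what gnupg::verify() returns (array or false).
 * $trustedFingerprints holds full 40-hex-digit fingerprints; the web of
 * trust is not consulted, so 'validity' being 0 is expected and ignored.
 */
function acceptedSigner($verifyResult, array $trustedFingerprints): ?string
{
    if (!is_array($verifyResult) || $verifyResult === []) {
        return null;                      // no parsable signature at all
    }
    $trusted = array_map('strtoupper', $trustedFingerprints);
    $fatal   = SIGSUM_RED | SIGSUM_KEY_REVOKED | SIGSUM_KEY_EXPIRED
             | SIGSUM_SIG_EXPIRED | SIGSUM_KEY_MISSING | SIGSUM_SYS_ERROR;
    foreach ($verifyResult as $sig) {
        // Test individual bits; never compare summary with a literal.
        if (((int) $sig['summary'] & $fatal) !== 0) {
            continue;
        }
        if (gpgErrCode((int) $sig['status']) !== 0) {
            continue;                     // any gpg-error code is a failure
        }
        $fp = strtoupper($sig['fingerprint']);
        // A failed verification only reports a 16-digit key ID; require
        // the full fingerprint and match it exactly against the allow-list.
        if (strlen($fp) === 40 && in_array($fp, $trusted, true)) {
            return $fp;
        }
    }
    return null;
}
// Usage against the real extension (public key imported beforehand):
// $info   = (new gnupg())->verify($signedMail, false, $plain); // clearsigned
// $signer = acceptedSigner($info, ['468F82339FC55DE5CAFD71BB63DD32AE1308A57F']);
```

Fed the two arrays from the question, the first (summary 0, status 0, full fingerprint on the allow-list) yields the fingerprint and the second (summary 4, status 117440520, 16-digit key ID) yields null.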
