如何使用PEM私钥通过HMAC在PHP中签名数据 [英] How to sign data in PHP with HMAC using a PEM private key

问题描述

我已经看到很多关于如何在PHP中创建HMAC的文章，但是使用的机密始终是一个简单的字符串(例如"secret").我需要做的是创建一个HMAC，其秘密是私钥，例如从包含PEM格式私钥的文件中加载.我一直无法找到有关是否可以在PHP中(使用hash_hmac)进行此操作的任何信息.

用法

在Java中创建了使用私钥的HmacSHA256签名，我想在PHP中重新创建此签名(根据我的理解，使用带有sha256哈希算法的hash_hmac)，并从文件中加载相同的私钥.

要澄清:在这种情况下，私钥用作共享密钥，这意味着有两个参与者拥有该密钥.消息验证过程包括发送带有私钥计算的消息的HMAC，而收件人则使用相同的私钥计算HMAC并根据发送的签名进行验证.

代码

Java:

  byte [] data = getDataForSignature();私钥= getPrivateKey();//从文件加载Mac mac = Mac.getInstance("HmacSHA256");mac.init(key);byte [] hmac = mac.doFinal(data);//将hmac与收到的签名字节进行比较 

PHP:

  $ key = openssl_pkey_get_private("private.key");$ sig = hash_hmac("sha256"，$ data，$ key ??，true); 

示例私钥

  ----- BEGIN RSA私钥-----MIICXgIBAAKBKBQCSWro05ZKVGxMTCqAyNZRAXp8Gd7wf6vywXRsFckm9MHOAWZL0SvFAhM6tlCthuPkQb0c + Hx9PWH1 + 4sW2u3O + VDvjQEB0ZILd79LraBEshK/36Ouxyyw2K + ghk9Yh00nJOzkkonmdZmVxr0AAzw5el2h9yDjlUa1E8BH/1LzBBwIDAQABAoGANtwXbHiZh5bMgZi8D9YRqkdNqOj89aHp8loUJOiAR5B/2x64fSYSZLLjniEqWckyYzyzIdActmtfL07l + ecuLRipsHoHuzjPiiRRnzJQbgBstnB8rHkuN275YSbC3gE7nyyX0JPEviwqHv ++ Uig0RCD1ZbrG0SBMKBlGVrFMddECQQDmVguRhRScTJHHRaXY/zjZtHp0L1dtzzSLM75 + ji2UoRy1yK9z + rnE1PM5QC8PQixbwocGwpRIwGQnhIg1YAM9AkEAoqk + VNbJ9ykoP9r + 8o1PrPR1Ff + EIhpTthRyFngHNbNnOFB0D314+ V4wyO + a/gbiIAmvTuOXV/GwOlgnfVDJkwJBAJNHd5QvxPL/3sLNXPN4ljBWP2plDwFO2Wkcx/SCEtETh5kQ3mdJbVlXVMJJsQ2PoW923gHLjydJpYDDNJj0cH0CQQCW8txHOvQ + C9GwQHirenvgExO9EFv8kdXxeNPPCiAWs6AsYGz0Gwpyz/gR4FlDN/wMozAu04IVONLDsh8jah9FAkEAsSUvlo7Nh1ITd75kUsStv7Tjxma3SuKViewWCprDolDNtncfcZC5SrilHAJEabVxGy1fJL3hYvTYfqNkeB1TcA ==-----结束RSA私钥----- 

解决方案

通常，私钥用于执行签名生成，这与创建具有对称秘密密钥的MAC的不对称等效./p>

请注意，HMAC密钥可以包含任何二进制字符串，因此原则上可以将HMAC与二进制编码的私钥一起使用.也就是说，对于HMAC使用非对称私钥是没有意义的.只有持有私钥的人才能验证生成的身份验证标签.相比之下，可以使用密钥对的公钥来验证数字签名.

---

现在，如果您在Java中使用了 secret 密钥，则需要为PHP hash_hmac 创建相同的(二进制) key 参数.code>函数.

I have seen a lot of posts about how to create a HMAC in PHP, but the used secret was always a simple string (eg. "secret"). What I need to do is create a HMAC with the secret being a private key, loaded for example from a file containing private key in PEM format. I have been unable to find any information on whether this is possible in PHP (using hash_hmac) or not.

Usage

A HmacSHA256 signature using a private key is created in Java and I would like to recreate this signature in PHP (from my understanding using hash_hmac with sha256 hashing algorithm) with the same private key loaded from a file.

To clarify: the private key in this scenario is used as a shared secret key, meaning that two parties have the key. The message verification process consists of sending a HMAC with the message, calculated with the private key, while the recipient calculates HMAC with an identical private key and verifies it against the sent signature.

Code

Java:

byte[] data = getDataForSignature();
PrivateKey key = getPrivateKey(); // loaded from a file
Mac mac = Mac.getInstance("HmacSHA256");
mac.init(key);
byte[] hmac = mac.doFinal(data);
// compare hmac with received signature bytes

PHP:

$key = openssl_pkey_get_private("private.key");
$sig = hash_hmac("sha256", $data, $key??, true);

Sample private key

-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQCSWro05ZKVGxMTCqAyNZRAXp8Gd7wf6vywXRsFckm9MHOAWZL0
SvFAhM6tlCthuPkQb0c+Hx9PWH1+4sW2u3O+VDvjQEB0ZILd79LraBEshK/36Oux
yyw2K+ghk9Yh00nJOzkkonmdZmVxr0AAzw5el2h9yDjlUa1E8BH/1LzBBwIDAQAB
AoGANtwXbHiZh5bMgZi8D9YRqkdNqOj89aHp8loUJOiAR5B/2x64fSYSZLLjniEq
WckyYzyzIdActmtfL07l+ecuLRipsHoHuzjPiiRRnzJQbgBstnB8rHkuN275YSbC
3gE7nyyX0JPEviwqHv++Uig0RCD1ZbrG0SBMKBlGVrFMddECQQDmVguRhRScTJHH
RaXY/zjZtHp0L1dtzzSLM75+ji2UoRy1yK9z+rnE1PM5QC8PQixbwocGwpRIwGQn
hIg1YAM9AkEAoqk+VNbJ9ykoP9r+8o1PrPR1Ff+EIhpTthRyFngHNbNnOFB0D314
+V4wyO+a/gbiIAmvTuOXV/GwOlgnfVDJkwJBAJNHd5QvxPL/3sLNXPN4ljBWP2pl
DwFO2Wkcx/SCEtETh5kQ3mdJbVlXVMJJsQ2PoW923gHLjydJpYDDNJj0cH0CQQCW
8txHOvQ+C9GwQHirenvgExO9EFv8kdXxeNPPCiAWs6AsYGz0Gwpyz/gR4FlDN/wM
ozAu04IVONLDsh8jah9FAkEAsSUvlo7Nh1ITd75kUsStv7Tjxma3SuKViewWCprD
olDNtncfcZC5SrilHAJEabVxGy1fJL3hYvTYfqNkeB1TcA==
-----END RSA PRIVATE KEY-----

解决方案

Usually a private key is used to perform signature generation which is the asymmetric equivalent to creating a MAC with a symmetric secret key.

Note that a HMAC key can consist of any binary string, so in principle it would be possible to use HMAC with a binary encoded private key. That said, it doesn't make sense to use a asymmetric private key for HMAC. Only the person holding the private key would be able to verify the resulting authentication tag. In comparison, digital signatures can be verified using the public key of the key pair.

---

Now if you have a secret key that was used within Java then you need to create the same (binary) key parameter for the PHP hash_hmac function.

这篇关于如何使用PEM私钥通过HMAC在PHP中签名数据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！