有人可以告诉我我的openssl_sign示例有什么问题 [英] Can someone tell me what's wrong with my openssl_sign example

问题描述

这里是php演示代码用私人2048位dsa键签名数据：

Here's php demo code to sign data with private 2048 bit dsa key:

$priv_key = '-----BEGIN DSA PRIVATE KEY-----
MIIDVQIBAAKCAQEA/uhSKJA6k5sSnYo+uBgi+mzJ72hqZrWgc+dNLpiiKoHsqDZ6
7kGW0J3wnhU0FxpV2SVL57SfG6dC7GvwsJYBidSEJqe3bARP8WI4yL9wm1PVTqFD
4zNkj1+zUZDWQWpJxaA8I10sJR08/WbwgD63bD6jg4JiPaowFMOrufYAW92hjANQ
D7eZ+t0GXAoDB5L6q8btVRfJrGOvkdDN6eyzc7kpJEVC9g1J9Q6glnHQRIGdW4Ot
ys/bpv2mGMfEykyTWhcMSLaAZ0YLTyKRfjYm8g7dCFWo3i8Fu0Jr+N3IWZI9Jgw5
lGyUSX8x89gjMsqtcOzcrjOtC51oAh+pio8jaQIhAM2VbbgAoxSSVO3Nd5y2mPiO
k62rr9cCj4tNy0MtYG3rAoIBABnMeAAeJpNpe3UhmWrGSJN/nQe76FSIhV/0wsu4
Xu65tW610i+uf8t0ZDqHCrbF9LSvk6vPiBydKhOmmStCa/aJJZhCKYI9/8WgtXG8
kSvAzLTNnozSLeHkapZHJwqY1wT+qxElheXjHJBRzgXVqwB+0CeJokJYlWiaPfuN
n3H1GDekuYXSFAaK4bC4TEsctQH1/403ljSbv99aXVDTVSnW0hdbokyLSPsiJjvz
w6GkyEiK/j6V2dTrIRn2X2ftzbTsE+0vEenHosIzJwM8+zUrhLvVvPBARWnbmsQ/
YstGs7WERGQzkFSsuPsWCN53Os4NnBEPiYg8//Cy1EHat3ACggEAD3mqwlAaPixs
Up49/HYlGqrU4e862rWY7mb5XRJ7AY9t70C5hhZrVO/DTgpGkwO0Yi/cYo6W0g//
cP73Nb2KZwaiyTCet2VsXb0H/8gvi8OqlidEpormedYW1T0DoyVrw57gXF0hp0D8
scfZBg0hFM/hHlmqHPKYiZtDp5imk5TeSyIoLdyJjW8jII2ni8ryStjvZ61aAPyK
VH8in3DpVANpn3MSGv1Hv1RYxaago71fVUyOkm1/pFNqBNIwBAxBIUsIPdNpjoGB
bLKXDshCfdXkQJxnx80nVDslEkv10BapLqIr98uswU/bBYMduF6Xrg5pdugDG3Cw
X8n3glog8QIgayYvNGvBvrDp9piq8RDg9mQJsd4IFBlpF7MnqIc749M=
-----END DSA PRIVATE KEY-----
';

$pkeyid = openssl_get_privatekey($priv_key);
if(empty($pkeyid)){
    die("Can't load key id");
}
$data = $_GET['i'];
// compute signature
if(!openssl_sign($data, $signature, $pkeyid,OPENSSL_ALGO_SHA1)){
    echo "Failed to sign data: $data";
}
// free the key from memory
openssl_free_key($pkeyid);
echo $signature;

脚本始终在openssl_sign失败。
我没有收到错误或失败，只是在openssl_sign的输出中为FALSE，$ signature为空

The script always fails at openssl_sign. I'm getting no errors or failures, just FALSE at the output of openssl_sign and the $signature is empty

我已经用

I've generated the key with

openssl dsaparam -out dsaparam.pem 2048
openssl gendsa -out privkey.pem dsaparam.pem

可能有什么问题？

推荐答案

使用DSA签名时，您需要使用OPENSSL_ALGO_DSS1而不是OPENSSL_ALGO_SHA1作为散列算法。

When using DSA to sign things, you need to use OPENSSL_ALGO_DSS1 not OPENSSL_ALGO_SHA1 as the hashing algorithm.

OpenSSL的帮助文件命令行版本说：

如果您希望使用DSA算法签署或验证数据，那么dss1摘要必须使用。

If you wish to sign or verify data using the DSA algorithm then the dss1 digest must be used.

这是OpenSSL库的特质，DSS1与SHA1实际上是一样的算法，但OpenSSL坚持要求是DSS1，如果您使用DSA！

This is an idiosyncrasy of the OpenSSL library, DSS1 is actually the same algorithm as SHA1 but OpenSSL insists that you call is DSS1 if you're using it with DSA!

这篇关于有人可以告诉我我的openssl_sign示例有什么问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！