2017-07-02 134 views
8

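I am using PKCS7 to sign a document and everything works fine. The problem is that the command to verify the signature does not work and always returns false. I tried running a terminal command on the file and it works correctly. PHP openssl_pkcs7_verify is not working properly.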

Signing command:

openssl_pkcs7_sign(
    $tempdoc,
    $tempsign,
    $this->signature_data['signcert'],
    array(
        $this->signature_data['privkey'],
        $this->signature_data['password']
    ),
    array(),
    PKCS7_BINARY | PKCS7_DETACHED);

Verification command:

openssl_pkcs7_verify($tempsign, PKCS7_NOVERIFY) 

Terminal command:

openssl pkcs7 -inform DER -in signature.pkcs7 -print_certs -text 


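Edit 1
I ran tests in my code: if I create my signature with only PKCS7_DETACHED or only PKCS7_BINARY, the verify function works fine, but with both together I get the error. Why does this happen?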

+0

Did you forget the dollar sign in front of 'tempsign'? –

+0

Did 'openssl_pkcs7_sign' actually succeed? See also the ['PKCS7_sign'](https://www.openssl.org/docs/man1.0.2/crypto/PKCS7_sign.html) man page. If it fails, you should call 'ERR_get_error' immediately to retrieve the error. See also the ['ERR_get_error'](https://www.openssl.org/docs/man1.0.2/crypto/ERR_get_error.html) man page. – jww

+0

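They do not fail, because the PDF reader can read the signature successfully. And I just forgot to put the $ in the question, but in my code it is correct. –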

Answer

5

Here with PHP 7 I can reproduce your problem. Verification fails when both flags are used.

Maybe THIS URL can help you; this part of it is spot on.

SMIME -sign "detached" "attaches" content similarly as-is with -binary and text-canonicalized without, and signs that. SMIME -verify recognizes "detached", but (in multi_split) always canonicalizes both parts before using them. For content that was sent noncanonical (with -sign -binary or equivalent) this changes the signed content, and verify fails. Content that was canonical as sent (originally canonical or canonicalized by sender) does verify and similarly is output without determining if sender changed it.

In the docs you can read that the parser isn't very clever:

BUGS

The MIME parser isn't very clever: it seems to handle most messages that I've thrown at it but it may choke on others.

Hope it helps!
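The mismatch described in the quoted passage, as an added example that is not part of the original answer: a simplified Python model (not OpenSSL's or PHP's code) of which bytes are hashed on each side of a detached signature. The function names and sample documents are constructed for illustration, and canonicalization is reduced to rewriting line endings as CRLF.

```python
import hashlib

# Constructed sample documents (not from the original post).
LF_DOC = b"%PDF-1.4\nfirst line\nsecond line\n"
CRLF_DOC = b"%PDF-1.4\r\nfirst line\r\nsecond line\r\n"


def canonicalize(data: bytes) -> bytes:
    """Simplified model of S/MIME text canonicalization:
    strip each line's end-of-line bytes and rejoin with CRLF."""
    lines = [line.rstrip(b"\r") for line in data.split(b"\n")]
    return b"\r\n".join(lines)


def is_canonical(data: bytes) -> bool:
    """True when canonicalization would leave the bytes unchanged."""
    return canonicalize(data) == data


def transmitted_content(content: bytes, binary: bool) -> bytes:
    """Content part of a detached message: sent as-is with the binary
    flag, canonicalized by the signer without it."""
    return content if binary else canonicalize(content)


def signed_digest(content: bytes, binary: bool) -> str:
    """Digest covered by the signature: computed over what is sent."""
    return hashlib.sha256(transmitted_content(content, binary)).hexdigest()


def verified_digest(received: bytes) -> str:
    """Digest the verifier recomputes: per the quoted passage, the parts
    are always canonicalized before use."""
    return hashlib.sha256(canonicalize(received)).hexdigest()


def detached_verify_ok(content: bytes, binary: bool) -> bool:
    """Would the recomputed digest match the signed one?"""
    received = transmitted_content(content, binary)
    return signed_digest(content, binary) == verified_digest(received)


if __name__ == "__main__":
    for name, doc in (("LF", LF_DOC), ("CRLF", CRLF_DOC)):
        for binary in (True, False):
            print(name, "binary" if binary else "text",
                  "verifies" if detached_verify_ok(doc, binary) else "FAILS")
```

Only the detached case is modelled here; running `is_canonical` on the file before signing tells you whether binary plus detached would survive this kind of verifier.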