openssl_pkcs7_sign - PHP code example

PHP Function OpenSSLPKCS7_Sign

php function openssl_pkcs7_sign

The php pkcs7 function openssl_pkcs7_sign() digitally signs data that is to be signed. It can accept an OpenSSLAsymmetricKey or OpenSSLCertificate instance for the certificate and a string for the signature algorithm. The return value is the detached PKCS #7 signature of the file data.

This is an EXPERIMENTAL MODULE - meaning that ANYTHING documented here may change in a future version of PHP WITHOUT NOTICE. Use at your own risk.

if not set to 0 the output MIME format message will be encoded using opaque signing (as opposed to cleartext). This makes the message more resistant to translation by mail relays but cannot be read by non-S/MIME compliant clients.

a file containing trusted CA certificates, used only with -verify.

when signing a message the signer's certificate is normally included - with this option it is excluded. This reduces the size of the signature but requires that the verifier have a copy of the signers certificate available locally (passed using the extracerts parameter to openssl_pkcs7_verify() for example).

an x.509 certificate that is to be used with openssl_pkcs7_sign(), see Key/Certificate parameters for a list of valid values. an array of headers that are to be added to the signed data, see Headers parameters for a list of valid options.

openssl_pkcs7_sign example

$this->signOptions = $signOptions ?? \PKCS7_DETACHED;
        $this->extraCerts = $extraCerts ? realpath($extraCerts) : null;
    }

    public function sign(Message $message): Message
    {
        $bufferFile = tmpfile();
        $outputFile = tmpfile();

        $this->iteratorToFile($message->getBody()->toIterable(), $bufferFile);

        if (!@openssl_pkcs7_sign(stream_get_meta_data($bufferFile)['uri'], stream_get_meta_data($outputFile)['uri'], $this->signCertificate, $this->signPrivateKey, [], $this->signOptions, $this->extraCerts)) {
            throw new RuntimeException(sprintf('Failed to sign S/Mime message. Error: "%s".', openssl_error_string()));
        }

        return new Message($message->getHeaders(), $this->convertMessageToSMimePart($outputFile, 'multipart', 'signed'));
    }
}

try {
                if (!defined('PKCS7_TEXT')) {
                    throw new Exception($this->lang('extension_missing') . 'openssl');
                }

                $file = tempnam(sys_get_temp_dir(), 'srcsign');
                $signed = tempnam(sys_get_temp_dir(), 'mailsign');
                file_put_contents($file, $body);

                //Workaround for PHP bug https://bugs.php.net/bug.php?id=69197                 if (empty($this->sign_extracerts_file)) {
                    $sign = @openssl_pkcs7_sign(
                        $file,
                        $signed,
                        'file://' . realpath($this->sign_cert_file),
                        ['file://' . realpath($this->sign_key_file), $this->sign_key_pass],
                        []
                    );
                } else {
                    $sign = @openssl_pkcs7_sign(
                        $file,
                        $signed,
                        'file://' . realpath($this->sign_cert_file),
                        [