The PHP Function OpenSSL_Verify
The php function openssl_verify allows you to verify a signature for an object. This is useful for ensuring that an API request has not been tampered with or come from an unauthorized source.
This article shows how to design and implement an API signature verification function in PHP using OpenSSL. It covers creating a private key pair, generating a signature function, and building an SDK to simplify usage. The article also discusses potential attacks and vulnerabilities associated with using this method of API security.
A note of caution: This function is EXPERIMENTAL. This means that the behavior of this function, the name of this function, or anything else documented about this function may change in a future release of PHP without notice. Use it at your own risk.
Function Description
openssl_verify() verifies that the signature for the data passed in s is correct by using the public key associated with pub_key_id. The function assumes that the data was signed using a SHA-1 digest and that it was signed with a private key whose corresponding public key is stored in the database (see Signing Algorithms).
The function returns 1 if the signature is valid, 0 if it is not, or -1 if there is an error. It is possible to attack this function by exhausting the service provider’s memory during a validation phase while a message with an invalid signature is being validated, but such attacks are difficult to execute and require precise control over the service provider.