openssl_verify - PHP code example

The PHP Function OpenSSL_Verify

The php function openssl_verify allows you to verify a signature for an object. This is useful for ensuring that an API request has not been tampered with or come from an unauthorized source.

This article shows how to design and implement an API signature verification function in PHP using OpenSSL. It covers creating a private key pair, generating a signature function, and building an SDK to simplify usage. The article also discusses potential attacks and vulnerabilities associated with using this method of API security.

A note of caution: This function is EXPERIMENTAL. This means that the behavior of this function, the name of this function, or anything else documented about this function may change in a future release of PHP without notice. Use it at your own risk.

Function Description

openssl_verify() verifies that the signature for the data passed in s is correct by using the public key associated with pub_key_id. The function assumes that the data was signed using a SHA-1 digest and that it was signed with a private key whose corresponding public key is stored in the database (see Signing Algorithms).

The function returns 1 if the signature is valid, 0 if it is not, or -1 if there is an error. It is possible to attack this function by exhausting the service provider’s memory during a validation phase while a message with an invalid signature is being validated, but such attacks are difficult to execute and require precise control over the service provider.

openssl_verify example

$privateCertificate = file_get_contents($this->privatePath);
        /** @var \OpenSSLAsymmetricKey $privateKey */
        $privateKey = openssl_pkey_get_private($privateCertificate, $passphrase);

        openssl_sign($data, $signature, $privateKey);

        /** @var string $publicCertificate */
        $publicCertificate = file_get_contents($this->publicPath);

        static::assertEquals(
            1,
            openssl_verify($data, $signature, $publicCertificate)
        );
    }

    public function testGenerateWithoutPassphrase(): void
    {
        $this->jwtCertificateGenerator->generate(
            $this->privatePath,
            $this->publicPath,
        );

        static::assertFileExists($this->privatePath);

    public function isValid($message, $signature)
    {
        $pubkeyid = $this->getKeyResource();

        $signature = base64_decode($signature);

        // State whether signature is okay or not         $ok = openssl_verify($message, $signature, $pubkeyid);

        if ($ok === 1) {
            return true;
        }
        if ($ok === 0) {
            return false;
        }
        while ($errors[] = openssl_error_string()) {
        }
        throw new RuntimeException(sprintf("Error during private key read: \n%s", implode("\n", $errors)));
    }

public function isValid(string $message, string $signature): bool
    {
        $errors = [];
        $pubkeyid = $this->getKey();

        $signature = base64_decode($signature, true);
        if ($signature === false) {
            throw new StoreSignatureValidationException('Invalid signature');
        }

        // State whether signature is okay or not         $ok = openssl_verify($message, $signature, $pubkeyid);

        if ($ok === 1) {
            return true;
        }
        if ($ok === 0) {
            return false;
        }
        while ($errors[] = openssl_error_string()) {
        }

        throw new StoreSignatureValidationException(sprintf("Error during private key read: \n%s", implode("\n", $errors)));
    }

string $secret,
    ): void {
        $timestampedPayload = $timestamp.$payload;

        // Sendgrid provides the verification key as base64-encoded DER data. Openssl wants a PEM format, which is a multiline version of the base64 data.         $pemKey = "-----BEGIN PUBLIC KEY-----\n".chunk_split($secret, 64, "\n")."-----END PUBLIC KEY-----\n";

        if (!$publicKey = openssl_pkey_get_public($pemKey)) {
            throw new RejectWebhookException(406, 'Public key is wrong.');
        }

        if (1 !== openssl_verify($timestampedPayload, base64_decode($signature), $publicKey, \OPENSSL_ALGO_SHA256)) {
            throw new RejectWebhookException(406, 'Signature is wrong.');
        }
    }
}