This openssl_spki_* funcs are very usefull to use with <keygen/> tag in html5.
Example:
<?php
session_start();
// form submitted... (?)
if(isset($_POST['security']))
{
// If true, the send from <keygen/> is valid and you can
// test the challenge too
if(openssl_spki_verify($_POST['security']))
{
// Gets challenge string
$challenge = openssl_spki_export_challenge($_POST['security']);
// If true... you are not trying to trick it.
// If user open 2 windows to prevent data lost from a "mistake" or him just press "back" button
// and re-send last data... you can handle it using something like it.
if($challenge == $_SESSION['lastForm'])
{
echo 'Ok, this one is valid.', '<br><br>';
}
else
{
echo 'Nice try... nice try...', '<br><br>';
}
}
}
// If you open two window, the challenge won't match!
$_SESSION['lastForm'] = hash('md5', microtime(true));
?>
<!DOCTYPE html>
<html>
<body>
<form action="/index.php" method="post">
Encryption: <keygen name="security" keytype="rsa" challenge="<?php echo $_SESSION['lastForm']; ?>"/>
<input type="submit">
</form>
</body>
</html>
PHP - Manual: openssl_spki_verify
2024-05-03
openssl_spki_verify
(PHP 5 >= 5.6.0, PHP 7, PHP 8)
openssl_spki_verify — 验证签名公钥和挑战。
说明
openssl_spki_verify(string
&$spkac): string验证所提供的签名公钥和挑战。
参数
-
spkac -
期望一个有效的签名公钥和挑战。
返回值
成功,返回true, 失败返回false.
错误/异常
如果spkac参数不是一个可用的参数,将会抛出一个 E_WARNING 等级的错误。
范例
示例 #1 openssl_spki_verify() 范例:
验证现有签名公钥和挑战
<?php
$pkey = openssl_pkey_new('secret password');
$spkac = openssl_spki_new($pkey, 'challenge string');
if (openssl_spki_verify(preg_replace('/SPKAC=/', '', $spkac))) {
echo $spkac;
} else {
echo "SPKAC validation failed";
}
?>
示例 #2 openssl_spki_verify() example from <keygen>
通过<keygen> 元素验证现有签名公钥和挑战
<?php
if (openssl_spki_verify(preg_replace('/SPKAC=/', '', $_POST['spkac']))) {
echo $spkac;
} else {
echo "SPKAC validation failed";
}
?>
<keygen name="spkac" challenge="challenge string" keytype="RSA">
参见
- openssl_spki_new() - 生成一个新的签名公钥和挑战
- openssl_spki_export_challenge() - 导出与签名公钥和挑战相关的挑战字符串
- openssl_spki_export() - 通过签名公钥和挑战导出一个可用的PEM格式的公钥
- openssl_md_method()
- openssl_csr_new() - 生成一个 CSR
- openssl_csr_sign() - 用另一个证书签署 CSR (或者本身) 并且生成一个证书
add a note
User Contributed Notes 2 notes
carloshlfzanon at gmail dot com ¶
5 years ago
neat at neato dot com ¶
1 year ago
The challenge is not how to very a "trick". It is used as a partial non-repudiation method.
The idea was the challenge could be extracted from the base64 encoded ASN.1 PKCS#1 bits provided from the 'keygen' element.
The SPKAC is a form of CSR which if the right about of information such as the commonName, emailAddress, countryName, stateOrProvinceName, localityName et al., a signed x509 could generated and provided to the requestor.
This would then be installed in the browser and if the webserver was configured to accept client x509 certificates, it would be used in lieu of a password for authentication.
A recommendation was to use the 'challenge' as a form of non-repudiation in the event someone else was on your keyboard. If the application required it could prompt you for the challenge and compare it to a hashed version it stored upon the initial SPKAC process.
Hope that helps clear it up.
官方地址:https://www.php.net/manual/en/function.openssl-spki-verify.php
IT
PHP
编程语言
Linux
科技
开发编程
Elasticsearch
HTML/CSS/XML
网络
JAVA
NoSQL
C/C++
面试
数据库
Golang
Git
算法
正则表达式
操作系统
Redis
互联网
MySql
JavaScript
运维
软件
架构设计
Mac OS
国际
TCP/IP
Excel
Vim
Windows
Socket
Oracle
VR
MongoDB
运营
Python
MemCache
商业
硬件
电子
设计
nginx
娱乐
摄影
游戏
WordPress
HTTP
团建
数码电器
广告
广告
广告
php7 安装fileinfo扩展
preg_split — 通过一个正则表达式分隔字符串
[PHP] inet_pton/inet_ntop IP地址转换函数
php位值,解决 PHP 中 usort 在值相同时改变原始位置的问题
PHPMailer设置utf8 PHPMailer字符集CharSet
如何在Composer中为GitLab实例设置访问令牌
array_multisort() 多字段排序
laravel框架查看sql语句方式
[原创]诡异的php-fpm超时问题
利用php soap实现web service
PHP获取指定函数定义在哪个文件中及行号
php设置cookie为httponly防止xss攻击
PHP5 扩展SOAP 调用 webservice
PHP-FPM进程数的设定
PHP - mysql_real_escape_string()与mysql_escape_string() 的区别
PHPstorm 里面Terminal 不能使用 esc键吗退出编辑模式吗
PHP7添加redis扩展
利用PHP SOAP实现WEB SERVICE
PHP7 mcrypt替代方案
纯php实现DES以及TripleDES加密算法