I'm using PKCS7 to sign a document and everything works fine. The problem is that the command to verify the signature is not working; it always returns false. I tried the terminal command on the file and it works fine.
Sign command:
openssl_pkcs7_sign(
    $tempdoc,
    $tempsign,
    $this->signature_data['signcert'],
    array($this->signature_data['privkey'], $this->signature_data['password']),
    array(),
    PKCS7_BINARY | PKCS7_DETACHED
);
Verify command:
openssl_pkcs7_verify($tempsign, PKCS7_NOVERIFY)
Terminal command:
openssl pkcs7 -inform DER -in signature.pkcs7 -print_certs -text
EDIT 1
I ran tests in my code and discovered that if I create my signature with only PKCS7_DETACHED or only PKCS7_BINARY, the verify works fine, but with both together I receive the error. Why is this happening?
Here with PHP 7 I can reproduce your problem. With both flags the verify fails.
Maybe THIS URL can help you; this part talks about it:
SMIME -sign "detached" "attaches" content similarly as-is with -binary and text-canonicalized without, and signs that. SMIME -verify recognizes "detached", but (in multi_split) always canonicalizes both parts before using them. For content that was sent noncanonical (with -sign -binary or equivalent) this changes the signed content, and verify fails. Content that was canonical as sent (originally canonical or canonicalized by sender) does verify and similarly is output without determining if sender changed it.
In the docs you can read that the parser isn't that smart:
BUGS
The MIME parser isn't very clever: it seems to handle most messages that I've thrown at it but it may choke on others.
Hope it helps!
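The mismatch described in the quoted passage can be checked on the document before signing. The following PHP is an added example, not code from the question, the answer or OpenSSL; `smime_canonicalize()` and `detached_binary_precheck()` are hypothetical helpers, and they assume the verifier's canonicalization amounts to rewriting every line ending as CRLF, which is a simplification.

```php
<?php
// Added example: simplified model of the canonicalization described above.
// Assumption: the verifier rewrites every line ending as CRLF and changes
// nothing else. Helper names are hypothetical.

function smime_canonicalize(string $data): string
{
    // Match CRLF first so an existing CRLF is not doubled.
    $out = preg_replace('/\r\n|\r|\n/', "\r\n", $data);
    if ($out === null) {
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $out;
}

function detached_binary_precheck(string $data): array
{
    $canon  = smime_canonicalize($data);
    $offset = null;
    if ($canon !== $data
        && preg_match('/(?<!\r)\n|\r(?!\n)/', $data, $m, PREG_OFFSET_CAPTURE) === 1) {
        $offset = $m[0][1]; // byte offset of the first bare LF or bare CR
    }
    return [
        'canonical'     => $canon === $data,
        'first_offset'  => $offset,
        'digest_signed' => hash('sha256', $data),  // bytes as signed with PKCS7_BINARY
        'digest_verify' => hash('sha256', $canon), // bytes after canonicalization
    ];
}

// Constructed sample inputs, not taken from the page.
$samples = [
    'LF text'   => "Invoice 42\nTotal: 10 EUR\n",
    'CRLF text' => "Invoice 42\r\nTotal: 10 EUR\r\n",
];
foreach ($samples as $label => $data) {
    $r = detached_binary_precheck($data);
    printf(
        "%-9s canonical=%s first_offset=%s digests_match=%s\n",
        $label,
        var_export($r['canonical'], true),
        var_export($r['first_offset'], true),
        var_export($r['digest_signed'] === $r['digest_verify'], true)
    );
}
```

When `canonical` is false, the two digests differ, which is the condition under which the quoted passage says a detached signature made with the binary flag fails to verify.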