Dundar

Reputation: 1249

php openssl: how to match the private key with the certificate

I have a self-signed signature which contains the certificate itself and the private key. My purpose is to check if this private key matches with the certificate. What I do is the following:

$private = openssl_pkey_get_private("file://path/to/certificate"); // PEM bundle holding the key; a path needs the file:// prefix, otherwise the string is parsed as PEM
$public  = openssl_pkey_get_public("file://path/to/certificate");  // public key taken from the certificate in the same file
openssl_sign("path/to/certificate", $sig, $private);               // note: this signs the literal string "path/to/certificate", not the file contents

So I create the signature based on the private and the public keys from the file. So what I need to do is to compare this signature with the existing signature in the certificate. If they match, it means that the private key matches. However, I couldn't retrieve the existing signature information from the file. I was wondering if my way is a right way to do it since I have found no information on google.

thanks.

Upvotes: 2

Views: 3767

Answers (3)

Wikinaut

Reputation: 113

@Karthik:

many thanks for your pointer to http://badpenguins.com/source/misc/isCertSigner.php?viewSource . It is a pity that the openssl-php library lacks the extractSignature function.

I added the code found on http://badpenguins.com/source/misc/isCertSigner.php to

Upvotes: 1

neubert

Reputation: 16792

I have a self-signed signature which contains the certificate itself and the private key. My purpose is to check if this private key matches with the certificate. What I do is the following:

Certificates don't contain private keys. Just public keys. They're signed by a private key (which in the case of self-signed certs would be the private key corresponding to the public key contained in the cert) but they do not contain private keys.

So what I need to do is to compare this signature with the existing signature in the certificate. If they match, it means that the private key matches.

They shouldn't ever match. Check out phpseclib's X.509 parser and decode the sample cert they provide with it. There are three parts at the root level. tbsCertificate, signatureAlgorithm and signature. signature is based on tbsCertificate. So you're wanting a signature of tbsCertificate to match a signature of all three fields combined. Which is pretty much never going to happen.

As for extracting the signature itself... you can use phpseclib for that. eg.

<?php
include('File/X509.php');   // phpseclib 1.x

$x509 = new File_X509();
$cert = $x509->loadX509('...');   // the PEM or DER certificate goes here

// root-level fields of the decoded Certificate: tbsCertificate, signatureAlgorithm, signature
echo $cert['signature'];

Upvotes: 3

Karthik

Reputation: 750

If all you want to do is check if the private key and the certificate matches, you can just call openssl_x509_check_private_key. It takes a certificate and private key as input and returns whether they both match or not. Take a look at the documentation here.

EDIT: Also, note that, the signature in the certificate is arrived using different information that composes the certificate whereas the data that you pass to the openssl_sign function is just the path to the certificate. So, even if you do end up identifying a way to extract the signature from the certificate, it still won't match the output of openssl_sign (definitely not with the $data that you are passing to openssl_sign).

Upvotes: 6
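The following script is an added example (not code from the thread, from PHP's documentation or from phpseclib) that ties the two answers together: it runs openssl_x509_check_private_key() as Karthik suggests, and then shows concretely what neubert describes, namely that the certificate's stored signature covers only the DER-encoded tbsCertificate, so a fresh openssl_sign() over anything else will never equal it. It assumes PHP 7.1 or newer with the openssl extension, generates a throwaway self-signed certificate for "example.test" in memory (constructed test data, nothing is read from disk), and the helpers der_read_tlv() and split_certificate() are names chosen here, not functions of any library.

```php
<?php
// Added example, not from the original thread. Requires PHP 7.1+ with ext/openssl.

// --- 1. constructed test data: a fresh key and a self-signed certificate ---
$config = [
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'digest_alg'       => 'sha256',
];
$key  = openssl_pkey_new($config);
$csr  = openssl_csr_new(['commonName' => 'example.test'], $key, $config);
$x509 = openssl_csr_sign($csr, null, $key, 365, $config);   // null issuer cert => self-signed
openssl_x509_export($x509, $certPem);
openssl_pkey_export($key, $keyPem);

// an unrelated key, for the negative case
$otherKey = openssl_pkey_new($config);
openssl_pkey_export($otherKey, $otherKeyPem);

// --- 2. the direct answer: does the private key belong to the certificate? ---
echo 'matching key:   ', var_export(openssl_x509_check_private_key($certPem, $keyPem), true), PHP_EOL;
echo 'unrelated key:  ', var_export(openssl_x509_check_private_key($certPem, $otherKeyPem), true), PHP_EOL;

// --- 3. why re-signing never reproduces the stored signature ---
// Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature BIT STRING }
// A minimal DER walker (hypothetical helper) that splits the outer SEQUENCE into its children.

function der_read_tlv(string $der, int $offset): array
{
    // returns [tag, header length, content length] for the element at $offset
    $tag = ord($der[$offset]);
    $len = ord($der[$offset + 1]);
    $hdr = 2;
    if ($len & 0x80) {                       // long form: low 7 bits = number of length bytes
        $n   = $len & 0x7f;
        $len = 0;
        for ($i = 0; $i < $n; $i++) {
            $len = ($len << 8) | ord($der[$offset + 2 + $i]);
        }
        $hdr += $n;
    }
    return [$tag, $hdr, $len];
}

function split_certificate(string $der): array
{
    [$tag, $hdr, $len] = der_read_tlv($der, 0);
    if ($tag !== 0x30) {
        throw new RuntimeException('certificate does not start with a SEQUENCE');
    }
    $pos   = $hdr;
    $parts = [];
    while ($pos < $hdr + $len) {
        [, $h, $l] = der_read_tlv($der, $pos);
        $parts[] = substr($der, $pos, $h + $l);   // whole TLV, header included
        $pos += $h + $l;
    }
    return $parts;   // [tbsCertificate, signatureAlgorithm, signature]
}

$der = base64_decode(preg_replace('/-----[^-]+-----|\s+/', '', $certPem));
[$tbs, $sigAlg, $sigBitString] = split_certificate($der);

// BIT STRING content starts with one "unused bits" byte; the rest is the raw signature
[, $h, ] = der_read_tlv($sigBitString, 0);
$storedSignature = substr($sigBitString, $h + 1);

// The stored signature verifies against the DER of tbsCertificate alone
$pub = openssl_pkey_get_public($certPem);
echo 'tbsCertificate signature verifies: ',
     var_export(openssl_verify($tbs, $storedSignature, $pub, OPENSSL_ALGO_SHA256) === 1, true), PHP_EOL;

// Signing the whole certificate (or, as in the question, the literal path string)
// is a signature over different data, so it cannot equal the stored value
openssl_sign($der, $freshSig, $key, OPENSSL_ALGO_SHA256);
echo 'openssl_sign(whole cert) equals stored signature: ',
     var_export($freshSig === $storedSignature, true), PHP_EOL;

// Only a signature over exactly tbsCertificate, by the same key, reproduces it
openssl_sign($tbs, $tbsSig, $key, OPENSSL_ALGO_SHA256);
echo 'openssl_sign(tbsCertificate) equals stored signature: ',
     var_export($tbsSig === $storedSignature, true), PHP_EOL;
```

The DER walker handles only what this task needs (definite-length elements at the certificate's top level); it is not a general ASN.1 parser. The last comparison relies on PKCS#1 v1.5 RSA signatures being deterministic; for RSA-PSS or ECDSA certificates two signatures over the same tbsCertificate differ, and only openssl_verify() is meaningful. In every case openssl_x509_check_private_key() is the check to use for the original question.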
