
openssl_pkcs7_verify

(PHP 4 >= 4.0.6, PHP 5, PHP 7, PHP 8)

openssl_pkcs7_verify: Verifies the signature of an S/MIME signed message

Description

openssl_pkcs7_verify(
    string $input_filename,
    int $flags,
    ?string $signers_certificates_filename = null,
    array $ca_info = [],
    ?string $untrusted_certificates_filename = null,
    ?string $content = null,
    ?string $output_filename = null
): bool|int

openssl_pkcs7_verify() reads the S/MIME message contained in the given file and examines the digital signature.

Parameters

input_filename

Path to the message.

flags

flags can be used to affect how the signature is verified; see PKCS7 constants for more information.

signers_certificates_filename

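If signers_certificates_filename is specified, it should be a string holding the name of a file into which the certificates of the persons that signed the message will be stored in PEM format.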

ca_info

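If ca_info is specified, it should hold information about the trusted CA certificates to use in the verification process; see certificate verification for more information about this parameter.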

untrusted_certificates_filename

If untrusted_certificates_filename is specified, it is the name of a file containing a set of certificates to use as untrusted CAs.

content

You can use content to specify the name of a file that will hold the verified data, with the signature information stripped.

output_filename

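Return Values

Returns true if the signature is verified, false if it is not correct (the message has been tampered with, or the signing certificate is invalid), or -1 on error.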
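Because the function returns true, false or -1, a loose check such as `if (openssl_pkcs7_verify(...))` treats the error value -1 as success. The following is an added example, not part of the manual page; the function name verify_smime() and the file names are hypothetical, and it assumes PHP 8 (where untrusted_certificates_filename may be null):

```php
<?php
// Added example: verify_smime() and the file names used below are hypothetical.

function verify_smime(string $messageFile, string $caBundle): array
{
    $signerFile  = tempnam(sys_get_temp_dir(), 'sig');
    $contentFile = tempnam(sys_get_temp_dir(), 'msg');

    try {
        $result = openssl_pkcs7_verify(
            $messageFile,
            0,             // flags: no PKCS7_* relaxations such as PKCS7_NOVERIFY
            $signerFile,   // signer certificate(s) are written here as PEM
            [$caBundle],   // ca_info: trusted CA file(s) used to validate the signer
            null,          // untrusted_certificates_filename: none (nullable in PHP 8)
            $contentFile   // content: verified data with the signature stripped
        );

        // Compare strictly: -1 is truthy, so `if ($result)` would accept an error.
        if ($result !== true) {
            $errors = [];
            while (($e = openssl_error_string()) !== false) {
                $errors[] = $e;   // drain the OpenSSL error queue for the log
            }
            $kind = ($result === -1) ? 'processing error' : 'signature not verified';
            throw new RuntimeException($kind . ': ' . implode('; ', $errors));
        }

        // Return the signer certificate too, so the caller can check that the
        // message was signed by the expected party, not just by a trusted chain.
        return [
            'content'    => file_get_contents($contentFile),
            'signer_pem' => file_get_contents($signerFile),
        ];
    } finally {
        @unlink($signerFile);
        @unlink($contentFile);
    }
}

try {
    $verified = verify_smime('signed-message.eml', 'trusted-ca.pem');
    echo "Verified content:\n", $verified['content'];
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```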

Changelog

Version  Description
8.0.0    signers_certificates_filename, untrusted_certificates_filename, content and output_filename are now nullable.
7.2.0    The output_filename parameter was added.

Notes

Note: As specified by RFC 2045, lines in the file given by the input_filename parameter may not be longer than 76 characters.


User Contributed Notes 2 notes

up
7
reg1barclay at REMOVETHIS dot live dot it
5 years ago
To verify a .p7m file with openssl_pkcs7_verify() you must convert it to S/MIME format. For example...
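<?php
// Wrap a binary (DER) .p7m file in S/MIME headers so that
// openssl_pkcs7_verify() can read it. The file is overwritten in place.
function der2smime($file)
{
    // The heredoc body and closing marker stay at column 0; the "\n" escape
    // yields the blank line that separates the headers from the body.
    $to = <<<TXT
MIME-Version: 1.0
Content-Disposition: attachment; filename="smime.p7m"
Content-Type: application/x-pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64
\n
TXT;
    $from = file_get_contents($file);
    // Base64-encode and split into 76-character lines (chunk_split default).
    $to .= chunk_split(base64_encode($from));
    // Returns the number of bytes written, or false on failure.
    return file_put_contents($file, $to);
}
?>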
up
-3
Krzychu
9 years ago
To read a signed message in base64 (not encrypted with priv&pub key):

You can just decode the content with the "base64_decode" or "imap_base64" functions and then erase by hand (regexp) the signature from the bottom of the mail. Unfortunately, in my case (mail from Outlook) that message (decoded by "base64_decode") has some additional special chars in some places (i.e. before every attachment encoded in base64), which makes the e-mail message impossible to parse.

After a couple of hours I solved this:
You need to save a single e-mail and use the "openssl_pkcs7_verify" function twice in a row on the original e-mail (with headers and content in base64):
1st use - extract the signature (certificate) from the e-mail and save it to a *.cert file
2nd use - extract (using that *.cert file) the decoded message to a *.out file

Code:
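// Open the saved mailbox file
$handle = imap_open('mailbox.eml', '', '');

// Save message number 1 to $msg
$msg = 'home/john/tmp/email1.eml';
imap_savebody($handle, $msg, 1);

// 1st call: write the signer's certificate to $msg.cert
openssl_pkcs7_verify($msg, 0, $msg . '.cert');
// 2nd call: pass that certificate file again and write the message
// content, with the signature stripped, to $msg.out
openssl_pkcs7_verify($msg, 0, $msg . '.cert', array(), $msg . '.cert', $msg.'.out');

// Read the extracted content
$email_content = file_get_contents($msg . '.out');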