Working example:
<?php
$data = <<< EOF
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
You have my authorization to spend 10,000 on dinner expenses.
The CEO
EOF;
$fp = fopen("msg.txt", "w");
fwrite($fp, $data);
fclose($fp);
$headers = array("From" => "me@email.com");
openssl_pkcs7_sign("msg.txt", "signed.txt", "file://email.pem", array("file://email.pem", "123456"), $headers);
$data = file_get_contents("signed.txt");
$parts = explode("\n\n", $data, 2);
mail("you@email.com", "Signed message.", $parts[1], $parts[0]);
echo "Email sent";
?>
openssl_pkcs7_sign
Description
bool openssl_pkcs7_sign ( string infilename, string outfilename, mixed signcert, mixed privkey, array headers [, int flags [, string extracerts]] )openssl_pkcs7_sign() takes the contents of the file named infilename and signs them using the certificate and its matching private key specified by signcert and privkey parameters.
headers is an array of headers that will be prepended to the data after it has been signed (see openssl_pkcs7_encrypt() for more information about the format of this parameter.
flags can be used to alter the output - see PKCS7 constants - if not specified, it defaults to PKCS7_DETACHED.
extracerts specifies the name of a file containing a bunch of extra certificates to include in the signature which can for example be used to help the recipient to verify the certificate that you used.
add a note
User Contributed Notes
dmitri at gmx dot net
05-Apr-2006 04:01
05-Apr-2006 04:01
ungdi at hotmail dot com
16-Mar-2005 07:15
16-Mar-2005 07:15
Amongst the many discussions about signing or encrypting email by itself, none really discuss the pain of having an email BOTH signed AND encrypted.
According to RFC 2311, you can encrypt then sign or sign then encrypt. However, it depends on the client in which you are programming for. In my experience, in Outlook 2000, it prefers it Encrypt then Sign. While in Outlook 2003, it is Sign then Encrypt. Generally, you want Sign then Encrypt, as it seems most logical from a snail-mail piece point of view. You first sign a letter than put it in an envelope. Certain clients complain if you do it in an order it does not like, so you may want to experiement with it.
When you perform the first function, do NOT put in any headers in the headers array parameters, you want to put it in the SECOND function you want to perform. If you put the headers in the first function, the second function will hide it from the mail servers. You do not want that. Here I will sign then encrypt.
<?
// Setup mail headers.
$headers = array("To" => "someone@nowhere.net",
"From" => "noone@somewhere.net",
"Subject" => "A signed and encrypted message.");
// Sign the message first
openssl_pkcs7_sign("msg.txt","signed.txt",
"signing_cert.pem",array("private_key.pem",
"password"),array());
// Get the public key certificate.
$pubkey = file_get_contents("cert.pem");
//encrypt the message, now put in the headers.
openssl_pkcs7_encrypt("signed.txt", "enc.txt",
$pubkey,$headers,0,1);
$data = file_get_contents("enc.txt");
// separate header and body, to use with mail function
// unfortunate but required, else we have two sets of headers
// and the email client doesn't decode the attachment
$parts = explode("\n\n", $data, 2);
// send mail (headers in the Headers parameter will override those
// generated for the To & Subject parameters)
mail($mail, $subject, $parts[1], $parts[0]);
?>
Note that if you use a function that picks up the data from the disk to be used in another function in your program, remember that you may have used the explode("\n\n",$data,2) function which may have removed the spacing between the header and the message content.
When you take the signed message and feed it in to the encryption part, you have to remember that the line spacing must also be fed AS PART OF THE MESSAGE BODY! If you plan to sign then encrypt, do not feed the header output from the signing into the encrypting as part of the headers array parameter! The output of the signing should stay as part of the message body being encrypted. (And the same is true if you are doing the reverse of encrypting then signing.) An example of both the signing and encryption function made in to a routine for reusability, and then called to sign and encrypt a message.
THIS IS WRONG!:
<?
// [0] of Array contains headers of message. [1] of Array contains signed body of message.
$signedOutputArray = signMessage($inputMessage,$headers);
// [0] of Array contains headers of message and the signing.
// [1] of Array contains encrypted body of message without the signing header.
$signedAndEncryptedArray = encryptMessage($signedOutputArray[1],
$signedOutputArray[0]);
mail($emailAddr,$subject,$signedAndEncryptedArray[1],
$signedAndEncryptedArray[0]);
?>
THIS IS CORRECT!
<?
// [0] of Array contains headers of signing.
// [1] of Array contains signed body of message.
$signedOutputArray = signMessage($inputMessage,array());
// [0] of Array contains headers of message.
// [1] of Array contains encrypted contents of both the signed message and its headers of the signing.
$signedAndEncryptedArray =
encryptMessage($signedOutputArray[0] . "\n\n" . $signedOutputArray[1],$headers);
mail($emailAddr,$subject,$signedAndEncryptedArray[1],
$signedAndEncryptedArray[0]);
?>
maarten at xolphin dot nl
11-Feb-2005 06:24
11-Feb-2005 06:24
It is also possible to sign message including attachments. An easy way to do this:
<?
$boundary = md5(uniqid(time()));
$boddy = "MIME-Version: 1.0\n";
$boddy .= "Content-Type: multipart/mixed; boundary=\"" . $boundary. "\"\n";
$boddy .= "Content-Transfer-Encoding: quoted-printable\n\n";
$boddy .= "This is a multi-part message in MIME format.\n\n";
$boddy .= "--$boundary\n";
$boddy .= "Content-Type: text/plain; charset=\"iso-8859-1\"\n";
$boddy .= "Content-Transfer-Encoding: quoted-printable\n\n";
$boddy .= $EmailText . "\n\n";
// Add the attachment to the message
do {
$boddy .= "--$boundary\n";
$boddy .= "Content-Type: application/pdf; name=\"FileName\"\n";
$boddy .= "Content-Transfer-Encoding: base64\n";
$boddy .= "Content-Disposition: attachment;\n\n";
$boddy .= chunk_split(base64_encode($file)) . "\n\n";
} while ( {files left to be attached} );
$boddy .= "--$boundary--\n";
// Save message to a file
$msg = 'msg.txt';
$signed = 'signed.txt';
$fp = fopen($msg, "w");
fwrite($fp, $boddy);
fclose($fp);
// Sign it
if (openssl_pkcs7_sign($msg, $signed, 'file://cert.pem',
array('file://key.pem', 'test'),
array("To" => "joes@example.com", // keyed syntax
"From: HQ <ceo@example.com>", // indexed syntax
"Subject" => "Eyes only"), PKCS7_DETACHED, 'intermediate_cert.pem' )) {
exec(ini_get('sendmail_path') . ' < ' . $signed);
}
?>
The same can be established by using the PEAR package Mail_Mime in combination with openssl_pkcs7_sign.
Maciej_Niemir at ilim dot poznan dot pl
17-Oct-2003 10:46
17-Oct-2003 10:46
This command doesn't work correctly on WIN32 with IIS. Mails arent interpreted correctly by IIS SMTP Server (and by Outlook too). The reason is that UNIX and WINDOWS interpret the enter to the next line ascii code in a different way.
Below I present an improved code:
<?php
$data = <<<EOD
Testing 123
This is a test
Test
EOD;
//save the message to a file
$fp = fopen("msg.txt","w");
fwrite($fp,$data);
fclose($fp);
//sign the message using the sender's keys
openssl_pkcs7_sign("msg.txt", "signed.eml", "file://c:/max/cert.pem",
array("file://c:/max/priv.pem","your_password"),
array("To" => "recipient <recipients@mail.com>",
"From" => "sender <sender@mail.com>",
"Subject" => "Order Notification - Test"),PKCS7_DETACHED,"c:\max\extra_cert.pem");
$file_arry = file("signed.eml");
$file = join ("", $file_arry);
$message = preg_replace("/\r\n|\r|\n/", "\r\n", $file);
$fp = fopen("c:\Inetpub\mailroot\Pickup\signed.eml", "wb");
flock($fp, 2);
fputs($fp, $message);
flock($fp, 3);
fclose($fp);
?>
Besides, if you want to use the keys created with Windows, you should export them (from IE) to the form of PKCS#12 file (*.pfx).
Install OpenSSLWin32 from
http://www.shininglightpro.com/search.php?searchname=Win32+OpenSSL
execute: openssl.exe
enter the commands:
pkcs12 -in <pfx-file> -nokeys -out <pem-certs-file>
pkcs12 -in <pfx-file> -nocerts -nodes -out <pem-key-file>
Next export from IE Root CA certificate as Base-64 *.cer and rename the file to *.pem
And that's all!
php at toyingwithfate dot com
24-Sep-2003 05:55
24-Sep-2003 05:55
It's probably worth noting that I had a great deal of difficulty getting either Mozilla 1.4 or Outlook Express 6 to verify signatures generated by openssl_pkcs7_sign() until I added a newline (\n) to the beginning of the message I was signing. Not sure why that is, but as soon as I made that change all problems disappeared.
del at babel dot com dot au
03-May-2002 06:09
03-May-2002 06:09
The "mycert.pem" parameters as shown in the example above are not correct. You either have to pass a string containing the PEM encoded certificate or key, or the location of a file in file://path/to/file.pem notation. See the comments on the OpenSSL functions page (the page above this one).
meint dot post at bigfoot dot com
05-Sep-2001 07:35
05-Sep-2001 07:35
If you want to integrate PKCS7 signing/verifying with a browser and it's not a problem that it's only Internet Explorer (or Netscape + ActiveX plugin) you can look at Capicom. It's a free component and available at the MSDN website.