Generating signature using self signed certificate












1















I have the following sample code which I made for generating a signature using self signed certificate



public static String generateSignature(String data) throws Exception {



        System.out.println("@@inside generateSignature: " + data);



        String signature;



        String jksFilepath = "E:\test.jks";



        try {

            // Adding Security Provider for PKCS 12

            Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

            // Setting password for the e-Token



            // logging into token

            ks = KeyStore.getInstance("jks");





            FileInputStream fileInputStream = new FileInputStream(jksFilepath);



            // Loading Keystore

            // System.out.println("loading keystore");

            ks.load(fileInputStream, JKSPassword);

            Enumeration<String> e = ks.aliases();



            while (e.hasMoreElements()) {

                alias = e.nextElement();

                // System.out.println("Alias of the e-Token : "+ alias);



                UserCert = (X509Certificate) ks.getCertificate(alias);



                UserCertPubKey = (PublicKey) ks.getCertificate(alias).getPublicKey();



                // System.out.println("loading Private key");

                UserCertPrivKey = (PrivateKey) ks.getKey(alias, JKSPassword);

            }



            // Method Call to generate Signature

            signature = MakeSignature(data);



            return signature;



        } catch (Exception e) {

            e.printStackTrace();

            System.out.println("generateSignature" + e.getCause());

            throw new Exception();

        }



    }



    private static String MakeSignature(String data) {



        System.out.println("@@inside MakeSignature...");



        try {

            PrivateKey privateKey = (PrivateKey) ks.getKey(alias, JKSPassword);

            myPubCert = (X509Certificate) ks.getCertificate(alias);

            Store certs = new JcaCertStore(Arrays.asList(myPubCert));



            CMSSignedDataGenerator generator = new CMSSignedDataGenerator();



            generator.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder().setProvider("BC").build("SHA256withRSA", privateKey, myPubCert));



            generator.addCertificates(certs);



            CMSTypedData data1 = new CMSProcessableByteArray(data.getBytes());



            CMSSignedData signed = generator.generate(data1, true);



            BASE64Encoder encoder = new BASE64Encoder();



            String signedContent = encoder.encode((byte) signed.getSignedContent().getContent());



            String envelopedData = encoder.encode(signed.getEncoded());



            return envelopedData;

        } catch (Exception e) {

            e.printStackTrace();

            System.out.println("MakeSignature ==" + e.getCause());

            return "";

        }

    }


There are some associated functions as well, but for the sake of giving brief I am not adding it.



Now I want to do the exact same things using PHP.



JKS doesnt work on PHP as its keystore for Java.



I tried open_ssl functions with different sets of encryption methods. But I am not getting the expected result which is as same as what I get via this java code ("not same" is about the bit rate and length of generated signature).



Can someone help me to implement the same signature generation in PHP, please?






java php x509certificate self-signed-certificate







share|improve this question

























  • You could call the java, as a self contained executable, from PHP :-)

    – Nic3500
    Nov 15 '18 at 14:37











  • @Nic3500 :P true but dont want to do that, if it can be done directly in PHP

    – Ajeesh
    Nov 15 '18 at 14:40











  • try this example-code.com/phpExt/jks_listContents.asp

    – Sid Malani
    Nov 20 '18 at 4:10











  • By "not same" you really mean "the Java based signature can be validated in PHP and vice versa but the signature strings don't match"?

    – dpr
    Nov 21 '18 at 11:31











  • maybe it's "just the base64 encoding" (which is applied in java (to the "dumped" key ... MakeSignature()), but missing/invisible in php (sample) code ..)!?

    – xerx593
    Nov 22 '18 at 8:53


















1















I have the following sample code which I made for generating a signature using self signed certificate



public static String generateSignature(String data) throws Exception {



        System.out.println("@@inside generateSignature: " + data);



        String signature;



        String jksFilepath = "E:\test.jks";



        try {

            // Adding Security Provider for PKCS 12

            Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

            // Setting password for the e-Token



            // logging into token

            ks = KeyStore.getInstance("jks");





            FileInputStream fileInputStream = new FileInputStream(jksFilepath);



            // Loading Keystore

            // System.out.println("loading keystore");

            ks.load(fileInputStream, JKSPassword);

            Enumeration<String> e = ks.aliases();



            while (e.hasMoreElements()) {

                alias = e.nextElement();

                // System.out.println("Alias of the e-Token : "+ alias);



                UserCert = (X509Certificate) ks.getCertificate(alias);



                UserCertPubKey = (PublicKey) ks.getCertificate(alias).getPublicKey();



                // System.out.println("loading Private key");

                UserCertPrivKey = (PrivateKey) ks.getKey(alias, JKSPassword);

            }



            // Method Call to generate Signature

            signature = MakeSignature(data);



            return signature;



        } catch (Exception e) {

            e.printStackTrace();

            System.out.println("generateSignature" + e.getCause());

            throw new Exception();

        }



    }



    private static String MakeSignature(String data) {



        System.out.println("@@inside MakeSignature...");



        try {

            PrivateKey privateKey = (PrivateKey) ks.getKey(alias, JKSPassword);

            myPubCert = (X509Certificate) ks.getCertificate(alias);

            Store certs = new JcaCertStore(Arrays.asList(myPubCert));



            CMSSignedDataGenerator generator = new CMSSignedDataGenerator();



            generator.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder().setProvider("BC").build("SHA256withRSA", privateKey, myPubCert));



            generator.addCertificates(certs);



            CMSTypedData data1 = new CMSProcessableByteArray(data.getBytes());



            CMSSignedData signed = generator.generate(data1, true);



            BASE64Encoder encoder = new BASE64Encoder();



            String signedContent = encoder.encode((byte) signed.getSignedContent().getContent());



            String envelopedData = encoder.encode(signed.getEncoded());



            return envelopedData;

        } catch (Exception e) {

            e.printStackTrace();

            System.out.println("MakeSignature ==" + e.getCause());

            return "";

        }

    }


There are some associated functions as well, but for the sake of giving brief I am not adding it.



Now I want to do the exact same things using PHP.



JKS doesnt work on PHP as its keystore for Java.



I tried open_ssl functions with different sets of encryption methods. But I am not getting the expected result which is as same as what I get via this java code ("not same" is about the bit rate and length of generated signature).



Can someone help me to implement the same signature generation in PHP, please?






java php x509certificate self-signed-certificate







share|improve this question

























  • You could call the java, as a self contained executable, from PHP :-)

    – Nic3500
    Nov 15 '18 at 14:37











  • @Nic3500 :P true but dont want to do that, if it can be done directly in PHP

    – Ajeesh
    Nov 15 '18 at 14:40











  • try this example-code.com/phpExt/jks_listContents.asp

    – Sid Malani
    Nov 20 '18 at 4:10











  • By "not same" you really mean "the Java based signature can be validated in PHP and vice versa but the signature strings don't match"?

    – dpr
    Nov 21 '18 at 11:31











  • maybe it's "just the base64 encoding" (which is applied in java (to the "dumped" key ... MakeSignature()), but missing/invisible in php (sample) code ..)!?

    – xerx593
    Nov 22 '18 at 8:53
















1












1








1








I have the following sample code which I made for generating a signature using self signed certificate



public static String generateSignature(String data) throws Exception {



        System.out.println("@@inside generateSignature: " + data);



        String signature;



        String jksFilepath = "E:\test.jks";



        try {

            // Adding Security Provider for PKCS 12

            Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

            // Setting password for the e-Token



            // logging into token

            ks = KeyStore.getInstance("jks");





            FileInputStream fileInputStream = new FileInputStream(jksFilepath);



            // Loading Keystore

            // System.out.println("loading keystore");

            ks.load(fileInputStream, JKSPassword);

            Enumeration<String> e = ks.aliases();



            while (e.hasMoreElements()) {

                alias = e.nextElement();

                // System.out.println("Alias of the e-Token : "+ alias);



                UserCert = (X509Certificate) ks.getCertificate(alias);



                UserCertPubKey = (PublicKey) ks.getCertificate(alias).getPublicKey();



                // System.out.println("loading Private key");

                UserCertPrivKey = (PrivateKey) ks.getKey(alias, JKSPassword);

            }



            // Method Call to generate Signature

            signature = MakeSignature(data);



            return signature;



        } catch (Exception e) {

            e.printStackTrace();

            System.out.println("generateSignature" + e.getCause());

            throw new Exception();

        }



    }



    private static String MakeSignature(String data) {



        System.out.println("@@inside MakeSignature...");



        try {

            PrivateKey privateKey = (PrivateKey) ks.getKey(alias, JKSPassword);

            myPubCert = (X509Certificate) ks.getCertificate(alias);

            Store certs = new JcaCertStore(Arrays.asList(myPubCert));



            CMSSignedDataGenerator generator = new CMSSignedDataGenerator();



            generator.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder().setProvider("BC").build("SHA256withRSA", privateKey, myPubCert));



            generator.addCertificates(certs);



            CMSTypedData data1 = new CMSProcessableByteArray(data.getBytes());



            CMSSignedData signed = generator.generate(data1, true);



            BASE64Encoder encoder = new BASE64Encoder();



            String signedContent = encoder.encode((byte) signed.getSignedContent().getContent());



            String envelopedData = encoder.encode(signed.getEncoded());



            return envelopedData;

        } catch (Exception e) {

            e.printStackTrace();

            System.out.println("MakeSignature ==" + e.getCause());

            return "";

        }

    }


There are some associated functions as well, but for the sake of giving brief I am not adding it.



Now I want to do the exact same things using PHP.



JKS doesnt work on PHP as its keystore for Java.



I tried open_ssl functions with different sets of encryption methods. But I am not getting the expected result which is as same as what I get via this java code ("not same" is about the bit rate and length of generated signature).



Can someone help me to implement the same signature generation in PHP, please?






java php x509certificate self-signed-certificate







share|improve this question
















I have the following sample code which I made for generating a signature using self signed certificate



public static String generateSignature(String data) throws Exception {



        System.out.println("@@inside generateSignature: " + data);



        String signature;



        String jksFilepath = "E:\test.jks";



        try {

            // Adding Security Provider for PKCS 12

            Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

            // Setting password for the e-Token



            // logging into token

            ks = KeyStore.getInstance("jks");





            FileInputStream fileInputStream = new FileInputStream(jksFilepath);



            // Loading Keystore

            // System.out.println("loading keystore");

            ks.load(fileInputStream, JKSPassword);

            Enumeration<String> e = ks.aliases();



            while (e.hasMoreElements()) {

                alias = e.nextElement();

                // System.out.println("Alias of the e-Token : "+ alias);



                UserCert = (X509Certificate) ks.getCertificate(alias);



                UserCertPubKey = (PublicKey) ks.getCertificate(alias).getPublicKey();



                // System.out.println("loading Private key");

                UserCertPrivKey = (PrivateKey) ks.getKey(alias, JKSPassword);

            }



            // Method Call to generate Signature

            signature = MakeSignature(data);



            return signature;



        } catch (Exception e) {

            e.printStackTrace();

            System.out.println("generateSignature" + e.getCause());

            throw new Exception();

        }



    }



    private static String MakeSignature(String data) {



        System.out.println("@@inside MakeSignature...");



        try {

            PrivateKey privateKey = (PrivateKey) ks.getKey(alias, JKSPassword);

            myPubCert = (X509Certificate) ks.getCertificate(alias);

            Store certs = new JcaCertStore(Arrays.asList(myPubCert));



            CMSSignedDataGenerator generator = new CMSSignedDataGenerator();



            generator.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder().setProvider("BC").build("SHA256withRSA", privateKey, myPubCert));



            generator.addCertificates(certs);



            CMSTypedData data1 = new CMSProcessableByteArray(data.getBytes());



            CMSSignedData signed = generator.generate(data1, true);



            BASE64Encoder encoder = new BASE64Encoder();



            String signedContent = encoder.encode((byte) signed.getSignedContent().getContent());



            String envelopedData = encoder.encode(signed.getEncoded());



            return envelopedData;

        } catch (Exception e) {

            e.printStackTrace();

            System.out.println("MakeSignature ==" + e.getCause());

            return "";

        }

    }


There are some associated functions as well, but for the sake of giving brief I am not adding it.



Now I want to do the exact same things using PHP.



JKS doesnt work on PHP as its keystore for Java.



I tried open_ssl functions with different sets of encryption methods. But I am not getting the expected result which is as same as what I get via this java code ("not same" is about the bit rate and length of generated signature).



Can someone help me to implement the same signature generation in PHP, please?






java php x509certificate self-signed-certificate




java php x509certificate self-signed-certificate






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 15 '18 at 14:57









Bsquare ℬℬ

3,65491535




3,65491535










asked Nov 15 '18 at 14:09









AjeeshAjeesh

1,17461636




1,17461636













  • You could call the java, as a self contained executable, from PHP :-)

    – Nic3500
    Nov 15 '18 at 14:37











  • @Nic3500 :P true but dont want to do that, if it can be done directly in PHP

    – Ajeesh
    Nov 15 '18 at 14:40











  • try this example-code.com/phpExt/jks_listContents.asp

    – Sid Malani
    Nov 20 '18 at 4:10











  • By "not same" you really mean "the Java based signature can be validated in PHP and vice versa but the signature strings don't match"?

    – dpr
    Nov 21 '18 at 11:31











  • maybe it's "just the base64 encoding" (which is applied in java (to the "dumped" key ... MakeSignature()), but missing/invisible in php (sample) code ..)!?

    – xerx593
    Nov 22 '18 at 8:53





















  • You could call the java, as a self contained executable, from PHP :-)

    – Nic3500
    Nov 15 '18 at 14:37











  • @Nic3500 :P true but dont want to do that, if it can be done directly in PHP

    – Ajeesh
    Nov 15 '18 at 14:40











  • try this example-code.com/phpExt/jks_listContents.asp

    – Sid Malani
    Nov 20 '18 at 4:10











  • By "not same" you really mean "the Java based signature can be validated in PHP and vice versa but the signature strings don't match"?

    – dpr
    Nov 21 '18 at 11:31











  • maybe it's "just the base64 encoding" (which is applied in java (to the "dumped" key ... MakeSignature()), but missing/invisible in php (sample) code ..)!?

    – xerx593
    Nov 22 '18 at 8:53



















You could call the java, as a self contained executable, from PHP :-)

– Nic3500
Nov 15 '18 at 14:37





You could call the java, as a self contained executable, from PHP :-)

– Nic3500
Nov 15 '18 at 14:37













@Nic3500 :P true but dont want to do that, if it can be done directly in PHP

– Ajeesh
Nov 15 '18 at 14:40





@Nic3500 :P true but dont want to do that, if it can be done directly in PHP

– Ajeesh
Nov 15 '18 at 14:40













try this example-code.com/phpExt/jks_listContents.asp

– Sid Malani
Nov 20 '18 at 4:10





try this example-code.com/phpExt/jks_listContents.asp

– Sid Malani
Nov 20 '18 at 4:10













By "not same" you really mean "the Java based signature can be validated in PHP and vice versa but the signature strings don't match"?

– dpr
Nov 21 '18 at 11:31





By "not same" you really mean "the Java based signature can be validated in PHP and vice versa but the signature strings don't match"?

– dpr
Nov 21 '18 at 11:31













maybe it's "just the base64 encoding" (which is applied in java (to the "dumped" key ... MakeSignature()), but missing/invisible in php (sample) code ..)!?

– xerx593
Nov 22 '18 at 8:53







maybe it's "just the base64 encoding" (which is applied in java (to the "dumped" key ... MakeSignature()), but missing/invisible in php (sample) code ..)!?

– xerx593
Nov 22 '18 at 8:53














2 Answers
2






active

oldest

votes


















5





+100









I think the PHP official document is very clear: http://php.net/manual/en/function.openssl-csr-new.php



Example #1 Creating a self-signed certificate



<?php

$dn = array(

    "countryName" => "GB",

    "stateOrProvinceName" => "Somerset",

    "localityName" => "Glastonbury",

    "organizationName" => "The Brain Room Limited",

    "organizationalUnitName" => "PHP Documentation Team",

    "commonName" => "Wez Furlong",

    "emailAddress" => "wez@example.com"

);



// Generate a new private (and public) key pair

$privkey = openssl_pkey_new(array(

    "private_key_bits" => 2048,

    "private_key_type" => OPENSSL_KEYTYPE_RSA,

));



// Generate a certificate signing request

$csr = openssl_csr_new($dn, $privkey, array('digest_alg' => 'sha256'));



// Generate a self-signed cert, valid for 365 days

$x509 = openssl_csr_sign($csr, null, $privkey, $days=365, array('digest_alg' => 'sha256'));



// Save your private key, CSR and self-signed cert for later use

openssl_csr_export($csr, $csrout) and var_dump($csrout);

openssl_x509_export($x509, $certout) and var_dump($certout);

openssl_pkey_export($privkey, $pkeyout, "mypassword") and var_dump($pkeyout);



// Show any errors that occurred here

while (($e = openssl_error_string()) !== false) {

    echo $e . "n";

}


Then you can call openssl_sign: http://php.net/manual/en/function.openssl-sign.php , use the generated private key to sign.



If you want to use the Java(JKS)'s key in PHP code, you should export the keys first, and then use PHP function load the keys.






share|improve this answer
























  • This didn't work as expected. Didnt got expected result. The signed content I recieved is HJEN4z2zWIhHvpNnWB6DM13j1Mxd05TnvYg47x5gVZSw2B8yRAlPK8yQtSDvd1JJbvTx4SiQN4qU5ROhB3ts9QjbShUUgtD5jLAu94GiIG9zSqtBknc5ab/CXUiJIzxOGW0OBxNme+a9SHL3Z6QjFKbtbopO0sEr3k7JYpx8wQbqrH1Zp45MYdvrcknIlpUbb4pvEZhUuMPcxuI/CpbmgdGm7Ep+DD9ecMsdVtgCmvQiLFAxOoaRa3gtr/cxrj29nIfFKAxtqHgapEb6eETM5JGwsDJEquFjbxCgtKL1XkbV9xJyTAHL7PpNWgHXzn7PZaHnKA+qX1xrgDRZNhBlNg==

    – Ajeesh
    Nov 20 '18 at 4:42











  • Please provide Minimal Reproducible Example stackoverflow.com/help/mcve

    – shawn
    Nov 20 '18 at 6:35



















2














The following code Java and PHP takes a private key from a PKCS12 keystore (keystore.pfx) and signs the content of the data.txt file. Using the same keystore and data both implementations return exactly the same output:



I used plain Java only (no bouncycastle) as the java.security classes can handle PKCS12 input very well:



public static void main(String args) throws Exception {



    String keyStoreFile = "keystore.pfx";

    char password = "password".toCharArray();



    String dataFile = "data.txt";



    PrivateKey priv = loadPrivateKey(keyStoreFile, password);



    byte signature = signData(priv, dataFile);



    System.out.println(Base64.getEncoder().encodeToString(signature));

}



private static byte signData(PrivateKey priv, String dataFile) throws Exception {

    Signature dsa = Signature.getInstance("SHA256withRSA");



    dsa.initSign(priv);



    try (FileInputStream fis = new FileInputStream(dataFile);

         BufferedInputStream bufin = new BufferedInputStream(fis);) {



        byte buffer = new byte[1024];

        int len;

        while ((len = bufin.read(buffer)) >= 0) {

            dsa.update(buffer, 0, len);

        }



        bufin.close();



        byte realSig = dsa.sign();

        return realSig;

    }

}



private static PrivateKey loadPrivateKey(String keyStoreFile, char password) throws Exception {

    try (FileInputStream fin = new FileInputStream(keyStoreFile)) {

        KeyStore ks = KeyStore.getInstance("PKCS12", "SunJSSE");

        ks.load(fin, password);

        PrivateKey priv = (PrivateKey) ks.getKey("1", password);

        return priv;

    }

}


And the PHP version:



<?php

//data you want to sign

$data = file_get_contents("data.txt");



$cert_store = file_get_contents("keystore.pfx");

openssl_pkcs12_read($cert_store, $cert_info, "password");



//create signature

openssl_sign($data, $signature, $cert_info['pkey'], OPENSSL_ALGO_SHA256);



//finally encode

$r = base64_encode($signature);

print $r;

?>


I used OpenSSL to generate the PKCS12 keystore.pfx file:



# generate new RSA private key

openssl genrsa -out private.pem 1024

# CSR and signed certificate are needed to export as PKCS12 store

openssl req -new -key private.pem -out certificate.csr

openssl x509 -req -days 365 -in certificate.csr -signkey private.pem -out certificate.crt

# export as PKCS12 keystore

openssl pkcs12 -export -out keystore.pfx -inkey private.pem -in certificate.crt -passout pass:password


You can sign the data.txt using OpenSSL as well:



openssl dgst -sha256 -sign private.pem < data.txt | openssl base64


All version will output the same result.



If you have a JKS keystore and want to use the private key stored in this keystore, you can export the JKS keystore to PKCS12:



keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.pfx 

    -srcstoretype JKS -deststoretype PKCS12 -deststorepass password 

    -srcalias alias -destalias 1



One more thing to note as this always seems to be confused:



You don't sign data using a certificate. You sign data using a (private) key. A certificate is more or less simply a piece of data signed with a private key. A self-signed certificate is signed with your own private key. While a certificate issued by a certificate authority (CA) is signed with the CA's private key.



In the above example the generated certificate signing request (CSR) and certificate and basically only created to import the private key into the PKCS12 keystore. You could use the plain private.pem key file as well for the signing purpose, but as you were using a PKCS12 keystore I did the same.






share|improve this answer

























    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53321299%2fgenerating-signature-using-self-signed-certificate%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    5





    +100









    I think the PHP official document is very clear: http://php.net/manual/en/function.openssl-csr-new.php



    Example #1 Creating a self-signed certificate



    <?php
    
$dn = array(
    
    "countryName" => "GB",
    
    "stateOrProvinceName" => "Somerset",
    
    "localityName" => "Glastonbury",
    
    "organizationName" => "The Brain Room Limited",
    
    "organizationalUnitName" => "PHP Documentation Team",
    
    "commonName" => "Wez Furlong",
    
    "emailAddress" => "wez@example.com"
    
);
    

    
// Generate a new private (and public) key pair
    
$privkey = openssl_pkey_new(array(
    
    "private_key_bits" => 2048,
    
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
    
));
    

    
// Generate a certificate signing request
    
$csr = openssl_csr_new($dn, $privkey, array('digest_alg' => 'sha256'));
    

    
// Generate a self-signed cert, valid for 365 days
    
$x509 = openssl_csr_sign($csr, null, $privkey, $days=365, array('digest_alg' => 'sha256'));
    

    
// Save your private key, CSR and self-signed cert for later use
    
openssl_csr_export($csr, $csrout) and var_dump($csrout);
    
openssl_x509_export($x509, $certout) and var_dump($certout);
    
openssl_pkey_export($privkey, $pkeyout, "mypassword") and var_dump($pkeyout);
    

    
// Show any errors that occurred here
    
while (($e = openssl_error_string()) !== false) {
    
    echo $e . "n";
    
}


    Then you can call openssl_sign: http://php.net/manual/en/function.openssl-sign.php , use the generated private key to sign.



    If you want to use the Java(JKS)'s key in PHP code, you should export the keys first, and then use PHP function load the keys.






    share|improve this answer
























    • This didn't work as expected. Didnt got expected result. The signed content I recieved is HJEN4z2zWIhHvpNnWB6DM13j1Mxd05TnvYg47x5gVZSw2B8yRAlPK8yQtSDvd1JJbvTx4SiQN4qU5ROhB3ts9QjbShUUgtD5jLAu94GiIG9zSqtBknc5ab/CXUiJIzxOGW0OBxNme+a9SHL3Z6QjFKbtbopO0sEr3k7JYpx8wQbqrH1Zp45MYdvrcknIlpUbb4pvEZhUuMPcxuI/CpbmgdGm7Ep+DD9ecMsdVtgCmvQiLFAxOoaRa3gtr/cxrj29nIfFKAxtqHgapEb6eETM5JGwsDJEquFjbxCgtKL1XkbV9xJyTAHL7PpNWgHXzn7PZaHnKA+qX1xrgDRZNhBlNg==

      – Ajeesh
      Nov 20 '18 at 4:42











    • Please provide Minimal Reproducible Example stackoverflow.com/help/mcve

      – shawn
      Nov 20 '18 at 6:35
















    5





    +100









    I think the PHP official document is very clear: http://php.net/manual/en/function.openssl-csr-new.php



    Example #1 Creating a self-signed certificate



    <?php
    
$dn = array(
    
    "countryName" => "GB",
    
    "stateOrProvinceName" => "Somerset",
    
    "localityName" => "Glastonbury",
    
    "organizationName" => "The Brain Room Limited",
    
    "organizationalUnitName" => "PHP Documentation Team",
    
    "commonName" => "Wez Furlong",
    
    "emailAddress" => "wez@example.com"
    
);
    

    
// Generate a new private (and public) key pair
    
$privkey = openssl_pkey_new(array(
    
    "private_key_bits" => 2048,
    
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
    
));
    

    
// Generate a certificate signing request
    
$csr = openssl_csr_new($dn, $privkey, array('digest_alg' => 'sha256'));
    

    
// Generate a self-signed cert, valid for 365 days
    
$x509 = openssl_csr_sign($csr, null, $privkey, $days=365, array('digest_alg' => 'sha256'));
    

    
// Save your private key, CSR and self-signed cert for later use
    
openssl_csr_export($csr, $csrout) and var_dump($csrout);
    
openssl_x509_export($x509, $certout) and var_dump($certout);
    
openssl_pkey_export($privkey, $pkeyout, "mypassword") and var_dump($pkeyout);
    

    
// Show any errors that occurred here
    
while (($e = openssl_error_string()) !== false) {
    
    echo $e . "n";
    
}


    Then you can call openssl_sign: http://php.net/manual/en/function.openssl-sign.php , use the generated private key to sign.



    If you want to use the Java(JKS)'s key in PHP code, you should export the keys first, and then use PHP function load the keys.






    share|improve this answer
























    • This didn't work as expected. Didnt got expected result. The signed content I recieved is HJEN4z2zWIhHvpNnWB6DM13j1Mxd05TnvYg47x5gVZSw2B8yRAlPK8yQtSDvd1JJbvTx4SiQN4qU5ROhB3ts9QjbShUUgtD5jLAu94GiIG9zSqtBknc5ab/CXUiJIzxOGW0OBxNme+a9SHL3Z6QjFKbtbopO0sEr3k7JYpx8wQbqrH1Zp45MYdvrcknIlpUbb4pvEZhUuMPcxuI/CpbmgdGm7Ep+DD9ecMsdVtgCmvQiLFAxOoaRa3gtr/cxrj29nIfFKAxtqHgapEb6eETM5JGwsDJEquFjbxCgtKL1XkbV9xJyTAHL7PpNWgHXzn7PZaHnKA+qX1xrgDRZNhBlNg==

      – Ajeesh
      Nov 20 '18 at 4:42











    • Please provide Minimal Reproducible Example stackoverflow.com/help/mcve

      – shawn
      Nov 20 '18 at 6:35














    5





    +100







    5





    +100



    5




    +100





    I think the PHP official document is very clear: http://php.net/manual/en/function.openssl-csr-new.php



    Example #1 Creating a self-signed certificate



    <?php
    
$dn = array(
    
    "countryName" => "GB",
    
    "stateOrProvinceName" => "Somerset",
    
    "localityName" => "Glastonbury",
    
    "organizationName" => "The Brain Room Limited",
    
    "organizationalUnitName" => "PHP Documentation Team",
    
    "commonName" => "Wez Furlong",
    
    "emailAddress" => "wez@example.com"
    
);
    

    
// Generate a new private (and public) key pair
    
$privkey = openssl_pkey_new(array(
    
    "private_key_bits" => 2048,
    
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
    
));
    

    
// Generate a certificate signing request
    
$csr = openssl_csr_new($dn, $privkey, array('digest_alg' => 'sha256'));
    

    
// Generate a self-signed cert, valid for 365 days
    
$x509 = openssl_csr_sign($csr, null, $privkey, $days=365, array('digest_alg' => 'sha256'));
    

    
// Save your private key, CSR and self-signed cert for later use
    
openssl_csr_export($csr, $csrout) and var_dump($csrout);
    
openssl_x509_export($x509, $certout) and var_dump($certout);
    
openssl_pkey_export($privkey, $pkeyout, "mypassword") and var_dump($pkeyout);
    

    
// Show any errors that occurred here
    
while (($e = openssl_error_string()) !== false) {
    
    echo $e . "n";
    
}


    Then you can call openssl_sign: http://php.net/manual/en/function.openssl-sign.php , use the generated private key to sign.



    If you want to use the Java(JKS)'s key in PHP code, you should export the keys first, and then use PHP function load the keys.






    share|improve this answer













    I think the PHP official document is very clear: http://php.net/manual/en/function.openssl-csr-new.php



    Example #1 Creating a self-signed certificate



    <?php
    
$dn = array(
    
    "countryName" => "GB",
    
    "stateOrProvinceName" => "Somerset",
    
    "localityName" => "Glastonbury",
    
    "organizationName" => "The Brain Room Limited",
    
    "organizationalUnitName" => "PHP Documentation Team",
    
    "commonName" => "Wez Furlong",
    
    "emailAddress" => "wez@example.com"
    
);
    

    
// Generate a new private (and public) key pair
    
$privkey = openssl_pkey_new(array(
    
    "private_key_bits" => 2048,
    
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
    
));
    

    
// Generate a certificate signing request
    
$csr = openssl_csr_new($dn, $privkey, array('digest_alg' => 'sha256'));
    

    
// Generate a self-signed cert, valid for 365 days
    
$x509 = openssl_csr_sign($csr, null, $privkey, $days=365, array('digest_alg' => 'sha256'));
    

    
// Save your private key, CSR and self-signed cert for later use
    
openssl_csr_export($csr, $csrout) and var_dump($csrout);
    
openssl_x509_export($x509, $certout) and var_dump($certout);
    
openssl_pkey_export($privkey, $pkeyout, "mypassword") and var_dump($pkeyout);
    

    
// Show any errors that occurred here
    
while (($e = openssl_error_string()) !== false) {
    
    echo $e . "n";
    
}


    Then you can call openssl_sign: http://php.net/manual/en/function.openssl-sign.php , use the generated private key to sign.



    If you want to use the Java(JKS)'s key in PHP code, you should export the keys first, and then use PHP function load the keys.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Nov 19 '18 at 6:45









    shawnshawn

    3,320618




    3,320618













    • This didn't work as expected. Didnt got expected result. The signed content I recieved is HJEN4z2zWIhHvpNnWB6DM13j1Mxd05TnvYg47x5gVZSw2B8yRAlPK8yQtSDvd1JJbvTx4SiQN4qU5ROhB3ts9QjbShUUgtD5jLAu94GiIG9zSqtBknc5ab/CXUiJIzxOGW0OBxNme+a9SHL3Z6QjFKbtbopO0sEr3k7JYpx8wQbqrH1Zp45MYdvrcknIlpUbb4pvEZhUuMPcxuI/CpbmgdGm7Ep+DD9ecMsdVtgCmvQiLFAxOoaRa3gtr/cxrj29nIfFKAxtqHgapEb6eETM5JGwsDJEquFjbxCgtKL1XkbV9xJyTAHL7PpNWgHXzn7PZaHnKA+qX1xrgDRZNhBlNg==

      – Ajeesh
      Nov 20 '18 at 4:42











    • Please provide Minimal Reproducible Example stackoverflow.com/help/mcve

      – shawn
      Nov 20 '18 at 6:35



















    • This didn't work as expected. Didnt got expected result. The signed content I recieved is HJEN4z2zWIhHvpNnWB6DM13j1Mxd05TnvYg47x5gVZSw2B8yRAlPK8yQtSDvd1JJbvTx4SiQN4qU5ROhB3ts9QjbShUUgtD5jLAu94GiIG9zSqtBknc5ab/CXUiJIzxOGW0OBxNme+a9SHL3Z6QjFKbtbopO0sEr3k7JYpx8wQbqrH1Zp45MYdvrcknIlpUbb4pvEZhUuMPcxuI/CpbmgdGm7Ep+DD9ecMsdVtgCmvQiLFAxOoaRa3gtr/cxrj29nIfFKAxtqHgapEb6eETM5JGwsDJEquFjbxCgtKL1XkbV9xJyTAHL7PpNWgHXzn7PZaHnKA+qX1xrgDRZNhBlNg==

      – Ajeesh
      Nov 20 '18 at 4:42











    • Please provide Minimal Reproducible Example stackoverflow.com/help/mcve

      – shawn
      Nov 20 '18 at 6:35

















    This didn't work as expected. Didnt got expected result. The signed content I recieved is HJEN4z2zWIhHvpNnWB6DM13j1Mxd05TnvYg47x5gVZSw2B8yRAlPK8yQtSDvd1JJbvTx4SiQN4qU5ROhB3ts9QjbShUUgtD5jLAu94GiIG9zSqtBknc5ab/CXUiJIzxOGW0OBxNme+a9SHL3Z6QjFKbtbopO0sEr3k7JYpx8wQbqrH1Zp45MYdvrcknIlpUbb4pvEZhUuMPcxuI/CpbmgdGm7Ep+DD9ecMsdVtgCmvQiLFAxOoaRa3gtr/cxrj29nIfFKAxtqHgapEb6eETM5JGwsDJEquFjbxCgtKL1XkbV9xJyTAHL7PpNWgHXzn7PZaHnKA+qX1xrgDRZNhBlNg==

    – Ajeesh
    Nov 20 '18 at 4:42





    This didn't work as expected. Didnt got expected result. The signed content I recieved is HJEN4z2zWIhHvpNnWB6DM13j1Mxd05TnvYg47x5gVZSw2B8yRAlPK8yQtSDvd1JJbvTx4SiQN4qU5ROhB3ts9QjbShUUgtD5jLAu94GiIG9zSqtBknc5ab/CXUiJIzxOGW0OBxNme+a9SHL3Z6QjFKbtbopO0sEr3k7JYpx8wQbqrH1Zp45MYdvrcknIlpUbb4pvEZhUuMPcxuI/CpbmgdGm7Ep+DD9ecMsdVtgCmvQiLFAxOoaRa3gtr/cxrj29nIfFKAxtqHgapEb6eETM5JGwsDJEquFjbxCgtKL1XkbV9xJyTAHL7PpNWgHXzn7PZaHnKA+qX1xrgDRZNhBlNg==

    – Ajeesh
    Nov 20 '18 at 4:42













    Please provide Minimal Reproducible Example stackoverflow.com/help/mcve

    – shawn
    Nov 20 '18 at 6:35





    Please provide Minimal Reproducible Example stackoverflow.com/help/mcve

    – shawn
    Nov 20 '18 at 6:35













    2














    The following code Java and PHP takes a private key from a PKCS12 keystore (keystore.pfx) and signs the content of the data.txt file. Using the same keystore and data both implementations return exactly the same output:



    I used plain Java only (no bouncycastle) as the java.security classes can handle PKCS12 input very well:



    public static void main(String args) throws Exception {
    

    
    String keyStoreFile = "keystore.pfx";
    
    char password = "password".toCharArray();
    

    
    String dataFile = "data.txt";
    

    
    PrivateKey priv = loadPrivateKey(keyStoreFile, password);
    

    
    byte signature = signData(priv, dataFile);
    

    
    System.out.println(Base64.getEncoder().encodeToString(signature));
    
}
    

    
private static byte signData(PrivateKey priv, String dataFile) throws Exception {
    
    Signature dsa = Signature.getInstance("SHA256withRSA");
    

    
    dsa.initSign(priv);
    

    
    try (FileInputStream fis = new FileInputStream(dataFile);
    
         BufferedInputStream bufin = new BufferedInputStream(fis);) {
    

    
        byte buffer = new byte[1024];
    
        int len;
    
        while ((len = bufin.read(buffer)) >= 0) {
    
            dsa.update(buffer, 0, len);
    
        }
    

    
        bufin.close();
    

    
        byte realSig = dsa.sign();
    
        return realSig;
    
    }
    
}
    

    
private static PrivateKey loadPrivateKey(String keyStoreFile, char password) throws Exception {
    
    try (FileInputStream fin = new FileInputStream(keyStoreFile)) {
    
        KeyStore ks = KeyStore.getInstance("PKCS12", "SunJSSE");
    
        ks.load(fin, password);
    
        PrivateKey priv = (PrivateKey) ks.getKey("1", password);
    
        return priv;
    
    }
    
}


    And the PHP version:



    <?php
    
//data you want to sign
    
$data = file_get_contents("data.txt");
    

    
$cert_store = file_get_contents("keystore.pfx");
    
openssl_pkcs12_read($cert_store, $cert_info, "password");
    

    
//create signature
    
openssl_sign($data, $signature, $cert_info['pkey'], OPENSSL_ALGO_SHA256);
    

    
//finally encode
    
$r = base64_encode($signature);
    
print $r;
    
?>


    I used OpenSSL to generate the PKCS12 keystore.pfx file:



    # generate new RSA private key
    
openssl genrsa -out private.pem 1024
    
# CSR and signed certificate are needed to export as PKCS12 store
    
openssl req -new -key private.pem -out certificate.csr
    
openssl x509 -req -days 365 -in certificate.csr -signkey private.pem -out certificate.crt
    
# export as PKCS12 keystore
    
openssl pkcs12 -export -out keystore.pfx -inkey private.pem -in certificate.crt -passout pass:password


    You can sign the data.txt using OpenSSL as well:



    openssl dgst -sha256 -sign private.pem < data.txt | openssl base64


    All version will output the same result.



    If you have a JKS keystore and want to use the private key stored in this keystore, you can export the JKS keystore to PKCS12:



    keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.pfx 
    
    -srcstoretype JKS -deststoretype PKCS12 -deststorepass password 
    
    -srcalias alias -destalias 1



    One more thing to note as this always seems to be confused:



    You don't sign data using a certificate. You sign data using a (private) key. A certificate is more or less simply a piece of data signed with a private key. A self-signed certificate is signed with your own private key. While a certificate issued by a certificate authority (CA) is signed with the CA's private key.



    In the above example the generated certificate signing request (CSR) and certificate and basically only created to import the private key into the PKCS12 keystore. You could use the plain private.pem key file as well for the signing purpose, but as you were using a PKCS12 keystore I did the same.






    share|improve this answer






























      2














      The following code Java and PHP takes a private key from a PKCS12 keystore (keystore.pfx) and signs the content of the data.txt file. Using the same keystore and data both implementations return exactly the same output:



      I used plain Java only (no bouncycastle) as the java.security classes can handle PKCS12 input very well:



      public static void main(String args) throws Exception {
      

      
    String keyStoreFile = "keystore.pfx";
      
    char password = "password".toCharArray();
      

      
    String dataFile = "data.txt";
      

      
    PrivateKey priv = loadPrivateKey(keyStoreFile, password);
      

      
    byte signature = signData(priv, dataFile);
      

      
    System.out.println(Base64.getEncoder().encodeToString(signature));
      
}
      

      
private static byte signData(PrivateKey priv, String dataFile) throws Exception {
      
    Signature dsa = Signature.getInstance("SHA256withRSA");
      

      
    dsa.initSign(priv);
      

      
    try (FileInputStream fis = new FileInputStream(dataFile);
      
         BufferedInputStream bufin = new BufferedInputStream(fis);) {
      

      
        byte buffer = new byte[1024];
      
        int len;
      
        while ((len = bufin.read(buffer)) >= 0) {
      
            dsa.update(buffer, 0, len);
      
        }
      

      
        bufin.close();
      

      
        byte realSig = dsa.sign();
      
        return realSig;
      
    }
      
}
      

      
private static PrivateKey loadPrivateKey(String keyStoreFile, char password) throws Exception {
      
    try (FileInputStream fin = new FileInputStream(keyStoreFile)) {
      
        KeyStore ks = KeyStore.getInstance("PKCS12", "SunJSSE");
      
        ks.load(fin, password);
      
        PrivateKey priv = (PrivateKey) ks.getKey("1", password);
      
        return priv;
      
    }
      
}


      And the PHP version:



      <?php
      
//data you want to sign
      
$data = file_get_contents("data.txt");
      

      
$cert_store = file_get_contents("keystore.pfx");
      
openssl_pkcs12_read($cert_store, $cert_info, "password");
      

      
//create signature
      
openssl_sign($data, $signature, $cert_info['pkey'], OPENSSL_ALGO_SHA256);
      

      
//finally encode
      
$r = base64_encode($signature);
      
print $r;
      
?>


      I used OpenSSL to generate the PKCS12 keystore.pfx file:



      # generate new RSA private key
      
openssl genrsa -out private.pem 1024
      
# CSR and signed certificate are needed to export as PKCS12 store
      
openssl req -new -key private.pem -out certificate.csr
      
openssl x509 -req -days 365 -in certificate.csr -signkey private.pem -out certificate.crt
      
# export as PKCS12 keystore
      
openssl pkcs12 -export -out keystore.pfx -inkey private.pem -in certificate.crt -passout pass:password


      You can sign the data.txt using OpenSSL as well:



      openssl dgst -sha256 -sign private.pem < data.txt | openssl base64


      All version will output the same result.



      If you have a JKS keystore and want to use the private key stored in this keystore, you can export the JKS keystore to PKCS12:



      keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.pfx 
      
    -srcstoretype JKS -deststoretype PKCS12 -deststorepass password 
      
    -srcalias alias -destalias 1



      One more thing to note as this always seems to be confused:



      You don't sign data using a certificate. You sign data using a (private) key. A certificate is more or less simply a piece of data signed with a private key. A self-signed certificate is signed with your own private key. While a certificate issued by a certificate authority (CA) is signed with the CA's private key.



      In the above example the generated certificate signing request (CSR) and certificate and basically only created to import the private key into the PKCS12 keystore. You could use the plain private.pem key file as well for the signing purpose, but as you were using a PKCS12 keystore I did the same.






      share|improve this answer




























        2












        2








        2







        The following code Java and PHP takes a private key from a PKCS12 keystore (keystore.pfx) and signs the content of the data.txt file. Using the same keystore and data both implementations return exactly the same output:



        I used plain Java only (no bouncycastle) as the java.security classes can handle PKCS12 input very well:



        public static void main(String args) throws Exception {
        

        
    String keyStoreFile = "keystore.pfx";
        
    char password = "password".toCharArray();
        

        
    String dataFile = "data.txt";
        

        
    PrivateKey priv = loadPrivateKey(keyStoreFile, password);
        

        
    byte signature = signData(priv, dataFile);
        

        
    System.out.println(Base64.getEncoder().encodeToString(signature));
        
}
        

        
private static byte signData(PrivateKey priv, String dataFile) throws Exception {
        
    Signature dsa = Signature.getInstance("SHA256withRSA");
        

        
    dsa.initSign(priv);
        

        
    try (FileInputStream fis = new FileInputStream(dataFile);
        
         BufferedInputStream bufin = new BufferedInputStream(fis);) {
        

        
        byte buffer = new byte[1024];
        
        int len;
        
        while ((len = bufin.read(buffer)) >= 0) {
        
            dsa.update(buffer, 0, len);
        
        }
        

        
        bufin.close();
        

        
        byte realSig = dsa.sign();
        
        return realSig;
        
    }
        
}
        

        
private static PrivateKey loadPrivateKey(String keyStoreFile, char password) throws Exception {
        
    try (FileInputStream fin = new FileInputStream(keyStoreFile)) {
        
        KeyStore ks = KeyStore.getInstance("PKCS12", "SunJSSE");
        
        ks.load(fin, password);
        
        PrivateKey priv = (PrivateKey) ks.getKey("1", password);
        
        return priv;
        
    }
        
}


        And the PHP version:



        <?php
        
//data you want to sign
        
$data = file_get_contents("data.txt");
        

        
$cert_store = file_get_contents("keystore.pfx");
        
openssl_pkcs12_read($cert_store, $cert_info, "password");
        

        
//create signature
        
openssl_sign($data, $signature, $cert_info['pkey'], OPENSSL_ALGO_SHA256);
        

        
//finally encode
        
$r = base64_encode($signature);
        
print $r;
        
?>


        I used OpenSSL to generate the PKCS12 keystore.pfx file:



        # generate new RSA private key
        
openssl genrsa -out private.pem 1024
        
# CSR and signed certificate are needed to export as PKCS12 store
        
openssl req -new -key private.pem -out certificate.csr
        
openssl x509 -req -days 365 -in certificate.csr -signkey private.pem -out certificate.crt
        
# export as PKCS12 keystore
        
openssl pkcs12 -export -out keystore.pfx -inkey private.pem -in certificate.crt -passout pass:password


        You can sign the data.txt using OpenSSL as well:



        openssl dgst -sha256 -sign private.pem < data.txt | openssl base64


        All version will output the same result.



        If you have a JKS keystore and want to use the private key stored in this keystore, you can export the JKS keystore to PKCS12:



        keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.pfx 
        
    -srcstoretype JKS -deststoretype PKCS12 -deststorepass password 
        
    -srcalias alias -destalias 1



        One more thing to note as this always seems to be confused:



        You don't sign data using a certificate. You sign data using a (private) key. A certificate is more or less simply a piece of data signed with a private key. A self-signed certificate is signed with your own private key. While a certificate issued by a certificate authority (CA) is signed with the CA's private key.



        In the above example the generated certificate signing request (CSR) and certificate and basically only created to import the private key into the PKCS12 keystore. You could use the plain private.pem key file as well for the signing purpose, but as you were using a PKCS12 keystore I did the same.






        share|improve this answer















        The following code Java and PHP takes a private key from a PKCS12 keystore (keystore.pfx) and signs the content of the data.txt file. Using the same keystore and data both implementations return exactly the same output:



        I used plain Java only (no bouncycastle) as the java.security classes can handle PKCS12 input very well:



        public static void main(String args) throws Exception {
        

        
    String keyStoreFile = "keystore.pfx";
        
    char password = "password".toCharArray();
        

        
    String dataFile = "data.txt";
        

        
    PrivateKey priv = loadPrivateKey(keyStoreFile, password);
        

        
    byte signature = signData(priv, dataFile);
        

        
    System.out.println(Base64.getEncoder().encodeToString(signature));
        
}
        

        
private static byte signData(PrivateKey priv, String dataFile) throws Exception {
        
    Signature dsa = Signature.getInstance("SHA256withRSA");
        

        
    dsa.initSign(priv);
        

        
    try (FileInputStream fis = new FileInputStream(dataFile);
        
         BufferedInputStream bufin = new BufferedInputStream(fis);) {
        

        
        byte buffer = new byte[1024];
        
        int len;
        
        while ((len = bufin.read(buffer)) >= 0) {
        
            dsa.update(buffer, 0, len);
        
        }
        

        
        bufin.close();
        

        
        byte realSig = dsa.sign();
        
        return realSig;
        
    }
        
}
        

        
private static PrivateKey loadPrivateKey(String keyStoreFile, char password) throws Exception {
        
    try (FileInputStream fin = new FileInputStream(keyStoreFile)) {
        
        KeyStore ks = KeyStore.getInstance("PKCS12", "SunJSSE");
        
        ks.load(fin, password);
        
        PrivateKey priv = (PrivateKey) ks.getKey("1", password);
        
        return priv;
        
    }
        
}


        And the PHP version:



        <?php
        
//data you want to sign
        
$data = file_get_contents("data.txt");
        

        
$cert_store = file_get_contents("keystore.pfx");
        
openssl_pkcs12_read($cert_store, $cert_info, "password");
        

        
//create signature
        
openssl_sign($data, $signature, $cert_info['pkey'], OPENSSL_ALGO_SHA256);
        

        
//finally encode
        
$r = base64_encode($signature);
        
print $r;
        
?>


        I used OpenSSL to generate the PKCS12 keystore.pfx file:



        # generate new RSA private key
        
openssl genrsa -out private.pem 1024
        
# CSR and signed certificate are needed to export as PKCS12 store
        
openssl req -new -key private.pem -out certificate.csr
        
openssl x509 -req -days 365 -in certificate.csr -signkey private.pem -out certificate.crt
        
# export as PKCS12 keystore
        
openssl pkcs12 -export -out keystore.pfx -inkey private.pem -in certificate.crt -passout pass:password


        You can sign the data.txt using OpenSSL as well:



        openssl dgst -sha256 -sign private.pem < data.txt | openssl base64


        All version will output the same result.



        If you have a JKS keystore and want to use the private key stored in this keystore, you can export the JKS keystore to PKCS12:



        keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.pfx 
        
    -srcstoretype JKS -deststoretype PKCS12 -deststorepass password 
        
    -srcalias alias -destalias 1



        One more thing to note as this always seems to be confused:



        You don't sign data using a certificate. You sign data using a (private) key. A certificate is more or less simply a piece of data signed with a private key. A self-signed certificate is signed with your own private key. While a certificate issued by a certificate authority (CA) is signed with the CA's private key.



        In the above example the generated certificate signing request (CSR) and certificate and basically only created to import the private key into the PKCS12 keystore. You could use the plain private.pem key file as well for the signing purpose, but as you were using a PKCS12 keystore I did the same.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Nov 23 '18 at 5:58

























        answered Nov 22 '18 at 19:12









        dprdpr

        4,71311645




        4,71311645






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53321299%2fgenerating-signature-using-self-signed-certificate%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Bressuire

            Image
            Subprefecture and commune in Nouvelle-Aquitaine, France Bressuire Subprefecture and commune Chateau de Bressuire and the Eglise Notre-Dame Coat of arms Location of Bressuire Bressuire Show map of France Bressuire Show map of Nouvelle-Aquitaine Coordinates: 46°50′27″N 0°29′14″W  /  46.8408°N 0.4872°W  / 46.8408; -0.4872 Coordinates: 46°50′27″N 0°29′14″W  /  46.8408°N 0.4872°W  / 46.8408; -0.4872 Country France Region Nouvelle-Aquitaine Department Deux-Sèvres Arrondissement Bressuire Canton Bressuire Government  • Mayor .mw-parser-output .nobold{font-weight:normal} (2014–20) Jean Michel Bernier Area 1 180.59 km 2 (69.73 sq mi) Population (2014) 2 19,300  • Density 110/km 2 (280/sq mi) Time zone UTC+01:00 (CET)  • Summer (DST) UTC+02:00 (CEST) INSEE/Postal code 79049 /79300 Elevation 98–236 m (322–774 ft) (avg. 173 m or 568 ft) 1 French Land Register data, which exclude
            Read more

            Vorschmack

            Image
            Vorschmack Ukrainian Jewish-style vorschmack served on rye bread Course Hors d'oeuvre Region or state Eastern Europe Associated national cuisine Ashkenazi Jewish, Finnish, German, Ukrainian, Polish, Russian Main ingredients Ground meat and/or fish Cookbook: Vorschmack   Media: Vorschmack Vorschmack or forshmak (Yiddish: פֿאָרשמאַק ‎, from archaic German Vorschmack , "foretaste" [1] or "appetizer" [2] ) is an originally East European dish made of salty minced fish or meat. Different variants of this dish are especially common in Ashkenazi Jewish and Finnish cuisine. Some varieties are also known in Russian and Polish cuisine. Contents 1 In Jewish cuisine 2 In Russian cuisine 3 In Polish cuisine 4 In Finnish cuisine 5 See also 6 References In Jewish cuisine According to Gil Marks, the German name points to the possible Germanic origin of this dish. [1] William Pokhlyobkin descr
            Read more

            Quarantine

            Image
            For other uses, see Quarantine (disambiguation). Signal flag "Lima" called the "Yellow Jack" which when flown in harbor means ship is under quarantine. A simple yellow flag (also called the "Yellow Jack") had historically been used to signal quarantine (it stands for Q among signal flags), but now indicates the opposite, as a signal of a ship free of disease that requests boarding and inspection. A quarantine is used to separate and restrict the movement of people; it is 'a restraint upon the activities or communication of persons or the transport of goods designed to prevent the spread of disease or pests', for a certain period of time. [1] This is often used in connection to disease and illness, such as those who may possibly have been exposed to a communicable disease. [2] The term is often erroneously used to mean medical isolation, which is "to separate ill persons who have a communicable disease from those who are healthy
            Read more