Generating signature using self signed certificate












1















I have the following sample code which I made for generating a signature using self signed certificate



public static String generateSignature(String data) throws Exception {



        System.out.println("@@inside generateSignature: " + data);



        String signature;



        String jksFilepath = "E:\test.jks";



        try {

            // Adding Security Provider for PKCS 12

            Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

            // Setting password for the e-Token



            // logging into token

            ks = KeyStore.getInstance("jks");





            FileInputStream fileInputStream = new FileInputStream(jksFilepath);



            // Loading Keystore

            // System.out.println("loading keystore");

            ks.load(fileInputStream, JKSPassword);

            Enumeration<String> e = ks.aliases();



            while (e.hasMoreElements()) {

                alias = e.nextElement();

                // System.out.println("Alias of the e-Token : "+ alias);



                UserCert = (X509Certificate) ks.getCertificate(alias);



                UserCertPubKey = (PublicKey) ks.getCertificate(alias).getPublicKey();



                // System.out.println("loading Private key");

                UserCertPrivKey = (PrivateKey) ks.getKey(alias, JKSPassword);

            }



            // Method Call to generate Signature

            signature = MakeSignature(data);



            return signature;



        } catch (Exception e) {

            e.printStackTrace();

            System.out.println("generateSignature" + e.getCause());

            throw new Exception();

        }



    }



    private static String MakeSignature(String data) {



        System.out.println("@@inside MakeSignature...");



        try {

            PrivateKey privateKey = (PrivateKey) ks.getKey(alias, JKSPassword);

            myPubCert = (X509Certificate) ks.getCertificate(alias);

            Store certs = new JcaCertStore(Arrays.asList(myPubCert));



            CMSSignedDataGenerator generator = new CMSSignedDataGenerator();



            generator.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder().setProvider("BC").build("SHA256withRSA", privateKey, myPubCert));



            generator.addCertificates(certs);



            CMSTypedData data1 = new CMSProcessableByteArray(data.getBytes());



            CMSSignedData signed = generator.generate(data1, true);



            BASE64Encoder encoder = new BASE64Encoder();



            String signedContent = encoder.encode((byte) signed.getSignedContent().getContent());



            String envelopedData = encoder.encode(signed.getEncoded());



            return envelopedData;

        } catch (Exception e) {

            e.printStackTrace();

            System.out.println("MakeSignature ==" + e.getCause());

            return "";

        }

    }


There are some associated functions as well, but for the sake of giving brief I am not adding it.



Now I want to do the exact same things using PHP.



JKS doesnt work on PHP as its keystore for Java.



I tried open_ssl functions with different sets of encryption methods. But I am not getting the expected result which is as same as what I get via this java code ("not same" is about the bit rate and length of generated signature).



Can someone help me to implement the same signature generation in PHP, please?






java php x509certificate self-signed-certificate







share|improve this question

























  • You could call the java, as a self contained executable, from PHP :-)

    – Nic3500
    Nov 15 '18 at 14:37











  • @Nic3500 :P true but dont want to do that, if it can be done directly in PHP

    – Ajeesh
    Nov 15 '18 at 14:40











  • try this example-code.com/phpExt/jks_listContents.asp

    – Sid Malani
    Nov 20 '18 at 4:10











  • By "not same" you really mean "the Java based signature can be validated in PHP and vice versa but the signature strings don't match"?

    – dpr
    Nov 21 '18 at 11:31











  • maybe it's "just the base64 encoding" (which is applied in java (to the "dumped" key ... MakeSignature()), but missing/invisible in php (sample) code ..)!?

    – xerx593
    Nov 22 '18 at 8:53


















1















I have the following sample code which I made for generating a signature using self signed certificate



public static String generateSignature(String data) throws Exception {



        System.out.println("@@inside generateSignature: " + data);



        String signature;



        String jksFilepath = "E:\test.jks";



        try {

            // Adding Security Provider for PKCS 12

            Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

            // Setting password for the e-Token



            // logging into token

            ks = KeyStore.getInstance("jks");





            FileInputStream fileInputStream = new FileInputStream(jksFilepath);



            // Loading Keystore

            // System.out.println("loading keystore");

            ks.load(fileInputStream, JKSPassword);

            Enumeration<String> e = ks.aliases();



            while (e.hasMoreElements()) {

                alias = e.nextElement();

                // System.out.println("Alias of the e-Token : "+ alias);



                UserCert = (X509Certificate) ks.getCertificate(alias);



                UserCertPubKey = (PublicKey) ks.getCertificate(alias).getPublicKey();



                // System.out.println("loading Private key");

                UserCertPrivKey = (PrivateKey) ks.getKey(alias, JKSPassword);

            }



            // Method Call to generate Signature

            signature = MakeSignature(data);



            return signature;



        } catch (Exception e) {

            e.printStackTrace();

            System.out.println("generateSignature" + e.getCause());

            throw new Exception();

        }



    }



    private static String MakeSignature(String data) {



        System.out.println("@@inside MakeSignature...");



        try {

            PrivateKey privateKey = (PrivateKey) ks.getKey(alias, JKSPassword);

            myPubCert = (X509Certificate) ks.getCertificate(alias);

            Store certs = new JcaCertStore(Arrays.asList(myPubCert));



            CMSSignedDataGenerator generator = new CMSSignedDataGenerator();



            generator.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder().setProvider("BC").build("SHA256withRSA", privateKey, myPubCert));



            generator.addCertificates(certs);



            CMSTypedData data1 = new CMSProcessableByteArray(data.getBytes());



            CMSSignedData signed = generator.generate(data1, true);



            BASE64Encoder encoder = new BASE64Encoder();



            String signedContent = encoder.encode((byte) signed.getSignedContent().getContent());



            String envelopedData = encoder.encode(signed.getEncoded());



            return envelopedData;

        } catch (Exception e) {

            e.printStackTrace();

            System.out.println("MakeSignature ==" + e.getCause());

            return "";

        }

    }


There are some associated functions as well, but for the sake of giving brief I am not adding it.



Now I want to do the exact same things using PHP.



JKS doesnt work on PHP as its keystore for Java.



I tried open_ssl functions with different sets of encryption methods. But I am not getting the expected result which is as same as what I get via this java code ("not same" is about the bit rate and length of generated signature).



Can someone help me to implement the same signature generation in PHP, please?






java php x509certificate self-signed-certificate







share|improve this question

























  • You could call the java, as a self contained executable, from PHP :-)

    – Nic3500
    Nov 15 '18 at 14:37











  • @Nic3500 :P true but dont want to do that, if it can be done directly in PHP

    – Ajeesh
    Nov 15 '18 at 14:40











  • try this example-code.com/phpExt/jks_listContents.asp

    – Sid Malani
    Nov 20 '18 at 4:10











  • By "not same" you really mean "the Java based signature can be validated in PHP and vice versa but the signature strings don't match"?

    – dpr
    Nov 21 '18 at 11:31











  • maybe it's "just the base64 encoding" (which is applied in java (to the "dumped" key ... MakeSignature()), but missing/invisible in php (sample) code ..)!?

    – xerx593
    Nov 22 '18 at 8:53
















1












1








1








I have the following sample code which I made for generating a signature using self signed certificate



public static String generateSignature(String data) throws Exception {



        System.out.println("@@inside generateSignature: " + data);



        String signature;



        String jksFilepath = "E:\test.jks";



        try {

            // Adding Security Provider for PKCS 12

            Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

            // Setting password for the e-Token



            // logging into token

            ks = KeyStore.getInstance("jks");





            FileInputStream fileInputStream = new FileInputStream(jksFilepath);



            // Loading Keystore

            // System.out.println("loading keystore");

            ks.load(fileInputStream, JKSPassword);

            Enumeration<String> e = ks.aliases();



            while (e.hasMoreElements()) {

                alias = e.nextElement();

                // System.out.println("Alias of the e-Token : "+ alias);



                UserCert = (X509Certificate) ks.getCertificate(alias);



                UserCertPubKey = (PublicKey) ks.getCertificate(alias).getPublicKey();



                // System.out.println("loading Private key");

                UserCertPrivKey = (PrivateKey) ks.getKey(alias, JKSPassword);

            }



            // Method Call to generate Signature

            signature = MakeSignature(data);



            return signature;



        } catch (Exception e) {

            e.printStackTrace();

            System.out.println("generateSignature" + e.getCause());

            throw new Exception();

        }



    }



    private static String MakeSignature(String data) {



        System.out.println("@@inside MakeSignature...");



        try {

            PrivateKey privateKey = (PrivateKey) ks.getKey(alias, JKSPassword);

            myPubCert = (X509Certificate) ks.getCertificate(alias);

            Store certs = new JcaCertStore(Arrays.asList(myPubCert));



            CMSSignedDataGenerator generator = new CMSSignedDataGenerator();



            generator.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder().setProvider("BC").build("SHA256withRSA", privateKey, myPubCert));



            generator.addCertificates(certs);



            CMSTypedData data1 = new CMSProcessableByteArray(data.getBytes());



            CMSSignedData signed = generator.generate(data1, true);



            BASE64Encoder encoder = new BASE64Encoder();



            String signedContent = encoder.encode((byte) signed.getSignedContent().getContent());



            String envelopedData = encoder.encode(signed.getEncoded());



            return envelopedData;

        } catch (Exception e) {

            e.printStackTrace();

            System.out.println("MakeSignature ==" + e.getCause());

            return "";

        }

    }


There are some associated functions as well, but for the sake of giving brief I am not adding it.



Now I want to do the exact same things using PHP.



JKS doesnt work on PHP as its keystore for Java.



I tried open_ssl functions with different sets of encryption methods. But I am not getting the expected result which is as same as what I get via this java code ("not same" is about the bit rate and length of generated signature).



Can someone help me to implement the same signature generation in PHP, please?






java php x509certificate self-signed-certificate







share|improve this question
















I have the following sample code which I made for generating a signature using self signed certificate



public static String generateSignature(String data) throws Exception {



        System.out.println("@@inside generateSignature: " + data);



        String signature;



        String jksFilepath = "E:\test.jks";



        try {

            // Adding Security Provider for PKCS 12

            Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

            // Setting password for the e-Token



            // logging into token

            ks = KeyStore.getInstance("jks");





            FileInputStream fileInputStream = new FileInputStream(jksFilepath);



            // Loading Keystore

            // System.out.println("loading keystore");

            ks.load(fileInputStream, JKSPassword);

            Enumeration<String> e = ks.aliases();



            while (e.hasMoreElements()) {

                alias = e.nextElement();

                // System.out.println("Alias of the e-Token : "+ alias);



                UserCert = (X509Certificate) ks.getCertificate(alias);



                UserCertPubKey = (PublicKey) ks.getCertificate(alias).getPublicKey();



                // System.out.println("loading Private key");

                UserCertPrivKey = (PrivateKey) ks.getKey(alias, JKSPassword);

            }



            // Method Call to generate Signature

            signature = MakeSignature(data);



            return signature;



        } catch (Exception e) {

            e.printStackTrace();

            System.out.println("generateSignature" + e.getCause());

            throw new Exception();

        }



    }



    private static String MakeSignature(String data) {



        System.out.println("@@inside MakeSignature...");



        try {

            PrivateKey privateKey = (PrivateKey) ks.getKey(alias, JKSPassword);

            myPubCert = (X509Certificate) ks.getCertificate(alias);

            Store certs = new JcaCertStore(Arrays.asList(myPubCert));



            CMSSignedDataGenerator generator = new CMSSignedDataGenerator();



            generator.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder().setProvider("BC").build("SHA256withRSA", privateKey, myPubCert));



            generator.addCertificates(certs);



            CMSTypedData data1 = new CMSProcessableByteArray(data.getBytes());



            CMSSignedData signed = generator.generate(data1, true);



            BASE64Encoder encoder = new BASE64Encoder();



            String signedContent = encoder.encode((byte) signed.getSignedContent().getContent());



            String envelopedData = encoder.encode(signed.getEncoded());



            return envelopedData;

        } catch (Exception e) {

            e.printStackTrace();

            System.out.println("MakeSignature ==" + e.getCause());

            return "";

        }

    }


There are some associated functions as well, but for the sake of giving brief I am not adding it.



Now I want to do the exact same things using PHP.



JKS doesnt work on PHP as its keystore for Java.



I tried open_ssl functions with different sets of encryption methods. But I am not getting the expected result which is as same as what I get via this java code ("not same" is about the bit rate and length of generated signature).



Can someone help me to implement the same signature generation in PHP, please?






java php x509certificate self-signed-certificate




java php x509certificate self-signed-certificate






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 15 '18 at 14:57









Bsquare ℬℬ

3,65491535




3,65491535










asked Nov 15 '18 at 14:09









AjeeshAjeesh

1,17461636




1,17461636













  • You could call the java, as a self contained executable, from PHP :-)

    – Nic3500
    Nov 15 '18 at 14:37











  • @Nic3500 :P true but dont want to do that, if it can be done directly in PHP

    – Ajeesh
    Nov 15 '18 at 14:40











  • try this example-code.com/phpExt/jks_listContents.asp

    – Sid Malani
    Nov 20 '18 at 4:10











  • By "not same" you really mean "the Java based signature can be validated in PHP and vice versa but the signature strings don't match"?

    – dpr
    Nov 21 '18 at 11:31











  • maybe it's "just the base64 encoding" (which is applied in java (to the "dumped" key ... MakeSignature()), but missing/invisible in php (sample) code ..)!?

    – xerx593
    Nov 22 '18 at 8:53





















  • You could call the java, as a self contained executable, from PHP :-)

    – Nic3500
    Nov 15 '18 at 14:37











  • @Nic3500 :P true but dont want to do that, if it can be done directly in PHP

    – Ajeesh
    Nov 15 '18 at 14:40











  • try this example-code.com/phpExt/jks_listContents.asp

    – Sid Malani
    Nov 20 '18 at 4:10











  • By "not same" you really mean "the Java based signature can be validated in PHP and vice versa but the signature strings don't match"?

    – dpr
    Nov 21 '18 at 11:31











  • maybe it's "just the base64 encoding" (which is applied in java (to the "dumped" key ... MakeSignature()), but missing/invisible in php (sample) code ..)!?

    – xerx593
    Nov 22 '18 at 8:53



















You could call the java, as a self contained executable, from PHP :-)

– Nic3500
Nov 15 '18 at 14:37





You could call the java, as a self contained executable, from PHP :-)

– Nic3500
Nov 15 '18 at 14:37













@Nic3500 :P true but dont want to do that, if it can be done directly in PHP

– Ajeesh
Nov 15 '18 at 14:40





@Nic3500 :P true but dont want to do that, if it can be done directly in PHP

– Ajeesh
Nov 15 '18 at 14:40













try this example-code.com/phpExt/jks_listContents.asp

– Sid Malani
Nov 20 '18 at 4:10





try this example-code.com/phpExt/jks_listContents.asp

– Sid Malani
Nov 20 '18 at 4:10













By "not same" you really mean "the Java based signature can be validated in PHP and vice versa but the signature strings don't match"?

– dpr
Nov 21 '18 at 11:31





By "not same" you really mean "the Java based signature can be validated in PHP and vice versa but the signature strings don't match"?

– dpr
Nov 21 '18 at 11:31













maybe it's "just the base64 encoding" (which is applied in java (to the "dumped" key ... MakeSignature()), but missing/invisible in php (sample) code ..)!?

– xerx593
Nov 22 '18 at 8:53







maybe it's "just the base64 encoding" (which is applied in java (to the "dumped" key ... MakeSignature()), but missing/invisible in php (sample) code ..)!?

– xerx593
Nov 22 '18 at 8:53














2 Answers
2






active

oldest

votes


















5





+100









I think the PHP official document is very clear: http://php.net/manual/en/function.openssl-csr-new.php



Example #1 Creating a self-signed certificate



<?php

$dn = array(

    "countryName" => "GB",

    "stateOrProvinceName" => "Somerset",

    "localityName" => "Glastonbury",

    "organizationName" => "The Brain Room Limited",

    "organizationalUnitName" => "PHP Documentation Team",

    "commonName" => "Wez Furlong",

    "emailAddress" => "wez@example.com"

);



// Generate a new private (and public) key pair

$privkey = openssl_pkey_new(array(

    "private_key_bits" => 2048,

    "private_key_type" => OPENSSL_KEYTYPE_RSA,

));



// Generate a certificate signing request

$csr = openssl_csr_new($dn, $privkey, array('digest_alg' => 'sha256'));



// Generate a self-signed cert, valid for 365 days

$x509 = openssl_csr_sign($csr, null, $privkey, $days=365, array('digest_alg' => 'sha256'));



// Save your private key, CSR and self-signed cert for later use

openssl_csr_export($csr, $csrout) and var_dump($csrout);

openssl_x509_export($x509, $certout) and var_dump($certout);

openssl_pkey_export($privkey, $pkeyout, "mypassword") and var_dump($pkeyout);



// Show any errors that occurred here

while (($e = openssl_error_string()) !== false) {

    echo $e . "n";

}


Then you can call openssl_sign: http://php.net/manual/en/function.openssl-sign.php , use the generated private key to sign.



If you want to use the Java(JKS)'s key in PHP code, you should export the keys first, and then use PHP function load the keys.






share|improve this answer
























  • This didn't work as expected. Didnt got expected result. The signed content I recieved is HJEN4z2zWIhHvpNnWB6DM13j1Mxd05TnvYg47x5gVZSw2B8yRAlPK8yQtSDvd1JJbvTx4SiQN4qU5ROhB3ts9QjbShUUgtD5jLAu94GiIG9zSqtBknc5ab/CXUiJIzxOGW0OBxNme+a9SHL3Z6QjFKbtbopO0sEr3k7JYpx8wQbqrH1Zp45MYdvrcknIlpUbb4pvEZhUuMPcxuI/CpbmgdGm7Ep+DD9ecMsdVtgCmvQiLFAxOoaRa3gtr/cxrj29nIfFKAxtqHgapEb6eETM5JGwsDJEquFjbxCgtKL1XkbV9xJyTAHL7PpNWgHXzn7PZaHnKA+qX1xrgDRZNhBlNg==

    – Ajeesh
    Nov 20 '18 at 4:42











  • Please provide Minimal Reproducible Example stackoverflow.com/help/mcve

    – shawn
    Nov 20 '18 at 6:35



















2














The following code Java and PHP takes a private key from a PKCS12 keystore (keystore.pfx) and signs the content of the data.txt file. Using the same keystore and data both implementations return exactly the same output:



I used plain Java only (no bouncycastle) as the java.security classes can handle PKCS12 input very well:



public static void main(String args) throws Exception {



    String keyStoreFile = "keystore.pfx";

    char password = "password".toCharArray();



    String dataFile = "data.txt";



    PrivateKey priv = loadPrivateKey(keyStoreFile, password);



    byte signature = signData(priv, dataFile);



    System.out.println(Base64.getEncoder().encodeToString(signature));

}



private static byte signData(PrivateKey priv, String dataFile) throws Exception {

    Signature dsa = Signature.getInstance("SHA256withRSA");



    dsa.initSign(priv);



    try (FileInputStream fis = new FileInputStream(dataFile);

         BufferedInputStream bufin = new BufferedInputStream(fis);) {



        byte buffer = new byte[1024];

        int len;

        while ((len = bufin.read(buffer)) >= 0) {

            dsa.update(buffer, 0, len);

        }



        bufin.close();



        byte realSig = dsa.sign();

        return realSig;

    }

}



private static PrivateKey loadPrivateKey(String keyStoreFile, char password) throws Exception {

    try (FileInputStream fin = new FileInputStream(keyStoreFile)) {

        KeyStore ks = KeyStore.getInstance("PKCS12", "SunJSSE");

        ks.load(fin, password);

        PrivateKey priv = (PrivateKey) ks.getKey("1", password);

        return priv;

    }

}


And the PHP version:



<?php

//data you want to sign

$data = file_get_contents("data.txt");



$cert_store = file_get_contents("keystore.pfx");

openssl_pkcs12_read($cert_store, $cert_info, "password");



//create signature

openssl_sign($data, $signature, $cert_info['pkey'], OPENSSL_ALGO_SHA256);



//finally encode

$r = base64_encode($signature);

print $r;

?>


I used OpenSSL to generate the PKCS12 keystore.pfx file:



# generate new RSA private key

openssl genrsa -out private.pem 1024

# CSR and signed certificate are needed to export as PKCS12 store

openssl req -new -key private.pem -out certificate.csr

openssl x509 -req -days 365 -in certificate.csr -signkey private.pem -out certificate.crt

# export as PKCS12 keystore

openssl pkcs12 -export -out keystore.pfx -inkey private.pem -in certificate.crt -passout pass:password


You can sign the data.txt using OpenSSL as well:



openssl dgst -sha256 -sign private.pem < data.txt | openssl base64


All version will output the same result.



If you have a JKS keystore and want to use the private key stored in this keystore, you can export the JKS keystore to PKCS12:



keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.pfx 

    -srcstoretype JKS -deststoretype PKCS12 -deststorepass password 

    -srcalias alias -destalias 1



One more thing to note as this always seems to be confused:



You don't sign data using a certificate. You sign data using a (private) key. A certificate is more or less simply a piece of data signed with a private key. A self-signed certificate is signed with your own private key. While a certificate issued by a certificate authority (CA) is signed with the CA's private key.



In the above example the generated certificate signing request (CSR) and certificate and basically only created to import the private key into the PKCS12 keystore. You could use the plain private.pem key file as well for the signing purpose, but as you were using a PKCS12 keystore I did the same.






share|improve this answer

























    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53321299%2fgenerating-signature-using-self-signed-certificate%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    5





    +100









    I think the PHP official document is very clear: http://php.net/manual/en/function.openssl-csr-new.php



    Example #1 Creating a self-signed certificate



    <?php
    
$dn = array(
    
    "countryName" => "GB",
    
    "stateOrProvinceName" => "Somerset",
    
    "localityName" => "Glastonbury",
    
    "organizationName" => "The Brain Room Limited",
    
    "organizationalUnitName" => "PHP Documentation Team",
    
    "commonName" => "Wez Furlong",
    
    "emailAddress" => "wez@example.com"
    
);
    

    
// Generate a new private (and public) key pair
    
$privkey = openssl_pkey_new(array(
    
    "private_key_bits" => 2048,
    
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
    
));
    

    
// Generate a certificate signing request
    
$csr = openssl_csr_new($dn, $privkey, array('digest_alg' => 'sha256'));
    

    
// Generate a self-signed cert, valid for 365 days
    
$x509 = openssl_csr_sign($csr, null, $privkey, $days=365, array('digest_alg' => 'sha256'));
    

    
// Save your private key, CSR and self-signed cert for later use
    
openssl_csr_export($csr, $csrout) and var_dump($csrout);
    
openssl_x509_export($x509, $certout) and var_dump($certout);
    
openssl_pkey_export($privkey, $pkeyout, "mypassword") and var_dump($pkeyout);
    

    
// Show any errors that occurred here
    
while (($e = openssl_error_string()) !== false) {
    
    echo $e . "n";
    
}


    Then you can call openssl_sign: http://php.net/manual/en/function.openssl-sign.php , use the generated private key to sign.



    If you want to use the Java(JKS)'s key in PHP code, you should export the keys first, and then use PHP function load the keys.






    share|improve this answer
























    • This didn't work as expected. Didnt got expected result. The signed content I recieved is HJEN4z2zWIhHvpNnWB6DM13j1Mxd05TnvYg47x5gVZSw2B8yRAlPK8yQtSDvd1JJbvTx4SiQN4qU5ROhB3ts9QjbShUUgtD5jLAu94GiIG9zSqtBknc5ab/CXUiJIzxOGW0OBxNme+a9SHL3Z6QjFKbtbopO0sEr3k7JYpx8wQbqrH1Zp45MYdvrcknIlpUbb4pvEZhUuMPcxuI/CpbmgdGm7Ep+DD9ecMsdVtgCmvQiLFAxOoaRa3gtr/cxrj29nIfFKAxtqHgapEb6eETM5JGwsDJEquFjbxCgtKL1XkbV9xJyTAHL7PpNWgHXzn7PZaHnKA+qX1xrgDRZNhBlNg==

      – Ajeesh
      Nov 20 '18 at 4:42











    • Please provide Minimal Reproducible Example stackoverflow.com/help/mcve

      – shawn
      Nov 20 '18 at 6:35
















    5





    +100









    I think the PHP official document is very clear: http://php.net/manual/en/function.openssl-csr-new.php



    Example #1 Creating a self-signed certificate



    <?php
    
$dn = array(
    
    "countryName" => "GB",
    
    "stateOrProvinceName" => "Somerset",
    
    "localityName" => "Glastonbury",
    
    "organizationName" => "The Brain Room Limited",
    
    "organizationalUnitName" => "PHP Documentation Team",
    
    "commonName" => "Wez Furlong",
    
    "emailAddress" => "wez@example.com"
    
);
    

    
// Generate a new private (and public) key pair
    
$privkey = openssl_pkey_new(array(
    
    "private_key_bits" => 2048,
    
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
    
));
    

    
// Generate a certificate signing request
    
$csr = openssl_csr_new($dn, $privkey, array('digest_alg' => 'sha256'));
    

    
// Generate a self-signed cert, valid for 365 days
    
$x509 = openssl_csr_sign($csr, null, $privkey, $days=365, array('digest_alg' => 'sha256'));
    

    
// Save your private key, CSR and self-signed cert for later use
    
openssl_csr_export($csr, $csrout) and var_dump($csrout);
    
openssl_x509_export($x509, $certout) and var_dump($certout);
    
openssl_pkey_export($privkey, $pkeyout, "mypassword") and var_dump($pkeyout);
    

    
// Show any errors that occurred here
    
while (($e = openssl_error_string()) !== false) {
    
    echo $e . "n";
    
}


    Then you can call openssl_sign: http://php.net/manual/en/function.openssl-sign.php , use the generated private key to sign.



    If you want to use the Java(JKS)'s key in PHP code, you should export the keys first, and then use PHP function load the keys.






    share|improve this answer
























    • This didn't work as expected. Didnt got expected result. The signed content I recieved is HJEN4z2zWIhHvpNnWB6DM13j1Mxd05TnvYg47x5gVZSw2B8yRAlPK8yQtSDvd1JJbvTx4SiQN4qU5ROhB3ts9QjbShUUgtD5jLAu94GiIG9zSqtBknc5ab/CXUiJIzxOGW0OBxNme+a9SHL3Z6QjFKbtbopO0sEr3k7JYpx8wQbqrH1Zp45MYdvrcknIlpUbb4pvEZhUuMPcxuI/CpbmgdGm7Ep+DD9ecMsdVtgCmvQiLFAxOoaRa3gtr/cxrj29nIfFKAxtqHgapEb6eETM5JGwsDJEquFjbxCgtKL1XkbV9xJyTAHL7PpNWgHXzn7PZaHnKA+qX1xrgDRZNhBlNg==

      – Ajeesh
      Nov 20 '18 at 4:42











    • Please provide Minimal Reproducible Example stackoverflow.com/help/mcve

      – shawn
      Nov 20 '18 at 6:35














    5





    +100







    5





    +100



    5




    +100





    I think the PHP official document is very clear: http://php.net/manual/en/function.openssl-csr-new.php



    Example #1 Creating a self-signed certificate



    <?php
    
$dn = array(
    
    "countryName" => "GB",
    
    "stateOrProvinceName" => "Somerset",
    
    "localityName" => "Glastonbury",
    
    "organizationName" => "The Brain Room Limited",
    
    "organizationalUnitName" => "PHP Documentation Team",
    
    "commonName" => "Wez Furlong",
    
    "emailAddress" => "wez@example.com"
    
);
    

    
// Generate a new private (and public) key pair
    
$privkey = openssl_pkey_new(array(
    
    "private_key_bits" => 2048,
    
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
    
));
    

    
// Generate a certificate signing request
    
$csr = openssl_csr_new($dn, $privkey, array('digest_alg' => 'sha256'));
    

    
// Generate a self-signed cert, valid for 365 days
    
$x509 = openssl_csr_sign($csr, null, $privkey, $days=365, array('digest_alg' => 'sha256'));
    

    
// Save your private key, CSR and self-signed cert for later use
    
openssl_csr_export($csr, $csrout) and var_dump($csrout);
    
openssl_x509_export($x509, $certout) and var_dump($certout);
    
openssl_pkey_export($privkey, $pkeyout, "mypassword") and var_dump($pkeyout);
    

    
// Show any errors that occurred here
    
while (($e = openssl_error_string()) !== false) {
    
    echo $e . "n";
    
}


    Then you can call openssl_sign: http://php.net/manual/en/function.openssl-sign.php , use the generated private key to sign.



    If you want to use the Java(JKS)'s key in PHP code, you should export the keys first, and then use PHP function load the keys.






    share|improve this answer













    I think the PHP official document is very clear: http://php.net/manual/en/function.openssl-csr-new.php



    Example #1 Creating a self-signed certificate



    <?php
    
$dn = array(
    
    "countryName" => "GB",
    
    "stateOrProvinceName" => "Somerset",
    
    "localityName" => "Glastonbury",
    
    "organizationName" => "The Brain Room Limited",
    
    "organizationalUnitName" => "PHP Documentation Team",
    
    "commonName" => "Wez Furlong",
    
    "emailAddress" => "wez@example.com"
    
);
    

    
// Generate a new private (and public) key pair
    
$privkey = openssl_pkey_new(array(
    
    "private_key_bits" => 2048,
    
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
    
));
    

    
// Generate a certificate signing request
    
$csr = openssl_csr_new($dn, $privkey, array('digest_alg' => 'sha256'));
    

    
// Generate a self-signed cert, valid for 365 days
    
$x509 = openssl_csr_sign($csr, null, $privkey, $days=365, array('digest_alg' => 'sha256'));
    

    
// Save your private key, CSR and self-signed cert for later use
    
openssl_csr_export($csr, $csrout) and var_dump($csrout);
    
openssl_x509_export($x509, $certout) and var_dump($certout);
    
openssl_pkey_export($privkey, $pkeyout, "mypassword") and var_dump($pkeyout);
    

    
// Show any errors that occurred here
    
while (($e = openssl_error_string()) !== false) {
    
    echo $e . "n";
    
}


    Then you can call openssl_sign: http://php.net/manual/en/function.openssl-sign.php , use the generated private key to sign.



    If you want to use the Java(JKS)'s key in PHP code, you should export the keys first, and then use PHP function load the keys.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Nov 19 '18 at 6:45









    shawnshawn

    3,320618




    3,320618













    • This didn't work as expected. Didnt got expected result. The signed content I recieved is HJEN4z2zWIhHvpNnWB6DM13j1Mxd05TnvYg47x5gVZSw2B8yRAlPK8yQtSDvd1JJbvTx4SiQN4qU5ROhB3ts9QjbShUUgtD5jLAu94GiIG9zSqtBknc5ab/CXUiJIzxOGW0OBxNme+a9SHL3Z6QjFKbtbopO0sEr3k7JYpx8wQbqrH1Zp45MYdvrcknIlpUbb4pvEZhUuMPcxuI/CpbmgdGm7Ep+DD9ecMsdVtgCmvQiLFAxOoaRa3gtr/cxrj29nIfFKAxtqHgapEb6eETM5JGwsDJEquFjbxCgtKL1XkbV9xJyTAHL7PpNWgHXzn7PZaHnKA+qX1xrgDRZNhBlNg==

      – Ajeesh
      Nov 20 '18 at 4:42











    • Please provide Minimal Reproducible Example stackoverflow.com/help/mcve

      – shawn
      Nov 20 '18 at 6:35



















    • This didn't work as expected. Didnt got expected result. The signed content I recieved is HJEN4z2zWIhHvpNnWB6DM13j1Mxd05TnvYg47x5gVZSw2B8yRAlPK8yQtSDvd1JJbvTx4SiQN4qU5ROhB3ts9QjbShUUgtD5jLAu94GiIG9zSqtBknc5ab/CXUiJIzxOGW0OBxNme+a9SHL3Z6QjFKbtbopO0sEr3k7JYpx8wQbqrH1Zp45MYdvrcknIlpUbb4pvEZhUuMPcxuI/CpbmgdGm7Ep+DD9ecMsdVtgCmvQiLFAxOoaRa3gtr/cxrj29nIfFKAxtqHgapEb6eETM5JGwsDJEquFjbxCgtKL1XkbV9xJyTAHL7PpNWgHXzn7PZaHnKA+qX1xrgDRZNhBlNg==

      – Ajeesh
      Nov 20 '18 at 4:42











    • Please provide Minimal Reproducible Example stackoverflow.com/help/mcve

      – shawn
      Nov 20 '18 at 6:35

















    This didn't work as expected. Didnt got expected result. The signed content I recieved is HJEN4z2zWIhHvpNnWB6DM13j1Mxd05TnvYg47x5gVZSw2B8yRAlPK8yQtSDvd1JJbvTx4SiQN4qU5ROhB3ts9QjbShUUgtD5jLAu94GiIG9zSqtBknc5ab/CXUiJIzxOGW0OBxNme+a9SHL3Z6QjFKbtbopO0sEr3k7JYpx8wQbqrH1Zp45MYdvrcknIlpUbb4pvEZhUuMPcxuI/CpbmgdGm7Ep+DD9ecMsdVtgCmvQiLFAxOoaRa3gtr/cxrj29nIfFKAxtqHgapEb6eETM5JGwsDJEquFjbxCgtKL1XkbV9xJyTAHL7PpNWgHXzn7PZaHnKA+qX1xrgDRZNhBlNg==

    – Ajeesh
    Nov 20 '18 at 4:42





    This didn't work as expected. Didnt got expected result. The signed content I recieved is HJEN4z2zWIhHvpNnWB6DM13j1Mxd05TnvYg47x5gVZSw2B8yRAlPK8yQtSDvd1JJbvTx4SiQN4qU5ROhB3ts9QjbShUUgtD5jLAu94GiIG9zSqtBknc5ab/CXUiJIzxOGW0OBxNme+a9SHL3Z6QjFKbtbopO0sEr3k7JYpx8wQbqrH1Zp45MYdvrcknIlpUbb4pvEZhUuMPcxuI/CpbmgdGm7Ep+DD9ecMsdVtgCmvQiLFAxOoaRa3gtr/cxrj29nIfFKAxtqHgapEb6eETM5JGwsDJEquFjbxCgtKL1XkbV9xJyTAHL7PpNWgHXzn7PZaHnKA+qX1xrgDRZNhBlNg==

    – Ajeesh
    Nov 20 '18 at 4:42













    Please provide Minimal Reproducible Example stackoverflow.com/help/mcve

    – shawn
    Nov 20 '18 at 6:35





    Please provide Minimal Reproducible Example stackoverflow.com/help/mcve

    – shawn
    Nov 20 '18 at 6:35













    2














    The following code Java and PHP takes a private key from a PKCS12 keystore (keystore.pfx) and signs the content of the data.txt file. Using the same keystore and data both implementations return exactly the same output:



    I used plain Java only (no bouncycastle) as the java.security classes can handle PKCS12 input very well:



    public static void main(String args) throws Exception {
    

    
    String keyStoreFile = "keystore.pfx";
    
    char password = "password".toCharArray();
    

    
    String dataFile = "data.txt";
    

    
    PrivateKey priv = loadPrivateKey(keyStoreFile, password);
    

    
    byte signature = signData(priv, dataFile);
    

    
    System.out.println(Base64.getEncoder().encodeToString(signature));
    
}
    

    
private static byte signData(PrivateKey priv, String dataFile) throws Exception {
    
    Signature dsa = Signature.getInstance("SHA256withRSA");
    

    
    dsa.initSign(priv);
    

    
    try (FileInputStream fis = new FileInputStream(dataFile);
    
         BufferedInputStream bufin = new BufferedInputStream(fis);) {
    

    
        byte buffer = new byte[1024];
    
        int len;
    
        while ((len = bufin.read(buffer)) >= 0) {
    
            dsa.update(buffer, 0, len);
    
        }
    

    
        bufin.close();
    

    
        byte realSig = dsa.sign();
    
        return realSig;
    
    }
    
}
    

    
private static PrivateKey loadPrivateKey(String keyStoreFile, char password) throws Exception {
    
    try (FileInputStream fin = new FileInputStream(keyStoreFile)) {
    
        KeyStore ks = KeyStore.getInstance("PKCS12", "SunJSSE");
    
        ks.load(fin, password);
    
        PrivateKey priv = (PrivateKey) ks.getKey("1", password);
    
        return priv;
    
    }
    
}


    And the PHP version:



    <?php
    
//data you want to sign
    
$data = file_get_contents("data.txt");
    

    
$cert_store = file_get_contents("keystore.pfx");
    
openssl_pkcs12_read($cert_store, $cert_info, "password");
    

    
//create signature
    
openssl_sign($data, $signature, $cert_info['pkey'], OPENSSL_ALGO_SHA256);
    

    
//finally encode
    
$r = base64_encode($signature);
    
print $r;
    
?>


    I used OpenSSL to generate the PKCS12 keystore.pfx file:



    # generate new RSA private key
    
openssl genrsa -out private.pem 1024
    
# CSR and signed certificate are needed to export as PKCS12 store
    
openssl req -new -key private.pem -out certificate.csr
    
openssl x509 -req -days 365 -in certificate.csr -signkey private.pem -out certificate.crt
    
# export as PKCS12 keystore
    
openssl pkcs12 -export -out keystore.pfx -inkey private.pem -in certificate.crt -passout pass:password


    You can sign the data.txt using OpenSSL as well:



    openssl dgst -sha256 -sign private.pem < data.txt | openssl base64


    All version will output the same result.



    If you have a JKS keystore and want to use the private key stored in this keystore, you can export the JKS keystore to PKCS12:



    keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.pfx 
    
    -srcstoretype JKS -deststoretype PKCS12 -deststorepass password 
    
    -srcalias alias -destalias 1



    One more thing to note as this always seems to be confused:



    You don't sign data using a certificate. You sign data using a (private) key. A certificate is more or less simply a piece of data signed with a private key. A self-signed certificate is signed with your own private key. While a certificate issued by a certificate authority (CA) is signed with the CA's private key.



    In the above example the generated certificate signing request (CSR) and certificate and basically only created to import the private key into the PKCS12 keystore. You could use the plain private.pem key file as well for the signing purpose, but as you were using a PKCS12 keystore I did the same.






    share|improve this answer






























      2














      The following code Java and PHP takes a private key from a PKCS12 keystore (keystore.pfx) and signs the content of the data.txt file. Using the same keystore and data both implementations return exactly the same output:



      I used plain Java only (no bouncycastle) as the java.security classes can handle PKCS12 input very well:



      public static void main(String args) throws Exception {
      

      
    String keyStoreFile = "keystore.pfx";
      
    char password = "password".toCharArray();
      

      
    String dataFile = "data.txt";
      

      
    PrivateKey priv = loadPrivateKey(keyStoreFile, password);
      

      
    byte signature = signData(priv, dataFile);
      

      
    System.out.println(Base64.getEncoder().encodeToString(signature));
      
}
      

      
private static byte signData(PrivateKey priv, String dataFile) throws Exception {
      
    Signature dsa = Signature.getInstance("SHA256withRSA");
      

      
    dsa.initSign(priv);
      

      
    try (FileInputStream fis = new FileInputStream(dataFile);
      
         BufferedInputStream bufin = new BufferedInputStream(fis);) {
      

      
        byte buffer = new byte[1024];
      
        int len;
      
        while ((len = bufin.read(buffer)) >= 0) {
      
            dsa.update(buffer, 0, len);
      
        }
      

      
        bufin.close();
      

      
        byte realSig = dsa.sign();
      
        return realSig;
      
    }
      
}
      

      
private static PrivateKey loadPrivateKey(String keyStoreFile, char password) throws Exception {
      
    try (FileInputStream fin = new FileInputStream(keyStoreFile)) {
      
        KeyStore ks = KeyStore.getInstance("PKCS12", "SunJSSE");
      
        ks.load(fin, password);
      
        PrivateKey priv = (PrivateKey) ks.getKey("1", password);
      
        return priv;
      
    }
      
}


      And the PHP version:



      <?php
      
//data you want to sign
      
$data = file_get_contents("data.txt");
      

      
$cert_store = file_get_contents("keystore.pfx");
      
openssl_pkcs12_read($cert_store, $cert_info, "password");
      

      
//create signature
      
openssl_sign($data, $signature, $cert_info['pkey'], OPENSSL_ALGO_SHA256);
      

      
//finally encode
      
$r = base64_encode($signature);
      
print $r;
      
?>


      I used OpenSSL to generate the PKCS12 keystore.pfx file:



      # generate new RSA private key
      
openssl genrsa -out private.pem 1024
      
# CSR and signed certificate are needed to export as PKCS12 store
      
openssl req -new -key private.pem -out certificate.csr
      
openssl x509 -req -days 365 -in certificate.csr -signkey private.pem -out certificate.crt
      
# export as PKCS12 keystore
      
openssl pkcs12 -export -out keystore.pfx -inkey private.pem -in certificate.crt -passout pass:password


      You can sign the data.txt using OpenSSL as well:



      openssl dgst -sha256 -sign private.pem < data.txt | openssl base64


      All version will output the same result.



      If you have a JKS keystore and want to use the private key stored in this keystore, you can export the JKS keystore to PKCS12:



      keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.pfx 
      
    -srcstoretype JKS -deststoretype PKCS12 -deststorepass password 
      
    -srcalias alias -destalias 1



      One more thing to note as this always seems to be confused:



      You don't sign data using a certificate. You sign data using a (private) key. A certificate is more or less simply a piece of data signed with a private key. A self-signed certificate is signed with your own private key. While a certificate issued by a certificate authority (CA) is signed with the CA's private key.



      In the above example the generated certificate signing request (CSR) and certificate and basically only created to import the private key into the PKCS12 keystore. You could use the plain private.pem key file as well for the signing purpose, but as you were using a PKCS12 keystore I did the same.






      share|improve this answer




























        2












        2








        2







        The following code Java and PHP takes a private key from a PKCS12 keystore (keystore.pfx) and signs the content of the data.txt file. Using the same keystore and data both implementations return exactly the same output:



        I used plain Java only (no bouncycastle) as the java.security classes can handle PKCS12 input very well:



        public static void main(String args) throws Exception {
        

        
    String keyStoreFile = "keystore.pfx";
        
    char password = "password".toCharArray();
        

        
    String dataFile = "data.txt";
        

        
    PrivateKey priv = loadPrivateKey(keyStoreFile, password);
        

        
    byte signature = signData(priv, dataFile);
        

        
    System.out.println(Base64.getEncoder().encodeToString(signature));
        
}
        

        
private static byte signData(PrivateKey priv, String dataFile) throws Exception {
        
    Signature dsa = Signature.getInstance("SHA256withRSA");
        

        
    dsa.initSign(priv);
        

        
    try (FileInputStream fis = new FileInputStream(dataFile);
        
         BufferedInputStream bufin = new BufferedInputStream(fis);) {
        

        
        byte buffer = new byte[1024];
        
        int len;
        
        while ((len = bufin.read(buffer)) >= 0) {
        
            dsa.update(buffer, 0, len);
        
        }
        

        
        bufin.close();
        

        
        byte realSig = dsa.sign();
        
        return realSig;
        
    }
        
}
        

        
private static PrivateKey loadPrivateKey(String keyStoreFile, char password) throws Exception {
        
    try (FileInputStream fin = new FileInputStream(keyStoreFile)) {
        
        KeyStore ks = KeyStore.getInstance("PKCS12", "SunJSSE");
        
        ks.load(fin, password);
        
        PrivateKey priv = (PrivateKey) ks.getKey("1", password);
        
        return priv;
        
    }
        
}


        And the PHP version:



        <?php
        
//data you want to sign
        
$data = file_get_contents("data.txt");
        

        
$cert_store = file_get_contents("keystore.pfx");
        
openssl_pkcs12_read($cert_store, $cert_info, "password");
        

        
//create signature
        
openssl_sign($data, $signature, $cert_info['pkey'], OPENSSL_ALGO_SHA256);
        

        
//finally encode
        
$r = base64_encode($signature);
        
print $r;
        
?>


        I used OpenSSL to generate the PKCS12 keystore.pfx file:



        # generate new RSA private key
        
openssl genrsa -out private.pem 1024
        
# CSR and signed certificate are needed to export as PKCS12 store
        
openssl req -new -key private.pem -out certificate.csr
        
openssl x509 -req -days 365 -in certificate.csr -signkey private.pem -out certificate.crt
        
# export as PKCS12 keystore
        
openssl pkcs12 -export -out keystore.pfx -inkey private.pem -in certificate.crt -passout pass:password


        You can sign the data.txt using OpenSSL as well:



        openssl dgst -sha256 -sign private.pem < data.txt | openssl base64


        All version will output the same result.



        If you have a JKS keystore and want to use the private key stored in this keystore, you can export the JKS keystore to PKCS12:



        keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.pfx 
        
    -srcstoretype JKS -deststoretype PKCS12 -deststorepass password 
        
    -srcalias alias -destalias 1



        One more thing to note as this always seems to be confused:



        You don't sign data using a certificate. You sign data using a (private) key. A certificate is more or less simply a piece of data signed with a private key. A self-signed certificate is signed with your own private key. While a certificate issued by a certificate authority (CA) is signed with the CA's private key.



        In the above example the generated certificate signing request (CSR) and certificate and basically only created to import the private key into the PKCS12 keystore. You could use the plain private.pem key file as well for the signing purpose, but as you were using a PKCS12 keystore I did the same.






        share|improve this answer















        The following code Java and PHP takes a private key from a PKCS12 keystore (keystore.pfx) and signs the content of the data.txt file. Using the same keystore and data both implementations return exactly the same output:



        I used plain Java only (no bouncycastle) as the java.security classes can handle PKCS12 input very well:



        public static void main(String args) throws Exception {
        

        
    String keyStoreFile = "keystore.pfx";
        
    char password = "password".toCharArray();
        

        
    String dataFile = "data.txt";
        

        
    PrivateKey priv = loadPrivateKey(keyStoreFile, password);
        

        
    byte signature = signData(priv, dataFile);
        

        
    System.out.println(Base64.getEncoder().encodeToString(signature));
        
}
        

        
private static byte signData(PrivateKey priv, String dataFile) throws Exception {
        
    Signature dsa = Signature.getInstance("SHA256withRSA");
        

        
    dsa.initSign(priv);
        

        
    try (FileInputStream fis = new FileInputStream(dataFile);
        
         BufferedInputStream bufin = new BufferedInputStream(fis);) {
        

        
        byte buffer = new byte[1024];
        
        int len;
        
        while ((len = bufin.read(buffer)) >= 0) {
        
            dsa.update(buffer, 0, len);
        
        }
        

        
        bufin.close();
        

        
        byte realSig = dsa.sign();
        
        return realSig;
        
    }
        
}
        

        
private static PrivateKey loadPrivateKey(String keyStoreFile, char password) throws Exception {
        
    try (FileInputStream fin = new FileInputStream(keyStoreFile)) {
        
        KeyStore ks = KeyStore.getInstance("PKCS12", "SunJSSE");
        
        ks.load(fin, password);
        
        PrivateKey priv = (PrivateKey) ks.getKey("1", password);
        
        return priv;
        
    }
        
}


        And the PHP version:



        <?php
        
//data you want to sign
        
$data = file_get_contents("data.txt");
        

        
$cert_store = file_get_contents("keystore.pfx");
        
openssl_pkcs12_read($cert_store, $cert_info, "password");
        

        
//create signature
        
openssl_sign($data, $signature, $cert_info['pkey'], OPENSSL_ALGO_SHA256);
        

        
//finally encode
        
$r = base64_encode($signature);
        
print $r;
        
?>


        I used OpenSSL to generate the PKCS12 keystore.pfx file:



        # generate new RSA private key
        
openssl genrsa -out private.pem 1024
        
# CSR and signed certificate are needed to export as PKCS12 store
        
openssl req -new -key private.pem -out certificate.csr
        
openssl x509 -req -days 365 -in certificate.csr -signkey private.pem -out certificate.crt
        
# export as PKCS12 keystore
        
openssl pkcs12 -export -out keystore.pfx -inkey private.pem -in certificate.crt -passout pass:password


        You can sign the data.txt using OpenSSL as well:



        openssl dgst -sha256 -sign private.pem < data.txt | openssl base64


        All version will output the same result.



        If you have a JKS keystore and want to use the private key stored in this keystore, you can export the JKS keystore to PKCS12:



        keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.pfx 
        
    -srcstoretype JKS -deststoretype PKCS12 -deststorepass password 
        
    -srcalias alias -destalias 1



        One more thing to note as this always seems to be confused:



        You don't sign data using a certificate. You sign data using a (private) key. A certificate is more or less simply a piece of data signed with a private key. A self-signed certificate is signed with your own private key. While a certificate issued by a certificate authority (CA) is signed with the CA's private key.



        In the above example the generated certificate signing request (CSR) and certificate and basically only created to import the private key into the PKCS12 keystore. You could use the plain private.pem key file as well for the signing purpose, but as you were using a PKCS12 keystore I did the same.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Nov 23 '18 at 5:58

























        answered Nov 22 '18 at 19:12









        dprdpr

        4,71311645




        4,71311645






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53321299%2fgenerating-signature-using-self-signed-certificate%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Xamarin.iOS Cant Deploy on Iphone

            Image
            .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } -1 I have a windows laptop and a mac mini my problem is that It wont deploy on iphone if I use Visual Studio Xamarin on windows to install my app, but it works fine with Visual Studio For Mac. Here's what I get after build succeded on Visual Studio Xamarin on windows : 1>------ Build started: Project: FinalCustomerApp.iOS, Configuration: Debug iPhone ------ 1> Connecting to Mac server 192.168.8.100... 1> FinalCustomerApp.iOS -> C:UsersJeremy PaulDesktopFinalCustomerAppFinalCustomerAppFinalCustomerApp.iOSbiniPhoneDebugFinalCustomerApp.iOS.exe 1> Detected signing identity: 1> Code Signing Key: &quo
            Read more

            Glorious Revolution

            Image
            "The Bloodless Revolution" redirects here. For a history of the vegetarian movement, see The Bloodless Revolution (book). This article is about the English revolution of 1688. For the revolution of 1868 in Spain, see Glorious Revolution (Spain). For other uses, see Glorious Revolution (disambiguation). Glorious Revolution The Prince of Orange lands at Torbay Date 1688–1689 Location British Isles Also known as Revolution of 1688 War of the English Succession Bloodless Revolution Participants English, Welsh and Scottish society, Dutch forces Outcome Replacement of James II by William III and Mary II Jacobite rising of 1689 Williamite War in Ireland War with France; England and Scotland join Grand Alliance Drafting of the Bill of Rights 1689 Part of a series on the History of England Timeline Prehistoric Britain Roman Britain Sub-Roman Britain Medieval period Economy in the Middle Ages Anglo-Saxon period
            Read more

            Dulmage-Mendelsohn matrix decomposition in Python

            Image
            0 Matlab has a function called dmperm that computes the so-called Dulmage–Mendelsohn decomposition of a n x n matrix. From wikipedia, the Dulmage–Mendelsohn is a partition of the vertices of a bipartite graph into subsets, with the property that two adjacent vertices belong to the same subset if and only if they are paired with each other in a perfect matching of the graph. Looking both on scipy and numpy, I could not find this function, nor some similar version. Is it possible to implement it using basic linear algebra operations? Any idea if this is implemented in some Python package? python matlab linear-algebra graph-theory matrix-decomposition share | improve this question
            Read more