RSA and SHA-256 encryption for signing using PHP

Question

I\'m receiving XML in request from a Web Service API. It contains a signature, signed by the requester\'s private key, and I have to verify it by the requester public key. Then

Answer 1

The counterpart to openssl_private_encrypt is openssl_public_decrypt. Both methods allow low level signing/verification with PKCS#1 v1.5 padding (RSASSA-PKCS1-v1_5), where the data is implicitly not hashed, nor is the ID of the digest used prepended to the hash. I.e., for the result to be compliant with PKCS#1 v1.5 padding, both must be done explicitly.

In contrast, hashing and adding the digest ID is implicitly taken into account in openssl_sign and openssl_verify in the context of RSA and PKCS#1 v1.5 padding, so the signature is automatically compliant with PKCS#1 v1.5 padding.

Generally, the latter is the more efficient way for signing/verifying. However, openssl_private_encrypt also has a use, namely when not the data to be signed itself, but only the already hashed data is available for signing.

The issue in the code is the combination of openssl_private_encrypt and openssl_verify. Of course you can combine both, but then you have to implement hashing and adding the digest ID for openssl_private_encrypt, which is missing in the code. Alternatively (as already noted in the comments) openssl_sign can be applied, which is more efficient here.
Another inconsistency is that signing and verifying must be done on the same data. In the code, json_encode($result) is used for signing and $encrypt (from which json_encode($result) was derived) for verifying.

The following PHP code demonstrates the combination of openssl_private_encrypt and openssl_verify (see Test 1):

function getRSAKeys(){
    $keyPairResource = openssl_pkey_new(array("private_key_bits" => 2048, "private_key_type" => OPENSSL_KEYTYPE_RSA)); 
    openssl_pkey_export($keyPairResource, $privateKey);
    return [$privateKey, openssl_pkey_get_details($keyPairResource)["key"]];
}

// Create test key
$newKeyPair = getRSAKeys();
$privateKey = $newKeyPair[0];
$publicKey = $newKeyPair[1];

// Test 1: openssl_private_encrypt and openssl_verify
$dataToSign = 'Test 1: The data to sign'; // Could correspond to e.g. json_encode($result) in the code
$dataToSignHashed = hash('sha256', $dataToSign, true);
$dataToSignHashedWithID = hex2bin("3031300d060960864801650304020105000420") . $dataToSignHashed; // ID from https://tools.ietf.org/html/rfc8017#page-47
openssl_private_encrypt($dataToSignHashedWithID, $signature, $privateKey, OPENSSL_PKCS1_PADDING);
$verified = openssl_verify($dataToSign, $signature, $publicKey, OPENSSL_ALGO_SHA256);
print($verified) . PHP_EOL;

// Test 2: openssl_sign and openssl_verify
$dataToSign = 'Test 2: The data to sign'; // Could correspond to e.g. json_encode($result) in the code
openssl_sign($dataToSign, $signature, $privateKey, OPENSSL_ALGO_SHA256);
$verified = openssl_verify($dataToSign, $signature, $publicKey, OPENSSL_ALGO_SHA256);
print($verified) . PHP_EOL;

// Test 3: openssl_private_encrypt and openssl_public_decrypt (without hashing and adding the digest id)
$dataToSign = 'Test 3: The data to sign'; // Could correspond to e.g. json_encode($result) in the code
openssl_private_encrypt($dataToSign, $signature, $privateKey, OPENSSL_PKCS1_PADDING);
openssl_public_decrypt($signature, $decrypted, $publicKey, OPENSSL_PKCS1_PADDING);
print($dataToSign === $decrypted) . PHP_EOL;

Edit: The last example is to be understood purely technical and should demonstrate that encryption with openssl_private_encrypt without hashing and without adding the ID can be decrypted with openssl_public_decrypt. In practice, hashing is applied when signing, see comment by kelalaka and e.g. here. Both methods are not intended to sign/verify the message directly, but, as already mentioned above, to allow the user to sign/verify an already hashed message.