
I'm working on creating a Service Provider for an SSO. I already have the whole system up and running, but the only thing I have left to do is to verify the response we get using the certificate provided by the Identity Provider.

What I have:

  • a certificate (namewhere.pfx)
  • a password (a small string)
  • xml response (decoded and parsed)

What I'm using:

  • php

What I need:

  • to verify the xml response

I've been googling a lot and have figured that it was possible if I had a certificate in .pem format. For that I googled and found a few Linux commands. But I'm unsure how to go about it. How do I use those commands in my php code and have the created files available, or do I simply create the .pem file once and store that online? If so, where do I place them to avoid security problems, etc.

  • Can you give more details? What exactly are you trying to verify in the xml response? – gtrig Jun 03 '13 at 18:35
  • According to the SAML standards, the xml has a certificate/digital-signature embedded within it. We also should have a certificate that we use to verify if the response is from an authenticated source. – salmanhijazi Jun 03 '13 at 19:01

1 Answer


If you are only trying to verify a digital signature, then you only need the public certificate of the signer. As far as security problems go, you don't need to worry about exposing the certificate since it will already be public. The main thing will be to make sure no one can switch out the certificate you trust with another one.

Since you only need the public certificate, it is probably best to extract that from the pfx file. You can do that using the commands given here (Converting pfx to pem using openssl). Some pfx files may contain private keys, which you would NOT want to expose. This is another reason to extract the public cert and only use that.

Then you can use the openssl_verify() function to verify the signature. You need the data that was signed, the signature, and the public key. There is some example code at that link that will extract the public key from a certificate and verify a signature.
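The two steps the answer describes, extracting only the public certificate from the .pfx and then calling openssl_verify() against it, as an added PHP example (not the answerer's code and not from the linked page). The file name, password, DN and signed message are constructed for the demonstration; a throwaway self-signed key pair is generated at runtime so the script runs offline:

```php
<?php
// Added example: pull the public certificate out of a PKCS#12 (.pfx) bundle,
// discard any private key it carries, and verify an RSA signature against
// the pinned certificate with openssl_verify().
declare(strict_types=1);

/**
 * Read the .pfx and return only the PEM-encoded public certificate.
 * The private key (if the bundle contains one) is never written anywhere.
 */
function extractPublicCert(string $pfxPath, string $password): string
{
    $pkcs12 = file_get_contents($pfxPath);
    if ($pkcs12 === false) {
        throw new RuntimeException("Cannot read $pfxPath");
    }
    $parts = [];
    if (!openssl_pkcs12_read($pkcs12, $parts, $password)) {
        throw new RuntimeException('Bad PKCS#12 file or password: ' . openssl_error_string());
    }
    // $parts['pkey'] holds the private key; it is deliberately dropped here.
    return $parts['cert'];
}

/**
 * Verify $signature (raw bytes) over $data using the certificate we trust.
 * Returns true only for a valid signature; OpenSSL errors are raised, not hidden.
 */
function verifyWithCert(string $data, string $signature, string $certPem,
                        int $algo = OPENSSL_ALGO_SHA256): bool
{
    $pubKey = openssl_pkey_get_public($certPem);
    if ($pubKey === false) {
        throw new RuntimeException('Could not load public key from certificate');
    }
    $result = openssl_verify($data, $signature, $pubKey, $algo);
    if ($result === -1 || $result === false) {
        throw new RuntimeException('openssl_verify error: ' . openssl_error_string());
    }
    return $result === 1;
}

// --- Self-contained demonstration with a constructed, self-signed key pair ---
$privKey = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$csr  = openssl_csr_new(['commonName' => 'idp.example.test'], $privKey, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $privKey, 365, ['digest_alg' => 'sha256']);

$pfxPath  = sys_get_temp_dir() . '/idp-demo.pfx';   // assumed location
$password = 'demo-password';                         // constructed
openssl_pkcs12_export_to_file($cert, $pfxPath, $privKey, $password);

// Constructed stand-in for the bytes the IdP signed.
$message = '<Response ID="constructed-sample">ok</Response>';
openssl_sign($message, $sig, $privKey, OPENSSL_ALGO_SHA256);

$certPem = extractPublicCert($pfxPath, $password);
echo verifyWithCert($message, $sig, $certPem) ? "signature valid\n" : "signature INVALID\n";
echo verifyWithCert($message . ' tampered', $sig, $certPem) ? "signature valid\n" : "signature INVALID\n";
unlink($pfxPath);
```

Running extractPublicCert() once and committing the resulting PEM (or producing it with `openssl pkcs12 -in namewhere.pfx -clcerts -nokeys -out idp-cert.pem`) is the usual approach; the .pfx and its password then never need to be on the web server at all. Note that openssl_verify() checks a signature over raw bytes, whereas a SAML Response carries an XML-DSig: the signature covers the canonicalized SignedInfo element, which in turn holds digests of the signed element, so a real Service Provider must canonicalize (exclusive C14N), check each Reference digest, and compare the certificate embedded in KeyInfo against the pinned one rather than trusting whatever the response carries. A library such as xmlseclibs implements those steps; the functions above show the underlying primitive and the pinning it relies on.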
