openssl_pkcs7_sign

(PHP 4 >= 4.0.6, PHP 5, PHP 7, PHP 8)

openssl_pkcs7_sign — Sign an S/MIME message

Description

openssl_pkcs7_sign(
    string $input_filename,
    string $output_filename,
    OpenSSLCertificate|string $certificate,
    #[\SensitiveParameter] OpenSSLAsymmetricKey|OpenSSLCertificate|array|string $private_key,
    ?array $headers,
    int $flags = PKCS7_DETACHED,
    ?string $untrusted_certificates_filename = null
): bool

openssl_pkcs7_sign() takes the contents of the file named input_filename and signs them using the certificate and its matching private key specified by certificate and private_key parameters.

Parameters

input_filename: The input file you are intending to digitally sign.
output_filename: The file which the digital signature will be written to.
certificate: The X.509 certificate used to digitally sign input_filename. See Key/Certificate parameters for a list of valid values.
private_key: private_key is the private key corresponding to certificate. See Public/Private Key parameters for a list of valid values.
headers: headers is an array of headers that will be prepended to the data after it has been signed (see openssl_pkcs7_encrypt() for more information about the format of this parameter).
flags: flags can be used to alter the output - see PKCS7 constants.
untrusted_certificates_filename: untrusted_certificates_filename specifies the name of a file containing a bunch of extra certificates to include in the signature which can for example be used to help the recipient to verify the certificate that you used.

Return Values

Returns true on success or false on failure.

Changelog

Version	Description
8.0.0	`certificate` accepts an OpenSSLCertificate instance now; previously, a resource of type `OpenSSL X.509 CSR` was accepted.
8.0.0	`private_key` accepts an OpenSSLAsymmetricKey or OpenSSLCertificate instance now; previously, a resource of type `OpenSSL key` or `OpenSSL X.509 CSR` was accepted.

Examples

Example #1 openssl_pkcs7_sign() example

<?php
// the message you want to sign so that recipient can be sure it was you that
// sent it
$data = <<<EOD

You have my authorization to spend $10,000 on dinner expenses.

The CEO
EOD;
// save message to file
$fp = fopen("msg.txt", "w");
fwrite($fp, $data);
fclose($fp);
// encrypt it
if (openssl_pkcs7_sign("msg.txt", "signed.txt", "file://mycert.pem",
array("file://mycert.pem", "mypassphrase"),
array("To" => "[email protected]", // keyed syntax
"From: HQ <[email protected]>", // indexed syntax
"Subject" => "Eyes only")
)) {
// message signed - send it!
exec(ini_get("sendmail_path") . " < signed.txt");
}
?>