Request #41033 Patch to enable signing with DSA keys
Submitted: 2007-04-10 00:43 UTC Modified: 2008-11-18 02:16 UTC
Avg. Score:4.3 ± 0.7
Reproduced:6 of 6 (100.0%)
Same Version:2 (33.3%)
Same OS:4 (66.7%)
From: gordyf at google dot com Assigned: pajoye
Status: Closed Package: Feature/Change Request
PHP Version: 5.2.1 OS: any
Private report: No CVE-ID:
 [2007-04-10 00:43 UTC] gordyf at google dot com
This patch enables signing and verifying signatures with DSA keys. This currently does not work because EVP_sha1() is called when signing with SHA1 hash, and EVP_dss1() must be called for DSA-SHA1 signing.  It adds the OPENSSL_ALGO_DSS1 constant which must be used with the last parameter of openssl_sign and openssl_verify when using a DSA key.

From the <a href="">man page</a>: "The link between digests and signing algorithms results in a situation where EVP_sha1() must be used with RSA and EVP_dss1() must be used with DSS even though they are identical digests."

Patch available <a href="">here</a>.

Reproduce code:
$key = file_get_contents("keys/dsa.privkey.pem");
$prkeyid = openssl_get_privatekey($key);
$ct = "Hello I am some text!";
openssl_sign($ct, $signature, $prkeyid, OPENSSL_ALGO_DSS1);
echo "Signature: ".base64_encode($signature)."<br>";

$key = file_get_contents("keys/dsa.pubkey.pem");
$pukeyid = openssl_get_publickey($key);
$valid = openssl_verify($ct, $signature, $pukeyid, OPENSSL_ALGO_DSS1);
echo "Signature validity: ".$valid;

Expected result:
(After patch)
Signature: MCwCFGKwtl03QDikxpqoGMrr4+EPoZfZAhQYIl/Bhzur/CW50b3ZFf5dYig3PA==
Signature validity: 1

Actual result:
(Before patch)
Signature validity: -1
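
An added example, not part of the original report or patch: the "before patch" result of -1 is an error code rather than "invalid", and a loose truthiness check on openssl_verify() would accept it. The sketch below signs with a DSA key and checks the return value strictly; the verify_strict() helper, the in-memory key (in place of the keys/dsa.*.pem files) and the SHA-256 fallback are assumptions made for illustration.

```php
<?php
// Added example, not part of the original report or patch.
// openssl_verify() returns 1 (valid), 0 (invalid), or -1/false (error).
// A loose check such as `if (openssl_verify(...))` accepts -1 as true,
// so an error like the "before patch" result would pass as a valid signature.

function verify_strict(string $data, string $sig, $pubKey, $algo): bool
{
    $rc = openssl_verify($data, $sig, $pubKey, $algo);
    if ($rc !== 0 && $rc !== 1) {
        // Drain the OpenSSL error queue so the failure is diagnosable.
        $errors = [];
        while (($e = openssl_error_string()) !== false) {
            $errors[] = $e;
        }
        throw new RuntimeException('openssl_verify failed: ' . implode('; ', $errors));
    }
    return $rc === 1;
}

// Constructed test key: a throwaway DSA key pair generated in memory.
$priv = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_DSA,
    'private_key_bits' => 2048,
]);
if ($priv === false) {
    throw new RuntimeException('DSA key generation failed: ' . openssl_error_string());
}
$pub = openssl_pkey_get_public(openssl_pkey_get_details($priv)['key']);

// Assumption: builds without OPENSSL_ALGO_DSS1 accept a plain digest
// constant for DSA keys, so fall back to SHA-256 there.
$algo = defined('OPENSSL_ALGO_DSS1') ? OPENSSL_ALGO_DSS1 : OPENSSL_ALGO_SHA256;

$ct = "Hello I am some text!";
if (!openssl_sign($ct, $signature, $priv, $algo)) {
    throw new RuntimeException('openssl_sign failed: ' . openssl_error_string());
}

var_dump(verify_strict($ct, $signature, $pub, $algo));        // genuine message
var_dump(verify_strict($ct . '!', $signature, $pub, $algo));  // tampered message
```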


patch1 (last revision 2011-02-17 16:34 UTC by krishnanparya2 at gmail dot com)

 [2007-04-10 00:47 UTC] gordyf at google dot com
It seems I shouldn't have used link tags, here they are without trailing quotes.

Man page:
 [2007-04-17 18:30 UTC] gordyf at google dot com
I notice there hasn't been any activity on this for a week -- is there any additional information that I can provide?
 [2007-04-17 19:35 UTC]
"I notice there hasn't been any activity on this for a week -- is there
any additional information that I can provide?"

Thank you, I have all I need to apply the patch as soon as possible.
 [2008-10-14 00:16 UTC] scott dot fagg at arup dot com
Experiencing same problem with PHP 5.2.5

Looking at openssl.c, 5.2.5 and 5.2.6 both appear to not support DSS1.
 [2008-11-04 21:48 UTC] joey dot parrish at gmail dot com
I'd like to see this patch merged. I'm applying it manually to my sources in 5.2.6. It seems like an exceedingly simple task; I don't understand why it's gone undone for 18 months. Any news?
 [2008-11-18 02:16 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

Fixed in all branches
Last updated: Sun Oct 04 16:01:30 2015 UTC