We’re working on a project where we receive data which contains a “signature”. This consists of known parts of the data (UTF-8) which have been signed by the sender using the private X.509 certificate and base64 encoded. As part of the data we receive their public certificate in base64.
We’ve been researching this endlessly but can only find articles on verifying the certificate, but this isn’t what we need to do.
So, if we have something like:
$unsigned_data = "123456789";
$senders_certificate = "MIIHpTCCBY2gAwIBAgIQBZXrUf3M67aS2TO7RhrAIjANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluY..."; //etc etc
$posted_signature = "3BJcFbln7j5mUHdFIt9wbHlSi1McpmP0hCR5g6NXhBw3ffSGzXPtgg..."; //etc etc
… how do we check the $posted_signature is what it should be?
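One way to perform the check described in the question, as an added example that is not part of the original post: decode the signature, extract the public key from the certificate, and call `openssl_verify`. It assumes an RSA key, a SHA-256 digest and a certificate supplied as bare base64 DER (none of which the post states); the helper names and the locally generated sample key and certificate are constructed for illustration.

```php
<?php
// Added example: verify a detached signature with the sender's X.509 certificate.
// Assumptions (not stated in the post): RSA key, SHA-256 digest, base64 DER certificate.

function der_base64_to_pem(string $b64): string
{
    // Wrap bare base64 DER in PEM armor so PHP's OpenSSL functions accept it.
    $clean = preg_replace('/\s+/', '', $b64);
    return "-----BEGIN CERTIFICATE-----\n"
        . chunk_split($clean, 64, "\n")
        . "-----END CERTIFICATE-----\n";
}

function verify_posted_signature(string $data, string $sigB64, string $certB64): bool
{
    $signature = base64_decode($sigB64, true);   // strict mode rejects non-base64 input
    if ($signature === false) {
        return false;
    }
    $publicKey = openssl_pkey_get_public(der_base64_to_pem($certB64));
    if ($publicKey === false) {
        return false;                             // certificate could not be parsed
    }
    // openssl_verify returns 1 (valid), 0 (invalid) or -1/false (error); accept only 1.
    return openssl_verify($data, $signature, $publicKey, OPENSSL_ALGO_SHA256) === 1;
}

// --- Constructed sample: throwaway key and self-signed certificate, generated locally ---
$key  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr  = openssl_csr_new(['commonName' => 'example-sender'], $key, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => 'sha256']);
openssl_x509_export($cert, $pem);

// Reduce the PEM to the bare base64 form the post describes.
$senders_certificate = preg_replace('/-----[A-Z ]+-----|\s+/', '', $pem);

$unsigned_data = "123456789";
openssl_sign($unsigned_data, $rawSig, $key, OPENSSL_ALGO_SHA256);
$posted_signature = base64_encode($rawSig);

var_dump(verify_posted_signature($unsigned_data, $posted_signature, $senders_certificate)); // genuine data
var_dump(verify_posted_signature("123456780", $posted_signature, $senders_certificate));    // altered data
```

A successful result only shows that the data was signed by the key belonging to the certificate that arrived with it. To tie the signature to a known sender, the certificate itself still has to be matched against a pinned copy or validated up to a trusted CA.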