mirror of
https://github.com/php/php-src.git
synced 2024-10-04 16:26:13 +00:00
165 lines
4.7 KiB
Plaintext
165 lines
4.7 KiB
Plaintext
OpenSSL extension for PHP4
|
|
$Id$
|
|
|
|
The functions implemented so far make it possible to seal and open data,
|
|
and also create and verify signatures. To enable the extension, configure
|
|
PHP with --with-openssl.
|
|
|
|
|
|
Functions:
|
|
|
|
int openssl_get_privatekey(string key [, string passphrase])
|
|
|
|
Parses the key data and returns a key resource identifier. If the key is
|
|
encrypted a passphrase is needed. This can be supplied as second argument.
|
|
|
|
|
|
int openssl_get_publickey(string cert)
|
|
|
|
Extracts the public key from the given certificate and returns a key
|
|
resource identifier.
|
|
|
|
|
|
void openssl_free_key(int key)
|
|
|
|
Frees the resource given by the key resource identifier.
|
|
|
|
|
|
bool openssl_sign(string data, string signature, int key)
|
|
|
|
Uses key to create signature for data, returns true on success and false
|
|
on failure.
|
|
|
|
|
|
int openssl_verify(string data, string signature, int key)
|
|
|
|
Uses key to verify that the signature is correct for the given data.
|
|
Returns 1 if correct, 0 if incorrect, and -1 on error.
|
|
|
|
|
|
int openssl_seal(string data, string sealdata, array ekeys, array pubkeys)
|
|
|
|
Encrypts data using pubkeys, so that only owners of the respective private
|
|
keys and ekeys can decrypt and read the data. Returns the length of the
|
|
sealed data on success, else false.
|
|
|
|
|
|
bool openssl_open(string data, string opendata, string ekey, int privkey)
|
|
|
|
Opens (decrypts) sealed data using a private key and the corresponding
|
|
envelope key. Returns true on success and false on failure.
|
|
|
|
|
|
See below for more details on usage. Also feel free to mail me at
|
|
venaas@php.net if you have questions. The OpenSSL documentation,
|
|
especially the EVP documentation at
|
|
http://www.openssl.org/docs/crypto/evp.html, might also be of help.
|
|
|
|
|
|
HOWTO:
|
|
|
|
To do anything you need a private key and a certificate containing the
|
|
corresponding public key. This is similar to what you have using say an
|
|
Apache webserver with OpenSSL. For testing you could try keys that come
|
|
with OpenSSL, that's what the sample scripts below do. You can also get
|
|
keys from some CA, or you can create them yourself.
|
|
|
|
|
|
Creating private key
|
|
|
|
To generate an unprotected 1024 bit RSA private key you can do
|
|
|
|
openssl genrsa -out /tmp/test.key 1024
|
|
|
|
Private keys should be protected by a passphrase though.
|
|
|
|
|
|
Creating a self signed certificate
|
|
|
|
To generate a self signed certificate from the key that is valid for
|
|
365 days, do
|
|
|
|
openssl req -new -key /tmp/test.key -out /tmp/test.crt -days 365 -x509
|
|
|
|
|
|
Example usage
|
|
|
|
These examples use keys that come with OpenSSL, you should perhaps test with
|
|
those first.
|
|
|
|
|
|
Seal and open
|
|
|
|
<?php
|
|
$data = "Follow the white rabbit";
|
|
|
|
// Get certificate into a string
|
|
// this file comes with OpenSSL 0.9.6
|
|
$fp = fopen("/src/openssl-0.9.6/demos/maurice/cert.pem", "r");
|
|
$cert = fread($fp, 8192);
|
|
fclose($fp);
|
|
// get public key from certificate
|
|
$pk1 = openssl_get_publickey($cert);
|
|
// $pk1 is an encryption key resource id if success, else false
|
|
// Repeat if want public keys for multiple parties
|
|
|
|
$fp = fopen("/src/openssl-0.9.6/demos/sign/cert.pem", "r");
|
|
$cert = fread($fp, 8192);
|
|
fclose($fp);
|
|
$pk2 = openssl_get_publickey($cert);
|
|
|
|
// seal data, only owners of $pk1 and $pk2 can decrypt $sealed with keys
|
|
// $ekeys[0] and $ekeys[1] respectively.
|
|
openssl_seal($data, $sealed, $ekeys, array($pk1,$pk2));
|
|
openssl_free_key($pk1);
|
|
openssl_free_key($pk2);
|
|
|
|
// now we try to decrypt data for one of the recipients
|
|
$fp = fopen("/src/openssl-0.9.6/demos/sign/key.pem", "r");
|
|
// Get PEM coded key into $pkey
|
|
$pkey = fread($fp, 8192);
|
|
fclose($fp);
|
|
// $key will be resource id for unpacked $pkey
|
|
$key = openssl_get_privatekey($pkey);
|
|
|
|
openssl_open($sealed, $open, $ekeys[1], $key);
|
|
openssl_free_key($key);
|
|
echo "$open\n";
|
|
?>
|
|
|
|
|
|
Sign and verify
|
|
|
|
<?php
|
|
$data = "Follow the white rabbit";
|
|
|
|
// First we need to have a string containing the private key in PEM format
|
|
// this file comes with OpenSSL 0.9.6
|
|
$fp = fopen("/src/openssl-0.9.6/demos/sign/key.pem", "r");
|
|
$pkey = fread($fp, 8192);
|
|
fclose($fp);
|
|
|
|
// get private key from the PEM format
|
|
// $key is an encr key resource id if success, else false
|
|
$key = openssl_get_privatekey($pkey);
|
|
|
|
// calculate signature
|
|
openssl_sign($data, $signature, $key);
|
|
openssl_free_key($key);
|
|
|
|
// recipient verifies signature
|
|
// read certificate
|
|
$fp = fopen("/src/openssl-0.9.6/demos/sign/cert.pem", "r");
|
|
$cert = fread($fp, 8192);
|
|
fclose($fp);
|
|
|
|
// Get public key from the certificate
|
|
$pubkey = openssl_get_publickey($cert);
|
|
|
|
// state whether signature is okay or not
|
|
echo openssl_verify($data, $signature, $pubkey) == 1 ? "ok\n" : "bad\n";
|
|
|
|
// free key
|
|
openssl_free_key($pubkey);
|
|
?>
|