OpenSSL

Introduction
Installing/Configuring
Predefined Constants
Key/Certificate parameters
Certificate Verification
OpenSSL Functions
- openssl_cipher_iv_length — Gets the cipher iv length
- openssl_cipher_key_length — Gets the cipher key length
- openssl_cms_decrypt — Decrypt a CMS message
- openssl_cms_encrypt — Encrypt a CMS message
- openssl_cms_read — Export the CMS file to an array of PEM certificates
- openssl_cms_sign — Sign a file
- openssl_cms_verify — Verify a CMS signature
- openssl_csr_export — Exports a CSR as a string
- openssl_csr_export_to_file — Exports a CSR to a file
- openssl_csr_get_public_key — Returns the public key of a CSR
- openssl_csr_get_subject — Returns the subject of a CSR
- openssl_csr_new — Generates a CSR
- openssl_csr_sign — Sign a CSR with another certificate (or itself) and generate a certificate
- openssl_decrypt — Decrypts data
- openssl_dh_compute_key — Computes shared secret for public value of remote DH public key and local DH key
- openssl_digest — Computes a digest
- openssl_encrypt — Encrypts data
- openssl_error_string — Return openSSL error message
- openssl_free_key — Free key resource
- openssl_get_cert_locations — Retrieve the available certificate locations
- openssl_get_cipher_methods — Gets available cipher methods
- openssl_get_curve_names — Gets list of available curve names for ECC
- openssl_get_md_methods — Gets available digest methods
- openssl_get_privatekey — Alias of openssl_pkey_get_private
- openssl_get_publickey — Alias of openssl_pkey_get_public
- openssl_open — Open sealed data
- openssl_pbkdf2 — Generates a PKCS5 v2 PBKDF2 string
- openssl_pkcs12_export — Exports a PKCS#12 Compatible Certificate Store File to variable
- openssl_pkcs12_export_to_file — Exports a PKCS#12 Compatible Certificate Store File
- openssl_pkcs12_read — Parse a PKCS#12 Certificate Store into an array
- openssl_pkcs7_decrypt — Decrypts an S/MIME encrypted message
- openssl_pkcs7_encrypt — Encrypt an S/MIME message
- openssl_pkcs7_read — Export the PKCS7 file to an array of PEM certificates
- openssl_pkcs7_sign — Sign an S/MIME message
- openssl_pkcs7_verify — Verifies the signature of an S/MIME signed message
- openssl_pkey_derive — Computes shared secret for public value of remote and local DH or ECDH key
- openssl_pkey_export — Gets an exportable representation of a key into a string
- openssl_pkey_export_to_file — Gets an exportable representation of a key into a file
- openssl_pkey_free — Frees a private key
- openssl_pkey_get_details — Returns an array with the key details
- openssl_pkey_get_private — Get a private key
- openssl_pkey_get_public — Extract public key from certificate and prepare it for use
- openssl_pkey_new — Generates a new private key
- openssl_private_decrypt — Decrypts data with private key
- openssl_private_encrypt — Encrypts data with private key
- openssl_public_decrypt — Decrypts data with public key
- openssl_public_encrypt — Encrypts data with public key
- openssl_random_pseudo_bytes — Generate a pseudo-random string of bytes
- openssl_seal — Seal (encrypt) data
- openssl_sign — Generate signature
- openssl_spki_export — Exports a valid PEM formatted public key signed public key and challenge
- openssl_spki_export_challenge — Exports the challenge associated with a signed public key and challenge
- openssl_spki_new — Generate a new signed public key and challenge
- openssl_spki_verify — Verifies a signed public key and challenge
- openssl_verify — Verify signature
- openssl_x509_check_private_key — Checks if a private key corresponds to a certificate
- openssl_x509_checkpurpose — Verifies if a certificate can be used for a particular purpose
- openssl_x509_export — Exports a certificate as a string
- openssl_x509_export_to_file — Exports a certificate to file
- openssl_x509_fingerprint — Calculates the fingerprint, or digest, of a given X.509 certificate
- openssl_x509_free — Free certificate resource
- openssl_x509_parse — Parse an X509 certificate and return the information as an array
- openssl_x509_read — Parse an X.509 certificate and return an object for it
- openssl_x509_verify — Verifies digital signature of x509 certificate against a public key
OpenSSLCertificate — The OpenSSLCertificate class
OpenSSLCertificateSigningRequest — The OpenSSLCertificateSigningRequest class
OpenSSLAsymmetricKey — The OpenSSLAsymmetricKey class

Improve This Page

Learn How To Improve This Page • Submit a Pull Request • Report a Bug

User Contributed Notes 2 notes

down

15 years ago

I was having a heck of a time finding help on making asynchronous encryption/decryption using private key/public key systems working, and I had to have it for creating a credit card module that uses recurring billing.

You'd be a fool to use normal, 'synchronous' or two-way encryption for this, so the whole mcrypt library won't help.

But, it turns out OpenSSL is extremely easy to use...yet it is so sparsely documented that it seems it would be incredibly hard.

So I share my day of hacking with you - I hope you find it helpful!

<?php

if (isset($_SERVER['HTTPS']) )
{
    echo "SECURE: This page is being accessed through a secure connection.<br><br>";
}
else
{
    echo "UNSECURE: This page is being access through an unsecure connection.<br><br>";
}

// Create the keypair
$res=openssl_pkey_new();

// Get private key
openssl_pkey_export($res, $privatekey);

// Get public key
$publickey=openssl_pkey_get_details($res);
$publickey=$publickey["key"];

echo "Private Key:<BR>$privatekey<br><br>Public Key:<BR>$publickey<BR><BR>";

$cleartext = '1234 5678 9012 3456';

echo "Clear text:<br>$cleartext<BR><BR>";

openssl_public_encrypt($cleartext, $crypttext, $publickey);

echo "Crypt text:<br>$crypttext<BR><BR>";

openssl_private_decrypt($crypttext, $decrypted, $privatekey);

echo "Decrypted text:<BR>$decrypted<br><br>";
?>

Many thanks to other contributors in the docs for making this less painful.

Note that you will want to use these sorts of functions to generate a key ONCE - save your privatekey offline for decryption, and put your public key in your scripts/configuration file. If your data is compromised you don't care about the encrypted stuff or the public key, it's only the private key and cleartext that really matter.

Good luck!

down

-5

koen dot thomeer at pubmed dot be ¶

16 years ago

For checking the status of a client certificate using OCSP, you can use this script:

<?php
// User variables:
$dir = '/path/to/temp/'; // Directory where apache has access to (chmod 777).
$RootCA = '/path/to/Root.cer'; // Points to the Root CA in PEM format.
$OCSPUrl = 'http://ocsp.url'; //Points to the OCSP URL
// Script:
$a = rand(1000,99999); // Needed if you expect more page clicks in one second!
file_put_contents($dir.$a.'cert_i.pem', $_SERVER['SSL_CLIENT_CERT_CHAIN_0']); // Issuer certificate.
file_put_contents($dir.$a.'cert_c.pem', $_SERVER['SSL_CLIENT_CERT']); // Client (authentication) certificate.
$output = shell_exec('openssl ocsp -CAfile '.$RootCA.' -issuer '.$dir.$a.'cert_i.pem -cert '.$dir.$a.'cert_c.pem -url '.$OCSPUrl);
$output2 = preg_split('/[\r\n]/', $output);
$output3 = preg_split('/: /', $output2[0]);
$ocsp = $output3[1];
echo "OCSP status: ".$ocsp; // will be "good", "revoked", or "unknown"
unlink($dir.$a.'cert_i.pem');
unlink($dir.$a.'cert_c.pem');
?>

It can be ameliorated, but it's just a beginning!

Normally, you can extract the ocsp url from the client certificate. Also, an OCSP request contains only the hash of the issuer name, the hash of the issuer's key, and the serial number of the client certificate. All three can be extracted directly from the client certificate.

＋add a note