PGP encryption doesn't work
Posted: Fri Jan 09, 2004 9:31 am
I have finished setting up a web database-driven site with php and mysql. The only thing that is left to finish is the pgp encryption part. In this site, a customer can use his/her credit card to order a product. The credit card data are sent through a form with SSL and when the data arrive at the server that contains the site, the data are GNU-gpg encrypted and then e-mailed to the computer of the owner of the company that sells the product (the owner then decrypts the data with his private key). The cc data submit takes place only when a new customer is registered in the company database, or when he modifies his data.
I am testing the site on the running server, and I have created a temporary pgp key-pair through a "Manage OpenPGP Keys" utility of the server in order to test the pgp encryption (if this is of any help, the server has a cPanelX utilities page through which the site administrator can do certain things).
The characteristics of the server are:
Operating system Linux
Kernel version 2.4.23-ow2
Apache version 1.3.29 (Unix)
Path to sendmail /usr/sbin/sendmail
PHP version 4.3.4
MySQL version 4.0.15-standard
cPanel Build 8.5.3-STABLE 3
My problem is that although the credit card data is submitted through the form, it doesn't get encrypted and therefore it is not e-mailed to the computer of the company owner (temporarily, for testing purposes I have set this e-mail address to my e-mail so I can check the code from my own computer).
I give you some paths from the server:
gpg path: /usr/bin/gpg
$keyring_location="/home/patrino/.gnupg";
Below, I am presenting all the php code related to the pgp data encryption.
When the customer submits the form with the credit card data the "process_card.php" script runs:
Listing of process_card.php:
Listing of process_card() function:
Now, this is maybe the part where the problem lies.
Listing of pgp_encrypt() function:
I really have tried different syntax alternatives in the pgp command but it doesn't work.
Is there something wrong with my code, or is it OK (if it is OK, is there something I should check with the server paths?)
I appreciate any help
Listing of process_card.php:
Code:
<?php
session_start(); //to get the value of $valid_user in order to pass it to the display_order_confirm() function
require_once("user_auth_fns.php");
require_once("output_fns.php");
foreach ($_POST as $name=>$value) {
    if (empty($value)) {
        echo "you didnt fill in all the data. Please try again";
        // code to display credit card form
        exit();
    }
}
if (process_card($valid_user, $_POST['cardtype'], $_POST['cardno'], $_POST['month_expir'], $_POST['year_expir'], $_POST['cardholder'])) {
    // code for displaying message that says that credit card data were sent
}
else {
    echo "<br>your credit card data couldnot be sent<br> try again.";
    // code for displaying the credit card form
    exit();
}
?>
Listing of process_card() function:
Code:
//the method here is that the card data are sent via an encrypted (by GPG) email to the mail server of the company's owner
function process_card($username, $cardtype, $cardno, $month_expir, $year_expir, $cardholder)
{
    global $keyring_location, $public_key_id, $viotopos_email; //these values are taken from an included script named "init.php"
    //code to check correct user input first
    $to_email = $company_owner_email; //taken from init.php
    $title="cc data";
    $body="cc data for the customer with user name: $username"; //$username is a local variable
    $body .="<br>cardtype: $cardtype\r\n card no: $cardno\r\n month expiry: $month_expir\r\n year expir: $year_expir\r\n cardholder: $cardholder"; //these are the form submitted variables
    $encrypted_text=pgp_encrypt($keyring_location, $public_key_id, $body);
    if(empty($encrypted_text) || $encrypted_text=="") {
        echo "<br>your cc data could not be encrypted";
        return false;
    }
    if (mail($to_email, $title, $encrypted_text)==true) {
        echo "cc data were sent encrypted";
        return true;
    }
    elseif(mail($to_email, $title, $body)==false) {
        return false;
    }
}
Listing of pgp_encrypt() function:
Code:
function pgp_encrypt($keyring_location, $public_key_id, $plain_text)
{
    global $gpg;
    $key_id = EscapeShellArg($public_key_id);
    // encrypt the message
    $pipe=popen("/usr/bin/gpg/gpg --recipient $key_id --armor --no-secmemwarning --always-trust --homedir $keyring_location --encrypt &>~/pgp_error.txt", "r");
    fwrite($pipe, $plain_text);
    $encrypted_text = '';
    while($s = fgets($pipe, 1024)) {
        // read from the pipe
        $encrypted_text .= $s;
    }
    pclose($pipe);
    //below is another alternative encryption code which still doesn't work
    //alternative encryption code 2
    //exec('echo ' . escapeshellarg($plain_text) . '| ' . $gpg . ' -ear ' . $key_id . ' --batch --no-secmemwarning --always-trust --homedir ' . $keyring_location, $resultarray);
    //$encrypted_text = join('',$resultarray);
    return $encrypted_text;
}
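
The encryption step with a two-way pipe, as an added example that is not part of the original post. It differs from the posted function in three ways: it calls gpg at /usr/bin/gpg (the path given in the post), it uses proc_open() because a popen() handle opened with "r" cannot be written to, and it reads gpg's stderr and exit status instead of redirecting to a file. Assumptions: the function name gpg_encrypt_for() and the key ID are hypothetical, the web server user can read the keyring directory, and the PHP version has stream_get_contents() (PHP 5 or later).

```php
<?php
// Added example, not the poster's code. Assumes gpg is at /usr/bin/gpg (the
// path given in the post) and that the web server user can read $homedir.
function gpg_encrypt_for($homedir, $recipient, $plaintext, &$error)
{
    // GnuPG spells the warning switch --no-secmem-warning.
    $cmd = '/usr/bin/gpg --batch --no-tty --armor --always-trust --no-secmem-warning'
         . ' --homedir ' . escapeshellarg($homedir)
         . ' --recipient ' . escapeshellarg($recipient)
         . ' --encrypt';

    // popen() is one-way; proc_open() gives separate stdin, stdout and stderr.
    $spec = array(
        0 => array('pipe', 'r'),  // gpg reads the plaintext here
        1 => array('pipe', 'w'),  // gpg writes the armored ciphertext here
        2 => array('pipe', 'w'),  // diagnostics, instead of "&>~/pgp_error.txt"
    );
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        $error = 'could not start gpg';
        return false;
    }

    fwrite($pipes[0], $plaintext);
    fclose($pipes[0]);            // EOF on stdin, otherwise gpg keeps waiting

    $ciphertext = stream_get_contents($pipes[1]);
    $error      = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);  // gpg exits non-zero on failure

    // Accept the result only if gpg succeeded and produced an armored message.
    if ($status !== 0 || strpos($ciphertext, '-----BEGIN PGP MESSAGE-----') !== 0) {
        return false;
    }
    return $ciphertext;
}

// Constructed sample values; the key ID is a placeholder.
$out = gpg_encrypt_for('/home/patrino/.gnupg', 'PLACEHOLDER_KEY_ID', "test message\n", $err);
if ($out === false) {
    error_log('gpg failed: ' . trim($err));  // log the reason, never the plaintext
} else {
    echo $out;
}
```

When the call fails, the text captured from stderr is the first thing to read: it names a missing key, an unreadable keyring directory or a rejected option directly.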