OpenSSL Encryption Class

Posted: Tue Jul 29, 2003 2:15 am
by dbalatero
I wrote an encryption class using the openssl functions (http://www.php.net/openssl), which I made with the purpose of encrypting credit card numbers.

Do not store a private key on the server box, however: have an SSL form available to upload it in a private admin section of the site if you are decrypting something like credit card numbers, and have it delete the key after logout or after a 5-minute delay.

Anyways, handling that security is your choice, here's the class for encrypting and decrypting using a public/private keypair:

<?php
/************************************
 * class OpenSSLCrypt
 *
 * Encrypts and decrypts strings based on
 * public/private RSA keypair.
 *
 * library written by David Balatero <david@metatank.net>
 *
 * EXAMPLE USAGE:
	$public_key_path = "/usr/web/mycert.crt";
	$private_key_path = "/usr/web/mykey.key";
	$passphrase = "mypassphrase";

	$Crypt = new OpenSSLCrypt($public_key_path, $private_key_path);
	$Crypt->SetPassphrase($passphrase);
	$string = "1234 5678 9012 3456"; // credit card number
	$encrypted_string = $Crypt->Encrypt($string);
	$decrypted_string = $Crypt->Decrypt($encrypted_string);

	echo "Encrypted String: $encrypted_string<br>";
	echo "Decrypted String: $decrypted_string";
 *
 * HOW-TO GENERATE KEYPAIRS
 *
 * [db@logic home]$ /usr/local/ssl/bin/openssl req -x509 -newkey rsa:1025 -days 10950 -keyout mykey.key -out mycert.crt
 */

class OpenSSLCrypt {
	var $public_key;   // path to the PEM certificate (or public key) file
	var $private_key;  // path to the PEM private key file
	var $passphrase;   // passphrase protecting the private key

	function OpenSSLCrypt($public_key, $private_key) {
		$this->public_key = $public_key;
		$this->private_key = $private_key;
	}

	function SetPassphrase($phrase) {
		$this->passphrase = $phrase;
	}

	function Encrypt($string) {
		// read the PEM certificate and extract the public key from it
		$pem = file_get_contents($this->public_key);
		$key = openssl_get_publickey($pem);
		if ($key === false) {
			return false; // unreadable or malformed certificate
		}

		// encrypt with the public key
		openssl_public_encrypt($string, $encrypted_string, $key);
		return $encrypted_string;
	}

	function Decrypt($string) {
		// load the private key from disk, unlocking it with the passphrase
		$key = openssl_get_privatekey(array("file://" . $this->private_key, $this->passphrase));
		if ($key === false) {
			return false; // wrong passphrase or unreadable key file
		}
		openssl_private_decrypt($string, $decrypted_string, $key);

		return $decrypted_string;
	}
}
?>
Comments/questions appreciated.

Posted: Tue Jul 29, 2003 2:27 am
by jason
Overall, that's pretty nifty, and I will probably steal it for my own use. =)

One thing that is a potential problem, however, is the requirement for passing both the public and private key to the object. Maybe a simple set of setPublicKey() and setPrivateKey() methods might work out better?

Anyways, I will probably steal this, and implement it into the Eclipse CE lib (with attribution, of course), and reimplement some of the things to use Eclipse CE objects, like file handling and such.

I haven't tried it out, however, but I plan to. Cool stuff. You might want to also consider posting it to http://www.phpclasses.org.

Posted: Tue Jul 29, 2003 2:42 am
by dbalatero
Posted it there, Jason. The next thing to do is for me to add support for either passing the private key and public key by filepath or from the $_FILES array (in case of upload).

Posted: Tue Jul 29, 2003 7:40 am
by Stoker
The only thing that I do not like about it is the requirement that the private key be stored on disk. It should be kept as a variable only, and if it needs to be stored for a short amount of time, use session vars; of course the session data should be protected with a time-limited cookie key and a symmetric cipher or something like that.

Posted: Tue Jul 29, 2003 8:41 am
by jason
Yeah, Stoker has a point there. If you could just pass the contents of the file, that would be even better.

I wouldn't worry about implementing $_FILES stuff directly into the class. Keep the class light. Don't add features that don't need to be there. Just have the programmer pass the contents of the private key file, and that's all you have to do. Let other things handle uploading of files, etc. That's not the idea of this class.

There is a correct term for adding too many features to a class, though I can't remember it (Super class?), but basically it amounts to Feature Bloat. Small, efficient classes are sexy. Fat ones are not. Keep it thin, dude.
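Following Stoker's and jason's suggestion, here is an added example (not dbalatero's class or any project's code) of the same RSA flow taking PEM key contents instead of file paths, so the private key only ever lives in a variable for the request; the class name, the OAEP padding, the plaintext length check and the base64 wrapping are my choices, not from the thread.

```php
// Added example, not the class posted above: the caller passes PEM key
// *contents* (e.g. from an upload or a session variable), so no private
// key has to sit on disk. Uses OAEP padding and checks every return value.
class OpenSSLCryptInMemory
{
    private $publicKey;   // key handle from the certificate or public key PEM
    private $privateKey;  // key handle, or null when only encrypting
    public function __construct($publicPem, $privatePem = null, $passphrase = '')
    {
        // openssl_pkey_get_public accepts either a certificate or a bare public key PEM
        $this->publicKey = openssl_pkey_get_public($publicPem);
        if ($this->publicKey === false) {
            throw new RuntimeException('Bad public key: ' . openssl_error_string());
        }
        if ($privatePem !== null) {
            $this->privateKey = openssl_pkey_get_private($privatePem, $passphrase);
            if ($this->privateKey === false) {
                throw new RuntimeException('Bad private key: ' . openssl_error_string());
            }
        }
    }
    // RSA can only encrypt a message shorter than the modulus minus the padding
    // overhead (42 bytes for OAEP with SHA-1), so refuse anything larger up front
    // instead of letting openssl fail with an unhelpful error.
    public function encrypt($plaintext)
    {
        $bits = openssl_pkey_get_details($this->publicKey)['bits'];
        $max  = intdiv($bits, 8) - 42;
        if (strlen($plaintext) > $max) {
            throw new LengthException("Plaintext exceeds $max bytes for this key size");
        }
        if (!openssl_public_encrypt($plaintext, $out, $this->publicKey, OPENSSL_PKCS1_OAEP_PADDING)) {
            throw new RuntimeException('Encrypt failed: ' . openssl_error_string());
        }
        return base64_encode($out); // safe to store in a text column
    }
    public function decrypt($ciphertextB64)
    {
        if ($this->privateKey === null) {
            throw new LogicException('No private key loaded in this request');
        }
        $raw = base64_decode($ciphertextB64, true);
        if ($raw === false ||
            !openssl_private_decrypt($raw, $out, $this->privateKey, OPENSSL_PKCS1_OAEP_PADDING)) {
            throw new RuntimeException('Decrypt failed: ' . openssl_error_string());
        }
        return $out;
    }
}
```

A card number fits comfortably under the limit for a 1024-bit key (86 bytes with OAEP); anything longer should be encrypted with a symmetric cipher whose key is then RSA-encrypted.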