ID: 48632
User updated by: yonas dot y at gmail dot com
Reported By: yonas dot y at gmail dot com
Status: Open
Bug Type: Feature/Change Request
Operating System: Ubuntu Jaunty
PHP Version: 5.2.10
New Comment:
This patch allows users to encrypt their private key using the
following ciphers:
PHP_OPENSSL_CIPHER_RC2_40,
PHP_OPENSSL_CIPHER_RC2_128,
PHP_OPENSSL_CIPHER_RC2_64,
PHP_OPENSSL_CIPHER_DES,
PHP_OPENSSL_CIPHER_3DES,
PHP_OPENSSL_CIPHER_AES_128_CBC,
PHP_OPENSSL_CIPHER_AES_192_CBC,
PHP_OPENSSL_CIPHER_AES_256_CBC
Example:
<?php
// Create the keypair
$res=openssl_pkey_new();
$configargs = array(
'private_key_bits' => 2048,
'private_key_type' => OPENSSL_KEYTYPE_RSA,
'encrypt_key' => true,
'encrypt_key_cipher' => OPENSSL_CIPHER_AES_256_CBC
);
// Get private key
openssl_pkey_export($res, $privkey, "PassPhrase number 1",
$configargs);
var_dump( $privkey );
?>
--- ext/openssl/openssl.c.orig 2009-06-22 06:39:35.000000000 -0400
+++ ext/openssl/openssl.c 2009-06-22 08:13:39.000000000 -0400
@@ -83,6 +83,9 @@
PHP_OPENSSL_CIPHER_RC2_64,
PHP_OPENSSL_CIPHER_DES,
PHP_OPENSSL_CIPHER_3DES,
+ PHP_OPENSSL_CIPHER_AES_128_CBC,
+ PHP_OPENSSL_CIPHER_AES_192_CBC,
+ PHP_OPENSSL_CIPHER_AES_256_CBC,
PHP_OPENSSL_CIPHER_DEFAULT = PHP_OPENSSL_CIPHER_RC2_40
};
@@ -517,6 +520,7 @@
int priv_key_encrypt;
EVP_PKEY * priv_key;
+ const EVP_CIPHER * priv_key_encrypt_cipher;
};
/* }}} */
@@ -743,6 +747,9 @@
else \
varname = defval
+
+static const EVP_CIPHER * php_openssl_get_evp_cipher_from_algo(long
algo);
+
static int php_openssl_parse_config(struct php_x509_request * req,
zval * optional_args TSRMLS_DC) /* {{{ */
{
char * str;
@@ -794,6 +801,19 @@
}
}
+ if (req->priv_key_encrypt && optional_args &&
zend_hash_find(Z_ARRVAL_P(optional_args), "encrypt_key_cipher",
sizeof("encrypt_key_cipher"), (void**)&item) == SUCCESS) {
+ long cipher_algo = Z_LVAL_PP(item);
+ const EVP_CIPHER* cipher =
php_openssl_get_evp_cipher_from_algo(cipher_algo);
+ if (cipher == NULL) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown
cipher algorithm for private key.");
+ return FAILURE;
+ } else {
+ req->priv_key_encrypt_cipher = cipher;
+ }
+ } else {
+ req->priv_key_encrypt_cipher = NULL;
+ }
+
/* digest alg */
if (req->digest_name == NULL) {
req->digest_name = CONF_get_string(req->req_config,
req->section_name, "default_md");
@@ -940,6 +960,17 @@
return EVP_des_ede3_cbc();
break;
#endif
+#ifndef OPENSSL_NO_AES
+ case PHP_OPENSSL_CIPHER_AES_128_CBC:
+ return EVP_aes_128_cbc();
+ break;
+ case PHP_OPENSSL_CIPHER_AES_192_CBC:
+ return EVP_aes_192_cbc();
+ break;
+ case PHP_OPENSSL_CIPHER_AES_256_CBC:
+ return EVP_aes_256_cbc();
+ break;
+#endif
default:
return NULL;
break;
@@ -1017,6 +1048,11 @@
REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_DES", PHP_OPENSSL_CIPHER_DES,
CONST_CS|CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_3DES",
PHP_OPENSSL_CIPHER_3DES, CONST_CS|CONST_PERSISTENT);
#endif
+#ifndef OPENSSL_NO_AES
+ REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_AES_128_CBC",
PHP_OPENSSL_CIPHER_AES_128_CBC, CONST_CS|CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_AES_192_CBC",
PHP_OPENSSL_CIPHER_AES_192_CBC, CONST_CS|CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_AES_256_CBC",
PHP_OPENSSL_CIPHER_AES_256_CBC, CONST_CS|CONST_PERSISTENT);
+#endif
/* Values for key types */
REGISTER_LONG_CONSTANT("OPENSSL_KEYTYPE_RSA", OPENSSL_KEYTYPE_RSA,
CONST_CS|CONST_PERSISTENT);
@@ -2984,7 +3020,11 @@
bio_out = BIO_new_file(filename, "w");
if (passphrase && req.priv_key_encrypt) {
+ if (req.priv_key_encrypt_cipher) {
+ cipher = req.priv_key_encrypt_cipher;
+ } else {
cipher = (EVP_CIPHER *) EVP_des_ede3_cbc();
+ }
} else {
cipher = NULL;
}
@@ -3035,7 +3076,11 @@
bio_out = BIO_new(BIO_s_mem());
if (passphrase && req.priv_key_encrypt) {
+ if (req.priv_key_encrypt_cipher) {
+ cipher = req.priv_key_encrypt_cipher;
+ } else {
cipher = (EVP_CIPHER *) EVP_des_ede3_cbc();
+ }
} else {
cipher = NULL;
}
Previous Comments:
------------------------------------------------------------------------
[2009-06-21 21:11:01] yonas dot y at gmail dot com
Description:
------------
I'd like to export an AES encrypted private key using
openssl_pkey_export. The OpenSSL command-line supports AES, so this
shouldn't be hard to implement:
yo...@yonas-laptop:/usr/share/php/ZendFramework/library/Zend$ openssl
list-cipher-commands
aes-128-cbc
aes-128-ecb
aes-192-cbc
aes-192-ecb
aes-256-cbc
aes-256-ecb
Thanks for your help!!
Cheers,
Yonas
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=48632&edit=1
