233
9.3 OpenSSL Support in PHP
PHP is a scripting language that is used primarily, if not exclusively, on the Web. It is normally HTML-embedded, although it is also capable of running as a CGI script. It boasts an extensive
library of functions that provide interfaces to a wide variety of common external libraries and services, such as LDAP and MySQL. PHP-4.04pl1 introduced experimental support for OpenSSL.
At the time of this writing, the current version of PHP is 4.1.1, and OpenSSL support is still considered experimental. Current versions of PHP require OpenSSL Version 0.9.5 or later.
Since PHPs support for OpenSSL is considered experimental, anything relating to the implementation could still change, including the function names, parameters, and return values.
The support for OpenSSL in PHP is more limited than Perl or Pythons support, but sufficient functionality does exist to make it moderately useful. Support for encryption, signing, SMIME,
key generation, and X.509 certificate manipulation is included.
PHPs OpenSSL functions are high-level abstractions from the OpenSSL API. Unlike Perl or Python, none of the low-level OpenSSL API is exposed directly. While this simplifies the usage of
OpenSSL greatly, it also restricts its capabilities. As newer versions of PHP have been released, new OpenSSL functionality has been introduced. We recommend that you use the latest version of
PHP available to you if you wish to make use of its OpenSSL functionality.
9.3.1 General Functions
The PHP OpenSSL extension provides four functions required for the more specific functionality offered by the extension. These functions provide a mechanism for error reporting as well as
private and public key management. In particular, many of the more specific functions require a public or private key, which are often supplied as a key resource. Key resources can be obtained
from any one of the sources listed below, but in all cases the key data obtained from an external source must be PEM-encoded because PHP provides no support for reading DER-encoded data:
•
The resource retreived from a prior call to either
openssl_get_publickey
or
openssl_get_privatekey •
An X.509 resource for public keys
•
A string that specifies a filename to read the key from
•
A string that contains the key data
•
An array that contains the key as a string representing a filename or containing the key data and the passphrase required to decrypt the key
In Version 4.0.5 or later of PHP, any of the inputs to
openssl_get_privatekey
,
openssl_get_publickey
, or
openssl_x509_read
, which return key or certificate resources, can be used as the key or certificate resource to the function requiring the key or
certificate resource. The earlier versions of the OpenSSL extension required the use of the three aforementioned functions, but versions that are more recent do not. If youll be using the same key
or certificate more than once, it is generally a good idea to use the functions to obtain a resource rather than obtaining it each time you need to use it.
mixed openssl_error_stringvoid This function pops the most recent error from OpenSSLs error stack and returns a string
representation of the error. If the stack is empty, the return from this function will be false. The string returned will be an English representation of the error as returned from the
OpenSSL function
ERR_error_string
. Note that OpenSSL pushes errors onto a stack, and that this function pops only one error from that stack. Call this function repeatedly
until it returns false in order to get all of the available error information when an error occurs.
234
resource openssl_get_privatekeymixed key [, string passphrase] This function creates a key resource for a private key. The first argument,
key
, can be one of three representations of a public key: a string beginning with file: that contains
the name of the file containing the private key data, a string that contains the private key data, or an array that contains the key information. If an array is used, the first element
should be either a string that contains the name of the file containing the key data, or the key data. The second element should be the passphrase to decrypt the key. The optional
argument,
passphrase
, should be a string containing the passphrase required to decrypt the key if one is necessary.
The return from this function is false if an error occurs;
openssl_error_string
should be used to obtain error information. If the key is successfully loaded and decrypted, the return will be a PHP resource for the key. When youre done using the key resource,
you should use
openssl_free_key
to release it. resource openssl_get_publickeymixed certificate
This function creates a key resource for a public key. The first argument,
key
, can be one of three representations of a certificate from which the public key will be extracted: a
certificate resource, a string beginning with file: that contains the name of the file containing the certificate data, or a string that contains the certificate data.
The return from this function is false if an error occurs;
openssl_error_string
should be used to obtain error information. If the key is successfully extracted from the certificate, the return will be a PHP resource for the key. When youre done using the key
resource, you should use
openssl_free_key
to release it. void openssl_free_keyresource key
This function releases a key resource that was previously obtained from either
openssl_get_privatekey
or
openssl_get_publickey
. You should call this function to free any internal resources that are associated with a PHP key resource when
you are through using it.
9.3.2 Certificate Functions