236
Table 9-2. Keys for the array returned by openssl_x509_parse Key name
Data type
Description
name
string The name assigned to the certificate, if it has one. This key may not
be present.
subject
array An associative array that contains all of the fields comprising the
subjects distinguished name, such as
commonName
,
organizationName
, etc. The
shortnames
argument affects the keys in this array.
issuer
array An associative array that contains all of the fields comprising the
issuers distinguished name. The
shortnames
argument affects the keys in this array.
version
long The X.509
version.
serialNumber
long The certificates serial number.
validFrom
string A string representation of the date the certificate is valid from.
validTo
string A string representation of the date the certificate is valid to.
validFrom_time_t
long A
time_t
integer representation of the date the certificate is valid from number of seconds since Jan 1, 1970 00:00:00 GMT.
validTo_time_t
long A
time_t
integer representation of the date the certificate is valid to.
alias
string The alias assigned to the certificate, if it has one. This key may not
be present.
purposes
array Each element in this array represents a purpose that is supported by
OpenSSL. The index values of this array correspond to the constants listed in
Table 9-1 . Each element of that array is another
array containing three elements. The first two are bools. The first indicates whether the certificate may be used for that purpose, and
the second indicates whether the certificate is a CA. The third is a string representation of the purpose name, which is affected by the
shortnames
argument.
9.3.3 Encryption and Signing Functions
The OpenSSL extension provides wrappers around OpenSSLs high-level EVP suite of functions, which can be used for data encryption as well as for digital signing. The functions provided are
actually close mappings to the OpenSSL API functions; however, the PHP wrappers have imposed some limitations on them, most notably by limiting the cipher for encryption and decryption to
RC4, and the digest for signing and verification to SHA1. We hope that future versions of the extension will remove these limitations, allowing for much more flexibility and security.
There is another, potentially more serious problem with the encryption support in PHP. On systems in which the OpenSSL library cannot seed
the PRNG itself, PHP provides no means to seed it. The problem exists particularly on Unix systems without a devurandom device. On such
systems, we do not recommend that you use the PHP interface to OpenSSL unless there is another module loaded into the same server that
does initialize the OpenSSL PRNG, such as mod_ssl. This warning also holds for the SMIME functions that are described in the next section.
int openssl_sealstring data, string sealed_data, array env_keys, array pub_keys
237
This function is used for encrypting data. The data is encrypted using RC4 with a randomly generated secret key, which is then encrypted using a public key. The encrypted
data is known as sealed data, and the encrypted secret key is known as an envelope. The recipient must have the envelope, the sealed data, and the private key matching the public
key used to create the envelope to decrypt the sealed data. The function conveniently allows for multiple recipients by accepting an array of public keys.
The first argument,
data
, specifies the data that will be sealed. The second argument,
sealed_data
, receives the sealed data. The third argument,
env_keys
, receives the envelopes for each public key that is specified for the fourth argument,
pub_keys
. The public keys should be key resources returned by
openssl_get_publickey
. If an error occurs, the return value will be false; otherwise, it will be the length of the sealed data in
bytes. bool openssl_openstring sealed_data, string data, string env_key,
mixed key This function is used for decrypting data that was previously encrypted using
openssl_seal
. The first argument,
sealed_data
, is the data to be decrypted. The decrypted data is placed into the second argument,
data
. The third argument,
env_key
, specifies the envelope containing the encrypted secret key required to decrypt the sealed
data via RC4. The fourth argument,
key
, is the private key to use for decrypting the envelope to obtain the secret key. The private key should be specified as a key resource
obtained from
openssl_get_privatekey
. If the sealed data is decrypted successfully, the return from this function will be true, and
the decrypted data will be placed into the second argument,
data
. If an error occurs, the return will be false, and you should use
openssl_error_string
to obtain error information. Note that encrypted data not created with the PHP OpenSSL extension can
also be decrypted with this function, as long as it was encrypted using the RC4 cipher. bool openssl_signstring data, string signature, mixed key
This function signs data using the SHA1 message digest algorithm. The first argument,
data
, is the data to be signed. The second argument,
signature
, receives the resultant signature. The third argument,
key
, is a private key resource to use to sign the data, and should be a key resource obtained from
openssl_get_privatekey
. Anybody who has the public key that matches the private key used to sign the data can then verify the
signature. If the data is successfully signed, the signature will be placed into the second argument,
signature
, and the return from the function will be true. If an error occurs, the return will be false, and
openssl_error_string
should be used to obtain error information. int openssl_verifystring data, string signature, mixed key
This function is used for verifying the signature of a chunk of data using the SHA1 message digest algorithm. The first argument,
data
, is the signed data to be verified. The second argument,
signature
, is the signature of that data. The third argument,
key
, is the public key that matches the private key used to compute the signature.
If the signature is valid, the return from this function will be the integer value 1. If it is incorrect, but no other errors occurred, the return will be the integer value 0. If an error
occurs in the process of verifying the signature, the return will be the integer value -1, and
openssl_error_string
should be used to obtain error information. Note that data
238
not signed with the PHP OpenSSL extension can also be verified with this function, as long as it was signed using the SHA1 message digest algorithm.
9.3.4 PKCS7 SMIME Functions