236 Table 9-2. Keys for the array returned by openssl_x509_parse Key name Data type Description name string The name assigned to the certificate, if it has one. This key may not be present. subject array An associative array that contains all of the fields comprising the subjects distinguished name, such as commonName , organizationName , etc. The shortnames argument affects the keys in this array. issuer array An associative array that contains all of the fields comprising the issuers distinguished name. The shortnames argument affects the keys in this array. version long The X.509 version. serialNumber long The certificates serial number. validFrom string A string representation of the date the certificate is valid from. validTo string A string representation of the date the certificate is valid to. validFrom_time_t long A time_t integer representation of the date the certificate is valid from number of seconds since Jan 1, 1970 00:00:00 GMT. validTo_time_t long A time_t integer representation of the date the certificate is valid to. alias string The alias assigned to the certificate, if it has one. This key may not be present. purposes array Each element in this array represents a purpose that is supported by OpenSSL. The index values of this array correspond to the constants listed in Table 9-1 . Each element of that array is another array containing three elements. The first two are bools. The first indicates whether the certificate may be used for that purpose, and the second indicates whether the certificate is a CA. The third is a string representation of the purpose name, which is affected by the shortnames argument.

9.3.3 Encryption and Signing Functions

The OpenSSL extension provides wrappers around OpenSSLs high-level EVP suite of functions, which can be used for data encryption as well as for digital signing. The functions provided are actually close mappings to the OpenSSL API functions; however, the PHP wrappers have imposed some limitations on them, most notably by limiting the cipher for encryption and decryption to RC4, and the digest for signing and verification to SHA1. We hope that future versions of the extension will remove these limitations, allowing for much more flexibility and security. There is another, potentially more serious problem with the encryption support in PHP. On systems in which the OpenSSL library cannot seed the PRNG itself, PHP provides no means to seed it. The problem exists particularly on Unix systems without a devurandom device. On such systems, we do not recommend that you use the PHP interface to OpenSSL unless there is another module loaded into the same server that does initialize the OpenSSL PRNG, such as mod_ssl. This warning also holds for the SMIME functions that are described in the next section. int openssl_sealstring data, string sealed_data, array env_keys, array pub_keys 237 This function is used for encrypting data. The data is encrypted using RC4 with a randomly generated secret key, which is then encrypted using a public key. The encrypted data is known as sealed data, and the encrypted secret key is known as an envelope. The recipient must have the envelope, the sealed data, and the private key matching the public key used to create the envelope to decrypt the sealed data. The function conveniently allows for multiple recipients by accepting an array of public keys. The first argument, data , specifies the data that will be sealed. The second argument, sealed_data , receives the sealed data. The third argument, env_keys , receives the envelopes for each public key that is specified for the fourth argument, pub_keys . The public keys should be key resources returned by openssl_get_publickey . If an error occurs, the return value will be false; otherwise, it will be the length of the sealed data in bytes. bool openssl_openstring sealed_data, string data, string env_key, mixed key This function is used for decrypting data that was previously encrypted using openssl_seal . The first argument, sealed_data , is the data to be decrypted. The decrypted data is placed into the second argument, data . The third argument, env_key , specifies the envelope containing the encrypted secret key required to decrypt the sealed data via RC4. The fourth argument, key , is the private key to use for decrypting the envelope to obtain the secret key. The private key should be specified as a key resource obtained from openssl_get_privatekey . If the sealed data is decrypted successfully, the return from this function will be true, and the decrypted data will be placed into the second argument, data . If an error occurs, the return will be false, and you should use openssl_error_string to obtain error information. Note that encrypted data not created with the PHP OpenSSL extension can also be decrypted with this function, as long as it was encrypted using the RC4 cipher. bool openssl_signstring data, string signature, mixed key This function signs data using the SHA1 message digest algorithm. The first argument, data , is the data to be signed. The second argument, signature , receives the resultant signature. The third argument, key , is a private key resource to use to sign the data, and should be a key resource obtained from openssl_get_privatekey . Anybody who has the public key that matches the private key used to sign the data can then verify the signature. If the data is successfully signed, the signature will be placed into the second argument, signature , and the return from the function will be true. If an error occurs, the return will be false, and openssl_error_string should be used to obtain error information. int openssl_verifystring data, string signature, mixed key This function is used for verifying the signature of a chunk of data using the SHA1 message digest algorithm. The first argument, data , is the signed data to be verified. The second argument, signature , is the signature of that data. The third argument, key , is the public key that matches the private key used to compute the signature. If the signature is valid, the return from this function will be the integer value 1. If it is incorrect, but no other errors occurred, the return will be the integer value 0. If an error occurs in the process of verifying the signature, the return will be the integer value -1, and openssl_error_string should be used to obtain error information. Note that data 238 not signed with the PHP OpenSSL extension can also be verified with this function, as long as it was signed using the SHA1 message digest algorithm.

9.3.4 PKCS7 SMIME Functions