PHP

 
 
PHP (= Hypertext Preprocessor) is an HTML-embedded server-side scripting language.

PHP is distributed at no charge for commercial or non-commercial use. For more information read the LICENSE information.

More information about PHP can be found at: http://www.php.net

PHP manuals can be found at:
http://www.php.net/manual/en/
http://devzone.zend.com/manual/

The latest PHP version can be downloaded from: http://www.php.net/downloads.php







PHP 4 OpenSSL support



Information
none

Operating system used
Windows XP Home Edition Version 5.1 SP 2

Software prerequisites
PHP 4

Procedure
  1. Copy files:

    • C:\Tools\php-4.3.7-Win32\dlls\libeay32.dll
    • C:\Tools\php-4.3.7-Win32\dlls\ssleay32.dll

    to c:\WINDOWS\system32.


  2. Note:
    This step is not required. The location of the openssl.cnf can be specified in your php file.

    Set the environment variable OPENSSL_CONF. This variable points to the openssl.cnf file, which can be found in the C:\Tools\php-4.3.7-Win32\openssl directory, or it can point to another existing openssl.cnf file.

    e.g.: OPENSSL_CONF=C:\Tools\OpenSSL\bin\openssl.cnf

  3. Edit file c:\WINDOWS\php.ini. Change the following line:

    ;extension=php_openssl.dll

    into

    extension=php_openssl.dll

  4. Restart Apache.



  5. To check the OpenSSL installation, create a file phpinfo.php with the following line:

    <?php phpinfo(); ?>

    Save this file into your Apache htdocs directory and open http://localhost/phpinfo.php in your browser.

    You should see something like this:

    Screenshot A:
    PHP OpenSSL version

    Screenshot B:
    PHP OpenSSL version

    Screenshot C:
    PHP OpenSSL version

    Screenshot D:
    OpenSSL conf


  6. Note:
    This step is not required; it is for information only.

    Screenshot A displays "OpenSSL 0.9.7c 30 Sep 2003" which is caused by C:\Tools\php\extensions\php_openssl.dll.

    If you only replace c:\WINDOWS\system32\libeay32.dll with another version (see the tutorial Installing Apache 2 and SSL on Windows XP), you will notice that screenshot A remains the same, but screenshots B and C display another version.

  7. A code example showing how to use the PHP OpenSSL functions:

    openssl_demo.php

    When you run this code you will see the following:

    1. Initial setup

    The Certificate Signing Request (CSR):

    Certificate Signing Request as a file: csr_18G1E.pem

    The Certificate:

    Certificate as a file: certificate_18G1E.pem

    The Private Key:

    Private Key as a file: privatekey_18G1E.pem

    2. Encrypt and Decrypt text (Method A)

    The following function is used:
    openssl_seal()
    The function openssl_seal is intended for general encryption and decryption.
    There is no limit on the size of the string to be encrypted.
    2.1. Encrypt text
    The following text will be encrypted:


    The encrypted text looks like:


    The envelope key, returned during encryption, looks like:


    2.2. Decrypt text
    The decrypted text looks like:


    3. Encrypt and Decrypt text (Method B)

    The following functions are used:
    openssl_public_encrypt()
    openssl_private_decrypt()
    Both functions are not intended for general encryption and decryption.
    For that, you must use openssl_seal() and openssl_open().
    A maximum limit on the size of the string to be encrypted is 117 characters.
    3.1. Encrypt text
    The following text will be encrypted:


    The encrypted text looks like:


    3.2. Decrypt text
    The decrypted text looks like:


    4. Encrypt and Decrypt text (Method C)

    The following functions are used:
    openssl_private_encrypt()
    openssl_public_decrypt()
    Both functions are not intended for general encryption and decryption.
    For that, you must use openssl_seal() and openssl_open().
    A maximum limit on the size of the string to be encrypted is 117 characters.
    4.1. Encrypt text
    The following text will be encrypted:


    The encrypted text looks like:


    4.2. Decrypt text
    The decrypted text looks like:


    5. Signature

    5.1. Create signature
    The following text will be signed:


    The signature looks like:


    5.2. Verify signature
    Signature is good.

    6. Miscellaneous

    6.1. Check if private key match the certificate
    Private key does match the certificate.
    6.2. Check if a certificate can be used for a particular purpose
    Certificate can not be used for purpose: 0
    Certificate can not be used for purpose: 1
    Certificate can not be used for purpose: 2
    Certificate can not be used for purpose: 3
    Certificate can not be used for purpose: 4
    Certificate can not be used for purpose: 5
    Certificate can not be used for purpose: 6
    6.3. Display certificate information
    [name]
    /C=NL/ST=Noord-Holland/L=Zaandam/O=Mobilefish.com/OU=Certification Services/CN=Mobilefish.com CA/emailAddress=
    [subject]
    [countryName]
    NL
    [stateOrProvinceName]
    Noord-Holland
    [localityName]
    Zaandam
    [organizationName]
    Mobilefish.com
    [organizationalUnitName]
    Certification Services
    [commonName]
    Mobilefish.com CA
    [emailAddress]

    [hash]
    2ee7b5d7
    [issuer]
    [countryName]
    NL
    [stateOrProvinceName]
    Noord-Holland
    [localityName]
    Zaandam
    [organizationName]
    Mobilefish.com
    [organizationalUnitName]
    Certification Services
    [commonName]
    Mobilefish.com CA
    [emailAddress]

    [version]
    2
    [serialNumber]
    0
    [validFrom]
    070607173553Z
    [validTo]
    080606173553Z
    [validFrom_time_t]
    1181237753
    [validTo_time_t]
    1212773753
    [purposes]
    [1]
    0 - 1
    1 -
    2 - SSL client
    [2]
    0 - 1
    1 -
    2 - SSL server
    [3]
    0 - 1
    1 -
    2 - Netscape SSL server
    [4]
    0 - 1
    1 -
    2 - S/MIME signing
    [5]
    0 - 1
    1 -
    2 - S/MIME encryption
    [6]
    0 - 1
    1 -
    2 - CRL signing
    [7]
    0 - 1
    1 - 1
    2 - Any Purpose
    [8]
    0 - 1
    1 -
    2 - OCSP helper
    6.4. Loading a private key
    Load private key:
    Source loaded from =file://C:/mobilefish_web/customer/tmp/openssl/privatekey_18G1E.pem
    Private key loaded

    6.5. Loading a certificate
    Load certificate:
    Certificate loaded from =file://C:/mobilefish_web/customer/tmp/openssl/certificate_18G1E.pem
    Certificate loaded



    Note 1: See line 502
    In this situation OPEN_SSL_CONF_PATH is not used.
    If you change it to new OpenSSL(1), OPEN_SSL_CONF_PATH is used.

    Note 2: See line 57 - 62
    Configuration overrides:

    configargs key   | type    | openssl.conf equivalent | description
    digest_alg       | string  | default_md              | Selects which digest method to use. Possible values include md5, sha1 and mdc2.
    encrypt_key      | boolean | encrypt_key             | Should an exported key (with passphrase) be encrypted?
    private_key_bits | integer | default_bits            | Specifies how many bits should be used to generate a private key. Default value: 512. Usually set at: 1024 or 2048.
    private_key_type | integer | none                    | Specifies the type of private key to create. This can be one of OPENSSL_KEYTYPE_DSA, OPENSSL_KEYTYPE_DH or OPENSSL_KEYTYPE_RSA. The default value is OPENSSL_KEYTYPE_RSA, which is currently the only supported key type.
    req_extensions   | string  | req_extensions          | Selects which extensions should be used when creating a CSR.
    x509_extensions  | string  | x509_extensions         | Selects which extensions should be used when creating an x509 certificate.


    Note 3: See line 22 - 23
    Specify the location where the created .pem files should be stored. Make this directory writable.
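
The 117-character limit of Method B and the unrestricted size of Method A (openssl_seal) can be reproduced with the short script below. It is an added example, not the page's openssl_demo.php; it assumes PHP 8 with php_openssl loaded, the helper names max_pkcs1_payload and new_rsa_key are hypothetical, and the sample text is constructed. The 1024-bit key is used only because 117 bytes is the PKCS#1 v1.5 limit for that key size (128 bytes minus 11 bytes of padding).

```php
<?php
// Added example, not the page's openssl_demo.php. Assumes PHP 8 with php_openssl loaded.

// Largest input openssl_public_encrypt() accepts with its default PKCS#1 v1.5
// padding: the RSA modulus size in bytes minus 11 bytes of padding overhead.
function max_pkcs1_payload($key): int
{
    $details = openssl_pkey_get_details($key);
    return intdiv($details['bits'], 8) - 11;
}

// Hypothetical helper: creates an RSA key using the configargs from Note 2.
function new_rsa_key(int $bits)
{
    $key = openssl_pkey_new([
        'private_key_bits' => $bits,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        // 'config' => 'C:\\Tools\\OpenSSL\\bin\\openssl.cnf', // if OPENSSL_CONF is unset
    ]);
    if ($key === false) {
        throw new RuntimeException('Key generation failed: ' . openssl_error_string());
    }
    return $key;
}

$key    = new_rsa_key(1024);                      // key size that yields the page's 117-byte limit
$public = openssl_pkey_get_details($key)['key'];  // public key in PEM form
$limit  = max_pkcs1_payload($key);

// Method B: a string of exactly $limit bytes fits, one byte more is rejected.
$fits    = openssl_public_encrypt(str_repeat('A', $limit), $out, $public);
$tooLong = openssl_public_encrypt(str_repeat('A', $limit + 1), $out, $public);
printf("limit=%d fits=%s over=%s\n", $limit, var_export($fits, true), var_export($tooLong, true));

// Method A: openssl_seal() encrypts the text with a random symmetric key and
// RSA-encrypts only that key (the envelope key), so the text size is not limited.
// aes-256-cbc gives confidentiality only; sign the sealed data with
// openssl_sign() if integrity matters.
$text = str_repeat('constructed sample text ', 100);
if (openssl_seal($text, $sealed, $envKeys, [$public], 'aes-256-cbc', $iv) === false) {
    throw new RuntimeException('Seal failed: ' . openssl_error_string());
}

// The recipient needs the sealed data, the envelope key and the IV.
if (!openssl_open($sealed, $opened, $envKeys[0], $key, 'aes-256-cbc', $iv)) {
    throw new RuntimeException('Open failed: ' . openssl_error_string());
}
printf("sealed %d bytes, round trip ok: %s\n", strlen($text), var_export($opened === $text, true));
```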