php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #48632 OpenSSL extension should support AES
Submitted: 2009-06-21 21:11 UTC Modified: 2010-06-21 10:47 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: yonas dot y at gmail dot com Assigned: pajoye (profile)
Status: Closed Package: OpenSSL related
PHP Version: 6* OS: Ubuntu Jaunty
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: yonas dot y at gmail dot com
New email:
PHP Version: OS:

 

 [2009-06-21 21:11 UTC] yonas dot y at gmail dot com 
Description:
------------
I'd like to export an AES encrypted private key using openssl_pkey_export. The OpenSSL command-line supports AES, so this shouldn't be hard to implement:

yonas@yonas-laptop:/usr/share/php/ZendFramework/library/Zend$ openssl list-cipher-commands
aes-128-cbc
aes-128-ecb
aes-192-cbc
aes-192-ecb
aes-256-cbc
aes-256-ecb

Thanks for your help!!

Cheers,
Yonas

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-06-22 12:20 UTC] yonas dot y at gmail dot com 
This patch allows users to encrypt their private key using the following ciphers:

    PHP_OPENSSL_CIPHER_RC2_40,
    PHP_OPENSSL_CIPHER_RC2_128,
    PHP_OPENSSL_CIPHER_RC2_64,
    PHP_OPENSSL_CIPHER_DES,
    PHP_OPENSSL_CIPHER_3DES,
    PHP_OPENSSL_CIPHER_AES_128_CBC,
    PHP_OPENSSL_CIPHER_AES_192_CBC,
    PHP_OPENSSL_CIPHER_AES_256_CBC

Example:

<?php
// Create the keypair
$res=openssl_pkey_new();

$configargs = array(
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'encrypt_key' => true,
    'encrypt_key_cipher' => OPENSSL_CIPHER_AES_256_CBC
    );

// Get private key
openssl_pkey_export($res, $privkey, "PassPhrase number 1", $configargs);

var_dump( $privkey );
?>


--- ext/openssl/openssl.c.orig	2009-06-22 06:39:35.000000000 -0400
+++ ext/openssl/openssl.c	2009-06-22 08:13:39.000000000 -0400
@@ -83,6 +83,9 @@
 	PHP_OPENSSL_CIPHER_RC2_64,
 	PHP_OPENSSL_CIPHER_DES,
 	PHP_OPENSSL_CIPHER_3DES,
+	PHP_OPENSSL_CIPHER_AES_128_CBC,
+	PHP_OPENSSL_CIPHER_AES_192_CBC,
+	PHP_OPENSSL_CIPHER_AES_256_CBC,
 
 	PHP_OPENSSL_CIPHER_DEFAULT = PHP_OPENSSL_CIPHER_RC2_40
 };
@@ -517,6 +520,7 @@
 	int priv_key_encrypt;
 
 	EVP_PKEY * priv_key;
+    const EVP_CIPHER * priv_key_encrypt_cipher;
 };
 /* }}} */
 
@@ -743,6 +747,9 @@
 	else \
 		varname = defval
 
+
+static const EVP_CIPHER * php_openssl_get_evp_cipher_from_algo(long algo);
+
 static int php_openssl_parse_config(struct php_x509_request * req, zval * optional_args TSRMLS_DC) /* {{{ */
 {
 	char * str;
@@ -794,6 +801,19 @@
 		}
 	}
 	
+	if (req->priv_key_encrypt && optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), "encrypt_key_cipher", sizeof("encrypt_key_cipher"), (void**)&item) == SUCCESS) {
+        long cipher_algo = Z_LVAL_PP(item);
+        const EVP_CIPHER* cipher = php_openssl_get_evp_cipher_from_algo(cipher_algo);
+        if (cipher == NULL) {
+            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown cipher algorithm for private key.");
+            return FAILURE;
+        } else  {
+            req->priv_key_encrypt_cipher = cipher;
+        }
+    } else {
+        req->priv_key_encrypt_cipher = NULL;
+    }
+	
 	/* digest alg */
 	if (req->digest_name == NULL) {
 		req->digest_name = CONF_get_string(req->req_config, req->section_name, "default_md");
@@ -940,6 +960,17 @@
 			return EVP_des_ede3_cbc();
 			break;
 #endif
+#ifndef OPENSSL_NO_AES
+		case PHP_OPENSSL_CIPHER_AES_128_CBC:
+            return EVP_aes_128_cbc();
+            break;
+		case PHP_OPENSSL_CIPHER_AES_192_CBC:
+            return EVP_aes_192_cbc();
+            break;
+		case PHP_OPENSSL_CIPHER_AES_256_CBC:
+            return EVP_aes_256_cbc();
+            break;
+#endif
 		default:
 			return NULL;
 			break;
@@ -1017,6 +1048,11 @@
 	REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_DES", PHP_OPENSSL_CIPHER_DES, CONST_CS|CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_3DES", PHP_OPENSSL_CIPHER_3DES, CONST_CS|CONST_PERSISTENT);
 #endif
+#ifndef OPENSSL_NO_AES
+	REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_AES_128_CBC", PHP_OPENSSL_CIPHER_AES_128_CBC, CONST_CS|CONST_PERSISTENT);
+	REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_AES_192_CBC", PHP_OPENSSL_CIPHER_AES_192_CBC, CONST_CS|CONST_PERSISTENT);
+	REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_AES_256_CBC", PHP_OPENSSL_CIPHER_AES_256_CBC, CONST_CS|CONST_PERSISTENT);
+#endif
 
 	/* Values for key types */
 	REGISTER_LONG_CONSTANT("OPENSSL_KEYTYPE_RSA", OPENSSL_KEYTYPE_RSA, CONST_CS|CONST_PERSISTENT);
@@ -2984,7 +3020,11 @@
 		bio_out = BIO_new_file(filename, "w");
 
 		if (passphrase && req.priv_key_encrypt) {
+            if (req.priv_key_encrypt_cipher) {
+                cipher = req.priv_key_encrypt_cipher;
+            } else {
 			cipher = (EVP_CIPHER *) EVP_des_ede3_cbc();
+            }
 		} else {
 			cipher = NULL;
 		}
@@ -3035,7 +3076,11 @@
 		bio_out = BIO_new(BIO_s_mem());
 
 		if (passphrase && req.priv_key_encrypt) {
+            if (req.priv_key_encrypt_cipher) {
+                cipher = req.priv_key_encrypt_cipher;
+            } else {
 			cipher = (EVP_CIPHER *) EVP_des_ede3_cbc();
+            }
 		} else {
 			cipher = NULL;
 		}
 [2009-06-22 12:32 UTC] pajoye@php.net 
Will test and apply to HEAD this week. 5.3.0 is in commit freeze and about to be released.
 [2009-06-22 12:45 UTC] yonas dot y at gmail dot com 
Thanks! :) 

Hmmm, seeing how this is a small patch, could we sneak it into 5.3.0? :)
 [2009-06-22 12:49 UTC] pajoye@php.net 
Not a single chance to get it in 5.3.0 :)
 [2009-10-30 05:29 UTC] yonas dot y at gmail dot com 
Can you please commit this patch, thanks!


Cheers,
Yonas
 [2010-06-20 17:02 UTC] pajoye@php.net
-Status: Assigned +Status: Closed -Package: Feature/Change Request +Package: *General Issues
 [2010-06-20 17:02 UTC] pajoye@php.net 
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
 [2010-06-20 17:03 UTC] pajoye@php.net
-Status: Closed +Status: Assigned
 [2010-06-21 10:29 UTC] pajoye@php.net
-Package: *General Issues +Package: OpenSSL related
 [2010-06-21 10:47 UTC] pajoye@php.net 
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=300629
Log: - #48632, ssl AES support
 [2010-06-21 10:47 UTC] pajoye@php.net
-Status: Assigned +Status: Closed
 [2010-06-21 10:47 UTC] pajoye@php.net 
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 12:01:29 2024 UTC