php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #48632 OpenSSL extension should support AES
Submitted: 2009-06-21 21:11 UTC Modified: 2010-06-21 10:47 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: yonas dot y at gmail dot com Assigned: pajoye
Status: Closed Package: OpenSSL related
PHP Version: 6* OS: Ubuntu Jaunty
Private report: No CVE-ID:
 [2009-06-21 21:11 UTC] yonas dot y at gmail dot com
Description:
------------
I'd like to export an AES encrypted private key using openssl_pkey_export. The OpenSSL command-line supports AES, so this shouldn't be hard to implement:

yonas@yonas-laptop:/usr/share/php/ZendFramework/library/Zend$ openssl list-cipher-commands
aes-128-cbc
aes-128-ecb
aes-192-cbc
aes-192-ecb
aes-256-cbc
aes-256-ecb

Thanks for your help!!

Cheers,
Yonas


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-06-22 12:20 UTC] yonas dot y at gmail dot com
This patch allows users to encrypt their private key using the following ciphers:

    PHP_OPENSSL_CIPHER_RC2_40,
    PHP_OPENSSL_CIPHER_RC2_128,
    PHP_OPENSSL_CIPHER_RC2_64,
    PHP_OPENSSL_CIPHER_DES,
    PHP_OPENSSL_CIPHER_3DES,
    PHP_OPENSSL_CIPHER_AES_128_CBC,
    PHP_OPENSSL_CIPHER_AES_192_CBC,
    PHP_OPENSSL_CIPHER_AES_256_CBC

Example:

<?php
// Create the keypair
$res=openssl_pkey_new();

$configargs = array(
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'encrypt_key' => true,
    'encrypt_key_cipher' => OPENSSL_CIPHER_AES_256_CBC
    );

// Get private key
openssl_pkey_export($res, $privkey, "PassPhrase number 1", $configargs);

var_dump( $privkey );
?>


--- ext/openssl/openssl.c.orig	2009-06-22 06:39:35.000000000 -0400
+++ ext/openssl/openssl.c	2009-06-22 08:13:39.000000000 -0400
@@ -83,6 +83,9 @@
 	PHP_OPENSSL_CIPHER_RC2_64,
 	PHP_OPENSSL_CIPHER_DES,
 	PHP_OPENSSL_CIPHER_3DES,
+	PHP_OPENSSL_CIPHER_AES_128_CBC,
+	PHP_OPENSSL_CIPHER_AES_192_CBC,
+	PHP_OPENSSL_CIPHER_AES_256_CBC,
 
 	PHP_OPENSSL_CIPHER_DEFAULT = PHP_OPENSSL_CIPHER_RC2_40
 };
@@ -517,6 +520,7 @@
 	int priv_key_encrypt;
 
 	EVP_PKEY * priv_key;
+    const EVP_CIPHER * priv_key_encrypt_cipher;
 };
 /* }}} */
 
@@ -743,6 +747,9 @@
 	else \
 		varname = defval
 
+
+static const EVP_CIPHER * php_openssl_get_evp_cipher_from_algo(long algo);
+
 static int php_openssl_parse_config(struct php_x509_request * req, zval * optional_args TSRMLS_DC) /* {{{ */
 {
 	char * str;
@@ -794,6 +801,19 @@
 		}
 	}
 	
+	if (req->priv_key_encrypt && optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), "encrypt_key_cipher", sizeof("encrypt_key_cipher"), (void**)&item) == SUCCESS) {
+        long cipher_algo = Z_LVAL_PP(item);
+        const EVP_CIPHER* cipher = php_openssl_get_evp_cipher_from_algo(cipher_algo);
+        if (cipher == NULL) {
+            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown cipher algorithm for private key.");
+            return FAILURE;
+        } else  {
+            req->priv_key_encrypt_cipher = cipher;
+        }
+    } else {
+        req->priv_key_encrypt_cipher = NULL;
+    }
+	
 	/* digest alg */
 	if (req->digest_name == NULL) {
 		req->digest_name = CONF_get_string(req->req_config, req->section_name, "default_md");
@@ -940,6 +960,17 @@
 			return EVP_des_ede3_cbc();
 			break;
 #endif
+#ifndef OPENSSL_NO_AES
+		case PHP_OPENSSL_CIPHER_AES_128_CBC:
+            return EVP_aes_128_cbc();
+            break;
+		case PHP_OPENSSL_CIPHER_AES_192_CBC:
+            return EVP_aes_192_cbc();
+            break;
+		case PHP_OPENSSL_CIPHER_AES_256_CBC:
+            return EVP_aes_256_cbc();
+            break;
+#endif
 		default:
 			return NULL;
 			break;
@@ -1017,6 +1048,11 @@
 	REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_DES", PHP_OPENSSL_CIPHER_DES, CONST_CS|CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_3DES", PHP_OPENSSL_CIPHER_3DES, CONST_CS|CONST_PERSISTENT);
 #endif
+#ifndef OPENSSL_NO_AES
+	REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_AES_128_CBC", PHP_OPENSSL_CIPHER_AES_128_CBC, CONST_CS|CONST_PERSISTENT);
+	REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_AES_192_CBC", PHP_OPENSSL_CIPHER_AES_192_CBC, CONST_CS|CONST_PERSISTENT);
+	REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_AES_256_CBC", PHP_OPENSSL_CIPHER_AES_256_CBC, CONST_CS|CONST_PERSISTENT);
+#endif
 
 	/* Values for key types */
 	REGISTER_LONG_CONSTANT("OPENSSL_KEYTYPE_RSA", OPENSSL_KEYTYPE_RSA, CONST_CS|CONST_PERSISTENT);
@@ -2984,7 +3020,11 @@
 		bio_out = BIO_new_file(filename, "w");
 
 		if (passphrase && req.priv_key_encrypt) {
+            if (req.priv_key_encrypt_cipher) {
+                cipher = req.priv_key_encrypt_cipher;
+            } else {
 			cipher = (EVP_CIPHER *) EVP_des_ede3_cbc();
+            }
 		} else {
 			cipher = NULL;
 		}
@@ -3035,7 +3076,11 @@
 		bio_out = BIO_new(BIO_s_mem());
 
 		if (passphrase && req.priv_key_encrypt) {
+            if (req.priv_key_encrypt_cipher) {
+                cipher = req.priv_key_encrypt_cipher;
+            } else {
 			cipher = (EVP_CIPHER *) EVP_des_ede3_cbc();
+            }
 		} else {
 			cipher = NULL;
 		}
 [2009-06-22 12:32 UTC] pajoye@php.net
Will test and apply to HEAD this week. 5.3.0 is in commit freeze and about to be released.
 [2009-06-22 12:45 UTC] yonas dot y at gmail dot com
Thanks! :) 

Hmmm, seeing how this is a small patch, could we sneak it into 5.3.0? :)
 [2009-06-22 12:49 UTC] pajoye@php.net
Not a single chance to get it in 5.3.0 :)
 [2009-10-30 05:29 UTC] yonas dot y at gmail dot com
Can you please commit this patch, thanks!


Cheers,
Yonas
 [2010-06-20 17:02 UTC] pajoye@php.net
-Status: Assigned +Status: Closed -Package: Feature/Change Request +Package: *General Issues
 [2010-06-20 17:02 UTC] pajoye@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2010-06-20 17:03 UTC] pajoye@php.net
-Status: Closed +Status: Assigned
 [2010-06-21 10:29 UTC] pajoye@php.net
-Package: *General Issues +Package: OpenSSL related
 [2010-06-21 10:47 UTC] pajoye@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=300629
Log: - #48632, ssl AES support
 [2010-06-21 10:47 UTC] pajoye@php.net
-Status: Assigned +Status: Closed
 [2010-06-21 10:47 UTC] pajoye@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 09:02:28 2014 UTC