1<?php 2 3namespace Safe; 4 5use Safe\Exceptions\OpensslException; 6 7/** 8 * Gets the cipher initialization vector (iv) length. 9 * 10 * @param string $method The cipher method, see openssl_get_cipher_methods for a list of potential values. 11 * @return int Returns the cipher length on success. 12 * @throws OpensslException 13 * 14 */ 15function openssl_cipher_iv_length(string $method): int 16{ 17 error_clear_last(); 18 $result = \openssl_cipher_iv_length($method); 19 if ($result === false) { 20 throw OpensslException::createFromPhpError(); 21 } 22 return $result; 23} 24 25 26/** 27 * openssl_csr_export_to_file takes the Certificate 28 * Signing Request represented by csr and saves it 29 * in PEM format into the file named by outfilename. 30 * 31 * @param string|resource $csr See CSR parameters for a list of valid values. 32 * @param string $outfilename Path to the output file. 33 * @param bool $notext 34 * The optional parameter notext affects 35 * the verbosity of the output; if it is FALSE, then additional human-readable 36 * information is included in the output. The default value of 37 * notext is TRUE. 38 * @throws OpensslException 39 * 40 */ 41function openssl_csr_export_to_file($csr, string $outfilename, bool $notext = true): void 42{ 43 error_clear_last(); 44 $result = \openssl_csr_export_to_file($csr, $outfilename, $notext); 45 if ($result === false) { 46 throw OpensslException::createFromPhpError(); 47 } 48} 49 50 51/** 52 * openssl_csr_export takes the Certificate Signing 53 * Request represented by csr and stores it in 54 * PEM format in out, which is passed by 55 * reference. 56 * 57 * @param string|resource $csr See CSR parameters for a list of valid values. 58 * @param string|null $out on success, this string will contain the PEM encoded CSR 59 * @param bool $notext 60 * The optional parameter notext affects 61 * the verbosity of the output; if it is FALSE, then additional human-readable 62 * information is included in the output. The default value of 63 * notext is TRUE. 64 * @throws OpensslException 65 * 66 */ 67function openssl_csr_export($csr, ?string &$out, bool $notext = true): void 68{ 69 error_clear_last(); 70 $result = \openssl_csr_export($csr, $out, $notext); 71 if ($result === false) { 72 throw OpensslException::createFromPhpError(); 73 } 74} 75 76 77/** 78 * openssl_csr_get_subject returns subject 79 * distinguished name information encoded in the csr 80 * including fields commonName (CN), organizationName (O), countryName (C) etc. 81 * 82 * @param string|resource $csr See CSR parameters for a list of valid values. 83 * @param bool $use_shortnames shortnames controls how the data is indexed in the 84 * array - if shortnames is TRUE (the default) then 85 * fields will be indexed with the short name form, otherwise, the long name 86 * form will be used - e.g.: CN is the shortname form of commonName. 87 * @return array Returns an associative array with subject description. 88 * @throws OpensslException 89 * 90 */ 91function openssl_csr_get_subject($csr, bool $use_shortnames = true): array 92{ 93 error_clear_last(); 94 $result = \openssl_csr_get_subject($csr, $use_shortnames); 95 if ($result === false) { 96 throw OpensslException::createFromPhpError(); 97 } 98 return $result; 99} 100 101 102/** 103 * openssl_csr_new generates a new CSR (Certificate Signing Request) 104 * based on the information provided by dn. 105 * 106 * @param array $dn The Distinguished Name or subject fields to be used in the certificate. 107 * @param resource $privkey privkey should be set to a private key that was 108 * previously generated by openssl_pkey_new (or 109 * otherwise obtained from the other openssl_pkey family of functions). 110 * The corresponding public portion of the key will be used to sign the 111 * CSR. 112 * @param array $configargs By default, the information in your system openssl.conf 113 * is used to initialize the request; you can specify a configuration file 114 * section by setting the config_section_section key of 115 * configargs. You can also specify an alternative 116 * openssl configuration file by setting the value of the 117 * config key to the path of the file you want to use. 118 * The following keys, if present in configargs 119 * behave as their equivalents in the openssl.conf, as 120 * listed in the table below. 121 * 122 * Configuration overrides 123 * 124 * 125 * 126 * configargs key 127 * type 128 * openssl.conf equivalent 129 * description 130 * 131 * 132 * 133 * 134 * digest_alg 135 * string 136 * default_md 137 * Digest method or signature hash, usually one of openssl_get_md_methods 138 * 139 * 140 * x509_extensions 141 * string 142 * x509_extensions 143 * Selects which extensions should be used when creating an x509 144 * certificate 145 * 146 * 147 * req_extensions 148 * string 149 * req_extensions 150 * Selects which extensions should be used when creating a CSR 151 * 152 * 153 * private_key_bits 154 * integer 155 * default_bits 156 * Specifies how many bits should be used to generate a private 157 * key 158 * 159 * 160 * private_key_type 161 * integer 162 * none 163 * Specifies the type of private key to create. This can be one 164 * of OPENSSL_KEYTYPE_DSA, 165 * OPENSSL_KEYTYPE_DH, 166 * OPENSSL_KEYTYPE_RSA or 167 * OPENSSL_KEYTYPE_EC. 168 * The default value is OPENSSL_KEYTYPE_RSA. 169 * 170 * 171 * 172 * encrypt_key 173 * boolean 174 * encrypt_key 175 * Should an exported key (with passphrase) be encrypted? 176 * 177 * 178 * encrypt_key_cipher 179 * integer 180 * none 181 * 182 * One of cipher constants. 183 * 184 * 185 * 186 * curve_name 187 * string 188 * none 189 * 190 * One of openssl_get_curve_names. 191 * 192 * 193 * 194 * config 195 * string 196 * N/A 197 * 198 * Path to your own alternative openssl.conf file. 199 * 200 * 201 * 202 * 203 * 204 * @param array $extraattribs extraattribs is used to specify additional 205 * configuration options for the CSR. Both dn and 206 * extraattribs are associative arrays whose keys are 207 * converted to OIDs and applied to the relevant part of the request. 208 * @return resource Returns the CSR. 209 * @throws OpensslException 210 * 211 */ 212function openssl_csr_new(array $dn, &$privkey, array $configargs = null, array $extraattribs = null) 213{ 214 error_clear_last(); 215 if ($extraattribs !== null) { 216 $result = \openssl_csr_new($dn, $privkey, $configargs, $extraattribs); 217 } elseif ($configargs !== null) { 218 $result = \openssl_csr_new($dn, $privkey, $configargs); 219 } else { 220 $result = \openssl_csr_new($dn, $privkey); 221 } 222 if ($result === false) { 223 throw OpensslException::createFromPhpError(); 224 } 225 return $result; 226} 227 228 229/** 230 * openssl_csr_sign generates an x509 certificate 231 * resource from the given CSR. 232 * 233 * @param string|resource $csr A CSR previously generated by openssl_csr_new. 234 * It can also be the path to a PEM encoded CSR when specified as 235 * file://path/to/csr or an exported string generated 236 * by openssl_csr_export. 237 * @param mixed $cacert The generated certificate will be signed by cacert. 238 * If cacert is NULL, the generated certificate 239 * will be a self-signed certificate. 240 * @param string|resource|array $priv_key priv_key is the private key that corresponds to 241 * cacert. 242 * @param int $days days specifies the length of time for which the 243 * generated certificate will be valid, in days. 244 * @param array $configargs You can finetune the CSR signing by configargs. 245 * See openssl_csr_new for more information about 246 * configargs. 247 * @param int $serial An optional the serial number of issued certificate. If not specified 248 * it will default to 0. 249 * @return resource Returns an x509 certificate resource on success, FALSE on failure. 250 * @throws OpensslException 251 * 252 */ 253function openssl_csr_sign($csr, $cacert, $priv_key, int $days, array $configargs = null, int $serial = 0) 254{ 255 error_clear_last(); 256 if ($serial !== 0) { 257 $result = \openssl_csr_sign($csr, $cacert, $priv_key, $days, $configargs, $serial); 258 } elseif ($configargs !== null) { 259 $result = \openssl_csr_sign($csr, $cacert, $priv_key, $days, $configargs); 260 } else { 261 $result = \openssl_csr_sign($csr, $cacert, $priv_key, $days); 262 } 263 if ($result === false) { 264 throw OpensslException::createFromPhpError(); 265 } 266 return $result; 267} 268 269 270/** 271 * Takes a raw or base64 encoded string and decrypts it using a given method and key. 272 * 273 * @param string $data The encrypted message to be decrypted. 274 * @param string $method The cipher method. For a list of available cipher methods, use 275 * openssl_get_cipher_methods. 276 * @param string $key The key. 277 * @param int $options options can be one of 278 * OPENSSL_RAW_DATA, 279 * OPENSSL_ZERO_PADDING. 280 * @param string $iv A non-NULL Initialization Vector. 281 * @param string $tag The authentication tag in AEAD cipher mode. If it is incorrect, the authentication fails and the function returns FALSE. 282 * @param string $aad Additional authentication data. 283 * @return string The decrypted string on success. 284 * @throws OpensslException 285 * 286 */ 287function openssl_decrypt(string $data, string $method, string $key, int $options = 0, string $iv = "", string $tag = "", string $aad = ""): string 288{ 289 error_clear_last(); 290 $result = \openssl_decrypt($data, $method, $key, $options, $iv, $tag, $aad); 291 if ($result === false) { 292 throw OpensslException::createFromPhpError(); 293 } 294 return $result; 295} 296 297 298/** 299 * The shared secret returned by openssl_dh_compute_key is 300 * often used as an encryption key to secretly communicate with a remote party. 301 * This is known as the Diffie-Hellman key exchange. 302 * 303 * @param string $pub_key DH Public key of the remote party. 304 * @param resource $dh_key A local DH private key, corresponding to the public key to be shared with the remote party. 305 * @return string Returns shared secret on success. 306 * @throws OpensslException 307 * 308 */ 309function openssl_dh_compute_key(string $pub_key, $dh_key): string 310{ 311 error_clear_last(); 312 $result = \openssl_dh_compute_key($pub_key, $dh_key); 313 if ($result === false) { 314 throw OpensslException::createFromPhpError(); 315 } 316 return $result; 317} 318 319 320/** 321 * Computes a digest hash value for the given data using a given method, 322 * and returns a raw or binhex encoded string. 323 * 324 * @param string $data The data. 325 * @param string $method The digest method to use, e.g. "sha256", see openssl_get_md_methods for a list of available digest methods. 326 * @param bool $raw_output Setting to TRUE will return as raw output data, otherwise the return 327 * value is binhex encoded. 328 * @return string Returns the digested hash value on success. 329 * @throws OpensslException 330 * 331 */ 332function openssl_digest(string $data, string $method, bool $raw_output = false): string 333{ 334 error_clear_last(); 335 $result = \openssl_digest($data, $method, $raw_output); 336 if ($result === false) { 337 throw OpensslException::createFromPhpError(); 338 } 339 return $result; 340} 341 342 343/** 344 * openssl_open opens (decrypts) 345 * sealed_data using the private key associated with 346 * the key identifier priv_key_id and the envelope key 347 * env_key, and fills 348 * open_data with the decrypted data. 349 * The envelope key is generated when the 350 * data are sealed and can only be used by one specific private key. See 351 * openssl_seal for more information. 352 * 353 * @param string $sealed_data 354 * @param string|null $open_data If the call is successful the opened data is returned in this 355 * parameter. 356 * @param string $env_key 357 * @param string|array|resource $priv_key_id 358 * @param string $method The cipher method. 359 * @param string $iv The initialization vector. 360 * @throws OpensslException 361 * 362 */ 363function openssl_open(string $sealed_data, ?string &$open_data, string $env_key, $priv_key_id, string $method = "RC4", string $iv = null): void 364{ 365 error_clear_last(); 366 if ($iv !== null) { 367 $result = \openssl_open($sealed_data, $open_data, $env_key, $priv_key_id, $method, $iv); 368 } else { 369 $result = \openssl_open($sealed_data, $open_data, $env_key, $priv_key_id, $method); 370 } 371 if ($result === false) { 372 throw OpensslException::createFromPhpError(); 373 } 374} 375 376 377/** 378 * openssl_pbkdf2 computes PBKDF2 (Password-Based Key Derivation Function 2), 379 * a key derivation function defined in PKCS5 v2. 380 * 381 * @param string $password Password from which the derived key is generated. 382 * @param string $salt PBKDF2 recommends a crytographic salt of at least 64 bits (8 bytes). 383 * @param int $key_length Length of desired output key. 384 * @param int $iterations The number of iterations desired. NIST 385 * recommends at least 10,000. 386 * @param string $digest_algorithm Optional hash or digest algorithm from openssl_get_md_methods. Defaults to SHA-1. 387 * @return string Returns raw binary string. 388 * @throws OpensslException 389 * 390 */ 391function openssl_pbkdf2(string $password, string $salt, int $key_length, int $iterations, string $digest_algorithm = "sha1"): string 392{ 393 error_clear_last(); 394 $result = \openssl_pbkdf2($password, $salt, $key_length, $iterations, $digest_algorithm); 395 if ($result === false) { 396 throw OpensslException::createFromPhpError(); 397 } 398 return $result; 399} 400 401 402/** 403 * openssl_pkcs12_export_to_file stores 404 * x509 into a file named by 405 * filename in a PKCS#12 file format. 406 * 407 * @param string|resource $x509 See Key/Certificate parameters for a list of valid values. 408 * @param string $filename Path to the output file. 409 * @param string|array|resource $priv_key Private key component of PKCS#12 file. 410 * See Public/Private Key parameters for a list of valid values. 411 * @param string $pass Encryption password for unlocking the PKCS#12 file. 412 * @param array $args Optional array, other keys will be ignored. 413 * 414 * 415 * 416 * 417 * Key 418 * Description 419 * 420 * 421 * 422 * 423 * "extracerts" 424 * array of extra certificates or a single certificate to be included in the PKCS#12 file. 425 * 426 * 427 * "friendlyname" 428 * string to be used for the supplied certificate and key 429 * 430 * 431 * 432 * 433 * @throws OpensslException 434 * 435 */ 436function openssl_pkcs12_export_to_file($x509, string $filename, $priv_key, string $pass, array $args = null): void 437{ 438 error_clear_last(); 439 if ($args !== null) { 440 $result = \openssl_pkcs12_export_to_file($x509, $filename, $priv_key, $pass, $args); 441 } else { 442 $result = \openssl_pkcs12_export_to_file($x509, $filename, $priv_key, $pass); 443 } 444 if ($result === false) { 445 throw OpensslException::createFromPhpError(); 446 } 447} 448 449 450/** 451 * openssl_pkcs12_export stores 452 * x509 into a string named by 453 * out in a PKCS#12 file format. 454 * 455 * @param string|resource $x509 See Key/Certificate parameters for a list of valid values. 456 * @param string|null $out On success, this will hold the PKCS#12. 457 * @param string|array|resource $priv_key Private key component of PKCS#12 file. 458 * See Public/Private Key parameters for a list of valid values. 459 * @param string $pass Encryption password for unlocking the PKCS#12 file. 460 * @param array $args Optional array, other keys will be ignored. 461 * 462 * 463 * 464 * 465 * Key 466 * Description 467 * 468 * 469 * 470 * 471 * "extracerts" 472 * array of extra certificates or a single certificate to be included in the PKCS#12 file. 473 * 474 * 475 * "friendlyname" 476 * string to be used for the supplied certificate and key 477 * 478 * 479 * 480 * 481 * @throws OpensslException 482 * 483 */ 484function openssl_pkcs12_export($x509, ?string &$out, $priv_key, string $pass, array $args = null): void 485{ 486 error_clear_last(); 487 if ($args !== null) { 488 $result = \openssl_pkcs12_export($x509, $out, $priv_key, $pass, $args); 489 } else { 490 $result = \openssl_pkcs12_export($x509, $out, $priv_key, $pass); 491 } 492 if ($result === false) { 493 throw OpensslException::createFromPhpError(); 494 } 495} 496 497 498/** 499 * openssl_pkcs12_read parses the PKCS#12 certificate store supplied by 500 * pkcs12 into a array named 501 * certs. 502 * 503 * @param string $pkcs12 The certificate store contents, not its file name. 504 * @param array|null $certs On success, this will hold the Certificate Store Data. 505 * @param string $pass Encryption password for unlocking the PKCS#12 file. 506 * @throws OpensslException 507 * 508 */ 509function openssl_pkcs12_read(string $pkcs12, ?array &$certs, string $pass): void 510{ 511 error_clear_last(); 512 $result = \openssl_pkcs12_read($pkcs12, $certs, $pass); 513 if ($result === false) { 514 throw OpensslException::createFromPhpError(); 515 } 516} 517 518 519/** 520 * Decrypts the S/MIME encrypted message contained in the file specified by 521 * infilename using the certificate and its 522 * associated private key specified by recipcert and 523 * recipkey. 524 * 525 * @param string $infilename 526 * @param string $outfilename The decrypted message is written to the file specified by 527 * outfilename. 528 * @param string|resource $recipcert 529 * @param string|resource|array $recipkey 530 * @throws OpensslException 531 * 532 */ 533function openssl_pkcs7_decrypt(string $infilename, string $outfilename, $recipcert, $recipkey = null): void 534{ 535 error_clear_last(); 536 if ($recipkey !== null) { 537 $result = \openssl_pkcs7_decrypt($infilename, $outfilename, $recipcert, $recipkey); 538 } else { 539 $result = \openssl_pkcs7_decrypt($infilename, $outfilename, $recipcert); 540 } 541 if ($result === false) { 542 throw OpensslException::createFromPhpError(); 543 } 544} 545 546 547/** 548 * openssl_pkcs7_encrypt takes the contents of the 549 * file named infile and encrypts them using an RC2 550 * 40-bit cipher so that they can only be read by the intended recipients 551 * specified by recipcerts. 552 * 553 * @param string $infile 554 * @param string $outfile 555 * @param string|resource|array $recipcerts Either a lone X.509 certificate, or an array of X.509 certificates. 556 * @param array $headers headers is an array of headers that 557 * will be prepended to the data after it has been encrypted. 558 * 559 * headers can be either an associative array 560 * keyed by header name, or an indexed array, where each element contains 561 * a single header line. 562 * @param int $flags flags can be used to specify options that affect 563 * the encoding process - see PKCS7 564 * constants. 565 * @param int $cipherid One of cipher constants. 566 * @throws OpensslException 567 * 568 */ 569function openssl_pkcs7_encrypt(string $infile, string $outfile, $recipcerts, array $headers, int $flags = 0, int $cipherid = OPENSSL_CIPHER_RC2_40): void 570{ 571 error_clear_last(); 572 $result = \openssl_pkcs7_encrypt($infile, $outfile, $recipcerts, $headers, $flags, $cipherid); 573 if ($result === false) { 574 throw OpensslException::createFromPhpError(); 575 } 576} 577 578 579/** 580 * 581 * 582 * @param string $infilename 583 * @param array|null $certs 584 * @throws OpensslException 585 * 586 */ 587function openssl_pkcs7_read(string $infilename, ?array &$certs): void 588{ 589 error_clear_last(); 590 $result = \openssl_pkcs7_read($infilename, $certs); 591 if ($result === false) { 592 throw OpensslException::createFromPhpError(); 593 } 594} 595 596 597/** 598 * openssl_pkcs7_sign takes the contents of the file 599 * named infilename and signs them using the 600 * certificate and its matching private key specified by 601 * signcert and privkey 602 * parameters. 603 * 604 * @param string $infilename The input file you are intending to digitally sign. 605 * @param string $outfilename The file which the digital signature will be written to. 606 * @param string|resource $signcert The X.509 certificate used to digitally sign infilename. 607 * See Key/Certificate parameters for a list of valid values. 608 * @param string|resource|array $privkey privkey is the private key corresponding to signcert. 609 * See Public/Private Key parameters for a list of valid values. 610 * @param array $headers headers is an array of headers that 611 * will be prepended to the data after it has been signed (see 612 * openssl_pkcs7_encrypt for more information about 613 * the format of this parameter). 614 * @param int $flags flags can be used to alter the output - see PKCS7 constants. 615 * @param string $extracerts extracerts specifies the name of a file containing 616 * a bunch of extra certificates to include in the signature which can for 617 * example be used to help the recipient to verify the certificate that you used. 618 * @throws OpensslException 619 * 620 */ 621function openssl_pkcs7_sign(string $infilename, string $outfilename, $signcert, $privkey, array $headers, int $flags = PKCS7_DETACHED, string $extracerts = null): void 622{ 623 error_clear_last(); 624 if ($extracerts !== null) { 625 $result = \openssl_pkcs7_sign($infilename, $outfilename, $signcert, $privkey, $headers, $flags, $extracerts); 626 } else { 627 $result = \openssl_pkcs7_sign($infilename, $outfilename, $signcert, $privkey, $headers, $flags); 628 } 629 if ($result === false) { 630 throw OpensslException::createFromPhpError(); 631 } 632} 633 634 635/** 636 * openssl_pkey_export_to_file saves an ascii-armoured 637 * (PEM encoded) rendition of key into the file named 638 * by outfilename. 639 * 640 * @param resource|string|array $key 641 * @param string $outfilename Path to the output file. 642 * @param string $passphrase The key can be optionally protected by a 643 * passphrase. 644 * @param array $configargs configargs can be used to fine-tune the export 645 * process by specifying and/or overriding options for the openssl 646 * configuration file. See openssl_csr_new for more 647 * information about configargs. 648 * @throws OpensslException 649 * 650 */ 651function openssl_pkey_export_to_file($key, string $outfilename, string $passphrase = null, array $configargs = null): void 652{ 653 error_clear_last(); 654 if ($configargs !== null) { 655 $result = \openssl_pkey_export_to_file($key, $outfilename, $passphrase, $configargs); 656 } elseif ($passphrase !== null) { 657 $result = \openssl_pkey_export_to_file($key, $outfilename, $passphrase); 658 } else { 659 $result = \openssl_pkey_export_to_file($key, $outfilename); 660 } 661 if ($result === false) { 662 throw OpensslException::createFromPhpError(); 663 } 664} 665 666 667/** 668 * openssl_pkey_export exports 669 * key as a PEM encoded string and stores it into 670 * out (which is passed by reference). 671 * 672 * @param resource $key 673 * @param string|null $out 674 * @param string $passphrase The key is optionally protected by passphrase. 675 * @param array $configargs configargs can be used to fine-tune the export 676 * process by specifying and/or overriding options for the openssl 677 * configuration file. See openssl_csr_new for more 678 * information about configargs. 679 * @throws OpensslException 680 * 681 */ 682function openssl_pkey_export($key, ?string &$out, string $passphrase = null, array $configargs = null): void 683{ 684 error_clear_last(); 685 if ($configargs !== null) { 686 $result = \openssl_pkey_export($key, $out, $passphrase, $configargs); 687 } elseif ($passphrase !== null) { 688 $result = \openssl_pkey_export($key, $out, $passphrase); 689 } else { 690 $result = \openssl_pkey_export($key, $out); 691 } 692 if ($result === false) { 693 throw OpensslException::createFromPhpError(); 694 } 695} 696 697 698/** 699 * openssl_pkey_get_private parses 700 * key and prepares it for use by other functions. 701 * 702 * @param string $key key can be one of the following: 703 * 704 * a string having the format 705 * file://path/to/file.pem. The named file must 706 * contain a PEM encoded certificate/private key (it may contain both). 707 * 708 * 709 * A PEM formatted private key. 710 * 711 * @param string $passphrase The optional parameter passphrase must be used 712 * if the specified key is encrypted (protected by a passphrase). 713 * @return resource Returns a positive key resource identifier on success. 714 * @throws OpensslException 715 * 716 */ 717function openssl_pkey_get_private(string $key, string $passphrase = "") 718{ 719 error_clear_last(); 720 $result = \openssl_pkey_get_private($key, $passphrase); 721 if ($result === false) { 722 throw OpensslException::createFromPhpError(); 723 } 724 return $result; 725} 726 727 728/** 729 * openssl_pkey_get_public extracts the public key from 730 * certificate and prepares it for use by other 731 * functions. 732 * 733 * @param resource|string $certificate certificate can be one of the following: 734 * 735 * an X.509 certificate resource 736 * a string having the format 737 * file://path/to/file.pem. The named file must 738 * contain a PEM encoded certificate/public key (it may contain both). 739 * 740 * 741 * A PEM formatted public key. 742 * 743 * @return resource Returns a positive key resource identifier on success. 744 * @throws OpensslException 745 * 746 */ 747function openssl_pkey_get_public($certificate) 748{ 749 error_clear_last(); 750 $result = \openssl_pkey_get_public($certificate); 751 if ($result === false) { 752 throw OpensslException::createFromPhpError(); 753 } 754 return $result; 755} 756 757 758/** 759 * openssl_pkey_new generates a new private and public 760 * key pair. The public component of the key can be obtained using 761 * openssl_pkey_get_public. 762 * 763 * @param array $configargs You can finetune the key generation (such as specifying the number of 764 * bits) using configargs. See 765 * openssl_csr_new for more information about 766 * configargs. 767 * @return resource Returns a resource identifier for the pkey on success. 768 * @throws OpensslException 769 * 770 */ 771function openssl_pkey_new(array $configargs = null) 772{ 773 error_clear_last(); 774 if ($configargs !== null) { 775 $result = \openssl_pkey_new($configargs); 776 } else { 777 $result = \openssl_pkey_new(); 778 } 779 if ($result === false) { 780 throw OpensslException::createFromPhpError(); 781 } 782 return $result; 783} 784 785 786/** 787 * openssl_private_decrypt decrypts 788 * data that was previously encrypted via 789 * openssl_public_encrypt and stores the result into 790 * decrypted. 791 * 792 * You can use this function e.g. to decrypt data which is supposed to only be available to you. 793 * 794 * @param string $data 795 * @param string|null $decrypted 796 * @param string|resource|array $key key must be the private key corresponding that 797 * was used to encrypt the data. 798 * @param int $padding padding can be one of 799 * OPENSSL_PKCS1_PADDING, 800 * OPENSSL_SSLV23_PADDING, 801 * OPENSSL_PKCS1_OAEP_PADDING, 802 * OPENSSL_NO_PADDING. 803 * @throws OpensslException 804 * 805 */ 806function openssl_private_decrypt(string $data, ?string &$decrypted, $key, int $padding = OPENSSL_PKCS1_PADDING): void 807{ 808 error_clear_last(); 809 $result = \openssl_private_decrypt($data, $decrypted, $key, $padding); 810 if ($result === false) { 811 throw OpensslException::createFromPhpError(); 812 } 813} 814 815 816/** 817 * openssl_private_encrypt encrypts data 818 * with private key and stores the result into 819 * crypted. Encrypted data can be decrypted via 820 * openssl_public_decrypt. 821 * 822 * This function can be used e.g. to sign data (or its hash) to prove that it 823 * is not written by someone else. 824 * 825 * @param string $data 826 * @param string|null $crypted 827 * @param string|resource|array $key 828 * @param int $padding padding can be one of 829 * OPENSSL_PKCS1_PADDING, 830 * OPENSSL_NO_PADDING. 831 * @throws OpensslException 832 * 833 */ 834function openssl_private_encrypt(string $data, ?string &$crypted, $key, int $padding = OPENSSL_PKCS1_PADDING): void 835{ 836 error_clear_last(); 837 $result = \openssl_private_encrypt($data, $crypted, $key, $padding); 838 if ($result === false) { 839 throw OpensslException::createFromPhpError(); 840 } 841} 842 843 844/** 845 * openssl_public_decrypt decrypts 846 * data that was previous encrypted via 847 * openssl_private_encrypt and stores the result into 848 * decrypted. 849 * 850 * You can use this function e.g. to check if the message was written by the 851 * owner of the private key. 852 * 853 * @param string $data 854 * @param string|null $decrypted 855 * @param string|resource $key key must be the public key corresponding that 856 * was used to encrypt the data. 857 * @param int $padding padding can be one of 858 * OPENSSL_PKCS1_PADDING, 859 * OPENSSL_NO_PADDING. 860 * @throws OpensslException 861 * 862 */ 863function openssl_public_decrypt(string $data, ?string &$decrypted, $key, int $padding = OPENSSL_PKCS1_PADDING): void 864{ 865 error_clear_last(); 866 $result = \openssl_public_decrypt($data, $decrypted, $key, $padding); 867 if ($result === false) { 868 throw OpensslException::createFromPhpError(); 869 } 870} 871 872 873/** 874 * openssl_public_encrypt encrypts data 875 * with public key and stores the result into 876 * crypted. Encrypted data can be decrypted via 877 * openssl_private_decrypt. 878 * 879 * This function can be used e.g. to encrypt message which can be then read 880 * only by owner of the private key. It can be also used to store secure data 881 * in database. 882 * 883 * @param string $data 884 * @param string|null $crypted This will hold the result of the encryption. 885 * @param string|resource $key The public key. 886 * @param int $padding padding can be one of 887 * OPENSSL_PKCS1_PADDING, 888 * OPENSSL_SSLV23_PADDING, 889 * OPENSSL_PKCS1_OAEP_PADDING, 890 * OPENSSL_NO_PADDING. 891 * @throws OpensslException 892 * 893 */ 894function openssl_public_encrypt(string $data, ?string &$crypted, $key, int $padding = OPENSSL_PKCS1_PADDING): void 895{ 896 error_clear_last(); 897 $result = \openssl_public_encrypt($data, $crypted, $key, $padding); 898 if ($result === false) { 899 throw OpensslException::createFromPhpError(); 900 } 901} 902 903 904/** 905 * Generates a string of pseudo-random bytes, with the number of bytes 906 * determined by the length parameter. 907 * 908 * It also indicates if a cryptographically strong algorithm was used to produce the 909 * pseudo-random bytes, and does this via the optional crypto_strong 910 * parameter. It's rare for this to be FALSE, but some systems may be broken or old. 911 * 912 * @param int $length The length of the desired string of bytes. Must be a positive integer. PHP will 913 * try to cast this parameter to a non-null integer to use it. 914 * @param bool|null $crypto_strong If passed into the function, this will hold a boolean value that determines 915 * if the algorithm used was "cryptographically strong", e.g., safe for usage with GPG, 916 * passwords, etc. TRUE if it did, otherwise FALSE 917 * @return string Returns the generated string of bytes on success. 918 * @throws OpensslException 919 * 920 */ 921function openssl_random_pseudo_bytes(int $length, ?bool &$crypto_strong = null): string 922{ 923 error_clear_last(); 924 $result = \openssl_random_pseudo_bytes($length, $crypto_strong); 925 if ($result === false) { 926 throw OpensslException::createFromPhpError(); 927 } 928 return $result; 929} 930 931 932/** 933 * openssl_seal seals (encrypts) 934 * data by using the given method with a randomly generated 935 * secret key. The key is encrypted with each of the public keys 936 * associated with the identifiers in pub_key_ids 937 * and each encrypted key is returned 938 * in env_keys. This means that one can send 939 * sealed data to multiple recipients (provided one has obtained their 940 * public keys). Each recipient must receive both the sealed data and 941 * the envelope key that was encrypted with the recipient's public key. 942 * 943 * @param string $data The data to seal. 944 * @param string|null $sealed_data The sealed data. 945 * @param array $env_keys Array of encrypted keys. 946 * @param array $pub_key_ids Array of public key resource identifiers. 947 * @param string $method The cipher method. 948 * @param string $iv The initialization vector. 949 * @return int Returns the length of the sealed data on success. 950 * If successful the sealed data is returned in 951 * sealed_data, and the envelope keys in 952 * env_keys. 953 * @throws OpensslException 954 * 955 */ 956function openssl_seal(string $data, ?string &$sealed_data, array &$env_keys, array $pub_key_ids, string $method = "RC4", string &$iv = null): int 957{ 958 error_clear_last(); 959 $result = \openssl_seal($data, $sealed_data, $env_keys, $pub_key_ids, $method, $iv); 960 if ($result === false) { 961 throw OpensslException::createFromPhpError(); 962 } 963 return $result; 964} 965 966 967/** 968 * openssl_sign computes a signature for the 969 * specified data by generating a cryptographic 970 * digital signature using the private key associated with 971 * priv_key_id. Note that the data itself is 972 * not encrypted. 973 * 974 * @param string $data The string of data you wish to sign 975 * @param string|null $signature If the call was successful the signature is returned in 976 * signature. 977 * @param resource|string $priv_key_id resource - a key, returned by openssl_get_privatekey 978 * 979 * string - a PEM formatted key 980 * @param int|string $signature_alg int - one of these Signature Algorithms. 981 * 982 * string - a valid string returned by openssl_get_md_methods example, "sha256WithRSAEncryption" or "sha384". 983 * @throws OpensslException 984 * 985 */ 986function openssl_sign(string $data, ?string &$signature, $priv_key_id, $signature_alg = OPENSSL_ALGO_SHA1): void 987{ 988 error_clear_last(); 989 $result = \openssl_sign($data, $signature, $priv_key_id, $signature_alg); 990 if ($result === false) { 991 throw OpensslException::createFromPhpError(); 992 } 993} 994 995 996/** 997 * openssl_x509_export_to_file stores 998 * x509 into a file named by 999 * outfilename in a PEM encoded format. 1000 * 1001 * @param string|resource $x509 See Key/Certificate parameters for a list of valid values. 1002 * @param string $outfilename Path to the output file. 1003 * @param bool $notext 1004 * The optional parameter notext affects 1005 * the verbosity of the output; if it is FALSE, then additional human-readable 1006 * information is included in the output. The default value of 1007 * notext is TRUE. 1008 * @throws OpensslException 1009 * 1010 */ 1011function openssl_x509_export_to_file($x509, string $outfilename, bool $notext = true): void 1012{ 1013 error_clear_last(); 1014 $result = \openssl_x509_export_to_file($x509, $outfilename, $notext); 1015 if ($result === false) { 1016 throw OpensslException::createFromPhpError(); 1017 } 1018} 1019 1020 1021/** 1022 * openssl_x509_export stores 1023 * x509 into a string named by 1024 * output in a PEM encoded format. 1025 * 1026 * @param string|resource $x509 See Key/Certificate parameters for a list of valid values. 1027 * @param string|null $output On success, this will hold the PEM. 1028 * @param bool $notext 1029 * The optional parameter notext affects 1030 * the verbosity of the output; if it is FALSE, then additional human-readable 1031 * information is included in the output. The default value of 1032 * notext is TRUE. 1033 * @throws OpensslException 1034 * 1035 */ 1036function openssl_x509_export($x509, ?string &$output, bool $notext = true): void 1037{ 1038 error_clear_last(); 1039 $result = \openssl_x509_export($x509, $output, $notext); 1040 if ($result === false) { 1041 throw OpensslException::createFromPhpError(); 1042 } 1043} 1044 1045 1046/** 1047 * openssl_x509_fingerprint returns the digest of 1048 * x509 as a string. 1049 * 1050 * @param string|resource $x509 See Key/Certificate parameters for a list of valid values. 1051 * @param string $hash_algorithm The digest method or hash algorithm to use, e.g. "sha256", one of openssl_get_md_methods. 1052 * @param bool $raw_output When set to TRUE, outputs raw binary data. FALSE outputs lowercase hexits. 1053 * @return string Returns a string containing the calculated certificate fingerprint as lowercase hexits unless raw_output is set to TRUE in which case the raw binary representation of the message digest is returned. 1054 * 1055 * Returns FALSE on failure. 1056 * @throws OpensslException 1057 * 1058 */ 1059function openssl_x509_fingerprint($x509, string $hash_algorithm = "sha1", bool $raw_output = false): string 1060{ 1061 error_clear_last(); 1062 $result = \openssl_x509_fingerprint($x509, $hash_algorithm, $raw_output); 1063 if ($result === false) { 1064 throw OpensslException::createFromPhpError(); 1065 } 1066 return $result; 1067} 1068 1069 1070/** 1071 * openssl_x509_read parses the certificate supplied by 1072 * x509certdata and returns a resource identifier for 1073 * it. 1074 * 1075 * @param string|resource $x509certdata X509 certificate. See Key/Certificate parameters for a list of valid values. 1076 * @return resource Returns a resource identifier on success. 1077 * @throws OpensslException 1078 * 1079 */ 1080function openssl_x509_read($x509certdata) 1081{ 1082 error_clear_last(); 1083 $result = \openssl_x509_read($x509certdata); 1084 if ($result === false) { 1085 throw OpensslException::createFromPhpError(); 1086 } 1087 return $result; 1088} 1089