My OpenSSL command is not working, which I am running through php's exec() function.
The error that is outputted is "1".
OpenSSL is enabled and working.
Here is the command:
$openssl_cmd = "($OPENSSL smime -sign -signer $MY_CERT_FILE -inkey $MY_KEY_FILE " .
"-outform der -nodetach -binary <<_EOF_\n$data\n_EOF_\n) | " .
"$OPENSSL smime -encrypt -des3 -binary -outform pem $PAYPAL_CERT_FILE";
exec($openssl_cmd, $output, $error);
I am running the latest version of XAMPP and running on Windows 10.
Thanks in advance!
EDIT:
Here is the full command when outputted as die($openssl_cmd); in php:
(C:/xampp/apache/bin/openssl.exe smime -sign -signer C:\xampp\[redacted]\paypal\pubcert.pem -inkey C:\xampp\[redacted]\paypal\prvkey.pem -outform der -nodetach -binary <<_EOF_ cmd=_xclick amount=[redacted] item_number=[redacted] discount_rate=0 item_name=[redacted] notify_url=https://www.REDACTED.net/paypal/ipn business=REDACTED cert_id=REDACTED currency_code=USD no_shipping=1 bn=domain.PHP_EWP2 _EOF_ ) | C:/xampp/apache/bin/openssl.exe smime -encrypt -des3 -binary -outform pem C:\xampp\[redacted]\paypal\paypal_cert.pem
EDIT:
I am using https://www.stellarwebsolutions.com/en/articles/paypal_button_encryption_php.php as a guide.
To execute a Linux-style command in Windows, something that uses piping and file redirection, it is possible to run the command using the Windows PowerShell.
For example, in this case, you would execute it via the PowerShell by executing something similar to this:
poewrshell -Command "(C:/xampp/apache/bin/openssl.exe smime -sign -signer C:\xampp\[redacted]\paypal\pubcert.pem -inkey C:\xampp\[redacted]\paypal\prvkey.pem -outform der -nodetach -binary <<_EOF_ cmd=_xclick amount=[redacted] item_number=[redacted] discount_rate=0 item_name=[redacted] notify_url=https://www.REDACTED.net/paypal/ipn business=tomekandres#live.ca cert_id=REDACTED currency_code=USD no_shipping=1 bn=domain.PHP_EWP2 _EOF_ ) | C:/xampp/apache/bin/openssl.exe smime -encrypt -des3 -binary -outform pem C:\xampp\[redacted]\paypal\paypal_cert.pem"
Related
I try to implement this bash command in PHP without success :
password='echo -en "$date" | openssl dgst -sha1 -hmac $apiKey -binary | openssl enc -base64'
I tried the openssl_digest and openssl_encrypt without success.
I don't understand the order of the parameters...
Could you help me to generate the expected command in PHP ?
Thanks for your help !
The bash command :
password='echo -en "$date" | openssl dgst -sha1 -hmac $apiKey -binary | openssl enc -base64'
can be interpreted in PHP as follows :
$password = base64_encode(hash_hmac('sha1', $date, $apiKey, true));
I have the following running code on PHP7.
$command = "openssl smime -verify -inform DER -in ".$path." -noverify -out ".PATH_XML_EXTRACT.$filename_output;
exec( $command, $output, $return_var );
The openssl command creates the file properly. Can I avoid to store the message content to the output file? I want to get the message as a string (for example in the $output variable) and managing the flow in memory (no writing on the disk).
Any suggestions?
Used this code to sign file, but with different OpenSSL versions, the different result, or SHA-1 or SHA-256 turns out. It is necessary to set SHA-1.
openssl_pkcs7_sign($inFilename, $outFilename, "file://".$publicCertFile, "file://privateCertFile", array(), PKCS7_DETACHED | PKCS7_BINARY | PKCS7_NOATTR);
Result:
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----592DF2A997B872976D85E98B5BC89799"
...
...
The algorithm of sha-256 was used.
Working OpenSSL command:
openssl smime -sign -md sha1 -in "INFILE.TXT" -inkey private.pem -signer public.pem -binary -outform DER -noattr > FILE.RSA
In command line it is possible to set algorithm and how to make it in PHP?
I am using this code to sign a file :
openssl_pkcs7_sign($in,$out,
cert.crt,
cert.key,
array(),
PKCS7_NOATTR
);
However it still appears as not verified when it is opened.
On the contrary, this openssl command works fine:
openssl smime -sign -in in -out out -signer cert.crt -inkey cert.key -certfile ca-bundle -outform der -nodetach
Why is the PHP code not working ?
OK,
openssl_pkcs7_sign($in,$out,
cert.crt,
cert.key,
array(),
PKCS7_NOATTR,
"/real/path/of/ca/intermeidate/cert/file.pem"
);
Did the trick. The last $extracerts arg uses real path instead of file://
If I use openssl to create a new key pair, use the private key to sign some data, and use the public key to verify the signature... it works.
$ openssl genrsa -out mykey.pem 1024
$ openssl rsa -in mykey.pem -pubout > mypubkey.pem
$ echo 'It could be bunnies' > file.txt
$ openssl rsautl -sign -in file.txt -inkey mykey.pem -out sig.txt
$ openssl rsautl -verify -in sig.txt -inkey mypubkey.pem -pubin
It could be bunnies
However, if I try to verify the signature using the openssl library in php it fails.
$pubkey = openssl_pkey_get_public(file_get_contents('/var/key/mypubkey.pem'));
$sig = file_get_contents('/var/key/sig.txt');
$data = file_get_contents('/var/key/file.txt');
$verifyResult = (openssl_verify($data, $sig, $pubkey) == 1);
Similar story with Crypt_RSA
$pubkey = file_get_contents('/var/test/mypubkey.pem');
$sig = file_get_contents('/var/test/sig.txt');
$data = file_get_contents('/var/test/file.txt');
$rsa = new Crypt_RSA();
$rsa->loadKey($pubkey);
$rsa->verify($data, $sig);
$verifyResult = $rsa->verify($data, $sig);
How do I get php to play nicely? These examples are simplified but accurate to my needs. In the real world I will only have the data, signature, and public key...
I was really hoping someone would chime in with a definitive answer on the public key question. Seems like it should work. However, in the meantime, I've switched from a public key to a self-signed certificate. The openssl library in PHP seems happy with extracting an acceptable public key from that. Which means the real problem (verifying signed data) is solved for me. Server clients will now have the data, signature, and x.509 certificate.
Here are the code snippet(s).
$ openssl genrsa -out server.key 4096
$ openssl req -new -key server.key -out server.csr
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
$ openssl dgst -sha1 -sign server.key -out file.sha1 file.txt
...
$pubkey = openssl_pkey_get_public(file_get_contents('/var/key/server.crt'));
$sig = file_get_contents('/var/key/file.sha1');
$data = file_get_contents('/var/key/file.txt');
$verifyResult = (openssl_verify($data, $sig, $pubkey) == 1);
For phpseclib, try $rsa->setSignatureMode(CRYPT_RSA_SIGNATURE_PKCS1) before calling $rsa->verify().