I have some code here that is not functioning.
The critical issue here is the SSL encryption through the exec command in PHP.
The part <<EOF\n$data\n_EOF_\n is causing an issue as it causes the encryption to fail. I have tried the rest of the command without <<EOF\n$data\n_EOF_\n and it worked fine.
Notes:
I am running on Windows 10, XAMPP Control Panel v3.2.2, PHP, and Apache.
This is a personal computer.
It has the full installation of XAMPP.
OpenSSL is enabled.
PHP safe_mode is disabled.
The paths of OpenSSL and the certificate files are correct.
I have done much research into this issue and could not quite find a reliable solution. I would greatly appreciate some help! Thanks!
$types = array('bronze','silver','gold','platinum','diamond');
if(!in_array($_GET['type'],$types)) {
die('<error />');
}
$type = $_GET['type'];
if($type == 'bronze') {
$amount = '15.00';
} elseif ($type == 'silver') {
$amount = '25.00';
} elseif ($type == 'gold') {
$amount = '50.00';
} elseif ($type == 'platinum') {
$amount = '75.00';
} elseif ($type == 'diamond') {
$amount = '100.00';
}
#Discount Rate
$discount_rate = '0';
$IPN_URL = 'https://www.example.net/paypal/ipn';
$PAYPAL_CERT_FILE = 'C:\\xampp\\example.net\\paypal\\paypal_cert.pem';
$MY_KEY_FILE = 'C:\\xampp\\example.net\\paypal\\prvkey.pem';
$MY_CERT_FILE = 'C:\\xampp\\example.net\\paypal\\pubcert.pem';
$OPENSSL = 'C:\\xampp\\apache\\bin\\openssl.exe';
$form = array(
'cmd' => '_xclick',
'amount' => $amount,
'item_number' => explode('"',$userinfo['external_auth'])[3],
'discount_rate' => $discount_rate,
'item_name' => ucfirst($type).' EXAMPLE :: TEST',
'notify_url' => $IPN_URL,
'business' => 'example#live.ca',
'cert_id' => 'SOME_ID_HERE',
'currency_code' => 'USD',
'no_shipping' => '1'
);
function paypal_encrypt($hash) {
global $MY_KEY_FILE;
global $MY_CERT_FILE;
global $PAYPAL_CERT_FILE;
global $OPENSSL;
if (!file_exists($MY_KEY_FILE)) {
echo "ERROR: MY_KEY_FILE $MY_KEY_FILE not found\n";
}
if (!file_exists($MY_CERT_FILE)) {
echo "ERROR: MY_CERT_FILE $MY_CERT_FILE not found\n";
}
if (!file_exists($PAYPAL_CERT_FILE)) {
echo "ERROR: PAYPAL_CERT_FILE $PAYPAL_CERT_FILE not found\n";
}
//Assign Build Notation for PayPal Support
$hash['bn']= 'domain.PHP_EWP2';
$data = "";
foreach ($hash as $key => $value) {
if ($value != "") {
$data .= "$key=".escapeshellcmd($value)."\n";
}
}
$openssl_cmd = "($OPENSSL smime -sign -signer $MY_CERT_FILE -inkey $MY_KEY_FILE " .
"-outform der -nodetach -binary <<_EOF_\n$data\n_EOF_\n) | " .
"$OPENSSL smime -encrypt -des3 -binary -outform pem $PAYPAL_CERT_FILE";
exec($openssl_cmd, $output, $error);
if (!$error) {
return implode("\n",$output);
} else {
return "ERROR: encryption failed";
}
};
$encrypted = paypal_encrypt($form);
die('<success />'.$encrypted);
EDIT:
I am using https://www.stellarwebsolutions.com/en/articles/paypal_button_encryption_php.php as a guide.
If you are using XAMPP and your notify URL has "localhost" in it, you are on another level. If you have a domain masking your XAMPP server, you can't use that URL. Your notify URL has to be an IP address. ;) Just know I came back to tell you that. Just figured it out myself. If it helped, donate to foziazzubaidi#gmail.com through PayPal haha. If it didn't, I've been making websites for a decade now. Send me an email, I'd be happy to help.
PEACE!!!
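On the question's `<<_EOF_` construct: PHP's exec() hands the command line to cmd.exe on Windows, and cmd.exe has no here-documents, so the form data never reaches openssl. The sketch below is an added example, not code from the thread; it feeds the data to the same two `openssl smime` steps over stdin without any shell, so the form values need no shell escaping. The function names are hypothetical, and the demo assumes an `openssl` binary on the PATH and uses throwaway certificates.

```php
<?php
// Added example, not code from the thread. run_openssl() and
// paypal_encrypt_noshell() are hypothetical names.

// Run the openssl binary with $args, send $input on stdin, return stdout.
// The array form of proc_open() (PHP 7.4+) starts the program directly, so
// neither cmd.exe nor /bin/sh ever parses the arguments or the data.
function run_openssl(string $openssl, array $args, string $input): string
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(array_merge([$openssl], $args), $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start openssl');
    }
    // Sequential write-then-read is fine for a payload of a few kilobytes.
    fwrite($pipes[0], $input);
    fclose($pipes[0]);
    $output = stream_get_contents($pipes[1]);
    $errors = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('openssl failed: ' . trim($errors));
    }
    return $output;
}

function paypal_encrypt_noshell(array $fields, string $openssl, string $myCert,
                                string $myKey, string $paypalCert): string
{
    $data = '';
    foreach ($fields as $key => $value) {
        $value = (string) $value;
        if ($value === '') {
            continue;
        }
        // The blob is one "key=value" per line, so a line break inside a
        // value would add a field of its own. Reject it.
        if (preg_match('/[\r\n]/', $value)) {
            throw new InvalidArgumentException("line break in field $key");
        }
        $data .= "$key=$value\n";
    }
    $signed = run_openssl($openssl, ['smime', '-sign', '-signer', $myCert,
        '-inkey', $myKey, '-outform', 'der', '-nodetach', '-binary'], $data);
    return run_openssl($openssl, ['smime', '-encrypt', '-des3', '-binary',
        '-outform', 'pem', $paypalCert], $signed);
}

// Constructed sample: throwaway self-signed pairs stand in for the merchant
// and PayPal certificate files; "openssl" is assumed to be on the PATH.
$dir = sys_get_temp_dir();
foreach (['merchant', 'paypal'] as $who) {
    $key = openssl_pkey_new(['private_key_bits' => 2048]);
    $csr = openssl_csr_new(['commonName' => $who], $key);
    openssl_pkey_export_to_file($key, "$dir/demo-$who-key.pem");
    openssl_x509_export_to_file(openssl_csr_sign($csr, null, $key, 30), "$dir/demo-$who-cert.pem");
}
echo paypal_encrypt_noshell(['cmd' => '_xclick', 'amount' => '15.00'], 'openssl',
    "$dir/demo-merchant-cert.pem", "$dir/demo-merchant-key.pem", "$dir/demo-paypal-cert.pem");
```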
I'm using the following PHP code to encrypt the billing details I'm passing to PayPal:
<?php
$MY_KEY_FILE = "my-prvkey.pem";
$MY_CERT_FILE = "my-pubcert.pem";
$PAYPAL_CERT_FILE = "paypal_cert.pem";
$OPENSSL = "/usr/bin/openssl";
$form = array(
'cmd' => '_xclick',
'cert_id' => 'HSFU5KJLFS8JD',
'business' => 'example#icloud.com',
'currency_code' => 'EUR',
'no_shipping' => '1',
'charset' => 'utf-8',
'lc' => 'DE',
'item_name' => 'Test',
'amount' => '4.20',
'return' => 'http://www.example.com/success.php',
'cancel_return' => 'http://www.example.com/error.php',
);
$encrypted = paypal_encrypt($form);
function paypal_encrypt($hash)
{
global $MY_KEY_FILE;
global $MY_CERT_FILE;
global $PAYPAL_CERT_FILE;
global $OPENSSL;
if (!file_exists($MY_KEY_FILE)) {
echo "ERROR: MY_KEY_FILE $MY_KEY_FILE not found\n";
}
if (!file_exists($MY_CERT_FILE)) {
echo "ERROR: MY_CERT_FILE $MY_CERT_FILE not found\n";
}
if (!file_exists($PAYPAL_CERT_FILE)) {
echo "ERROR: PAYPAL_CERT_FILE $PAYPAL_CERT_FILE not found\n";
}
$data = "";
foreach ($hash as $key => $value) {
if ($value != "") {
$data .= "$key=$value\n";
}
}
$openssl_cmd = "($OPENSSL smime -sign -signer $MY_CERT_FILE -inkey $MY_KEY_FILE "."-outform der -nodetach -binary <<_EOF_\n$data\n_EOF_\n) | "."$OPENSSL smime -encrypt -des3 -binary -outform pem $PAYPAL_CERT_FILE";
exec($openssl_cmd, $output, $error);
if (!$error) {
return implode("\n",$output);
} else {
return "ERROR: encryption failed";
}
};
?>
<!DOCTYPE html>
<html>
<body>
<form action="https://www.paypal.com/cgi-bin/webscr" method="get">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="encrypted" value=" <?php echo $encrypted;?>">
<input type="submit">
</form>
</body>
</html>
When clicking on the submit button I'll get redirected to PayPal and can make the payment.
I can either send the form data with method="post" or method="get".
If I'm using my code with method="post" I'm getting redirected to a page looking like this:
When using exactly the same code but changing method="post" to method="get" I'm getting redirected to a page looking like this:
This doesn't really look beautiful. I prefer the first one and I think my customers will do so, too.
Does anybody know how I can fix that? What am I doing wrong?
I have seen your question on Freelancer website as well. For your requirement of HTTP GET:
PayPal is discontinuing use of HTTP GET from June 2017.
https://www.paypal.com/au/webapps/mpp/discontinuation-get-method
I am trying to create the server-side connection for Apple push notifications.
First, I ask the user (who will probably be an iOS dev) to provide the .cer and .p12 files that Apple provides in order to make a .pem file.
Below is the .pem certificate creation.
$dir = $this->directory.'/certificates';
$password = 'a_user_password';
$certificate = $dir.'/certificate.cer';
$key_password = $dir.'/key.p12';
exec('openssl x509 -inform der -in '.$certificate.' -out '.$dir.'/certificate.pem');
exec('openssl pkcs12 -nocerts -out '.$dir.'/key.pem -in '.$key_password.' -passout pass:'.$password.' -passin pass:'.$password);
$filename = $key_password;
$results = array();
$worked = openssl_pkcs12_read(file_get_contents($filename), $results, $obj->password);
if($worked) {
$current = file_get_contents($dir.'/key.pem');
$current .= $results['pkey'];
file_put_contents($dir.'/key.pem', $current);
} else {
echo openssl_error_string();
}
exec('cat '.$dir.'/certificate.pem '.$dir.'/key.pem > '.$dir.'/apns_certificate.pem');
So far, so good. I have tested that the above generated apns_certificate.pem is successful with apple through command line via:
s_client -connect gateway.sandbox.push.apple.com:2195 -cert certificate.pem -key key.pem
However,
When I try to connect to APNs through PHP, I cannot. Below is the last PHP code that I have tried, which I have seen has worked for others:
$this->certificate = ROOT.'/certificates/apns_certificate.pem';
$this->socket = 'ssl://gateway.push.apple.com:2195';
if (!file_exists($this->certificate)) {
$this->error = 'Certificate file not found';
return false;
}
$this->stream_context = stream_context_create();
$this->stream_options = array(
'ssl' => array(
'local_cert' => $this->certificate,
'passphrase' => 'a_user_password', //same with the one used in my previous code
)
);
$success = stream_context_set_option($this->stream_context, $this->stream_options);
if ($success == false) {
$this->error = 'Secure connection failed';
return false;
}
$this->socket_client = stream_socket_client($this->socket, $con_error, $con_error_string, $this->timeout, STREAM_CLIENT_CONNECT, $this->stream_context);
if ($this->socket_client === false) {
$this->error = $con_error_string;
return false;
} else {
return true;
}
The above code returns me an error:
Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Warning: stream_socket_client(): unable to connect to ssl://gateway.push.apple.com:2195
Thank you in advance for your help!
The above code is correct. There was an error with the .p12 certificate. Also, I changed the exec for the .p12 file conversion to:
exec('openssl pkcs12 -out '.$dir.'/key.pem -in '.$key_password.' -passout pass:'.$password.' -passin pass:'.$password.' -nodes');
I think I asked this twice already and no one even bothered to view this. Please help me out and try to at least think about it before forgetting the question.
So I am following this tutorial: http://www.stellarwebsolutions.com/en/articles/paypal_button_encryption_php.php and when I used their code and inserted all the things that were different for me, I ran the code and got the error message from PayPal 'Unable to decrypt certificate id'. After a little research I found that the function in the code returned 'ERROR: Encryption failed.' I think the error was caused by the following piece of code:
$openssl_cmd = "($OPENSSL smime -sign -signer $MY_CERT_FILE -inkey $MY_KEY_FILE " .
"-outform der -nodetach -binary < \"_EOF_\n$data\n_EOF_\n\") | " .
"$OPENSSL smime -encrypt -des3 -binary -outform pem $PAYPAL_CERT_FILE";
exec($openssl_cmd, $output, $error);
if (!$error) {
return implode("\n",$output);
} else {
return "ERROR: encryption failed";
}
Is there any possible way of converting this openssl command to an openssl_something(); call? I would greatly appreciate any help. Here is the full code and another note: PLEASE don't make stupid comments on themes such as the question is bad, etc.:
<?php
ini_set('display_errors',1);
ini_set('display_startup_errors',1);
error_reporting(-1);
?>
<HTML>
<?php
//Sample PayPal Button Encryption: Copyright 2006-2010 StellarWebSolutions.com
//Not for resale - license agreement at
//http://www.stellarwebsolutions.com/en/eula.php
//Updated: 2010 02 01
# private key file to use
$MY_KEY_FILE = "my-prvkey.pem";
# public certificate file to use
$MY_CERT_FILE = "my-pubcert.pem";
# Paypal's public certificate
$PAYPAL_CERT_FILE = "paypal_cert_pem.txt";
# path to the openssl binary
$OPENSSL = "/usr/bin/openssl";
$form = array('cmd' => '_xclick',
'business' => 'naclo3samuel#gmail.com',
'cert_id' => 'PRIVACY?',
'lc' => 'RU',
'custom' => 'test',
'invoice' => '',
'currency_code' => 'USD',
'no_shipping' => '1',
'item_name' => 'Donation',
'item_number' => '1',
'amount' => '10'
);
$encrypted = paypal_encrypt($form);
function paypal_encrypt($hash)
{
//Sample PayPal Button Encryption: Copyright 2006-2010 StellarWebSolutions.com
//Not for resale - license agreement at
//http://www.stellarwebsolutions.com/en/eula.php
global $MY_KEY_FILE;
global $MY_CERT_FILE;
global $PAYPAL_CERT_FILE;
global $OPENSSL;
if (!file_exists($MY_KEY_FILE)) {
echo "ERROR: MY_KEY_FILE $MY_KEY_FILE not found\n";
}
if (!file_exists($MY_CERT_FILE)) {
echo "ERROR: MY_CERT_FILE $MY_CERT_FILE not found\n";
}
if (!file_exists($PAYPAL_CERT_FILE)) {
echo "ERROR: PAYPAL_CERT_FILE $PAYPAL_CERT_FILE not found\n";
}
//Assign Build Notation for PayPal Support
$hash['bn']= 'StellarWebSolutions.PHP_EWP2';
$data = "";
foreach ($hash as $key => $value) {
if ($value != "") {
//echo "Adding to blob: $key=$value\n";
$data .= "$key=$value\n";
}
}
$openssl_cmd = "($OPENSSL smime -sign -signer $MY_CERT_FILE -inkey $MY_KEY_FILE " .
"-outform der -nodetach -binary < \"_EOF_\n$data\n_EOF_\n\") | " .
"$OPENSSL smime -encrypt -des3 -binary -outform pem $PAYPAL_CERT_FILE";
exec($openssl_cmd, $output, $error);
if (!$error) {
return implode("\n",$output);
} else {
return "ERROR: encryption failed";
}
};
?>
<HEAD>
<LINK REL=stylesheet HREF="/styles/stellar.css" TYPE="text/css">
<TITLE>PHP Sample Donation using PayPal Encrypted Buttons</TITLE>
</HEAD>
<BODY bgcolor=white>
<TABLE border=0>
<TR><TD align=center>
<h1>Sample Donation Page</h1>
<P>This page uses encrypted PayPal buttons for your security.</P>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target=_blank>
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="encrypted" value="
<?PHP echo $encrypted; ?>">
<input type="submit" value="Donate $10">
</form>
<P><SMALL>(PayPal will open in a new window for demonstration purposes.)</SMALL></P>
</TD></TR></TABLE>
</BODY>
</HTML>
Well, then here is my answer ;) You might have a problem with safe_mode which prevents your code from executing the openssl binary.
I am working on the things below:
Generate CSR(Certificate Signing Request)
Upload SSL Certificates
To generate SSL certificate I am using something like:
$privkey = openssl_pkey_new();
$csr = openssl_csr_new($dn, $privkey);
$sscert = openssl_csr_sign($csr, null, $privkey, $days);
openssl_csr_export($csr, $csrout);
openssl_pkey_export($privkey, $pkeyout, $_POST['password']);
openssl_pkey_export_to_file($privkey, "<path/to/store/server.key>");
openssl_csr_export_to_file($csr, "/tmp/".<domain-name>.".csr");
Now, using that CSR request, I am able to generate (domain-name.cer) and (DigitalCert.cer).
Now, once I upload these (.cer) certificates, I need to verify them.
Reason: Someone generated these certificates on, say, "a.com" and tries to upload them on "b.com". This should not happen, so I want to validate the uploaded SSL certificates.
In PHP, we have
$ok = openssl_verify($data, $signature, $pubkeyid);
but I am not able to work out what should be treated as $data, $signature and $pubkeyid based on the above certificate generation process.
Check this out:
Verify SMTP in PHP
<?php
$server = "smtp.gmail.com"; // Who I connect to
$myself = "my_server.example.com"; // Who I am
$cabundle = '/etc/ssl/cacert.pem'; // Where my root certificates are
// Verify server. There's not much we can do, if we suppose that an attacker
// has taken control of the DNS. The most we can hope for is that there will
// be discrepancies between the expected responses to the following code and
// the answers from the subverted DNS server.
// To detect these discrepancies though, implies we knew the proper response
// and saved it in the code. At that point we might as well save the IP, and
// decouple from the DNS altogether.
$match1 = false;
$addrs = gethostbynamel($server);
foreach($addrs as $addr)
{
$name = gethostbyaddr($addr);
if ($name == $server)
{
$match1 = true;
break;
}
}
// Here we must decide what to do if $match1 is false.
// Which may happen often and for legitimate reasons.
print "Test 1: " . ($match1 ? "PASSED" : "FAILED") . "\n";
$match2 = false;
$domain = explode('.', $server);
array_shift($domain);
$domain = implode('.', $domain);
getmxrr($domain, $mxhosts);
foreach($mxhosts as $mxhost)
{
$tests = gethostbynamel($mxhost);
if (0 != count(array_intersect($addrs, $tests)))
{
// One of the instances of $server is a MX for its domain
$match2 = true;
break;
}
}
// Again here we must decide what to do if $match2 is false.
// Most small ISP pass test 2; very large ISPs and Google fail.
print "Test 2: " . ($match2 ? "PASSED" : "FAILED") . "\n";
// On the other hand, if you have a PASS on a server you use,
// it's unlikely to become a FAIL anytime soon.
// End of maybe-they-help-maybe-they-don't checks.
// Establish the connection
$smtp = fsockopen( "tcp://$server", 25, $errno, $errstr );
fread( $smtp, 512 );
// Here you can check the usual banner from $server (or in general,
// check whether it contains $server's domain name, or whether the
// domain it advertises has $server among its MX's.
// But yet again, Google fails both these tests.
fwrite($smtp,"HELO $myself\r\n");
fread($smtp, 512);
// Switch to TLS
fwrite($smtp,"STARTTLS\r\n");
fread($smtp, 512);
stream_set_blocking($smtp, true);
stream_context_set_option($smtp, 'ssl', 'verify_peer', true);
stream_context_set_option($smtp, 'ssl', 'allow_self_signed', false);
stream_context_set_option($smtp, 'ssl', 'capture_peer_cert', true);
stream_context_set_option($smtp, 'ssl', 'cafile', $cabundle);
$secure = stream_socket_enable_crypto($smtp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
stream_set_blocking($smtp, false);
$opts = stream_context_get_options($smtp);
if (!isset($opts["ssl"]["peer_certificate"]))
$secure = false;
else
{
$cert = openssl_x509_parse($opts["ssl"]["peer_certificate"]);
$names = '';
if ('' != $cert)
{
if (isset($cert['extensions']['subjectAltName']))
$names = $cert['extensions']['subjectAltName'];
elseif (isset($cert['subject']))
{
if (isset($cert['subject']['CN']))
$names = 'DNS:' . $cert['subject']['CN'];
else
$secure = false; // No exts, subject without CN
}
else
$secure = false; // No exts, no subject
}
$checks = explode(',', $names);
// At least one $check must match $server
$tmp = explode('.', $server);
$fles = array_reverse($tmp);
$okay = false;
foreach($checks as $check)
{
$tmp = explode(':', trim($check)); // entries are separated by ", "
if ('DNS' != $tmp[0]) continue; // candidates must start with DNS:
if (!isset($tmp[1])) continue; // and have something afterwards
$tmp = explode('.', $tmp[1]);
if (count($tmp) < 3) continue; // "*.com" is not a valid match
// We connected to www.example.com and certificate is for *.www.example.com -- bad.
// A name only covers hosts with the same number of labels.
if (count($tmp) != count($fles)) continue;
$cand = array_reverse($tmp);
$okay = true;
foreach($cand as $i => $item)
{
if ($fles[$i] == $item)
continue;
if ($item == '*' && $i == count($cand) - 1)
continue; // wildcard stands for the leftmost label only
// Any other difference means this name does not cover $server.
$okay = false;
break;
}
if ($okay)
break;
}
if (!$okay)
$secure = false; // No hosts matched our server.
}
if (!$secure)
die("failed to connect securely\n");
print "Success!\n";
// Continue with connection...
?>
This works for me
$crt_md5=exec('openssl x509 -noout -modulus -in /path/to/domain.crt | openssl md5 | sed "s/^.* //"');
$key_md5=exec('openssl rsa -noout -modulus -in /path/to/server.key | openssl md5 | sed "s/^.* //"');
if($crt_md5 != $key_md5){
echo 'BAD';
}
else{
echo "GOOD";
}
sed "s/^.* //" - will remove (stdin)= thing from the output, so that
you get exact md5 string
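This is how I do it...
// exec() returns the last line of output; the second argument of system() receives only the exit status
$crt_md5 = exec('openssl x509 -noout -modulus -in '.escapeshellarg($crt).' | openssl md5');
$key_md5 = exec('openssl rsa -noout -modulus -in '.escapeshellarg($key).' | openssl md5');
if($crt_md5 != $key_md5){
echo 'BAD';
}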
Try openssl_x509_check_private_key( $crt, $key ) it returns boolean
ref http://php.net/manual/en/function.openssl-x509-check-private-key.php
WARNING: openssl_x509_check_private_key will not work in some cases.
Example:
SSL certificate like this:
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
xxxx
xxxx
This certificate does not end with -----END CERTIFICATE-----, but it can still pass the check of this function. It will return true to tell you that it is correct, but it actually is not. If you upload this certificate to your application, such as Nginx, Nginx will report an error.
This doesn't seem to be an error that only appears in PHP. If you check with the openssl function on the command line, it will tell you the same result.
So I think the best way is that you need to check whether the paragraphs of the certificate are complete.
After confirming that the format is correct, use this function to verify the certificate and private key.
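A check for the upload case discussed in this thread, combining the completeness test from the warning above with openssl_x509_check_private_key and a comparison of the certificate's names against the target domain. This is an added example, not code from any of the posters; the function names are hypothetical, and it assumes the stored private key is unencrypted PEM and that the server certificate is the first block in the uploaded file.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Return every complete PEM certificate block in $pem, or null when the text
// holds an unterminated block or anything else outside the blocks.
function pem_certificate_blocks(string $pem): ?array
{
    $pem = trim(str_replace("\r\n", "\n", $pem));
    $re = '/-----BEGIN CERTIFICATE-----\n[A-Za-z0-9+\/=\n]+\n-----END CERTIFICATE-----/';
    if (!preg_match_all($re, $pem, $m)) {
        return null;
    }
    // Whatever is left after removing the complete blocks must be empty.
    return trim(preg_replace($re, '', $pem)) === '' ? $m[0] : null;
}

// True when certificate name $pattern (optionally "*.example.com") covers
// $host. The wildcard stands for exactly one leftmost label.
function name_covers(string $pattern, string $host): bool
{
    $p = explode('.', strtolower($pattern));
    $h = explode('.', strtolower($host));
    if (count($p) === count($h) && count($p) >= 3 && $p[0] === '*') {
        $p[0] = $h[0];
    }
    return $p === $h;
}

// Return a list of problems; an empty list means the upload is acceptable.
// Assumes $keyPem is the unencrypted key stored when the CSR was generated.
function check_uploaded_certificate(string $certPem, string $keyPem, string $domain): array
{
    $blocks = pem_certificate_blocks($certPem);
    if ($blocks === null) {
        return ['certificate file is truncated or malformed'];
    }
    $leaf = $blocks[0]; // assumption: the server certificate comes first
    $info = openssl_x509_parse($leaf);
    if ($info === false) {
        return ['certificate cannot be parsed'];
    }
    $errors = [];
    if (!openssl_x509_check_private_key($leaf, $keyPem)) {
        $errors[] = 'certificate was not issued for our private key';
    }
    $names = [];
    foreach (explode(',', $info['extensions']['subjectAltName'] ?? '') as $entry) {
        if (stripos(trim($entry), 'DNS:') === 0) {
            $names[] = substr(trim($entry), 4);
        }
    }
    if (!$names) { // no SAN: fall back to the subject CN(s)
        $names = (array) ($info['subject']['CN'] ?? []);
    }
    if (!array_filter($names, fn($n) => name_covers($n, $domain))) {
        $errors[] = "certificate does not name $domain";
    }
    $now = time();
    if ($now < $info['validFrom_time_t'] || $now > $info['validTo_time_t']) {
        $errors[] = 'certificate is outside its validity period';
    }
    return $errors;
}

// Constructed sample: a throwaway key and self-signed certificate for a.example.
$key = openssl_pkey_new(['private_key_bits' => 2048]);
$csr = openssl_csr_new(['commonName' => 'a.example'], $key);
openssl_x509_export(openssl_csr_sign($csr, null, $key, 30), $certPem);
openssl_pkey_export($key, $keyPem);

var_dump(check_uploaded_certificate($certPem, $keyPem, 'a.example'));                 // matching upload
var_dump(check_uploaded_certificate($certPem, $keyPem, 'b.example'));                 // uploaded to another domain
var_dump(check_uploaded_certificate(substr($certPem, 0, -30), $keyPem, 'a.example')); // cut-off file
```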
Attempting to use dynamic encryption for Paypal on my local WAMP 2.4 server. Openssl is installed in Apache and enabled in PHP. Using exec Openssl fails. Can anyone provide some suggestions or if you feel real generous the code for converting the following PHP code to PHP Openssl requests (preferred method)? BTW I've tried both OPENSSL file pointers, both are found but neither works.
function paypal_encrypt($hash)
{
//Sample PayPal Button Encryption: Copyright 2006-2010 StellarWebSolutions.com
//Not for resale - license agreement at
//http://www.stellarwebsolutions.com/en/eula.php
$MY_KEY_FILE='paypal/encrypt/myprivate_key.pem';
$MY_CERT_FILE='paypal/encrypt/mypublic_cert.pem';
$PAYPAL_CERT_FILE='paypal/encrypt/paypal_cert.pem';
$OPENSSL='../../bin/apache/Apache2.4.4/bin/openssl.exe';
$OPENSSL='../../bin/apache/Apache2.4.4/conf/openssl.cnf';
if (!file_exists($MY_KEY_FILE)) {
echo "ERROR: MY_KEY_FILE $MY_KEY_FILE not found\n";
}
if (!file_exists($MY_CERT_FILE)) {
echo "ERROR: MY_CERT_FILE $MY_CERT_FILE not found\n";
}
if (!file_exists($PAYPAL_CERT_FILE)) {
echo "ERROR: PAYPAL_CERT_FILE $PAYPAL_CERT_FILE not found\n";
}
if (!file_exists($OPENSSL)) {
echo "ERROR: Openssl $OPENSSL not found\n";
}
//Assign Build Notation for PayPal Support
$hash['bn']= 'StellarWebSolutions.PHP_EWP2';
$data = "";
foreach ($hash as $key => $value) {
if ($value != "") {
//echo "Adding to blob: $key=$value\n";
$data .= "$key=$value\n";
}
}
echo $data;
$openssl_cmd = "($OPENSSL smime -sign -signer $MY_CERT_FILE -inkey $MY_KEY_FILE " .
"-outform der -nodetach -binary <<_EOF_\n$data\n_EOF_\n) | " .
"$OPENSSL smime -encrypt -des3 -binary -outform pem $PAYPAL_CERT_FILE";
exec($openssl_cmd, $output, $error);
if (!$error) {
return implode("\n",$output);
} else {
return $error."ERROR: encryption failed";
}
}
I have successfully done it after a couple of hours of trying and searching. Finally found this very helpful article
Simplified Code Below
function paypal_ewp_encrypt_data( $hash, $certs ){
$temp_files_dir_path = ''; // a directory PHP has write access to (keep it outside the web root), where temporary files are written and deleted afterwards
$data = 'cert_id=' . $certs->paypal_cert_id;
foreach ($hash as $key => $value) {
if ($value != "") {
$data .= "\n$key=$value";
}
}
$unique_id = uniqid(time());
$data_file_in = $temp_files_dir_path . DIRECTORY_SEPARATOR . $unique_id . "-data-in.txt"; // raw data file
$data_file_out = $temp_files_dir_path . DIRECTORY_SEPARATOR . $unique_id . "-data-out.txt";// signed data file
$enc_file_out = $temp_files_dir_path . DIRECTORY_SEPARATOR . $unique_id . "-enc-out.txt"; // encrypted data file
$fp = fopen( $data_file_in, "w" );
fwrite($fp, $data);
fclose($fp);
if( ! openssl_pkcs7_sign(
$data_file_in, $data_file_out, 'file://' . $certs->public_key,
array( 'file://' . $certs->private_key, ''),
array(),
PKCS7_BINARY)
){
return false;
}
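// openssl_pkcs7_sign() writes S/MIME text; keep only the base64 body and store it as raw DER
$data_out_data = explode("\n\n", file_get_contents($data_file_out));
$out = fopen($data_file_out, 'wb');
fwrite($out, base64_decode($data_out_data[1]));
fclose($out);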
if( ! openssl_pkcs7_encrypt(
$data_file_out, $enc_file_out,
'file://' . $certs->paypal_public_key, array(),
PKCS7_BINARY, OPENSSL_CIPHER_3DES )
){
return false;
}
$en_data = explode("\n\n", file_get_contents($enc_file_out) );
$en_data = $en_data[1];
$en_data = "-----BEGIN PKCS7-----" . str_replace("\n", "", $en_data ) . "-----END PKCS7-----";
// delete files
@unlink($data_file_in);
@unlink($data_file_out);
@unlink($enc_file_out);
$paypal_array = array(
'cmd' => '_s-' . $hash['cmd'], // use _s- before the cmd
'encrypted' => $en_data
);
return $paypal_array; // the form fields the caller reads back
}
function certs(){
$certs = new stdClass();
$certs->public_key = ''; // absolute path to your public key file
$certs->private_key = ''; // absolute path to your private key file
$certs->paypal_public_key = ''; // absolute path to paypal public key file
$certs->paypal_cert_id = ''; // given cert id after you upload the public key to paypal website.
return $certs;
}
Implementation
$hash = array(
// key value pair of paypal form variables
);
$certs = certs();
$data = paypal_ewp_encrypt_data($hash, $certs);
$data is a PHP array of the key-value pairs required to create the form fields. Use the key as the name and the value as the field value.