I have to encrypt files that will be decrypted on demand with PHP :
$fh = fopen('encrypted_file', 'rb');
$content = fread($fh, $size);
print mcrypt_decrypt(MCRYPT_TRIPLEDES, 'myPassword', $content, MCRYPT_MODE_ECB);
fclose($fh);
I cannot change the PHP code as it is used many times in the site.
Otherwise, I have to seriously prove that the change is mandatory.
Now, my problem is to find the Linux OpenSSL command to encrypt files that will be decrypted with the given code.
I tried things like :
openssl enc -e -des3 -k myPassword -nosalt -in text_file -out encrypted_file
But I cannot find the decrypted file through PHP.
May you help me to correct the openssl command?
There are so many options (I tried many, I sware) and I don't find how to make them corresponding to the PHP one.
Regards,
Olivier
Related
Because of some platform limitation I'm forced to generate openssl signature in command line. I'm executing openssl sign command and with openssl verify command it validates. But when I tired to sign by command and validate by php, it fails.
$filesize = filesize('test.txt');
$fp = fopen('test.txt', 'rb');
$data = fread($fp, $filesize);
$prvKey = 'qa_sig_ec.key';
$command = 'echo -n "'.$data.'" | openssl dgst -sha256 -sign '. $prvKey;
$sig = exec($command);
$filesize2 = filesize(__DIR__."\qa_sig_ec.pub");
$fp2 = fopen(__DIR__."\qa_sig_ec.pub", 'rb');
$publicKey = fread($fp2, $filesize2);
var_dump(openssl_verify($data, $sig, $publicKey, OPENSSL_ALGO_SHA256));
I believe that is something wrong with signature passing, because openssl command generates binary content, and perhpas when i pass it to script, it just break.
Any ideas, please?
you can base64 encode openssl signatures for textwise comparison and transmission.
You can probably:
$command = 'echo -n "'.$data.'" | openssl dgst -sha256 -sign '. $prvKey. ' | base64';
in php. I've also had trouble using php's openssl commands with key resources. It seems to be more reliable to:
file_get_contents($keypath);
And feed openssl functions the string containing the key. I haven't tried this with a passphrase protected key. Try this if using key resources doesn't work. base64 decode the signature to feed it to openssl functions in binary if it doesn't digest the encoded string version.
My answer is based on experience using php's openssl functions to verify openssl generated signatures. I haven't tried to do exactly what you're doing but I have a hunch your issues can be solved with strategic base64 encoding/decoding. It should take literally a minute to try for you.
Im using Gnupg to decrypt a file:
gpg --decrypt -o file.xml file.gpg
You need a passphrase to unlock the secret key for
user: "TEST-COMPANY (DAM Key) <test#test.de>"
4096-bit RSA key, ID 257C2D21, created 2018-04-23
Enter passphrase:
Then I write this passphrase and then works.
And now I want to make it automatic using this command on PHP:
$command = 'gpg --decrypt -o file.xml file.gpg'
exec($command);
The problem came when system ask for phassphrase.
I tried this:
$command = 'gpg --decrypt -o file.xml file.gpg | [Passphrase]'
but doesn't work.
Any idea about this?
Thank you
Just adding the answer that the OP and #CD001 figured out in the comments, because it helped me immensely (thanks!), and seems like a common issue (secret key was generated with passphrase, and generating new keys isn't an option). I was pulling my hair out trying to decrypt with the GnuPG functions, before learning that as of GnuPG 2.1, it can't decrypt a file with passphrase-generated key (as noted in comment here). Configuring gpg-agent with a preset passphrase may work fine, but I much prefer what the OP here did.
$encrypted_file = "file.csv.pgp";
$path_to_file = $_SERVER["DOCUMENT_ROOT"]."/dir1/dir2";
$passphrase = "passphrase";
$command = "echo {$passphrase} | gpg --passphrase-fd 0 --batch --yes {$path_to_file}/{$encrypted_file}";
exec($command);
If successful, the decrypted file will be in the same directory, without the .pgp extension. So make sure it was successful...
$decrypted_file = str_replace(".pgp", "", $encrypted_file );
if (file_exists("{$path_to_file}/{$decrypted_file}")) {
echo "Successfully decrypted $encrypted_file to $decrypted_file";
}
$passphrase = "';__!!??()[]";
$passphrase = escapeshellarg($passphrase);
shell_exec("openssl\openssl.exe genrsa -des3 -passout pass:${passphrase} -out test.key 2048");
#Here the password works
echo system("openssl\openssl.exe rsa -in test.key -passin pass:${passphrase} -noout -text");
This code works fine to generate a key with openssl. I can also read the key without any problem. But when I want to read the key from the command line I'm unable to decrypt it. I use exactly the same command as in the code. The only difference is, that I copy the passphrase to the command line as it is written in the code. This always fails with a bad decrypt error.
How can I fix this issue?
Edit: To make this more clear. This does not work when run from terminal:
openssl\openssl.exe rsa -in test.key -passin pass:"';__!!??()[]" -noout -text
Why don't you use PHP's OpenSSL library instead of the shell?
http://php.net/manual/en/ref.openssl.php
I'm having as issue with running a script using shell_exec in PHP.
When I log onto the server and run the script I get the correct output but when running it through the webpage it doesn't seem to be completing the commands.
The script is to use openssl to create .pem, .pfx and .p12 files from .crt and .key files.
Bash Script is below:
#!/bin/bash
#Script to create all the SSL certs needed from the .key and .crt files
set -o errexit
echo "Starting script....<br><br>"
echo "openssl pkcs12 -export -in $1.crt -inkey $1.key -out $1.p12 -passout pass:$2"
openssl pkcs12 -export -in $1.crt -inkey $1.key -out $1.p12 -passout pass:$2
echo "P12 Complete.<br><br>"
openssl pkcs12 -in $1.p12 -nodes -out $1.pem -passin pass:$2 -passout pass:$2
echo "PEM Complete.<br><br>"
openssl pkcs12 -inkey $1.pem -in $1.crt -export -out $1.pfx -passout pass:$2
echo "PFX complete.<br><br>"
mkdir $1_certs
mv $1.key $1_certs/$1.key
mv $1.crt $1_certs/$1.crt
mv $1.pem $1_certs/$1.pem
mv $1.p12 $1_certs/$1.p12
mv $1.pfx $1_certs/$1.pfx
echo "Password: " $2 >> $1_certs/password.txt
echo "ZIPing files.<br><br>"
zip $1_certs.zip $1_certs
echo "COMPLETE<br><br>"
PHP is below:
<?php
if (isset($_GET['cert_name'])) {
$cert_name = $_GET['cert_name'];
$password = $_GET['password'];
echo "/home/<username>/ssl $cert_name $password <br><br>";
$message=shell_exec("/home/<username>/ssl $cert_name $password");
echo $message;
}
?>
The abundance of echo's in both was to aid in troubleshooting.
The webpage is a basic table with 2 inputs and a submit button.
When I Run this in the webpage it gets to the openssl command to create the .p12 and fails.
If I remove the set -o errexit so that it runs completely through regardless of errors I can see that it doesnt even try to create the directory or move the files, I just see all the echo's. Its as if it just runs the echos and ignores the commands.
I have an echo in before the command to create the p12 file and it shows that it is getting all the correct details.
I'm at a loss of where to go from here. Any help would be appreciated.
From the manual on shell_exec
Return Values
The output from the executed command or NULL if an error occurred or the command produces no output.
Note:
This function can return NULL both when an error occurs or the program produces no output. It is not possible to detect execution failures using this function. exec() should be used when access to the program exit code is required.
In debugging, echo, and print/print_r variations aren't very helpful, because they type cast null to a string. Instead you could use var_dump, which guarantees output for every input even if it is null.
As far as why it's failing there is a way to get back any information from STDERR by redirecting STDERR to STDOUT.
$message = shell_exec("/home/<username>/ssl $cert_name $password 2>&1");
It's also important to note that you should escape any arguments passed to the shell via escapeshellarg
If I had to guess at why it's failing my best guess would be that whatever user PHP is running under (if you're doing this via your web server, for example, and using Apache httpd with mod_php, it probably doesn't have the necessary permissions to execute /home/<username>/ssl. You should be able to determine that for sure by checking permissions on the file and confirming with STDERR information back from the shell.
I've setup proftpd with a tutorial in an Ubuntu Server machine with MySQL user access. Now I've created some users (user01, user02, user03) and created a cyphered password with this command:
/bin/echo "{md5}"`/bin/echo -n "mypassword" | openssl dgst -binary -md5 | openssl enc -base64`
{md5}NIGde+6ruSYKXIVLyFs+RA==
I'm not ashamed to say I did not understand anything of this command, but I would like to, and make the same command line work in a PHP code.
I know there is an OpenSSL library in PHP, but I don't really know how to get the same result.
I've found it out my self (and I feel proud about)
`//php
$dgst = openssl_digest('mypassword', 'md5', TRUE);
echo "{md5}" . base64_encode($dgst); `
This will give as result '{md5}NIGde+6ruSYKXIVLyFs+RA=='
echo base64_encode(md5('mypassword', true));
No need to even use the openssl extension.