PHP Question

Discussion in 'PHP' started by PK-Host, May 7, 2012.

  1. #1
    I'm not a newbie at PHP, I've been doing it for years now, however I've never been brilliant at hashing/salting but I'm looking to improve.

    Basically I need to transfer an array across via a URL (passed through CURL). I am planning on using serialize to convert the array into a string.

    The only problem I'm having atm is making it so that it is encrypted during transit, as it needs to be able to be decrypted at the other end. This is for a script so I can add code onto both ends. If anyone can help at all, it'd be greatly appreciated.
     
    PK-Host, May 7, 2012 IP
  2. ROOFIS

    #2
    I'd have a look at the mcrypt docs and cook something up from there.

    :)
     
    ROOFIS, May 7, 2012 IP
  3. DennisRitchieCollective

    #3
    You could use an SSH tunnel to securely send the text.

    See: http://www.php.net/manual/en/intro.ssh2.php
    I don't have any specific details on this as I've never done this myself.
    But SSH is the first thing that came to mind. If you're interested I could go dig around/tinker with it and give you more details if you get stuck.
     
  4. e-abi

    #4
    At first, try to get the communication working without encryption.
    In order to pass data in a web URL, you would need to base64_encode it:
    http://php.net/manual/en/function.base64-encode.php

    Your URL would look something like this:
    http://your-url.com/index.php?data=<base64encoded-data>

    On the other end, which is receiving the data, you will do a base64 decode:
    http://www.php.net/manual/en/function.base64-decode.php

    PHP:
    $myData = base64_decode($_GET['data']);

    // do more things with $myData

    If you manage to get it working this way, then you would start applying encryption.
     
    e-abi, May 7, 2012 IP
  5. PK-Host

    #5
    I've got that sorted but I want a method so that to unencrypt the data needs a key that both ends have. Any ideas?
     
    PK-Host, May 7, 2012 IP
  6. e-abi

    #6
    OK, that is simple: you use a public-private key encryption scheme.

    For that you just need to generate a private and a public key with openssl. (gets rough from here....)

    Once the keypair has been generated you use the following command:

    The end that is encrypting the data should use this command:
    http://php.net/manual/en/function.openssl-seal.php

    PHP:
    // Load the recipient's public key
    $cert = file_get_contents('path-to-public-key.pem');
    $pubkeys = array(openssl_get_publickey($cert));

    // Encrypts $origData with a random key and wraps that key once per public key.
    // PHP 8.0+ requires a fifth cipher_algo argument here (the old default was RC4).
    openssl_seal($origData, $sealedData, $keys, $pubkeys);

    $sealedData = base64_encode($sealedData);
    $cryptKey = base64_encode($keys[0]);
    and it should forward the URL like this:

    http://www.yoursite.com/index.php?data=<$sealedData>&key=$cryptKey

    And now the endpoint that receives the data should open up the data like this:

    PHP:
    $privKey = openssl_get_privatekey(file_get_contents('path-to-private-key.pem'));

    openssl_open(base64_decode($_GET['data']), $openData, base64_decode($_GET['key']), $privKey);

    // perform the actions with $openData, since this is the decrypted data

    If you do not know how a private-public keypair should be generated, then it makes me wonder why you want to encrypt the data between endpoints at all.....
     
    e-abi, May 7, 2012 IP
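
The seal/open exchange from post #6 as a complete round trip on current PHP, added here as an example that is not part of the thread or any poster's code. It names the cipher explicitly (required since PHP 8.0), carries the array as JSON rather than `serialize()` output, and builds the query string with `http_build_query()` so the base64 characters survive the URL. The helper names, the extra `iv` parameter, the sample payload and the in-memory 2048-bit key pair are assumptions made for the example.

```php
<?php
// Added example (not the poster's code). Assumes PHP 8+ with ext-openssl.
// Sealing hides the data but does not prove who sent it; add openssl_sign() if origin matters.
const CIPHER = 'aes-256-cbc'; // must be named on PHP 8; the old implicit default was RC4

// Sender: seal an array for one recipient and return a query string (hypothetical helper).
function seal_to_query(array $payload, OpenSSLAsymmetricKey $pub): string {
    $json = json_encode($payload, JSON_THROW_ON_ERROR); // JSON instead of serialize()
    $iv = '';
    if (openssl_seal($json, $sealed, $ekeys, [$pub], CIPHER, $iv) === false) {
        throw new RuntimeException('openssl_seal failed');
    }
    // http_build_query() percent-encodes '+', '/' and '=' so the base64 survives the URL.
    return http_build_query([
        'data' => base64_encode($sealed),
        'key'  => base64_encode($ekeys[0]),
        'iv'   => base64_encode($iv), // assumed extra parameter: CBC needs the IV to decrypt
    ]);
}

// Receiver: $query plays the role of $_GET (hypothetical helper).
function open_from_query(array $query, OpenSSLAsymmetricKey $priv): array {
    $f = [];
    foreach (['data', 'key', 'iv'] as $name) {
        $v = $query[$name] ?? null;
        $raw = is_string($v) ? base64_decode($v, true) : false; // strict alphabet check
        if ($raw === false || $raw === '') {
            throw new InvalidArgumentException("missing or malformed '$name'");
        }
        $f[$name] = $raw;
    }
    if (!openssl_open($f['data'], $json, $f['key'], $priv, CIPHER, $f['iv'])) {
        throw new RuntimeException('decryption failed');
    }
    // json_decode() cannot instantiate arbitrary classes, unlike unserialize() on request data.
    return json_decode($json, true, 16, JSON_THROW_ON_ERROR);
}

// Constructed demo: throwaway in-memory key pair so the script runs offline.
$priv = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$pub  = openssl_pkey_get_public(openssl_pkey_get_details($priv)['key']);

$qs = seal_to_query(['user' => 42, 'plan' => 'gold'], $pub);
parse_str($qs, $received); // simulates what PHP would place in $_GET
var_dump(open_from_query($received, $priv) === ['user' => 42, 'plan' => 'gold']);
```
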
  7. PK-Host

    #7
    Maybe because I've never had to learn how to do it before? But your suggestion does sound like something I need to go and take a look at. Thanks
     
    PK-Host, May 7, 2012 IP
  8. e-abi

    #8
    You can generate a public-private keypair with this utility:
    http://pangalink.aktsia.ee/test/create_cert_lt.php

    This utility does not store data, but you need to fill in the details in order to get the keys.
    If you have filled in the details correctly, then the keys will be sent to the email entered in the 'target email' field.
    One of the emails will be the public key and the other one will be the private key.
    Of course this public key is no ordinary public key and you would need to use a different function to extract the public key from that file.
    Since the public key file is the CSR, the correct function to extract the public key from that file would be this one:
    http://www.php.net/manual/en/function.openssl-csr-get-public-key.php

    All the other parts of the code would stay the same.

    Source code of the keypair generator is here:

    PHP:
    <?php
    session_start();
    function _post($var, $default = null) {
     if (isset($_POST[$var])) return $_POST[$var];
     return $default;
    }
    function _get($var, $default = null) {
     if (isset($_GET[$var])) return $_GET[$var];
     return $default;
    }
    
    function getSelect($array, $mandatory = false, $selected = "") {
     $r = '';
     if (!$mandatory) {
      $r .= "<option value=''>&nbsp;</option>";
     }
     foreach($array as $k => $i) {
      if ($k == $selected) {
       $r .= "<option selected='selected' value='".$k."'>".htmlspecialchars($i)."</option>";
      } else {
       $r .= "<option value='".$k."'>".htmlspecialchars($i)."</option>";
      }
     }
     return $r;
    }
    $messages = array();
    $errors = array();
    $showForm = true;
    $counties = array(
     'Alytus' => 'Alytus',
     'Kaunas' => 'Kaunas',
     'Klaipeda' => 'Klaipeda',
     'Marijampole' => 'Marijampole',
     'Panevezys' => 'Panevezys',
     'Šiauliai' => 'Šiauliai',
     'Taurage' => 'Taurage',
     'Telsiai' => 'Telsiai',
     'Utena' => 'Utena',
     'Vilnius' => 'Vilnius',
    );
    if (count($_POST) > 0) {
    require_once("dns.inc.php");
    require_once("class.phpmailer.php");
    
    $server="194.126.115.18";
    $port=53;
    $timeout=60;
    $udp=true;
    $debug=false;
    $type="A";
    
    //echo "this is test";
    $output = array();
    $countryName = "LT";
    $stateName = trim(_post('stateOrProvinceName',""));
    $cityName = trim(_post('localityName',""));
    $orgName = trim(_post('organizationName',""));
    $orgWww = trim(_post('organizationalUnitName',""));
    $commonName = trim(_post('commonName',""));
    $email = trim(_post('emailAddress',""));
    $userEmail = trim(_post('userEmail',""));
    $vkSndId = trim(_post('vk_snd_id',""));
    
    if ($stateName == '' 
     || $cityName == ''
     || $orgName == ''
     || $orgWww == ''
     || $commonName == ''
     || $email == ''
     || $userEmail == ''
     || $vkSndId == '') {
     $errors[] = 'All fields are mandatory';
    }
    
    // eregi() was removed in PHP 7; preg_match() with the /i flag is the equivalent
    $emailPattern = '/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i';
    if (!preg_match($emailPattern, $email)) {
     $errors[] = 'Company\'s email is incorrect';
    }
    if (!preg_match($emailPattern, $userEmail)) {
     $errors[] = 'Your email is incorrect';
    }
    
    
    if (count($errors) == 0) {
     $question=$orgWww;
     $query=new DNSQuery($server,$port,$timeout,$udp,$debug);
     $result=$query->Query($question,$type);
     if ($query->error) {
      $errors[] = 'Homepage does not exist';
     // exit();
     }
    }
    if (count($errors) == 0) {
     $r = end($result->results);
     $serverIp =  $r->data;
    }
    if (count($errors) == 0) {
     $dn = array("countryName" => $countryName, 
     "stateOrProvinceName" => $stateName, "localityName" => $cityName, "organizationName" => $orgName, "organizationalUnitName" => $orgWww,
     "commonName" => $commonName, "emailAddress" => $email);
     $privkeypass = null;
     $numberofdays = 365;
     // 1024-bit RSA is considered too short today; 2048 bits is the usual minimum
     $conf = array('private_key_bits' => 1024);
     $privkey = openssl_pkey_new($conf);
     $csr = openssl_csr_new($dn, $privkey);
     $sscert = openssl_csr_sign($csr, null, $privkey, $numberofdays);
     openssl_x509_export($sscert, $publickey);
     openssl_pkey_export($privkey, $privatekey, $privkeypass);
     openssl_csr_export($csr, $csrStr);
     $pubkey=openssl_pkey_get_details($privkey);
     $pubkey=$pubkey["key"];
     
     //mail everything
     $mailer = new PHPMailer();
     $mailer->CharSet = 'utf-8';
     $mailer->From = 'info@e-abi.ee';
     $mailer->FromName = 'E-abi.ee Banklinks';
     $mailer->addAddress($userEmail, $commonName);
     $mailer->Subject = 'Your public key, that has to be sent to the bank';
     $mailer->AddStringAttachment($csrStr, 'request.pem');
     $mailer->Body = "Hello,
     
    Below the line begins the letter that should be sent to the bank.
    Before you do so, make sure that all the contact details are correct.
    
    Kind regards,
    
    Matis Halmann
    
    -------------------------------------
    Hello <Name of the bank>,
    
    I, $commonName, manager of the board at $orgName would like to establish e-bank contract:
    
    VK_SND_ID: $vkSndId
    I shall sign all the queries with the key, that can be verified with the attached public key (request.pem).
    The webpage itself will be located at the IP: $serverIp
    
    With regards,
    
    $commonName
    ";
     $mailer->Send();
     
     $mailer = new PHPMailer();
     $mailer->CharSet = 'utf-8';
     $mailer->From = 'info@e-abi.ee';
     $mailer->FromName = 'E-abi.ee Banklinks';
     $mailer->addAddress($userEmail, $commonName);
     $mailer->Subject = 'Your private key';
     $mailer->AddStringAttachment($privatekey, 'privkey.pem');
     $mailer->Body = "Hello,
     
    With this letter there is attached private key (privkey.pem).
    Keep this file to yourself and use this key to set up your banklink configuration.
    
    Do not send that file to the bank.
    
    Kind regards,
    
    Matis";
     $mailer->Send();
     
    $messages[] = 'You have been sent 2 different e-mails. One of them contains public key and the other one contains private key <br/>
    Make sure that those emails do not get lost, if they do, you need to repeat the process all over again.'; 
    }
    }
    //if we have errors or success messages then put them in session and redirect
    if (count($messages) > 0 || count($errors) > 0) {
     if (!isset($_SESSION['default'])) {
      $_SESSION['default'] = array();
     }
     $_SESSION['default']['errors'] = $errors;
     $_SESSION['default']['messages'] = $messages;
     if (count($messages) > 0) {
    //print_r($_SESSION);
      header("Location: ".$_SERVER['PHP_SELF']);
      exit();
     }
    }
    
    ?>
    <html>
    <head>
    <meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
    <title>pakkumine</title>
    <style>
    input, select, textarea {
     position: absolute;
     width: 200px;
     left: 170px;
    }
    label {
     line-height: 25px;
     margin-left: 25px;
    }
    textarea {
     height: 100px;
    }
    fieldset {
     height: 350px;
     border: 0px;
    }
    </style>
    </head>
    <body>
    <?php
    //display all the errors and messages
    if (isset($_SESSION['default']['errors']) && count($_SESSION['default']['errors']) > 0) {
    ?>
    <div class="errormessages">
     <ul>
      <?php foreach ($_SESSION['default']['errors'] as $i) {?>
       <li><?php echo $i;?></li>
      <?php }?>
     </ul>
    </div>
    <?php 
    unset($_SESSION['default']['errors']);
    }
    if (isset($_SESSION['default']['messages']) && count($_SESSION['default']['messages']) > 0) {
    ?>
    <div class="successmessages">
     <ul>
      <?php foreach ($_SESSION['default']['messages'] as $i) {?>
       <li><?php echo $i;?></li>
      <?php }?>
     </ul>
    </div>
    <?php
    unset($_SESSION['default']['messages']);
    $showForm = false;
    }
    ?>
    
    <?php
    if ($showForm) {
    ?>
    
    <div class="get_print_offer">
    <form action="" method="post" id="print_offer_form">
    <fieldset>
    <?php // Echoed POST values are escaped so they cannot break out of the value attribute; ?? '' covers the first (GET) request ?>
    <label>County:<select name="stateOrProvinceName"><?php echo getSelect($counties, false, $stateName ?? '');?></select></label><br/>
    <label>City:<input name="localityName" value="<?php echo htmlspecialchars($cityName ?? '', ENT_QUOTES); ?>" /></label><br />
    <label>Company name:<input name="organizationName" value="<?php echo htmlspecialchars($orgName ?? '', ENT_QUOTES); ?>" /></label><br />
    <label>Company www:<input name="organizationalUnitName" value="<?php echo htmlspecialchars($orgWww ?? '', ENT_QUOTES); ?>" /></label><br />
    <label>Your name:<input name="commonName" value="<?php echo htmlspecialchars($commonName ?? '', ENT_QUOTES); ?>" /></label><br />
    <label>Company email:<input name="emailAddress" value="<?php echo htmlspecialchars($email ?? '', ENT_QUOTES); ?>" /></label><br />
    <label>Target email:<input name="userEmail" value="<?php echo htmlspecialchars($userEmail ?? '', ENT_QUOTES); ?>" /></label><br />
    <label>VK_SND_ID:<input name="vk_snd_id" value="<?php echo htmlspecialchars($vkSndId ?? '', ENT_QUOTES); ?>" /></label><br />
    
    
    <label><input type="submit" value="Send to target email" name="calcButton"/></label>
    </fieldset>
    </form>
    </div>
    <?php
    }
    ?>
    <?php
    /*
    
    echo '<pre>';
    echo '<br>';
    echo $serverIp; // Holds the resolved IP address of the homepage
    echo '<br>';
    echo $privatekey; // Will hold the exported PriKey
    //echo '<br>';
    //echo $publickey;  // Will hold the exported PubKey
    echo '<br>';
    //certificate request
    echo $csrStr;     // Will hold the exported certificate request (CSR)
    //echo '<br>';
    //echo $pubkey;     // Will hold the exported public key
    
    echo '</pre>';
    */
    
    ?></body>
    </html>
     
    e-abi, May 7, 2012 IP