PHP: How to hide private key file from web server (openssl_pkcs7_sign)?
I'm trying to implement interaction with the ESIA. Everything seems to be working fine, but it's annoying that the interaction takes place with the private key file available to the web server.
There is a suspicion that OpenSSL has its own private key store, especially since it can use hardware keys for encryption where the private key is not programmatically available at all.
Is it possible to hide the private key from the web server?
For example, the implementation of the function for signing PKCS7:
    private function signPKCS7($message) {
        $this->checkFilesExists();
        // Both the certificate and the private key are read from disk by the web server process.
        $certContent = file_get_contents($this->certPath);
        $keyContent = file_get_contents($this->privateKeyPath);
        $cert = openssl_x509_read($certContent);
        if ($cert === false) {
            throw new Exception('Ошибка чтения сертификата '.$this->certPath);
        }
        #$this->writeLog('Cert: ' . print_r($cert, true));
        $privateKey = openssl_pkey_get_private($keyContent, $this->privateKeyPassword);
        if ($privateKey === false) {
            throw new Exception('Ошибка чтения приватного ключа '.$this->privateKeyPath);
        }
        // openssl_pkcs7_sign works on files, so the message and the signature go through temp files.
        $messageFile = TMP_PATH.DIRECTORY_SEPARATOR.uniqid();
        $signFile = TMP_PATH.DIRECTORY_SEPARATOR.uniqid();
        try {
            file_put_contents($messageFile, $message);
            // Default flags produce a detached (multipart/signed) S/MIME message.
            $signResult = openssl_pkcs7_sign(
                $messageFile,
                $signFile,
                $cert,
                $privateKey,
                []
            );
            if (!$signResult) {
                throw new SignFailException('OpenSSL error: ' . openssl_error_string());
            }
            // The S/MIME output is split on blank lines; the fourth part is the base64 signature body.
            $signed = file_get_contents($signFile);
            $signed = explode("\n\n", $signed);
            $sign = str_replace("\n", "", $this->urlSafe($signed[3]));
        } finally {
            // The signature file does not exist if signing failed, so check before unlinking.
            if (is_file($signFile)) {
                unlink($signFile);
            }
            if (is_file($messageFile)) {
                unlink($messageFile);
            }
        }
        return $sign;
    }
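One way to take the key file out of the web server's reach, shown here as an added example (not code from the question or from any ESIA client library): signing is moved into a separate process that runs as its own OS user, the only account allowed to read the key, and the web server only hands it the message over a Unix socket. The socket and file paths, the `ESIA_KEY_PASSWORD` variable and PHP 8 are assumptions of this example.

```php
<?php
// esia-signer.php (added example). Run the "serve" mode as a dedicated OS user that alone can
// read key.pem (mode 0400); the web server user only needs group access to the socket directory.
declare(strict_types=1);
const SOCKET_PATH = '/run/esia-signer/sign.sock'; // assumed path
const CERT_PATH   = '/etc/esia/cert.pem';          // assumed path
const KEY_PATH    = '/etc/esia/key.pem';           // assumed path, readable by the signer user only

// Detached PKCS7 signature; the base64 body is extracted the same way as in the question
// (fourth "\n\n"-separated part of the S/MIME output written by openssl_pkcs7_sign).
function signDetached(string $message, OpenSSLCertificate $cert, OpenSSLAsymmetricKey $key): string
{
    [$in, $out] = [tempnam(sys_get_temp_dir(), 'msg'), tempnam(sys_get_temp_dir(), 'sig')];
    try {
        file_put_contents($in, $message);
        openssl_pkcs7_sign($in, $out, $cert, $key, [], PKCS7_DETACHED)
            || throw new RuntimeException('openssl_pkcs7_sign: ' . openssl_error_string());
        return str_replace("\n", '', explode("\n\n", (string) file_get_contents($out))[3]);
    } finally {
        @unlink($in); @unlink($out);
    }
}

// Signer process: `ESIA_KEY_PASSWORD=... php esia-signer.php serve`, started as the signer user.
// The key is loaded once here; the web server process never sees the file or the passphrase.
if (PHP_SAPI === 'cli' && ($argv[1] ?? '') === 'serve') {
    $cert = openssl_x509_read((string) file_get_contents(CERT_PATH)) ?: throw new RuntimeException('cert: ' . openssl_error_string());
    $key = openssl_pkey_get_private((string) file_get_contents(KEY_PATH), (string) getenv('ESIA_KEY_PASSWORD'))
        ?: throw new RuntimeException('key: ' . openssl_error_string());
    @unlink(SOCKET_PATH);
    $server = stream_socket_server('unix://' . SOCKET_PATH, $errno, $errstr) ?: throw new RuntimeException("listen: $errstr");
    chmod(SOCKET_PATH, 0660); // the web server user connects through group membership
    while (($conn = stream_socket_accept($server, -1)) !== false) { // one message per connection
        try {
            fwrite($conn, signDetached((string) stream_get_contents($conn), $cert, $key));
        } catch (Throwable $e) { fwrite($conn, 'ERR ' . $e->getMessage()); }
        fclose($conn);
    }
}

// Web-side replacement for signPKCS7(): only the message leaves this process, no key material.
function requestSignature(string $message): string
{
    $c = stream_socket_client('unix://' . SOCKET_PATH, $errno, $errstr, 5) ?: throw new RuntimeException("signer unavailable: $errstr");
    fwrite($c, $message);
    stream_socket_shutdown($c, STREAM_SHUT_WR); // EOF tells the signer the message is complete
    $sig = (string) stream_get_contents($c);
    fclose($c);
    return str_starts_with($sig, 'ERR ') ? throw new RuntimeException($sig) : $sig;
}
```

This removes the key file itself from the web server's reach, but a compromised web process can still ask the signer for signatures, so the signer should log every request it serves. The same split is what a hardware token or HSM gives you, with the key never leaving the device instead of never leaving the signer user.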