infilename outfilename signcert privkey headers flags



Similar documents
Electronic mail security. MHS (Message Handling System)

PrivaSphere Gateway Certificate Authority (GW CA)

4.1: Securing Applications Remote Login: Secure Shell (SSH) PEM/PGP. Chapter 5: Security Concepts for Networks

Electronic Mail Security

Internet Encryption S/Mime Standard

Prof. Sead Muftic Feng Zhang. Lecture 10: Secure Systems

2- Electronic Mail (SMTP), File Transfer (FTP), & Remote Logging (TELNET)

CPSC Network Programming. , FTP, and NAT.

Cryptography and Network Security Chapter 15

A Noval Approach for S/MIME

WebApp S/MIME Manual. Release Zarafa BV

Chapter 6 Electronic Mail Security

How To Encrypt With An Certificate On An From A Gmail Account On A Pc Or Mac Or Ipa (For A Pc) On A Microsoft Gmail (For An Ipa) Or Ipad (For Mac) On

PGP from: Cryptography and Network Security

Network Security Essentials Chapter 7

, SNMP, Securing the Web: SSL

TCS-CA. Outlook Express Configuration [VERSION 1.0] U S E R G U I D E

Grid Computing - X.509

Personal Secure Certificate

. MIME is the protocol that was devised to allow non-ascii encoded content in an and attached files to an .

Djigzo encryption. Djigzo white paper

The default option is that full headers appear at the BOTTOM of each received message.

Secure transaction guidelines for external users with Commission personnel.

Internet Technology 2/13/2013

2- Electronic Mail (SMTP), File Transfer (FTP), & Remote Logging (TELNET)

Electronic Mail

The Joys of Importing & Using an S/MIME Certificate CCIT Publication

GlobalSign Enterprise Solutions

SECURE USER GUIDE OUTLOOK 2000

Remote login (Telnet):

CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure

Electronic Mail Security. Security. is one of the most widely used and regarded network services currently message contents are not secure

CS43: Computer Networks . Kevin Webb Swarthmore College September 24, 2015

Networking Applications

Tutorial Details Product Demonstrated: X-301 Estimated Completion Time: 15 minutes

Ciphermail S/MIME Setup Guide

Online signature API. Terms used in this document. The API in brief. Version 0.20,

User Guide Using Certificate in Microsoft Outlook Express

Djigzo S/MIME setup guide

DJIGZO ENCRYPTION. Djigzo white paper

How do I use Push Notifications with ios?

The Case For Secure

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

gpg4o Manual Version 3.0

A Brief Guide to Certificate Management

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

CIPHERMAIL ENCRYPTION. CipherMail white paper

Cryptography and Network Security

This script is called by an HTML form using the POST command with this file as the action. Example: <FORM METHOD="POST" ACTION="formhandler.

Forging Digital Signatures

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

An Introduction to Secure . Presented by: Addam Schroll IT Security & Privacy Analyst

cipher: the algorithm or function used for encryption and decryption

Why you need secure

Outlook XP Only

isecur User Guide for iphone

How To Protect Your From Being Hacked On A Pc Or Mac Or Ipa From Being Stolen On A Network (For A Free Download) On A Computer Or Ipo (For Free) On Your Pc Or Ipom (For An Ipo

Published : License : None

User Guide May Using Certificates in Outlook Express

Marriott Enrollment Server for Web User Guide V1.4

Installing your Digital Certificate & Using on MS Out Look 2007.

EE 7376: Introduction to Computer Networks. Homework #3: Network Security, , Web, DNS, and Network Management. Maximum Points: 60

Personal Secure Certificate

Lecture 10: 1. Secure E mail E systems. Systems. Page 1

Network Services. SMTP, Internet Message Format. Johann Oberleitner SS 2006

Sending MIME Messages in LISTSERV DISTRIBUTE Jobs

MailEnable Web Mail End User Manual V 2.x

StreamServe Persuasion SP5 Encryption and Authentication

NetSec Exercise 8 Communication Mixes

Evolution of the WWW. Communication in the WWW. WWW, HTML, URL and HTTP. HTTP Abstract Message Format. The Client/Server model is used:

s sent to the FaxFinder fax server must meet the following criteria to be processed for sending as a fax:

HP Device Manager 4.7

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Frequently Asked Questions. Frequently Asked Questions SSLPost Page 1 of 31 support@sslpost.com

Motivation retaining redisplaying

Steps to Opening Your First Password-Protected Envelope

DIGIPASS CertiID. Getting Started 3.1.0

Management CSCU9B2 CSCU9B2 1

Secure Part II Due Date: Sept 27 Points: 25 Points

Guide for Securing With WISeKey CertifyID Personal Digital Certificate (Personal eid)

GT 6.0 GSI C Security: Key Concepts

Package PKI. July 28, 2015

SecureStore I.CA. User manual. Version 2.16 and higher

FTP and . Computer Networks. FTP: the file transfer protocol

The IceWarp SSL Certificate Process

IceWarp SSL Certificate Process

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Standards and Products. Computer Security. Kerberos. Kerberos

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

This section includes troubleshooting topics about certificates.

Transcription:

http://doc.helplib.com openssl_pkcs7_encrypt openssl_pkcs7_verify OpenSSL 函 数 在 线 手 册 : 中 文 英 文 PHP 手 册 openssl_pkcs7_sign (PHP 4 >= 4.0.6, PHP 5) openssl_pkcs7_sign Sign - an S/MIME message 说 明 bool openssl_pkcs7_sign string ( $infilename string, $outfilename mixed, $signcert mixed, $privkey array, $headers [, int $flags = PKCS7_DETACHED [, string $extracerts ]] ) openssl_pkcs7_sign() takes the contents infilename of and the signs file them named using the private key signcert specified and privkey parameters. by 参 数 infilename outfilename signcert privkey headers headers is an array of headers that will openssl_pkcs7_e be prepended t for more information about the format of this paramet flags flags can be used to PKCS7 alter constants. the output - see Page 1/9

extracerts extracerts specifies the name of a file containing a bun example be used to help the recipient to verify the c 返 回 值 成 功 时 返 回 TRUE, 或 者 在 失 败 时 返 回 FALSE. 范 例 Example openssl_pkcs7_sign() #1 example // the message you want to sign so that recipient can be // sent it $data = <<<EOD You have my authorization to spend $10,000 on dinner e The CEO EOD; // save message to file $fp =fopen ("msg.txt","w" ); fwrite ($fp,$data ); fclose ($fp ); // encrypt it if openssl_pkcs7_sign ( ("msg.txt","signed.txt","mycert.pem", array( "file://mycert.pem","mypassphrase" ), array( "To" =>"joes@example.com",// keyed syntax "From: HQ <ceo@example.com>",// indexed syntax "Subject" =>"Eyes ) only" )) { // message signed - send it! exec (ini_get ("sendmail_path" )". < signed.txt" ); } openssl_pkcs7_encrypt Page 2/9

openssl_pkcs7_verify OpenSSL 函 数 在 线 手 册 : 中 文 英 文 PHP 手 册 用 户 评 论 : ungdi at hotmail (11-Feb-2010 dot ) com 09:34 Amongst the many discussions about signing or encrypting email by itself, none really discuss the pain of having an email BOTH signed AND encrypted. According to RFC 2311, you can encrypt then sign or sign then encrypt. However, it depends on the client in which you are programming for. In my experience, in Outlook 2000, it prefers it Encrypt then Sign. While in Outlook 2003, it is Sign then Encrypt. Generally, you want Sign then Encrypt, as it seems most logical from a snail-mail piece point of view. You first sign a letter than put it in an envelope. Certain clients complain if you do it in an order it does not like, so you may want to experiement with it. When you perform the first function, do NOT put in any headers in the headers array parameters, you want to put it in the SECOND function you want to perform. If you put the headers in the first function, the second function will hide it from the mail servers. You do not want that. Here I will sign then encrypt. // Setup mail headers. $headers = array("to" => "someone@nowhere.net", "From" => "noone@somewhere.net", "Subject" => "A signed and encrypted message."); // Sign the message first openssl_pkcs7_sign("msg.txt","signed.txt", "signing_cert.pem",array("private_key.pem", "password"),array()); // Get the public key certificate. $pubkey = file_get_contents("cert.pem"); //encrypt the message, now put in the headers. openssl_pkcs7_encrypt("signed.txt", "enc.txt", $pubkey,$headers,0,1); $data = file_get_contents("enc.txt"); // separate header and body, to use with mail function // unfortunate but required, else we have two sets of headers Page 3/9

// and the email client doesn't decode the attachment $parts = explode("\n\n", $data, 2); // send mail (headers in the Headers parameter will override those // generated for the To & Subject parameters) mail($mail, $subject, $parts[1], $parts[0]); Note that if you use a function that picks up the data from the disk to be used in another function in your program, remember that you may have used the explode("\n\n",$data,2) function which may have removed the spacing between the header and the message content. When you take the signed message and feed it in to the encryption part, you have to remember that the line spacing must also be fed AS PART OF THE MESSAGE BODY! If you plan to sign then encrypt, do not feed the header output from the signing into the encrypting as part of the headers array parameter! The output of the signing should stay as part of the message body being encrypted. (And the same is true if you are doing the reverse of encrypting then signing.) An example of both the signing and encryption function made in to a routine for reusability, and then called to sign and encrypt a message. THIS IS WRONG!: // [0] of Array contains headers of message. [1] of Array contains signed body of message. $signedoutputarray = signmessage($inputmessage,$headers); // [0] of Array contains headers of message and the signing. // [1] of Array contains encrypted body of message without the signing header. $signedandencryptedarray = encryptmessage($signedoutputarray[1], $signedoutputarray[0]); mail($emailaddr,$subject,$signedandencryptedarray[1], $signedandencryptedarray[0]); THIS IS CORRECT! // [0] of Array contains headers of signing. // [1] of Array contains signed body of message. $signedoutputarray = signmessage($inputmessage,array()); // [0] of Array contains headers of message. // [1] of Array contains encrypted contents of both the signed message and its headers of the signing. $signedandencryptedarray = encryptmessage($signedoutputarray[0]. "\n\n". $signedoutputarray[1],$headers); mail($emailaddr,$subject,$signedandencryptedarray[1], $signedandencryptedarray[0]); Page 4/9

yurchenko dot anton (02-Feb-2009 at ) gmail 02:13 dot com I also spent hours when trying to find the reason of error: "error getting private key". Sometimes this error appeared, sometimes not. My solution is using the realpath() for every parameter of openssl_pkcs7_sign. In my case the code looks like: $Certif_path = 'certificate/mycertificate.pem'; $clearfile = "certificate/random_name"; $encfile = $clearfile. ".enc"; $clearfile = $clearfile. ".txt"; // ---- // -- fill $clearfile with the mail to be signed... // ---- openssl_pkcs7_sign(realpath($clearfile), realpath('.').'/'.$encfile, // because $encfile does not exist yet we cannot use realpath($encfile); 'file://'.realpath($certif_path), array('file://'.realpath($certif_path), PUBLIC_KEY), array("to" => TO_EMAIL, "From" => FROM_EMAIL, "Subject" => ""), PKCS7_DETACHED)); ungdi at hotmail (10-Feb-2007 dot ) com 05:10 I would like to make a modification from my previous note. Some clients prefer a certain order in which messages should be signed and encrypted (if both is desired). Newer email clients, such as Thunderbird and Outlook 2003 will accept the most secure method of "sign -> encrypt -> sign again". Why? The first signing authenticates the message saying that you did indeed write it. Then the email is encrypted so that only the recipient can open and read it. Then the second signing ensure confidentiality by identifying that the person encrypting is the one whom encrypted it, a message intended for the decrypting person. This is the most secure method. This ensures: Non-Repudiation of message (first sign), Confidentiality (encrypt), and Context Integrity [you were intended to be addressed] (second sign). Page 5/9

If you only sign then encrypt, there is no way you can guarantee that (aside from the contents of the letter, headers are placed in plain text outside the message) that the message was intended for you by the original sender. For example: Bob signs a love letter and encrypts it to Amy saying only "I love you. -- Bob". Amy decrypts it, sees the message (and plays a joke) and forwards the message to John using John's public key, re-encrypting, but not tampering with the message contents keeping the signature valid. This allows Amy to make it look like Bob sent John a love letter and that Bob loves John, as you cannot verify whom sent it during encryption. That is not what you want! This is also analogous to someone taking a government document, put it in an envelope themselves and write the government address in the return address and send it to you. You know the letter is written by the government, but you don't know for sure whether the government sent it to you directly or was opened and relayed. While encrypting then signing has a problem, this is affectively signing on the envelope of a snail mail piece. I know you sent it, but is the message really from you? Or are you forwarding it? Sign - Encrypt - Sign Again method will make the first sign show that you know the writer of the message is the person, encrypt it to keep others from reading it, sign again to indicate the message was not relayed and that the sender intended to sent the mail to address you. Just make sure the headers of the mail is applied in the last step and not the second or third step. For more information about the security and integrity risks of this situation, please read this web page: http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html dmitri at (05-Apr-2006 gmx dot ) net04:01 Working example: $data = <<< EOF Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit You have my authorization to spend 10,000 on dinner expenses. The CEO EOF; $fp = fopen("msg.txt", "w"); fwrite($fp, $data); fclose($fp); Page 6/9

$headers = array("from" => "me@email.com"); openssl_pkcs7_sign("msg.txt", "signed.txt", "file://email.pem", array("file://email.pem", "123456"), $headers); $data = file_get_contents("signed.txt"); $parts = explode("\n\n", $data, 2); mail("you@email.com", "Signed message.", $parts[1], $parts[0]); echo "Email sent"; maarten at (11-Feb-2005 xolphin ) dot 06:24 nl It is also possible to sign message including attachments. An easy way to do this: $boundary = md5(uniqid(time())); $boddy = "MIME-Version: 1.0\n"; $boddy.= "Content-Type: multipart/mixed; boundary=\"". $boundary. "\"\n"; $boddy.= "Content-Transfer-Encoding: quoted-printable\n\n"; $boddy.= "This is a multi-part message in MIME format.\n\n"; $boddy.= "--$boundary\n"; $boddy.= "Content-Type: text/plain; charset=\"iso-8859-1\"\n"; $boddy.= "Content-Transfer-Encoding: quoted-printable\n\n"; $boddy.= $EmailText. "\n\n"; // Add the attachment to the message do { $boddy.= "--$boundary\n"; $boddy.= "Content-Type: application/pdf; name=\"filename\"\n"; $boddy.= "Content-Transfer-Encoding: base64\n"; $boddy.= "Content-Disposition: attachment;\n\n"; $boddy.= chunk_split(base64_encode($file)). "\n\n"; } while ( {files left to be attached} ); $boddy.= "--$boundary--\n"; // Save message to a file $msg = 'msg.txt'; $signed = 'signed.txt'; $fp = fopen($msg, "w"); fwrite($fp, $boddy); fclose($fp); // Sign it if (openssl_pkcs7_sign($msg, $signed, 'file://cert.pem', array('file://key.pem', 'test'), array("to" => "joes@example.com", // keyed syntax "From: HQ <ceo@example.com>", // indexed syntax "Subject" => "Eyes only"), PKCS7_DETACHED, 'intermediate_cert.pem' )) { Page 7/9

exec(ini_get('sendmail_path'). ' < '. $signed); } The same can be established by using the PEAR package Mail_Mime in combination with openssl_pkcs7_sign. Maciej_Niemir at (17-Oct-2003 ilim dot ) poznan 10:46dot pl This command doesn't work correctly on WIN32 with IIS. Mails arent interpreted correctly by IIS SMTP Server (and by Outlook too). The reason is that UNIX and WINDOWS interpret the enter to the next line ascii code in a different way. Below I present an improved code: $data = <<<EOD Testing 123 This is a test Test EOD; //save the message to a file $fp = fopen("msg.txt","w"); fwrite($fp,$data); fclose($fp); //sign the message using the sender's keys openssl_pkcs7_sign("msg.txt", "signed.eml", "file://c:/max/cert.pem", array("file://c:/max/priv.pem","your_password"), array("to" => "recipient <recipients@mail.com>", "From" => "sender <sender@mail.com>", "Subject" => "Order Notification - Test"),PKCS7_DETACHED,"c:\max\extra_cert.pem"); $file_arry = file("signed.eml"); $file = join ("", $file_arry); $message = preg_replace("/\r\n \r \n/", "\r\n", $file); $fp = fopen("c:\inetpub\mailroot\pickup\signed.eml", "wb"); flock($fp, 2); fputs($fp, $message); flock($fp, 3); fclose($fp); Besides, if you want to use the keys created with Windows, you should export them Page 8/9

Powered by TCPDF (www.tcpdf.org) (from IE) to the form of PKCS#12 file (*.pfx). Install OpenSSLWin32 from http://www.shininglightpro.com/search.php?searchname=win32+openssl execute: openssl.exe enter the commands: pkcs12 -in <pfx-file> -nokeys -out <pem-certs-file> pkcs12 -in <pfx-file> -nocerts -nodes -out <pem-key-file> Next export from IE Root CA certificate as Base-64 *.cer and rename the file to *.pem And that's all! php at toyingwithfate (24-Sep-2003 ) dot 05:55 com It's probably worth noting that I had a great deal of difficulty getting either Mozilla 1.4 or Outlook Express 6 to verify signatures generated by openssl_pkcs7_sign() until I added a newline (\n) to the beginning of the message I was signing. Not sure why that is, but as soon as I made that change all problems disappeared. del at babel (03-May-2002 dot com ) dot 06:09 au The "mycert.pem" parameters as shown in the example above are not correct. You either have to pass a string containing the PEM encoded certificate or key, or the location of a file in file://path/to/file.pem notation. See the comments on the OpenSSL functions page (the page above this one). meint dot post (05-Sep-2001 at bigfoot ) 07:35 dot com If you want to integrate PKCS7 signing/verifying with a browser and it's not a problem that it's only Internet Explorer (or Netscape + ActiveX plugin) you can look at Capicom. It's a free component and available at the MSDN website. http://doc.helplib.com Page 9/9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information