Skip to end of metadata
Go to start of metadata

<ac:macro ac:name="unmigrated-inline-wiki-markup"><ac:plain-text-body><![CDATA[

<ac:macro ac:name="unmigrated-inline-wiki-markup"><ac:plain-text-body><![CDATA[

Zend Framework: Zend_Crypt_Rsa Component Proposal

Proposed Component Name Zend_Crypt_Rsa
Developer Notes http://framework.zend.com/wiki/display/ZFDEV/Zend_Crypt_Rsa
Proposers Pádraic Brady
Matthew Weier O'Phinney, Zend Liaison
Revision 1.0 - 12 June 2008: Ready for review (wiki revision: 6)

Table of Contents

1. Overview

Zend_Crypt_Rsa is an implementation of the RSA algorithm for public-key cryptography. This proposal assumes a dependency on PHP's OpenSSL extension, though a later adapter would allow operation even in the absence of OpenSSL, or outside the limitations that OpenSSL imposes. The purpose of the proposal is to write an OO wrapper around the existing ext/openssl functionality where keys are represented as discrete objects rather than resources and strings. Both public and private keys utilise a common interface supporting common encryption, decryption, data signing and key generation and can be directly echoed as PEM strings for remote storage. The main input source at present is also PEM for both private and public keys, or X.509 certificates for public keys.

2. References

3. Component Requirements, Constraints, and Acceptance Criteria

  • This component will utilise ext/openssl is available
  • This component will support dual path encryption/decryption
  • This component will support generating signed data signatures
  • This component will generate key pairs for any bit-length > 384 bits
  • This component will import PEM formatted keys and certificates
  • This component *will not currently" import DER or PKCS#12 formats
  • This component will not currently generate keys with less than 384 bits
  • This component will not currently operate in the absence of ext/openssl

4. Dependencies on Other Framework Components

  • Zend_Exception
  • ext/openssl

5. Theory of Operation

The component operates in a simple manner. The Zend_Crypt_Rsa object is instantiated usually by passing the PEM representation string of a private key, from which both the private key itself, and the respective public key, are in turn instantiated as separate objects of type Zend_Crypt_Key. Alternatively passing in a PEM formatted X.509 certificate will instantiate the object only with a public key available. Key objects share a common interface, and can be echoed directly back into the PEM format.

Once instantiated the object is capable of performing a wide range of common RSA operations including signing data, key generation, encryption and decryption. Both encryption and decryption operations require users to explicitly pass the key to use for both processes, to facilitate either public key, or private key, based encryption, for instance where the original object was instantiated from a X.509 certificate and a private key will be passed in later.

6. Milestones / Tasks

  • Milestone 1: [DONE] Assemble use cases and design comments based on draft source code
  • Milestone 2: [DONE] Assemble a unit test suite
  • Milestone 3: [UNDERWAY/PENDING COMMENT] Complete initial development
  • Milestone 4: Verify unit test coverage
  • Milestone 5: Write documentation

7. Class Index

  • Zend_Crypt_Rsa
  • Zend_Crypt_Rsa_Exception
  • Zend_Crypt_Rsa_Key
  • Zend_Crypt_Rsa_Key_Private
  • Zend_Crypt_Rsa_Key_Public

This is a preliminary class listing. Pending public and Zend review, the list may expand as necessary.

8. Use Cases

UC-01

Simple key generation.

UC-02

Data signing for secure message exchanges.

UC-03

Verifying received data using the signature also sent with message.

UC-04

Public key encryption for public messaging of secure data.

UC-05

Decrypting UC-04 result.

UC-06

All keys can be queried for their PEM string forms, their respective OpenSSL Key resources, and bit length.

UC-07

Public keys can be retrieved from X.509 certs

UC-08

Keys pairs can be generated to, or accessed from, PEM formats which are encrypted with a passphrase.

9. Class Skeletons

Source code and Unit Tests for this component are available from subversion (supports online viewing): http://svn.astrumfutura.com/zendframework/trunk

]]></ac:plain-text-body></ac:macro>

]]></ac:plain-text-body></ac:macro>

Labels:
encryption encryption Delete
proposal proposal Delete
api api Delete
openssl openssl Delete
zend_crypt zend_crypt Delete
proposals proposals Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.

6 Comments

comments.show.hide

  1. Jun 12, 2008

    Kevin McArthur

    <p>I think this is a really great idea. My only concern is how it will tie into a more generic framework. Like the ability to support CA operations (CSRs, Signing, etc). Maybe a Zend_Certificate component would be complimentary for working with this data – taking rsa keys and moving them between der, pem and pkcs formats.</p>

  2. Jun 13, 2008

    Pádraic Brady

    <p>For the moment, the scope of the component is limited to RSA ops where a X.509 cert or PEM formatted private key exists. Not to say what you suggest won't happen or isn't possible, but the component is presently targeting a slightly out of sight goal of supporting RSA-SHA1 message signing so the Google Data guys can use the upcoming OAuth proposed component.</p>

    <p>What is more likely to happen in the short term is that I'll finish refactoring DiffieHellman (another possible openssl user with PHP 5.3), look at DSA, and end up refactoring source code to higher classes. Maybe a Zend_Crypt_Certificate? I know the Crypt namespace isn't absolutely perfect but it's the current catchall for cryptographic components.</p>

    <p>P.S. For readers, I added X.509 certificate import support for your public keys. The Key classes and other source has also been tidied up for separate use of a private key. I'll update any outdated UCs a bit later. Over the weekend I'll integrate the code which makes openssl availability optional for RSA.</p>

  3. Jun 13, 2008

    Pádraic Brady

    <p>If anyone (ever) tests this - at 12 June, it passes all unit tests on PHP 5.2.4. It has failures on both 5.2.0 and also the current 5.3 snapshot (5.3 is a previous review target for Zend_Crypt_DiffieHellman). Working on isolating the openssl changes so I can wrap around the varying versions they took place in. I'm beginning to not like this extension <ac:emoticon ac:name="wink" />.</p>

  4. Jul 01, 2008

    Matthew Weier O'Phinney

    <ac:macro ac:name="note"><ac:parameter ac:name="title">Zend Comment</ac:parameter><ac:rich-text-body>
    <p>This proposal is accepted as-is for development in the standard/incubator.</p></ac:rich-text-body></ac:macro>

  5. Mar 18, 2009

    Wil Sinclair

    <p>What is the status of this proposal?</p>

  6. Feb 22, 2011

    Benoît Durand

    <p>Zend_Crypt_Rsa is released into the stable branch. Maybe we can archive this proposal <ac:emoticon ac:name="smile" /></p>