
<ac:macro ac:name="unmigrated-inline-wiki-markup"><ac:plain-text-body><![CDATA[{zone-template-instance:ZFDEV:Zend Proposal Zone Template}

{zone-data:component-name}
Zend_Crypt_Rsa
{zone-data}

{zone-data:proposer-list}
[Pádraic Brady|mailto:padraic.brady@yahoo.com]
[~matthew], Zend Liaison
{zone-data}

{zone-data:revision}
1.0 - 12 June 2008: Ready for review
{zone-data}

{zone-data:overview}
Zend_Crypt_Rsa is an implementation of the RSA algorithm for public-key cryptography. This proposal assumes a dependency on PHP's OpenSSL extension, though a later adapter would allow operation even in the absence of OpenSSL, or outside the limitations that OpenSSL imposes. The purpose of the proposal is to write an OO wrapper around the existing ext/openssl functionality where keys are represented as discrete objects rather than resources and strings. Both public and private keys utilise a common interface supporting common encryption, decryption, data signing and key generation and can be directly echoed as PEM strings for remote storage. The main input source at present is also PEM for both private and public keys, or X.509 certificates for public keys.
{zone-data}

{zone-data:references}
* [Ongoing implementation in Subversion with Unit Tests|http://svn.astrumfutura.org/zendframework/trunk/library/Proposed]
{zone-data}

{zone-data:requirements}
* This component *will* utilise ext/openssl if available
* This component *will* support dual path encryption/decryption
* This component *will* support generating signed data signatures
* This component *will* generate key pairs for any bit-length > 384 bits
* This component *will* import PEM formatted keys and certificates
* This component *will not currently* import DER or PKCS#12 formats
* This component *will not currently* generate keys with less than 384 bits
* This component *will not currently* operate in the absence of ext/openssl
{zone-data}

{zone-data:dependencies}
* Zend_Exception
* ext/openssl
{zone-data}

{zone-data:operation}
The component operates in a simple manner. The Zend_Crypt_Rsa object is usually instantiated by passing the PEM string of a private key, from which both the private key and its corresponding public key are instantiated as separate objects of type Zend_Crypt_Key. Alternatively, passing in a PEM-formatted X.509 certificate instantiates the object with only a public key available. Key objects share a common interface and can be echoed directly back into the PEM format.

Once instantiated, the object can perform a wide range of common RSA operations, including signing data, key generation, encryption and decryption. Both encryption and decryption require the caller to pass the key explicitly, so that either the public key or the private key can be used; for instance, where the original object was instantiated from an X.509 certificate and a private key is passed in later.
{zone-data}

{zone-data:milestones}
* Milestone 1: [DONE] Assemble use cases and design comments based on draft source code
* Milestone 2: [DONE] Assemble a unit test suite
* Milestone 3: [UNDERWAY/PENDING COMMENT] Complete initial development
* Milestone 4: Verify unit test coverage
* Milestone 5: Write documentation
{zone-data}

{zone-data:class-list}
* Zend_Crypt_Rsa
* Zend_Crypt_Rsa_Exception
* Zend_Crypt_Rsa_Key
* Zend_Crypt_Rsa_Key_Private
* Zend_Crypt_Rsa_Key_Public

This is a preliminary class listing. Pending public and Zend review, the list may expand as necessary.
{zone-data}

{zone-data:use-cases}
||UC-01||

Simple key generation.

{code}
<?php

$rsa = new Zend_Crypt_Rsa;
// 512-bit RSA keys are factorable; use 2048 bits or more for real keys
$keys = $rsa->generateKeys(array('private_key_bits'=>512));
echo $keys->privateKey; // PEM string
echo $keys->publicKey; // PEM string
{code}

||UC-02||

Data signing for secure message exchanges.

{code}
<?php

$dataToSign = '1234567890';
$rsa = new Zend_Crypt_Rsa('/path/to/privatekey.pem');
$binarySignature = $rsa->sign($dataToSign);
$base64Signature = $rsa->sign($dataToSign, Zend_Crypt_Rsa::BASE64);
{code}

||UC-03||

Verifying received data using the signature also sent with message.

{code}
<?php

$dataReceived = '1234567890';
$signatureReceived = 'XXXXXXXXXXXXXXXXXXXXXXX'; //assume some binary signature
$rsa = new Zend_Crypt_Rsa('/path/to/privatekey.pem');
$result = $rsa->verifySignature($dataReceived, $signatureReceived);
var_dump($result); // TRUE or FALSE
{code}

||UC-04||

Public key encryption for public messaging of secure data.

{code}
<?php

$rsa = new Zend_Crypt_Rsa('/path/to/privatekey.pem');
$dataToEncrypt = '1234567890';
$encrypted = $rsa->encrypt($dataToEncrypt, $rsa->getPublicKey());
{code}

||UC-05||

Decrypting UC-04 result.

{code}
<?php

$encrypted = 'XXXXXXXXXXXXXXXXXXXXXX'; // assume encrypted data
$rsa = new Zend_Crypt_Rsa('/path/to/privatekey.pem');
$decrypted = $rsa->decrypt($encrypted, $rsa->getPrivateKey());
{code}

||UC-06||

All keys can be queried for their PEM string forms, their respective OpenSSL Key resources, and bit length.

{code}
<?php

$rsa = new Zend_Crypt_Rsa('/path/to/privatekey.pem');
echo $rsa->getPublicKey(); // PEM string
echo count($rsa->getPrivateKey()); // bit count; the class implements Countable
echo get_resource_type($rsa->getPublicKey()->getOpensslKeyResource()); // Openssl key resource
{code}

||UC-07||

Public keys can be retrieved from X.509 certificates.

{code}
<?php
$rsa = new Zend_Crypt_Rsa(array('certificatePath'=>'path/to/x509.crt'));
$dataToEncrypt = '1234567890';
$encrypted = $rsa->encrypt($dataToEncrypt, $rsa->getPublicKey());
$rsa2 = new Zend_Crypt_Rsa('/path/to/privkey.pem');
$decrypted = $rsa->decrypt($encrypted, $rsa2->getPrivateKey());
{code}


||UC-08||

Key pairs can be generated to, or accessed from, PEM formats which are encrypted with a passphrase.

{code}
<?php
$rsa = new Zend_Crypt_Rsa(array('certificatePath'=>'path/to/x509.crt'));
$dataToEncrypt = '1234567890';
$encrypted = $rsa->encrypt($dataToEncrypt, $rsa->getPublicKey());
$rsa2 = new Zend_Crypt_Rsa('/path/to/privkey.pem');
$decrypted = $rsa->decrypt($encrypted, $rsa2->getPrivateKey());
{code}
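
For reference, the plain ext/openssl calls that cover the same ground as the use cases above: key generation, a passphrase-protected PEM, signing and verification, and public-key encryption with private-key decryption. This is an added example, not code from the proposal or its Subversion repository. The passphrase, message, 2048-bit key size, SHA-256 digest and OAEP padding are assumptions chosen for the illustration.

```php
<?php
// Added illustration: direct ext/openssl calls, not Zend_Crypt_Rsa code.
// Passphrase and message are constructed sample values.
$passphrase = 'example-passphrase';
$message    = '1234567890';

// Generate an RSA key pair (compare UC-01).
$pair = openssl_pkey_new(array(
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
));
if ($pair === false) {
    throw new RuntimeException('Key generation failed: ' . openssl_error_string());
}

// Export the private key as passphrase-encrypted PEM (compare UC-08).
if (!openssl_pkey_export($pair, $privatePem, $passphrase)) {
    throw new RuntimeException('Private key export failed');
}
// The key details carry the public key PEM and the bit length (compare UC-06).
$details   = openssl_pkey_get_details($pair);
$publicPem = $details['key'];

// Reload both keys from PEM; the private key needs its passphrase again.
$privateKey = openssl_pkey_get_private($privatePem, $passphrase);
$publicKey  = openssl_pkey_get_public($publicPem);
if ($privateKey === false || $publicKey === false) {
    throw new RuntimeException('Could not load key from PEM');
}

// Sign with the private key, verify with the public key (compare UC-02, UC-03).
if (!openssl_sign($message, $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
    throw new RuntimeException('Signing failed');
}
// openssl_verify() returns 1 (valid), 0 (invalid) or -1/false (error),
// so compare strictly against 1 rather than testing for truthiness.
$valid    = openssl_verify($message, $signature, $publicKey, OPENSSL_ALGO_SHA256) === 1;
$tampered = openssl_verify($message . 'x', $signature, $publicKey, OPENSSL_ALGO_SHA256) === 1;

// Encrypt with the public key, decrypt with the private key (compare UC-04, UC-05).
if (!openssl_public_encrypt($message, $ciphertext, $publicKey, OPENSSL_PKCS1_OAEP_PADDING)) {
    throw new RuntimeException('Encryption failed');
}
if (!openssl_private_decrypt($ciphertext, $plaintext, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)) {
    throw new RuntimeException('Decryption failed');
}

var_dump($details['bits'], $valid, $tampered, $plaintext === $message);
```

The padding mode must match on both sides of the encrypt/decrypt pair, and the same digest algorithm must be passed to both openssl_sign() and openssl_verify().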

{zone-data}

{zone-data:skeletons}
Source code and Unit Tests for this component are available from subversion (supports online viewing):
http://svn.astrumfutura.com/zendframework/trunk
{zone-data}

{zone-template-instance}]]></ac:plain-text-body></ac:macro>