I want to use these openssl_pkcs7_* functions to verify, sign, encrypt and decrypt mails.
The problem seems to be the choice of PHP's functions (or PHP's OpenSSL offerings). Perhaps you should use something else, like a library that provides what you need.
Here's what is really available from OpenSSL. From PKCS7_encrypt(3):
PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags);
You use a BIO for the in-data, and that can be a memory BIO. There's no reason to write a disk file.
You have similar for PKCS7_decrypt(3):
int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags);
Now, for the keys. The keys can be read (and written) using BIOs too. That means they can use a memory BIO. But I'm not sure how useful that would be since the keys have to be stored somewhere.
For the reference, see pem(3). There are almost too many functions to list:
PEM, PEM_read_bio_PrivateKey, PEM_read_PrivateKey,
PEM_write_bio_PrivateKey, PEM_write_PrivateKey,
PEM_write_bio_PKCS8PrivateKey, PEM_write_PKCS8PrivateKey,
PEM_write_bio_PKCS8PrivateKey_nid, PEM_write_PKCS8PrivateKey_nid,
PEM_read_bio_PUBKEY, PEM_read_PUBKEY, PEM_write_bio_PUBKEY,
PEM_write_PUBKEY, PEM_read_bio_RSAPrivateKey, PEM_read_RSAPrivateKey,
PEM_write_bio_RSAPrivateKey, PEM_write_RSAPrivateKey,
PEM_read_bio_RSAPublicKey, PEM_read_RSAPublicKey,
PEM_write_bio_RSAPublicKey, PEM_write_RSAPublicKey,
PEM_read_bio_RSA_PUBKEY, PEM_read_RSA_PUBKEY,
PEM_write_bio_RSA_PUBKEY, PEM_write_RSA_PUBKEY,
PEM_read_bio_DSAPrivateKey, PEM_read_DSAPrivateKey,
PEM_write_bio_DSAPrivateKey, PEM_write_DSAPrivateKey,
PEM_read_bio_DSA_PUBKEY, PEM_read_DSA_PUBKEY,
PEM_write_bio_DSA_PUBKEY, PEM_write_DSA_PUBKEY,
PEM_read_bio_DSAparams, PEM_read_DSAparams, PEM_write_bio_DSAparams,
PEM_write_DSAparams, PEM_read_bio_DHparams, PEM_read_DHparams,
PEM_write_bio_DHparams, PEM_write_DHparams, PEM_read_bio_X509,
PEM_read_X509, PEM_write_bio_X509, PEM_write_X509,
PEM_read_bio_X509_AUX, PEM_read_X509_AUX, PEM_write_bio_X509_AUX,
PEM_write_X509_AUX, PEM_read_bio_X509_REQ, PEM_read_X509_REQ,
PEM_write_bio_X509_REQ, PEM_write_X509_REQ,
PEM_write_bio_X509_REQ_NEW, PEM_write_X509_REQ_NEW,
PEM_read_bio_X509_CRL, PEM_read_X509_CRL, PEM_write_bio_X509_CRL,
PEM_write_X509_CRL, PEM_read_bio_PKCS7, PEM_read_PKCS7,
PEM_write_bio_PKCS7, PEM_write_PKCS7,
PEM_read_bio_NETSCAPE_CERT_SEQUENCE, PEM_read_NETSCAPE_CERT_SEQUENCE,
PEM_write_bio_NETSCAPE_CERT_SEQUENCE, PEM_write_NETSCAPE_CERT_SEQUENCE
If you find something that offers more of OpenSSL, you might look into the CMS_* functions, too. They are easy to work with.
You can see examples of how to use them in <openssl dir>/demos/cms_enc.c, <openssl dir>/demos/cms_dec.c, <openssl dir>/demos/cms_sign.c and <openssl dir>/demos/cms_verify.c.
Two of the functions of interest are:
CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, unsigned int flags);
and
int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pkey, X509 *cert, BIO *dcont, BIO *out, unsigned int flags);