openssl_cms_encrypt

(PHP 8)

openssl_cms_encrypt — Encrypt a CMS message

Description

openssl_cms_encrypt(
string $input_filename,
string $output_filename,
OpenSSLCertificate |array |string $certificate,
? array $headers,
int $flags = 0,
int $encoding = OPENSSL_ENCODING_SMIME ,
int $cipher_algo = OPENSSL_CIPHER_AES_128_CBC
): bool

This function encrypts content to one or more recipients, based on the certificates that are passed to it.

Parameters

input_filename: The file to be encrypted.
output_filename: The output file.
certificate: Recipients to encrypt to.
headers: Headers to include when S/MIME is used.
flags: Flags to be passed to CMS_sign.
encoding: An encoding to output. One of OPENSSL_ENCODING_SMIME , OPENSSL_ENCODING_DER or OPENSSL_ENCODING_PEM .
cipher_algo: A cypher to use.

Return Values

Returns true on success or false on failure.

Changelog

Version	Description
8.1.0	The default cipher algorithm (`cipher_algo`) is now AES-128-CBC (`OPENSSL_CIPHER_AES_128_CBC` ). Previously, PKCS7/CMS was used (`OPENSSL_CIPHER_RC2_40` ).

Found A Problem?

Learn How To Improve This Page • Submit a Pull Request • Report a Bug

+add a note

User Contributed Notes 1 note

down

Sebastian ¶

4 years ago

It took me a while to find out the correct way how to sign and encrypt data with these functions.
I needed that to communicate with German Health Insurance Providers as part of a DiGA. Maybe someone finds that useful.

<?php
function signAndEncrypt(string $rawData): string
{
 $tempDir = __DIR__ . '/tmp';
 $tempfileOriginal = tempnam($tempDir, 'original');
 $tempfileSigned = tempnam($tempDir, 'signed');
 $tempfileEncrypted = tempnam($tempDir, 'signedEncrypted');

 file_put_contents($tempfileOriginal, $rawData);

 // pick the correct certificate for the recipient
 $recipientsCertificateFile = __DIR__ . '/recipientsCertificate.pem';
 // -----BEGIN CERTIFICATE----- ...-----END CERTIFICATE-----
 $recipientsCertificate = file_get_contents($recipientsCertificateFile);

 // Certificate:
 // Data:
 // Version: 3 (0x2)...
 $myCertificate = file_get_contents(__DIR__ . '/my.crt');
 $myPrivateKey = openssl_pkey_get_private(
 // -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----
 file_get_contents(__DIR__ . '/my.prv.key.pem')
 );

 openssl_cms_sign(
 input_filename: $tempfileOriginal,
 output_filename: $tempfileSigned,
 certificate: $myCertificate,
 private_key: $myPrivateKey,
 headers: [],
 encoding: OPENSSL_ENCODING_DER,
 );

 openssl_cms_encrypt(
 input_filename: $tempfileSigned,
 output_filename: $tempfileEncrypted,
 certificate: $recipientsCertificate,
 headers: [],
 flags: OPENSSL_CMS_BINARY | OPENSSL_CMS_NOSIGS | OPENSSL_CMS_NOVERIFY,
 encoding: OPENSSL_ENCODING_DER,
 cipher_algo: OPENSSL_CIPHER_AES_256_CBC
 );
 return file_get_contents($tempfileEncrypted);
}

+add a note