◐ Shell
reader mode source ↗

    openssl_cms_encrypt

    (PHP 8)

    openssl_cms_encryptEncrypt a CMS message

    Description

    function openssl_cms_encrypt(
        string $input_filename,
        string $output_filename,
        OpenSSLCertificate|array|string $certificate,
        ?array $headers,
        int $flags = 0,
        int $encoding = OPENSSL_ENCODING_SMIME,
        string|int $cipher_algo = OPENSSL_CIPHER_AES_128_CBC
    ): bool

    This function encrypts content to one or more recipients, based on the certificates that are passed to it.

    Parameters

    input_filename

    The file to be encrypted.

    output_filename

    The output file.

    certificate

    Recipients to encrypt to.

    headers

    Headers to include when S/MIME is used.

    flags

    Flags to be passed to CMS_sign.

    encoding

    An encoding to output. One of OPENSSL_ENCODING_SMIME, OPENSSL_ENCODING_DER or OPENSSL_ENCODING_PEM.

    cipher_algo

    A cipher to use.

    Return Values

    Returns true on success or false on failure.

    Changelog

    Version Description
    8.5.0 cipher_algo is now of type int or string. Previously, it was of type int.
    8.1.0 The default cipher algorithm (cipher_algo) is now AES-128-CBC (OPENSSL_CIPHER_AES_128_CBC). Previously, PKCS7/CMS was used (OPENSSL_CIPHER_RC2_40).

    Found A Problem?

    Learn How To Improve This PageSubmit a Pull RequestReport a Bug
    add a note

    User Contributed Notes 1 note

    up
    10
    Sebastian
    5 years ago
    It took me a while to find out the correct way how to sign and encrypt data with these functions.
I needed that to communicate with German Health Insurance Providers as part of a DiGA. Maybe someone finds that useful.

<?php
function signAndEncrypt(string $rawData): string
{
    $tempDir = __DIR__ . '/tmp';
    $tempfileOriginal = tempnam($tempDir, 'original');
    $tempfileSigned = tempnam($tempDir, 'signed');
    $tempfileEncrypted = tempnam($tempDir, 'signedEncrypted');

    file_put_contents($tempfileOriginal, $rawData);

    // pick the correct certificate for the recipient
    $recipientsCertificateFile = __DIR__ . '/recipientsCertificate.pem';
    // -----BEGIN CERTIFICATE----- ...-----END CERTIFICATE-----
    $recipientsCertificate = file_get_contents($recipientsCertificateFile);

    // Certificate:
    //    Data:
    //        Version: 3 (0x2)...
    $myCertificate = file_get_contents(__DIR__ . '/my.crt');
    $myPrivateKey = openssl_pkey_get_private(
        // -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----
        file_get_contents(__DIR__ . '/my.prv.key.pem')
    );

    openssl_cms_sign(
        input_filename: $tempfileOriginal,
        output_filename: $tempfileSigned,
        certificate: $myCertificate,
        private_key: $myPrivateKey,
        headers: [],
        encoding: OPENSSL_ENCODING_DER,
    );

    openssl_cms_encrypt(
        input_filename: $tempfileSigned,
        output_filename: $tempfileEncrypted,
        certificate: $recipientsCertificate,
        headers: [],
        flags: OPENSSL_CMS_BINARY | OPENSSL_CMS_NOSIGS | OPENSSL_CMS_NOVERIFY,
        encoding: OPENSSL_ENCODING_DER,
        cipher_algo: OPENSSL_CIPHER_AES_256_CBC
    );
    return file_get_contents($tempfileEncrypted);
}
    add a note
    To Top