I need to PGP encrypt and ASCII armor a small string/token within a MediaWiki environment using a public key provided to me by a third party. This gives me:
I am planning to use GnuPG lib after reading this: http://devzone.zend.com/1278/using-gnupg-with-php/
What user should have PGP public key stored in their .gnupg folder?
UPDATE 1
So far I am testing with the public key hard-coded in (for now, just to test it out):
<?php
// GnuPG stuff
putenv("GNUPGHOME=/tmp");
$pubkey = "-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.6 (GNU/Linux)
...key...
-----END PGP PUBLIC KEY BLOCK-----";
$token = "some text";
$enc = ''; // stays empty if encryption throws below
$gpg = new gnupg();
$gpg->seterrormode(gnupg::ERROR_EXCEPTION); // throw instead of returning false
try {
    $info = $gpg->import($pubkey);
    // var_dump($info); // to see fingerprint
    $info = $gpg->addencryptkey("...fingerprint...");
    $enc = $gpg->encrypt($token);
} catch (Exception $e) {
    echo 'ERROR: ' . $e->getMessage();
}
$token = urlencode($enc);
echo $token, "\n";
It seems to encrypt; now I just need to figure out if I need to/can strip
Encrypted Data: -----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.5 (GNU/Linux)
as I am encrypting a token for a URL.
ASCII-armored output can be enabled using PHP's gnupg functions. Have a look at setarmor.
Add this line, probably best directly after creating your $gpg object:
$gpg->setarmor(1);
But the documentation says ASCII armoring would be the default; what output do you get, and which do you want? Sending ASCII-armored output is convenient when mailing; otherwise you usually choose the smaller binary format directly. I have never seen ASCII-armored OpenPGP with the "headers" stripped.
To your smaller questions:
better to stay away from exec_shell() ... true?
If it is disabled anyway, there is no decision to make. As long as PHP's gnupg functions have all the functionality you need, prefer them; they save you the hassle of interfacing with gpg (there is no direct API, only the command line tools). The chance of introducing exploits is smaller, too.
What user should have PGP public key stored in their .gnupg folder?
Choose an arbitrary folder that is readable (possibly not writable?) by the webserver but not reachable over HTTP (so nobody will be able to fetch your keys). It seems you have already worked out how to set up this path.
it seems to encrypt, now I just need to figure out if I need/can strip
[snip]
I'd use some regex for this.
// run on the armored string before urlencode(); $matches[1] holds the base64
// body lines (including the "=xxxx" checksum line); "+" and "/" are part of
// the base64 alphabet and must be in the class, or the capture stops early
preg_match('/[\n\r]([=+\/\n\r[:alnum:]]+)[\n\r]/', $token, $matches);
should do; maybe it's more elegant to strip all lines that are either empty or contain a slash or colon.
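As an added example (not code from the question or from the answer above), here is the stripping step done in plain PHP in a way that checks what it strips: the armor framing is verified before removal, the CRC-24 trailer that OpenPGP armor carries (RFC 4880 section 6.1) is checked so transport corruption is noticed, and the receiving side rebuilds a valid armored block before handing it to gpg, which expects the BEGIN/END lines. The demo payload is a constructed byte string, not a real OpenPGP packet; in the real flow the `$enc` returned by `$gpg->encrypt()` (with `setarmor(1)` on) is what goes into `tokenFromArmor()`. All function names are this example's own.

```php
<?php
// Added example, not code from the question or the answer above. Strips the
// ASCII armor for URL transport after checking it, verifies the CRC-24, and
// re-armors on the receiving side. The demo payload is constructed and is not
// a real OpenPGP packet.

// CRC-24 from RFC 4880 section 6.1 (init 0xB704CE, polynomial 0x1864CFB).
function crc24(string $bytes): int
{
    $crc = 0xB704CE;
    for ($i = 0, $n = strlen($bytes); $i < $n; $i++) {
        $crc ^= ord($bytes[$i]) << 16;
        for ($bit = 0; $bit < 8; $bit++) {
            $crc <<= 1;
            if ($crc & 0x1000000) { $crc ^= 0x1864CFB; }
        }
    }
    return $crc & 0xFFFFFF;
}

// Armor checksum line: "=" plus the three CRC bytes in base64 (four chars).
function crcLine(string $bytes): string
{
    $crc = crc24($bytes);
    return '=' . base64_encode(chr($crc >> 16) . chr(($crc >> 8) & 0xFF) . chr($crc & 0xFF));
}

// Wrap raw OpenPGP message bytes in ASCII armor, as "gpg --armor" does
// (minus the optional "Version:" header line).
function armorMessage(string $bytes): string
{
    return "-----BEGIN PGP MESSAGE-----\n\n"
        . chunk_split(base64_encode($bytes), 64, "\n")
        . crcLine($bytes) . "\n-----END PGP MESSAGE-----\n";
}

// Strip the armor and return the raw bytes. Header lines ("Version: ...") before
// the blank line are skipped; bad framing, non-base64 content or a CRC mismatch
// raises instead of silently yielding a truncated token.
function dearmorMessage(string $armored): string
{
    $lines = preg_split('/\r\n|\r|\n/', trim($armored));
    if (array_shift($lines) !== '-----BEGIN PGP MESSAGE-----'
        || array_pop($lines) !== '-----END PGP MESSAGE-----') {
        throw new InvalidArgumentException('not an armored PGP MESSAGE block');
    }
    $blank = array_search('', $lines, true);
    if ($blank === false) {
        throw new InvalidArgumentException('no blank line after the armor headers');
    }
    $body = array_slice($lines, $blank + 1);
    // The "=xxxx" checksum line is accepted but not required.
    $crc = ($body && strncmp(end($body), '=', 1) === 0) ? array_pop($body) : null;
    $b64 = implode('', $body);
    if (!preg_match('#^[A-Za-z0-9+/]+={0,2}$#', $b64)) {
        throw new InvalidArgumentException('armor body is not base64');
    }
    $bytes = base64_decode($b64, true);
    if ($bytes === false || ($crc !== null && $crc !== crcLine($bytes))) {
        throw new InvalidArgumentException('armor body corrupt (decode or CRC-24 failure)');
    }
    return $bytes;
}

// URL token: base64url (RFC 4648 section 5) needs no percent-encoding, unlike
// urlencode() of the armor's "+", "/" and "=" characters.
function tokenFromArmor(string $armored): string
{
    return rtrim(strtr(base64_encode(dearmorMessage($armored)), '+/', '-_'), '=');
}

// Receiving side: rebuild a valid armored message from the URL token.
function armorFromToken(string $token): string
{
    $b64 = strtr($token, '-_', '+/');
    $bytes = preg_match('/^[A-Za-z0-9_-]+$/', $token)
        ? base64_decode($b64 . str_repeat('=', (4 - strlen($b64) % 4) % 4), true)
        : false;
    if ($bytes === false) {
        throw new InvalidArgumentException('token is not valid base64url');
    }
    return armorMessage($bytes);
}

// Demo: armorMessage() stands in for $gpg->encrypt() with setarmor(1) on.
$payload = 'constructed demo bytes, not a real OpenPGP packet';
$armored = armorMessage($payload);
$token   = tokenFromArmor($armored);
if (armorFromToken($token) !== $armored || dearmorMessage($armored) !== $payload) {
    throw new RuntimeException('round trip failed');
}
echo "token for the URL: $token\n";

// Flip one base64 character in the body: the CRC check rejects it.
$damaged = $armored;
$pos = strlen("-----BEGIN PGP MESSAGE-----\n\n");
$damaged[$pos] = $damaged[$pos] === 'A' ? 'B' : 'A';
try {
    dearmorMessage($damaged);
} catch (InvalidArgumentException $e) {
    echo "rejected damaged armor: {$e->getMessage()}\n";
}
```

Two points worth keeping in mind. The token is base64url rather than `urlencode()` of the armor, so it drops into a query string without `%2B`/`%2F`/`%3D` noise, and whoever receives it must call something like `armorFromToken()` (or decode to binary) before giving it to gpg, because gpg will not recognise a bare base64 body. The CRC-24 only catches accidental corruption in transit; the integrity and confidentiality of the token come from the OpenPGP encryption itself, not from this check.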