PHPFixing
Showing posts with label passphrase. Show all posts

Thursday, January 13, 2022

[FIXED] How can I force GPG to accept input from STDIN instead of trying to open a file?

 January 13, 2022     bash, gnupg, lamp, passphrase, php     No comments   

Issue

I am trying to incorporate GPG clear-signing of text in a string in a PHP script. I can cause GPG to encrypt text in a string like this:

$encrypted = shell_exec("echo '$text' | gpg -e -a -r foo@bar.com --trust-model always");

and that works perfectly, with the encrypted text being sent to the $encrypted variable. This proves GNUPGHOME and GNUPG are set up correctly.

However, when I try to produce a clear-signed message in the same way with this:

$text = "googar";

$signature = exec("echo $passphrase | gpg -v --clearsign --no-tty --passphrase-fd 0 '$text' 2>&1 1> /dev/null", $output);

I am returned this error:

... string(51) "gpg: can't open `googar': No such file or directory"
[3]=>
string(46) "gpg: googar: clearsign failed: file open error"
}

This error is returned with or without the single quotes around the $text variable.

How can I force GPG or shell_exec to treat $text as a pipe instead of it looking for a file?

I need to echo the passphrase in this way (I know, it's 'horribly insecure') because GPG has no way to pass in a passphrase as a variable on the command line.


Solution

You could use proc_open and create a separate file descriptor for your password:

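$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin: the text to sign
    1 => array("pipe", "w"),  // stdout: the clear-signed message
    2 => array("pipe", "w"),  // stderr: gpg diagnostics
    3 => array("pipe", "r"),  // extra descriptor read by --passphrase-fd 3
);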

$pipes = false;
$process = proc_open("gpg -v --clearsign --no-tty --passphrase-fd 3", $descriptorspec, $pipes);

if(is_resource($process)) {
    fwrite($pipes[3], $passphrase);
    fclose($pipes[3]);

    fwrite($pipes[0], $text);
    fclose($pipes[0]);

    $output = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);

    fclose($pipes[1]);
    fclose($pipes[2]);

    $retval = proc_close($process);

    echo "retval = $retval\n";
    echo "output= $output\n";
    echo "err= $stderr\n";
}


Answered By - vstm
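
The same approach wrapped in a function, as an added example that is not the answer author's code. It assumes PHP 7.4 or later (array form of proc_open, which starts gpg without a shell) and GnuPG 2.1 or later (where --passphrase-fd needs --batch and --pinentry-mode loopback); the function name, the $keyId parameter and the GPG_PASSPHRASE variable are hypothetical.

```php
<?php
// Added example, not the answer author's code.
// Assumes PHP 7.4+ (array command) and GnuPG 2.1+ (--pinentry-mode loopback).

/**
 * Clear-sign $text: message on stdin (fd 0), passphrase on its own
 * descriptor (fd 3). Returns the armored text or throws on failure.
 */
function gpg_clearsign(string $text, string $passphrase, ?string $keyId = null): string
{
    // Array form starts gpg directly; no shell parses any of these values.
    $cmd = ['gpg', '--batch', '--no-tty', '--pinentry-mode', 'loopback',
            '--passphrase-fd', '3'];
    if ($keyId !== null) {
        $cmd[] = '--local-user';
        $cmd[] = $keyId;
    }
    $cmd[] = '--clearsign';   // the command goes after the options

    $spec = [
        0 => ['pipe', 'r'],   // message in
        1 => ['pipe', 'w'],   // signed text out
        2 => ['pipe', 'w'],   // diagnostics
        3 => ['pipe', 'r'],   // passphrase in
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    fwrite($pipes[3], $passphrase);
    fclose($pipes[3]);
    // Fine for short messages; stdin is written in full before stdout is read.
    fwrite($pipes[0], $text);
    fclose($pipes[0]);

    $signed = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $exit = proc_close($proc);

    if ($exit !== 0 || strpos($signed, '-----BEGIN PGP SIGNED MESSAGE-----') !== 0) {
        throw new RuntimeException("gpg failed (exit $exit): " . trim($stderr));
    }
    return $signed;
}

// GPG_PASSPHRASE is a hypothetical environment variable name.
echo gpg_clearsign("googar\n", (string) getenv('GPG_PASSPHRASE'));
```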

[FIXED] PHP CURL request for a P12 (PFX) certificate with an export password (Passphrase)

 January 13, 2022     p12, passphrase, pem, php, ssl     No comments   

Issue

Based on the PEM certificate and a key file, I'm creating two P12 (PFX) files, with and without a passphrase.

  • demo_cert.pem

  • demo_key.pem

  • demo_pfx_withoutPassphrase.p12

  • demo_pfx_withPassphrase.p12

    openssl pkcs12 -export -clcerts -in demo_cert.pem -inkey demo_key.pem -out demo_pfx_withoutPassphrase.p12
    
    Enter Export Password:  (empty)
    Verifying - Enter Export Password:  (empty)
    
    
    openssl pkcs12 -export -clcerts -in demo_cert.pem -inkey demo_key.pem -out demo_pfx_withPassphrase.p12 
    
    Enter Export Password:  12345
    Verifying - Enter Export Password: 12345
    

This file is used to communicate with the server.

<?php
try{
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    // The next two options switch off verification of the server's certificate and host name.
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($curl, CURLOPT_HEADER, 0);
    curl_setopt($curl, CURLOPT_HTTPHEADER, array("Content-Type:  application/json,application/octet-stream"));
    curl_setopt($curl, CURLOPT_SSLCERTTYPE, "P12");
    // getcwd() returns the directory without a trailing slash, so add the separator.
    curl_setopt($curl, CURLOPT_SSLCERT, getcwd() . '/demo_pfx_withPassphrase.p12');
    curl_setopt($curl, CURLOPT_SSLCERTPASSWD, '12345');
    //curl_setopt($curl, CURLOPT_SSLKEYPASSWD, '12345');

    $resp = curl_exec($curl);

    if (curl_errno($curl)) {
        $error_msg = curl_error($curl);
        echo 'Curl error: ' . curl_error($curl);
        echo "<br>";
    }
    else{
        // curl_getinfo() returns an array, so render it with print_r().
        echo 'Curl info:  ' . print_r(curl_getinfo($curl), true);
        echo "<br>";
    }

}
catch(Exception $e){
    echo $e;
}

?>

I'm able to successfully establish communication with the server using demo_pfx_withoutPassphrase.p12 (without a passphrase).

However, the same is not possible with the file containing a passphrase, demo_pfx_withPassphrase.p12, despite providing the password in the SSLCERTPASSWD option.

The following error is what I get.

-------------------- Error response from the REMOTE SSL SERVER --------------------
58
int(58)
Curl error: could not open PKCS12 file 'demo_pfx_withPassphrase.p12'

How can I establish connection to server using a P12 file containing a passphrase?

Any advice and suggestions will be thoroughly appreciated.


Solution

Finally figured out the solution for the P12 (PFX) certificate not being able to establish communication with the server using demo_pfx_withPassphrase.p12 (with passphrase).

The certificate file didn't have the read permission.

Provide read permission to the certificate file:

chmod +r demo_pfx_withPassphrase.p12

This should do it.

Finally, with regard to providing the passphrase for the associated P12 file, provide either SSLKEYPASSWD or SSLCERTPASSWD. Either one of these will work fine.

// --- Authorized Certificate with passphrase

curl_setopt($curl, CURLOPT_SSLCERT, getcwd() . '/demo_pfx_withPassphrase.p12');
curl_setopt($curl, CURLOPT_SSLKEYPASSWD, '12345');   // either sslkeypsswd 
curl_setopt($curl, CURLOPT_SSLCERTPASSWD, '12345'); // or sslcertpasswd


Answered By - Nishi Bangar
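
A pre-flight check that separates the causes behind the client-certificate error shown above (missing file, unreadable file, passphrase that does not open the container), as an added example that is not the answer author's code. The file name and passphrase are the page's demo values; the function name check_p12 and the URL are placeholders, and the ext-openssl extension is assumed to be loaded.

```php
<?php
// Added example, not the answer author's code. The file name and passphrase
// are the page's demo values; the URL is a placeholder.

/**
 * Find out why a PKCS#12 client certificate is unusable before cURL reports
 * a generic client-certificate error. Returns [errors, warnings].
 */
function check_p12(string $path, string $passphrase): array
{
    $warnings = [];
    if (!is_file($path)) {
        return [["not found: $path"], $warnings];
    }
    if (!is_readable($path)) {
        return [["not readable by the PHP process user: $path"], $warnings];
    }
    $mode = fileperms($path) & 0777;
    if ($mode & 0004) {
        // chmod +r can also grant read to "other"; key material rarely needs that.
        $warnings[] = sprintf('world-readable (mode %04o)', $mode);
    }
    $parsed = [];
    if (!openssl_pkcs12_read(file_get_contents($path), $parsed, $passphrase)) {
        return [['cannot be parsed with this passphrase'], $warnings];
    }
    if (empty($parsed['pkey'])) {
        return [['parsed, but holds no private key'], $warnings];
    }
    return [[], $warnings];
}

$p12 = __DIR__ . DIRECTORY_SEPARATOR . 'demo_pfx_withPassphrase.p12';
[$errors, $warnings] = check_p12($p12, '12345');
foreach ($warnings as $w) { error_log("P12 warning: $w"); }
if ($errors) {
    exit('P12 error: ' . $errors[0] . PHP_EOL);
}

$curl = curl_init('https://server.example/');
curl_setopt_array($curl, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSLCERTTYPE    => 'P12',
    CURLOPT_SSLCERT        => $p12,
    CURLOPT_SSLCERTPASSWD  => '12345',
    // CURLOPT_SSL_VERIFYPEER / VERIFYHOST stay at their secure defaults.
]);
$resp = curl_exec($curl);
echo $resp === false ? 'Curl error: ' . curl_error($curl) : $resp;
```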