diff --git a/secret/README.md b/secret/README.md
old mode 100644
new mode 100755
index 6d5a025..8f2b025
--- a/secret/README.md
+++ b/secret/README.md
@@ -1,3 +1,5 @@
 # The Secret Folder
 This MUST NOT be accessible by normal system users or the web server.
+
+Should use 770 permissions and be owned by www-data:www-data.
diff --git a/secret/config.json.example b/secret/config.json.example
old mode 100644
new mode 100755
diff --git a/secret/rsa.php b/secret/rsa.php
old mode 100644
new mode 100755
index acb6c35..009e20b
--- a/secret/rsa.php
+++ b/secret/rsa.php
@@ -1,2 +1,64 @@ "sha256",
+ "private_key_bits" => 4096,
+ "private_key_type" => OPENSSL_KEYTYPE_RSA,
+ "encrypt_key" => true,
+ "encrypt_key_cipher" => OPENSSL_CIPHER_AES_256_CBC
+ );
+ $res = openssl_pkey_new($config);
+ openssl_pkey_export($res, $privkey, $passphrase);
+ $oldMask = umask(0007);
+ file_put_contents("/var/www/usergen/secret/private.key", $privkey);
+ $pubkey = openssl_pkey_get_details($res);
+ umask($oldMask);
+ file_put_contents("/var/www/usergen/secret/public.key", $pubkey["key"]);
+}
+
+function getPublic() {
+ ensureKey();
+ $public = file_get_contents("/var/www/usergen/secret/public.key");
+ return $public;
+}
+
+function getFingerprint() {
+ ensureKey();
+ $fingerprint = shell_exec("/usr/bin/openssl pkey -pubin -in /var/www/usergen/secret/public.key -outform DER | /usr/bin/openssl dgst -sha256 -c | /usr/bin/sed -e 's/^.* //' | /usr/bin/sed -e 's/://g'");
+ return $fingerprint;
+}
+
+function encrypt($input){
+ // Encrypt with public key
+ ensureKey();
+ $public = getPublic();
+ $public = openssl_get_publickey($public);
+ openssl_public_encrypt($input, $encrypted, $public);
+ return base64_encode($encrypted);
+}
+
+function decrypt($input){
+ // Decrypt with private key
+ ensureKey();
+ openssl_private_decrypt(
+ base64_decode($input),
+ $decrypted,
+ openssl_get_privatekey(
+ file_get_contents("/var/www/usergen/secret/private.key"),
+ getPassphrase()
+ )
+ );
+ return $decrypted;
+}
+
 ?>
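Review bot: `encrypt()` and `decrypt()` in the rsa.php hunk never check the return value of `openssl_public_encrypt`/`openssl_private_decrypt`, nor of `openssl_get_publickey`/`openssl_get_privatekey`, so an oversized plaintext, a corrupt ciphertext or an unreadable key leaves `$encrypted`/`$decrypted` unset and the functions hand back an empty string or null instead of failing. Both calls also rely on the default `OPENSSL_PKCS1_PADDING` (PKCS#1 v1.5), which is the padding scheme known to be padding-oracle prone; pass `OPENSSL_PKCS1_OAEP_PADDING` explicitly on both sides and use `base64_decode($input, true)` in `decrypt()` so malformed input is rejected up front. `getFingerprint()` shells out to a fixed `openssl | sed` pipeline whose output is likewise unchecked (`shell_exec` yields null or false when the pipeline cannot run); the same SHA-256 over the DER-encoded public key can be computed in-process from the PEM body that `getPublic()` already returns, removing the shell and the hard-coded binary paths. The first lines of this hunk (the `<?php` header, `getPassphrase()` and the start of `ensureKey()`) are not legible in this view, so the key-generation error handling there was not reviewed.
```php
function encrypt($input){
  // … unchanged: ensureKey(), getPublic() …
  $public = openssl_get_publickey($public);
  if ($public === false || !openssl_public_encrypt($input, $encrypted, $public, OPENSSL_PKCS1_OAEP_PADDING)) {
    throw new RuntimeException('RSA encryption failed');
  }
  return base64_encode($encrypted);
}

function decrypt($input){
  ensureKey();
  $raw = base64_decode($input, true);
  $private = openssl_get_privatekey(
    file_get_contents("/var/www/usergen/secret/private.key"),
    getPassphrase()
  );
  if ($raw === false || $private === false
      || !openssl_private_decrypt($raw, $decrypted, $private, OPENSSL_PKCS1_OAEP_PADDING)) {
    throw new RuntimeException('RSA decryption failed');
  }
  return $decrypted;
}

function getFingerprint() {
  ensureKey();
  // SHA-256 over the DER form of the public key, i.e. the base64 body of the PEM, computed without a shell
  $der = base64_decode(preg_replace('/-----[^-]+-----|\s+/', '', getPublic()), true);
  if ($der === false) {
    throw new RuntimeException('public key is not valid PEM');
  }
  return hash('sha256', $der) . "\n"; // "\n" keeps the trailing newline the old pipeline produced
}
```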