Hi,
On Mon, Aug 3, 2015 at 9:54 PM, Scott Arciszewski <sc...@paragonie.com>
wrote:
> Hi,
>
> I would like to make it easier for PHP developers to implement
> cryptography features in their applications. I intend to work on some
> of these ideas and submit them for inclusion in PHP 7.1.
>
> Some of these might be familiar to some of you.
>
> 1. Pluggable Cryptography Frontend
>
> Work is currently underway for a PHP prototype for this idea
> originally suggested by ircmaxell, that will basically be like PDO for
> cryptography. Our current project name, subject to change, is PHP
> Crypto Objects (PCO).
>
> The idea is that you could write code like this to add secure
> authenticated encryption to your application without having to worry
> about the details.
>
> $AES = new \PCO\Symmetric('openssl:cipher=AES-128');
> $ciphertext = $AES->encrypt($plaintext, $someKey);
>
> $PKC = new \PCO\Asymmetric('libsodium');
> $offlineDecryptable = $PKC->seal($plaintext, $someX25519PublicKey);
>
> When it's finished, I'd like to turn it into a PECL extension so users
> can play with it in PHP 7.0 and submit it for inclusion in 7.1.
>
> 2. Cache-timing-safe character encoding functions
>
> Alternatives for existing functions that should function like their
> unsafe counterparts, but without branches or data-based index lookups.
>
> * hex2bin() -> hex2bin_ts()
> * bin2hex() -> bin2hex_ts()
> * base64_encode() -> base64_encode_ts()
> * base64_decode() -> base64_decode_ts()
>
> Other formats are out of scope, unless someone can make the case that
> we need to support RFC 4648 base32 encoding (e.g. for Tor Hidden
> Service integration).
>
> 3. Other ideas (not yet committed to at all, but might be of interest
> to others):
>
> * Improving the OpenSSL API, or at least the documentation
> * Adding streaming encryption/decryption support to OpenSSL
> * Adding AE and AEAD interfaces to OpenSSL
> * Aliasing MCRYPT_AES -> MCRYPT_RIJNDAEL_128, adding MCYPT_MODE_CTR
>
> What I need from you is guidance on what features or changes you want
> to see in 7.1 and which can be put off until later (or never proposed
> as an RFC at all).
>
> Seriously, all I need is your opinion and whether or not you'd like to
> see any of these happen. If you have specific implementation details
> you'd like to discuss or requests, of course those are welcome too. :D
>
>
I have been actually working on something similar for some time. It's
already on PECL and it's called php-crypto:
https://github.com/bukka/php-crypto
I have been doing lots of changes and fixes including support for PHP 7 (it
also supports PHP 5 using https://github.com/bukka/phpc wrapper) and php
streams. The internal part has been almost completely rewritten since
version 0.1.0 and I plan to release soon 0.2.0 so I will send some update
then.
I'm currently working on fixing some issues, improving tests and mainly
documentation that is still very incomplete (just hash is partially
documented in the main readme) so probably the best doc at the moment is
generated api doc:
https://github.com/bukka/php-crypto/blob/master/docs/Crypto.php
There also are some examples in
https://github.com/bukka/php-crypto/blob/master/examples and even more
examples in tests where is about 70 tests:
https://github.com/bukka/php-crypto/blob/master/tests
In case you are interested in what I plan to do in the near future, it's
all in my TODO list: https://github.com/bukka/php-crypto/blob/master/TODO.md
In the long term I would like to add support for asymmetric encryption. I
actually wrote an extension called php-rsa (
https://github.com/bukka/php-rsa ) just to play with OpenSSL rsa.h (there
is no doc but you can look to the tests if you are interested). However the
way how it should be done in crypto is more about using PKEY which is much
more flexible but it will be supported only for OpenSSL 1.0.0+.
The providers (pluggable api) is a nice thing but it will require quite a
bit of thinking to make it right from the internal PoV (address all needs
of particular libs - especially OpenSSL) and it's quite a bit of work as
well :) But it would be definitely nice to have and I have been thinking
about it for some time. But the priority is a creating of a good wrapper
for OpenSSL first and then split it to more layers.
Cheers
Jakub
