PHP RFC: Add CMS Support
- Version: 0.9
- Date: 2020-05-11
- Author: Eliot Lear, lear@lear.ch
- Status: Draft
- First Published at: http://wiki.php.net/rfc/add-cms-support
Introduction
PHP has for some time incorporated support for PKCS#7 sign, verify, encrypt, decrypt, and read operations. Cryptographic Message Syntax (CMS) is a newer version of PKCS#7. Having been around for some time, CMS is used both in email messaging and in signature verification operations relating to IoT devices.
Proposal
It is proposed that analogous functions be created for CMS. These would be as follows:
| PKCS#7 function | New CMS function |
|---|---|
| openssl_pkcs7_encrypt() | openssl_cms_encrypt() |
| openssl_pkcs7_decrypt() | openssl_cms_decrypt() |
| openssl_pkcs7_sign() | openssl_cms_sign() |
| openssl_pkcs7_verify() | openssl_cms_verify() |
| openssl_pkcs7_read() | openssl_cms_read() |
As things currently stand, the CMS sign and verify functions can take the encoding method (DER/CMS/PEM) as an argument.
The calling interface is as follows:
function openssl_cms_verify(string $filename, int $flags = 0, string $signerscerts = UNKNOWN, array $cainfo = UNKNOWN, string $extracerts = UNKNOWN, string $content = UNKNOWN, string $pk7 = UNKNOWN, string $sigfile = UNKNOWN, int $encoding = OPENSSL_ENCODING_CMS): bool {}
function openssl_cms_encrypt(string $infile, string $outfile, $recipcerts, ?array $headers, int $flags = 0, int $cipher = OPENSSL_CIPHER_RC2_40): bool {}
function openssl_cms_sign(string $infile, string $outfile, $signcert, $signkey, ?array $headers, int $flags = 0, int $encoding = OPENSSL_ENCODING_CMS, ?string $extracertsfilename = null): bool {}
function openssl_cms_decrypt(string $infilename, string $outfilename, $recipcert, $recipkey = UNKNOWN): bool {}
function openssl_cms_read(string $infilename, &$certs): bool {}
This is nearly identical to the PKCS#7 calling interface, the only exception being $encoding.
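The proposed API used end to end, as an added example that is not part of the RFC or of PR 5251: a file is signed with openssl_cms_sign() in DER encoding and then checked with openssl_cms_verify(), once without and once with a trust anchor in $cainfo. The self-signed certificate is generated in-process for the demonstration only, and the flag constants OPENSSL_CMS_BINARY and OPENSSL_CMS_NOVERIFY are the ones shipped in PHP 8.0's openssl extension; the draft above does not name them.

```php
<?php
// Added example, not from the RFC or PR 5251. Argument order follows the
// stubs above. OPENSSL_CMS_BINARY (PHP 8.0 constant, not named in the
// draft) disables S/MIME line-ending canonicalisation, which would
// otherwise alter binary content such as an IoT firmware manifest.

$dir = sys_get_temp_dir() . '/cms-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$in = "$dir/payload.bin"; $sig = "$dir/payload.cms"; $out = "$dir/verified.bin";
$caFile = "$dir/signer.pem"; $signersOut = "$dir/signers.pem";

// Constructed payload containing bytes that are not valid text.
$payload = "manifest v1\x00\xff\nsha256=<placeholder>\n";
file_put_contents($in, $payload);

// Self-signed signer certificate generated in-process (demonstration only).
$key  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr  = openssl_csr_new(['commonName' => 'cms-example-signer'], $key, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => 'sha256']);
openssl_x509_export_to_file($cert, $caFile);

// Sign with embedded content. $headers is null: DER output carries no MIME headers.
if (!openssl_cms_sign($in, $sig, $cert, $key, null, OPENSSL_CMS_BINARY, OPENSSL_ENCODING_DER)) {
    exit("sign failed: " . openssl_error_string() . "\n");
}

// 1) No trust anchor in $cainfo: the signature itself is intact, but the
//    signer's chain cannot be built to a trusted root, so the call returns false.
$untrusted = openssl_cms_verify($sig, OPENSSL_CMS_BINARY, $signersOut, [],
    null, $out, null, null, OPENSSL_ENCODING_DER);
printf("verify without trust anchor: %s (%s)\n",
    $untrusted ? 'accepted' : 'rejected', openssl_error_string() ?: 'no error');

// 2) The signer's certificate supplied as the trust anchor: verification passes,
//    the signer certificates are written to $signersOut and the verified
//    content to $out, which must match the original payload byte for byte.
$trusted = openssl_cms_verify($sig, OPENSSL_CMS_BINARY, $signersOut, [$caFile],
    null, $out, null, null, OPENSSL_ENCODING_DER);
printf("verify with trust anchor: %s, content intact: %s\n",
    $trusted ? 'accepted' : 'rejected',
    $trusted && file_get_contents($out) === $payload ? 'yes' : 'no');

// Adding OPENSSL_CMS_NOVERIFY to $flags skips the chain check, so case 1 would
// also be accepted; reserve it for signers authenticated by some other means.
```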
Backward Incompatible Changes
None.
Proposed PHP Version(s)
PHP 8.0
RFC Impact
To SAPIs
The only change is an additional API. No modifications to existing APIs.
To Existing Extensions
openssl code is extended. No existing functions are changed.
To Opcache
These are entirely file operations.
New Constants
Several new constants are defined to indicate encoding, as follows:
OPENSSL_ENCODING_CMS /* encoding is a CMS-encoded message */
OPENSSL_ENCODING_DER /* encoding is DER (Distinguished Encoding Rules) */
OPENSSL_ENCODING_PEM /* encoding is PEM (Privacy-Enhanced Mail) */
php.ini Defaults
No change.
Open Issues
Currently, the encoding is not passed to the encrypt, decrypt, and read operations.
Unaffected PHP Functionality
As these are new functions, no side effects to other functions should be expected.
Future Scope
Currently, as with the PKCS#7 calls, these calls take files as arguments. It may make sense to take strings as input and deliver strings as output. However, existing use cases do not require this, and any such change could be kept backward compatible by means of a new flag.
Proposed Voting Choices
Include these so readers know where you are heading and can discuss the proposed voting options.
Patches and Tests
This capability is available for inspection as PR5251. Tests are available in that PR. This PR is, of course, subject to change based on community feedback.
Implementation
After the project is implemented, this section should contain
- the version(s) it was merged into
- a link to the git commit(s)
- a link to the PHP manual entry for the feature
- a link to the language specification section (if any)
References
Rejected Features
Keep this updated with features that were discussed on the mail lists.