PHP Key Store

Current Status

A web site has been put up to host the documentation, development release downloads, and other links:

phpkeystore.org

An initial development release is available for download with API documentation and browsable source. See the web site above for more information.

In addition, a proposal has been submitted to the PEAR development community to add the PHP KeyStore package to the PEAR repository. This is done for a couple of reasons: to provide a simple way to get and configure the code, and to get community review of the code.

Why Create a Key Store for PHP?

I find myself asking the same question. Aren’t there PHP libraries like mcrypt, mhash, openssl, etc. already out there that do all this for us? The truth is, building secure server-side web applications will, at times, require encryption. And, at the root of encryption, comes the problem of key management. Where do we keep that one key that unlocks all the other keys that open the doors to our proverbial castle?

The answer is in a well designed, thought-out, tested, and open key management system. The goal of the PHP Key Store is to use the functionality already available to the PHP language, but in an encapsulated package that is deliverable, configurable, and usable.

1. Deliverability

The PHP Key Store will be designed to be delivered to the Apache/PHP platform through PEAR, a framework and distribution system for reusable PHP components.

2. Configurability

The PHP Key Store will be configurable as a cPanel plugin. This will allow the management of the keystore to be performed by administrators within the cPanel interface.

3. Usability

The API of the PHP Key Store will be simple enough to get an instance of a key store and use the key for encryption/decryption.

The PHP Key Store will provide a range of cryptographic functionality surrounding secure key storage. Of primary concern is the creation, storage, and management of symmetric and asymmetric cryptographic keys.

Functionality

The following is a high-level overview of the goals of the PHP Key Store.

1. Key Creation

The PHP Key Store is used to create both symmetric (secret) and asymmetric (public/private) keys. The keys are created by and kept in the key store. The key store user never has direct access to the secret or private keys.

2. Key Management

Once keys are created, they can be managed with the PHP Key Store. Keys can be queried as to their existence, the date they were created, etc., and they can be deleted. However, the secret and private keys themselves cannot be accessed directly outside of the PHP Key Store.

3. Certificate Signing Request (CSR) Creation

A CSR can be created using the PHP Key Store. Once a CSR has been created, an associated private key and public key (i.e., certificate) will be added to the key store mapped to the alias provided with the requested CSR. After the CSR has been signed (e.g., by a public signing authority), the certificate can be imported (see below).

4. Certificate Import/Verification

Two types of certificates can be imported into the PHP Key Store: a publicly signed certificate that matches a private key alias previously created with a CSR, or a trusted certificate that has been publicly signed by a CA. In either case, the PHP Key Store will verify that the certificate is valid and add the certificate to the key store.

5. Data Encryption/Decryption

To encrypt plain text with a key in the key store, the caller gives the PHP Key Store the alias of the key, the password of the key, and the plain text, and the encrypted text is returned. Likewise, to decrypt, the caller gives the alias of the key, the password of the key, and the encrypted text, and the decrypted text is returned.
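
The alias-plus-password pattern described above can be sketched as follows. This is an added example, not code from the PHP Key Store project or its API: the class name SketchKeyStore, its method names, the in-memory storage, AES-256-GCM, and the PBKDF2 parameters are all assumptions chosen for illustration. The secret key is generated inside the store, kept only in a form wrapped under a password-derived key, and never returned to the caller.

```php
<?php
// Added illustration: SketchKeyStore is a hypothetical name, not the PHP Key Store API (PHP 7.1+, ext-openssl).
final class SketchKeyStore
{
    private $entries = []; // alias => [salt, wrapped key]; raw keys are never stored
    // Generate a 256-bit secret key and keep it only wrapped under the password.
    public function createSecretKey(string $alias, string $password): void
    {
        $salt = random_bytes(16);
        $wrapped = $this->seal(random_bytes(32), $this->kek($password, $salt));
        $this->entries[$alias] = ['salt' => $salt, 'wrapped' => $wrapped];
    }
    public function encrypt(string $alias, string $password, string $plain): string
    {
        return base64_encode($this->seal($plain, $this->unwrap($alias, $password)));
    }
    public function decrypt(string $alias, string $password, string $token): string
    {
        return $this->open((string) base64_decode($token, true), $this->unwrap($alias, $password));
    }
    private function kek(string $password, string $salt): string
    {
        return hash_pbkdf2('sha256', $password, $salt, 200000, 32, true); // iteration count is an assumption
    }
    private function unwrap(string $alias, string $password): string
    {
        if (!isset($this->entries[$alias])) throw new RuntimeException('unknown alias');
        $e = $this->entries[$alias];
        return $this->open($e['wrapped'], $this->kek($password, $e['salt']));
    }
    private function seal(string $data, string $key): string
    {
        $iv = random_bytes(12); // fresh nonce per message; GCM must never reuse one
        $ct = openssl_encrypt($data, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
        if ($ct === false) throw new RuntimeException('encryption failed');
        return $iv . $tag . $ct; // 12-byte nonce, 16-byte tag, then ciphertext
    }
    private function open(string $blob, string $key): string
    {
        if (strlen($blob) < 28) throw new RuntimeException('malformed ciphertext');
        $pt = openssl_decrypt((string) substr($blob, 28), 'aes-256-gcm', $key,
            OPENSSL_RAW_DATA, substr($blob, 0, 12), substr($blob, 12, 16));
        if ($pt === false) throw new RuntimeException('wrong password or tampered data');
        return $pt;
    }
}
$ks = new SketchKeyStore();
$ks->createSecretKey('orders', 'constructed-password'); // constructed sample values
echo $ks->decrypt('orders', 'constructed-password', $ks->encrypt('orders', 'constructed-password', 'sample text')), PHP_EOL;
```

Because GCM authenticates the wrapped key, a wrong key password fails at the unwrap step instead of yielding a garbage key, and a modified ciphertext is rejected the same way.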