Comments (29)
Did I say so?
from openpgp-php.
sounds worth investigating!
from openpgp-php.
@singpolyma What learning resources do you recommend for learning how to contribute to this library?
from openpgp-php.
@jasekiw if you want to learn more about the spec and fine the main one daunting, I've distilled some of the most necessary parts to https://github.com/singpolyma/openpgp-spec
If you're interested into helping with this mcrypt issue specifically, the mcrypt-using code is isolated to one file that's designed to be modular (so you could write another file with the same interface using libsodium, IIRC)
from openpgp-php.
Looking over the code again, I think it only uses mcrypt for CAST5 support. So most operations will work without it.
from openpgp-php.
After looking at libsodium more closely it seems that PHP will add it to the core extensions in PHP 7.2. However you can install the extension on 7.0+. So that leaves 7.1 completely unsupported and breaks < 7.0. I see two paths to go down.
-
Create a legacy branch to support < 7.0 with mcrypt and implement libsodium. This would require a version jump since the drop of support would be quite large. The only supported version that is dropped is PHP 5. This package would also require the installation of libsodium on php versions < 7.2.
-
Investigate what methods use CAST5 and see if we can remove mcrypt without replacing it with libsodium. is CAST5 operations necessary? This has the pros of supporting older versions of PHP as well as newer.
from openpgp-php.
CAST5 is only necessary if you need to interoperate with someone using it as their symmetric algorithm. Unfortunately, gnupg defaults to CAST5 in most versions, so such interoperation is often desired.
from openpgp-php.
Probably the best is to have compatible mcrypt and sodium wrappers in the library, and choose the right one a runtime based on what is installed, to keep compatibility with both popular and new versions of PHP.
from openpgp-php.
I didn't think of that. That would be way better. PHP 7.1 would still be an odd version for people to install the package because the user would have to install libsodium seperately.
I cannot seem to find documentation on how to perform a CAST5 operation using libsodium. Have you seen anything?
I also found CAST5 in the list of supported algorithms in openssl. Maybe OpenSSL can be a polyfill?
from openpgp-php.
I think sodium calls it cast128 -- same algorithm
from openpgp-php.
Why not use https://github.com/paragonie/sodium_compat?
from openpgp-php.
The PECL extension supports PHP 7.0.x, 7.1.x and 7.2.x
from openpgp-php.
The PECL extension supports PHP 7.0.x, 7.1.x and 7.2.x
This is not an option here as this library should work on all systems with the right polyfills afaik.
from openpgp-php.
You can use openssl
for encryption and signing. Only Idea and Twofish is not supported with openssl. (Only tested with php7.0)
from openpgp-php.
You can use openssl for encryption and signing. Only Idea and Twofish is not supported with openssl. (Only tested with php7.0)
No, this should not be done.
from openpgp-php.
No, this should not be done.
Why?
Mcrypt is used in this library for encrypting with cast5
. Openssl supports cast5
. -> Openssl can replace Mcrypt.
from openpgp-php.
We should use and move to libsodium.
from openpgp-php.
Because it makes no sense to reimplement mcrypt with openssl and libsodium is different. mcrypt support should be dropped in the future.
from openpgp-php.
@DanielRuf https://github.com/paragonie/sodium_compat#cryptography-primitives-provided do not list cipher cast5
. Where did you read that the sodium library supports cipher cast5
?
from openpgp-php.
Also see the comment of @singpolyma
I think sodium calls it cast128 -- same algorithm
from openpgp-php.
Did I say so?
More ore less, yes. You wrote:
We should use and move to libsodium.
So you have no clue about the sodium library, but you recommend it. No words...
@singpolyma Sodium do not support any cipher used by openpgp. https://secure.php.net/manual/en/ref.sodium.php
from openpgp-php.
I'm happy to accept wrappers for any of openssl or sodium or whatever else for cast5/cast128 support. Should be no problem to support all of these options and use whatever is available on the system we're running on.
from openpgp-php.
@Rotzbua initially it was not my recommendation. See the first comment. I just said that I am also for supporting libsodium (or an alterntive) in some way.
I never wrote that it supports the gnupg / pgp algorithms ;-)
from openpgp-php.
Writing pure openssl wrappers is like writing your own crypto which is not recommended. I guess there is already a library for this eg by paragonie, ircmaxell and others.
from openpgp-php.
libsodium does not support CAST5. In fact, in doesn't support any of the ciphers currently supported by GnuPG. So, files encrypted using OpenPGP-PHP could only be decrypted by the same tool.
from openpgp-php.
I fail to see how wrapping openssl would be more dangerous than wrapping mcrypt.
I also remind people that mcrypt is only used for cast5 -- if you use AES that is supported directly by phpseclib so this whole question only matters if you application has a specific need for cast5 (which some do, of course)
from openpgp-php.
That being said, CAST5 is a very simple algorithm, which can be easily rewritten in pure PHP.
from openpgp-php.
@jedisct1 is there any current implementations of this in pure PHP? We don't want to reinvent the wheel if something is already out there.
from openpgp-php.
Happy to accept PRs for wrapping other methods, but I've added an OpenSSL-based CAST5 wrapper to master now -- passes tests in PHP7.1 and 7.2 without warnings now (though there are warnings if using older versions of phpseclib -- have to figure out how to tell travis which versions to use with with PHP versions...)
from openpgp-php.
Related Issues (20)
- Can't decrypt pgp ciphers from other clients HOT 1
- Encryption HOT 1
- PHP8 and thoughts on minimum PHP version HOT 2
- New tagged release version HOT 3
- Cant decrypt on CLI HOT 1
- Encrypt stream or chunks
- Not an asymmetrically encrypted message when trying to decrypt
- Support for phpseclib3 HOT 4
- Bump version to php 7.3? HOT 1
- Generated public keys cannot be imported into Thunderbird OpenPGP Key Manager HOT 6
- Need help with decrypting a file HOT 1
- getCipher algo number 1 HOT 1
- Please implement a "sop" (Stateless OpenPGP Command Line) interface HOT 2
- Multiple recipients when should be single HOT 3
- Error: Ciphertext representative out of range HOT 1
- Does this work out-the-box with laravel? HOT 9
- OpenPGP_PublicSubkeyPacket in SubKey exemple? HOT 1
- Documentation? HOT 1
- Cannot decrypt messages encoded with GPG
- encrypt and sign HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from openpgp-php.