
My application sends encrypted files over the internet; I need to be able to do the following:

  1. (Client side Delphi 2010): Encrypt files using public key shipped with my application & upload it to server
  2. (Server side PHP): Decrypt the uploaded file using my private key stored on server
  3. (Work on the uploaded file...)

Sounds simple but I can't find any reliable code/component, I found these components:

  1. DCPcrypt. This is what I'm using right now in development but doesn't seem to support keypair-based encryption (RSA?)

  2. GnuPgp (GPL), so I can't use it in my commercial app.

  3. TurboPower LockBox 3: does support keypair encryption but very cryptic (no documentation AFAIK) and doesn't seem to support file encryption.

My question is: is there a secure / reliable encryption component that:

  1. Achieves what I described above (i.e. keypair encryption)
  2. Can be decrypted using PHP
  3. Works on large files/streams
  4. (Dreaming here!) Has a simple Delphi/PHP demo that shows how to do this? :)
  5. FOSS solutions only please, I'm already wayyy over budget :)
  • Good crypto for free makes little sense -- it requires quite a lot of skills in both programming, security and math. – Eugene Mayevski 'Callback May 22 '12 at 17:32
  • Usually you won't crypt an entire file using RSA or the like, because it is usually slower. You encrypt with a symmetric algorithm, then encrypt the key used with the asymmetric one. As long as you use a correctly implemented standard algorithm, data will be usable from both PHP and Delphi. LockBox 3 IMHO is not a good library. – Mad Hatter May 24 '12 at 07:33
  • @EugeneMayevski'EldoSCorp: Do you have a nice discount coupon laying around that you can give me for SecureBlackbox? :) – TheDude Aug 30 '12 at 14:44
  • @Gdhami if you contact me privately. – Eugene Mayevski 'Callback Aug 30 '12 at 15:32

2 Answers


I would go with OpenSSL.
PHP seems to have plenty of support for it, though I haven't actually tried it: for example, the manual and an example here.

Delphi can be made to work well with OpenSSL with a little work, using stuff I've mentioned on here numerous times: http://www.disi.unige.it/person/FerranteM/delphiopenssl/. Some good examples on that page too. And take a look at the Indy OpenSSL imports.

Not specific components but definitely free, flexible and with full possibilities for shooting yourself, security-wise, in the foot :-)

EDIT:

For Delphi I would consider using the EVP_Seal* functions, and you can find my version of a cut down libeay32.pas file in this SO answer. You need this, as Indy doesn't surface or implement much/any of the actual EVP_ functions, so you need to import the function declarations and a few other routines.

For PHP this link seems the right counterpart.

As a bonus, this should give you an idea of how to use the EVP_Seal* stuff (non-tested):

// Hybrid "seal": OpenSSL generates a random AES-256-CBC session key, RSA-encrypts it to
// APublicKey (returned in Key) and returns the IV in IV; the result is the ciphertext.
// Requires SysUtils for Exception and the EVP_* imports from libeay32.pas.
function EVPSeal(ASource: TBytes; const APublicKey: PEVP_PKEY; out Key: TBytes; out IV: TBytes): TBytes;
var
  cipher: PEVP_CIPHER;
  ctx: EVP_CIPHER_CTX;
  buf: TBytes;
  block_size, buf_start, out_len, keysize: integer;
  ek: array[0..0] of PByte;       // one recipient: buffer for the RSA-wrapped session key
  ekl: array[0..0] of integer;    // actual length of the wrapped key, filled by EVP_SealInit
  pubk: array[0..0] of PEVP_PKEY;
begin
  keysize := EVP_PKEY_size(APublicKey);  // upper bound for the wrapped key length
  cipher := EVP_aes_256_cbc;
  SetLength(IV, EVP_MAX_IV_LENGTH);
  SetLength(Key, keysize);
  ek[0] := @Key[0];
  pubk[0] := APublicKey;
  buf_start := 0;
  EVP_CIPHER_CTX_init(@ctx);
  try
    // Returns the number of recipients processed; 0 means failure.
    if EVP_SealInit(@ctx, cipher, @ek[0], @ekl[0], @IV[0], @pubk[0], 1) <> 1 then
      raise Exception.Create('EVP_SealInit failed');
    block_size := EVP_CIPHER_CTX_block_size(@ctx);
    SetLength(buf, Length(ASource) + block_size);  // room for one block of PKCS#7 padding
    SetLength(Key, ekl[0]);                        // shrink to the real wrapped key length
    if Length(ASource) > 0 then                    // @ASource[0] is invalid on an empty array
    begin
      if EVP_SealUpdate(@ctx, @buf[buf_start], out_len, @ASource[0], Length(ASource)) <> 1 then
        raise Exception.Create('EVP_SealUpdate failed');
      Inc(buf_start, out_len);
    end;
    if EVP_SealFinal(@ctx, @buf[buf_start], out_len) <> 1 then
      raise Exception.Create('EVP_SealFinal failed');
    Inc(buf_start, out_len);
    SetLength(buf, buf_start);                     // trim to the bytes actually written
    result := buf;
  finally
    EVP_CIPHER_CTX_cleanup(@ctx);                  // wipes the session key from the context
  end;
end;
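The PHP counterpart to the Delphi EVPSeal above, as an added example that is not part of shunty's answer: it unwraps the RSA-encrypted session key with the server's private key and decrypts the uploaded ciphertext with aes-256-cbc, which is what the linked openssl_open() documentation describes. The self-test seals with openssl_seal() in place of the Delphi client; the generated key pair, the file contents and the three-part upload layout (ciphertext, wrapped key, IV) are constructed assumptions.

```php
<?php
// Added example, not code from the original answer. Server-side counterpart to the Delphi
// EVPSeal() above: the client uploads three parts, the sealed file, the RSA-wrapped session
// key (ek) and the IV. The cipher name must match the Delphi side (aes-256-cbc).

/** Decrypt one uploaded file. $privKeyPem is the server's private key in PEM form. */
function unsealUpload(string $privKeyPem, string $sealed, string $encKey, string $iv): string
{
    $pkey = openssl_pkey_get_private($privKeyPem);
    if ($pkey === false) {
        throw new RuntimeException('cannot load private key: ' . openssl_error_string());
    }
    $plain = '';
    // openssl_open() RSA-decrypts $encKey with the private key, then decrypts $sealed with it.
    if (!openssl_open($sealed, $plain, $encKey, $pkey, 'aes-256-cbc', $iv)) {
        throw new RuntimeException('openssl_open failed: ' . openssl_error_string());
    }
    return $plain;
}

// Self-test with a freshly generated key pair and a constructed "file"; openssl_seal()
// stands in for the Delphi client and produces the same ek/IV/ciphertext triple as EVP_Seal*.
$keyRes = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($keyRes, $privPem);
$pubPem = openssl_pkey_get_details($keyRes)['key'];

$file = str_repeat("constructed file contents\n", 1000); // ~26 KB, many AES blocks
$sealed = ''; $encKeys = []; $iv = '';
if (openssl_seal($file, $sealed, $encKeys, [$pubPem], 'aes-256-cbc', $iv) === false) {
    throw new RuntimeException('openssl_seal failed: ' . openssl_error_string());
}

$recovered = unsealUpload($privPem, $sealed, $encKeys[0], $iv);
echo hash_equals($file, $recovered) ? "round trip OK\n" : "MISMATCH\n";

// A flipped ciphertext bit must never yield the original file. CBC has no integrity check,
// so depending on where the flip lands it either fails padding or decrypts to garbage.
$tampered = $sealed;
$tampered[10] = chr(ord($tampered[10]) ^ 0x01);
try {
    $bad = unsealUpload($privPem, $tampered, $encKeys[0], $iv);
    echo hash_equals($file, $bad) ? "unexpected\n" : "tampered file decrypted to different content\n";
} catch (RuntimeException $e) {
    echo "tampered file rejected: {$e->getMessage()}\n";
}
```

Because aes-256-cbc carries no authentication tag, openssl_open() only tells you the key unwrapped and the padding was valid; verify the file's integrity separately (a signature or a MAC under a separate key) before step 3 works on it.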

Ah, crypto. There is a saying about a programmer that knows little crypto being far more dangerous than one that knows none.

In a really similar vein, I spent quite some time trying to find a way to do digital XML signatures using open source. I only managed to get so far before buckling up and getting a rock solid third party library. It is not cheap in the pure monetary sense, but one of my best investments so far.

(True story: I actually got into a little flamewar with the author of this library that even got deleted from the comments. Alas, I ended up buying from him. Go figure.)

  • So, is your answer *no*, or *yes, but it's harder than I was willing to pursue, and I got into an argument with someone once*? – Rob Kennedy May 22 '12 at 19:50
  • @RobKennedy - if you feel the answer is not worthy your time then downvote away. – Leonardo Herrera May 22 '12 at 19:53
  • I'm just not sure what your answer *is*. – Rob Kennedy May 22 '12 at 19:56
  • That you will spend either time or money? I provided a link to a previous question that contains links to several open source libraries, and also to a commercial product that, IMHO, is just what you need if you need crypto in Delphi. Didn't have anything else to add because there just isn't much (even less given that GPL is ruled out.) – Leonardo Herrera May 22 '12 at 20:01