-3

How to make PKCS5 and PKCS7 padding with openssl_public_encrypt?

These are the options: OPENSSL_PKCS1_PADDING, OPENSSL_SSLV23_PADDING, OPENSSL_PKCS1_OAEP_PADDING, OPENSSL_NO_PADDING

clarkk

1 Answer

-1

How to make PKCS5 and PKCS7 padding with openssl_public_encrypt?

openssl_public_encrypt is used with asymmetric encryption (encrypting by public key) and indeed only the listed paddings are available.

PKCS7 padding is used with symmetric encryption (openssl_encrypt).

You can use PKCS#7 padding with openssl_encrypt; see the documentation. Apparently (according to the comments) the PKCS#7 padding is used when no option is specified.

It seems that in PHP you will have to do it yourself, see How to add/remove PKCS7 padding from an AES encrypted string?

Please note: I am not a PHP developer, so if there's a better way, please comment / correct.

gusto2
  • The PHP documentation also mentions an option `OPENSSL_ZERO_PADDING`. Looking at [the source code](https://github.com/php/php-src/blob/master/ext/openssl/openssl.c#L6534), it seems that standard block padding (PKCS#5) is used, unless zero padding is requested via that `OPENSSL_ZERO_PADDING` option. – Reinier Torenbeek Aug 28 '18 at 13:51
  • @ReinierTorenbeek I don't see where the PKCS#5 is implemented; as far as I understood, if no zero_padding is specified, OPENSSL_RAW_DATA is used (no padding at all). If I am mistaken, feel free to correct me – gusto2 Aug 28 '18 at 14:30
  • It's also mentioned as a comment under the documentation of `openssl_encrypt`: "Without using `OPENSSL_ZERO_PADDING`, you will automatically get PKCS#7 padding." And: "When OPENSSL_RAW_DATA is specified, the returned data is returned as-is. When it is not specified, Base64 encoded data is returned to the caller." – Maarten Bodewes Aug 28 '18 at 14:35
  • PKCS#5 is the default padding used with OpenSSL if you do not indicate any padding. See [the OpenSSL wiki section on EVP Symmetric Encryption and Decryption](https://wiki.openssl.org/index.php/EVP_Symmetric_Encryption_and_Decryption#Padding). The `OPENSSL_RAW_DATA` option is to select between base64-encoded (the default) and binary (raw) output. – Reinier Torenbeek Aug 28 '18 at 14:37
  • @MaartenBodewes: Interesting read, thanks. I got my information from the [OpenSSL enc app documentation](https://www.openssl.org/docs/man1.1.0/apps/openssl-enc.html), which states "All the block ciphers normally use PKCS#5 padding also known as standard block padding"... – Reinier Torenbeek Aug 28 '18 at 14:45
  • That link pointed to in the answer relates to `mcrypt` library, which doesn't support PKCS#7 padding. `mcrypt` has been deprecated (possibly also because of some not-too-friendly comments that I made about it). – Maarten Bodewes Aug 28 '18 at 14:45
  • Thank you all for the feedback - so as far as I understood from the comments, when using `openssl_encrypt` with no options, the PKCS#7 padding is added by default? – gusto2 Aug 28 '18 at 14:56
  • Yes, PKCS#7 padding is added by default. Please adjust the answer so I can change my vote; currently the info in the answer is incorrect. – Maarten Bodewes Aug 28 '18 at 15:36
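
The behaviour the comments settle on (PKCS#7 padding by default in `openssl_encrypt`, switched off only by `OPENSSL_ZERO_PADDING`, with `OPENSSL_RAW_DATA` affecting output encoding only) can be checked directly. The script below is an added example, not code from the question, the answer or the commenters; the key, IV and plaintexts are constructed sample values, and `pkcs7_pad` and `check` are hypothetical helper names.

```php
<?php
// Added example, not code from the thread. Key, IV and plaintexts are constructed sample values.
const CIPHER = 'aes-128-cbc';
const BLOCK  = 16;

// Manual PKCS#7: append N bytes of value N, N = 1..BLOCK (a whole block if already aligned).
function pkcs7_pad(string $data, int $block = BLOCK): string {
    $n = $block - (strlen($data) % $block);
    return $data . str_repeat(chr($n), $n);
}

// Hypothetical helper: stop on the first claim that does not hold.
function check(bool $ok, string $what): void {
    if (!$ok) { throw new RuntimeException("check failed: $what"); }
    echo "ok: $what\n";
}

$key = str_repeat("\x01", 16); // constructed demo key
$iv  = str_repeat("\x02", 16); // constructed demo IV (real code uses a fresh random IV per message)

foreach (['hello', str_repeat('A', 16)] as $pt) {
    // OPENSSL_RAW_DATA only selects binary instead of base64 output; padding stays on.
    $ct = openssl_encrypt($pt, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    check(strlen($ct) === strlen(pkcs7_pad($pt)), 'ciphertext length equals PKCS#7-padded length');

    // OPENSSL_ZERO_PADDING disables OpenSSL's own padding handling, so the decrypted
    // output still carries the padding bytes the default encrypt call added.
    $raw = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv);
    check($raw === pkcs7_pad($pt), 'default padding is byte-identical to manual PKCS#7');

    // Padding by hand and disabling OpenSSL's padding gives the same ciphertext.
    $manual = openssl_encrypt(pkcs7_pad($pt), CIPHER, $key,
                              OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv);
    check($manual === $ct, 'manual pad + OPENSSL_ZERO_PADDING matches the default call');

    // A normal decrypt strips the padding again.
    check(openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv) === $pt, 'round trip');
}

// With padding disabled, unaligned input is rejected rather than zero-filled.
$unaligned = openssl_encrypt('hello', CIPHER, $key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv);
check($unaligned === false, 'unaligned input fails under OPENSSL_ZERO_PADDING');
```

The 16-byte plaintext case shows why an aligned message still grows by a full block: PKCS#7 always appends at least one padding byte.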