Encrypting and signing data using private/public keys in PHP
For a project, I needed to make sure that a particular piece of data actually came from a specific source. There are already many packages that allow you to do this, but most are not fun or easy to use. That's why we created a new package called spatie/crypto
to do this.
Using spatie/crypto
Using this package, it's easy to generate a private and public key.
[$privateKey, $publicKey] = (new Spatie\Crypto\RsaKeyPair())->generate();
When passing paths, the generated keys will be passed to those paths.
(new KeyPair())->generate($pathToPrivateKey, $pathToPublicKey);
Using a private key, you can sign a message.
$privateKey = Spatie\Crypto\Rsa\PrivateKey::fromFile($pathToPrivateKey);
$signature = $privateKey->sign('my message'); // returns a string
The public key can use the signature to determine that the message was not tampered with.
$publicKey = Spatie\Crypto\Rsa\PublicKey::fromFile($pathToPublicKey);
$publicKey->verify('my message', $signature) // returns true;
$publicKey->verify('my modified message', $signature) // returns false;
$publicKey->verify('my message', 'invalid signature') // returns false;
Alternatives
This package aims to be very lightweight and easy to use. If you need more features, consider using of one these alternatives:
A word on the usage of RSA
At the time of writing, RSA is secure enough for the use case we've built this package for.
To know more about why RSA might not be good enough for you, read this post on public-key encryption at Paragonie.com
In closing
Spatie/crypt can also encrypt and decrypt messages. To learn more, head over to the readme of spatie/crypto on GitHub.
On our company website, you'll find a list of packages our team has created previously. If you would like to support us, consider picking up one of our paid products or sponsoring us on GitHub.
What are your thoughts on "Encrypting and signing data using private/public keys in PHP"?