The confusion most have seems to be on "mixed $key".
The $key is explained in, and mostly the same as, the parameter of http://www.php.net/manual/en/function.openssl-pkey-get-public.php
It can take the resource $key returned from openssl_pkey_get_public(), OR, if it finds the value is text, it passes the text to openssl_pkey_get_public() to get a valid resource.
To better break down rstinnett's example:
(and where the flaw is)
<?php
function EncryptData($source)
{
$fp=fopen("/etc/httpd/conf/ssl.crt/server.crt","r");
$pub_key_string=fread($fp,8192);
fclose($fp);
openssl_get_publickey($pub_key);
openssl_public_encrypt($source,$crypttext,$pub_key_string);
/*this simply passes the string contents of pub_key_string back to be decoded*/
return(base64_encode($crypttext));
}
?>
is more efficient:
<?php
function EncryptData($source)
{
$fp=fopen("/etc/httpd/conf/ssl.crt/server.crt","r");
$pub_key_string=fread($fp,8192);
fclose($fp);
$key_resource = openssl_get_publickey($pub_key_string);
openssl_public_encrypt($source,$crypttext, $key_resource );
/*uses the already existing key resource*/
return(base64_encode($crypttext));
}
?>
shorter:
<?php
function EncryptData($source)
{
$fp=fopen("/etc/httpd/conf/ssl.crt/server.crt","r");
$pub_key=fread($fp,8192);
fclose($fp);
openssl_public_encrypt($source,$crypttext, $pub_key );
return(base64_encode($crypttext));
}
?>
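An added example, not part of the original note: the variants above ignore the return values of the OpenSSL calls, so an unreadable key or an oversized plaintext silently produces an empty result. The sketch below accepts either form of the "mixed $key" argument and checks each step. The function name, the in-memory test key and the use of OAEP padding instead of the function's default padding are assumptions made for this illustration.

```php
<?php
// Added example (not from the original note). encryptData() and the
// throwaway key pair below are assumptions made for this illustration.

function encryptData(string $source, $key): string
{
    // $key may be a PEM string or an already-parsed key; normalise it once
    // so a bad key is reported here rather than as a silent encrypt failure.
    $pub = is_string($key) ? openssl_pkey_get_public($key) : $key;
    if ($pub === false) {
        throw new RuntimeException('Cannot parse public key: ' . openssl_error_string());
    }

    // RSA encrypts at most (key bytes - padding overhead); OAEP with SHA-1 costs 42 bytes.
    $bits = openssl_pkey_get_details($pub)['bits'];
    $max  = intdiv($bits, 8) - 42;
    if (strlen($source) > $max) {
        throw new LengthException("Plaintext exceeds $max bytes for a $bits-bit key");
    }

    if (!openssl_public_encrypt($source, $crypttext, $pub, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('Encryption failed: ' . openssl_error_string());
    }
    return base64_encode($crypttext);
}

// Constructed test key, generated in memory instead of reading server.crt.
$pair   = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pubPem = openssl_pkey_get_details($pair)['key'];

// Both forms of the "mixed $key" argument are accepted.
$fromString = encryptData('secret', $pubPem);
$fromParsed = encryptData('secret', openssl_pkey_get_public($pubPem));

openssl_private_decrypt(base64_decode($fromString), $plain1, $pair, OPENSSL_PKCS1_OAEP_PADDING);
openssl_private_decrypt(base64_decode($fromParsed), $plain2, $pair, OPENSSL_PKCS1_OAEP_PADDING);
var_dump($plain1 === 'secret' && $plain2 === 'secret');

// A plaintext longer than the key allows is rejected with a clear error.
try {
    encryptData(str_repeat('A', 300), $pubPem);
} catch (LengthException $e) {
    echo $e->getMessage(), "\n";
}
```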