How to use Sodium encryption extension function in PHP

This article will introduce to you how to use Sodium encryption extension function in PHP. It has certain reference value. Friends in need can refer to it. I hope it will be helpful to everyone.

Understanding PHP’s Sodium encryption extension function

This is the last article in this encryption extension series, and it is also what we want to do The last PHP encryption extension to learn about. The purpose of Sodium's emergence is also to replace Mcrypt, the original encryption extension. Mcrypt has been removed since PHP7.2 and marked obsolete in PHP7.1. However, there are not many applications of Sodium extension. In most cases, we will use OpenSSL to perform encryption operations. At the same time, Sodium extension provides many functions, so we will only understand them in this article. Of course, the most important thing is that even the official documentation about this extension is not complete. There are no parameter descriptions for most functions, and there is very little information found through searches.

The Sodium extension was released with the PHP source code after PHP7.2. You only need to add --with-sodium when compiling to install it successfully. If it is a version before PHP7.2, you need to install this extension separately. At the same time, the libsodium-devel library also needs to be installed in the operating system.

AEAD_AES_256_GCM encryption and decryption

The first is the application of this AEAD_AES_256_GCM encryption and decryption capability function. In the development related to WeChat payment, there is an interface that uses this method to encrypt data. In the official documentation, the corresponding decryption method for PHP is also provided, which uses the function in the Sodium extension library. (See the second link in the reference document at the end of the article)

$data = '测试加密'; // 原始数据
$nonce = random_bytes(SODIUM_CRYPTO_AEAD_AES256GCM_NPUBBYTES); // 加密证书的随机串,加密证书的随机串
$ad = 'fullstackpm'; // 加密证书的随机串
$kengen = sodium_crypto_aead_aes256gcm_keygen(); // 密钥

// 是否可用
echo sodium_crypto_aead_aes256gcm_is_available(), PHP_EOL; // 1

// 加密
$pem = sodium_crypto_aead_aes256gcm_encrypt($data, $ad, $nonce, $kengen);
var_dump($pem);
// string(28) "��VRw!�����f��l�O�tV=\x�"

// 解密
$v = sodium_crypto_aead_aes256gcm_decrypt($pem, $ad, $nonce, $kengen);
var_dump($v);
// string(12) "测试加密"

The comments in the code have detailed the relevant functions and parameters. When using this to decrypt in WeChat payment, ad, key, nonce, etc. are all provided by WeChat, and as a demonstration here, they are all self-generated content.

sodium_crypto_aead_aes256gcm_encrypt() The content generated by encryption is also binary content, so it is relatively a very safe form of encryption.

Information Signature

Sodium extension library also brings us the function of verifying whether the data has been tampered with, that is, the ability to compare signatures on information.

// 信息签名
$key = sodium_crypto_auth_keygen(); // 生成随机签名密钥
$message = '测试认证签名';

// 生成签名
$signature = sodium_crypto_auth($message, $key);
var_dump($signature);
// string(32) "�B�
//                9���l�wn�x���ӛc�ܙ�u^j��"

// 验证签名
var_dump(sodium_crypto_auth_verify($signature, $message, $key));
// bool(true)

All they need is a simple random signature key, and then compare the signature digest with the original text to determine whether the data has been tampered with during transmission.

Hash

Yes, you read that right, the Sodium extension also provides us with a set of Hash encryption functions. However, its use is a bit more complicated, and the generated content is a bit like the content generated by a password hashing algorithm. However, we still recommend using password_hash() in Password Hash Algorithm to generate this type of Hash password.

// Hash
$password = '测试Hash';
$hash = sodium_crypto_pwhash_str(
    $password,
    SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, // 最大计算量
    SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE // 最大RAM量
);
var_dump($hash);
// string(97) "$argon2id$v=19$m=65536,t=2,p=1$VFfdNV4W0MFwLiLPdr9i6g$QDmd5sQToZANYTVEkPVTbPvbY7tuf1ALKU3IXrF44R0"

// 验证 Hash 信息
var_dump(sodium_crypto_pwhash_str_verify($hash, $password));
// bool(true)

Summary

Although we may not have come into contact with it usually, it is true that the Sodium extension still has practical applications under development, since WeChat uses this encryption method. In addition to data encryption, we should also have a deeper understanding of it. However, we still hope that the official can improve the documentation as soon as possible, otherwise we will not be able to systematically learn the contents of this set of extensions.

Test code:

https://github.com/zhangyue0503/dev-blog/blob/master/php/202008/source/PHP%E7%9A%84Sodium%E5%8A%A0%E5%AF%86%E6%89%A9%E5%B1%95%E5%87%BD%E6%95%B0%E4%BA%86%E8%A7%A3.php

Recommended learning: php video tutorial

The above is the detailed content of How to use Sodium encryption extension function in PHP. For more information, please follow other related articles on the PHP Chinese website!