openssl_decrypt

(PHP 5 >= 5.3.0, PHP 7, PHP 8)

openssl_decrypt — 解密数据

说明

openssl_decrypt ( string $data , string $method , string $key , int $options = 0 , string $iv = "" , string $tag = "" , string $aad = "" ) : string

采用原始或base64编码的字符串，并使用给定的方法和密钥对其进行解密。

参数

data: 将被解密的密文。
method: 加密算法，使用openssl_get_cipher_methods()函数获取可用的加密算法列表。
key: 密钥。
options: options can be one of OPENSSL_RAW_DATA, OPENSSL_ZERO_PADDING.
iv: 非空的初始化向量。
tag: AEAD密码模式中的身份验证标签。如果是错误的，验证失败，函数返回false.
aad: 额外的认证数据。

返回值

The decrypted string on success 或者在失败时返回 false.

错误／异常

如果通过method参数传递的是一个未知的加密算法，将会抛出一个 E_WARNING 等级的错误。

如果通过iv参数传递的是一个空值，将会抛出一个 E_WARNING 等级的错误。

更新日志

版本	说明
5.3.3	添加 `iv` 参数。
5.4.0	将 `raw_output` 更改至 `options`。
7.1.0	添加了 `tag` 和 `aad` 参数。

参见

openssl_encrypt() - 加密数据

User Contributed Notes

markagius dot co dot uk 16-Apr-2017 09:35


openssl_decrypt(..) works with most but not all method types.

This list can vary, depending on the data (Message) and key (Password) used.



See the following code and edit the $text and $password values.

Code checks if text is the same after encrypting then decrypting it.



Note:

  You can still use openssl_encrypt(..) with;

  User enters 'Log-in password'

  (Encrypted and stored using openssl_encrypt)

  Next time.

  User logs-in with 'Log-in password'

  (Check that encrypted 'Log-in password' = stored data)



<CODE>

  // Please edit $password=... and $text=...



  $password = "This is a journey into sound";



  $text = "";

  for($charNo=0; $charNo<=255; $charNo=$charNo+1){

    // if($charNo==127) {$charNo=$charNo+1;}

    if(!$charNo<127){

      // $text = $text."&#x".strtoupper(dechex($charNo)).";";

      $text = $text.chr($charNo);

    } else {

      $text = $text.chr($charNo);

    }

  }



$text = "This is a test message.";



  print "<TABLE BORDER=\"1\">\n";

  print "<TR><TD><B>Encryption type:</B></TD><TD><B>String after converting back:</B></TD></TR>\n";

  $ciphers = openssl_get_cipher_methods();

  for($pointer=0; $pointer<count($ciphers); $pointer=$pointer+1){

    $edit  = EncryptDecrypt($text, true,  $password, $ciphers[$pointer]);

    $check = EncryptDecrypt($edit, false, $password, $ciphers[$pointer]);

    if($text!=$check){

      $info  = $check;

      print "<TR><TD>".$ciphers[$pointer]."</TD><TD>".$info."</TD></TR>\n";

    }

  }

  print "</TABLE>\n";



function EncryptDecrypt($oldText, $encryptIt=true, $password="PASSWORD", $encryptType=""){

  $ciphers = openssl_get_cipher_methods();

  $foundEncType = false;

  for($pointer=0; $pointer<count($ciphers); $pointer=$pointer+1){

    if($ciphers[$pointer]==$encryptType){$foundEncType=true;}

  }

  if(!$foundEncType){

    $encryptType = "RC2-64-CBC"; // Default value used if not set or listed.

  }

  if($encryptIt){

    $newText = openssl_encrypt($oldText,$encryptType,$password);

  } else {

    $newText = openssl_decrypt($oldText,$encryptType,$password);

  }

  return $newText;

}

</CODE>

The following (sometimes) don't work:

    DES-EDE3-CFB1    (sometimes)

    aes-128-gcm

    aes-192-gcm

    aes-256-gcm

    des-ede3-cfb1        (sometimes)

    id-aes128-GCM

    id-aes192-GCM

    id-aes256-GCM

lucianonapoli at yahoo dot it 28-Feb-2017 10:19


The parameter string $password must be in binary form and is derived from the exadecimal key value.



Example:



encrypting in command line console with openssl

openssl AES-256-CBC -K 5ae1b8a17bad4da4fdac796f64c16ecd -iv 34857d973953e44afb49ea9d61104d8c -in doc.txt -out doc.enc.txt



decripting in php

$key = hex2bin('5ae1b8a17bad4da4fdac796f64c16ecd');

$iv = hex2bin('34857d973953e44afb49ea9d61104d8c');



$output = openssl_decrypt($encstr, 'AES-256-CBC', $key, OPENSSL_RAW_DATA, $iv);

Hernanibus 11-Jul-2016 06:04


Parameters may seem obvius to some but not for everyone so:





- $data can be as the description says raw or base64. If no $option is set (this is, if value of 0 is passed in this parameter), data will be assumed to be base64 encoded. If parameter OPENSSL_RAW_DATA is set, it will be understood as row data.





- $password (key) is a String of [pseudo] bytes as those generated by the function openssl_random_pseudo_bytes().





- $options as (as for 2016) two possible values OPENSSL_RAW_DATA and OPENSSL_ZERO_PADDING. Setting both can be done by OPENSSL_RAW_DATA|OPENSSL_ZERO_PADDING. If no OPENSSL_ZERO_PADDING is specify, default pading of PKCS#7 will be done as it's been observe by [openssl at mailismagic dot com]'s coment in openssl_encrypt()





- $iv is as in the case of $password, a String of bytes. Its length depends on the algorithm used. May be the best way to generate an $iv is by:





<?php


    $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('your algorithm'));// for example you algorithm = 'AES-256-CTR'


?>

ittasks at gmail dot com 03-Apr-2013 12:02


in case that hosting do not provide openssl_encrypt decrypt functions - it could be mimiced via commad prompt executions  

this functions will check is if openssl is installed and try to use it by default



function sslPrm()

{

 return array("your_password","IV (optional)","aes-128-cbc");

}

function sslEnc($msg)

{

  list ($pass, $iv, $method)=sslPrm();

  if(function_exists('openssl_encrypt'))

     return urlencode(openssl_encrypt(urlencode($msg), $method, $pass, false, $iv));

  else

     return urlencode(exec("echo \"".urlencode($msg)."\" | openssl enc -".urlencode($method)." -base64 -nosalt -K ".bin2hex($pass)." -iv ".bin2hex($iv)));

}

function sslDec($msg)

{

  list ($pass, $iv, $method)=sslPrm();

  if(function_exists('openssl_decrypt'))

     return trim(urldecode(openssl_decrypt(urldecode($msg), $method, $pass, false, $iv)));

  else

     return trim(urldecode(exec("echo \"".urldecode($msg)."\" | openssl enc -".$method." -d -base64 -nosalt -K ".bin2hex($pass)." -iv ".bin2hex($iv))));

}



//example of usage:

$r= sslEnc("This is encryption/decryption test!");

echo "<br>\n".$r.":".sslDec($r);