PHP hackers wanted -- here's a seed

Brad Fitzpatrick brad at
Thu May 26 15:19:33 PDT 2005

On Fri, 27 May 2005, Phillip Pearson wrote:

> function create_dsa_key_pair()
> 	-> returns array($private_key, $public_key)
> function dsa_sign_message($private_key, $message)
> 	-> returns $signature

dsa_sign_message, sure, that's easy and you need it all the time.

But why do you need create_dsa_key_pair in PHP?  You only need to recreate
your keypair once at the beginning, and only thereafter whenever you get
hacked or paranoid.  Since you have to store the keypair somewhere
anywhere (disk, database), why not just use openssl binary, or some Perl
script to do it, and store it?  If people don't have openssl/shell access,
your server code could require that they make a keypair on another machine
and upload it to a special protected directory (outside the web root)

If you want to do signing in PHP, look at the latest version of Crypt::DSA
(0.13, I believe) on CPAN.  It's a pure-perl version which should be easy
to port.

I'd really ignore the key generation part.  The pure-perl version of that
in Crypt::DSA is really, really slow, such that it defaults to looking for
your openssl binary unless you specify PurePerl => 1 to it.  You have to
do lots of strong random number generation, then lots of primality
testing, both of which are hard to get right/fast.

- Brad

More information about the yadis mailing list