Your thoughts: I need secure email system integrated into my DB

Lahloob

I'm an advanced PHP programmer, and I have written a complex workflow script for some company that provides services to Banks.

  What's missing now, I need my scrip to be able to send an email to the bank (SSL, Digital signatures, and certificates are VERY essential) and when the Bank replies to the Email (Only authorized should be  able to open the message using private keys), I need to be able to automatically assign this received email to the (RequestID) I sent to the Bank.

Example, my database table looks like this:

where BankReplyText and BankReplyDate is what I get from email using either IMAP, POP or whatever.

My questions are:

--is it possible to do this in PHP?

--How difficult is it?

--Is their a current System with similar capabilities that I can integrate into my System?

--What libraries do I need? IMAP ? OpenSSL? Fsocket ?

I'm looking forward to hear your thoughts

sneakyimp

I believe it's possible to have PHP hold up its end of the bargain, but you will still need to organize the mail clients at the bank to have keys for description and an ability to parse the encrypted email.

for that, this link might be helpful:
http://itt.theintegrity.net/pmwiki.php?n=ITT.ThawtePersonalEmailCertificates

for the php side, you might want to look into PEAR mail or phpmailer or xpermailer or something. i don't know how similar 'secure mail' is to secure sockets layer, but i do know that SSL is transport layer as opposed to application layer which suggests that there might be some weird key-sharing stuff that goes on before apache or php get involved. the situation might be similar for mail.

sneakyimp

ps: there might be a solution here but i'm not a member of experts exchange:

http://www.experts-exchange.com/Web/Web_Languages/PHP/Q_21859996.html

Lahloob

No worries about Bank clients being able to decrypt messages, since we can have access to the PKI system in the Central Bank which controls all Banks.

The code at Experts-exchange is a good core for kicking off, I liked it and I definitely will consider it, especially the part of using OpenSSL, which I've never used in PHP before.

I need to look at what phpmailer and PEAR mail and the others can offer for me.

I'll keep this thread posted until I find the ultimate solution and share it for everyone.

Thanks sneakyimp..

I hope to hear more thoughts about this..

sneakyimp

I tried reading the comments on openssl_pkcs7_encrypt here:

http://us3.php.net/openssl_pkcs7_encrypt

Apparently it's not as simple as it might seem:

According to RFC 2311, you can encrypt then sign or sign then encrypt. However, it depends on the client in which you are programming for. In my experience, in Outlook 2000, it prefers it Encrypt then Sign. While in Outlook 2003, it is Sign then Encrypt.

HOWEVER, that same comment does offer this code:

<?
// Setup mail headers.
$headers = array("To" => "someone@nowhere.net",
     "From" => "noone@somewhere.net",
     "Subject" => "A signed and encrypted message.");

// Sign the message first
openssl_pkcs7_sign("msg.txt","signed.txt",
     "signing_cert.pem",array("private_key.pem",
     "password"),array());

// Get the public key certificate.
$pubkey = file_get_contents("cert.pem");

//encrypt the message, now put in the headers.
openssl_pkcs7_encrypt("signed.txt", "enc.txt",
     $pubkey,$headers,0,1);

$data = file_get_contents("enc.txt");

// separate header and body, to use with mail function
//  unfortunate but required, else we have two sets of headers
//  and the email client doesn't decode the attachment
$parts = explode("\n\n", $data, 2);

// send mail (headers in the Headers parameter will override those
//  generated for the To & Subject parameters)
mail($mail, $subject, $parts[1], $parts[0]);
?>

EDIT: be sure to read the comments. i don't really know whose public cert he is referring to...the server's or the client's?