new method for encryption

src/Pkcs11Command.php

@@ -257,6 +257,67 @@ class Pkcs11Command
     /**
      * Encrypt AES key using HSM.
      */
+    // protected function encryptAesKey(string $aesKey, string $filename)
+    // {
+    //     $id_key = $this->getkeypairIdByLabel($this->keyLabel);
+
+    //     $storagePath = public_path("storage/hsm/encryptkey");
+    //     if (!File::exists($storagePath)) {
+    //         File::makeDirectory($storagePath, 0777, true);
+    //     }
+    //     $encryptedKeyPath = $storagePath . '/' . Str::beforeLast($filename, '.') . '.key.enc';
+
+    //     $cmd = '"' . $this->pkcs11_tool . '"'
+    //         . ' --module "' . $this->module . '"'
+    //         . ' --slot ' . $this->slotId
+    //         . ' --login'
+    //         . ' --pin "' . $this->pin . '"'
+    //         . ' --id ' . $id_key
+    //         . ' --encrypt'
+    //         . ' --mechanism RSA-PKCS-OAEP'
+    //         . ' --output-file "' . $encryptedKeyPath . '"';
+
+    //     $pipes = [];
+    //     $process = proc_open($cmd, [
+    //         0 => ["pipe", "r"], // stdin
+    //         1 => ["pipe", "w"], // stdout
+    //         2 => ["pipe", "w"], // stderr
+    //     ], $pipes);
+
+    //     if (!is_resource($process)) {
+    //         throw new \RuntimeException("Failed to start pkcs11-tool process.");
+    //     }
+
+    //     fwrite($pipes[0], $aesKey);
+    //     fclose($pipes[0]);
+
+    //     $stdout = stream_get_contents($pipes[1]);
+    //     $stderr = stream_get_contents($pipes[2]);
+
+    //     fclose($pipes[1]);
+    //     fclose($pipes[2]);
+
+    //     $returnCode = proc_close($process);
+
+    //     if ($returnCode !== 0) {
+    //         Log::error("Failed to encrypt AES key", [
+    //             'stdout' => $stdout,
+    //             'stderr' => $stderr,
+    //             'code' => $returnCode,
+    //         ]);
+            
+    //         $this->logger('AES Key Encrypted', '', 'AES Key Encrypted Failed');
+
+    //         throw new \RuntimeException("Failed to encrypt AES key: $stderr");
+    //     }
+
+    //     Log::info('AES key encrypted', ['path' => $encryptedKeyPath]);
+        
+    //     $this->logger('AES Key Encrypted', '', 'AES Key Encrypted Successful');
+
+    //     return $encryptedKeyPath;
+    // }
+
     protected function encryptAesKey(string $aesKey, string $filename)
     {
         $id_key = $this->getkeypairIdByLabel($this->keyLabel);
@@ -267,51 +328,54 @@ class Pkcs11Command
         }
         $encryptedKeyPath = $storagePath . '/' . Str::beforeLast($filename, '.') . '.key.enc';
 
-        $cmd = '"' . $this->pkcs11_tool . '"'
-            . ' --module "' . $this->module . '"'
-            . ' --slot ' . $this->slotId
-            . ' --login'
-            . ' --pin "' . $this->pin . '"'
-            . ' --id ' . $id_key
-            . ' --encrypt'
-            . ' --mechanism RSA-PKCS-OAEP'
-            . ' --output-file "' . $encryptedKeyPath . '"';
+        $storagePath = public_path("storage/hsm/key");
+        if (!File::exists($storagePath)) {
+            File::makeDirectory($storagePath, 0777, true);
+        }
+        $key_der = $storagePath . '/' . Str::beforeLast($filename, '.') . '.der';
+
+        $storagePath = public_path("storage/hsm/keypem");
+        if (!File::exists($storagePath)) {
+            File::makeDirectory($storagePath, 0777, true);
+        }
+        $key_pem = $storagePath . '/' . Str::beforeLast($filename, '.') . '.pem';
+
+        $extract_key = '"C:\Program Files\OpenSC Project\OpenSC\tools\pkcs11-tool.exe" --module "C:\Program Files\Utimaco\SecurityServer\Lib\cs_pkcs11_R3.dll" --slot 1 --read-object --type pubkey --id 01 > "'.$key_der.'"';
+        $this->runShellCommand($extract_key, 'Failed to extract key in HSM');
+
+        $convert_key = 'openssl rsa -pubin -inform DER -in "'.$key_der.'" -outform PEM -out "'.$key_pem.'"';
+        $this->runShellCommand($convert_key, 'Failed to convert key');
+
+        $cmd = 'openssl pkeyutl -encrypt -pubin -inkey ' . escapeshellarg($key_pem) .
+                ' -pkeyopt rsa_padding_mode:oaep ' .
+                ' -pkeyopt rsa_oaep_md:sha256 ' .
+                ' -pkeyopt rsa_mgf1_md:sha256 ' .
+                ' -out ' . escapeshellarg($encryptedKeyPath);
 
-        $pipes = [];
-        $process = proc_open($cmd, [
+            $descriptorspec = [
                 0 => ["pipe", "r"],   // stdin
                 1 => ["pipe", "w"],   // stdout
-            2 => ["pipe", "w"], // stderr
-        ], $pipes);
+                2 => ["pipe", "w"]    // stderr
+            ];
 
-        if (!is_resource($process)) {
-            throw new \RuntimeException("Failed to start pkcs11-tool process.");
-        }
+            $process = proc_open($cmd, $descriptorspec, $pipes);
 
-        fwrite($pipes[0], $aesKey);
+            if (is_resource($process)) {
+                fwrite($pipes[0], $aesKey); // send AES key directly
                 fclose($pipes[0]);
 
-        $stdout = stream_get_contents($pipes[1]);
                 $stderr = stream_get_contents($pipes[2]);
-
-        fclose($pipes[1]);
                 fclose($pipes[2]);
 
-        $returnCode = proc_close($process);
-
-        if ($returnCode !== 0) {
-            Log::error("Failed to encrypt AES key", [
-                'stdout' => $stdout,
-                'stderr' => $stderr,
-                'code' => $returnCode,
-            ]);
-            
-            $this->logger('AES Key Encrypted', '', 'AES Key Encrypted Failed');
+                $exitCode = proc_close($process);
 
+                if ($exitCode === 0) {
+                    Log::info('AES key encrypted Success', ['path' => $encryptedKeyPath]);
+                } else {
+                    Log::info('AES key encrypted Failed', ['path' => $encryptedKeyPath]);
                     throw new \RuntimeException("Failed to encrypt AES key: $stderr");
                 }
-
-        Log::info('AES key encrypted', ['path' => $encryptedKeyPath]);
+            }
 
         $this->logger('AES Key Encrypted', '', 'AES Key Encrypted Successful');