Reputation: 789
I am currently trying to add the PayPal buy-now functionality to my custom-created third-party shopping cart. Normally, these buttons only contain information about the specific items being bought, which is inputted manually through the PayPal website for security reasons; however, I also have the option of dynamically creating the information using PHP to inject the correct information. This is all fine, but since the button was not created on the PayPal website, it does not come with the standard encryption that protects it from tampering.
On the PayPal website they outline the method of encryption, which includes using OpenSSL to create the Private Key and Public Certificate, and as a way of encrypting the PayPal button code. Creating the keys and certificates sounds all fine, but when it comes time to encrypt the button code itself, PayPal asks me to manually input a command into the downloaded OpenSSL program to have the encrypted code be outputted. This, however, is impossible for my shopping cart because the shopping cart contents are dynamic and change all the time, thus I need to have a freshly encrypted button every time someone accesses the shopping cart page.
QUESTION: So I was wondering if I could use a PHP function such as openssl_encrypt() to handle the encryption process instead of relying on manual operations. Is this possible? Is this even safe?
Note: The downloaded OpenSSL software is located on my web-server along with the necessary keys
I HIGHLY recommend a quick look at this link for more information about the short encryption procedure outlined by PayPal: https://developer.paypal.com/docs/classic/paypal-payments-standard/integration-guide/encryptedwebpayments/#id08A3I0P0MRO
For the information about inputting the manual commands, click the link and scroll down to the "Use the Downloaded Software to Manually Encrypt the Payment Button Code" heading.
PS: This is my first time dealing with any sort of encryption or OpenSSL
Any ideas?
Upvotes: 0
Views: 378
Reputation: 78
Due to time restrictions I just skimmed the PayPal document.
First, using any sort of encryption without knowing what you're doing is bad and might easily lead to security issues.
But let's look at what you're trying to achieve and what I've "read".
You'll have to upload your public key (NOT your private key) and download their public key (certificate).
The term "Encrypt the payment button code" sounds wrong, as you'll likely only have to encrypt some parameters (but that gets into too much detail for the short time I have).
Anyway, this "button code" has to be (asymmetric) encrypted by using their public key / certificate, which means that only PayPal can decrypt it.
In the next step, this "encrypted button code" has to be signed with your private key. PayPal can then check the authenticity of the message because they are in possession of your public key (and only you're able to sign it - so keep your private key safe!).
string openssl_encrypt ( string $data , string $method , string $password [, int $options = 0 [, string $iv = "" ]] )
or maybe
int openssl_seal ( string $data , string &$sealed_data , array &$env_keys , array $pub_key_ids [, string $method = "RC4" ] )
are the methods that can be used.
Alternatively the openssl binary could be called directly to do the job.
Anyway, you should be careful:
Validate all input carefully, as you might sign malicious data.
If you directly call the binary, be sure that you won't implement any sort of OS command injection vulnerability.
Upvotes: 1
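The two cautions that close the answer above (validate what you sign, and avoid OS command injection when calling the binary), as an added example that is not code from either poster or from PayPal. The field names, their validation rules, the `build_payload` and `run_openssl` helpers and the `dgst` demo call are assumptions for illustration; the actual signing and encryption arguments are the ones in PayPal's guide and would be passed the same way, as fixed strings in the argument array.

```php
<?php
// Added example. Field names, rules and the demo subcommand are assumptions.

// Allow-list of button variables. \A and \z anchor the whole string, so a value
// with an embedded newline (which would add a second field) does not match.
const FIELD_RULES = [
    'item_name'     => '/\A[\w .,-]{1,127}\z/',
    'amount'        => '/\A\d{1,7}\.\d{2}\z/',
    'currency_code' => '/\A[A-Z]{3}\z/',
];

function build_payload(array $fields): string
{
    $lines = [];
    foreach ($fields as $name => $value) {
        $rule = FIELD_RULES[$name] ?? null;
        if ($rule === null || !is_string($value) || preg_match($rule, $value) !== 1) {
            throw new InvalidArgumentException("rejected button field: $name");
        }
        $lines[] = "$name=$value";
    }
    return implode("\n", $lines) . "\n";
}

// Run openssl without a shell: an argv array (PHP 7.4+) is executed directly,
// and the payload is written to stdin, never placed on a command line.
function run_openssl(array $args, string $stdin): string
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(array_merge(['openssl'], $args), $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start openssl');
    }
    fwrite($pipes[0], $stdin);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('openssl failed: ' . trim($err));
    }
    return $out;
}

$payload = build_payload(['item_name' => 'Blue mug', 'amount' => '9.99', 'currency_code' => 'USD']);
// Demo only: dgst stands in for the real step; fixed arguments go in the array.
echo run_openssl(['dgst', '-sha256'], $payload);
```

Prices and item names should come from the server-side cart or product table rather than from request parameters, so the values reaching `build_payload` are ones the shop itself set.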