Forum OpenACS Q&A: example: using openssl to encrypt/decrypt cc information

I built these functions two encrypt and decrypt credit card information using openssl. I'm going to ask some questions about these functions in the next thread.

Is there a file storage module on the new openacs server?

Would you send me your credit card information so I can test these functions?

If you help me improve these functions, I will happily send you some credit card numbers that will work with verisign servers.

ad_proc cc_encrypt {
    passphrase  crypto  cc_number  cc_name  cc_type
    cc_exp_month  cc_exp_year  cc_address
    cc_city  cc_state  cc_zip
} {
    Encrypts the cc information according to various crypto parameters
    and crypto schemes.  Schemes: Plaintext (nothing) and openssl-bf (blowfish)

} {

    set plaintext "${cc_number}__:__${cc_name}__:__${cc_type}__:__${cc_exp_month}__:__${cc_exp_year}__:__${cc_address}__:__${cc_city}__:__${cc_state}__:__${cc_zip}"

    switch $crypto {
        plaintext -
        default {
            # plaintext noop
            return $plaintext
        }
        openssl-bf {

            set plainfilename [ns_mktemp /tmp/cc-XXXXXX]
            set plainfd [open $plainfilename w]
            puts -nonewline $plainfd $plaintext
            close $plainfd
            
            set cryptfilename ${plainfilename}.crypt
            exec openssl bf -pass pass:${passphrase} -in $plainfilename -out $cryptfilename
            file delete $plainfilename
            
            set cryptfd [open $cryptfilename r]
            fconfigure $cryptfd -translation binary
            set crypt [read $cryptfd]
            close $cryptfd
            
            file delete $cryptfilename

            return $crypt
        }
    }
}

ad_proc cc_decrypt {
    passphrase
    crypto
    encrypted_string
} {
    Decrypts the cc information according to various crypto parameters
    and crypto schemes.  Schemes: plaintext and openssl-bf (blowfish)

} {
    switch $crypto {
        plaintext -
        default {
            # plaintext noop
            set decrypted_string $encrypted_string
        }
        openssl-bf {

            set cryptfilename [ns_mktemp /tmp/cc-de-XXXXXX]
            set cryptfd [open $cryptfilename w]
            fconfigure $cryptfd -translation binary
            puts -nonewline $cryptfd $encrypted_string
            close $cryptfd
            
            set plainfilename ${cryptfilename}.plain
            exec openssl bf -pass pass:${passphrase} -in $cryptfilename -out $plainfilename -d
            
            set plainfd [open $plainfilename r]
            set decrypted_string [read $plainfd]
            close $plainfd
            
            file delete $plainfilename
            file delete $cryptfilename

        }
    }

    if {[regexp {^(.*)__:__(.*)__:__(.*)__:__(.*)__:__(.*)__:__(.*)__:__(.*)__:__(.*)__:__(.*)$} $decrypted_string match cc_number cc_name cc_type cc_exp_month cc_exp_year cc_address cc_city cc_state cc_zip]} {
        return [list cc_number $cc_number cc_name $cc_name cc_type $cc_type cc_exp_month $cc_exp_month cc_exp_year $cc_exp_year cc_address $cc_address cc_city $cc_city cc_state $cc_state cc_zip $cc_zip]
    } else {
        return [list error error]
    }
}

Scott Goodwin pointed me to ns_encrypt, an AOLserver module available at sourceforge that will encrypt a string using des3, bf, idea, or public key mechanisms.

And of course the advantage is that it would not require a fork for each card procesed.

The only drawback of this approach is that if you have a doublequote character, the "echo" command will get confused. I really would prefer to have something like "ns_encrypt" working but I'll need to get deeper into it.