Sample code for 30+ languages & platforms
PHP Extension

Yubikey RSA Encrypt/Decrypt

See more RSA Examples

Demonstrates how to do RSA decryption using a private key stored on a Yubikey (or other USB token or smartcard).

Note: RSA encryption uses the public key, which is freely exportable and does not need to occur on the token/smartcard.

Chilkat PHP Extension Downloads

PHP Extension
<?php

include("chilkat.php");

$success = false;

// This example assumes you have a certificate with private key on the Yubikey token.
// When doing simple RSA encryption/decryption, we don't actually need the certificate,
// but we'll be using the private key associated with the certificate.
// 
// The sensitive/secret material that needs to be kept private is the private key.
// The certificate itself and the public key can be freely shared.
// 

// We're going to encrypt and decrypt 32-bytes of data.
$bd = new CkBinData();
$success = $bd->AppendEncoded('000102030405060708090A0B0C0D0E0F','hex');
$success = $bd->AppendEncoded('000102030405060708090A0B0C0D0E0F','hex');

// Let's get the desired cert.
// For this example, a self-signed certificate with a 2048-bit RSA key was generated in slot 9A.
$cert = new CkCert();

// Force Chilkat to use PKCS11 over ScMinidriver (if on Windows) and Apple Keychain (if on MacOS)
$cert->put_UncommonOptions('NoScMinidriver,NoAppleKeychain');

$cert->put_SmartCardPin('123456');

$success = $cert->LoadFromSmartcard('cn=chilkat_test_2048');
if ($success == false) {
    print $cert->lastErrorText() . "\n";
    exit;
}

// RSA encrypt using the public key.
$rsa = new CkRsa();

// Provide the RSA object with the certificate on the Yubkey.
$success = $rsa->SetX509Cert($cert,true);
if ($success == false) {
    print $rsa->lastErrorText() . "\n";
    exit;
}

// RSA encrypt using the public key.
$usePrivateKey = false;
$success = $rsa->EncryptBd($bd,$usePrivateKey);
if ($success == false) {
    print $rsa->lastErrorText() . "\n";
    exit;
}

print 'RSA Encrypted Output in Hex:' . "\n";
print $bd->getEncoded('hex') . "\n";

// Now let's decrypt, using the private key on the Yubikey.
$usePrivateKey = true;
$success = $rsa->DecryptBd($bd,$usePrivateKey);
if ($success == false) {
    print $rsa->lastErrorText() . "\n";
    exit;
}

print 'RSA Decrypted Output in Hex:' . "\n";
print $bd->getEncoded('hex') . "\n";

?>