I want to generate ssh keypair from php can anyone please guide me how to do it? I have tried the shell_exec but the shell asks questions so that command does not work. I would like to specify filename and path in which to put the keys after generation.
This is based on Converting an OpenSSL generated RSA public key to OpenSSH format (PHP). Thanks shevron.
<?php
$rsaKey = openssl_pkey_new(array(
'private_key_bits' => 1024,
'private_key_type' => OPENSSL_KEYTYPE_RSA));
$privKey = openssl_pkey_get_private($rsaKey);
openssl_pkey_export($privKey, $pem); //Private Key
$pubKey = sshEncodePublicKey($rsaKey); //Public Key
$umask = umask(0066);
file_put_contents('/tmp/test.rsa', $pem); //save private key into file
file_put_contents('/tmp/test.rsa.pub', $pubKey); //save public key into file
print "Private Key:\n $pem \n\n";
echo "Public key:\n$pubKey\n\n";
function sshEncodePublicKey($privKey) {
$keyInfo = openssl_pkey_get_details($privKey);
$buffer = pack("N", 7) . "ssh-rsa" .
sshEncodeBuffer($keyInfo['rsa']['e']) .
sshEncodeBuffer($keyInfo['rsa']['n']);
return "ssh-rsa " . base64_encode($buffer);
}
function sshEncodeBuffer($buffer) {
$len = strlen($buffer);
if (ord($buffer[0]) & 0x80) {
$len++;
$buffer = "\x00" . $buffer;
}
return pack("Na*", $len, $buffer);
}
?>
I would use phpseclib, a pure PHP RSA implementation:
<?php
include('Crypt/RSA.php');
$rsa = new Crypt_RSA();
$rsa->setPublicKeyFormat(CRYPT_RSA_PUBLIC_FORMAT_OPENSSH);
extract($rsa->createKey());
echo "$publickey\r\n\r\n$privatekey";
?>
Sample output:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZw== phpseclib-generated-key
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUp
wmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ5
1s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQABAoGAFijko56+qGyN8M0RVyaRAXz++xTqHBLh
3tx4VgMtrQ+WEgCjhoTwo23KMBAuJGSYnRmoBZM3lMfTKevIkAidPExvYCdm5dYq3XToLkkLv5L2
pIIVOFMDG+KESnAFV7l2c+cnzRMW0+b6f8mR1CJzZuxVLL6Q02fvLi55/mbSYxECQQDeAw6fiIQX
GukBI4eMZZt4nscy2o12KyYner3VpoeE+Np2q+Z3pvAMd/aNzQ/W9WaI+NRfcxUJrmfPwIGm63il
AkEAxCL5HQb2bQr4ByorcMWm/hEP2MZzROV73yF41hPsRC9m66KrheO9HPTJuo3/9s5p+sqGxOlF
L0NDt4SkosjgGwJAFklyR1uZ/wPJjj611cdBcztlPdqoxssQGnh85BzCj/u3WqBpE2vjvyyvyI5k
X6zk7S0ljKtt2jny2+00VsBerQJBAJGC1Mg5Oydo5NwD6BiROrPxGo2bpTbu/fhrT8ebHkTz2epl
U9VQQSQzY1oZMVX8i1m5WUTLPz2yLJIBQVdXqhMCQBGoiuSoSjafUhV7i1cEGpb88h5NBYZzWXGZ
37sJ5QsW+sJyoNde3xH8vdXhzU7eT82D6X/scw9RZz+/6rCJ4p0=
-----END RSA PRIVATE KEY-----
Source: http://phpseclib.sourceforge.net/rsa/examples.html#openssh
Has anybody tried this?
ssh-keygen -q -N place_your_passphrase_here -t rsa -f ~/.ssh/id_rsa
It's worked for me
Check the manpage of ssh-keygen to find out how to execute it without any prompts.
http://linux.die.net/man/1/ssh-keygen
This code uses only built-in PHP openssl functions.
It generates keys in a portable PEM format, suitable for use with most 3rd party software.
<?php
function generateRsaKeyPair(array $config = []): array
{
$config = array_merge([
'digest_alg' => 'sha512',
'private_key_bits' => 2048,
'private_key_type' => OPENSSL_KEYTYPE_RSA,
], $config);
// Create the keypair
$key = openssl_pkey_new($config);
if (!$key) {
throw new RuntimeException('Unable to generate RSA key pair');
}
// Get private key
openssl_pkey_export($key, $private);
if (!$private) {
throw new RuntimeException('Unable to extract private key');
}
// Get public key
$public = openssl_pkey_get_details($key)['key'] ?? null;
if (!$public) {
throw new RuntimeException('Unable to extract public key');
}
// Free key from memory
openssl_pkey_free($key);
// Return both keys
return compact('public', 'private');
}
Related
Introduction
Hello, when signing a simple string Hello World! I get a signature that is different from any other library I'm using. I already double checked padding, algorithm, key pair, hash and input text.
Code
<?php
/*
$config = array(
"digest_alg" => "sha256",
"private_key_bits" => 4096,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
);
$resource = openssl_pkey_new ($config);
// Extract the private key from $res to $privKey
openssl_pkey_export($resource, $privKey);
// Extract the public key from $res to $pubKey
$pubKey = openssl_pkey_get_details($resource);
$pubKey = $pubKey["key"];
echo var_dump($privKey) . "\n" . $pubKey;
*/
//require __DIR__ . '/../vendor/autoload.php';
require __DIR__ . '/../vendor/autoload.php';
use phpseclib\Crypt\RSA;
$privatekey = "-----BEGIN RSA PRIVATE KEY-----
MIIJJwIBAAKCAgEAn4CD0nFHCeM3DQkCWfXuqRVlX4rbqEk43lMgEns4DnTldrSl
1oaD9YOnwGktk7MaCf80AAZv2O4a9LIfvMxBf+LshgqTOAgvr1qy9bIkn0o/BBNY
bwOTCEnbvSha6uHlexpr31aRvzj8km4uzeBusUyJaXgF8ZMcp0UmThhdYlHhWP1E
uajkbXS8/zlD2F4TVaiPgvupIoWC62PMe5QvNWjrxOYSNwiV29QVxnHt8xm5Vx1J
ET1A4uUCVnOUQ5L+zBv+BYhCHr03j6aq+Z1aKHpEsYtCQPRCJJ/+r24+yd8tMJ2u
63feVCcSOfuZTYG8Qlr5wZICuGimneeKWpauOCqmb7osVDZfY7e2xSxnbjabtVqn
i43NWB0CcXwQ4fIbHX0/JdWmLbupIhTBJDzO6CCpyE506UZJGZOu7t16FBwGVLh3
jE1nLxwIbswv7oiN9fFBP+2eebvyuEvkSwYevGc16Mh4qfnHARwhiG0aflrUbf8h
ls2NrvCRTm7mRIjCBZe8rM7VWyZbUaA8DI8NE3/PnwjvRWLdmEqM2ShVBuDnDpeD
x46x58B1HZqeGx7HwfL/x/fSRG3uvBAG/lqKmq3o1E1gmauHm6jcnHOUftlt6nv0
xfqboScJYVgPkNT0l3rzKUtNwI3Bh0X/Yhy4ikEl9DTSFOhWa9ReUwYOqVMCAwEA
AQKCAgA3LG9tBj46j1xlp+4mTEooNvyAFjpxdhKz5TE8816qsYkGjOqo0JMpBEes
6TUY2GVze9HzCEb8VTEB3/PWjRlDMa37mADg6wQDtm4dS2gbqcUulbqLfEMKJPJb
9m+svENzV+pksT9tVDsaM/8AvFfOANmvoBL+Q5Mv0V20ufzjm8tFyyZQyrlpm24d
IyPy3mf1w38RIhiZlnF5F2aOgO3rncWgsK0wWEnuZui5YoObChTwq3KxAe1GD03F
teldjqWQ2UX/h+jHVVC44kBWZDXhtpm4iKF8coHGxYmGCa6yif7JyGHPlgFUPsex
QvT+uJf0pB+s8+L5A0pPaN6VA3Zz7sE1/XgLBj8qFhjsyPYL7Q4ikB4svtzLZ4vG
1wCP1v+V5KCl9d4jcIbm7ZxrRbFuFZimxE+/vUiaZQv30/fzOzppWYw1giGuMcQu
ttXsgfTkrq33hJI0u4RmYG5rknpZ2/a2QE2OZoTEMVnO3jn+Qz5grwH7oWQW85U0
GKwkHOP0GQ/JFgLeZ6oWDuR3tY75sQFoDORY3xYFXiz6L9jjIKCAsu8GwdnoaQwY
nzY7hi7BnaKaaSkI6myHWXg0k5o71HQiysUJzdbbWD/PvhTfkjolcGR1fRBu/L4U
8+DN0eJEvuwrwfDAIQJX+0bfi8pOhV4PmyvQSjSombv5g85L4QKCAQEA4QMbuiXf
Z1+nzFefwyz6lNq8zmek6PlakXiwDdH7WUtfeV0y9cn08TU9dLjqO0qXmfGjBhIz
OP3kHa3i3lHvnF964tq4cstU0juLwLjES4q3kdr+Np3C8lukoDPwcaQhL+/MOfGi
ZDHvCTQejzYmxpstwcAP9gITkH5CMvVTMInJKGXpSBbEAahTgklaoXMRLFKLqo0e
TJCCEdzVDYELjzk40G5fmombfFLN2wURMgkRf3aIttFNXoNKdK8VPmPHU0wVFi+Z
7pkVkhLV4B9UJZUwwVLO0rC4sIQ22SozZQ3m5ATYg7/tKgd7d9UeWXOKdjwUNUC+
ko82FFufVB1/WwKCAQEAtXfSODGK8EOwNMinI9xUkK3M9MOmzqNRIMQQwz1PcOkS
jE/c5LzKnTYVlVtaB7J7CsPXLFoVR+XUK0oCQ2kyN4rLPrpPwD0gvKPvXVnnAR/O
bI8iFwOuNVR5odU2XcGtXuGg+7SB+JqeUy50o65QP11pAzHXv4ptvCD2tk22dD8u
WmGl5bElzmWNVua33h+KISJoa4vBu3/rmfq+09qn5VfoNpxsE62udF6juhmbOz8z
H4pUpP5SYI0NfOdqI8a16wVHR4t3uMTGA7DdV8JAxzR95UBmZFsQbMvtj+HvfGmE
YKBeCRy+BuW8mrT+mat2o1xemG3ROCicDiXaQADXaQKCAQBh9Qt2H5TBmSgg0qjP
vF4evZdiuEZX0m52VDc43QhymFipKkTMMi67b7UggnwecdvL/iE9vGCmWAmeThwt
MziAOCT0a8nO1+xGVfwCW63BQVOnYNI5DrdW8USbJeFwZ8a26stbEnHi8sYgmJsR
N77ryZTC+403STIhPoYtTxX3VJTJTIyhgJ+2JQSt/KdDECgSxqDdD/B33pVxl1T9
OwfAQ2YTf2mJioyxNA9AYVVaFg6TEhR0mmv3UGryn2I9Ng0Jm162uORntido32BS
4PCuJ+QA1b8KhDrzRavnIPMc9E9nRyDHQp/KI1XCFnrO8Hj//inCATy16zjc5gJY
CTtvAoIBAClXHKr0jmRh5zh/JaSDwzgagACauduFVSwTvoXb58cfMbyJTRdG8xmR
gqU95GqwfFtddh2CgCqa7xTVjWJyCqCgm+C0bQqsYlLXPeaUXo3hAxO0H94CVqOL
lRILEpGVV7uvxw7QdnN+NedZQ/Ut9tYYn528sxvNm2YqVEn/tjsRUawBZtvG2YgF
lodflC+kG8GkpwkpE391iuTPPL3iqDEVL6+RPwXUoVOdY8s3nieHJExhJRtZXMbm
G1aDGakA0dyynSRtX17WZQ3eMu6VMFCxYqThYPIn1LwUURBgNkCvgRrKLeIBjEDi
AW91IDM93o8kseAj1G/owHRwpyHBj1ECggEAASOlqfGjCyRQPS4Cb4F87DOTl9bH
tPiFXqnARdajeMhbCKhhOhDMOQpqGMlskTcg2vOum1drvKGeTHtuQqlIyu2W5IRX
SxazFVscOmvQ1UbSlR7coL0NiXU7v1xuZYNUZyrgnYme4UsoegvTEYcHCXmsz3ji
HanMxaRzToSiNY2MOPYv1Obrr48IiktPz+XVSQYiiPOJeQuETdkiNVOS2+epVjbr
fVvRCtUbQl4akkpK7xK0gbD+TnMIeozwAK3aXDwiaLiHzmws1hWf6zDYGc8B9F8N
VqiqLc7ek40r66miDPnqHxLuvv+DKMYCxctqPAxikqDzYgvmzBlgrMRXZQ==
-----END RSA PRIVATE KEY-----
";
$publicKey = "-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAn4CD0nFHCeM3DQkCWfXu
qRVlX4rbqEk43lMgEns4DnTldrSl1oaD9YOnwGktk7MaCf80AAZv2O4a9LIfvMxB
f+LshgqTOAgvr1qy9bIkn0o/BBNYbwOTCEnbvSha6uHlexpr31aRvzj8km4uzeBu
sUyJaXgF8ZMcp0UmThhdYlHhWP1EuajkbXS8/zlD2F4TVaiPgvupIoWC62PMe5Qv
NWjrxOYSNwiV29QVxnHt8xm5Vx1JET1A4uUCVnOUQ5L+zBv+BYhCHr03j6aq+Z1a
KHpEsYtCQPRCJJ/+r24+yd8tMJ2u63feVCcSOfuZTYG8Qlr5wZICuGimneeKWpau
OCqmb7osVDZfY7e2xSxnbjabtVqni43NWB0CcXwQ4fIbHX0/JdWmLbupIhTBJDzO
6CCpyE506UZJGZOu7t16FBwGVLh3jE1nLxwIbswv7oiN9fFBP+2eebvyuEvkSwYe
vGc16Mh4qfnHARwhiG0aflrUbf8hls2NrvCRTm7mRIjCBZe8rM7VWyZbUaA8DI8N
E3/PnwjvRWLdmEqM2ShVBuDnDpeDx46x58B1HZqeGx7HwfL/x/fSRG3uvBAG/lqK
mq3o1E1gmauHm6jcnHOUftlt6nv0xfqboScJYVgPkNT0l3rzKUtNwI3Bh0X/Yhy4
ikEl9DTSFOhWa9ReUwYOqVMCAwEAAQ==
-----END PUBLIC KEY-----
";
$rsa = new RSA();
$rsa->loadKey($privatekey);
$rsa->loadKey($publicKey);
$rsa->setHash('sha256');
$rsa->setMGFHash('sha256'); // Added to see if it made a difference. It made no difference
//$rsa->setSaltLength($sLen)
$rsa->setEncryptionMode(RSA::ENCRYPTION_PKCS1); // Added to see if it made a difference. It made no difference
$rsa->setSignatureMode(RSA::SIGNATURE_PKCS1);
$plaintext = 'Hello World!';
$signature = $rsa->sign($plaintext);
$rsa->verify($plaintext, $signature);
echo base64_encode($signature);
?>
Output vs expected output
Output: Zhy04W5K+Xjhd3isDi3rlqpUgGAmcTKpW7HEPQiG8eIaxqPVqOilw60zOcS1GDuPn2b5Z1UWyvBNbw3r5fK9JSxAXCGFtbe/Fd8nGtAsCe9RW9oQ14OCwpuqWFJwADdax0GAh0KC/2JpmHYu+GG8IfESgG4NPxwe36r861jdIW9icsmcRUQOpfCkIsKClbwBhS74oIQAmbxMl23hNqzue6I7+onlZxNqnVH1XLPsMZghx1CkkpVGnSm6bHmiz01AFTF9U5oHto5MLLy1UMIhFDOFOxNHwC4ISK8kC8vnfUkm3nM3GQMD+yvDYPKLse0dYBPUcmFwiErSOkG8guA5IG4nWCkM2V5GpBHPwsGFpckjKOUvsuq+8g3ILqkW5IZSBUDaTSsHUd0CxD05DzZOGOBQ5Lhm3vMm2kbO5uwlTYbZX5deLJLOJivCip56CGX4GpAfT/VRctLyl5NL2CwVE3zUKMTnOj/NLoU7Liqw4WaYKekB2vTCUWcse8mdX1ZiUNxW3EHiXiEGB1yzVxPE0QaLdcfK3pyVVpkd5cxHOdXI5Zg/5RkADYiueyO/1oIObzHPEcAvdoj5fxW5XKnFPux6KzjWdqnqVyZXKNSZquJodn0408n2NGLrEukOVlMaixnNgvj7lmHtz/UlN0FNRzCHwVDl4q3uOiVPfRmj+28=
Expected output: J8iGPq9MWUHnzHYJqNE3y/o41uZXTdr+JGOl7YN06qIv+vbylgL367Y8B0jA/LYPcPIJDpUs991DdHEgFAE/+JkVYcrKZpmGXSFvR3RWaTe3DQZMoeD07iaOElJXVn6XBWbU77hCDUMkWXwWHbH9Ybs9BDyq8VHCrhHXgo4zyRNHB+Hb4LLVPyFCv+nQ8d6wCbY14ecyMiL5xS27g78aAg+87uTaq/naLPiSUftKiq0/ih9/Jk6IxrSLsfF4XRD2uAe5jruUMe+wZmzzYeS1syl1nto2FX/28k/z2c8Bt1Rr7nl4E6uiEKO2jYknBkwvJ2MVmbiANpeal534GRvBWaHvTGU/kZa4hEjDkRbZJ/byvLIOMrafoCQfmHYVBLS1OkVEraa34LIqla38VAV7QQGtUrq4ehYsJ16daacysCkJcuvyYz0qNoSvBV9Knh727eEbkLHrYkjf7LjYvWkVXt82AwdohzlnbQb/Ge1BhR+tV0jmC5ztpHE6xzRqkjuNU3mYKjE/Jp+udKokNXcPZcbCrFhA8MY6ay/ldy8ySYl3vTdzE0d8FzIVn/z8fBJme/nCDLeP8/bRja+dpwKwWO0c9k/cyKs0M0YEyZ/PF/CYm/sPBMZHFY4cJacVqrkbnFgEWSAnEJ8SLCqLNXKQR/4hOhlC9sF3asMCkGszrgc=
Additional details
I'm sure I'm using:
RSA
SHA256
PKCS1
Hello World! as input text
You can check using openssl or 8gwifi RSA Signature/Generation & Validation (make sure you paste the keys provided and change the signature algorithm to SHA256withRSA)
Found the problem. When loading the keys you can't load both. You need to load the one you need, do whatever operation you need and then load the other one for the next operation.
I have a code that makes the transformation but need to do it with native PHP functions because it is not activated support for running exec:
exec("openssl pkcs8 -inform DER -in 'archivo.key' -out 'archivo.key.pem' -passin pass:'lacontrasena'");
Someone can help me translate this into native PHP functions? It can be openssl or a library.
//Updated
This is my code using der2pem function:
function der2pem($der_data) {
$pem = chunk_split(base64_encode($der_data), 64, "\n");
$pem = "-----BEGIN PRIVATE KEY-----\n".$pem."-----END PRIVATE KEY-----\n";
return $pem;
}
$keyfile = 'myFileDER.key';
$keyFileContent = file_get_contents($keyfile);
$pemContent = der2pem($keyFileContent);
file_put_contents('llavetemp.pem', $pemContent);
$private_key1 = openssl_pkey_get_private($pemContent);
var_dump($private_key1);
The var_dump return boolean false
You can easily use uri2x's answer and a few informations from the first google result. PEM is just the base64-encoded form of the binary DER file.
Some Metadata is added and you can do everything with it.
so if you modify the function (posted by uri2x!) to the following:
function der2pem($der_data, $type='CERTIFICATE') {
$pem = chunk_split(base64_encode($der_data), 64, "\n");
$pem = "-----BEGIN ".$type."-----\n".$pem."-----END ".$type."-----\n";
return $pem;
}
you can now call it:
$private_key=file_get_contents('archivo.key');
file_put_contents('archivo.key.pem',der2pem($private_key,'PRIVATE KEY');
and you can transform nearly everything which needs to bee transferred in crypto-concerns:
//certificates
$private_key=file_get_contents('certificate');
echo der2pem($private_key,'CERTIFICATE');//here, certificate isn't even required because it's the default
//GPG/PGP Public Keys
$pgp_public_key=file_get_contents('pgp_public_key');
echo der2pem($private_key,'PGP PUBLIC KEY BLOCK');
//CSR
$certificate_signing_request=file_get_contents('csr');
echo der2pem($private_key,'CERTIFICATE REQUEST');
...and many others!
See dan's comment on php.net:
Use the following code to convert from DER to PEM and PEM to DER.
<?php
$pem_data = file_get_contents($cert_path.$pem_file);
$pem2der = pem2der($pem_data);
$der_data = file_get_contents($cert_path.$der_file);
$der2pem = der2pem($der_data);
function pem2der($pem_data) {
$begin = "CERTIFICATE-----";
$end = "-----END";
$pem_data = substr($pem_data, strpos($pem_data, $begin)+strlen($begin));
$pem_data = substr($pem_data, 0, strpos($pem_data, $end));
$der = base64_decode($pem_data);
return $der;
}
function der2pem($der_data) {
$pem = chunk_split(base64_encode($der_data), 64, "\n");
$pem = "-----BEGIN CERTIFICATE-----\n".$pem."-----END CERTIFICATE-----\n";
return $pem;
}
I have a RSA private key and a RSA public key.
both rsa keys are in xml version ( <RSAKeyValue><Modulus>.... );
I need to make a PKCS8 signature from private key and test it by publik key in php
I used this snippet for making signature:
$content = "test string";
include('Crypt/RSA.php');
$rsa = new Crypt_RSA();
$rsa->loadKey(file_get_contents("private.txt"));
$pem_format = $rsa->getPrivateKey();
$pvk_res = openssl_get_privatekey($pem_format);
$sig = '';
openssl_sign($content , $sig, $pvk_res, OPENSSL_ALGO_SHA1);
$signature = base64_encode($sig);
is this right way for making signature ??
now how use public key to test accuracy of signature ??
PKCS8 concerns key formats - not signatures.
Also, I see you're using phpseclib to convert the key to pem and then using openssl. Why not just use phpseclib for everything? At that point you could use this example:
http://phpseclib.sourceforge.net/rsa/examples.html#sign,sign2
<?php
include('Crypt/RSA.php');
$rsa = new Crypt_RSA();
//$rsa->setPassword('password');
$rsa->loadKey('...'); // private key
$plaintext = '...';
$rsa->setSignatureMode(CRYPT_RSA_SIGNATURE_PKCS1);
$signature = $rsa->sign($plaintext);
$rsa->loadKey('...'); // public key
echo $rsa->verify($plaintext, $signature) ? 'verified' : 'unverified';
?>
How i can create a self-signed certificate using phpseclib from a existing .csr file, only i can use a .csr file.
I've read the manual and the method use a private key, but in my assignment i only can use a .csr file.
I hope you can help me.
Here's my code:
<?php
include('File/X509.php');
include('Crypt/RSA.php');
if ($_FILES["file"]["error"] > 0)
{
echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
}
else
{
//This is the content of the file
$csr = file_get_contents($_FILES["file"]["name"]);
}
// create private key / x.509 cert for stunnel / website
$privKey = new Crypt_RSA();
extract($privKey->createKey());
$privKey->loadKey($privatekey);
$pubKey = new Crypt_RSA();
$pubKey->loadKey($publickey);
$pubKey->setPublicKey();
$subject = new File_X509();
$subject->loadCSR('...'); // see csr.pem
// calling setPublicKey() is unnecessary when loadCSR() is called
$issuer = new File_X509();
$issuer->setPrivateKey($privKey);
$issuer->setDN($subject->getDN());
$x509 = new File_X509();
//$x509->setStartDate('-1 month'); // default: now
//$x509->setEndDate('+1 year'); // default: +1 year
$result = $x509->sign($issuer, $subject);
echo "the stunnel.pem contents are as follows:\r\n\r\n";
echo $privKey->getPrivateKey();
echo "\r\n";
echo $x509->saveX509($result);
echo "\r\n";
?>
You need a private key, plain and simple. Otherwise, what are you going to sign it with? The signature field of an X.509 cert is mandatory.
I mean, if all you want is a public key, you don't need to bother with the X.509 overhead. You can just pony up a public key that looks like this:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0
FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/
3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB
-----END PUBLIC KEY-----
But X.509 is more than just a public key - it's a signed public key. Technically, a CSR is, too, but CSR's are always self-signed whereas X.509 certs can be signed by anyone.
Im trying to load a private key generated by the openssl cli tool with PHP.
I used the following command and PHP code:
openssl genrsa -des3 4096 -out private.key
if (!($key = openssl_pkey_get_private("file://private.key", "password")));
{
return false;
}
I'm sure the password is correct and the file is also PEM formatted, but it keeps returning false. What am I doing wrong?
Thanks in advance,
Jori.
Please note that file://path/to/file.pem in documentation means file protocol + file path. In UNIX like OS, that is something like file:///rsa_private_key.pem. There is THREE slashes in the path string, not TWO. And file:// cannot be omitted.
It is a lot easier to just put the key in a var:
$public = "-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfmlc2EgrdhvakQApmLCDOgP0n
NERInBheMh7J/r5aU8PUAIpGXET/8+kOGI1dSYjoux80AuHvkWp1EeHfMwC/SZ9t
6rF4sYqV5Lj9t32ELbh2VNbE/7QEVZnXRi5GdhozBZtS1gJHM2/Q+iToyh5dfTaA
U8bTnLEPMNC1h3qcUQIDAQAB
-----END PUBLIC KEY-----";
$private = "-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDfmlc2EgrdhvakQApmLCDOgP0nNERInBheMh7J/r5aU8PUAIpG
XET/8+kOGI1dSYjoux80AuHvkWp1EeHfMwC/SZ9t6rF4sYqV5Lj9t32ELbh2VNbE
/7QEVZnXRi5GdhozBZtS1gJHM2/Q+iToyh5dfTaAU8bTnLEPMNC1h3qcUQIDAQAB
AoGAcbh6UFqewgnpGKIlZ89bpAsANVckv1T8I7QT6qGvyBrABut7Z8t3oEE5r1yX
UPGcOtkoRniM1h276ex9VtoGr09sUn7duoLiEsp8aip7p7SB3X6XXWJ9K733co6C
dpXotfO0zMnv8l3O9h4pHrrBkmWDBEKbUeuE9Zz7uy6mFAECQQDygylLjzX+2rvm
FYd5ejSaLEeK17AiuT29LNPRHWLu6a0zl923299FCyHLasFgbeuLRCW0LMCs2SKE
Y+cIWMSRAkEA7AnzWjby8j8efjvUwIWh/L5YJyWlSgYKlR0zdgKxxUy9+i1MGRkn
m81NLYza4JLvb8/qjUtvw92Zcppxb7E7wQJAIuQWC+X12c30nLzaOfMIIGpgfKxd
jhFivZX2f66frkn2fmbKIorCy7c3TIH2gn4uFmJenlaV/ghbe/q3oa7L0QJAFP19
ipRAXpKGX6tqbAR2N0emBzUt0btfzYrfPKtYq7b7XfgRQFogT5aeOmLARCBM8qCG
tzHyKnTWZH6ff9M/AQJBAIToUPachXPhDyOpDBcBliRNsowZcw4Yln8CnLqgS9H5
Ya8iBJilFm2UlcXfpUOk9bhBTbgFp+Bv6BZ2Alag7pY=
-----END RSA PRIVATE KEY-----";
if (!$privateKey = openssl_pkey_get_private($private)) die('Loading Private Key failed');
if (!$publicKey = openssl_pkey_get_public($public)) die('Loading Public Key failed');
I'll also include a small encode / decode example:
$encrypted = '';
$decrypted = '';
$plaintext = 'This is just some text to encrypt';
echo '<p>$plaintext = ' . $plaintext . '<p>';
if (!openssl_public_encrypt($plaintext, $encrypted, $publicKey)) die('Failed to encrypt data');
echo '<p>$encrypted = ' . $encrypted . '<p>';
if (!openssl_private_decrypt($encrypted, $decrypted, $privateKey)) die('Failed to decrypt data');
echo '<p>$decrypted = ' . $decrypted . '<p>';
Or just in case you could generate a key with php:
$NEW_KEY = openssl_pkey_new(array(
'private_key_bits' => 1024,
'private_key_type' => OPENSSL_KEYTYPE_RSA,
));
openssl_pkey_export_to_file($NEW_KEY, 'private.key');
$NEW_KEY_DETAILS = openssl_pkey_get_details($NEW_KEY);
file_put_contents('public.key', $NEW_KEY_DETAILS['key']);
openssl_free_key($NEW_KEY);
Please refer to next URL.
https://www.php.net/manual/en/function.openssl-pkey-get-private.php
To narrow down your issue, please use same directory for your php file and key file and try this working code.
Working code
$keyfile="file://".__DIR__.DIRECTORY_SEPARATOR."key.pem"; //absolute path
$key = openssl_pkey_get_private($keyfile);
if ($key === false) {
var_dump(openssl_error_string());
}else{
var_dump($key);
}
The following might be an issue.
Path
Following path styles should work.
$keyfile="file:///home/john/php/key.pem"; // unix absoulute path
$keyfile="file://C:\\users\\john\\php\\key.pem"; // windows absoulute path
$keyfile="file://".__DIR__.DIRECTORY_SEPARATOR."key.pem"; //absoulute path for unix, windows
$keyfile="file://key.pem"; // relative path, unix, windows, (php,key files in same directory)
$key = openssl_pkey_get_private($keyfile);
If path does not exist, error will be like
"error:02001002:system library:fopen:No such file or directory"
Web environment
Check your web root and web user access permission to the folder and key file.
To reduce issues, test it on php build-in web server env rather than WAMP env.
>php -S localhost:80
Corrupted key file
saved as certain type which include whitespaces.
This can occur error like next.
"error:0906D06C:PEM routines:PEM_read_bio:no start line"
in my case, key file was saved as UTF-8 with BOM(whitespaces)
DEBUG key file 1 - READ FROM VARIABLE
This code should work. I got key file from
http://micmap.org/php-by-example/en/function/openssl_pkey_get_private
Please replace $str to yours.
$str = <<<EOF
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEA0llCeBjy18RylTdBih9GMUSZIC3GzeN0vQ9W8E3nwy2jdeUn
H3GBXWpMo3F43V68zM2Qz5epRNmlLSkY/PJUfJIC8Yc1VEokT52q87hH/XJ5eS8h
eZnjuSlPAGi8oZ3ImVbruzV7XmlD+QsCSxJW7tBv0dqJ71e1gAAisCXK2m7iyf/u
l6rT0Zz0ptYH4IZfwc/hQ9JcMg69uM+3bb4oBFsixMmEQwxKZsXk3YmO/YRjRbay
+6+79bSV/frW+lWhknyGSIJp2CJArYcOdbK1bXx1dRWpbNSExo7dWwuPC0Y7a5AE
eoZofieQPPBhXlp1hPgLYGat71pDqBjKLvF5GwIDAQABAoIBACPItYsSy3UzYT7L
OKYTrfBBuD8GKpTqBfkHvAWDa1MD15P92Mr7l0NaCxGfAy29qSa6LdFy/oPM9tGY
9TxKyV6rxD5sfwEI3+Z/bw6pIe4W5F1eTDaQnHHqehsatkRUQET9yXp+na8w/zRF
0C0PQKS95tfvcpm59RGCdGQ8+aZw+cIy/xez75W8IS/hagMxe7xYPjpkOkSCCEJU
zmbVq6AyWodASV0p4H9p8I+c0vO2hJ/ELJ167w6T+2/GlZg979rlyHoTW8jK2BbG
IRGaPo+c2GANXa686tdpbkPd6oJliXwBSNolxmXShvlveBbPFAJJACzCmbXNj9kH
6/K+SWkCgYEA7FNudcTkRPV8TzKhJ1AzDjw3VcnraYhY8IlNxbk7RVHLdkoUtwk/
mImeBlEfCoz9V+S/gRgeQ+1Vb/BCbS24+bN/+IGoNRFMRcOieFt6lQUpj7a9NeSo
IEclGgUiU7QR3xH73SB4GC3rgSPeHJhJZC5EJq5TzYjXTPGPpBD3zicCgYEA49wz
zfMDYIH8h4L65r/eJYIbLwpvgktgaYvhijO3qfZSWW+Y19jCBn55f65YOhPGQBHA
my0f+tVxFNZ/OupbrAIIzogxlCIYHNBawDhoHN/sB3/lSBAjifySNLyRlA62oA0w
wXvXVLVWMa3aXim3c9AlnLF1fHwcvwpOKSfdye0CgYBb1mBKq+T5V1yjek1d9bCh
i40FbZ5qOG43q2Ppvn3mBk9G/KroJlPsdy5NziB9/SRGj8JL7I92Xjihc4Cc5PPJ
NZQ5gklXtg0p30i39PTCDGuGScFlvCIJyRwF7JDWblezlE2INSH2Y4HtgX7DJfr/
T2t0jLJMYS0p3YWwgFeMaQKBgHUIe/8y6zAdc5QynSX5tGL1gXrW1FFK39k2RICU
cag1YTSYkhuDNJzbRxJifORPlcsAkzngooVWLb+zMCQVjUI6xUU3RKe+Hz5lccc6
8ZarGHL9qMkrqOVNudamZ+tw5zIrtDgcoIvcm8nmbrtgl94/MaJar2ph4O3qoByZ
Ylw9AoGAIdS79s0VKkj4VVXqK47ZcI7jGL4V4C8ujU8YcMNV88xwCoDg9ZIFprWA
P5p/cnvj6aHnqL58XiH0+bE0Lt3J+U6N6JelQQevgBHooMFh4FpDXcVda7xB3rK3
woqbi8fNhr827H2maxIZPtVG95/mvR4k5z1Jrdnr34ZUmtC6U5Q=
-----END RSA PRIVATE KEY-----
EOF;
$key = openssl_pkey_get_private($str);
if ($key === false) {
var_dump(openssl_error_string());
}else{
var_dump($key);
}
OUTPUT
resource(4) of type (OpenSSL key)
DEBUG key file 2 - READ FROM FILE
copy your key strings($str) to key file like "key.pem".
$str = <<<EOF
-----BEGIN RSA PRIVATE KEY-----
...YOUR KEY STINGS HERE...
-----END RSA PRIVATE KEY-----
EOF;
$str2 = file_get_contents("key.pem");
$len1 = strlen ($str);
$len2 = strlen ($str2);
if($len1 !== $len2) echo "File has been corrupted.";
$key = openssl_pkey_get_private($str2);
if ($key === false) {
var_dump(openssl_error_string());
}else{
var_dump($key);
}