Reputation: 9465
Openssl RSA Key generation
I have a client which talks to a server and communication is encrypted using RSA and AES combination. The RSA key pair which I had generated was without passphrase. So, to make it secure I recently added the passphrase. Every thing works fine server side, but the Private key generated by PHP doesn't contain encryption info, due to which I can't load it client side. Following is the php code:
$passphrase = 'Hello World';
$config = array ("digest_alg" => "sha256","private_key_bits" => 2048,"private_key_type" => OPENSSL_KEYTYPE_RSA );
// Create the private and public key
$res = openssl_pkey_new ( $config );
/* Extract the private key from $res to $privKey */
openssl_pkey_export ( $res, $priv_key, $passphrase );
/* Extract the public key from $res to $pubKey */
$pub_key = openssl_pkey_get_details ( $res );
$pub_key = $pub_key["key"];
$pkey_pair = array ('priv_key' => $priv_key,'pub_key' => $pub_key );
var_dump($pkey_pair);
You can try it on http://phpfiddle.org/ there is no enryption info, as if it is assuming that, since it works server side!
My client side code works only when no passphrase is used in RSA key generation.
try
{
Botan::AutoSeeded_RNG rng;
Botan::DataSource_Memory privKeyMem(privKey);
Botan::RSA_PrivateKey *rsaKey = dynamic_cast <Botan::RSA_PrivateKey*>
(Botan::PKCS8::load_key(privKeyMem, rng, passphrase.c_str()));
if(!rsaKey)
{
std::cout << "The loaded key is not a RSA key!\n";
return false;
}
....
.....
}
catch(...)
{
cout<<"Exception: could not load private key";
return false;
}
Upvotes: 0
Views: 1213
Answers (2)
Reputation: 94078
Private keys should not be exported except possibly for backup/replication purposes for the same service. You should only export public keys of both client and server. Those keys need to be trusted somehow though. You could do this by embedding them in a certificate signed by a (self signed) CA that is trusted by both client and server.
Note that for transport protocols AES CBC encryption is not enough. You will need to add integrity and authenticity protection. This is usually done by adding a (H)MAC.
It seems you are trying to perform symmetric encryption using a single RSA key pair.
Upvotes: 0
Reputation:
Exporting an RSA key with a passphrase does not cause the generated key pair to be any different; it just encrypts the private key using that passphrase. If your client-side code cannot decrypt an encrypted key, don't use a passphrase.
Additionally, the client code you're currently using appears to be trying to load a PKCS8 format private key. This is incorrect here; openssl_pkey_export() generates the public and private key in PEM format.
Upvotes: 1
Related Questions
- Convert rsa keys into pem format
- build public key PEM file with existing modulus and exponent in php with openssl library
- PHP RSA encryption openssl issue
- Generate RSA private SSH key in PHP
- PHP RSA encryption using private key and PKCS1
- PHP RSA key creation
- Generate private key RSA with PKCS1
- PHP RSA Encryption Logic
- RSA in php is confusing
- openssl key generation - php. how to get all the values?