Pavel K
Reputation: 496
Decrypt PHP openssl_seal in BASH
I am trying to decrypt some data encrypted via PHP openssl_seal. There don't seem to be any examples involving bash on the net (spent a while researching the matter), so I think this post will help others down the road as well.
As I understand it, I have to first decrypt the key used for RC4 encryption of the actual data using my private key. The data itself, as well as the RC4 key are stored in base64 format.
Data:
Y3jrrTI96HVK7aMR/LrLnCGsqlQNvpQN8TTEoClak2GHk1MMV5/Ig6CD5EuojJaI
gey79XGjf8S9IqLsJ/MxOjODSFM48D+G0lbBW9GEOUFB027pfuHDhyMoTsxjEFBG
XIz5
Envkey:
JJXy5kX9RNSd90BgRSKUX1AGZhwbzetVHKAZTv1/HCBEPGqaGvoWdxaiA8UaJAAr
mS7Sh3pbMm1GN41BYi2r4m9VONknIqn3VB+cikA7ZRxmKOVhRuJTgdjWhrCMyxls
1osAsC8lIFkLo13Z1v8IZAXKGIdyO86WHXzfQku8HAE=
Test private key (this one is crypted, non crypted added at very bottom of a question):
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,CBBD77CC40F395BB
/OwGFHzIoLt4bNFMgdLp25igC8ghJhkRNghg1xpvpZISoniOC2b4oHXOJ4wvt0bj
5Giywp1iQCZUkM7qssJAFcLyTg/ycYz9WuOR5Z68h5p+lz4LnUtcCve2N/goJkwT
r5P59MybJEef27PAQYZyjiDK3eyYJRhcORzd592d81GsXoflroVzK9/eYS33IEeV
Y0grtBoOmDe4eVjDoluZXTGNu2si7SCXs6775jrDpPNMTeYLGApRacJ3TDYHyh9+
dmbaa65ARzRmWtdvvi2zoN/23oie5HUcBgRvubWM4u6LJ4HTLuAjGicpZjIlWQTe
Jex77StHO0zceic++Z9VQ+XfL4zdOHFCJpihunCU+zabqsFNZWZ44LeRul65iNIT
+3XHXezDsvuGkr5aJVvAdp1MxGIf5mO88Ga4pa0qIKFw/sLux+Otx94H45Zb1TgS
At8BU4zK0gSvAU7ea7H/Genug847vh2Up49h8ikmfdiexqnkxDO4N4GLrlDg5yYe
+YLEJyEDYa9Cg9vDV+no6oG1jC+4Fk1s9uk5uDSf4uNN5E5EsxsHS4JxvZ4xnWI7
DYbsy8XOwrrIptJvlttVNIYuobwFfDoWlf9yiAtsIKIVHhhVMgMSWc/0jPEKRmmv
NKMy6sGTEj6LGqh6R7bpeS3joccA8oAi0PjLil1Lt/bLBVAJ1JemLDCfJxjHqCmv
VfBcmF1YqxPKQl9cacUmZhozij1qDTghqIxpdQ/Y+HywGyfJtraDlYkGJ+UFgzh9
NEl1gebVhVBATrNodbUEfzJRz04/1BR2I1WPVcC93lo=
-----END RSA PRIVATE KEY-----
So I'm doing:
Decode from base64 (have tried getting data without base64, still the same result/using base64 to ensure there are no issues with encoding etc.):
base64 --decode envkey > envun
Decrypting the envkey with my private key:
openssl rsautl -decrypt -inkey private.pem -in /tmp/envun -out /tmp/envdec
Getting a decrypted binary (?) key and using it do decrypt data in RC4:
openssl enc -d -rc4 -in encrypted -out decrypted -pass file:envdec
. .
However, what I'm getting is:
bad magic number
Any advise?
Non crypted private key:
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQCkBLH08f4nZBxiy2K9DXXmxeyqxcZtBIU3BjKDMO0jt2Lt4r6e
+MI/QFKVkms5iDUKaxPgwXptilR/f0KeLz7p2KbsAtDEFSPDWedd2/WYj2DYvoeF
+LskTYoWEyZsTbV7Vcm6lfzlZYggShtjlf6haHHTKo+FEp/ENmspni7n9wIDAQAB
AoGAFrTzshaCeg+ZAnBn1gZ0CSPjlOzWgKc8jhaUjacLXYN49bgLbdTAh6MvC7f+
kjNyLGQQl3ARs/KPqisDHQUrb1mPk2NBlMKk8SPf61D5VPcGyh1OwWSCSM9zg0AO
ZuBhi8RxZhkVAenBwmEAjHID/dA1wGj748uyuUMhq9noGbkCQQDZ/p/2QMGim5dc
KluTxUAtTuxtL5Cjn3rsCNvQiKbDE17zuZQD8O0lKaUIdWpmA9TTVxMXkGiPf/Lf
TApT6lVdAkEAwJ0KXjDsLc6h2lN6LEsm2siAj0fMnCLDUYaRmYB8Wz9S7JGWqE5O
AVg982FeYXxXe2mRL/cpKhbnGT8lvDQpYwJADuUlDPBzyqaS+wsx4rDxp6bi5LsB
SQzWm1YnnuIXcvDZ5hFiGbrWmVl1G1TahknwutgSR+PoIRX/BF7vvbgfSQJAIOYx
8Si2DpTuvFXp1kr31gLNQqvm3PxrFC/CCtARbZyBU3sCmrjVRhGGc128OzZ70s6T
R/gVheTnkD5i+aSHNQJAYGwKSmW7TQPZSlaHfs4vdSnOoxVpdqi/KJG3v+PPhz6R
2+8OZnjXk62VX05jMnMNnu9BMvP0CNjKIjnsOP7NoQ==
-----END RSA PRIVATE KEY-----
How it was encrypted:
$pub_key_ids = [];
$sealed = '';
$pub_key_string = file_get_contents("/usr/local/ssl/public.pem");
$pub_key = openssl_get_publickey($pub_key_string);
if ($pub_key) {
$pub_key_ids[] = $pub_key;
}
if (count($pub_key_ids)) {
if (openssl_seal($params['deployment_settings'], $sealed, $ekeys, $pub_key_ids) !== false) {
$data = base64_encode($sealed);
$envkey = base64_encode($ekeys[0]);
}
foreach ($pub_key_ids as $pub_key_id) {
openssl_free_key($pub_key_id);
}
}
Upvotes: 0
Views: 1314
Answers (2)
F. Hauri - Give Up GitHub
Reputation: 70822
As question stand for bash, there are some bashisms we could use:
All in one:
#!/bin/bash
openssl rc4 -d -in <(
base64 -i --decode <<eodatas
Y3jrrTI96HVK7aMR/LrLnCGsqlQNvpQN8TTEoClak2GHk1MMV5/Ig6CD5EuojJaIgey7
9XGjf8S9IqLsJ/MxOjODSFM48D+G0lbBW9GEOUFB027pfuHDhyMoTsxjEFBGXIz5
eodatas
) -iv 0 -K "$(
hexdump -v -e '/1 "%02X"' < <(
openssl rsautl -decrypt -inkey <(cat <<eoprivkey
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQCkBLH08f4nZBxiy2K9DXXmxeyqxcZtBIU3BjKDMO0jt2Lt4r6e
+MI/QFKVkms5iDUKaxPgwXptilR/f0KeLz7p2KbsAtDEFSPDWedd2/WYj2DYvoeF
+LskTYoWEyZsTbV7Vcm6lfzlZYggShtjlf6haHHTKo+FEp/ENmspni7n9wIDAQAB
AoGAFrTzshaCeg+ZAnBn1gZ0CSPjlOzWgKc8jhaUjacLXYN49bgLbdTAh6MvC7f+
kjNyLGQQl3ARs/KPqisDHQUrb1mPk2NBlMKk8SPf61D5VPcGyh1OwWSCSM9zg0AO
ZuBhi8RxZhkVAenBwmEAjHID/dA1wGj748uyuUMhq9noGbkCQQDZ/p/2QMGim5dc
KluTxUAtTuxtL5Cjn3rsCNvQiKbDE17zuZQD8O0lKaUIdWpmA9TTVxMXkGiPf/Lf
TApT6lVdAkEAwJ0KXjDsLc6h2lN6LEsm2siAj0fMnCLDUYaRmYB8Wz9S7JGWqE5O
AVg982FeYXxXe2mRL/cpKhbnGT8lvDQpYwJADuUlDPBzyqaS+wsx4rDxp6bi5LsB
SQzWm1YnnuIXcvDZ5hFiGbrWmVl1G1TahknwutgSR+PoIRX/BF7vvbgfSQJAIOYx
8Si2DpTuvFXp1kr31gLNQqvm3PxrFC/CCtARbZyBU3sCmrjVRhGGc128OzZ70s6T
R/gVheTnkD5i+aSHNQJAYGwKSmW7TQPZSlaHfs4vdSnOoxVpdqi/KJG3v+PPhz6R
2+8OZnjXk62VX05jMnMNnu9BMvP0CNjKIjnsOP7NoQ==
-----END RSA PRIVATE KEY-----
eoprivkey
) -in <(base64 -i --decode <<eoenvkey
JJXy5kX9RNSd90BgRSKUX1AGZhwbzetVHKAZTv1/HCBEPGqaGvoWdxaiA8UaJAAr
mS7Sh3pbMm1GN41BYi2r4m9VONknIqn3VB+cikA7ZRxmKOVhRuJTgdjWhrCMyxls
1osAsC8lIFkLo13Z1v8IZAXKGIdyO86WHXzfQku8HAE=
eoenvkey
) ) )"
printf "\nResult: %s\n" $?
This could output:
A combination of genetic and environmental factors play a role in the development of schizophrenia.
Result: 0
By using functions
This could be more usefull:
#!/bin/bash
declare Data=./datas
declare Envkey=./envkey
declare PrivateKey=./privkey
b64Dec() { base64 -i --decode ; }
hxDump() { hexdump -e '/1 "%02X"' ; }
rsaDec() { openssl rsautl -decrypt -inkey $1 -in $2 ; }
rc4Dec() {
openssl rc4 -d -iv 0 -K "$1"
printf >&2 "\nResult: %s\n" $?
}
rc4Enc() {
openssl rc4 -iv 0 -K "$1"
printf >&2 "\nResult: %s\n" $?
}
declare Key="$(hxDump < <(rsaDec $PrivateKey <(b64Dec <$Envkey)))"
b64Dec <$Data | rc4Dec $Key
rc4Enc $Key <<eoGeorgOrwellQuote | base64
In our age there is no such thing as 'keeping out of politics.' All issues
are political issues, and politics itself is a mass of lies, evasions,
folly, hatred and schizophrenia.
-- George Orwell --
eoGeorgOrwellQuote
This could produce:
A combination of genetic and environmental factors play a role in the development of schizophrenia.
Result: 0
Result: 0
azaorSotoXpM/OoK+v/WnyGivBoGpd0dpDbC5H1XlHmJwV0RGt3NkqSfrUOuz42Sh7/04z2yaYi1
drngOLg2cxzPUBs0oyiWwUCnVdOMfF9an2j7N/HBg2o7Us9+B0YEFYy5oLISIRtZguZx2M6qYA9N
EJVDUG7mCL041jCszPAIKreV7PPnRCWt0MLyunv6MDSwJ3dppTUYcgXAL2vDxcIs/GYmbWh8sjgo
/t9fqxCM56a8xwUpityQh1JukHoFQyPzhOYUfNg85I2azhyLoX2OlQ==
Upvotes: 2
Adam
Reputation: 18805
Using openssl native command, you can do the following :
base64 --decode envkey > envun
openssl rsautl -decrypt -inkey private.pem -in envun -out envdec
KEY=$(cat envdec |hexdump -v -e '/1 "%02X"')
openssl rc4 -d -a -in encrypted -iv 0 -K "$KEY"
You have to use "-a" flag cause your content is base64 encoded.
You can use php in command line mode with "-q" to suppress the header.
php -q decrypt.php data.txt envkey private.pem
content of decrypt.php
<?php
$pkeyid=openssl_get_privatekey(file_get_contents($argv[3]));
$content=base64_decode(file_get_contents($argv[1]));
$envkey=base64_decode(file_get_contents($argv[2]));
if (openssl_open($content, $data, $envkey, $pkeyid)) {
echo "$data\n";
} else {
echo openssl_error_string()."\n";
}
openssl_free_key($pkeyid);
It will be far easier than using openssl native command.
Upvotes: 1
Related Questions
- how to convert openssl encrypt and decrypt into php
- How to decrypt PHP Openssl encryption with BASH command
- OpenSSL Encryption / Decryption php
- Decrypting a PHP generated OpenSSL string in Terminal
- Converting PHP openssl script to openssl command
- Decrypt File Made With PHP openssl_encrypt on Command Line
- Decrypting string using OpenSSL works in terminal but not in PHP script
- Cannot decrypt openssl_encrypt() output on command line
- PHP Encrypt/Decrypt using OpenSSL not working for me
- PHP Encrypt Data, Bash Decrypt it