如何从命令行使用密码生成OpenSSL密钥? [英] How to generate an openSSL key using a passphrase from the command line?
问题描述
首先-如果我不输入密码怎么办?是否使用某种伪随机短语?我只是在寻找一种足够好"的东西来阻止随便的黑客.
First - what happens if I don't give a passphrase? Is some sort of pseudo random phrase used? I'm just looking for something "good enough" to keep casual hackers at bay.
第二-如何从命令行生成密钥对,并在命令行上提供密码短语?
Second - how do I generate a key pair form the command line, supplying the passphrase on the command line?
我终于使用这些命令使用exec()使其正常工作,通常认为它不安全使用,最好在文件中提供PassPhrase.我可以接受这种风险,因为我确信PHP仅将在我的PC(运行Windows&没有PS命令)上执行.
I finally got it working using these commands, using exec() which it is generally reckoned not safe to use, being better to give the PassPhrase in a file. I can accept this risk as I am sure that the PHP will only ever be executed on my PC (which runs windows & doesn't have a PS command).
openssl genrsa -aes128 -passout pass:foobar -out privkey.pem 2048
openssl rsa -in privkey.pem -passin pass:foobar -pubout -out privkey.pub
非常感谢@caf,否则,这将是不可能的.
Many many thanks to @caf, without whom this would not have been possible.
只有一个遗憾-无论我使用多少Google,似乎都无法在Windows上使用openssl_pkey_new()
在Xampp上使用(这是生成密钥对的正确方法)
Only one regret - that, no matter how much I Google, no one can seem to get openssl_pkey_new()
working with Xampp on Windows (which is the proper way to generate a key pair)
推荐答案
如果不使用密码短语,则私钥不会使用任何对称密码进行加密-完全不受保护地输出.
If you don't use a passphrase, then the private key is not encrypted with any symmetric cipher - it is output completely unprotected.
您可以生成密钥对,并使用以下调用在命令行上提供密码(在这种情况下,密码为foobar
):
You can generate a keypair, supplying the password on the command-line using an invocation like (in this case, the password is foobar
):
openssl genrsa -aes128 -passout pass:foobar 3072
但是,请注意,此密码短语可以被当时在计算机上运行的任何其他进程捕获,因为命令行参数通常对所有进程都是可见的.
However, note that this passphrase could be grabbed by any other process running on the machine at the time, since command-line arguments are generally visible to all processes.
更好的选择是将密码短语写入受文件权限保护的临时文件中,并指定以下内容:
A better alternative is to write the passphrase into a temporary file that is protected with file permissions, and specify that:
openssl genrsa -aes128 -passout file:passphrase.txt 3072
或在标准输入中提供密码:
Or supply the passphrase on standard input:
openssl genrsa -aes128 -passout stdin 3072
您还可以使用带有file:
选项的命名管道或文件描述符.
You can also used a named pipe with the file:
option, or a file descriptor.
要获取匹配的公钥,您需要使用openssl rsa
,并提供与用于加密私钥的参数相同的密码-passin
:
To then obtain the matching public key, you need to use openssl rsa
, supplying the same passphrase with the -passin
parameter as was used to encrypt the private key:
openssl rsa -passin file:passphrase.txt -pubout
(这需要标准输入中的加密私钥-您可以使用-in <file>
从文件中读取它).
(This expects the encrypted private key on standard input - you can instead read it from a file using -in <file>
).
在文件中创建3072位私钥和公钥对的示例,其中私钥对已使用密码foobar
加密:
Example of creating a 3072-bit private and public key pair in files, with the private key pair encrypted with password foobar
:
openssl genrsa -aes128 -passout pass:foobar -out privkey.pem 3072
openssl rsa -in privkey.pem -passin pass:foobar -pubout -out privkey.pub
这篇关于如何从命令行使用密码生成OpenSSL密钥?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!