openssl_pkey_new 抛出错误配置文件routines:NCONF_get_string:no value [英] openssl_pkey_new throws error configuration file routines:NCONF_get_string:no value

问题描述

我发现了几个有这个问题的帖子，但我没有使用他们的解决方案解决我的问题.

I have found couple of posts with this problem but I have not solved my problem using their solution.

这是我的测试脚本:

<?php
echo "\n*** Errors before calling openssl_pkey_new\n";
// no errors
while (($e = openssl_error_string()) !== false) {
    var_dump($e);
}

$config = [
    'config' => '/etc/ssl/openssl.cnf',
    "digest_alg" => "sha1",
    "private_key_bits" => 4096,
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
];
var_dump(openssl_pkey_new($config));

echo "\n*** Errors after calling openssl_pkey_new\n";
while (($e = openssl_error_string()) !== false) {
    echo "<pre>";print_r($e);echo "</pre>";
}

也尝试过 sha256 和 sha512.

Tried also sha256 and sha512.

cnf 文件:

ls /etc/ssl/openssl.cnf
-rw-r--r-- 1 root root 10835 Jun 20  2014 /etc/ssl/openssl.cnf

错误:

error:0E06D06C:configuration file routines:NCONF_get_string:no value</pre><pre>error:0E06D06C:configuration file routines:NCONF_get_string:no value</pre><pre>error:0E06D06C:configuration file routines:NCONF_get_string:no value

我也尝试在脚本顶部设置 OPENSSL_CONF 但没有成功:

I have also tried to set OPENSSL_CONF on the top of script but without success:

putenv('OPENSSL_CONF=/etc/ssl/openssl.cnf');

我也尝试使用自定义 openssl.cnf 但也没有成功:

I have also tried to use custom openssl.cnf but also without any success:

cat /var/www/openssl.cnf 
distinguished_name  = req_distinguished_name
[req_distinguished_name]
[v3_req]
[v3_ca]

可能有什么问题?

在使用 openssl_pkey_new 后忽略此错误并清除它们是否安全或有解决方案?

Is it safe to ignore this errors and clear them out after using openssl_pkey_new or there is a solution?

提前致谢

推荐答案

问题分析

查看 openssl_pkey_new() 文档，它提及:

有关 configargs 的更多信息，请参阅 openssl_csr_new().

See openssl_csr_new() for more information about configargs.

事实证明，openssl_pkey_new() 和 openssl_csr_new() 实现共享读取配置的代码.你可以在 PHP 源代码中看到它的调用 此处 通过符号 PHP_SSL_REQ_PARSE 扩展为 php_openssl_parse_config.它的第一个参数是 x509_request 类型.(CSR 代表证书签名请求，有关更多信息，请参阅 OpenSSL req 应用程序文档)

It turns out that the openssl_pkey_new() and openssl_csr_new() implementation share the code for reading the configuration. You can see its invocation in the PHP source code here via a symbol PHP_SSL_REQ_PARSE which expands to php_openssl_parse_config. Its first parameter is a x509_request type. (CSR stands for Certificate Signing Request, for more information see the OpenSSL req app documentation)

对 php_openssl_parse_config 的实现进行筛选，结果证明有很多尝试读取与 CSR 相关的配置参数，而不仅仅是密钥生成.其中许多失败并产生与您指出的相同的错误.

Sifting through the implementation of php_openssl_parse_config, there turn out to be a lot of attempts to read configuration parameters that are relevant for CSRs, but not for just key generation. Many of those fail and generate that same error that you have indicated.

为了让生活更轻松，我直接检测了 OpenSSL 加密库以打印有关任何失败的配置字符串查找的信息.使用该设置运行脚本会产生以下结果(在 Ubuntu 18.04 上，使用 /etc/ssl/openssl.cnf 中的配置):

To make life easier, I have instrumented the OpenSSL crypto lib directly to print information about any failed configuration string lookup. Running your script with that setup resulted in the following (on Ubuntu 18.04, using the configuration found in /etc/ssl/openssl.cnf):

$ php conftest.php 
_CONF_get_string failed for section "(null)", name "openssl_conf"

*** Errors before calling openssl_pkey_new
_CONF_get_string failed for section "(null)", name "oid_file"
_CONF_get_string failed for section "req", name "default_md"
_CONF_get_string failed for section "req", name "req_extensions"
_CONF_get_string failed for section "req", name "encrypt_rsa_key"
_CONF_get_string failed for section "req", name "encrypt_key"
_CONF_get_string failed for section "req", name "default_md"
resource(4) of type (OpenSSL key)

*** Errors after calling openssl_pkey_new
<pre>error:0E06D06C:configuration file routines:NCONF_get_string:no value</pre><pre>error:0E06D06C:configuration file routines:NCONF_get_string:no value</pre><pre>error:0E06D06C:configuration file routines:NCONF_get_string:no value</pre><pre>error:0E06D06C:configuration file routines:NCONF_get_string:no value</pre><pre>error:0E06D06C:configuration file routines:NCONF_get_string:no value</pre><pre>error:0E06D06C:configuration file routines:NCONF_get_string:no value</pre>

<小时>

解决方案

从分析来看，它看起来像是为 main 部分中的设置 oid_file 和 default_md、req_extensions 和 encrypt_rsa_key 添加值openssl.cnf 的 [req] 部分中的 应该可以解决错误.确实，这样做之后，结果如下.

---

A solution

From the analysis, it looks like adding values for the settings oid_file in the main section and default_md, req_extensions and encrypt_rsa_key in the [req] section of openssl.cnf should resolve the errors. Indeed, after doing that, the result is as follows.

$ php conftest.php 

*** Errors before calling openssl_pkey_new
resource(4) of type (OpenSSL key)

*** Errors after calling openssl_pkey_new

<小时>

结论

我认为您可以放心地忽略 PHP 对无关配置设置的错误调用.

---

Conclusion

I think you can safely ignore PHP's erroneous invocation of irrelevant configuration settings.

这篇关于openssl_pkey_new 抛出错误配置文件routines:NCONF_get_string:no value的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！