如何使用命令行中的密码生成 openSSL 密钥? [英] How to generate an openSSL key using a passphrase from the command line?

问题描述

首先 - 如果我不提供密码会怎样?是否使用了某种伪随机短语?我只是在寻找足够好"的东西防止随意的黑客入侵.

First - what happens if I don't give a passphrase? Is some sort of pseudo random phrase used? I'm just looking for something "good enough" to keep casual hackers at bay.

第二 - 如何从命令行生成密钥对，在命令行上提供密码?

Second - how do I generate a key pair from the command line, supplying the passphrase on the command line?

我终于使用这些命令让它工作了，使用 exec() ，它通常被认为使用不安全，最好在文件中提供密码.我可以接受这种风险，因为我确信 PHP 只会在我的 PC 上执行(运行 Windows 并且没有 PS 命令).

I finally got it working using these commands, using exec() which it is generally reckoned not safe to use, being better to give the PassPhrase in a file. I can accept this risk as I am sure that the PHP will only ever be executed on my PC (which runs windows & doesn't have a PS command).

openssl genrsa -aes128 -passout pass:foobar -out privkey.pem 2048
openssl rsa -in privkey.pem -passin pass:foobar -pubout -out privkey.pub

非常感谢@caf，没有他们就不可能做到这一点.

Many many thanks to @caf, without whom this would not have been possible.

只有一个遗憾——无论我谷歌多少，似乎都没有人能让 openssl_pkey_new() 在 Windows 上与 Xampp 一起工作(这是正确的方式生成密钥对)

Only one regret - that, no matter how much I Google, no one can seem to get openssl_pkey_new() working with Xampp on Windows (which is the proper way to generate a key pair)

推荐答案

如果您不使用密码，那么私钥不会使用任何对称密码进行加密 - 它的输出完全不受保护.

If you don't use a passphrase, then the private key is not encrypted with any symmetric cipher - it is output completely unprotected.

您可以生成一个密钥对，使用如下调用在命令行上提供密码(在本例中，密码为 foobar):

You can generate a keypair, supplying the password on the command-line using an invocation like (in this case, the password is foobar):

openssl genrsa -aes128 -passout pass:foobar 3072

但是，请注意，此密码短语可能会被当时在机器上运行的任何其他进程获取，因为命令行参数通常对所有进程可见.

However, note that this passphrase could be grabbed by any other process running on the machine at the time, since command-line arguments are generally visible to all processes.

更好的选择是将密码写入受文件权限保护的临时文件，并指定:

A better alternative is to write the passphrase into a temporary file that is protected with file permissions, and specify that:

openssl genrsa -aes128 -passout file:passphrase.txt 3072

或者在标准输入上提供密码:

Or supply the passphrase on standard input:

openssl genrsa -aes128 -passout stdin 3072

您还可以使用带有 file: 选项或文件描述符的命名管道.

You can also used a named pipe with the file: option, or a file descriptor.

然后要获得匹配的公钥，您需要使用 openssl rsa，提供与用于加密私钥的 -passin 参数相同的密码:

To then obtain the matching public key, you need to use openssl rsa, supplying the same passphrase with the -passin parameter as was used to encrypt the private key:

openssl rsa -passin file:passphrase.txt -pubout

(这需要标准输入上的加密私钥 - 您可以改为使用 -in 从文件中读取它).

(This expects the encrypted private key on standard input - you can instead read it from a file using -in <file>).

在文件中创建3072位私钥和公钥对的示例，私钥对用密码加密foobar:

Example of creating a 3072-bit private and public key pair in files, with the private key pair encrypted with password foobar:

openssl genrsa -aes128 -passout pass:foobar -out privkey.pem 3072
openssl rsa -in privkey.pem -passin pass:foobar -pubout -out privkey.pub

这篇关于如何使用命令行中的密码生成 openSSL 密钥?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！