如何使用密码短语正确加密JS生成的RSA私钥?
[英]How to properly encrypt a JS generated RSA private key with a passphrase?
问题描述
I have a php back-end that previously generated RSA private/public keypairs on its own, encrypting the private part with a given passphrase. 
我有一个php后端,以前自己生成RSA私有/公共密钥对,用给定的密码加密私有部分。
Now I'm using this library: http://travistidwell.com/jsencrypt/ to generate a keypair on client side. 现在我正在使用这个库: http ://travistidwell.com/jsencrypt/在客户端生成密钥对。 But I didn't find how to encrypt the private key with a passphrase using this library. 但我没有找到如何使用此库使用密码加密私钥。 So I tried using this: http://www.movable-type.co.uk/scripts/aes.html but it seems that a key I get doesn't work, I can't encrypt/decrypt using it on my php back-end and different keys management apps don't recognize the key. 所以我尝试使用这个: http : //www.movable-type.co.uk/scripts/aes.html但似乎我得到的密钥不起作用,我无法加密/解密使用它在我的PHP后端和不同的密钥管理应用程序无法识别密钥。
What am I doing wrong and how to successfully encrypt the original JSEncrypt'ed private key properly with a passphrase? 我做错了什么以及如何使用密码短语成功加密原始JSEncrypt的私钥?
This is how the keypair was generated on PHP: 这就是在PHP上生成密钥对的方式:
$config = array(
"digest_alg" => "sha256",
"private_key_bits" => 2048,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
"encrypt_key" => true
);
$keypair = openssl_pkey_new($config);
$pkey_pass = '123';
openssl_pkey_export($keypair, $privKey, $pkey_pass, $config);
$fp = fopen($keys_folder . '/private.pem', 'w');
fwrite($fp, $privKey);
fclose($fp);
$pubKey = openssl_pkey_get_details($keypair);
$fp = fopen($keys_folder . '/public.pem', 'w');
fwrite($fp, $pubKey);
fclose($fp);
2 个解决方案
解决方案1
1 2015-03-11 18:41:39
Maybe you could adapt code from phpseclib . 也许你可以调整phpseclib的代码。 Quoting it: 引用它:
if (!empty($this->password) || is_string($this->password)) {
$iv = Random::string(8);
$symkey = pack('H*', md5($this->password . $iv)); // symkey is short for symmetric key
$symkey.= substr(pack('H*', md5($symkey . $this->password . $iv)), 0, 8);
$des = new TripleDES();
$des->setKey($symkey);
$des->setIV($iv);
$iv = strtoupper(bin2hex($iv));
$RSAPrivateKey = "-----BEGIN RSA PRIVATE KEY-----\r\n" .
"Proc-Type: 4,ENCRYPTED\r\n" .
"DEK-Info: DES-EDE3-CBC,$iv\r\n" .
"\r\n" .
chunk_split(base64_encode($des->encrypt($RSAPrivateKey)), 64) .
'-----END RSA PRIVATE KEY-----';
} else {
$RSAPrivateKey = "-----BEGIN RSA PRIVATE KEY-----\r\n" .
chunk_split(base64_encode($RSAPrivateKey), 64) .
'-----END RSA PRIVATE KEY-----';
}
src: https://raw.githubusercontent.com/phpseclib/phpseclib/master/phpseclib/Crypt/RSA.php src: https : //raw.githubusercontent.com/phpseclib/phpseclib/master/phpseclib/Crypt/RSA.php
解决方案2
0 2015-03-12 20:09:54
How to encrypt a JS generated RSA private key with a passphrase?
You have one of two choices. 你有两种选择之一。 First, encrypt the entire key beofre it reaches disk. 首先,加密到达磁盘的整个密钥。 Then decrypt it before you use it. 然后在使用之前解密它。 In this case, you treat the key like a file you want to encrypt. 在这种情况下,您将密钥视为要加密的文件。
Second, use PKCS #8, aka RFC 5208, Public-Key Cryptography Standards (PKCS) #8: Private-Key Information Syntax Specification Version 1.2 . 其次,使用PKCS#8,又名RFC 5208,公钥加密标准(PKCS)#8:私钥信息语法规范版本1.2 。 In particular, see section 6 of RFC 5208, EncryptedPrivateKeyInfo . 特别是,请参阅RFC 5208的第6节, EncryptedPrivateKeyInfo 。
You have a third option, but its not advised. 你有第三种选择,但不建议。 The third option is to use an encrypted PEM encoding. 第三种选择是使用加密的PEM编码。 Its not advisable because its been superseded by PKCS #8. 它不可取,因为它已被PKCS#8取代。
In the future, you will have a fourth option, and that is to use WebCrypto to store your key. 将来,您将有第四个选项,即使用WebCrypto存储密钥。 In this case, you moved the problem of secure storage to the platform. 在这种情况下,您将安全存储的问题转移到了平台。
Unfortunately, I don't know about the library you are using, so I don't know what it may (or may not offer). 不幸的是,我不知道你正在使用的图书馆,所以我不知道它可能会提供什么(或者可能不会提供)。 But the answers above cover the OpenSSL bits of your question. 但上面的答案涵盖了你问题的OpenSSL位。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.