John Davidson

php - Calling openssl_pkey_export() twice with the same passphrase gives different results



I have basic knowledge of asymmetric cryptography, but I'm a newbie regarding the OpenSSL PHP extension and I'm confused after executing the following piece of code (please note that openssl_pkey_new() is called just once, but openssl_pkey_export() with a passphrase is called twice):


```php
// Based on:
// PHP: openssl_pkey_new - Manual
// => https://www.php.net/manual/es/function.openssl-pkey-new.php#111769
$config = array(
    "digest_alg" => "sha512",
    "private_key_bits" => 4096,
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
);
// Create the private and public key
$res = openssl_pkey_new($config);
// Extract the private key from $res
openssl_pkey_export($res, $privKey);
openssl_pkey_export($res, $privKeyEnc1, "12345678");
openssl_pkey_export($res, $privKeyEnc2, "12345678");
print_r($privKeyEnc1); /* Output 1 */
print_r($privKeyEnc2); /* Output 2 */
```

I ran it using php -a and found that Output 1 and Output 2 ($privKeyEnc1 and $privKeyEnc2) are different (I post the first and last characters only):


Output 1 ($privKeyEnc1):


-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIJnDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIu9pGQ4UYhHMCAggA
...
b/Jzga55d9CZAez70XZ1IcDlqhtfCS0Q7+RDwdXgsAd9IYrZaVKBrUOxhaSc/Xe8
9GBsV9M67b7uyJ1wAeEpJw==
-----END ENCRYPTED PRIVATE KEY-----

Output 2 ($privKeyEnc2):


-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIJnDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIiNaCw3b9l9wCAggA
...
bOL2WGBOymb6db0G5/IdIs7zQx6aQjOtoFx4hm0cY4YmEmNKKdiXOoVpRZT4SBRw
t8ksuWHoESag0z4NETpetw==
-----END ENCRYPTED PRIVATE KEY-----

Is this wrong or is it normal behavior? Can anybody explain in detail why this occurs?



My Answer:
```php
<?php
$config = array(
    "digest_alg" => "sha512",
    "private_key_bits" => 2048,
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
);

// Create a new private and public key pair
$res = openssl_pkey_new($config);

// Export the private key with passphrase
openssl_pkey_export($res, $privKey, 'mypassword');

// Export the private key with the same passphrase again
openssl_pkey_export($res, $privKey2, 'mypassword');

// Compare the two exported private keys
if ($privKey === $privKey2) {
    echo "The two exported private keys are the same.";
} else {
    echo "The two exported private keys are different.";
}
?>
```


When you run this code, you will see that the two exported private keys are different even though the passphrase is the same. This is because the `openssl_pkey_export()` function generates a new random salt each time it is called with a passphrase. This salt is used to derive the encryption key from the passphrase, so even though the passphrase is the same, the encryption key will be different each time.

If you want to export the private key with the same encryption key each time, you can use the `openssl_pkey_export_to_file()` function with the `passphrase` parameter set to `true`. This will store the encryption key in the key file itself, so you can export the private key multiple times with the same passphrase and get the same result.
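
The per-call salt can be read straight out of the two outputs in the question. This added example (not part of the original answer; the helper names are hypothetical) decodes the first base64 line of each output, which holds the start of the PKCS#8 PBES2 header, and prints the PBKDF2 salt and iteration count. The two lines are identical except for the salt bytes.

```php
<?php
// Added example, not from the original post. Helper names are hypothetical.
// Read one DER tag/length header at $pos; returns [length, offset of the content].
function der_header(string $der, int $pos): array
{
    $len = ord($der[$pos + 1]);
    $pos += 2;
    if ($len & 0x80) {                 // long form: low 7 bits = count of length bytes
        $n = $len & 0x7f;
        $len = 0;
        for ($i = 0; $i < $n; $i++) {
            $len = ($len << 8) | ord($der[$pos + $i]);
        }
        $pos += $n;
    }
    return [$len, $pos];
}

// Step over an OBJECT IDENTIFIER, checking that it has the expected encoded value.
function expect_oid(string $der, int $pos, string $hex): int
{
    [$len, $pos] = der_header($der, $pos);
    if (bin2hex(substr($der, $pos, $len)) !== $hex) {
        throw new RuntimeException("unexpected OID, wanted $hex");
    }
    return $pos + $len;
}

// Extract the PBKDF2 salt and iteration count from a PBES2-encrypted PKCS#8 blob.
function pbkdf2_params(string $pemOrBase64): array
{
    $der = base64_decode(preg_replace('/-----[^-]+-----|\s+/', '', $pemOrBase64), true);
    if ($der === false) throw new InvalidArgumentException('input is not valid base64');
    [, $p] = der_header($der, 0);                    // EncryptedPrivateKeyInfo SEQUENCE
    [, $p] = der_header($der, $p);                   // encryptionAlgorithm SEQUENCE
    $p = expect_oid($der, $p, '2a864886f70d01050d'); // id-PBES2
    [, $p] = der_header($der, $p);                   // PBES2-params SEQUENCE
    [, $p] = der_header($der, $p);                   // keyDerivationFunc SEQUENCE
    $p = expect_oid($der, $p, '2a864886f70d01050c'); // id-PBKDF2
    [, $p] = der_header($der, $p);                   // PBKDF2-params SEQUENCE
    [$len, $p] = der_header($der, $p);               // salt OCTET STRING
    $salt = bin2hex(substr($der, $p, $len));
    [$len, $p] = der_header($der, $p + $len);        // iterationCount INTEGER
    return ['salt' => $salt, 'iterations' => hexdec(bin2hex(substr($der, $p, $len)))];
}

// First base64 line of Output 1 and Output 2, copied from the question.
$out1 = 'MIIJnDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIu9pGQ4UYhHMCAggA';
$out2 = 'MIIJnDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIiNaCw3b9l9wCAggA';
print_r(array_map('pbkdf2_params', [$out1, $out2]));
```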
