如何使用BASH命令解密PHP Openssl加密
How to decrypt PHP Openssl encryption with BASH command
我正在 PHP 中加密密码,想在另一个盒子上解密。我运气不好,我希望能够直接从 bash 解密它并回显它。以下是 PHP.
中的测试片段
$textToEncrypt = "My super secret information.";
$encryptionMethod = "AES-256-CBC";
$secretHash = "Testkey";
//To encrypt
$encryptedMessage = openssl_encrypt($textToEncrypt, $encryptionMethod, $secretHash);
//To Decrypt
$decryptedMessage = openssl_decrypt($encryptedMessage, $encryptionMethod, $secretHash);
//Result
echo "Encrypted: $encryptedMessage <br>Decrypted: $decryptedMessage";
我试过很多方法在Ubuntu上解密,甚至把数据存到文件里输出到文件里。尝试的命令是:
openssl aes-256-cbc -a -d -k Testkey -in foo.txt -out secrets.txt
其中foo.txt是PHP加密返回的值,secrets.txt是输出。我该怎么做?
正如评论中一样,值得重复的是,没有 IV 的加密是危险的。事实上,当前版本的 PHP 会发出警告。 IV 可以使用 openssl_random_pseudo_bytes() 函数随机生成,并与加密文本一起以明文形式传输。它们不必是秘密的,重要的是不要重复使用相同的密钥和 IV 组合,并有一个随机的 IV。
因此,除此之外,如果您看一下 the source for the function,它不会将 password 参数作为密码传递,而是作为关键。因此,要在命令行上使用 openssl,它需要以十六进制形式传递给 -K 选项,而不是 -k 选项。但是随后,您会收到一条错误消息 "iv undefined",因此您的 PHP 需要调整为包括一个:
<?php
$textToEncrypt = "My super secret information.\n";
$encryptionMethod = "AES-256-CBC";
$key = "Testkey";
$iv = openssl_random_pseudo_bytes(
openssl_cipher_iv_length($encryptionMethod)
);
$keyHex = bin2hex($key);
$ivHex = bin2hex($iv);
//To encrypt
$encryptedMessage = openssl_encrypt($textToEncrypt, $encryptionMethod, $key, 0, $iv);
//To Decrypt
$decryptedMessage = openssl_decrypt($encryptedMessage, $encryptionMethod, $key, 0, $iv);
//Result
printf(
"Decrypted message: %s\n\nkeyHex=%s\nivHex=%s\nencryptedMessage=%s\n",
$decryptedMessage,
escapeshellarg($keyHex),
escapeshellarg($ivHex),
escapeshellarg($encryptedMessage)
);
获得这些详细信息后,您可以从命令行解密(re-using PHP 此处为变量名):
echo -n "$encryptedMessage" | openssl aes-256-cbc -d -a -A -K "$keyHex" -iv "$ivHex"
反过来
#!/bin/bash
# create in bash keys
echo "generating private key"
openssl genrsa -out privkey.pem 2048
echo "signing private key"
openssl req -new -key privkey.pem -out certreq.csr -subj "/C=RO/ST=AB L=AB/O=None/OU=Department/CN=someweb.com"
echo "create a sign request"
openssl x509 -req -in certreq.csr -signkey privkey.pem -out newcert.pem
# end-of-bash-script
cp ./privkey.pem /path/to/apache/root/<some>
加密一些 json 文件
openssl smime -encrypt -aes256 -in ./json.txt -binary -outform DER -out ./json.xxx newcert.pem
# test decrypt here in bash
# openssl smime -decrypt -in json.xxx -inform DER -inkey privkey.pem -out json.dec
Post 二进制到 php
curl --request POST --data-binary @./json.xxx http://localhost/<some/>json.php
然后json.php脚本@apache root
<?php
$rkey = file_get_contents("/var/www/html/privkey.pem");
$pkey = file_get_contents("/var/www/html/newcert.pem");
$data = file_get_contents("php://input");
$fenc = tempnam("", "enc");
$fdec = tempnam("", "dec");
file_put_contents($fenc,$data);
// openssl_pkcs7_decrypt ($fenc , $fdec , $pkey, $rkey ); unable to coerce parameter 3 to x509 cert
system("openssl smime -decrypt -in ${fenc} -inform DER -inkey privkey.pem -out ${fdec}");
echo file_get_contents($fdec);
?>
我正在 PHP 中加密密码,想在另一个盒子上解密。我运气不好,我希望能够直接从 bash 解密它并回显它。以下是 PHP.
中的测试片段$textToEncrypt = "My super secret information.";
$encryptionMethod = "AES-256-CBC";
$secretHash = "Testkey";
//To encrypt
$encryptedMessage = openssl_encrypt($textToEncrypt, $encryptionMethod, $secretHash);
//To Decrypt
$decryptedMessage = openssl_decrypt($encryptedMessage, $encryptionMethod, $secretHash);
//Result
echo "Encrypted: $encryptedMessage <br>Decrypted: $decryptedMessage";
我试过很多方法在Ubuntu上解密,甚至把数据存到文件里输出到文件里。尝试的命令是:
openssl aes-256-cbc -a -d -k Testkey -in foo.txt -out secrets.txt
其中foo.txt是PHP加密返回的值,secrets.txt是输出。我该怎么做?
正如评论中一样,值得重复的是,没有 IV 的加密是危险的。事实上,当前版本的 PHP 会发出警告。 IV 可以使用 openssl_random_pseudo_bytes() 函数随机生成,并与加密文本一起以明文形式传输。它们不必是秘密的,重要的是不要重复使用相同的密钥和 IV 组合,并有一个随机的 IV。
因此,除此之外,如果您看一下 the source for the function,它不会将 password 参数作为密码传递,而是作为关键。因此,要在命令行上使用 openssl,它需要以十六进制形式传递给 -K 选项,而不是 -k 选项。但是随后,您会收到一条错误消息 "iv undefined",因此您的 PHP 需要调整为包括一个:
<?php
$textToEncrypt = "My super secret information.\n";
$encryptionMethod = "AES-256-CBC";
$key = "Testkey";
$iv = openssl_random_pseudo_bytes(
openssl_cipher_iv_length($encryptionMethod)
);
$keyHex = bin2hex($key);
$ivHex = bin2hex($iv);
//To encrypt
$encryptedMessage = openssl_encrypt($textToEncrypt, $encryptionMethod, $key, 0, $iv);
//To Decrypt
$decryptedMessage = openssl_decrypt($encryptedMessage, $encryptionMethod, $key, 0, $iv);
//Result
printf(
"Decrypted message: %s\n\nkeyHex=%s\nivHex=%s\nencryptedMessage=%s\n",
$decryptedMessage,
escapeshellarg($keyHex),
escapeshellarg($ivHex),
escapeshellarg($encryptedMessage)
);
获得这些详细信息后,您可以从命令行解密(re-using PHP 此处为变量名):
echo -n "$encryptedMessage" | openssl aes-256-cbc -d -a -A -K "$keyHex" -iv "$ivHex"
反过来
#!/bin/bash
# create in bash keys
echo "generating private key"
openssl genrsa -out privkey.pem 2048
echo "signing private key"
openssl req -new -key privkey.pem -out certreq.csr -subj "/C=RO/ST=AB L=AB/O=None/OU=Department/CN=someweb.com"
echo "create a sign request"
openssl x509 -req -in certreq.csr -signkey privkey.pem -out newcert.pem
# end-of-bash-script
cp ./privkey.pem /path/to/apache/root/<some>
加密一些 json 文件
openssl smime -encrypt -aes256 -in ./json.txt -binary -outform DER -out ./json.xxx newcert.pem
# test decrypt here in bash
# openssl smime -decrypt -in json.xxx -inform DER -inkey privkey.pem -out json.dec
Post 二进制到 php
curl --request POST --data-binary @./json.xxx http://localhost/<some/>json.php
然后json.php脚本@apache root
<?php
$rkey = file_get_contents("/var/www/html/privkey.pem");
$pkey = file_get_contents("/var/www/html/newcert.pem");
$data = file_get_contents("php://input");
$fenc = tempnam("", "enc");
$fdec = tempnam("", "dec");
file_put_contents($fenc,$data);
// openssl_pkcs7_decrypt ($fenc , $fdec , $pkey, $rkey ); unable to coerce parameter 3 to x509 cert
system("openssl smime -decrypt -in ${fenc} -inform DER -inkey privkey.pem -out ${fdec}");
echo file_get_contents($fdec);
?>