removing password from rsa private key
Asked Answered
H

2

10

Here's how I'd do it with phpseclib (which works):

<?php
include('Crypt/RSA.php');

$rsa = new Crypt_RSA();
$rsa->setPassword('password');
$result = $rsa->loadKey('-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E3B1C06E0D0C2633

gvmXzl6W7eV1a3N5rQNwBWKY9on3IgxZudS33cip5f88FotsPSDJMvqj6LVw2RxobDjhlOOzqmTb
VrlTnoQ6CogXFZSfiPmixiyyptCUEKJkSiEhYGM5GQm0OoGcLeLbgBb9tRpWh5IlXulKD6XFhx8q
/eGg5a+mSkX1i7kv2+Ih3jHmEKwrnfzhcA29pBF3OQJo+Ks9IYneuk676pHtsIs7CpFKq1tDvD8Q
O7URxnVnHLltaFvIxshqyZu92xbUYZR7YzjXl5+3w4TVgeAHUogEV+H9iZTosD/copUsbQO+78w2
E1D3iDS94wRgx0Tjv4xlwrTpOV38FS5rdL32492DcCRlCYM4VtuwjYeWi5shJg69jCb0EwGRqfAo
xko+lbKWELTuFKwD7n1rc/2fTarbGuf8S2AEggBLZyfXHC/9N84mXLFO2XKq+0WdiEFhQj2Cze+a
9qcSK6tPSrjK1LPlnOOppFgDElZaZ0rxsgjtiWSIAEw/Ad+SIM5u+vqwzF8J317JlsdKoBFDw8mS
MxCMuMksKJ23mgvY+THRIVgH3E7lEDZQzCi1Uy6ldLJcran/6wHwP88pVM2odiHkpnrJGcEBbbIk
qsxJZhFT8aUt/cUEBj3fnP7cxoNLQfTHMPqUTqKBWaVufFzGU9YB1R+XWFULLddwJHnV7gPheBlk
MDapowb+Is77+a9Y2VDsOXEvNpqTY0giiSrckG05IZnrhJ24JnSCwyNd99lm7XKdEGGrjBCMqIyI
Fqox8Ahkv3KWAJPYK1eOCc5d/KwZHlnlFJq7ZYy9u3fEnxQCjOEmeXLkLangKA==
-----END RSA PRIVATE KEY-----');

echo $result ? 'true' : 'false';
?>

For comparison purposes, however, I'm trying to do it with OpenSSL. Here's my code:

<?php
$pkey = openssl_pkey_get_private('-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E3B1C06E0D0C2633

gvmXzl6W7eV1a3N5rQNwBWKY9on3IgxZudS33cip5f88FotsPSDJMvqj6LVw2RxobDjhlOOzqmTb
VrlTnoQ6CogXFZSfiPmixiyyptCUEKJkSiEhYGM5GQm0OoGcLeLbgBb9tRpWh5IlXulKD6XFhx8q
/eGg5a+mSkX1i7kv2+Ih3jHmEKwrnfzhcA29pBF3OQJo+Ks9IYneuk676pHtsIs7CpFKq1tDvD8Q
O7URxnVnHLltaFvIxshqyZu92xbUYZR7YzjXl5+3w4TVgeAHUogEV+H9iZTosD/copUsbQO+78w2
E1D3iDS94wRgx0Tjv4xlwrTpOV38FS5rdL32492DcCRlCYM4VtuwjYeWi5shJg69jCb0EwGRqfAo
xko+lbKWELTuFKwD7n1rc/2fTarbGuf8S2AEggBLZyfXHC/9N84mXLFO2XKq+0WdiEFhQj2Cze+a
9qcSK6tPSrjK1LPlnOOppFgDElZaZ0rxsgjtiWSIAEw/Ad+SIM5u+vqwzF8J317JlsdKoBFDw8mS
MxCMuMksKJ23mgvY+THRIVgH3E7lEDZQzCi1Uy6ldLJcran/6wHwP88pVM2odiHkpnrJGcEBbbIk
qsxJZhFT8aUt/cUEBj3fnP7cxoNLQfTHMPqUTqKBWaVufFzGU9YB1R+XWFULLddwJHnV7gPheBlk
MDapowb+Is77+a9Y2VDsOXEvNpqTY0giiSrckG05IZnrhJ24JnSCwyNd99lm7XKdEGGrjBCMqIyI
Fqox8Ahkv3KWAJPYK1eOCc5d/KwZHlnlFJq7ZYy9u3fEnxQCjOEmeXLkLangKA==
-----END RSA PRIVATE KEY-----', 'password');
if ($pkey === false) exit('FAILURE');
openssl_pkey_export($pkey, $out_key_file);
echo $out_key_file;
?>

Only problem: the code dies prematurely, echo'ing out FAILURE. ie. openssl_pkey_get_private() isn't loading the key. openssl_error_string says "error:0906D066:PEM routines:PEM_read_bio:bad end line".

Any ideas?

Heteromorphic answered 17/12, 2012 at 4:32 Comment(2)
I hope this particular key you've published isn't one you plan to use for keeping stuff safe =)Pneumonia
Maybe the password of "password" that he's using for the key he posted is a password he's using universally. Maybe he posted his stackoverflow password :PSelfconfessed
L
8

I'm not sure what's going on here; I've tried your code and it gives the same issue, so I've generated a key myself:

openssl genrsa -des3 -out des3.rsa

Then copied the contents into this script:

$out_key_file = 'des3nopass.rsa';

$key = <<<EOS
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5F2FDB4C8F710F92

pkaBIMCdnvrejw6egagg/lGrrGJWLsceDkC0KSdouRfR8LhQS/XjSJ/Wqrj7fa36
xXRd/USBebgy2hLAi9RMPofOjlcUyUVvZZgh0+JDQ79pH5q1FsRMcsJ+J8GO0edw
kh8zdZoCbbtJgQjTx0JheJMDdZymw4cfK5hoZbnxX6HZ1wNhtPb7Z/noNcxpK6Zl
CCzPgLd9hCGLBD2XqoRjOM1U2vpZwpCTdYgAtFIPMVXQQpzgIyw06CHcHvYZgnAc
oxiVx7Z7N9r0J1vDnlrW/OU1l07D0pBr1yPRTDMI5tBMo8KDsL2tkBxqtYyOJdZr
as/5zQDPRlbW7Jve1JuXmsnja+gN7jZ+3LpUzfRFo/wWnvOzhHQxLz+RaUpVDYTl
F4m9zjo9dgOhlZzigOhYTB+5aq5f92Yf6K0daCwTDpU=
-----END RSA PRIVATE KEY-----
EOS;

$pkey = openssl_pkey_get_private($key, 'password');
if ($pkey === false) {
        die(openssl_error_string());
}

openssl_pkey_export($pkey, $out_key_file);
echo "Wrote to $out_key_file\n";

And that works fine for me.

Update

I've tried to perform this using openssl command line as well, using your key:

openssl rsa -in des3big.rsa -out des3bignopass.rsa
unable to load Private Key
14179:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:746:

It seems that OpenSSL has an issue with it as well, so it's not PHP.

Update 2

Turns out that your lines are too long (they should be 64 characters wide):

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E3B1C06E0D0C2633

gvmXzl6W7eV1a3N5rQNwBWKY9on3IgxZudS33cip5f88FotsPSDJMvqj6LVw2Rxo
bDjhlOOzqmTbVrlTnoQ6CogXFZSfiPmixiyyptCUEKJkSiEhYGM5GQm0OoGcLeLb
gBb9tRpWh5IlXulKD6XFhx8q/eGg5a+mSkX1i7kv2+Ih3jHmEKwrnfzhcA29pBF3
OQJo+Ks9IYneuk676pHtsIs7CpFKq1tDvD8QO7URxnVnHLltaFvIxshqyZu92xbU
YZR7YzjXl5+3w4TVgeAHUogEV+H9iZTosD/copUsbQO+78w2E1D3iDS94wRgx0Tj
v4xlwrTpOV38FS5rdL32492DcCRlCYM4VtuwjYeWi5shJg69jCb0EwGRqfAoxko+
lbKWELTuFKwD7n1rc/2fTarbGuf8S2AEggBLZyfXHC/9N84mXLFO2XKq+0WdiEFh
Qj2Cze+a9qcSK6tPSrjK1LPlnOOppFgDElZaZ0rxsgjtiWSIAEw/Ad+SIM5u+vqw
zF8J317JlsdKoBFDw8mSMxCMuMksKJ23mgvY+THRIVgH3E7lEDZQzCi1Uy6ldLJc
ran/6wHwP88pVM2odiHkpnrJGcEBbbIkqsxJZhFT8aUt/cUEBj3fnP7cxoNLQfTH
MPqUTqKBWaVufFzGU9YB1R+XWFULLddwJHnV7gPheBlkMDapowb+Is77+a9Y2VDs
OXEvNpqTY0giiSrckG05IZnrhJ24JnSCwyNd99lm7XKdEGGrjBCMqIyIFqox8Ahk
v3KWAJPYK1eOCc5d/KwZHlnlFJq7ZYy9u3fEnxQCjOEmeXLkLangKA==
-----END RSA PRIVATE KEY-----
Loma answered 17/12, 2012 at 5:52 Comment(1)
OMG OpenSSL is so finicky. New line at the end, lines have to be 64 characters long, etc. Nice find though!Heteromorphic
P
1

Might find further info by looking into the cause of the error:

if ($pkey === false) {
  echo openssl_error_string();
  exit('FAILURE');
}

Edit: Given the error "PEM_read_bio:bad end line" here is the portion of OpenSSL source which triggers:

[...]
if ((strncmp(buf,"-----END ",9) != 0) ||
        (strncmp(nameB->data,&(buf[9]),i) != 0) ||
        (strncmp(&(buf[9+i]),"-----\n",6) != 0)) {

        PEMerr(PEM_F_PEM_READ_BIO,PEM_R_BAD_END_LINE);
        goto err;
        }
[...]

Looking at your code I suspect you'll need a newline char appended to the end of the private key string.

Pinna answered 17/12, 2012 at 5:25 Comment(5)
It says "error:0906D066:PEM routines:PEM_read_bio:bad end line"Heteromorphic
this might help: edokan.wordpress.com/2011/10/22/… -- the author suggests must end with a line feed charPinna
i just looked up the error in openssl sources and indeed there must be a newline as the last character in the stringPinna
I tried adding a new line to no avail.. try it out yourself.. does a new line make it work for you?Heteromorphic
Guessing both fixes were required? I'm curious if OpenSSL returned a different error or the same in reference to the line lengthPinna

© 2022 - 2024 — McMap. All rights reserved.