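I want to use PHP/OpenSSL to exchange data with other businesses. Each business creates a public/private key pair and publishes its public key. Then I write code to manage all of this. Here is the code in PHP (mostly from php.net):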
<?php
$data = "secret message";
$key = file_get_contents("bus1.pub");
// get temp file w/ write access
$plaintextfile = tempnam(sys_get_temp_dir(), 'abc');
$ciphertextfile = tempnam(sys_get_temp_dir(), 'abc');
$fp = fopen($plaintextfile, "w");
fwrite($fp, $data);
fclose($fp);
// encrypt it
if (openssl_pkcs7_encrypt($plaintextfile, $ciphertextfile, $key,
    array("To" => "nighthawk@example.com", // keyed syntax
          "From: HQ <hq@example.com>", // indexed syntax
          "Subject" => "Eyes only"))) {
    echo "encryption ok<br>";
} else
    echo "failure<br>";
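?>
However, I get an error (failure). I suspect I did not generate the keys correctly with OpenSSL. Please help me generate these keys correctly so that the PHP function above can read them.
Here is what I tried: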
openssl genrsa -out bus1.pem 2048
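openssl rsa -in bus1.pem -pubout > bus1.pub

Posted on 2014-01-05 08:06:14
OK. I had the wrong idea. Thanks to @towr for pointing out a debugging tool. For other readers, the solution is to generate a certificate as shown below. Every business needs to do this, keeping the private key and publishing the certificate: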
openssl genrsa -out business1.pass.key 2048
openssl rsa -in business1.pass.key -out business1.key
openssl req -new -key business1.key -out business1.csr
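openssl x509 -req -days 3650 -in business1.csr -signkey business1.key -out business1.crt

Posted on 2021-08-19 19:41:02
Another suggestion, from the PHP manual at https://www.php.net/manual/en/function.openssl-encrypt.php.
This is the most secure way to encrypt and decrypt data; it makes your encryption almost impossible to crack.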
--------------------------------------------------------
--- Create Two Random Keys And Save Them In Your Configuration File ---
<?php
// Create The First Key
echo base64_encode(openssl_random_pseudo_bytes(32));
// Create The Second Key
echo base64_encode(openssl_random_pseudo_bytes(64));
?>
--------------------------------------------------------
<?php
// Save The Keys In Your Configuration File
define('FIRSTKEY','Lk5Uz3slx3BrAghS1aaW5AYgWZRV0tIX5eI0yPchFz4=');
define('SECONDKEY','EZ44mFi3TlAey1b2w4Y7lVDuqO+SRxGXsa7nctnr/JmMrA2vN6EJhrvdVZbxaQs5jpSe34X3ejFK/o9+Y5c83w==');
?>
--------------------------------------------------------
<?php
function secured_encrypt($data)
{
    $first_key = base64_decode(FIRSTKEY);
    $second_key = base64_decode(SECONDKEY);
    $method = "aes-256-cbc";
    $iv_length = openssl_cipher_iv_length($method);
    // Fresh random IV for every message
    $iv = openssl_random_pseudo_bytes($iv_length);
    $first_encrypted = openssl_encrypt($data, $method, $first_key, OPENSSL_RAW_DATA, $iv);
    // Encrypt-then-MAC: the HMAC covers the IV as well as the ciphertext,
    // so a modified IV is rejected instead of silently altering the first plaintext block
    $second_encrypted = hash_hmac('sha3-512', $iv.$first_encrypted, $second_key, TRUE);
    // Output layout: IV | 64-byte HMAC | ciphertext
    $output = base64_encode($iv.$second_encrypted.$first_encrypted);
    return $output;
}
?>
--------------------------------------------------------
<?php
function secured_decrypt($input)
{
    $first_key = base64_decode(FIRSTKEY);
    $second_key = base64_decode(SECONDKEY);
    $mix = base64_decode($input);
    $method = "aes-256-cbc";
    $iv_length = openssl_cipher_iv_length($method);
    // Input layout: IV | 64-byte HMAC | ciphertext
    $iv = substr($mix, 0, $iv_length);
    $second_encrypted = substr($mix, $iv_length, 64);
    $first_encrypted = substr($mix, $iv_length + 64);
    // Recompute the HMAC over IV and ciphertext and compare in constant time
    $second_encrypted_new = hash_hmac('sha3-512', $iv.$first_encrypted, $second_key, TRUE);
    if (!hash_equals($second_encrypted, $second_encrypted_new))
        return false;
    // Decrypt only after the message has been authenticated
    return openssl_decrypt($first_encrypted, $method, $first_key, OPENSSL_RAW_DATA, $iv);
}
?>
https://stackoverflow.com/questions/20924978
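
The point of the 2014 answer, carried through end to end in PHP as an added example (not code from the question or either answer): openssl_pkcs7_encrypt needs an X.509 certificate for the recipient, and a bare public key like bus1.pub is rejected. The helper names, the certificate subject and the message are constructed for illustration.

```php
<?php
// Added example; subject name, addresses and message are constructed values.

// Recipient: key pair plus self-signed certificate (what the openssl commands in the answer produce).
$key = openssl_pkey_new(["private_key_type" => OPENSSL_KEYTYPE_RSA, "private_key_bits" => 2048]);
$csr = openssl_csr_new(["commonName" => "business1.example"], $key, ["digest_alg" => "sha256"]);
$crt = openssl_csr_sign($csr, null, $key, 3650, ["digest_alg" => "sha256"]); // null CA = self-signed
openssl_x509_export($crt, $certPem);               // published to partners
openssl_pkey_export($key, $keyPem);                // never leaves the recipient
$pubPem = openssl_pkey_get_details($key)["key"];   // bare public key, as in bus1.pub

// Run $fn on two temp files (input holding $data, output empty); return the output or null.
function via_temp_files(string $data, callable $fn): ?string
{
    $in = tempnam(sys_get_temp_dir(), "p7i");
    $out = tempnam(sys_get_temp_dir(), "p7o");
    file_put_contents($in, $data);
    $result = $fn($in, $out) ? file_get_contents($out) : null;
    unlink($in);
    unlink($out);
    return $result;
}

function pkcs7_encrypt_for(string $message, string $recipientPem): ?string
{
    $headers = ["To" => "nighthawk@example.com", "Subject" => "Eyes only"];
    return via_temp_files($message, function ($in, $out) use ($recipientPem, $headers) {
        // Cipher is set explicitly rather than relying on the PHP version's default.
        return openssl_pkcs7_encrypt($in, $out, $recipientPem, $headers, 0, OPENSSL_CIPHER_AES_256_CBC);
    });
}

function pkcs7_decrypt_with(string $smime, string $certPem, string $keyPem): ?string
{
    return via_temp_files($smime, function ($in, $out) use ($certPem, $keyPem) {
        return openssl_pkcs7_decrypt($in, $out, $certPem, $keyPem);
    });
}

// A bare public key is not an X.509 certificate, so PKCS#7 encryption to it fails.
if (pkcs7_encrypt_for("secret message", $pubPem) === null) {
    echo "public key rejected\n";
    while (($err = openssl_error_string()) !== false) {
        echo "  openssl: $err\n";   // drain OpenSSL's error queue to see why
    }
}

// The certificate works, and only the holder of the private key can decrypt.
$smime = pkcs7_encrypt_for("secret message", $certPem);
echo "decrypted: ", pkcs7_decrypt_with($smime, $certPem, $keyPem), "\n";
```

The plaintext passes through a temporary file here, as in the question's code, so the temp directory should not be readable by other users.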