将 OpenSSL 生成的 RSA 公钥转换为 OpenSSH 格式 (PHP)

发布于 2024-10-30 06:39:09 字数 1722 浏览 0 评论 0原文

我已经尝试使用 PHP 的 openssl 扩展生成 RSA 密钥对并将结果保存为 OpenSSH 兼容密钥对 - 这意味着私钥是 PEM 编码的（这很容易）并且公钥以 OpenSSH 特定格式存储格式如下：

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA...more base64 encoded stuff...

据我所知，此格式包括：

明文形式的密钥类型，后跟空格（即“openssh-rsa ”）
表示以下数据的 base64 编码字符串：
- 算法名称的长度（以字节为单位）（在本例中为 7），编码为 32 位无符号长大端字节序
- 算法名称，在本例中为“ssh-rsa”
- RSA“e”数字的长度（以字节为单位），编码为 32 位无符号长大端字节序
- RSA“e”编号
- RSA“n”数字的长度（以字节为单位），编码为 32 位无符号长大端字节序
- RSA“n”号

我尝试使用 PHP 的 pack( ) 函数，但无论我尝试什么，结果都不等于我在 openssl 生成的同一个 RSA 私钥上使用 ssh-keygen -y -f 命令得到的结果。

这是我的代码的简化版本：

<?php

// generate private key
$privKey = openssl_pkey_new(array(
    'private_key_bits' => 1024,
    'private_key_type' => OPENSSL_KEYTYPE_RSA
));

// convert public key to OpenSSH format
$keyInfo = openssl_pkey_get_details($privKey);
$data = pack("Na*", 7, 'ssh-rsa');
$data .= pack("Na*", strlen($keyInfo['rsa']['e']), $keyInfo['rsa']['e']);
$data .= pack("Na*", strlen($keyInfo['rsa']['n']), $keyInfo['rsa']['n']);

$pubKey = "ssh-rsa " . base64_encode($data);

echo "PHP generated RSA public key:\n$pubKey\n\n";

// For comparison, generate public key using ssh-keygen
openssl_pkey_export($privKey, $pem);
$umask = umask(0066); // this is needed for ssh-keygen to work properly
file_put_contents('/tmp/ssh-keygen-test', $pem);
umask($umask); 

exec('ssh-keygen -y -f /tmp/ssh-keygen-test', $out, $ret);
$otherPubKey = $out[0];
echo "ssh-keygen generated RSA public key:\n$otherPubKey\n\n";

echo ($pubKey == $otherPubKey ? "yes! they are the same\n" : "FAIL! they are different\n");

?>

有关如何在不依赖 ssh-keygen 的情况下执行此操作的任何提示？

原文

I've been trying for a while to generate an RSA keypair using PHP's openssl extension and save the result as an OpenSSH compatible keypair - meaning the private key is PEM encoded (which is easy) and the public key is stored in an OpenSSH specific format of the following form:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA...more base64 encoded stuff...

As far as I could gather this format consists of:

the key type in clear text, followed by space (i.e. "openssh-rsa ")
A base64 encoded string representing the following data:
- the length of the algorithm name in bytes (in this case 7) encoded as 32 bit unsigned long big endian
- the algorithm name, in this case 'ssh-rsa'
- the length of the RSA 'e' number in bytes, encoded as 32 bit unsigned long big endian
- the RSA 'e' number
- the length of the RSA 'n' number in bytes, encoded as 32 bit unsigned long big endian
- the RSA 'n' number

I've tried implementing this using PHP's pack() function, but no matter what I try the result is never equivalent to what I get from using the ssh-keygen -y -f command on the same RSA private key generated by openssl.

Here is a simplified version of my code:

<?php

// generate private key
$privKey = openssl_pkey_new(array(
    'private_key_bits' => 1024,
    'private_key_type' => OPENSSL_KEYTYPE_RSA
));

// convert public key to OpenSSH format
$keyInfo = openssl_pkey_get_details($privKey);
$data = pack("Na*", 7, 'ssh-rsa');
$data .= pack("Na*", strlen($keyInfo['rsa']['e']), $keyInfo['rsa']['e']);
$data .= pack("Na*", strlen($keyInfo['rsa']['n']), $keyInfo['rsa']['n']);

$pubKey = "ssh-rsa " . base64_encode($data);

echo "PHP generated RSA public key:\n$pubKey\n\n";

// For comparison, generate public key using ssh-keygen
openssl_pkey_export($privKey, $pem);
$umask = umask(0066); // this is needed for ssh-keygen to work properly
file_put_contents('/tmp/ssh-keygen-test', $pem);
umask($umask); 

exec('ssh-keygen -y -f /tmp/ssh-keygen-test', $out, $ret);
$otherPubKey = $out[0];
echo "ssh-keygen generated RSA public key:\n$otherPubKey\n\n";

echo ($pubKey == $otherPubKey ? "yes! they are the same\n" : "FAIL! they are different\n");

?>

Any tips on how I can do this without relying on ssh-keygen?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

牵你手 2024-11-06 06:39:09

好的，我刚刚通过仔细查看将 pem 密钥转换为 ssh-rsa 格式（我之前做过，但显然我错过了一些重要的东西）。我需要将 N 和 e 的第一个字符与 0x80 进行 AND 运算，如果匹配，则在数字开头添加另一个 NULL 字符，并将大小分别增加 1。

我不确定为什么这样做（我在网上搜索中没有找到任何对此的引用），但它有效。

我只对此进行了基本测试，但它似乎运行良好，这里是我的代码：

<?php

$privKey = openssl_pkey_get_private($rsaKey);
$pubKey = sshEncodePublicKey($privKey);

echo "PHP generated RSA public key:\n$pubKey\n\n";

function sshEncodePublicKey($privKey)
{
    $keyInfo = openssl_pkey_get_details($privKey);

    $buffer  = pack("N", 7) . "ssh-rsa" . 
               sshEncodeBuffer($keyInfo['rsa']['e']) . 
               sshEncodeBuffer($keyInfo['rsa']['n']);

    return "ssh-rsa " . base64_encode($buffer); 
}

function sshEncodeBuffer($buffer)
{
    $len = strlen($buffer);
    if (ord($buffer[0]) & 0x80) {
        $len++;
        $buffer = "\x00" . $buffer;
    }

    return pack("Na*", $len, $buffer);
}
?>

Ok, I have just solved my own problem by taking a closer look at the C implementation references from Convert pem key to ssh-rsa format (which I did before but apparently I missed some important stuff). I needed to AND the first character of N and e with 0x80 and if it matches add another NULL character at the beginning of the number and increase the size by 1 respectively.

I am not sure why this is done (I didn't find any reference to this in on-line searching I did) but it works.

I've only done basic tests on this but it seems to work well, and here my code:

<?php

$privKey = openssl_pkey_get_private($rsaKey);
$pubKey = sshEncodePublicKey($privKey);

echo "PHP generated RSA public key:\n$pubKey\n\n";

function sshEncodePublicKey($privKey)
{
    $keyInfo = openssl_pkey_get_details($privKey);

    $buffer  = pack("N", 7) . "ssh-rsa" . 
               sshEncodeBuffer($keyInfo['rsa']['e']) . 
               sshEncodeBuffer($keyInfo['rsa']['n']);

    return "ssh-rsa " . base64_encode($buffer); 
}

function sshEncodeBuffer($buffer)
{
    $len = strlen($buffer);
    if (ord($buffer[0]) & 0x80) {
        $len++;
        $buffer = "\x00" . $buffer;
    }

    return pack("Na*", $len, $buffer);
}
?>

回复收藏 0 原文

琉璃繁缕 2024-11-06 06:39:09

更简单的方法，使用 phpseclib，一个纯 PHP RSA 实现：

<?php
include('Crypt/RSA.php');

$rsa = new Crypt_RSA();
$rsa->loadKey('-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0
FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/
3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB
-----END PUBLIC KEY-----');
$rsa->setPublicKey();

$publickey = $rsa->getPublicKey(CRYPT_RSA_PUBLIC_FORMAT_OPENSSH);
?>

输出：

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZw== phpseclib-generated-key

来源：

http://phpseclib.sourceforge.net/rsa/examples.html#public,openssh

Much simpler method, using phpseclib, a pure-PHP RSA implementation:

<?php
include('Crypt/RSA.php');

$rsa = new Crypt_RSA();
$rsa->loadKey('-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0
FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/
3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB
-----END PUBLIC KEY-----');
$rsa->setPublicKey();

$publickey = $rsa->getPublicKey(CRYPT_RSA_PUBLIC_FORMAT_OPENSSH);
?>

Output:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZw== phpseclib-generated-key

Source:

http://phpseclib.sourceforge.net/rsa/examples.html#public,openssh

回复收藏 0 原文

~没有更多了~