How could I remove the passphrase from an RSA private key using PHP?

I know that in OpenSSL it is done this way: `openssl rsa -in key.key -out key.key`, and I am searching for the equivalent of this command in PHP.


The RSA command requires the passphrase:

OpenSSL> rsa -in key2.key -out key2.key 
Enter pass phrase for key2.key:
hakre

Disa
  • What about system? http://php.net/manual/en/function.system.php – erenon Dec 16 '12 at 13:10
  • I don't want to keep keys on server. Only one place where they appears are variables – Disa Dec 16 '12 at 13:12
  • Have you looked at [this openssl manual page](http://au1.php.net/manual/en/function.openssl-pkey-export-to-file.php)? – Ja͢ck Dec 16 '12 at 13:20
  • This function saves the private key generated by `openssl_pkey_new`; providing the passphrase is required if a passphrase was used during generation. – Disa Dec 16 '12 at 13:23

2 Answers

This would accomplish the same operation using the openssl extension:

$key = file_get_contents('key2.key');
$password = 'your password or pass phrase';

// Decrypt the key in memory; returns false on a wrong passphrase or malformed PEM
if (false === ($pkey = openssl_pkey_get_private($key, $password))) {
    die(openssl_error_string());
}
// No passphrase argument: the exported PEM is written unencrypted
openssl_pkey_export($pkey, $out_key);
file_put_contents('key2.key', $out_key);

A concrete example:

$key = <<<EOS
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,775352C44A559B6C

V8EuwC29zy4yuY7Ie+HvyygjKJx4G+VF/SgjjCQR+Q/iLaXcoXhIMBmP9ugQpywu
Tgmg25PruaXl3Mabs2h03aUwLyFEEjcnaVz4IFYGflqDIBbSb/Y4Q9Ef0OjbCwCJ
5pEnD0ATPtb+bptHk7VitvyK9vIN4zrqDeWdpGkqhYZx4SkUDLBhcYYYA3eY8P7y
/yeUmHt2p12W7xF4OWflNj0ot7N2GoofKrAomW0vHVAAlVHj4OVyZYeOEG/8gm2A
a3xo+LS9D2tFJjCtnP5ytczWnsoe18bKlWbjV/IimlkVEqR6jx0jC99eCUHyaSvm
OfU/DHHcooBIJxXB5VfxFbRzjyWYgsAiVf2lThvusRb+j8/Ey28t5CWx8ME2hgmk
hrTPmCFor+Lx/7++cmOFWSNvJU8MrC6jH+q2R3xIPuY=
-----END RSA PRIVATE KEY-----
EOS;
$password = 'superman';

if (false === ($pkey = openssl_pkey_get_private($key, $password))) {
    die(openssl_error_string());
}
openssl_pkey_export($pkey, $out_key);
echo $out_key;
Ja͢ck
  • This function saves the encrypted key – Disa Dec 16 '12 at 13:28
  • I have to save it decrypted – Disa Dec 16 '12 at 13:29
  • @Disa: And? What is your issue? – hakre Dec 16 '12 at 13:29
  • @Disa the third parameter to `openssl_pkey_export_to_file()` is the pass phrase, which i've left empty. – Ja͢ck Dec 16 '12 at 13:31
  • `$config = array('private_key_bits' => $k, 'passphrase' => "$p"); $privKey = openssl_pkey_new($config); openssl_pkey_export($privKey, $klucz, "$p");` $p is the passphrase and $k is the length. After generating this key I have to decrypt it – Disa Dec 16 '12 at 13:31
  • @Jack Leaving the third parameter empty will lead to a parser error, because the key is encrypted – Disa Dec 16 '12 at 13:32
  • @Disa From your question it would seem that you have a key with pass phrase and you wish to remove it ... if that's not the case, please update your question. – Ja͢ck Dec 16 '12 at 13:33
  • @Jack Because it increases the security of key – Disa Dec 16 '12 at 13:35
  • @Jack Generating a key without a passphrase makes it less secure, but the passphrase inside the key creates another problem later: the WWW server will ask for this password every time it starts up – Disa Dec 16 '12 at 13:40
  • It decreases the security level. An encrypted key, which is later decrypted, offers way better security than one not encrypted at generation. – Disa Dec 16 '12 at 13:48
  • @Disa: Why don't you create subkeys you can revoke? Wouldn't that be more secure? – hakre Dec 16 '12 at 14:05
  • 2
    @Disa I've just tested my code and it works exactly like how `openssl` works on the command line. – Ja͢ck Dec 17 '12 at 03:33
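A self-contained round trip of the approach in this answer, added here as an example (not code from the original answer): a constructed key is exported with a passphrase, the passphrase is stripped with `openssl_pkey_get_private` plus `openssl_pkey_export`, and the result is checked to load without a passphrase and to carry the same public key. The `strip_passphrase` and `add_passphrase` helper names are assumptions; everything else is the PHP openssl extension.

```php
<?php
// Added example: remove (and re-add) the passphrase on a PEM private key in
// memory, the PHP equivalent of `openssl rsa -in key.key -out key.key`.
// Assumes PHP 7.x+ with ext-openssl; helper names are hypothetical.

function strip_passphrase(string $encryptedPem, string $passphrase): string
{
    // Decrypts the PEM in memory; false on a wrong passphrase or malformed input.
    $pkey = openssl_pkey_get_private($encryptedPem, $passphrase);
    if ($pkey === false) {
        throw new RuntimeException('cannot load key: ' . openssl_error_string());
    }
    // Third argument omitted: the exported PEM is unencrypted.
    if (!openssl_pkey_export($pkey, $plainPem)) {
        throw new RuntimeException('export failed: ' . openssl_error_string());
    }
    return $plainPem;
}

function add_passphrase(string $plainPem, string $passphrase): string
{
    // Reverse direction: encrypt a plain key before it is written anywhere.
    $pkey = openssl_pkey_get_private($plainPem);
    if ($pkey === false || !openssl_pkey_export($pkey, $encPem, $passphrase)) {
        throw new RuntimeException('cannot encrypt key: ' . openssl_error_string());
    }
    return $encPem;
}

// Constructed throwaway key, generated here for the demonstration only.
$pkey = openssl_pkey_new(['private_key_bits' => 2048,
                          'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pkey, $encrypted, 'superman');

$plain = strip_passphrase($encrypted, 'superman');

// Checks: input is marked ENCRYPTED, output is not, output loads with no
// passphrase, and both sides describe the same public key.
assert(strpos($encrypted, 'ENCRYPTED') !== false);
assert(strpos($plain, 'ENCRYPTED') === false);
$reloaded = openssl_pkey_get_private($plain);
assert($reloaded !== false);
assert(openssl_pkey_get_details($reloaded)['key'] === openssl_pkey_get_details($pkey)['key']);

// Wrong passphrase: the decrypt step fails and nothing is exported.
try { strip_passphrase($encrypted, 'wrong'); assert(false); } catch (RuntimeException $e) {}

// Round trip back to an encrypted PEM with a different passphrase.
assert(strpos(add_passphrase($plain, 'batman'), 'ENCRYPTED') !== false);
echo $plain;
```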
2

Using phpseclib, a pure PHP RSA implementation:

<?php
include('Crypt/RSA.php');

$rsa = new Crypt_RSA();
// Passphrase used to decrypt the key being loaded
$rsa->setPassword('password');
$rsa->loadKey('...');

// Clear the passphrase so the key is emitted unencrypted
$rsa->setPassword();
echo $rsa->getPrivateKey();
?>
  • This is exactly what my answer does. – Ja͢ck Dec 17 '12 at 03:37
  • @Jack - see http://stackoverflow.com/questions/13908284/removing-password-from-rsa-private-key and tell me why openssl_* isn't working. –  Dec 17 '12 at 04:32
  • So that's fixed now =D I suppose it's because `Crypt_RSA` writes those keys with a non-compatible line length ... which is really strange. – Ja͢ck Dec 17 '12 at 06:34
  • 1
    Yah - I think you're right. I sent the author an email. But I think it's just a matter of tolerances. PuTTY likes those keys just fine. I mean, what is the key but a base64-encoded DER? Why should the line length matter to OpenSSL? Why is a new line needed? I don't know how Disa got her keys. I was the first one to mention phpseclib - not her. So maybe other programs are creating keys that OpenSSL doesn't like either with it's uber pickyness. –  Dec 17 '12 at 07:27
  • @ansur Thanks for posting the follow up question though, it was worthwhile for both of us I think :) – Ja͢ck Dec 18 '12 at 02:20