
I'm creating an X509 certificate using phpseclib and all of that seems to be fine. Once I've created the certificate, I save it down as a pkcs12 file in PHP using the private key associated with my certificate. However, once I read that file, the private key I get back is different. Shouldn't the key be the same?

For instance, let's say I call:

openssl_pkcs12_export_to_file($cert, $write_loc, $priv_key, $pass);

Works great, now when I read the file with:

openssl_pkcs12_read($write_loc, $certs, $pass);

The output in $certs['pkey'] differs from the $priv_key I passed to the export_to_file method above.

Surely they must be the same, or am I mixing up 2 completely different things?

Thank you!

Meezaan-ud-Din

1 Answer


I think what's going on is explained at PHP RSA key creation

Basically, you're using a key that starts off with -----BEGIN RSA PRIVATE KEY----- and the key you're getting back starts off with -----BEGIN PRIVATE KEY-----.

The former is a PKCS1 formatted private key and the latter is a PKCS8 formatted private key. The latter has the private key type embedded within the base64-encoded data itself whereas the former has the private key type embedded in the human readable string.

Some versions of PHP / OpenSSL output the PKCS8 key and others output the PKCS1 key.

neubert
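The following is an added example (not code from the question, the answer or phpseclib) that round-trips a fresh self-signed certificate and its key through PKCS#12 with PHP's openssl functions, prints the two PEM headers, and then checks that the key material itself is unchanged by comparing the RSA modulus and exponent and by signing with the returned key and verifying under the returned certificate. The DN and passphrase are constructed test values.

```php
<?php
// Added example: round-trip a key through PKCS#12 and confirm that the key
// that comes back is the same key even when its PEM header differs.
// The DN and passphrase below are constructed test values.

$dn  = ['commonName' => 'pkcs12-roundtrip.example'];
$key = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
$csr  = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => 'sha256']); // self-signed, 1 day

// PEM export: the header is "BEGIN RSA PRIVATE KEY" (PKCS#1) or
// "BEGIN PRIVATE KEY" (PKCS#8) depending on the PHP / OpenSSL build.
openssl_pkey_export($key, $privPem);

$pass = 'constructed-test-passphrase';
openssl_pkcs12_export($cert, $p12, $key, $pass);
openssl_pkcs12_read($p12, $certs, $pass);

// 1. The headers are what differ in the question.
echo "exported : ", strtok($privPem, "\n"), "\n";
echo "from p12 : ", strtok($certs['pkey'], "\n"), "\n";

// 2. The key material: PKCS#1 and PKCS#8 are two encodings of the same
//    RSA parameters, so the modulus n and public exponent e must match.
function rsaPublicParts(string $pem): array
{
    $details = openssl_pkey_get_details(openssl_pkey_get_private($pem));
    return [bin2hex($details['rsa']['n']), bin2hex($details['rsa']['e'])];
}
$sameKey = rsaPublicParts($privPem) === rsaPublicParts($certs['pkey']);
echo $sameKey ? "same RSA key\n" : "DIFFERENT key\n";

// 3. Functional check: a signature made with the key from the PKCS#12 file
//    must verify under the public key of the certificate that came with it.
openssl_sign('probe', $sig, $certs['pkey'], OPENSSL_ALGO_SHA256);
$ok = openssl_verify('probe', $sig, openssl_pkey_get_public($certs['cert']), OPENSSL_ALGO_SHA256);
echo $ok === 1 ? "key and certificate match\n" : "key/certificate mismatch\n";
```

Comparing n and e (or the signature check) is the test to rely on; comparing the PEM text byte for byte will report a false mismatch whenever the two encodings differ.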
  • Hi there, yes you're right. I figured this out yesterday after seeing http://stackoverflow.com/questions/20065304/what-is-the-differences-between-begin-rsa-private-key-and-begin-private-key and scrapped key generation with phpseclib and went to PHP's openssl functions. Even if I tell phpseclib to use PKCS8, it doesn't. I imagine that is a bug to raise with them. – Meezaan-ud-Din Aug 28 '15 at 14:40
  • It works if you're using the newest version. If you don't think it does I'll make a bet with you. $10.00 via PayPal says that it works and that you're either using it incorrectly or are using an out-of-date version. – neubert Aug 28 '15 at 23:20
  • So if you're right and it's a bug with the latest version (1.0.0) I'll pay you $10.00 and if you're wrong you'll pay me $10.00. – neubert Aug 29 '15 at 01:25
  • If you need $10, I can send it you anyway. I don't know what version I was using, and I won't be able to find out until next week anyway. In any case, as it stands, I had to get openssl to work with PHP because I needed to use PKCS12 which is not supported by the library. Version aside, though, I was using the setPrivateKeyFormat() method and passing it the PKCS8 constant, so version is the most likely explanation. – Meezaan-ud-Din Aug 30 '15 at 00:04
  • I don't need $10 lol. I was just trying to incentivize you to help me out. I'm not the lead dev of phpseclib but I did a pull request for the PKCS8 feature so I'm a bit motivated to see that it works for people lol. But I agree about PKCS12. That's a little more involved than PKCS8. – neubert Aug 30 '15 at 02:34
  • I'm back at work on Tuesday so will have a look then and let you know. – Meezaan-ud-Din Aug 30 '15 at 13:28
  • I just checked my composer.json file. I think version was probably the problem (now I'm using PHP's openssl methods anyway) as that has 0.3.10. Wonder where I got that from! – Meezaan-ud-Din Sep 02 '15 at 12:07