PHP :: Bug #53850 :: openssl_pkey_export() with password not protecting private key

[2011-01-26 20:04 UTC] jason dot gerfen at gmail dot com

Description:
------------
I have tested this against php5.3.5 with OpenSSL 1.0.0c (arch linux) vs an older server running php5.2.14 with OpenSSL 0.9.8e (centos linux).


Test script:
---------------
$opts = array('config'=>'openssl.cnf',
              'encrypt_key'=>true,
              'private_key_type'=>OPENSSL_KEYTYPE_RSA,
              'digest_alg'=>'sha256',
              'private_key_bits'=>2048,
              'x509_extensions'=>'usr_cert');

$handle = openssl_pkey_new($opts);
openssl_pkey_export($handle, $privatekey, sha1($_SERVER['REMOTE_ADDR']), $opts);
echo $privatekey;


Expected result:
----------------
CentOS example output
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,C93B386451093918

buV1Kuaiu8QXhSeBdAF9Le2u+SSzaEtrHw6rLq19xL+9lWuwf4dFtrMPRI/PPvA5
HwBB7ZzT1AAzOAK2AnDiND3+n6IyqrkQjD7R0bGY6VLXdMr3qgGiJOkmsroF5t/H
LQEFGn9F8eOfEQTjkz4h9KYF/traXZSayBjNQ37fL42HO4M5WY0Ehms6bfeU5BN5
1d+NdENKLK0KVIJDNM3clQoHCc2KJwq70CeZmKq+tIG7UdigxmW0f9B/BMSM8PFx
3cFzt1eZVj23jPO65icEfqLWvdYUpOqFfZc17Si87LW8ExvO8yu4UPrk8iRR8eFH
LeOCPobR446Ehq8XBgFiFp8kzus5vDbqRLbMaBqul/mVWDmkpcyrnWJVAfginUar
FDTji8Ge8Zv5GgpuS2tjYkQpykthA17SKxDGe8s26feaHkErEanTWg5o50RP1oUo
1e2rrX+PVFoukN9f+j5OiScC8QDVfBcSZZYvfRmkE1SnF3S3CAVdtDIcqmy33WY+
Icx/n2uh3Y4tYafzSu/5O8ZeBzGUz3eKWMIAL66mxOclPAceWsQ6Ry22IBdjr+7p
Af3IKo4sWVtj3mOlrwNdNX9JtdHYiskNTVJ7+7DBlmbM+lfQlvb7wBsVek9ex6k2
qxWv250S+rdWuXBx3WuleQsQ14gBtX7Rf0Sk3DvOTinaU9C5n8xwaO9GWS0CJtjA
AkDTLZ0rylVjfdd3W7fjxfYtQEwnbKeIC1SEKuNR8tv6GXGuubU5Nt8Q5TIhZIYL
p2H027lafTE1Ky+KIRD0qZWfSEAujrxJVnH1n62edYxzWXfr+onS0g==
-----END RSA PRIVATE KEY-----

Actual result:
--------------
Arch linux sample output
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIkd4I9LadOsYCAggA
MBQGCCqGSIb3DQMHBAhqJEWqm0xA9ASCAoDgWeRhfyKrCqfW7aSW1rYs8LVjN3ug
p9Kn6U7YZydHwxYdwNSK80i0yw+yU+ovVck2BdCBnm8ggdyXgS5UVTt5bnJHIHls
rEe4spLl8hkc0sOcL/ZseVBoxKIan7ZY1c0AysAwmrniFXKehSTCByDMUC58rl6H
gejVJk4+yebHuLqeq7z9d9dIvEuAFI9qjZjqUhq8wsCdN2+scFi/3/DXDp1V5/AS
SCeIsVsvcBNPaI8CYP48R13+mQJ+AGAWewcoHtwu8IQGuG46vlqOaYULCfInr/w7
/Y+Ttd2Hd6RHcnE9vTW7bhOn49v6KCtcwpcAtSz2kHrAufGxjAMzFV2oEVZPsDGM
4Rf3H1JtlJKIFYktTLoz9/07kQR0c6S1UkBa2oG/O7G0in7igzQEafKPKOMdOo3j
jP23He7kHJTTja5HE41DryUwa1JIB4L/BtbLDiYJA7KcrY7WoSROL675OmJEG1v6
vjLD0kcxIqc4rT0xesv4JEwVBxh8R/1qlqJjvLGJU8UQYWAzLqiMsg2rqrAy9XQy
Eu53GLXKhKCV2NtuvVQMbvza3RajA77B2i/EEM/ORKGiDI9isHce2yM4hptggBU6
YZiqOzIcgYjo1Dv/IB069jUdxXUg874MD/MG9r1ERUsZrLX8UMyVVj7VmnH6tMsc
2S/YwCgvflRdubDEJdmTE8KUD6XSTUjhdy1Tqzzhfg3KZ8SI8Bknb4k1oV8pSAlC
9YezxiisH4FL041LpUGhj9lbvHtY+8ctxbAT35Jy6npK94rASmoOXt0TFcOJxoGn
xCZjstibMOzNSNFU8subS92Xsu9fWtEV+nCAgDOtJeMwqFNBE1g5e6JN
-----END ENCRYPTED PRIVATE KEY-----

[2011-01-26 20:12 UTC] pajoye@php.net

-Status: Open +Status: Feedback

[2011-01-26 20:12 UTC] pajoye@php.net

There is no different code in php to deal with this function.

If two versions of openssl give you two different results then it is a openssl 
problem, not php.

Also I would like you to test using the same PHP versions vs two openssl, then we 
can begin to discuss a possible issue. Be sure to use the latest versions 
available at php.net, not the centos (or any other distro) you use.

[2011-01-28 19:42 UTC] jason dot gerfen at gmail dot com

-Status: Feedback +Status: Open

[2011-01-28 19:42 UTC] jason dot gerfen at gmail dot com

I have verified this under the following conditions.

Arch Linux x86_64 installation

This configuration returns a password protected private key
Apache 2.2 [./configure]
OpenSSL 0.9.8q [./config --openssldir=/usr/local/openssl-0.9.8q --shared]
PHP 5.3.5 [./configure --with-apxs2=/usr/local/apache2/bin/apxs --disable-cli --with-openssl=/usr/local/openssl-0.9.8q]

This configuration however does not return a password protected key
Apache 2.2 [./configure]
OpenSSL 0.9.8q [./config --openssldir=/usr/local/openssl-1.0.0c --shared]
PHP 5.3.5 [./configure --with-apxs2=/usr/local/apache2/bin/apxs --disable-cli --with-openssl=/usr/local/openssl-1.0.0c]

Anything else you might find pertinent?

[2011-01-31 15:18 UTC] jason dot gerfen at gmail dot com

Since I have not heard anything else about this I did some digging to try and identify the problem.

I have been adding some warning output in the 'openssl-1.0.0c/crypto/pem/pem_pkey.c' file after reviewing the the 'php-5.3.5/ext/openssl/openssl.c' file and noticing and focusing on the calls to the OpenSSL shared objects for 'PEM_write_bio_PrivateKey()'.

When adding the warning output flags in the 'OpenSSL-1.0.0c/crypt/pem/pem_pkey.c' the password argument would always display as '(null)'.

Correct me if I am looking the wrong spot in helping identify the problem.

[2011-02-16 17:19 UTC] jason dot gerfen at gmail dot com

Can I get an update on this status?

[2011-03-08 21:27 UTC] jason dot gerfen at gmail dot com

On another note. Using strictly SSL commands to generate a new private key using both openssl-0.9.8x & openssl-1.0.0x (installed from source) produce a valid password protected private key.

[2011-11-16 14:27 UTC] felipe@php.net

Any news on this?

[2011-11-16 14:27 UTC] felipe@php.net

-Status: Open +Status: Feedback

[2013-02-18 00:34 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.

Patches

Pull Requests

History

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2023 The PHP Group All rights reserved.	Last updated: Fri Jun 09 08:03:38 2023 UTC