From:             
Operating system: arch linux x86_64
PHP version:      5.3.5
Package:          OpenSSL related
Bug Type:         Bug
Bug description:  openssl_pkey_export() with password not protecting private key

Description:
------------
I have tested this against php5.3.5 with OpenSSL 1.0.0c (arch linux) vs an
older server running php5.2.14 with OpenSSL 0.9.8e (centos linux).



Test script:
---------------
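<?php
// Key generation and export options; 'encrypt_key' requests an encrypted export.
$opts = array('config'=>'openssl.cnf',
              'encrypt_key'=>true,
              'private_key_type'=>OPENSSL_KEYTYPE_RSA,
              'digest_alg'=>'sha256',
              'private_key_bits'=>2048,
              'x509_extensions'=>'usr_cert');

$handle = openssl_pkey_new($opts);

// Export into $privatekey, using sha1() of the client address as the passphrase.
openssl_pkey_export($handle, $privatekey, sha1($_SERVER['REMOTE_ADDR']), $opts);

echo $privatekey;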



Expected result:
----------------
CentOS example output

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,C93B386451093918

-----END RSA PRIVATE KEY-----

Actual result:
--------------
Arch linux sample output

-----BEGIN ENCRYPTED PRIVATE KEY-----

-----END ENCRYPTED PRIVATE KEY-----



-- 
Edit bug report at http://bugs.php.net/bug.php?id=53850&edit=1
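
One way to check how an exported PEM key is protected, covering both output formats shown in the report (added example, not part of the original report or of PHP's own code). `pem_key_protection()` is a hypothetical helper; the passphrases and the legacy sample are constructed, and key generation assumes the openssl extension can find a default openssl.cnf.

```php
<?php
// Added example: classify PEM private-key protection from the armor label and
// RFC 1421 headers, then confirm the behaviour with a wrong passphrase.

function pem_key_protection(string $pem): string
{
    if (!preg_match('/-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----/s', $pem, $m)) {
        return 'not-pem';
    }
    [, $label, $body] = $m;
    if ($label === 'ENCRYPTED PRIVATE KEY') {
        return 'pkcs8-encrypted';       // PKCS#8 EncryptedPrivateKeyInfo
    }
    if ($label === 'PRIVATE KEY') {
        return 'pkcs8-plaintext';       // PKCS#8 PrivateKeyInfo, no encryption
    }
    if (preg_match('/^(RSA|DSA|EC) PRIVATE KEY$/', $label)) {
        // Traditional format: encryption is signalled by RFC 1421 headers.
        return preg_match('/^Proc-Type:\s*4,ENCRYPTED\s*$/m', $body)
            ? 'traditional-encrypted'
            : 'traditional-plaintext';
    }
    return 'unknown';
}

// Constructed sample: traditional-style armor and headers with a placeholder body.
$legacy = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        . "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nAAAA\n-----END RSA PRIVATE KEY-----\n";
echo 'legacy armor:      ', pem_key_protection($legacy), "\n";

// Throwaway key generated here, exported with and without a passphrase.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
if ($key === false) {
    exit('openssl_pkey_new failed: ' . openssl_error_string() . "\n");
}
openssl_pkey_export($key, $protected, 'constructed-passphrase');
openssl_pkey_export($key, $plain);

foreach (['with passphrase' => $protected, 'without passphrase' => $plain] as $name => $pem) {
    // A protected key must refuse to load when the passphrase is wrong;
    // an unprotected key ignores the passphrase and loads anyway.
    $loads = openssl_pkey_get_private($pem, 'wrong-passphrase') !== false;
    printf("%-18s %-16s loads with wrong passphrase: %s\n",
        $name, pem_key_protection($pem), $loads ? 'yes' : 'no');
}
```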