加密解密 on Yison's Bloghttps://blog.7ys.top/tags/%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86/Recent content in 加密解密 on Yison's BlogHugo -- gohugo.iozh-CNWed, 25 Jul 2018 00:00:00 +0000PHP的OpenSSL加密扩展使用小结https://blog.7ys.top/posts/php%E7%9A%84openssl%E5%8A%A0%E5%AF%86%E6%89%A9%E5%B1%95%E4%BD%BF%E7%94%A8%E5%B0%8F%E7%BB%93/Wed, 25 Jul 2018 00:00:00 +0000https://blog.7ys.top/posts/php%E7%9A%84openssl%E5%8A%A0%E5%AF%86%E6%89%A9%E5%B1%95%E4%BD%BF%E7%94%A8%E5%B0%8F%E7%BB%93/<img src="https://blog.7ys.top/" alt="Featured image of post PHP的OpenSSL加密扩展使用小结" /> <blockquote> <p>互联网的发展史上,安全性一直是开发者们相当重视的主题。为了实现数据传输安全,我们需要保证:数据来源(防伪造)、数据完整性(防篡改)、数据私密性(防窃听)。</p> </blockquote> <h2 id="加密基础">加密基础 </h2><h3 id="加密算法分类">加密算法分类 </h3><pre tabindex="0"><code>┌─────────────────────────────────────────────────────────────┐ │ 加密算法分类 │ ├─────────────────────────────────────────────────────────────┤ │ │ │ ┌─────────────────┐ ┌─────────────────┐ │ │ │ 对称加密 │ │ 非对称加密 │ │ │ ├─────────────────┤ ├─────────────────┤ │ │ │ • DES │ │ • RSA │ │ │ │ • AES │ │ • DSA │ │ │ │ • 3DES │ │ • ECC │ │ │ │ • Blowfish │ │ • DH │ │ │ └─────────────────┘ └─────────────────┘ │ │ │ │ ┌─────────────────────────────────────────────────┐ │ │ │ 数字签名 │ │ │ ├─────────────────────────────────────────────────┤ │ │ │ • MD5 (已不安全) • SHA-1 (已不安全) │ │ │ │ • SHA-256 • SHA-512 • HMAC │ │ │ └─────────────────────────────────────────────────┘ │ │ │ └─────────────────────────────────────────────────────────────┘ </code></pre><h3 id="对称加密">对称加密 </h3><p><strong>特点</strong>:</p> <ul> <li>加密和解密使用同一密钥</li> <li>速度快,适合大量数据</li> <li>加密前后文件大小变化不大</li> <li>密钥管理是难题</li> </ul> <p><strong>常见算法</strong>:DES、AES、3DES、Blowfish</p> <h3 id="非对称加密">非对称加密 </h3><p><strong>特点</strong>:</p> <ul> <li>使用公钥和私钥一对密钥</li> <li>公钥加密,私钥解密(或反之)</li> <li>计算量大,速度慢</li> <li>适合密钥交换和数字签名</li> </ul> <p><strong>常见算法</strong>:RSA、DSA、ECC</p> <h3 id="数字签名">数字签名 </h3><p><strong>特点</strong>:</p> <ul> <li>无论原始数据多大,输出长度固定</li> <li>输入相同,输出相同</li> <li>微小改变导致输出巨大变化</li> <li>不可逆,无法从哈希值恢复原始数据</li> </ul> <p><strong>常见算法</strong>:MD5、SHA-1、SHA-256、HMAC</p> <h2 id="php-openssl-扩展">PHP OpenSSL 扩展 </h2><h3 id="安装检查">安装检查 </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-php" data-lang="php"><span style="display:flex;"><span><span style="color:#f92672">&lt;?</span><span style="color:#a6e22e">php</span> </span></span><span style="display:flex;"><span><span style="color:#75715e">// 检查 OpenSSL 扩展是否启用 </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">extension_loaded</span>(<span style="color:#e6db74">&#39;openssl&#39;</span>)) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">echo</span> <span style="color:#e6db74">&#34;OpenSSL 已启用&#34;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// 查看支持的加密算法 </span></span></span><span style="display:flex;"><span> <span style="color:#a6e22e">print_r</span>(<span style="color:#a6e22e">openssl_get_cipher_methods</span>()); </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">print_r</span>(<span style="color:#a6e22e">openssl_get_md_methods</span>()); </span></span><span style="display:flex;"><span>} <span style="color:#66d9ef">else</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">echo</span> <span style="color:#e6db74">&#34;OpenSSL 未启用&#34;</span>; </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h2 id="对称加密-1">对称加密 </h2><h3 id="aes-加密">AES 加密 </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-php" data-lang="php"><span style="display:flex;"><span><span style="color:#f92672">&lt;?</span><span style="color:#a6e22e">php</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#e6db74">/** </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * AES-256-CBC 加密 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @param string $data 待加密数据 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @param string $key 密钥(32字节) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @param string $iv 初始化向量(16字节) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @return string 加密后的数据(base64编码) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> */</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">function</span> <span style="color:#a6e22e">aes_encrypt</span>(<span style="color:#a6e22e">string</span> $data, <span style="color:#a6e22e">string</span> $key, <span style="color:#a6e22e">string</span> $iv <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;&#39;</span>)<span style="color:#f92672">:</span> <span style="color:#a6e22e">string</span> </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#75715e">// 密钥必须是 32 字节(AES-256) </span></span></span><span style="display:flex;"><span> $key <span style="color:#f92672">=</span> <span style="color:#a6e22e">hash</span>(<span style="color:#e6db74">&#39;sha256&#39;</span>, $key, <span style="color:#66d9ef">true</span>); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// IV 必须是 16 字节(AES 块大小) </span></span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">strlen</span>($iv) <span style="color:#f92672">!==</span> <span style="color:#ae81ff">16</span>) { </span></span><span style="display:flex;"><span> $iv <span style="color:#f92672">=</span> <span style="color:#a6e22e">openssl_random_pseudo_bytes</span>(<span style="color:#ae81ff">16</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $encrypted <span style="color:#f92672">=</span> <span style="color:#a6e22e">openssl_encrypt</span>( </span></span><span style="display:flex;"><span> $data, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;AES-256-CBC&#39;</span>, </span></span><span style="display:flex;"><span> $key, </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">OPENSSL_RAW_DATA</span>, <span style="color:#75715e">// 返回原始数据 </span></span></span><span style="display:flex;"><span> $iv </span></span><span style="display:flex;"><span> ); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// 返回 IV + 密文(便于解密) </span></span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#a6e22e">base64_encode</span>($iv <span style="color:#f92672">.</span> $encrypted); </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#e6db74">/** </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * AES-256-CBC 解密 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @param string $encrypted 加密数据(base64编码) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @param string $key 密钥 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @return string 解密后的数据 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> */</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">function</span> <span style="color:#a6e22e">aes_decrypt</span>(<span style="color:#a6e22e">string</span> $encrypted, <span style="color:#a6e22e">string</span> $key)<span style="color:#f92672">:</span> <span style="color:#a6e22e">string</span> </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> $key <span style="color:#f92672">=</span> <span style="color:#a6e22e">hash</span>(<span style="color:#e6db74">&#39;sha256&#39;</span>, $key, <span style="color:#66d9ef">true</span>); </span></span><span style="display:flex;"><span> $data <span style="color:#f92672">=</span> <span style="color:#a6e22e">base64_decode</span>($encrypted); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// 提取 IV(前 16 字节) </span></span></span><span style="display:flex;"><span> $iv <span style="color:#f92672">=</span> <span style="color:#a6e22e">substr</span>($data, <span style="color:#ae81ff">0</span>, <span style="color:#ae81ff">16</span>); </span></span><span style="display:flex;"><span> $ciphertext <span style="color:#f92672">=</span> <span style="color:#a6e22e">substr</span>($data, <span style="color:#ae81ff">16</span>); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#a6e22e">openssl_decrypt</span>( </span></span><span style="display:flex;"><span> $ciphertext, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;AES-256-CBC&#39;</span>, </span></span><span style="display:flex;"><span> $key, </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">OPENSSL_RAW_DATA</span>, </span></span><span style="display:flex;"><span> $iv </span></span><span style="display:flex;"><span> ); </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">// 使用示例 </span></span></span><span style="display:flex;"><span>$key <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;your-secret-key-here&#39;</span>; </span></span><span style="display:flex;"><span>$data <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;Hello, World! 你好世界!&#39;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$encrypted <span style="color:#f92672">=</span> <span style="color:#a6e22e">aes_encrypt</span>($data, $key); </span></span><span style="display:flex;"><span><span style="color:#66d9ef">echo</span> <span style="color:#e6db74">&#34;加密后: &#34;</span> <span style="color:#f92672">.</span> $encrypted <span style="color:#f92672">.</span> <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$decrypted <span style="color:#f92672">=</span> <span style="color:#a6e22e">aes_decrypt</span>($encrypted, $key); </span></span><span style="display:flex;"><span><span style="color:#66d9ef">echo</span> <span style="color:#e6db74">&#34;解密后: &#34;</span> <span style="color:#f92672">.</span> $decrypted <span style="color:#f92672">.</span> <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span>; </span></span></code></pre></div><h3 id="其他对称加密算法">其他对称加密算法 </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-php" data-lang="php"><span style="display:flex;"><span><span style="color:#f92672">&lt;?</span><span style="color:#a6e22e">php</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$key <span style="color:#f92672">=</span> <span style="color:#a6e22e">hash</span>(<span style="color:#e6db74">&#39;sha256&#39;</span>, <span style="color:#e6db74">&#39;password&#39;</span>, <span style="color:#66d9ef">true</span>); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">// AES-128-CBC(密钥 16 字节) </span></span></span><span style="display:flex;"><span>$encrypted <span style="color:#f92672">=</span> <span style="color:#a6e22e">openssl_encrypt</span>($data, <span style="color:#e6db74">&#39;AES-128-CBC&#39;</span>, $key, <span style="color:#a6e22e">OPENSSL_RAW_DATA</span>, $iv); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">// AES-128-ECB(无需 IV,但不安全) </span></span></span><span style="display:flex;"><span>$encrypted <span style="color:#f92672">=</span> <span style="color:#a6e22e">openssl_encrypt</span>($data, <span style="color:#e6db74">&#39;AES-128-ECB&#39;</span>, $key); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">// DES(不安全,不推荐) </span></span></span><span style="display:flex;"><span>$encrypted <span style="color:#f92672">=</span> <span style="color:#a6e22e">openssl_encrypt</span>($data, <span style="color:#e6db74">&#39;DES-ECB&#39;</span>, $key); </span></span></code></pre></div><h2 id="非对称加密-1">非对称加密 </h2><h3 id="生成-rsa-密钥对">生成 RSA 密钥对 </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-php" data-lang="php"><span style="display:flex;"><span><span style="color:#f92672">&lt;?</span><span style="color:#a6e22e">php</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#e6db74">/** </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * 生成 RSA 密钥对 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @param int $bits 密钥位数(推荐 2048 或 4096) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @return array [&#39;private_key&#39; =&gt; string, &#39;public_key&#39; =&gt; string] </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> */</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">function</span> <span style="color:#a6e22e">generate_rsa_keypair</span>(<span style="color:#a6e22e">int</span> $bits <span style="color:#f92672">=</span> <span style="color:#ae81ff">2048</span>)<span style="color:#f92672">:</span> <span style="color:#66d9ef">array</span> </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> $config <span style="color:#f92672">=</span> [ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;private_key_bits&#39;</span> <span style="color:#f92672">=&gt;</span> $bits, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;private_key_type&#39;</span> <span style="color:#f92672">=&gt;</span> <span style="color:#a6e22e">OPENSSL_KEYTYPE_RSA</span>, </span></span><span style="display:flex;"><span> ]; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// 生成密钥对 </span></span></span><span style="display:flex;"><span> $keyPair <span style="color:#f92672">=</span> <span style="color:#a6e22e">openssl_pkey_new</span>($config); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// 导出私钥 </span></span></span><span style="display:flex;"><span> <span style="color:#a6e22e">openssl_pkey_export</span>($keyPair, $privateKey); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// 导出公钥 </span></span></span><span style="display:flex;"><span> $publicKeyDetails <span style="color:#f92672">=</span> <span style="color:#a6e22e">openssl_pkey_get_details</span>($keyPair); </span></span><span style="display:flex;"><span> $publicKey <span style="color:#f92672">=</span> $publicKeyDetails[<span style="color:#e6db74">&#39;key&#39;</span>]; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> [ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;private_key&#39;</span> <span style="color:#f92672">=&gt;</span> $privateKey, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;public_key&#39;</span> <span style="color:#f92672">=&gt;</span> $publicKey, </span></span><span style="display:flex;"><span> ]; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">// 生成密钥对 </span></span></span><span style="display:flex;"><span>$keyPair <span style="color:#f92672">=</span> <span style="color:#a6e22e">generate_rsa_keypair</span>(<span style="color:#ae81ff">2048</span>); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">echo</span> <span style="color:#e6db74">&#34;私钥:</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">.</span> $keyPair[<span style="color:#e6db74">&#39;private_key&#39;</span>] <span style="color:#f92672">.</span> <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n\n</span><span style="color:#e6db74">&#34;</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">echo</span> <span style="color:#e6db74">&#34;公钥:</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">.</span> $keyPair[<span style="color:#e6db74">&#39;public_key&#39;</span>] <span style="color:#f92672">.</span> <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">// 保存到文件 </span></span></span><span style="display:flex;"><span><span style="color:#a6e22e">file_put_contents</span>(<span style="color:#e6db74">&#39;private.key&#39;</span>, $keyPair[<span style="color:#e6db74">&#39;private_key&#39;</span>]); </span></span><span style="display:flex;"><span><span style="color:#a6e22e">file_put_contents</span>(<span style="color:#e6db74">&#39;public.key&#39;</span>, $keyPair[<span style="color:#e6db74">&#39;public_key&#39;</span>]); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">// 设置权限(Linux) </span></span></span><span style="display:flex;"><span><span style="color:#a6e22e">chmod</span>(<span style="color:#e6db74">&#39;private.key&#39;</span>, <span style="color:#ae81ff">0600</span>); </span></span></code></pre></div><h3 id="rsa-加密解密">RSA 加密解密 </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-php" data-lang="php"><span style="display:flex;"><span><span style="color:#f92672">&lt;?</span><span style="color:#a6e22e">php</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#e6db74">/** </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * RSA 加密(使用公钥) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @param string $data 待加密数据 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @param string $publicKey 公钥 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @return string 加密后的数据(base64编码) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> */</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">function</span> <span style="color:#a6e22e">rsa_encrypt</span>(<span style="color:#a6e22e">string</span> $data, <span style="color:#a6e22e">string</span> $publicKey)<span style="color:#f92672">:</span> <span style="color:#a6e22e">string</span> </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> $publicKey <span style="color:#f92672">=</span> <span style="color:#a6e22e">openssl_pkey_get_public</span>($publicKey); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">openssl_public_encrypt</span>($data, $encrypted, $publicKey); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#a6e22e">base64_encode</span>($encrypted); </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#e6db74">/** </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * RSA 解密(使用私钥) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @param string $encrypted 加密数据(base64编码) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @param string $privateKey 私钥 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @return string 解密后的数据 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> */</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">function</span> <span style="color:#a6e22e">rsa_decrypt</span>(<span style="color:#a6e22e">string</span> $encrypted, <span style="color:#a6e22e">string</span> $privateKey)<span style="color:#f92672">:</span> <span style="color:#a6e22e">string</span> </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> $privateKey <span style="color:#f92672">=</span> <span style="color:#a6e22e">openssl_pkey_get_private</span>($privateKey); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $data <span style="color:#f92672">=</span> <span style="color:#a6e22e">base64_decode</span>($encrypted); </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">openssl_private_decrypt</span>($data, $decrypted, $privateKey); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> $decrypted; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">// 使用示例 </span></span></span><span style="display:flex;"><span>$keyPair <span style="color:#f92672">=</span> <span style="color:#a6e22e">generate_rsa_keypair</span>(); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$data <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;Hello, RSA!&#39;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$encrypted <span style="color:#f92672">=</span> <span style="color:#a6e22e">rsa_encrypt</span>($data, $keyPair[<span style="color:#e6db74">&#39;public_key&#39;</span>]); </span></span><span style="display:flex;"><span><span style="color:#66d9ef">echo</span> <span style="color:#e6db74">&#34;加密后: &#34;</span> <span style="color:#f92672">.</span> $encrypted <span style="color:#f92672">.</span> <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>$decrypted <span style="color:#f92672">=</span> <span style="color:#a6e22e">rsa_decrypt</span>($encrypted, $keyPair[<span style="color:#e6db74">&#39;private_key&#39;</span>]); </span></span><span style="display:flex;"><span><span style="color:#66d9ef">echo</span> <span style="color:#e6db74">&#34;解密后: &#34;</span> <span style="color:#f92672">.</span> $decrypted <span style="color:#f92672">.</span> <span style="color:#e6db74">&#34;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span>; </span></span></code></pre></div> <blockquote> <p>⚠️ <strong>限制</strong>:RSA 加密的数据长度有限制(密钥位数 / 8 - 11 字节)</p> </blockquote> <h3 id="分块加密大文件">分块加密大文件 </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-php" data-lang="php"><span style="display:flex;"><span><span style="color:#f92672">&lt;?</span><span style="color:#a6e22e">php</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#e6db74">/** </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * RSA 分块加密(用于大数据) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @param string $data 待加密数据 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @param string $publicKey 公钥 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @return string 加密后的数据(base64编码) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> */</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">function</span> <span style="color:#a6e22e">rsa_encrypt_large</span>(<span style="color:#a6e22e">string</span> $data, <span style="color:#a6e22e">string</span> $publicKey)<span style="color:#f92672">:</span> <span style="color:#a6e22e">string</span> </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> $res <span style="color:#f92672">=</span> <span style="color:#a6e22e">openssl_pkey_get_public</span>($publicKey); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> ($res <span style="color:#f92672">===</span> <span style="color:#66d9ef">false</span>) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">throw</span> <span style="color:#66d9ef">new</span> <span style="color:#a6e22e">InvalidArgumentException</span>(<span style="color:#e6db74">&#39;Invalid public key&#39;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> $details <span style="color:#f92672">=</span> <span style="color:#a6e22e">openssl_pkey_get_details</span>($res); </span></span><span style="display:flex;"><span> $maxChunk <span style="color:#f92672">=</span> (<span style="color:#a6e22e">int</span>) ($details[<span style="color:#e6db74">&#39;bits&#39;</span>] <span style="color:#f92672">/</span> <span style="color:#ae81ff">8</span>) <span style="color:#f92672">-</span> <span style="color:#ae81ff">11</span>; <span style="color:#75715e">// PKCS#1 填充占用 11 字节 </span></span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> ($maxChunk <span style="color:#f92672">&lt;=</span> <span style="color:#ae81ff">0</span>) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">throw</span> <span style="color:#66d9ef">new</span> <span style="color:#a6e22e">RuntimeException</span>(<span style="color:#e6db74">&#39;Key size too small&#39;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $cipherRaw <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;&#39;</span>; </span></span><span style="display:flex;"><span> $len <span style="color:#f92672">=</span> <span style="color:#a6e22e">strlen</span>($data); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> ($i <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; $i <span style="color:#f92672">&lt;</span> $len; $i <span style="color:#f92672">+=</span> $maxChunk) { </span></span><span style="display:flex;"><span> $chunk <span style="color:#f92672">=</span> <span style="color:#a6e22e">substr</span>($data, $i, $maxChunk); </span></span><span style="display:flex;"><span> $out <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;&#39;</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span><span style="color:#a6e22e">openssl_public_encrypt</span>($chunk, $out, $res, <span style="color:#a6e22e">OPENSSL_PKCS1_PADDING</span>)) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">throw</span> <span style="color:#66d9ef">new</span> <span style="color:#a6e22e">RuntimeException</span>(<span style="color:#e6db74">&#39;openssl_public_encrypt failed&#39;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> $cipherRaw <span style="color:#f92672">.=</span> $out; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#a6e22e">base64_encode</span>($cipherRaw); </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#e6db74">/** </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * RSA 分块解密 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @param string $encrypted 公钥加密且经 base64 编码的密文 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @param string $privateKey 私钥 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> * @return string 原文 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> */</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">function</span> <span style="color:#a6e22e">rsa_decrypt_large</span>(<span style="color:#a6e22e">string</span> $encrypted, <span style="color:#a6e22e">string</span> $privateKey)<span style="color:#f92672">:</span> <span style="color:#a6e22e">string</span> </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> $res <span style="color:#f92672">=</span> <span style="color:#a6e22e">openssl_pkey_get_private</span>($privateKey); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> ($res <span style="color:#f92672">===</span> <span style="color:#66d9ef">false</span>) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">throw</span> <span style="color:#66d9ef">new</span> <span style="color:#a6e22e">InvalidArgumentException</span>(<span style="color:#e6db74">&#39;Invalid private key&#39;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> $details <span style="color:#f92672">=</span> <span style="color:#a6e22e">openssl_pkey_get_details</span>($res); </span></span><span style="display:flex;"><span> $block <span style="color:#f92672">=</span> (<span style="color:#a6e22e">int</span>) ($details[<span style="color:#e6db74">&#39;bits&#39;</span>] <span style="color:#f92672">/</span> <span style="color:#ae81ff">8</span>); </span></span><span style="display:flex;"><span> $raw <span style="color:#f92672">=</span> <span style="color:#a6e22e">base64_decode</span>($encrypted, <span style="color:#66d9ef">true</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> ($raw <span style="color:#f92672">===</span> <span style="color:#66d9ef">false</span>) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">throw</span> <span style="color:#66d9ef">new</span> <span style="color:#a6e22e">InvalidArgumentException</span>(<span style="color:#e6db74">&#39;Invalid base64 cipher&#39;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> $plain <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;&#39;</span>; </span></span><span style="display:flex;"><span> $len <span style="color:#f92672">=</span> <span style="color:#a6e22e">strlen</span>($raw); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">for</span> ($i <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; $i <span style="color:#f92672">&lt;</span> $len; $i <span style="color:#f92672">+=</span> $block) { </span></span><span style="display:flex;"><span> $chunk <span style="color:#f92672">=</span> <span style="color:#a6e22e">substr</span>($raw, $i, $block); </span></span><span style="display:flex;"><span> $out <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;&#39;</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span><span style="color:#a6e22e">openssl_private_decrypt</span>($chunk, $out, $res, <span style="color:#a6e22e">OPENSSL_PKCS1_PADDING</span>)) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">throw</span> <span style="color:#66d9ef">new</span> <span style="color:#a6e22e">RuntimeException</span>(<span style="color:#e6db74">&#39;openssl_private_decrypt failed&#39;</span>); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> $plain <span style="color:#f92672">.=</span> $out; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> $plain; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">/* </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> * 小结:超长明文请优先使用「RSA 协商对称密钥 + AES」的混合加密;本节分块 RSA 适用于必须纯 RSA 的场景, </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> * 实现时注意密钥位数与性能开销。 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> */</span> </span></span></code></pre></div>