openssl_dh_compute_key
(PHP 5 >= 5.3.0, PHP 7, PHP 8)
openssl_dh_compute_key — Computes shared secret for public value of remote DH public key and local DH key
Description
$public_key, #[\SensitiveParameter] OpenSSLAsymmetricKey $private_key): string|falseThe shared secret returned by openssl_dh_compute_key() is often used as an encryption key to secretly communicate with a remote party. This is known as the Diffie-Hellman key exchange.
It is important to use the same DH parameters for remote and local key pairs; otherwise, the generated secret between the two parties will not match.
Note: ECDH is only supported as of PHP 8.1.0 and OpenSSL 3.0.0.
Parameters
public_keyDH Public key of the remote party.
private_keyA local DH private key, corresponding to the public key to be shared with the remote party.
Return Values
Returns shared secret on success or false on failure.
Changelog
| Version | Description |
|---|---|
| 8.0.0 | private_key accepts an OpenSSLAsymmetricKey now; previously, a resource of type OpenSSL key was accepted. |
Examples
Example #1 Compute a shared secret
First generate a public/private DH keypair locally, and have the remote party do the same. We need to use the openssl command-line utility.
# generate private/public key keypair openssl dhparam -out dhparam.pem 2048 openssl genpkey -paramfile dhparam.pem -out privatekey.pem # extract public key only openssl pkey -in privatekey.pem -pubout -out publickey.pem
Next, send your public key to the remote party. Use the openssl pkey command to view the public key you will be sent from the remote party.
openssl pkey -pubin -in remotepublickey.pem -text -noout
The above example will output something similar to:
PKCS#3 DH Public-Key: (2048 bit)
public-key:
67:e5:e5:fa:e0:7b:0f:96:2c:dc:96:44:5f:50:02:
9e:8d:c2:6c:04:68:b0:d1:1d:75:66:fc:63:f5:e3:
42:30:b8:96:c1:45:cc:08:60:b4:21:3b:dd:ee:66:
88:db:77:d9:1e:11:89:d4:5c:f2:7a:f2:f1:fe:1c:
77:9d:6f:13:b8:b2:56:00:ef:cb:3b:60:79:74:02:
98:f5:f9:8e:3e:b5:62:08:de:ca:8c:c3:40:4a:80:
79:d5:43:06:17:a8:19:56:af:cc:95:5e:e2:32:2d:
d2:14:7b:76:5a:9a:f1:3c:76:76:35:cc:7b:c1:a5:
f4:39:e5:b6:ca:71:3f:7c:3f:97:e5:ab:86:c1:cd:
0e:e6:ee:04:c9:e6:2d:80:7e:59:c0:49:eb:b6:64:
4f:a8:f9:bb:a3:87:b3:3d:76:01:9e:2b:16:94:a4:
37:30:fb:35:e2:63:be:23:90:b9:ef:3f:46:46:04:
94:8f:60:79:7a:51:55:d6:1a:1d:f5:d9:7f:4a:3e:
aa:ac:b0:d0:82:cc:c2:e0:94:e0:54:c1:17:83:0b:
74:08:4d:5a:79:ae:ff:7f:1c:04:ab:23:39:4a:ae:
87:83:55:43:ab:7a:7c:04:9d:20:80:bb:af:5f:16:
a3:e3:20:b9:21:47:8c:f8:7f:a8:60:80:9e:61:77:
36
[...abbreviated...]Use this public key as a parameter to openssl_dh_compute_key() in order to compute the shared secret.
<?php
$remote_public_key = '67e5e5fae07b0f962cdc96445f50029e8dc26c0468b0d11d7566fc63f5e34230b896c145cc0860b4213bddee6688db77d91e1189d45cf27af2f1fe1c779d6f13b8b25600efcb3b6079740298f5f98e3eb56208deca8cc3404a8079d5430617a81956afcc955ee2322dd2147b765a9af13c767635cc7bc1a5f439e5b6ca713f7c3f97e5ab86c1cd0ee6ee04c9e62d807e59c049ebb6644fa8f9bba387b33d76019e2b1694a43730fb35e263be2390b9ef3f464604948f60797a5155d61a1df5d97f4a3eaaacb0d082ccc2e094e054c117830b74084d5a79aeff7f1c04ab23394aae87835543ab7a7c049d2080bbaf5f16a3e320b921478cf87fa860809e617736';
$local_priv_key = openssl_pkey_get_private('file://privatekey.pem');
$shared_secret = openssl_dh_compute_key(hex2bin($remote_public_key), $local_priv_key);
echo bin2hex($shared_secret)."\n";
?>Example #2 Generate a DH public/private keypair in php
First, generate the DH prime number
openssl dhparam -out dhparam.pem 2048 openssl dh -in dhparam.pem -noout -text
The above example will output something similar to:
PKCS#3 DH Parameters: (2048 bit)
prime:
00:a3:25:1e:73:3f:44:b9:2b:ee:f4:9d:9f:37:6a:
4b:fd:1d:bd:f4:af:da:c8:10:77:59:41:c6:5f:73:
d2:88:29:39:cd:1c:5f:c3:9f:0f:22:d2:9c:20:c1:
e4:c0:18:03:b8:b6:d8:da:ad:3b:39:a6:da:8e:fe:
12:30:e9:03:5d:22:ba:ef:18:d2:7b:69:f9:5b:cb:
78:c6:0c:8c:6b:f2:49:92:c2:49:e0:45:77:72:b3:
55:36:30:f2:40:17:89:18:50:03:fa:2d:54:7a:7f:
34:4c:73:32:b6:88:14:51:14:be:80:57:95:e6:a3:
f6:51:ff:17:47:4f:15:d6:0e:6c:47:53:72:2c:2a:
4c:21:cb:7d:f3:49:97:c9:47:5e:40:33:7b:99:52:
7e:7a:f3:52:27:80:de:1b:26:6b:40:bb:14:11:0b:
fb:e6:d8:2f:cf:a0:06:2f:96:b9:1c:0b:b4:cb:d3:
a6:62:9c:48:67:f6:81:f2:c6:ff:45:03:0a:9d:67:
9d:ce:27:d9:6b:48:5d:ca:fb:c2:5d:84:9b:8b:cb:
40:c7:a4:0c:8a:6e:f4:ab:ba:b6:10:c3:b8:25:4d:
cf:60:96:f4:db:e8:00:1c:58:47:7a:fb:51:86:d1:
22:d7:4e:94:31:7a:d5:da:3d:53:de:da:bb:64:8d:
62:6b
generator: 2 (0x2)Prime and generator values ares passed as p and g into openssl_pkey_new()
<?php
$configargs = array();
$configargs['p'] = hex2bin('00a3251e733f44b92beef49d9f376a4bfd1dbdf4afdac810775941c65f73d2882939cd1c5fc39f0f22d29c20c1e4c01803b8b6d8daad3b39a6da8efe1230e9035d22baef18d27b69f95bcb78c60c8c6bf24992c249e0457772b3553630f2401789185003fa2d547a7f344c7332b688145114be805795e6a3f651ff17474f15d60e6c4753722c2a4c21cb7df34997c9475e40337b99527e7af3522780de1b266b40bb14110bfbe6d82fcfa0062f96b91c0bb4cbd3a6629c4867f681f2c6ff45030a9d679dce27d96b485dcafbc25d849b8bcb40c7a40c8a6ef4abbab610c3b8254dcf6096f4dbe8001c58477afb5186d122d74e94317ad5da3d53dedabb648d626b');
$configargs['g'] = hex2bin('02');
$private_key = openssl_pkey_new(array('dh' => $configargs));
openssl_pkey_export_to_file($private_key,'privatekey.pem',$passphrase='y0urp@s5phr@se');
$details = openssl_pkey_get_details($private_key);
$local_pub_key = $details['dh']['pub_key'];
echo bin2hex($local_pub_key)."\n";//you can send your public key to the remote party
$details = openssl_pkey_get_details(openssl_pkey_get_public("file://remotepublickey.pem"));
$remote_public_key = $details['dh']['pub_key'];
$shared_secret = openssl_dh_compute_key($remote_public_key, $private_key);
echo bin2hex($shared_secret)."\n";
?>See Also
- openssl_pkey_new() - Generates a new private key
- openssl_pkey_get_details() - Returns an array with the key details
- openssl_pkey_get_private() - Get a private key
- openssl_pkey_get_public() - Extract public key from certificate and prepare it for use