PHP - Manual: openssl_pkey_new

2025-10-25

openssl_pkey_new

(PHP 4 >= 4.2.0, PHP 5, PHP 7, PHP 8)

openssl_pkey_new - Generates a new private key

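Description

openssl_pkey_new(?array $options = null): OpenSSLAsymmetricKey|false

openssl_pkey_new() generates a new private and public key pair. The example below shows how to obtain the public component of the key.

Note: A valid openssl.cnf must be installed for this function to operate correctly. See the installation notes for more information.

Parameters

options

The options parameter can be used to fine-tune key generation (for example, by specifying the number of bits or the parameters). These options can be algorithm-specific parameters used for key generation or, if those are not specified, the generic options also used in CSR generation. See openssl_csr_new() for more information about using options for a CSR. Among those options, only private_key_bits, private_key_type, curve_name and config are used for key generation. Algorithm-specific options are used if the associative array contains one of the specific keys below.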

  • The "rsa" key is used to set RSA parameters.

    Option        Type    Format                Required  Description
    "n"           string  binary number         yes       modulus
    "e"           string  binary number         no        public exponent
    "d"           string  binary number         yes       private exponent
    "p"           string  binary number         no        prime 1
    "q"           string  binary number         no        prime 2
    "dmp1"        string  binary number         no        exponent1, d mod (p-1)
    "dmq1"        string  binary number         no        exponent2, d mod (q-1)
    "iqmp"        string  binary number         no        coefficient, (inverse of q) mod p

  • The "dsa" key is used to set DSA parameters.

    Option        Type    Format                Required  Description
    "p"           string  binary number         no        prime number (public)
    "q"           string  binary number         no        160-bit subprime, q | p-1 (public)
    "g"           string  binary number         no        generator of subgroup (public)
    "priv_key"    string  PEM key               no        private key x
    "pub_key"     string  PEM key               no        public key y = g^x

  • The "dh" key is used for DH (Diffie-Hellman key exchange) parameters.

    Option        Type    Format                Required  Description
    "p"           string  binary number         no        prime number (shared)
    "g"           string  binary number         no        generator of Z_p (shared)
    "priv_key"    string  PEM key               no        private DH value x
    "pub_key"     string  PEM key               no        public DH value g^x

  • The "ec" key is used for elliptic curve parameters.

    Option        Type    Format                Required  Description
    "curve_name"  string  name                  no        name of curve, see openssl_get_curve_names()
    "p"           string  binary number         no        prime of the field for curve over Fp
    "a"           string  binary number         no        coefficient a of the curve for Fp: y^2 mod p = x^3 + ax + b mod p
    "b"           string  binary number         no        coefficient b of the curve for Fp: y^2 mod p = x^3 + ax + b mod p
    "seed"        string  binary number         no        optional random number seed used to generate the coefficient b
    "generator"   string  binary encoded point  no        curve generator point
    "g_x"         string  binary number         no        x coordinate of the curve generator point
    "g_y"         string  binary number         no        y coordinate of the curve generator point
    "cofactor"    string  binary number         no        curve cofactor
    "order"       string  binary number         no        curve order
    "x"           string  binary number         no        x coordinate (public)
    "y"           string  binary number         no        y coordinate (public)
    "d"           string  binary number         no        private key

  • The "x25519", "x448", "ed25519" and "ed448" keys are used for Curve25519 and Curve448 parameters.

    Option        Type    Format                Required  Description
    "priv_key"    string  PEM key               no        private key
    "pub_key"     string  PEM key               no        public key
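
The following is an added example, not code from the PHP manual: it passes private_key_type, private_key_bits and curve_name explicitly rather than inheriting them from openssl.cnf, reports the OpenSSL error queue when generation fails, and exports the private key encrypted under a passphrase. The helper generate_key() and the KEY_PASSPHRASE environment variable are assumptions made for the example; PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Added example (PHP 8.0+ assumed). generate_key() and KEY_PASSPHRASE are
// illustrative names, not part of the openssl extension.
function generate_key(array $options): OpenSSLAsymmetricKey
{
    while (openssl_error_string() !== false) {
        // Discard stale entries so the errors reported below belong to this call.
    }
    $key = openssl_pkey_new($options);
    if ($key === false) {
        $errors = [];
        while (($msg = openssl_error_string()) !== false) {
            $errors[] = $msg;
        }
        throw new RuntimeException('openssl_pkey_new failed: ' . implode('; ', $errors));
    }
    return $key;
}

// State the key type and size in code instead of relying on openssl.cnf defaults.
$keys = [
    'rsa' => generate_key(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 3072]),
    'ec'  => generate_key(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']),
];
foreach ($keys as $label => $key) {
    $details = openssl_pkey_get_details($key);
    printf("%s: %d bits, %d bytes of public PEM\n", $label, $details['bits'], strlen($details['key']));
}

// Export the private key encrypted. The passphrase is read from the environment,
// with a random fallback so the example runs stand-alone.
$passphrase = getenv('KEY_PASSPHRASE') ?: bin2hex(random_bytes(16));
$exportOptions = ['encrypt_key' => true, 'encrypt_key_cipher' => OPENSSL_CIPHER_AES_256_CBC];
if (!openssl_pkey_export($keys['ec'], $pem, $passphrase, $exportOptions)) {
    throw new RuntimeException('export failed: ' . openssl_error_string());
}

// The exported PEM loads again only with the correct passphrase.
var_dump(openssl_pkey_get_private($pem, $passphrase) !== false);
var_dump(openssl_pkey_get_private($pem, 'wrong passphrase') !== false);
```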

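Return Values

Returns an OpenSSLAsymmetricKey instance on success, or false on failure.

Changelog

Version  Description
8.4.0    Added the x25519, ed25519, x448 and ed448 fields, adding support for keys based on Curve25519 and Curve448.
8.3.0    Added support for generating EC keys with custom EC parameters. In particular, the following EC options were introduced: p, a, b, seed, generator, g_x, g_y, cofactor and order.
8.0.0    On success, this function now returns an OpenSSLAsymmetricKey instance; in earlier versions, a resource of type OpenSSL key was returned.
7.1.0    The curve_name key was added to the options parameter so that EC keys can be created based on elliptic curve algorithms.

Examples

Example #1 Obtain the public key from a private key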

<?php

$private_key = openssl_pkey_new();

$public_key_pem = openssl_pkey_get_details($private_key)['key'];
echo $public_key_pem, PHP_EOL;

$public_key = openssl_pkey_get_public($public_key_pem);
var_dump($public_key);

?>

The above example will output something similar to:

// Output prior to PHP 8.0.0; note, the function returns a resource
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwknBFEherZe74BiRjTFA
hqwZ1SK7brwq7C/afnLXKhRR7jnrpfM0ypC46q8xz5UZswenZakJ7kd5fls+r4Bv
3P8XsKYLTh2m1GiWQhV1g77cNIN4qNWh70PiDO3fB2446o1LBgToQYuRZS5YQRfJ
rVD0ysgtVcCU9tjaey28HlgApOpYFTaaKPj2MBmEYpMC+kG2HhL12GfpHUi2eiXI
dXT2WskWHWvUrmQ7fJIfI92JlDokV62DH/q1oiedLs9OPNb0rL1aAmYdzaVN6XNH
x/o4Lh125v2vAPV9E3fZCDc/HDEUaahpjanMiCQEgEDp5Hr+CRkvERT5/ydN+p08
5wIDAQAB
-----END PUBLIC KEY-----

resource(6) of type (OpenSSL key)

// Output as of PHP 8.0.0; note, the function returns an object
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwknBFEherZe74BiRjTFA
hqwZ1SK7brwq7C/afnLXKhRR7jnrpfM0ypC46q8xz5UZswenZakJ7kd5fls+r4Bv
3P8XsKYLTh2m1GiWQhV1g77cNIN4qNWh70PiDO3fB2446o1LBgToQYuRZS5YQRfJ
rVD0ysgtVcCU9tjaey28HlgApOpYFTaaKPj2MBmEYpMC+kG2HhL12GfpHUi2eiXI
dXT2WskWHWvUrmQ7fJIfI92JlDokV62DH/q1oiedLs9OPNb0rL1aAmYdzaVN6XNH
x/o4Lh125v2vAPV9E3fZCDc/HDEUaahpjanMiCQEgEDp5Hr+CRkvERT5/ydN+p08
5wIDAQAB
-----END PUBLIC KEY-----

object(OpenSSLAsymmetricKey)#2 (0) {
}

User Contributed Notes 8 notes

up
49
dirt at awoms dot com
11 years ago
Working example:

$config = array(
"digest_alg" => "sha512",
"private_key_bits" => 4096,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
);

// Create the private and public key
$res = openssl_pkey_new($config);

// Extract the private key from $res to $privKey
openssl_pkey_export($res, $privKey);

// Extract the public key from $res to $pubKey
$pubKey = openssl_pkey_get_details($res);
$pubKey = $pubKey["key"];

$data = 'plaintext data goes here';

// Encrypt the data to $encrypted using the public key
openssl_public_encrypt($data, $encrypted, $pubKey);

// Decrypt the data using the private key and store the results in $decrypted
openssl_private_decrypt($encrypted, $decrypted, $privKey);

echo $decrypted;
up
18
gomez dot alejandre at gmail dot com
6 years ago
Don't forget the $configArgs for Windows users :D, or the method throws an error with the primary key

//write your configurations :D
$configargs = array(
"config" => "C:/xampp/php/extras/openssl/openssl.cnf",
'private_key_bits'=> 2048,
'default_md' => "sha256",
);

// Create the keypair
$res=openssl_pkey_new($configargs);
// Get private key
openssl_pkey_export($res, $privKey,NULL,$configargs);

and it's for all methods ._ .

a full implementation example here.

https://gist.github.com/DuckHunter213/269a0efd17e709f7f1f177ae7da46ad1

this error took me 3 full days, you're welcome :)
up
12
scott at brynen dot com
10 years ago
If you try and generate a new key using openssl_pkey_new(), and need to specify the size of the key, the key MUST be type-bound to integer

// works
$keysize = 1024;
$ssl = openssl_pkey_new (array('private_key_bits' => $keysize));

// fails
$keysize = "1024";
$ssl = openssl_pkey_new (array('private_key_bits' => $keysize));

// works (force to int)
$keysize = "1024";
$ssl = openssl_pkey_new (array('private_key_bits' => (int)$keysize));
up
3
Andrew
3 years ago
It's not documented here but you can also create ECC keys from existing key parameters (e.g. from JWK):

<?php
$key = openssl_pkey_new([
    'ec' => [
        'curve_name' => 'prime256v1',
        'x' => $someXValue,
        'y' => $someYValue,
        'd' => $someDValue
    ]
]);
?>

You can just provide x/y if it's a public key, or you can just provide d if it's a private key.
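
The import described in the note above, shown as an added example that is not part of the note or of the PHP manual: a P-256 public key is rebuilt from the x and y members of a JWK and then used to verify a signature. The helper names are assumptions made for the example, the JWK is constructed from a freshly generated key so the code runs offline, and PHP 8.0 or later with a working openssl.cnf is assumed.

```php
<?php
declare(strict_types=1);

// Added example (PHP 8.0+ assumed); helper names are illustrative.
function b64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $text): string
{
    $padded = str_pad($text, strlen($text) + (4 - strlen($text) % 4) % 4, '=');
    $bin = base64_decode(strtr($padded, '-_', '+/'), true);
    if ($bin === false) {
        throw new InvalidArgumentException('invalid base64url value');
    }
    return $bin;
}

function jwk_to_public_key(array $jwk): OpenSSLAsymmetricKey
{
    if (($jwk['kty'] ?? '') !== 'EC' || ($jwk['crv'] ?? '') !== 'P-256') {
        throw new InvalidArgumentException('only EC P-256 JWKs are handled here');
    }
    $x = b64url_decode($jwk['x'] ?? '');
    $y = b64url_decode($jwk['y'] ?? '');
    if (strlen($x) !== 32 || strlen($y) !== 32) {
        throw new InvalidArgumentException('P-256 coordinates must be 32 bytes each');
    }
    // Only x and y are passed, so the result carries no private component.
    $key = openssl_pkey_new(['ec' => ['curve_name' => 'prime256v1', 'x' => $x, 'y' => $y]]);
    if ($key === false) {
        throw new RuntimeException('public key rejected: ' . openssl_error_string());
    }
    return $key;
}

// Constructed sample: a freshly generated key stands in for a peer's JWK.
$priv = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
$ec = openssl_pkey_get_details($priv)['ec'];
// OpenSSL returns minimal-length integers; a JWK carries fixed-width coordinates.
$jwk = [
    'kty' => 'EC', 'crv' => 'P-256',
    'x' => b64url_encode(str_pad($ec['x'], 32, "\0", STR_PAD_LEFT)),
    'y' => b64url_encode(str_pad($ec['y'], 32, "\0", STR_PAD_LEFT)),
];
$pub = jwk_to_public_key($jwk);
openssl_sign('constructed message', $signature, $priv, OPENSSL_ALGO_SHA256);
var_dump(openssl_verify('constructed message', $signature, $pub, OPENSSL_ALGO_SHA256) === 1);
```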
up
5
Brad
16 years ago
It's easier than all that, if you just want the keys:

<?php
// Create the keypair
$res=openssl_pkey_new();

// Get private key
openssl_pkey_export($res, $privkey);

// Get public key
$pubkey=openssl_pkey_get_details($res);
$pubkey=$pubkey["key"];
?>
up
1
Eno_CN at qq dot com
1 month ago
Some examples for generating EC keypair

EC - generate keypair with curve_name

<?php
/*
* Custom parameters x, y, and d are not supported with SM2 in OpenSSL 3.x.
* Directly creating EVP_PKEY_CTX using EVP_PKEY_CTX_new_from_name(NULL, "SM2", NULL)
* will result in generating incorrect private keys (which cannot be correctly recognized
* by existing external applications based on the SM2 algorithm).
*/
$curve_name = 'SM2';
$pkey = openssl_pkey_new(array(
'ec'=> array(
'curve_name' => $curve_name,
)
));

$details = openssl_pkey_get_details($pkey);
var_dump($details);
$pubkey = $details['key'];
openssl_pkey_export($pkey, $prikey);
echo 'Private Key:', PHP_EOL, $prikey, PHP_EOL;
echo 'Public Key:', PHP_EOL, $pubkey, PHP_EOL;
?>

EC - generate keypair with custom params (OSCCA WAPIP192v1 Elliptic curve)

<?php
$d = hex2bin('8D0AC65AAEA0D6B96254C65817D4A143A9E7A03876F1A37D'); // private key binary
$x = hex2bin('98E07AAD50C31F9189EBE6B8B5C70E5DEE59D7A8BC344CC6'); // public key x binary
$y = hex2bin('6109D3D96E52D0867B9D05D72D07BE5876A3D973E0E96792'); // public key y binary

$p = hex2bin('BDB6F4FE3E8B1D9E0DA8C0D46F4C318CEFE4AFE3B6B8551F');
$a = hex2bin('BB8E5E8FBC115E139FE6A814FE48AAA6F0ADA1AA5DF91985');
$b = hex2bin('1854BEBDC31B21B7AEFC80AB0ECD10D5B1B3308E6DBF11C1');
$g_x = hex2bin('4AD5F7048DE709AD51236DE65E4D4B482C836DC6E4106640');
$g_y = hex2bin('02BB3A02D4AAADACAE24817A4CA3A1B014B5270432DB27D2');
$order = hex2bin('BDB6F4FE3E8B1D9E0DA8C0D40FC962195DFAE76F56564677');

$pkey = openssl_pkey_new(array(
'ec'=> array(
'p' => $p,
'a' => $a,
'b' => $b,
'order' => $order,
'g_x' => $g_x,
'g_y' => $g_y,
//'d' => $d, // import the private key to generate keypairs
)
));

$details = openssl_pkey_get_details($pkey);
var_dump($details);
$pubkey = $details['key'];
openssl_pkey_export($pkey, $prikey);
echo 'Private Key:', PHP_EOL, $prikey, PHP_EOL;
echo 'Public Key:', PHP_EOL, $pubkey, PHP_EOL;
?>

EC - generate keypair with custom params (SM2 curve)

<?php
$p = hex2bin('FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF');
$a = hex2bin('FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC');
$b = hex2bin('28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93');
$g_x = hex2bin('32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7');
$g_y = hex2bin('BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0');
$order = hex2bin('FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123');

/*
* Custom parameters x, y, and d are not supported with SM2 in OpenSSL 3.x.
* Directly creating EVP_PKEY_CTX using EVP_PKEY_CTX_new_from_name(NULL, "SM2", NULL)
* will result in generating incorrect private keys (which cannot be correctly recognized
* by existing external applications based on the SM2 algorithm).
*/
$pkey = openssl_pkey_new(array(
'ec'=> array(
'p' => $p,
'a' => $a,
'b' => $b,
'order' => $order,
'g_x' => $g_x,
'g_y' => $g_y,
)
));

/*
* It is not entirely the same as generating keys through the SM2 curve naming method.
* So the generated key will be in PKCS8 format to store algorithm information.
*/
$details = openssl_pkey_get_details($pkey);
var_dump($details);
$pubkey = $details['key'];
openssl_pkey_export($pkey, $prikey);
echo 'Private Key:', PHP_EOL, $prikey, PHP_EOL;
echo 'Public Key:', PHP_EOL, $pubkey, PHP_EOL;
?>
up
0
Jan
6 years ago
In case this function returns false, then check your openssl.cnf and make sure that in the [req] section of this file the entry default_bits is not commented out.
up
-1
dodginess at yahoo dot com
7 years ago
If you're using openssl_pkey_new() in conjunction with openssl_csr_new() and want to change the CSR digest algorithm as well as specify a custom key size, the configuration override should be defined once and sent to both functions:

<?php
$config = array(
'digest_alg' => 'sha1',
'private_key_bits' => 2048,
'private_key_type' => OPENSSL_KEYTYPE_RSA,
);

$privkey = openssl_pkey_new($config);

$csr = openssl_csr_new($dn, $privkey, $config);
?>

Although openssl_pkey_new() will accept the 'digest_alg' argument it won't use it, and setting the value has no effect unless you also set this value for openssl_csr_new(). The reason for this is that the $config array is acting as a drop-in replacement for the values found in the openssl.cnf file, so it must contain all of the override values that you need even if the function they're being sent to won't use them.

Also, if you change the 'digest_alg' to something like 'sha256' and still get an MD5 signed CSR check your openssl.cnf file to see whether the digest algorithm you want to use is actually supported.

Official page: https://www.php.net/manual/en/function.openssl-pkey-new.php
