openresty开发lua-resty-openssl之rsa公钥加密私钥解密
lua-resty-openssl之rsa公钥加密私钥解密
1.创建文件 /usr/local/openresy/rsa_test.lua
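local pkey = require "resty.openssl.pkey"
local str = require "resty.string"

-- OAEP parameters shared by the encrypt and decrypt paths. Both sides must use
-- the same digests or decryption fails; the keys map to opts.oaep_md and
-- opts.mgf1_md in lua-resty-openssl's pkey.lua. (The original also listed
-- `label = nil`, which is a no-op: a nil table entry does not exist.)
local OAEP_OPTS = {
  oaep_md = "sha256",
  mgf1_md = "sha256",
}

-- OpenSSL's RSA_PKCS1_OAEP_PADDING is 4. Prefer the constant the module exports
-- over the string literal "4" the original passed; fall back to the numeric
-- value if this module version has no PADDINGS table.
local RSA_PKCS1_OAEP_PADDING = (pkey.PADDINGS and pkey.PADDINGS.RSA_PKCS1_OAEP_PADDING) or 4

--- Generate an RSA key pair and export both halves as PEM.
-- The original ignored its argument (it was called with 2048 but declared no
-- parameter) and indexed the key object without checking pkey.new succeeded.
-- @tparam[opt=2048] number bits modulus size in bits
-- @treturn string|nil public key PEM, or nil on failure
-- @treturn string|nil private key PEM, or nil on failure
-- @treturn string|nil error message when generation or export failed
local function generate_rsa_keys(bits)
  bits = bits or 2048
  local key, err = pkey.new({ type = "RSA", bits = bits })
  if not key then
    return nil, nil, "生成密钥失败: " .. (err or "未知错误")
  end

  local pub_pem, pub_err = key:to_PEM("public")
  local priv_pem, priv_err = key:to_PEM("private")
  if not pub_pem or not priv_pem then
    return nil, nil, "转换 PEM 格式失败: " .. (pub_err or priv_err or "未知错误")
  end
  return pub_pem, priv_pem, nil
end

--- Encrypt plaintext with an RSA public key (OAEP, SHA-256) and Base64 the result.
-- @tparam string pub_key public key in PEM form
-- @tparam string plaintext data to encrypt; OAEP limits one RSA operation to
--   k - 2*hLen - 2 bytes (190 bytes for a 2048-bit key with SHA-256), so larger
--   payloads need hybrid encryption rather than raw RSA
-- @treturn string|nil Base64-encoded ciphertext
-- @treturn string|nil error message
local function rsa_encrypt(pub_key, plaintext)
  if not pub_key or not plaintext then
    return nil, "参数错误"
  end
  -- named `key`, not `pkey`: the original shadowed the module table with the key object
  local key, err = pkey.new(pub_key)
  if not key then
    return nil, "加载公钥失败: " .. (err or "未知错误")
  end

  local ciphertext, enc_err = key:encrypt(plaintext, RSA_PKCS1_OAEP_PADDING, OAEP_OPTS)
  if not ciphertext then
    return nil, "加密失败: " .. (enc_err or "未知错误")
  end
  -- Base64 so the binary ciphertext survives transport and storage
  return ngx.encode_base64(ciphertext), nil
end

--- Decrypt a Base64 ciphertext produced by rsa_encrypt with the private key.
-- Padding mode and OAEP digests must match the encrypting side exactly.
-- @tparam string priv_key private key in PEM form
-- @tparam string encrypted_data Base64-encoded ciphertext
-- @treturn string|nil recovered plaintext
-- @treturn string|nil error message
local function rsa_decrypt(priv_key, encrypted_data)
  if not priv_key or not encrypted_data then
    return nil, "参数错误(私钥或密文为空)"
  end
  local key, err = pkey.new(priv_key)
  if not key then
    return nil, "加载私钥失败: " .. (err or "未知错误")
  end

  -- ngx.decode_base64 returns only nil on malformed input (no error string), so
  -- the original's `err` from this call was always nil
  local ciphertext = ngx.decode_base64(encrypted_data)
  if not ciphertext then
    return nil, "Base64解码失败: 无效密文"
  end

  local result, dec_err = key:decrypt(ciphertext, RSA_PKCS1_OAEP_PADDING, OAEP_OPTS)
  if not result then
    -- keep OpenSSL's reason for the log; the original discarded it. When this
    -- runs for remote callers, do not echo the detailed padding/decrypt reason
    -- back to the client — a generic failure is enough.
    return nil, "解密失败: " .. (dec_err or "解密返回空结果")
  end
  return result, nil
end

--- End-to-end check: generate a key pair, encrypt, decrypt, compare.
-- Output lines are collected into a table instead of being written with
-- ngx.say as they are produced, so the caller can still set ngx.status on
-- failure: once ngx.say has sent the response headers the status can no
-- longer be changed, which is what the original did on its error paths.
-- @treturn boolean ok
-- @treturn string message
-- @treturn table output lines, in order
local function test_rsa_crypto()
  local out = {}
  local function emit(...)
    out[#out + 1] = table.concat({ ... })
  end

  -- 1. key pair. Generating a 2048-bit key per request is slow and the
  --    private key is printed here for the demo only — never include private
  --    key material in a real response.
  local pub_key, priv_key, err = generate_rsa_keys(2048)
  if err then
    return false, "密钥生成失败: " .. err, out
  end
  emit(pub_key)
  emit("-----")
  emit(priv_key)
  emit("-----")

  -- 2. sample data. ngx.INFO is a log level meant for ngx.log; the original
  --    passed it to ngx.say, which is why every line was prefixed with "7".
  local original_text = "这是一段需要加密的敏感数据:123456"
  emit("原始数据: ", original_text)

  -- 3. encrypt with the public key
  local encrypted_data, enc_err = rsa_encrypt(pub_key, original_text)
  if enc_err then
    return false, "加密失败: " .. enc_err, out
  end
  emit("加密后(Base64): ", encrypted_data)

  -- 4. decrypt with the private key
  local decrypted_text, dec_err = rsa_decrypt(priv_key, encrypted_data)
  if dec_err then
    return false, "解密失败: " .. dec_err, out
  end
  emit("解密后: ", decrypted_text)
  emit("解密后hex: ", str.to_hex(decrypted_text))

  -- 5. round-trip check
  if decrypted_text ~= original_text then
    return false, "解密结果不匹配原始数据", out
  end
  return true, "加密解密验证成功", out
end

-- Run the test. Set the status before the first ngx.say so a failure really
-- produces a 500 instead of a 200 with an error logged.
local success, msg, lines = test_rsa_crypto()
if not success then
  ngx.status = 500
end
for i = 1, #lines do
  ngx.say(lines[i])
end
if success then
  ngx.say("测试成功: ", msg)
else
  ngx.say("测试失败: ", msg)
end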
2. nginx 中配置
# Demo endpoint only: the script's response body includes the generated
# private key, so do not expose this location on a production host.
location /rsa/test {
    content_by_lua_file /usr/local/openresy/rsa_test.lua;
}
3. 重新加载 nginx 并访问
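# Validate the configuration first and only reload when it passes; the original
# ran the reload unconditionally, which would apply a broken config.
nginx -t && nginx -s reload
# Exercise the endpoint; the response body includes the generated key pair.
curl http://localhost/rsa/test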
4.输出
-----BEGIN PUBLIC KEY----- XXXXXXXXXXXXXXX -----END PUBLIC KEY----- ----- -----BEGIN PRIVATE KEY----- XXXXXXXXXXXXXXX -----END PRIVATE KEY----- ----- 7原始数据: 这是一段需要加密的敏感数据:123456 7加密后(Base64): l1OW/kvrWKegGUNHvYdHO4h3Zsyt7ATUFv0lHWOxAHu0ENtsbIu/4XQmr81U/ueDqMFnSQJRToka0uL4t32e6Sjb/gkh8zGY9MxvoME/hnmYCei86aYl4d+i5p4RGKnXknDmRxbAJh87xuj+jm/a7QW8nHPqNV2DSOz/S7kMlpaejwCnQqBHDs0Kv3Wsuu58eUivtmpMFhVSk08YWt/kzyPy1tgL7avo/N0QBtvS5x9++aZeqVQ92umplFU22fx47qZhfWWzRtioR/Ju73Ny4HlALpScHWOjDwuuSN0JE6X8xk29R9WSHLTFALDv52Z+4oH6OF1XiPI560g9V2VHZw== 7解密后: 这是一段需要加密的敏感数据:123456 7解密后hex: e8bf99e698afe4b880e6aeb5e99c80e8a681e58aa0e5af86e79a84e6958fe6849fe695b0e68daeefbc9a313233343536 测试成功: 加密解密验证成功
