openresty开发lua-resty-openssl之rsa公钥加密私钥解密 - liuxm

lua-resty-openssl之rsa公钥加密私钥解密

 

1.创建文件  /usr/local/openresy/rsa_test.lua

local pkey = require "resty.openssl.pkey"
local str = require "resty.string"

-- 生成密钥对
local function generate_rsa_keys()-- 生成2048位RSA密钥对local key, err = pkey.new({type = "RSA",bits = 2048})-- 提取公钥local pub_pem =  key:to_PEM("public")-- 提取私钥local priv_pem = key:to_PEM("private")if not priv_pem or not pub_pem thenreturn nil, nil, "转换 PEM 格式失败: " .. (err or "未知错误")endreturn pub_pem, priv_pem, nil
end-- 公钥加密（用于生成测试数据）
local function rsa_encrypt(pub_key, plaintext)local pkey, err = pkey.new(pub_key)if not pkey or not plaintext thenreturn nil, "参数错误"endlocal oaep_params = {oaep_md = "sha256",  -- 对应pkey.lua中的opts.oaep_mdmgf1_md = "sha256",  -- 对应pkey.lua中的opts.mgf1_mdlabel = nil}local RSA_PKCS1_OAEP_PADDING = "4"local ciphertext, err = pkey:encrypt(plaintext, RSA_PKCS1_OAEP_PADDING ,oaep_params)if not ciphertext thenreturn nil, "加密失败: " .. (err or "未知错误")end-- 返回Base64编码的密文（便于传输存储）return ngx.encode_base64(ciphertext), nil
end-- 私钥解密（核心实现）
local function rsa_decrypt(priv_key, encrypted_data)local pkey, err = pkey.new(priv_key)if not pkey or not encrypted_data thenreturn nil, "参数错误（私钥或密文为空）"end-- 1. 先解码Base64密文local ciphertext, err = ngx.decode_base64(encrypted_data)if not ciphertext thenreturn nil, "Base64解码失败: " .. (err or "无效密文")end-- 2. 设置解密填充方式（必须与加密时一致）local oaep_params = {oaep_md = "sha256",  -- 对应pkey.lua中的opts.oaep_mdmgf1_md = "sha256",  -- 对应pkey.lua中的opts.mgf1_mdlabel = nil}local RSA_PKCS1_OAEP_PADDING = "4"-- 3. 执行解密local result,err= pkey:decrypt(ciphertext, RSA_PKCS1_OAEP_PADDING,oaep_params)if not result thenreturn nil, "解密返回空结果"endreturn result, nil  -- 返回解密后的原始数据
end-- 完整测试流程
local function test_rsa_crypto()-- 1. 生成密钥对local pub_key, priv_key, err = generate_rsa_keys(2048)if err thenreturn nil, "密钥生成失败: " .. errendngx.say(pub_key)ngx.say("-----")ngx.say(priv_key)ngx.say("-----")-- 2. 原始数据local original_text = "这是一段需要加密的敏感数据：123456"ngx.say(ngx.INFO, "原始数据: ", original_text)-- 3. 公钥加密local encrypted_data, err = rsa_encrypt(pub_key, original_text)if err thenreturn nil, "加密失败: " .. errendngx.say(ngx.INFO, "加密后(Base64): ", encrypted_data)-- 4. 私钥解密local decrypted_text, err = rsa_decrypt(priv_key, encrypted_data)if err thenreturn nil, "解密失败: " .. errendngx.say(ngx.INFO, "解密后: ", decrypted_text)ngx.say(ngx.INFO, "解密后hex: ", str.to_hex(decrypted_text))-- 5. 验证结果if decrypted_text ~= original_text thenreturn nil, "解密结果不匹配原始数据"endreturn true, "加密解密验证成功"
end-- 执行测试
local success, msg = test_rsa_crypto()
if success thenngx.say("测试成功: ", msg)
elsengx.status = 500ngx.say("测试失败: ", msg)
end

2.nginx中配置

location /rsa/test {content_by_lua_file /usr/local/openresy/rsa_test.lua;      
}

3. 重新加载nginx 并访问

nginx -t 
nginx -s reloadcurl http://localhost/rsa/test

4.输出

-----BEGIN PUBLIC KEY-----
XXXXXXXXXXXXXXX
-----END PUBLIC KEY----------
-----BEGIN PRIVATE KEY-----
XXXXXXXXXXXXXXX
-----END PRIVATE KEY----------
7原始数据: 这是一段需要加密的敏感数据：123456
7加密后(Base64): l1OW/kvrWKegGUNHvYdHO4h3Zsyt7ATUFv0lHWOxAHu0ENtsbIu/4XQmr81U/ueDqMFnSQJRToka0uL4t32e6Sjb/gkh8zGY9MxvoME/hnmYCei86aYl4d+i5p4RGKnXknDmRxbAJh87xuj+jm/a7QW8nHPqNV2DSOz/S7kMlpaejwCnQqBHDs0Kv3Wsuu58eUivtmpMFhVSk08YWt/kzyPy1tgL7avo/N0QBtvS5x9++aZeqVQ92umplFU22fx47qZhfWWzRtioR/Ju73Ny4HlALpScHWOjDwuuSN0JE6X8xk29R9WSHLTFALDv52Z+4oH6OF1XiPI560g9V2VHZw==
7解密后: 这是一段需要加密的敏感数据：123456
7解密后hex: e8bf99e698afe4b880e6aeb5e99c80e8a681e58aa0e5af86e79a84e6958fe6849fe695b0e68daeefbc9a313233343536
测试成功: 加密解密验证成功