lua-resty-openssl之rsa公钥加密私钥解密
1.创建文件 /usr/local/openresy/rsa_test.lua
local pkey = require "resty.openssl.pkey" local str = require "resty.string" -- 生成密钥对 local function generate_rsa_keys()-- 生成2048位RSA密钥对local key, err = pkey.new({type = "RSA",bits = 2048})-- 提取公钥local pub_pem = key:to_PEM("public")-- 提取私钥local priv_pem = key:to_PEM("private")if not priv_pem or not pub_pem thenreturn nil, nil, "转换 PEM 格式失败: " .. (err or "未知错误")endreturn pub_pem, priv_pem, nil end-- 公钥加密(用于生成测试数据) local function rsa_encrypt(pub_key, plaintext)local pkey, err = pkey.new(pub_key)if not pkey or not plaintext thenreturn nil, "参数错误"endlocal oaep_params = {oaep_md = "sha256", -- 对应pkey.lua中的opts.oaep_mdmgf1_md = "sha256", -- 对应pkey.lua中的opts.mgf1_mdlabel = nil}local RSA_PKCS1_OAEP_PADDING = "4"local ciphertext, err = pkey:encrypt(plaintext, RSA_PKCS1_OAEP_PADDING ,oaep_params)if not ciphertext thenreturn nil, "加密失败: " .. (err or "未知错误")end-- 返回Base64编码的密文(便于传输存储)return ngx.encode_base64(ciphertext), nil end-- 私钥解密(核心实现) local function rsa_decrypt(priv_key, encrypted_data)local pkey, err = pkey.new(priv_key)if not pkey or not encrypted_data thenreturn nil, "参数错误(私钥或密文为空)"end-- 1. 先解码Base64密文local ciphertext, err = ngx.decode_base64(encrypted_data)if not ciphertext thenreturn nil, "Base64解码失败: " .. (err or "无效密文")end-- 2. 设置解密填充方式(必须与加密时一致)local oaep_params = {oaep_md = "sha256", -- 对应pkey.lua中的opts.oaep_mdmgf1_md = "sha256", -- 对应pkey.lua中的opts.mgf1_mdlabel = nil}local RSA_PKCS1_OAEP_PADDING = "4"-- 3. 执行解密local result,err= pkey:decrypt(ciphertext, RSA_PKCS1_OAEP_PADDING,oaep_params)if not result thenreturn nil, "解密返回空结果"endreturn result, nil -- 返回解密后的原始数据 end-- 完整测试流程 local function test_rsa_crypto()-- 1. 生成密钥对local pub_key, priv_key, err = generate_rsa_keys(2048)if err thenreturn nil, "密钥生成失败: " .. errendngx.say(pub_key)ngx.say("-----")ngx.say(priv_key)ngx.say("-----")-- 2. 原始数据local original_text = "这是一段需要加密的敏感数据:123456"ngx.say(ngx.INFO, "原始数据: ", original_text)-- 3. 公钥加密local encrypted_data, err = rsa_encrypt(pub_key, original_text)if err thenreturn nil, "加密失败: " .. errendngx.say(ngx.INFO, "加密后(Base64): ", encrypted_data)-- 4. 私钥解密local decrypted_text, err = rsa_decrypt(priv_key, encrypted_data)if err thenreturn nil, "解密失败: " .. errendngx.say(ngx.INFO, "解密后: ", decrypted_text)ngx.say(ngx.INFO, "解密后hex: ", str.to_hex(decrypted_text))-- 5. 验证结果if decrypted_text ~= original_text thenreturn nil, "解密结果不匹配原始数据"endreturn true, "加密解密验证成功" end-- 执行测试 local success, msg = test_rsa_crypto() if success thenngx.say("测试成功: ", msg) elsengx.status = 500ngx.say("测试失败: ", msg) end
2.nginx中配置
location /rsa/test {content_by_lua_file /usr/local/openresy/rsa_test.lua; }
3. 重新加载nginx 并访问
nginx -t nginx -s reloadcurl http://localhost/rsa/test
4.输出
-----BEGIN PUBLIC KEY----- XXXXXXXXXXXXXXX -----END PUBLIC KEY---------- -----BEGIN PRIVATE KEY----- XXXXXXXXXXXXXXX -----END PRIVATE KEY---------- 7原始数据: 这是一段需要加密的敏感数据:123456 7加密后(Base64): l1OW/kvrWKegGUNHvYdHO4h3Zsyt7ATUFv0lHWOxAHu0ENtsbIu/4XQmr81U/ueDqMFnSQJRToka0uL4t32e6Sjb/gkh8zGY9MxvoME/hnmYCei86aYl4d+i5p4RGKnXknDmRxbAJh87xuj+jm/a7QW8nHPqNV2DSOz/S7kMlpaejwCnQqBHDs0Kv3Wsuu58eUivtmpMFhVSk08YWt/kzyPy1tgL7avo/N0QBtvS5x9++aZeqVQ92umplFU22fx47qZhfWWzRtioR/Ju73Ny4HlALpScHWOjDwuuSN0JE6X8xk29R9WSHLTFALDv52Z+4oH6OF1XiPI560g9V2VHZw== 7解密后: 这是一段需要加密的敏感数据:123456 7解密后hex: e8bf99e698afe4b880e6aeb5e99c80e8a681e58aa0e5af86e79a84e6958fe6849fe695b0e68daeefbc9a313233343536 测试成功: 加密解密验证成功