In releases before MySQL 8.0.30, MySQL Enterprise Encryption's functions are based
on the openssl_udf
shared library. This
reference describes those functions. The functions continue to be
available in later releases if they have been installed, but they
are deprecated.
For information on upgrading to the new component functions
provided by the MySQL component
component_enterprise_encryption
, and a list of
the behavior differences between the legacy functions and the
component functions, see
Upgrading MySQL Enterprise Encryption.
The reference for the component functions is Section 8.6.5, “MySQL Enterprise Encryption Component Function Descriptions”.
MySQL Enterprise Encryption functions have these general characteristics:
For arguments of the wrong type or an incorrect number of arguments, each function returns an error.
If the arguments are not suitable to permit a function to perform the requested operation, it returns
NULL
or 0 as appropriate. This occurs, for example, if a function does not support a specified algorithm, a key length is too short or long, or a string expected to be a key string in PEM format is not a valid key.The underlying SSL library takes care of randomness initialization.
Several of the legacy functions take an encryption algorithm argument. The following table summarizes the supported algorithms by function.
Table 8.49 Supported Algorithms by Function
Function | Supported Algorithms |
---|---|
asymmetric_decrypt() |
RSA |
asymmetric_derive() |
DH |
asymmetric_encrypt() |
RSA |
asymmetric_sign() |
RSA, DSA |
asymmetric_verify() |
RSA, DSA |
create_asymmetric_priv_key() |
RSA, DSA, DH |
create_asymmetric_pub_key() |
RSA, DSA, DH |
create_dh_parameters() |
DH |
Although you can create keys using any of the RSA, DSA, or DH
encryption algorithms, other legacy functions that take key
arguments might accept only certain types of keys. For example,
asymmetric_encrypt()
and
asymmetric_decrypt()
accept only RSA keys.
For additional examples and discussion, see Section 8.6.3, “MySQL Enterprise Encryption Usage and Examples”.
asymmetric_decrypt(
algorithm
,crypt_str
,key_str
)Decrypts an encrypted string using the given algorithm and key string, and returns the resulting plaintext as a binary string. If decryption fails, the result is
NULL
.The
openssl_udf
shared library function cannot decrypt content produced by thecomponent_enterprise_encryption
functions that are available from MySQL 8.0.30.algorithm
is the encryption algorithm used to create the key. The supported algorithm value is'RSA'
.crypt_str
is the encrypted string to decrypt, which was encrypted withasymmetric_encrypt()
.key_str
is a valid PEM encoded RSA public or private key. For successful decryption, the key string must correspond to the public or private key string used withasymmetric_encrypt()
to produce the encrypted string.For a usage example, see the description of
asymmetric_encrypt()
.asymmetric_derive(
pub_key_str
,priv_key_str
)Derives a symmetric key using the private key of one party and the public key of another, and returns the resulting key as a binary string. If key derivation fails, the result is
NULL
.pub_key_str
andpriv_key_str
are valid PEM encoded key strings that were created using the DH algorithm.Suppose that you have two pairs of public and private keys:
SET @dhp = create_dh_parameters(1024); SET @priv1 = create_asymmetric_priv_key('DH', @dhp); SET @pub1 = create_asymmetric_pub_key('DH', @priv1); SET @priv2 = create_asymmetric_priv_key('DH', @dhp); SET @pub2 = create_asymmetric_pub_key('DH', @priv2);
Suppose further that you use the private key from one pair and the public key from the other pair to create a symmetric key string. Then this symmetric key identity relationship holds:
asymmetric_derive(@pub1, @priv2) = asymmetric_derive(@pub2, @priv1)
This example requires DH private/public keys as inputs, created using a shared symmetric secret. Create the secret by passing the key length to
create_dh_parameters()
, then pass the secret as the “key length” tocreate_asymmetric_priv_key()
.-- Generate DH shared symmetric secret SET @dhp = create_dh_parameters(1024); -- Generate DH key pairs SET @algo = 'DH'; SET @priv1 = create_asymmetric_priv_key(@algo, @dhp); SET @pub1 = create_asymmetric_pub_key(@algo, @priv1); SET @priv2 = create_asymmetric_priv_key(@algo, @dhp); SET @pub2 = create_asymmetric_pub_key(@algo, @priv2); -- Generate symmetric key using public key of first party, -- private key of second party SET @sym1 = asymmetric_derive(@pub1, @priv2); -- Or use public key of second party, private key of first party SET @sym2 = asymmetric_derive(@pub2, @priv1);
asymmetric_encrypt(
algorithm
,str
,key_str
)Encrypts a string using the given algorithm and key string, and returns the resulting ciphertext as a binary string. If encryption fails, the result is
NULL
.algorithm
is the encryption algorithm used to create the key. The supported algorithm value is'RSA'
.str
is the string to encrypt. The length of this string cannot be greater than the key string length in bytes, minus 11 (to account for the padding).key_str
is a valid PEM encoded RSA public or private key.To recover the original unencrypted string, pass the encrypted string to
asymmetric_decrypt()
, along with the other part of the key pair used for encryption, as in the following example:-- Generate private/public key pair SET @priv = create_asymmetric_priv_key('RSA', 1024); SET @pub = create_asymmetric_pub_key('RSA', @priv); -- Encrypt using private key, decrypt using public key SET @ciphertext = asymmetric_encrypt('RSA', 'The quick brown fox', @priv); SET @plaintext = asymmetric_decrypt('RSA', @ciphertext, @pub); -- Encrypt using public key, decrypt using private key SET @ciphertext = asymmetric_encrypt('RSA', 'The quick brown fox', @pub); SET @plaintext = asymmetric_decrypt('RSA', @ciphertext, @priv);
Suppose that:
SET @s = a string to be encrypted SET @priv = a valid private RSA key string in PEM format SET @pub = the corresponding public RSA key string in PEM format
Then these identity relationships hold:
asymmetric_decrypt('RSA', asymmetric_encrypt('RSA', @s, @priv), @pub) = @s asymmetric_decrypt('RSA', asymmetric_encrypt('RSA', @s, @pub), @priv) = @s
asymmetric_sign(
algorithm
,digest_str
,priv_key_str
,digest_type
)Signs a digest string using a private key string, and returns the signature as a binary string. If signing fails, the result is
NULL
.algorithm
is the encryption algorithm used to create the key. The supported algorithm values are'RSA'
and'DSA'
.digest_str
is a digest string. A digest string can be generated by callingcreate_digest()
.priv_key_str
is the private key string to use for signing the digest string. It can be a valid PEM encoded RSA private key or DSA private key.digest_type
is the algorithm to be used to sign the data. The supporteddigest_type
values are'SHA224'
,'SHA256'
,'SHA384'
, and'SHA512'
.For a usage example, see the description of
asymmetric_verify()
.asymmetric_verify(
algorithm
,digest_str
,sig_str
,pub_key_str
,digest_type
)Verifies whether the signature string matches the digest string, and returns 1 or 0 to indicate whether verification succeeded or failed. If verification fails, the result is
NULL
.The
openssl_udf
shared library function cannot verify content produced by thecomponent_enterprise_encryption
functions that are available from MySQL 8.0.30.algorithm
is the encryption algorithm used to create the key. The supported algorithm values are'RSA'
and'DSA'
.digest_str
is the digest string. A digest string is required, and can be generated by callingcreate_digest()
.sig_str
is the signature string to be verified. A signature string can be generated by callingasymmetric_sign()
.pub_key_str
is the public key string of the signer. It corresponds to the private key passed toasymmetric_sign()
to generate the signature string. It must be a valid PEM encoded RSA public key or DSA public key.digest_type
is the algorithm that was used to sign the data. The supporteddigest_type
values are'SHA224'
,'SHA256'
,'SHA384'
, and'SHA512'
.-- Set the encryption algorithm and digest type SET @algo = 'RSA'; SET @dig_type = 'SHA224'; -- Create private/public key pair SET @priv = create_asymmetric_priv_key(@algo, 1024); SET @pub = create_asymmetric_pub_key(@algo, @priv); -- Generate digest from string SET @dig = create_digest(@dig_type, 'The quick brown fox'); -- Generate signature for digest and verify signature against digest SET @sig = asymmetric_sign(@algo, @dig, @priv, @dig_type); SET @verf = asymmetric_verify(@algo, @dig, @sig, @pub, @dig_type);
create_asymmetric_priv_key(
algorithm
, {key_len
|dh_secret
})Creates a private key using the given algorithm and key length or DH secret, and returns the key as a binary string in PEM format. The key is in PKCS #1 format. If key generation fails, the result is
NULL
.algorithm
is the encryption algorithm used to create the key. The supported algorithm values are'RSA'
,'DSA'
, and'DH'
.key_len
is the key length in bits for RSA and DSA keys. If you exceed the maximum allowed key length or specify less than the minimum, key generation fails and the result is null output. The minimum allowed key length in bits is 1,024, and the maximum allowed key length is 16,384 for the RSA algorithm or 10,000 for the DSA algorithm. These key-length limits are constraints imposed by OpenSSL. Server administrators can impose additional limits on maximum key length by setting theMYSQL_OPENSSL_UDF_RSA_BITS_THRESHOLD
,MYSQL_OPENSSL_UDF_DSA_BITS_THRESHOLD
, andMYSQL_OPENSSL_UDF_DH_BITS_THRESHOLD
environment variables. See Section 8.6.2, “Configuring MySQL Enterprise Encryption”.NoteGenerating longer keys can consume significant CPU resources. Limiting the key length using the environment variables lets you provide adequate security for your requirements while balancing this with resource usage.
dh_secret
is a shared DH secret, which must be passed instead of a key length for DH keys. To create the secret, pass the key length tocreate_dh_parameters()
.This example creates a 2,048-bit DSA private key, then derives a public key from the private key:
SET @priv = create_asymmetric_priv_key('DSA', 2048); SET @pub = create_asymmetric_pub_key('DSA', @priv);
For an example showing DH key generation, see the description of
asymmetric_derive()
.create_asymmetric_pub_key(
algorithm
,priv_key_str
)Derives a public key from the given private key using the given algorithm, and returns the key as a binary string in PEM format. The key is in PKCS #1 format. If key derivation fails, the result is
NULL
.algorithm
is the encryption algorithm used to create the key. The supported algorithm values are'RSA'
,'DSA'
, and'DH'
.priv_key_str
is a valid PEM encoded RSA, DSA, or DH private key.For a usage example, see the description of
create_asymmetric_priv_key()
.Creates a shared secret for generating a DH private/public key pair and returns a binary string that can be passed to
create_asymmetric_priv_key()
. If secret generation fails, the result isNULL
.key_len
is the key length. The minimum and maximum key lengths in bits are 1,024 and 10,000. These key-length limits are constraints imposed by OpenSSL. Server administrators can impose additional limits on maximum key length by setting theMYSQL_OPENSSL_UDF_RSA_BITS_THRESHOLD
,MYSQL_OPENSSL_UDF_DSA_BITS_THRESHOLD
, andMYSQL_OPENSSL_UDF_DH_BITS_THRESHOLD
environment variables. See Section 8.6.2, “Configuring MySQL Enterprise Encryption”.For an example showing how to use the return value for generating symmetric keys, see the description of
asymmetric_derive()
.SET @dhp = create_dh_parameters(1024);
create_digest(
digest_type
,str
)Creates a digest from the given string using the given digest type, and returns the digest as a binary string. If digest generation fails, the result is
NULL
.The resulting digest string is suitable for use with
asymmetric_sign()
andasymmetric_verify()
. A digest is required for these functions.digest_type
is the digest algorithm to be used to generate the digest string. The supporteddigest_type
values are'SHA224'
,'SHA256'
,'SHA384'
, and'SHA512'
.str
is the non-null data string for which the digest is to be generated.SET @dig = create_digest('SHA512', 'The quick brown fox');