PHP openssl_pkcs12_export函数代码示例

 public function exportCertificatePkcs12($file)
 {
     \debug("OpenSSL CSR: Exporting certificate as PKCS12: {$file}");
     $pkcs = null;
     openssl_pkcs12_export($this->signed, $pkcs, $this->pkey, $this->pkeypass, ["friendly_names" => true]);
     file_put_contents($file, $pkcs);
 }

 public static function createSerializedFairPlayOptionConfiguration($cert, $pkey, $pfxPassword, $pfxPasswordKeyId, $askId, $contentIv)
 {
     openssl_pkcs12_export($cert, $certBytes, $pkey, $pfxPassword);
     $certString = base64_encode($certBytes);
     $template = new FairPlayConfiguration();
     $template->ASkId = $askId;
     $template->ContentEncryptionIV = $contentIv;
     $template->FairPlayPfx = $certString;
     $template->FairPlayPfxPasswordId = $pfxPasswordKeyId;
     return json_encode($template);
 }

 /**
  * A method for exporting the certificate.
  *
  * @param mixed $password
  * @return string
  */
 public function export($type = 'x509', $password = null)
 {
     if ($this->signed === false) {
         openssl_csr_export($this->csr, $out);
         return $out;
     } else {
         switch ($type) {
             case 'x509':
                 openssl_x509_export($this->csr, $out);
                 break;
             case 'pkcs12':
                 openssl_pkcs12_export($this->csr, $out, $this->keyPair->privateKey, $password);
                 break;
         }
         return $out;
     }
 }

     }
     exit;
 } elseif ($act == "p12") {
     // export cert+key in p12 format
     if (isset($id)) {
         $exp_name = urlencode("{$a_cert[$id]['descr']}.p12");
         $args = array();
         $args['friendly_name'] = $a_cert[$id]['descr'];
         $ca = lookup_ca($a_cert[$id]['caref']);
         if ($ca) {
             $args['extracerts'] = openssl_x509_read(base64_decode($ca['crt']));
         }
         $res_crt = openssl_x509_read(base64_decode($a_cert[$id]['crt']));
         $res_key = openssl_pkey_get_private(array(0 => base64_decode($a_cert[$id]['prv']), 1 => ""));
         $exp_data = "";
         openssl_pkcs12_export($res_crt, $exp_data, $res_key, null, $args);
         $exp_size = strlen($exp_data);
         header("Content-Type: application/octet-stream");
         header("Content-Disposition: attachment; filename={$exp_name}");
         header("Content-Length: {$exp_size}");
         echo $exp_data;
     }
     exit;
 } elseif ($act == "csr") {
     if (!isset($id)) {
         header("Location: system_certmanager.php");
         exit;
     }
     $pconfig['descr'] = $a_cert[$id]['descr'];
     $pconfig['csr'] = base64_decode($a_cert[$id]['csr']);
     $pconfig['cert'] = null;

function test_openssl_pkcs12_read()
{
    $privkey = openssl_pkey_new();
    VERIFY($privkey != null);
    $csr = openssl_csr_new(null, $privkey);
    VERIFY($csr != null);
    $scert = openssl_csr_sign($csr, null, $privkey, 365);
    openssl_pkcs12_export($scert, $pkcs12, $privkey, "1234");
    VERIFY(openssl_pkcs12_read($pkcs12, $certs, "1234"));
    VERIFY(strlen($certs['cert']) > 500);
    VERIFY(strlen($certs['pkey']) > 500);
}

 /**
  * Process requests to obtain pkcs12 file.
  * @return void
  */
 function getPageServerPkcs12()
 {
     $this->html->setPageTitle('Get PKCS12 Certificate');
     $id = $this->html->crumbGet(WA_QS_ID);
     if (!is_numeric($id) or $id < 1) {
         $this->html->errorMsgSet('Must specify valid certificate id.');
         die($this->html->loadTemplate('client.view.php'));
     }
     $this->moduleRequired('server,ca');
     $this->server->resetProperties();
     if ($this->server->populateFromDb($id) === false) {
         $this->html->errorMsgSet('Failed to locate the specified certificate.');
         die($this->html->loadTemplate('server.view.php'));
     }
     $this->html->setVar('data', &$this->server);
     // Have they been given the chance to enter the private key password?
     $conf = isset($_POST[WA_QS_CONFIRM]) ? $_POST[WA_QS_CONFIRM] : false;
     $keyPass = isset($_POST['keyPass']) ? $_POST['keyPass'] : null;
     $expPass = isset($_POST['expPass']) ? $_POST['expPass'] : false;
     if ($conf !== 'yes' or $expPass === false) {
         die($this->html->loadTemplate('server.pkcs12.php'));
     }
     // Get down to bidness
     $cert = $this->server->getProperty('Certificate');
     $pk = $this->server->getProperty('PrivateKey');
     // Get and decrypt the private key...
     $pkey = openssl_pkey_get_private($pk, $keyPass);
     if ($pkey === false) {
         $this->html->errorMsgSet('Invalid pass phrase for private key.');
         die($this->html->loadTemplate('server.pkcs12.php'));
     }
     // Extra args - name of certificate for import and chain CA certificates
     $certs = array();
     $serverName = $this->server->getProperty('CommonName');
     $certName = 'Server Certificate - ' . $serverName;
     // Obtain chain of issuer certificate ids.
     $issuerIds = $this->ca->getCaChainIds($this->server->getProperty('ParentId'));
     if (is_array($issuerIds) and count($issuerIds) > 0) {
         foreach ($issuerIds as $id) {
             $pem = $this->ca->getPemCertById($id);
             if (is_string($pem)) {
                 $certs[] = trim($pem);
             }
         }
     }
     if (is_array($certs) and count($certs) > 0) {
         $certs = implode("\n", $certs);
     } else {
         $certs = '';
     }
     $extraArgs = array('extracerts' => $certs, 'friendly_name' => $certName);
     $rc = openssl_pkcs12_export($cert, $pkcs12, $pkey, $expPass, $extraArgs);
     if (!($rc === true)) {
         $this->html->errorMsgSet('Failed to export PKCS12 Certficate Store.');
         die($this->html->loadTemplate('server.pkcs12.php'));
     }
     header('Pragma: private');
     header('Expires: 0');
     header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
     header('Cache-Control: private');
     header('Content-Description: File Transfer');
     header('Content-Type: application/x-pkcs12');
     header('Content-Disposition: attachment; filename="' . $serverName . '.p12"');
     header('Content-Transfer-Encoding: binary');
     header('Content-Length: ' . strlen($pkcs12));
     die($pkcs12);
 }

 /**
  * 生成证书
  */
 private function process()
 {
     $privkey = openssl_pkey_new($this->config);
     $csr = openssl_csr_new($this->dn, $privkey);
     $sscert = openssl_csr_sign($csr, NULL, $privkey, $this->iNumberOfDays);
     openssl_x509_export($sscert, $csrkey);
     openssl_pkcs12_export($sscert, $privatekey, $privkey, $this->sPrivKeyPass);
     //生成公钥证书
     $fp = fopen($this->sCerPath, "w");
     fwrite($fp, $csrkey);
     fclose($fp);
     //生成密钥证书
     $fp = fopen($this->sPfxPath, "w");
     fwrite($fp, $privatekey);
     fclose($fp);
 }

    function generateCertificate($sip_address,$email,$password) {
        if (!$this->init) return false;

        if (!is_array($this->enrollment)) {
            print _("Error: missing enrollment settings");
            return false;
        }

        if (!$this->enrollment['ca_conf']) {
            //print _("Error: missing enrollment ca_conf settings");
            return false;
        }

        if (!$this->enrollment['ca_crt']) {
            //print _("Error: missing enrollment ca_crt settings");
            return false;
        }

        if (!$this->enrollment['ca_key']) {
            //print _("Error: missing enrollment ca_key settings");
            return false;
        }

    	$config = array(
    		'config'           => $this->enrollment['ca_conf'],
    		'digest_alg'       => 'md5',
    		'private_key_bits' => 1024,
    		'private_key_type' => OPENSSL_KEYTYPE_RSA,
    		'encrypt_key'      => false,
    	);

		$dn = array(
    		"countryName"            => $this->enrollment['countryName'],
	    	"stateOrProvinceName"    => $this->enrollment['stateOrProvinceName'],
    		"localityName"           => $this->enrollment['localityName'],
    		"organizationName"       => $this->enrollment['organizationName'],
    		"organizationalUnitName" => $this->enrollment['organizationalUnitName'],
    		"commonName"             => $sip_address,
    		"emailAddress"           => $email
		);

		$this->key = openssl_pkey_new($config);
		$this->csr = openssl_csr_new($dn, $this->key);

        openssl_csr_export($this->csr, $this->csr_out);
        openssl_pkey_export($this->key, $this->key_out, $password, $config);

		$ca="file://".$this->enrollment['ca_crt'];

        $this->crt = openssl_csr_sign($this->csr, $ca, $this->enrollment['ca_key'], 3650, $config);

		if ($this->crt==FALSE) {
			while (($e = openssl_error_string()) !== false) {
				echo $e . "\n";
				print "<br><br>";
			}
            return false;
		}

        openssl_x509_export   ($this->crt, $this->crt_out);
        openssl_pkcs12_export ($this->crt, $this->pk12_out, $this->key, $password);

        return array(
                     'crt'  => $this->crt_out,
                     'key'  => $this->key_out,
                     'pk12' => $this->pk12_out,
                     'ca'   => file_get_contents($this->enrollment['ca_crt'])
                     );
    }

 public function getPKCS12SelfSigned($countryName, $stateOrProvinceName, $localityName, $organizationName, $organizationalUnitName, $commonName, $emailAddress)
 {
     $dn = array("countryName" => $countryName, "stateOrProvinceName" => $stateOrProvinceName, "localityName" => $localityName, "organizationName" => $organizationName, "organizationalUnitName" => $organizationalUnitName, "commonName" => $commonName, "emailAddress" => $emailAddress, "extendedKeyUsage" => "clientAuth", "authorityInfoAccess" => "URI:http://" . getenv('HTTP_HOST') . "/");
     $privkey = openssl_pkey_new($this->config);
     $csr = openssl_csr_new($dn, $privkey, $this->config);
     $sscert = openssl_csr_sign($csr, null, $privkey, $this->csr_days_valid, $this->config);
     // Self signed
     openssl_x509_export($sscert, $this->publickey);
     openssl_pkcs12_export($this->publickey, $pks12, $privkey, null);
     return $pks12;
 }

 public function createpkcs12($c, $k, $p, $a = array('friendly_name' => '', 'extracerts' => ''), $f = false, $d = false)
 {
     $key = openssl_pkey_get_private($k, $p);
     $f === false ? openssl_pkcs12_export($c, $r, $key, $p, $a) : openssl_pkcs12_export_to_file($c, $r, $key, $p, $a);
     return $r;
 }

// 利用 pfx 证书加密解密
function _var($mixed, $is_dump = false)
{
    if ($is_dump) {
        var_dump($mixed);
    }
}
$dn = array("countryName" => "CN", "stateOrProvinceName" => "Beijing", "localityName" => "Beijing", "organizationName" => "Eyou", "organizationalUnitName" => "Develop team", "commonName" => "Li Bo", "emailAddress" => "libo@eyou.net");
$config = array('config' => '/etc/pki/tls/openssl.cnf', 'encrypt_key' => 1, 'private_key_type' => OPENSSL_KEYTYPE_RSA, "digest_alg" => "sha1", 'x509_extensions' => 'v3_ca', 'private_key_bits' => 1024, "encrypt_key_cipher" => OPENSSL_CIPHER_AES_256_CBC);
$privkey = openssl_pkey_new($config);
$csr = openssl_csr_new($dn, $privkey);
$sscert = openssl_csr_sign($csr, null, $privkey, 365);
openssl_csr_export($csr, $csrout) and _var($csrout);
openssl_x509_export($sscert, $cer_x509) and _var($cer_x509);
openssl_pkey_export($privkey, $pkeyout, "mypassword", $config) and _var($pkeyout);
openssl_pkcs12_export($cer_x509, $pkcs12, $privkey, 'mypassword', $config) && _var(base64_encode($pkcs12));
openssl_pkcs12_read($pkcs12, $cert, 'mypassword') && _var($cert);
//_var(getenv('OPENSSL_CONF'));
// Show any errors that occurred here
//while (($e = openssl_error_string()) !== false) {
//    echo $e . "\n";
//}
//exit;
$cleartext = '1234 5678 9012 3456';
echo "\nClear txt: \n{$cleartext}\n";
$pub_key = $cert['cert'];
$priv_key = $cert['pkey'];
openssl_public_encrypt($cleartext, $crypttext, $pub_key);
echo "\nCrypt text:\n" . base64_encode($crypttext) . "\n";
openssl_private_decrypt($crypttext, $decrypted, $priv_key);
echo "\nDecrypted text:\n{$decrypted}\n\n";

// ********** 签署证书 **********
//$cert = openssl_csr_sign($csr, null, $priv, 365); // right
//$cert = openssl_csr_sign($csrout, null, $priv, 365); // right
// CA 签证书
//$cert = openssl_csr_sign($csr, $ca_certout, $ca_pfx, 365); // wrong
//$cert = openssl_csr_sign($csr, $ca_pubout, $ca_privout, 365); // wrong
$cert = openssl_csr_sign($csr, $ca_certout, $ca_privout, 365);
// right
// ********* 导出证书 ***********
openssl_csr_export($csr, $csrout) and var_dump('CSR', $csrout);
openssl_x509_export($cert, $certout) and var_dump('Certificate', $certout);
openssl_pkey_export($priv, $pkeyout, $password, $config) and var_dump('Private', $pkeyout);
$pkey = openssl_pkey_get_private($pkeyout, $password);
// $pkey 参数可以是没有密码导出的密钥
// 或者是 OpenSSL key 资源
openssl_pkcs12_export($certout, $pfx, $pkey, $password);
openssl_pkcs12_read($pfx, $certs, $password) && var_dump($certs);
$cleartext = '1234 5678 9012 3456';
echo "Clear txt: \n{$cleartext}\n";
// ************ 公私钥 ***************
$pub_key = $certout;
// right
//$pub_key = $cert; // right
//$pub_key = openssl_pkey_get_public($certout); // right OpenSSL key
//$pub_key = openssl_pkey_get_public($cert); // right OpenSSL key
//$pub_key = openssl_pkey_get_details($priv)['key']; // right public key
//$pub_key = $csrout; // wrong
$priv_key = openssl_pkey_get_private($pkeyout, $password);
// right OpenSSL key
//$priv_key = $pkeyout; // wrong private key
//$priv_key = $pfx; // wrong pcks12 cert

 /**
  * Exports the data to be stored in a .p12 file (encrypted certificate and private key)
  * @param X509 $X509
  * @param PrivateKey $PrivateKey or PEM
  * @param String $Password to encrypt the whole file
  * @return String
  */
 function PKCS12_Export($X509, $PrivateKey, $Password = "")
 {
     $out = '';
     openssl_pkcs12_export($X509, $out, $PrivateKey, $Password);
     return $out;
 }

/**
 * Create a new client certificate for a username or client hostname.
 * @param $commonName   - The username or hostname
 * @param $emailAddress - The user's email address
 * @param $serial       - The serial number
 * @param $cacert       - Path to Certificate Authority cert file.
 * @param $cakey        - Path to Certificate Authority key file.
 * @param $valid_days   - validity in number of days for the user certificate
 * @return string       - The client certificate signed by the Certificate Authority, or false on error.
 */
function create_user_certificate($commonName, $emailAddress, $serial, $cacert, $cakey, $valid_days)
{
    $opensslConf = $GLOBALS['webserver_root'] . "/library/openssl.cnf";
    $config = array('config' => $opensslConf);
    /* Generate a certificate signing request */
    $arr = create_csr($commonName, $emailAddress, "", "", "", "", "");
    if ($arr === false) {
        return false;
    }
    $csr = $arr[0];
    $privkey = $arr[1];
    /* user id is used as serial number to sign a certificate */
    $serial = 0;
    $res = sqlStatement("select id from users where username='" . $commonName . "'");
    if ($row = sqlFetchArray($res)) {
        $serial = $row['id'];
    }
    $cert = openssl_csr_sign($csr, file_get_contents($cacert), file_get_contents($cakey), $valid_days, $config, $serial);
    if ($cert === false) {
        return false;
    }
    /* Convert the user certificate to .p12 (PKCS 12) format, which is the
     * standard format used by browsers.
     */
    if (openssl_pkcs12_export($cert, $p12Out, $privkey, "") === false) {
        return false;
    }
    return $p12Out;
}

 /**
  * @param string $password
  * @return string
  * @throws RuntimeException
  */
 public function export($password = NULL)
 {
     $options = [];
     if ($this->hasChain()) {
         $options['extracerts'] = $this->getChain();
     }
     $status = openssl_pkcs12_export($this->getCertificate(), $result, $this->getPrivateKey(), $password, $options);
     if (!$status) {
         throw new RuntimeException(OpenSSL::getLastError());
     }
     return $result;
 }