PHP openssl_pkcs12_read函数代码示例

 /**
  * @param string $pkcs12
  * @param string $password
  *
  * @throws Exception
  */
 public function load($pkcs12, string $password = NULL)
 {
     if (is_null($pkcs12)) {
         return;
     }
     if ($pkcs12 instanceof File) {
         $pkcs12 = $pkcs12->getContent();
     }
     if ($pkcs12 instanceof SplFileInfo) {
         $pkcs12 = file_get_contents($pkcs12);
     }
     if (!openssl_pkcs12_read($pkcs12, $result, $password)) {
         throw new RuntimeException(OpenSSL::getLastError());
     }
     if (array_key_exists('cert', $result)) {
         $certificate = new Certificate($result['cert']);
         $this->setCertificate($certificate);
     }
     if (array_key_exists('pkey', $result)) {
         $privateKey = new PrivateKey($result['pkey']);
         $this->setPrivateKey($privateKey);
     }
     if (array_key_exists('extracerts', $result)) {
         $this->setChain($result['extracerts']);
     }
 }

 /**
  * @param $p12buf
  * @param $p12cert
  * @param $password
  * @return array
  * @throws \Exception
  */
 private static function pkcs12Read($p12buf, array $p12cert, $password)
 {
     if (!openssl_pkcs12_read($p12buf, $p12cert, $password)) {
         throw new \RuntimeException("Invalid cert format or password.");
     }
     return $p12cert;
 }

/** 
 * 
 array(3) {
  ["cert"]=>
  string(1334) "-----BEGIN CERTIFICATE-----
MIIDrTCCAxagAwIBAgIQWQKhEMePlPB2aPEW+YUIIDANBgkqhkiG9w0BAQUFADAk
MQswCQYDVQQGEwJDTjEVMBMGA1UEChMMQ0ZDQSBURVNUIENBMB4XDTExMDgyNDA3
NDc1MFoXDTEzMDgyNDA3NDc1MFowczELMAkGA1UEBhMCQ04xFTATBgNVBAoTDENG
Q0EgVEVTVCBDQTERMA8GA1UECxMITG9jYWwgUkExFDASBgNVBAsTC0VudGVycHJp
c2VzMSQwIgYDVQQDFBswNDFAWjIwMTEwODI0QFRFU1RAMDAwMDAwMjMwgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAK8kL0wwZEqbFEEjQoyMO3PYqighzpc6WMc9
aFN8BqaFXcDm/nI+JmviFowOm6VTTxjQnGx6DAPB9uxxCuEbue+KUiohr4eIjXGR
8XGO01Ssw3mGm87wdRR/CrNvkR2WVBy/8LTHEGR4IQIhvzokmvLu3LiY0GQ3aJ1s
bGV0yL3RAgMBAAGjggGPMIIBizAfBgNVHSMEGDAWgBRGctwlcp8CTlWDtYD5C9vp
k7P0RTAdBgNVHQ4EFgQUiFLVc/e56LvykZgnvwbiVHMKt0swCwYDVR0PBAQDAgTw
MAwGA1UdEwQFMAMBAQAwOwYDVR0lBDQwMgYIKwYBBQUHAwEGCCsGAQUFBwMCBggr
BgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIMIHwBgNVHR8EgegwgeUwT6BNoEuk
STBHMQswCQYDVQQGEwJDTjEVMBMGA1UEChMMQ0ZDQSBURVNUIENBMQwwCgYDVQQL
EwNDUkwxEzARBgNVBAMTCmNybDEyN18xNTcwgZGggY6ggYuGgYhsZGFwOi8vdGVz
dGxkYXAuY2ZjYS5jb20uY246Mzg5L0NOPWNybDEyN18xNTcsT1U9Q1JMLE89Q0ZD
QSBURVNUIENBLEM9Q04/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29i
amVjdGNsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MA0GCSqGSIb3DQEBBQUAA4GB
AFakQbOuB4QHfvewOyDy1mW4iQSRgP2v47QFyExvRk/iOZkUT3tWsYaSLuyRyQV2
eg9lmuMZmB8ITL/0ed7DUsXN7mdoKHmgsBga1Sp8UhR3dznqOSfaAYJqDaIV6gei
TH0Fbj4FTRxcIsf20WzFUN65kkop3hl1ZssxxvA9Asns
-----END CERTIFICATE-----
"
  ["pkey"]=>
  string(887) "-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCvJC9MMGRKmxRBI0KMjDtz2KooIc6XOljHPWhTfAamhV3A5v5y
PiZr4haMDpulU08Y0JxsegwDwfbscQrhG7nvilIqIa+HiI1xkfFxjtNUrMN5hpvO
8HUUfwqzb5EdllQcv/C0xxBkeCECIb86JJry7ty4mNBkN2idbGxldMi90QIDAQAB
AoGATvTIIdfbDss06Vyk/smlb8dohmkfQov6Q/AKHUDXmrCbIIDCiuw70/z73y4i
uviAuxYovrqSugryb4tStUMTogmft4methz1/O/083XHwBNKBPnS2fobYDfBxqkX
tH26woCjrEr/O/wngo6iFp7b5yJlyXapN0x+iOF3CShIhAECQQD2gZ6LLYdxSP8i
aRYAPOh10mF5IHt2dl89eOjNiqVGMlkV5aXNT80jAQr/kWGZfIjscb/xkawSKQKs
ovcn99GRAkEAteL02mBrCLfn2idBwXTdil+yeigReAZmRpqQuAfTRZN4RM+5Dw3q
X0IiCkR3oyiwx89n1eGmz1JTZRxoY1AIQQJAWVbQ5xAxLlWOYiJD3wI0Hb+JpCSp
ml18VwMjHJtLGw3US6NXW/m4Fx+hpM5D2STRWyA+uIZbHpnOZlMJ0Gp4gQJBAK38
66JV5y1Q1r2tHc6UHzQ1tMH7wDIjVQSm6FbSTXxZxAt29Rx8gD0dQvi1ZAg0bV7F
fRtwnqPlqZaoJQcTUMECQQD1Dh+Mu3OMb5AHnrtbk9l1qjM3U81QBKdyF0RY+djo
b3cR9I7+hurpqhJmQ7yuvAWe2xWc+YNTQ48FDJTogXlB
-----END RSA PRIVATE KEY-----
"
  ["extracerts"]=>
  array(0) {
  }
}
*/
function cfcasign_pkcs12($plainText)
{
    $p12cert = array();
    //①读取公匙文件内容：二进制数据
    $file = 'ceshi/test.pfx';
    //二进制文件
    $fd = fopen($file, 'r');
    //只读模式打开文件
    $p12buf = fread($fd, filesize($file));
    //读取文件
    fclose($fd);
    /**
     * bool openssl_pkcs12_read ( string $pkcs12 , array &$certs , string $pass  )
     * 把以公匙加密标准证书存放区（$pkcs12）转为数组存储（$certs）
     * $pass:解开公匙加密标准证书存放区加密的密码
     */
    //②转为数组
    openssl_pkcs12_read($p12buf, $p12cert, 'cfca1234');
    $pkeyid = $p12cert["pkey"];
    $binary_signature = "";
    /**
     * bool openssl_sign ( string $data , string &$signature , mixed $priv_key_id [, int $signature_alg = OPENSSL_ALGO_SHA1 ] )
     * 生成签名
     * $data:特殊数据
     * $signature:如果成功，生成的签名(二进制数)
     * $priv_key_id:用于加密sha散列法生成的数据
     * 注意：$data没被加密过
     */
    openssl_sign($plainText, $binary_signature, $pkeyid, OPENSSL_ALGO_SHA1);
    return bin2hex($binary_signature);
    //将二进制数据转换成十六进制表示
}

 /**
  * @param \Scalr_Environment $environment             Scalr Environment object
  * @param array              $config        optional  Config array
  * @return \Google_Service_Compute
  */
 public function getClient(\Scalr_Environment $environment = null, array $config = [])
 {
     $ccProps = null;
     if (empty($config)) {
         $ccProps = $environment->keychain(\SERVER_PLATFORMS::GCE)->properties;
         $config = $ccProps;
     }
     $client = new \Google_Client();
     $client->setApplicationName("Scalr GCE");
     $client->setScopes(array('https://www.googleapis.com/auth/compute'));
     $key = base64_decode($config[Entity\CloudCredentialsProperty::GCE_KEY]);
     // If it's not a json key we need to convert PKCS12 to PEM
     if (!$config[Entity\CloudCredentialsProperty::GCE_JSON_KEY]) {
         @openssl_pkcs12_read($key, $certs, 'notasecret');
         $key = $certs['pkey'];
     }
     $client->setAuthConfig(['type' => 'service_account', 'project_id' => $config[Entity\CloudCredentialsProperty::GCE_PROJECT_ID], 'private_key' => $key, 'client_email' => $config[Entity\CloudCredentialsProperty::GCE_SERVICE_ACCOUNT_NAME], 'client_id' => $config[Entity\CloudCredentialsProperty::GCE_CLIENT_ID]]);
     $client->setClientId($config[Entity\CloudCredentialsProperty::GCE_CLIENT_ID]);
     $gce = new \Google_Service_Compute($client);
     //**** Store access token ****//
     $jsonAccessToken = $config[Entity\CloudCredentialsProperty::GCE_ACCESS_TOKEN];
     $accessToken = @json_decode($jsonAccessToken);
     if ($accessToken && $accessToken->created + $accessToken->expires_in > time()) {
         $client->setAccessToken($jsonAccessToken);
     } else {
         $gce->zones->listZones($config[Entity\CloudCredentialsProperty::GCE_PROJECT_ID]);
         if ($ccProps) {
             $token = $client->getAccessToken();
             $ccProps[Entity\CloudCredentialsProperty::GCE_ACCESS_TOKEN] = $token;
             $ccProps->save();
         }
     }
     return $gce;
 }

 protected function generateSignedJWT()
 {
     if (!file_exists($this->privateKey) || !is_file($this->privateKey)) {
         throw new Exception('Private key does not exist');
     }
     $header = array('alg' => 'RS256', 'typ' => 'JWT');
     $t = time();
     $params = array('iss' => $this->email, 'scope' => Oauth::SCOPE_URL, 'aud' => Oauth::TOKEN_URL, 'exp' => $t + self::MAX_LIFETIME_SECONDS, 'iat' => $t);
     $encodings = array(base64_encode(json_encode($header)), base64_encode(json_encode($params)));
     $input = implode('.', $encodings);
     $certs = array();
     $pkcs12 = file_get_contents($this->privateKey);
     if (!openssl_pkcs12_read($pkcs12, $certs, $this->password)) {
         throw new Exception('Could not parse .p12 file');
     }
     if (!isset($certs['pkey'])) {
         throw new Exception('Could not find private key in .p12 file');
     }
     $keyId = openssl_pkey_get_private($certs['pkey']);
     if (!openssl_sign($input, $sig, $keyId, 'sha256')) {
         throw new Exception('Could not sign data');
     }
     $encodings[] = base64_encode($sig);
     $jwt = implode('.', $encodings);
     return $jwt;
 }

 public function __construct($p12, $password)
 {
     if (!function_exists('openssl_x509_read')) {
         throw new Google_Exception('The Google PHP API library needs the openssl PHP extension');
     }
     // If the private key is provided directly, then this isn't in the p12
     // format. Different versions of openssl support different p12 formats
     // and the key from google wasn't being accepted by the version available
     // at the time.
     if (!$password && strpos($p12, "-----BEGIN RSA PRIVATE KEY-----") !== false) {
         $this->privateKey = openssl_pkey_get_private($p12);
     } elseif ($password === 'notasecret' && strpos($p12, "-----BEGIN PRIVATE KEY-----") !== false) {
         $this->privateKey = openssl_pkey_get_private($p12);
     } else {
         // This throws on error
         $certs = array();
         if (!openssl_pkcs12_read($p12, $certs, $password)) {
             throw new Google_Auth_Exception("Unable to parse the p12 file.  " . "Is this a .p12 file?  Is the password correct?  OpenSSL error: " . openssl_error_string());
         }
         // TODO(beaton): is this part of the contract for the openssl_pkcs12_read
         // method?  What happens if there are multiple private keys?  Do we care?
         if (!array_key_exists("pkey", $certs) || !$certs["pkey"]) {
             throw new Google_Auth_Exception("No private key found in p12 file.");
         }
         $this->privateKey = openssl_pkey_get_private($certs['pkey']);
     }
     if (!$this->privateKey) {
         throw new Google_Auth_Exception("Unable to load private key");
     }
 }

function gal_service_account_upgrade(&$option, $gal_option_name, &$existing_sa_options, $gal_sa_option_name)
{
    /* Convert ga_serviceemail ga_keyfilepath
     * into new separate sa options:
     * ga_sakey, ga_serviceemail, ga_pkey_print
     */
    if (count($existing_sa_options)) {
        return;
    }
    $existing_sa_options = array('ga_serviceemail' => isset($option['ga_serviceemail']) ? $option['ga_serviceemail'] : '', 'ga_sakey' => '', 'ga_pkey_print' => '<unspecified>');
    try {
        if (version_compare(PHP_VERSION, '5.3.0') >= 0 && function_exists('openssl_x509_read')) {
            if (isset($option['ga_keyfilepath']) && $option['ga_keyfilepath'] != '' && file_exists($option['ga_keyfilepath'])) {
                $p12key = @file_get_contents($option['ga_keyfilepath']);
                $certs = array();
                if (openssl_pkcs12_read($p12key, $certs, 'notasecret')) {
                    if (array_key_exists("pkey", $certs) && $certs["pkey"]) {
                        $privateKey = openssl_pkey_get_private($certs['pkey']);
                        $pemString = '';
                        if (openssl_pkey_export($privateKey, $pemString)) {
                            $existing_sa_options['ga_sakey'] = $pemString;
                        }
                        openssl_pkey_free($privateKey);
                        @unlink($options['ga_keyfilepath']);
                    }
                }
            }
        }
    } catch (Exception $e) {
        // Never mind
    }
    // Remove redundant parts of regular options
    unset($option['ga_serviceemail']);
    unset($option['ga_keyfilepath']);
}

 /**
  * @param   Entity\CloudCredentials $entity
  * @param   Entity\CloudCredentials $prevConfig
  *
  * @throws  ApiErrorException
  */
 public function validateEntity($entity, $prevConfig = null)
 {
     parent::validateEntity($entity, $prevConfig);
     $ccProps = $entity->properties;
     $prevCcProps = isset($prevConfig) ? $prevConfig->properties : null;
     if ($this->needValidation($ccProps, $prevCcProps)) {
         $ccProps[Entity\CloudCredentialsProperty::GCE_ACCESS_TOKEN] = "";
         try {
             $client = new \Google_Client();
             $client->setApplicationName("Scalr GCE");
             $client->setScopes(['https://www.googleapis.com/auth/compute']);
             $key = base64_decode($ccProps[Entity\CloudCredentialsProperty::GCE_KEY]);
             // If it's not a json key we need to convert PKCS12 to PEM
             if (!$ccProps[Entity\CloudCredentialsProperty::GCE_JSON_KEY]) {
                 @openssl_pkcs12_read($key, $certs, 'notasecret');
                 $key = $certs['pkey'];
             }
             $client->setAuthConfig(['type' => 'service_account', 'project_id' => $ccProps[Entity\CloudCredentialsProperty::GCE_PROJECT_ID], 'private_key' => $key, 'client_email' => $ccProps[Entity\CloudCredentialsProperty::GCE_SERVICE_ACCOUNT_NAME], 'client_id' => $ccProps[Entity\CloudCredentialsProperty::GCE_CLIENT_ID]]);
             $client->setClientId($ccProps[Entity\CloudCredentialsProperty::GCE_CLIENT_ID]);
             $gce = new \Google_Service_Compute($client);
             $gce->zones->listZones($ccProps[Entity\CloudCredentialsProperty::GCE_PROJECT_ID]);
         } catch (Exception $e) {
             throw new ApiErrorException(400, ErrorMessage::ERR_INVALID_VALUE, "Provided GCE credentials are incorrect: ({$e->getMessage()})");
         }
         $entity->status = Entity\CloudCredentials::STATUS_ENABLED;
     }
 }

 /**
  * @return string A plaintext private key in PEM format
  *
  * @throws \Exception When the pkcs12 string cannot be decrypted
  */
 private function decryptPKCS12string()
 {
     $keystore = [];
     if (!@openssl_pkcs12_read($this->pkcs12string, $keystore, $this->passphrase)) {
         throw new \Exception('PKCS#12 cannot be decrypted');
     }
     return $keystore['pkey'];
 }

 public function read()
 {
     $data = array();
     if (!openssl_pkcs12_read($this->content, $data, $this->password)) {
         throw new \Exception('O certificado não pode ser lido, senha ou arquivo inválido');
     }
     $this->certificate->setPubKey($data['cert']);
     $this->certificate->setPrivKey($data['pkey']);
 }

 /**
  * Method to retrieve the private key from the p12 file
  *
  * @return Private key string
  */
 private function getPrivateKey($masterPassData)
 {
     $thispath = dirname(__DIR__) . "/" . $masterPassData->keystorePath;
     $path = realpath($thispath);
     $keystore = array();
     $pkcs12 = file_get_contents($path);
     trim(openssl_pkcs12_read($pkcs12, $keystore, $masterPassData->keystorePassword));
     return $keystore['pkey'];
 }

 /**
  * Abre um certificado enviado com a senha informada
  * @param  string $password A senha necessária para abrir o certificado
  * @return array  Com os dados extraidos do certificado
  * @throws CannotOpenCertificate Caso a senha do certificado for inválida
  * @since  1.0.0
  */
 public function open($password)
 {
     $key = file_get_contents($this->filePath);
     $dataCertificate = array();
     if (!openssl_pkcs12_read($key, $dataCertificate, $password)) {
         throw new CannotOpenCertificate($this->filePath);
     }
     return $dataCertificate;
 }

 public function GetPrivate_Public_KeyFromPfxFile($filePath, $Passphase)
 {
     $p12cert = array();
     $fp = fopen($filePath, "r");
     $p12buf = fread($fp, filesize($filePath));
     fclose($fp);
     openssl_pkcs12_read($p12buf, $p12cert, $Passphase);
     $this->RsaPrivateKey = $p12cert['pkey'];
     $this->RsaPublicKey = $p12cert['cert'];
 }

 /**
  * Represents a PKCS12 keystore.
  * @param string $contents The contents of the PKCS12 keystore.
  */
 public function __construct($contents, $passphrase)
 {
     if (!extension_loaded('openssl')) {
         throw new OpenSSLExtensionNotLoadedException('The openssl module is not loaded.');
     }
     if (!openssl_pkcs12_read($contents, $keystore, $passphrase)) {
         throw new KeyStoreDecryptionFailedException('Could not decrypt the certificate, the passphrase is incorrect, ' . 'its contents are mangled or it is not a valid PKCS #12 keystore.');
     }
     $this->X509Certificate = new X509Certificate($keystore['cert']);
     $this->privateKey = new PrivateKey($keystore['pkey']);
 }

 /**
  * @param string $certificate
  * @param null|string $pass
  * @return bool
  * @throws Exception If could not open/parse certificate
  */
 public function loadString($certificate, $pass = null)
 {
     //unset cached certData
     //TODO: think Maybe disable loading of different certificate with some magic
     $this->certData = null;
     openssl_pkcs12_read($certificate, $this->raw_cert, $pass);
     if (!$this->raw_cert) {
         throw new Exception('Could not open certificate!');
     }
     return true;
 }