本文整理汇总了PHP中openssl_x509_checkpurpose函数的典型用法代码示例。如果您正苦于以下问题:PHP openssl_x509_checkpurpose函数的具体用法?PHP openssl_x509_checkpurpose怎么用?PHP openssl_x509_checkpurpose使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了openssl_x509_checkpurpose函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的PHP代码示例。
示例1: check_certificate_purpose
function check_certificate_purpose($purpose)
{
//$this->clear_debug_buffer();
$ok = openssl_x509_checkpurpose($this->certificate_resource, $purpose);
//$this->debug("check_certificate_purpose");
return $ok;
}示例2: __construct
/**
* Archive creator for phar, tar, tgz and zip archives.
*
* @param string path to primary archive
* @param string|false stub or false to use default stub of phar archives
* @param int one of Phar::TAR, Phar::PHAR, or Phar::ZIP
* @param int if the archive can be compressed (phar and tar), one of Phar::GZ, Phar::BZ2 or Phar::NONE
* for no compression
* @param array an array of arrays containing information on additional archives to create. The indices are:
*
* 0. extension (tar/tgz/zip)
* 1. format (Phar::TAR, Phar::ZIP, Phar::PHAR)
* 2. compression (Phar::GZ, Phar::BZ2, Phar::NONE)
* @param string PKCS12 certificate to be used to sign the archive. This must be a certificate issued
* by a certificate authority, self-signed certs will not be accepted by Pyrus
* @param string passphrase, if any, for the PKCS12 certificate.
*/
function __construct($path, $stub = false, $fileformat = \Phar::TAR, $compression = \Phar::GZ, array $others = null, $releaser = null, \PEAR2\Pyrus\Package $new = null, $pkcs12 = null, $passphrase = '')
{
if (!class_exists('Phar')) {
throw new \PEAR2\Pyrus\Developer\Creator\Exception('Phar extension is not available');
}
if (!\Phar::canWrite() || !\Phar::isValidPharFilename($path, true)) {
$this->_classname = 'PharData';
}
$this->path = $path;
$this->compression = $compression;
$this->format = $fileformat;
$this->others = $others;
$this->stub = $stub;
if ($pkcs12 && !extension_loaded('openssl')) {
throw new \PEAR2\Pyrus\Developer\Creator\Exception('Unable to use ' . 'OpenSSL signing of phars, enable the openssl PHP extension');
}
$this->pkcs12 = $pkcs12;
$this->passphrase = $passphrase;
if (null !== $this->pkcs12) {
$cert = array();
$pkcs = openssl_pkcs12_read(file_get_contents($this->pkcs12), $cert, $this->passphrase);
if (!$pkcs) {
throw new \PEAR2\Pyrus\Developer\Creator\Exception('Unable to process openssl key');
}
$private = openssl_pkey_get_private($cert['pkey']);
if (!$private) {
throw new \PEAR2\Pyrus\Developer\Creator\Exception('Unable to extract private openssl key');
}
$pub = openssl_pkey_get_public($cert['cert']);
$info = openssl_x509_parse($cert['cert']);
$details = openssl_pkey_get_details($pub);
if (true !== openssl_x509_checkpurpose($cert['cert'], X509_PURPOSE_SSL_SERVER, \PEAR2\Pyrus\Channel\RemotePackage::authorities())) {
throw new \PEAR2\Pyrus\Developer\Creator\Exception('releasing maintainer\'s certificate is invalid');
}
// now verify that this cert is in fact the releasing maintainer's certificate
// by verifying that alternate name is the releaser's email address
if (!isset($info['subject']) || !isset($info['subject']['emailAddress'])) {
throw new \PEAR2\Pyrus\Developer\Creator\Exception('releasing maintainer\'s certificate does not contain' . ' an alternate name corresponding to the releaser\'s email address');
}
if ($info['subject']['emailAddress'] != $new->maintainer[$releaser]->email) {
throw new \PEAR2\Pyrus\Developer\Creator\Exception('releasing maintainer\'s certificate ' . 'alternate name does not match the releaser\'s email address ' . $new->maintainer[$releaser]->email);
}
$pkey = '';
openssl_pkey_export($private, $pkey);
$this->x509cert = $cert['cert'];
$this->publickey = $details['key'];
$this->privatekey = $pkey;
}
}示例3: Handle
/**
* Handles the ValidateCert command
*
* @param int $commandCode
*
* @access public
* @return boolean
*/
public function Handle($commandCode)
{
// Parse input
if (!self::$decoder->getElementStartTag(SYNC_VALIDATECERT_VALIDATECERT)) {
return false;
}
$validateCert = new SyncValidateCert();
$validateCert->Decode(self::$decoder);
$cert_der = base64_decode($validateCert->certificates[0]);
$cert_pem = "-----BEGIN CERTIFICATE-----\n" . chunk_split(base64_encode($cert_der), 64, "\n") . "-----END CERTIFICATE-----\n";
$checkpurpose = defined('CAINFO') && CAINFO ? openssl_x509_checkpurpose($cert_pem, X509_PURPOSE_SMIME_SIGN, array(CAINFO)) : openssl_x509_checkpurpose($cert_pem, X509_PURPOSE_SMIME_SIGN);
if ($checkpurpose === true) {
$status = SYNC_VALIDATECERTSTATUS_SUCCESS;
} else {
$status = SYNC_VALIDATECERTSTATUS_CANTVALIDATESIG;
}
if (!self::$decoder->getElementEndTag()) {
return false;
}
// SYNC_VALIDATECERT_VALIDATECERT
self::$encoder->startWBXML();
self::$encoder->startTag(SYNC_VALIDATECERT_VALIDATECERT);
self::$encoder->startTag(SYNC_VALIDATECERT_STATUS);
self::$encoder->content($status);
self::$encoder->endTag();
// SYNC_VALIDATECERT_STATUS
self::$encoder->startTag(SYNC_VALIDATECERT_CERTIFICATE);
self::$encoder->startTag(SYNC_VALIDATECERT_STATUS);
self::$encoder->content($status);
self::$encoder->endTag();
// SYNC_VALIDATECERT_STATUS
self::$encoder->endTag();
// SYNC_VALIDATECERT_CERTIFICATE
self::$encoder->endTag();
// SYNC_VALIDATECERT_VALIDATECERT
return true;
}示例4: HandleValidateCert
function HandleValidateCert($backend, $devid, $protocolversion)
{
global $zpushdtd;
global $input, $output;
$decoder = new WBXMLDecoder($input, $zpushdtd);
$encoder = new WBXMLEncoder($output, $zpushdtd);
if (!$decoder->getElementStartTag(SYNC_VALIDATECERT_VALIDATECERT)) {
return false;
}
while (($field = $decoder->getElementStartTag(SYNC_VALIDATECERT_CERTIFICATES) ? SYNC_VALIDATECERT_CERTIFICATES : ($decoder->getElementStartTag(SYNC_VALIDATECERT_CERTIFICATECHAIN) ? SYNC_VALIDATECERT_CERTIFICATECHAIN : ($decoder->getElementStartTag(SYNC_VALIDATECERT_CHECKCRL) ? SYNC_VALIDATECERT_CHECKCRL : -1))) != -1) {
if ($field == SYNC_VALIDATECERT_CERTIFICATES) {
while ($decoder->getElementStartTag(SYNC_VALIDATECERT_CERTIFICATE)) {
$certificates[] = $decoder->getElementContent();
if (!$decoder->getElementEndTag()) {
return false;
}
}
if (!$decoder->getElementEndTag()) {
return false;
}
} else {
if ($field == SYNC_VALIDATECERT_CERTIFICATECHAIN) {
while ($decoder->getElementStartTag(SYNC_VALIDATECERT_CERTIFICATE)) {
$chain_certificates[] = $decoder->getElementContent();
if (!$decoder->getElementEndTag()) {
return false;
}
}
if (!$decoder->getElementEndTag()) {
return false;
}
} else {
if ($field == SYNC_VALIDATECERT_CHECKCRL) {
$checkcrl = $decoder->getElementContent();
if (!$decoder->getElementEndTag()) {
return false;
}
}
}
}
}
if (isset($checkcrl)) {
debugLog("validatecert: checkcrl: " . $checkcrl);
}
if (isset($chain_certificates)) {
foreach ($chain_certificates as $certificate) {
debugLog("validatecert: certificatechain: " . print_r($certificate, true));
}
}
foreach ($certificates as $certificate) {
$cert_der = base64_decode($certificate);
$cert_pem = "-----BEGIN CERTIFICATE-----\n" . chunk_split(base64_encode($cert_der), 64, "\n") . "-----END CERTIFICATE-----\n";
$cert_fn = VERIFYCERT_TEMP . "validatecert" . rand(1000, 99999) . ".pem";
file_put_contents($cert_fn, $cert_pem);
$now = time();
if (!($cert_content = openssl_x509_parse($cert_pem))) {
$status = 10;
} else {
if ($cert_content['validFrom_time_t'] >= $now || $cert_content['validTo_time_t'] <= $now) {
$status = 7;
} else {
if (openssl_x509_checkpurpose($cert_pem, X509_PURPOSE_SMIME_SIGN, array(VERIFYCERT_CERTSTORE)) != 1) {
$status = 9;
} else {
if ($checkcrl == 1) {
if (isset($cert_content['extensions']['crlDistributionPoints'])) {
$crlDistributionPoints = explode("\n", str_replace("\r", '', $cert_content['extensions']['crlDistributionPoints']));
foreach ($crlDistributionPoints as $entry) {
$line = explode("URI:", $entry);
if (isset($line[1]) && substr($line[1], 0, 5) == "http:") {
$crl_urls[] = $line[1];
}
}
}
if (isset($cert_content['extensions']['authorityInfoAccess'])) {
$authorityInfoAccess = explode("\n", str_replace("\r", '', $cert_content['extensions']['authorityInfoAccess']));
foreach ($authorityInfoAccess as $entry) {
$line = explode(" - URI:", $entry);
if (strtolower(trim($line[0])) == 'ocsp') {
$ocsp_urls[] = $line[1];
}
if (strtolower(trim($line[0])) == 'ca issuers') {
$ca_issuers[] = $line[1];
}
}
}
$result = preg_split('/[\\r\\n]/', shell_exec(VERIFYCERT_SSLBIN . " x509 -in " . $cert_fn . " -issuer_hash -noout"));
$issuer_cer_name = $result[0] . '.0';
$issuer_crl_name = $result[0] . '.r0';
if (!file_exists(VERIFYCERT_CERTSTORE . $issuer_cer_name)) {
if (isset($ca_issuers)) {
foreach ($ca_issuers as $ca_issuer) {
$ca_cert = file_get_contents($ca_issuer);
if (strpos($ca_cert, '----BEGIN CERTIFICATE-----') == false) {
$ca_cert = der2pem($ca_cert);
}
if (!openssl_x509_parse($ca_cert)) {
$status = 5;
} else {
file_put_contents(VERIFYCERT_CERTSTORE . $issuer_cer_name, $ca_cert);
//.........这里部分代码省略.........
示例5: transparent
/**
* Automatic authentication: checks if the username is set in the
* configured header.
*
* @return boolean Whether or not the client is allowed.
*/
public function transparent()
{
if (!is_callable('openssl_x509_parse')) {
throw new Horde_Auth_Exception('SSL not enabled on server.');
}
if (empty($_SERVER[$this->_params['username_field']]) || empty($_SERVER[$this->_params['certificate_field']])) {
return false;
}
// Valid for client auth?
$cert = openssl_x509_read($_SERVER[$this->_params['certificate_field']]);
if (!$this->_params['ignore_purpose'] && !openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_CLIENT) && !openssl_x509_checkpurpose($cert, X509_PURPOSE_ANY)) {
return false;
}
$c_parsed = openssl_x509_parse($cert);
foreach ($this->_params['filter'] as $key => $value) {
$keys = explode(':', $key);
$c = $c_parsed;
foreach ($keys as $k) {
$c = $c[$k];
}
if ($c != $value) {
return false;
}
}
// Handle any custom validation added by sub classes.
if (!$this->_validate($cert)) {
return false;
}
// Free resources.
openssl_x509_free($cert);
// Set credentials
$this->setCredential('userId', $_SERVER[$this->_params['username_field']]);
$cred = array('certificate_id' => $c_parsed['hash']);
if (!empty($this->_params['password'])) {
$cred['password'] = $this->_params['password'];
}
$this->setCredential('credentials', $cred);
return true;
}示例6: addSniServerCert
/**
* Adds a server ssl certificate for specific domain using the sni feature
*
* @param string $domain The domain for the certificate to use
* @param string $certPath The path to the bundled certificate file
* @param bool $overwrite If an existing domain entry should be overwritten or not
*
* @return bool true on success or false on failure
*/
public function addSniServerCert($domain, $certPath, $overwrite = true)
{
// get existing server certs
$sniServerCerts = $this->getOption('ssl', 'SNI_server_certs');
// check if sni server certs are set already or new should be started
if (!is_array($sniServerCerts)) {
$sniServerCerts = array();
}
// check if domain key exists and no overwrite is wanted
if (isset($sniServerCerts[$domain]) && $overwrite === false) {
return false;
}
// check if cert exists
if (!is_file($certPath)) {
throw new ServerException(sprintf("SSL certificate '%s' does not exist for domain '%s'.", $certPath, $domain));
}
// check if cert is valid for server usage
$x509_res = openssl_x509_read(file_get_contents($certPath));
$valid = openssl_x509_checkpurpose($x509_res, X509_PURPOSE_SSL_SERVER, array($certPath));
if ($valid === true) {
// if its valid, add it to sni server certs
$sniServerCerts[$domain] = $certPath;
} else {
throw new ServerException(sprintf("SSL certificate '%s' is not valid for domain '%s'.", $certPath, $domain));
}
// add it to array
$sniServerCerts[$domain] = $certPath;
// add sni server certs array back to stream context resource instance
return $this->setOption('ssl', 'SNI_server_certs', $sniServerCerts);
}示例7: client_addSslCert
/**
* Add or update an SSL certificate
*
* @throws iMSCP_Exception
* @throws iMSCP_Exception_Database
* @param int $domainId domain unique identifier
* @param string $domainType Domain type (dmn|als|sub|alssub)
* @return void
*/
function client_addSslCert($domainId, $domainType)
{
$config = iMSCP_Registry::get('config');
$domainName = _client_getDomainName($domainId, $domainType);
$selfSigned = isset($_POST['selfsigned']);
if ($domainName === false) {
showBadRequestErrorPage();
}
if ($selfSigned && !client_generateSelfSignedCert($domainName)) {
set_page_message(tr('Could not generate SSL certificate. An unexpected error occurred.'), 'error');
return;
}
if (!isset($_POST['passphrase']) || !isset($_POST['private_key']) || !isset($_POST['certificate']) || !isset($_POST['ca_bundle']) || !isset($_POST['cert_id'])) {
showBadRequestErrorPage();
}
$passPhrase = clean_input($_POST['passphrase']);
$privateKey = clean_input($_POST['private_key']);
$certificate = clean_input($_POST['certificate']);
$caBundle = clean_input($_POST['ca_bundle']);
$certId = intval($_POST['cert_id']);
if (!$selfSigned) {
// Validate SSL certificate (private key, SSL certificate and certificate chain)
$privateKey = @openssl_pkey_get_private($privateKey, $passPhrase);
if (!is_resource($privateKey)) {
set_page_message(tr('Invalid private key or passphrase.'), 'error');
return;
}
$certificateStr = $certificate;
$certificate = @openssl_x509_read($certificate);
if (!is_resource($certificate)) {
set_page_message(tr('Invalid SSL certificate.'), 'error');
return;
}
if (!@openssl_x509_check_private_key($certificate, $privateKey)) {
set_page_message(tr("The private key doesn't belong to the provided SSL certificate."), 'error');
return;
}
if (!($tmpfname = @tempnam(sys_get_temp_dir(), intval($_SESSION['user_id']) . 'ssl-ca'))) {
write_log('Could not create temporary file for CA bundle..', E_USER_ERROR);
set_page_message(tr('Could not add/update SSL certificate. An unexpected error occurred.'), 'error');
return;
}
register_shutdown_function(function ($file) {
@unlink($file);
}, $tmpfname);
if ($caBundle !== '') {
if (!@file_put_contents($tmpfname, $caBundle)) {
write_log('Could not export customer CA bundle in temporary file.', E_USER_ERROR);
set_page_message(tr('Could not add/update SSL certificate. An unexpected error occurred.'), 'error');
return;
}
// Note: Here we also add the CA bundle in the trusted chain to support self-signed certificates
if (@openssl_x509_checkpurpose($certificate, X509_PURPOSE_SSL_SERVER, array($config['DISTRO_CA_BUNDLE'], $tmpfname), $tmpfname)) {
set_page_message(tr('At least one intermediate certificate is invalid or missing.'), 'error');
return;
}
} else {
@file_put_contents($tmpfname, $certificateStr);
// Note: Here we also add the certificate in the trusted chain to support self-signed certificates
if (!@openssl_x509_checkpurpose($certificate, X509_PURPOSE_SSL_SERVER, array($config['DISTRO_CA_BUNDLE'], $tmpfname))) {
set_page_message(tr('At least one intermediate certificate is invalid or missing.'), 'error');
return;
}
}
}
// Preparing data for insertion in database
if (!$selfSigned) {
if (!@openssl_pkey_export($privateKey, $privateKeyStr)) {
write_log('Could not export private key.', E_USER_ERROR);
set_page_message(tr('Could not add/update SSL certificate. An unexpected error occurred.'), 'error');
return;
}
@openssl_pkey_free($privateKey);
if (!@openssl_x509_export($certificate, $certificateStr)) {
write_log('Could not export SSL certificate.', E_USER_ERROR);
set_page_message(tr('Could not add/update SSL certificate. An unexpected error occurred.'), 'error');
return;
}
@openssl_x509_free($certificate);
$caBundleStr = str_replace("\r\n", "\n", $caBundle);
} else {
$privateKeyStr = $privateKey;
$certificateStr = $certificate;
$caBundleStr = $caBundle;
}
$db = iMSCP_Database::getInstance();
try {
$db->beginTransaction();
if ($certId == 0) {
// Add new certificate
exec_query('
//.........这里部分代码省略.........
示例8: __checkSignatureAndGetSigner
/**
* __checkSignatureAndGetSigner - Checks the signature and extracts the signer certificate and it's serialnumber
* #params string Base64 encoded signature
* #params string verification of the message that should have been signed
* #params string location of Certificate Authority file that should be used during verificaton
* @return boolean
*/
private function __checkSignatureAndGetSigner($signature, $message, $cafile)
{
assert('is_string($signature)');
assert('is_string($message)');
assert('is_string($cafile)');
/* Check for provided file existence */
if (!file_exists($cafile)) {
trigger_error('mobileid::__checkSignatureAndGetSigner: file not found ' . $cafile, E_USER_WARNING);
}
/* Define temporary files */
$tmpfile = tempnam(sys_get_temp_dir(), '_mid_');
$file_sig = $tmpfile . '.sig';
$file_sig_cert = $tmpfile . '.crt';
$file_sig_msg = $tmpfile . '.msg';
/* Chunk spliting the signature */
$signature = chunk_split($signature, 64, "\n");
/* This because the openssl_pkcs7_verify() function needs some mime headers to make it work */
$signature = "MIME-Version: 1.0\nContent-Disposition: attachment;\n filename=\"dummy.p7m\"\nContent-Type: application/x-pkcs7-mime;\n name=\"dummy.p7m\"\nContent-Transfer-Encoding: base64\n\n" . $signature;
/* Write the signature into temp files */
file_put_contents($file_sig, $signature);
/* Signature checks must explicitly succeed */
$ok = false;
/* Get the signer certificate */
$status = openssl_pkcs7_verify($file_sig, PKCS7_NOVERIFY, $file_sig_cert);
if ($status == true && file_exists($file_sig_cert)) {
/* Get the signer certificate and details */
$this->mid_certificate = file_get_contents($file_sig_cert);
$certificate = openssl_x509_parse($this->mid_certificate);
$this->mid_serialnumber = $certificate['subject']['serialNumber'];
/* Verify message has been signed */
$data = '';
$status = openssl_pkcs7_verify($file_sig, PKCS7_NOVERIFY, $file_sig_cert, array($cafile), $file_sig_cert, $file_sig_msg);
if (file_exists($file_sig_msg)) {
$data = file_get_contents($file_sig_msg);
if ($data === $message) {
$ok = true;
}
} else {
trigger_error('mobileid::__checkSignatureAndGetSigner: signed message ' . openssl_error_string(), E_USER_NOTICE);
}
/* Verify signer issued by trusted CA */
$status = openssl_x509_checkpurpose($this->mid_certificate, X509_PURPOSE_SSL_CLIENT, array($cafile));
if ($status != true) {
$ok = false;
trigger_error('mobileid::__checkSignatureAndGetSigner: certificate check ' . openssl_error_string(), E_USER_NOTICE);
}
} else {
trigger_error('mobileid::__checkSignatureAndGetSigner: signer certificate ' . openssl_error_string(), E_USER_NOTICE);
}
/* Cleanup of temporary files */
if (file_exists($tmpfile)) {
unlink($tmpfile);
}
if (file_exists($file_sig)) {
unlink($file_sig);
}
if (file_exists($file_sig_cert)) {
unlink($file_sig_cert);
}
if (file_exists($file_sig_msg)) {
unlink($file_sig_msg);
}
/* Signature checks failed? */
if (!$ok) {
$this->statuscode = '503';
$this->statusmessage = 'INVALID_SIGNATURE';
}
return $ok;
}示例9: checkPurpose
/**
* Checks the purpose of this certificate. If using PURPOSE_ANY, make sure openssl is on the PATH.
* A bug in PHP prevents the certificate from being checked via the api for that specific purpose.
* @param int $purpose The purpose to check the certificate for.
* @param array $caInfo List of files and directories that contain root certificates.
* @return boolean
*/
public function checkPurpose($purpose, array $caInfo)
{
if ($purpose == self::PURPOSE_ANY) {
$caPathDirsArray = array();
$caPathFilesArray = array();
foreach ($caInfo as $caPath) {
if (is_dir($caPath)) {
$caPathDirsArray[] = $caPath;
} else {
$caPathFilesArray[] = $caPath;
}
}
$caPathDirs = implode(PATH_SEPARATOR, $caPathDirsArray);
if (!empty($caPathDirs)) {
$caPathDirs = " -CApath {$caPathDirs}";
}
$caPathFiles = implode(PATH_SEPARATOR, $caPathFilesArray);
if (!empty($caPathFiles)) {
$caPathFiles = " -CAfile {$caPathFiles}";
}
$tempCrt = tempnam(sys_get_temp_dir(), 'crt');
file_put_contents($tempCrt, $this->clearText);
exec("openssl verify{$caPathDirs}{$caPathFiles} -purpose any {$tempCrt}", $output);
unlink($tempCrt);
// return code of openssl is always 0, so we need to check the actual output
return $output[0] == "{$tempCrt}: OK";
}
return openssl_x509_checkpurpose($this->certResource, $purpose, $caInfo);
}示例10: download
function download()
{
$url = $this->getDownloadURL();
$errs = new \PEAR2\MultiErrors();
$certdownloaded = false;
if (extension_loaded('openssl')) {
// try to download openssl x509 signature certificate for our release
try {
$cert = \PEAR2\Pyrus\Main::download($url . '.pem');
$cert = $cert->body;
$certdownloaded = true;
} catch (\PEAR2\Pyrus\HTTPException $e) {
// file does not exist, ignore
}
if ($certdownloaded) {
$info = openssl_x509_parse($cert);
if (!$info) {
throw new \PEAR2\Pyrus\Package\Exception('Invalid abstract package ' . $this->channel . '/' . $this->name . ' - releasing maintainer\'s certificate is not a certificate');
}
if (true !== openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_SERVER, self::authorities())) {
throw new \PEAR2\Pyrus\Package\Exception('Invalid abstract package ' . $this->channel . '/' . $this->name . ' - releasing maintainer\'s certificate is invalid');
}
// now verify that this cert is in fact the releasing maintainer's certificate
// by verifying that alternate name is the releaser's email address
if (!isset($info['subject']) || !isset($info['subject']['emailAddress'])) {
throw new \PEAR2\Pyrus\Package\Exception('Invalid abstract package ' . $this->channel . '/' . $this->name . ' - releasing maintainer\'s certificate does not contain' . ' an alternate name corresponding to the releaser\'s email address');
}
// retrieve releaser's email address
if ($info['subject']['emailAddress'] != $this->maintainer[$this->remoteAbridgedInfo['m']]->email) {
throw new \PEAR2\Pyrus\Package\Exception('Invalid abstract package ' . $this->channel . '/' . $this->name . ' - releasing maintainer\'s certificate ' . 'alternate name does not match the releaser\'s email address ' . $this->maintainer[$this->remoteAbridgedInfo['m']]->email);
}
$key = openssl_pkey_get_public($cert);
$key = openssl_pkey_get_details($key);
$key = $key['key'];
}
}
// first try to download .phar, then .tgz, then .tar, then .zip
// if a public key was downloaded, save it where ext/phar will
// look to validate the openssl signature
foreach (array('.phar', '.tgz', '.tar') as $ext) {
try {
if ($certdownloaded) {
if (!file_exists(Config::current()->download_dir)) {
mkdir(Config::current()->download_dir, 0755, true);
}
file_put_contents($pubkey = Config::current()->download_dir . DIRECTORY_SEPARATOR . basename($url) . $ext . '.pubkey', $key);
}
$ret = new \PEAR2\Pyrus\Package\Remote($url . $ext);
if ($certdownloaded) {
if ($ext == '.tar' || $ext == '.tgz') {
if (phpversion() == '5.3.0') {
Logger::log(0, 'WARNING: ' . $url . $ext . ' may not be installable ' . 'with PHP version 5.3.0, the PHP extension phar ' . 'has a bug verifying openssl signatures for ' . 'tar and tgz files. Either upgrade to PHP 5.3.1 ' . 'or install the .zip version');
}
}
}
return $ret;
} catch (\PEAR2\Pyrus\HTTPException $e) {
if ($certdownloaded && file_exists($pubkey)) {
unlink($pubkey);
}
$errs->E_ERROR[] = $e;
} catch (\Exception $e) {
if ($certdownloaded && file_exists($pubkey)) {
unlink($pubkey);
}
$errs->E_ERROR[] = $e;
throw new \PEAR2\Pyrus\Package\Exception('Invalid abstract package ' . $this->channel . '/' . $this->name, $errs);
}
}
try {
// phar does not support signatures for zip archives
$ret = new \PEAR2\Pyrus\Package\Remote($url . '.zip');
return $ret;
} catch (\PEAR2\Pyrus\HTTPException $e) {
$errs->E_ERROR[] = $e;
throw new \PEAR2\Pyrus\Package\Exception('Could not download abstract package ' . $this->channel . '/' . $this->name, $errs);
} catch (\Exception $e) {
$errs->E_ERROR[] = $e;
throw new \PEAR2\Pyrus\Package\Exception('Invalid abstract package ' . $this->channel . '/' . $this->name, $errs);
}
}示例11: checkPurpose
/**
* @param int $purpose X509_PURPOSE_*
* @param array $cainfo
* @param string $untrusted
*
* @return bool
*/
public function checkPurpose(int $purpose, array $cainfo = [], string $untrusted = NULL) : bool
{
if ($untrusted === NULL) {
$status = openssl_x509_checkpurpose($this->getHandle(), $purpose, $cainfo);
} else {
$status = openssl_x509_checkpurpose($this->getHandle(), $purpose, $cainfo, $untrusted);
}
if (!is_bool($status)) {
throw new RuntimeException('Failed to check purpose');
}
return $status;
}示例12: validateCABuiltIn
/**
* Validate a certificate against a CA file, by using the builtin
* openssl_x509_checkpurpose function
*
* @param string $certificate The certificate, in PEM format.
* @param string $caFile File with trusted certificates, in PEM-format.
* @return boolean|string TRUE on success, or a string with error messages if it failed.
* @deprecated
*/
private static function validateCABuiltIn($certificate, $caFile)
{
assert('is_string($certificate)');
assert('is_string($caFile)');
/* Clear openssl errors. */
while (openssl_error_string() !== FALSE) {
}
$res = openssl_x509_checkpurpose($certificate, X509_PURPOSE_ANY, array($caFile));
$errors = '';
/* Log errors. */
while (($error = openssl_error_string()) !== FALSE) {
$errors .= ' [' . $error . ']';
}
if ($res !== TRUE) {
return $errors;
}
return TRUE;
}示例13: checkAttest
/**
* @param string $certificate
* @return boolean
*/
private function checkAttest($certificate)
{
if (!$this->config->getAttestDir()) {
return TRUE;
}
// @todo Original purpose is -1 which is undocumented. Is ANY ok to use here?
// https://github.com/Yubico/php-u2flib-server/blob/cd49f97017c8415be3e190397565719b5319d2d6/src/u2flib_server/U2F.php#L192
return openssl_x509_checkpurpose($certificate, X509_PURPOSE_ANY, array_map(function ($file) {
return $file->getPathName();
}, iterator_to_array(Finder::findFiles('*.pem')->from($this->config->getAttestDir()), FALSE))) === TRUE;
}示例14: test_openssl_x509_checkpurpose
function test_openssl_x509_checkpurpose()
{
$fcert = file_get_contents(__DIR__ . "/test_x509.crt");
$cert = openssl_x509_read($fcert);
VS(openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_CLIENT), 0);
VS(openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_SERVER), 0);
}示例15: validate_chain
function validate_chain($certs)
{
// Since we may have multiple certs in the XML, save the chain to a temp file
// so we an pass as a list of untrusted certs to verify.
$cert = array_shift($certs);
$untrusted_file = $this->save_cert_chain($certs);
$trusted = openssl_x509_checkpurpose($cert, X509_PURPOSE_ANY, $this->trust_roots, $untrusted_file);
unlink($untrusted_file);
return $trusted > 0;
}