本文整理汇总了PHP中openssl_x509_export函数的典型用法代码示例。如果您正苦于以下问题:PHP openssl_x509_export函数的具体用法?PHP openssl_x509_export怎么用?PHP openssl_x509_export使用的例子?那么, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了openssl_x509_export函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的PHP代码示例。
示例1: generate
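/**
 * Builds a self-signed X.509 certificate and returns it together with its private key.
 *
 * When no key is supplied one is obtained from $this->generatePrivateKey(); a string
 * is handed to openssl_pkey_get_private(). Any other type is rejected.
 *
 * @param SigningDetails $dn           Subject details; $dn->toArray() is passed to openssl_csr_new().
 * @param string|null    $privateKey   Key material accepted by openssl_pkey_get_private(), or null to generate a key.
 * @param string|null    $privkeypass  Passphrase for the exported private key. With null the key
 *                                     is returned as unencrypted PEM, so the caller must protect it.
 * @param int            $numberofdays Validity period of the certificate in days.
 * @return array Two elements: [PEM certificate, PEM private key].
 * @throws \Exception When the key is unusable or any OpenSSL step fails.
 */
function generate(SigningDetails $dn, $privateKey = null, $privkeypass = null, $numberofdays = 365)
{
    if ($privateKey === null) {
        $privkey = $this->generatePrivateKey();
    } elseif (is_string($privateKey)) {
        $privkey = openssl_pkey_get_private($privateKey);
    } else {
        throw new \Exception('Invalid format for private key');
    }
    if (!$privkey) {
        throw new \Exception('Invalid private key');
    }

    // Warnings are suppressed; a false return is converted into an exception instead.
    $csr = @openssl_csr_new($dn->toArray(), $privkey);
    if (!$csr) {
        throw new \Exception('Failed create signing request. Input likely invalid.');
    }

    // A null CA certificate makes the result self-signed with $privkey.
    $sscert = openssl_csr_sign($csr, null, $privkey, $numberofdays);
    if (!$sscert) {
        // Previously reported with the CSR message, which hid which step had failed.
        throw new \Exception('Failed to sign certificate.');
    }

    // Despite the variable name this receives the PEM certificate, not a bare public key.
    $publickey = null;
    if (!openssl_x509_export($sscert, $publickey)) {
        // The export result used to be ignored, so a failure returned null as the certificate.
        throw new \Exception('Certificate export failed');
    }

    $privatekey = null;
    if (!openssl_pkey_export($privkey, $privatekey, $privkeypass)) {
        throw new \Exception('Private key generation failed');
    }

    return [$publickey, $privatekey];
}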
示例2: get_keys
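/**
 * Generates an RSA key pair for a user and issues a certificate signed with the CA material.
 *
 * @param string $login     Stored in the subject's "UID" field.
 * @param string $full_name Stored in the subject's "commonName" field.
 * @return array Keys: 'private' (unencrypted PEM private key), 'cert' (PEM certificate),
 *               'public' (PEM public key taken from the certificate).
 * @throws \RuntimeException When reading the CA material or any OpenSSL step fails.
 */
static public function get_keys($login,$full_name) {
    // NOTE(review): base_url() presumably returns the site's public URL. If so, the CA private
    // key is fetched over HTTP and has to be downloadable by anyone for this to work. CA key
    // material belongs outside the document root, read from a filesystem path with restricted
    // permissions. Confirm and relocate.
    $CA_CERT = base_url()."data/key/CA_DOC.csr";
    $CA_KEY = base_url()."data/key/CA_DOC_priv.key";
    // 512-bit RSA can be factored with modest resources; 2048 bits is the practical minimum.
    // The digest is pinned so signing does not fall back to whatever openssl.cnf defaults to.
    $config = array(
        "digest_alg"=>"sha256",
        "private_key_type"=>OPENSSL_KEYTYPE_RSA,
        "private_key_bits"=>2048
    );
    $res = openssl_pkey_new($config);
    if ($res === false) {
        throw new \RuntimeException('Unable to generate private key');
    }
    // No passphrase is applied: the returned key is plain PEM and must be protected by the caller.
    $privKey = '';
    if (!openssl_pkey_export($res,$privKey)) {
        throw new \RuntimeException('Unable to export private key');
    }
    $arr = array(
        "organizationName" => "Фізична особа",
        "organizationalUnitName" => "Фізична особа",
        "commonName" => $full_name,
        "UID" => $login,
        "countryName" => "UA"
    );
    $csr = openssl_csr_new($arr,$res,$config);
    if (!$csr) {
        throw new \RuntimeException('Unable to create certificate signing request');
    }
    $caCert = file_get_contents($CA_CERT);
    $caKey = file_get_contents($CA_KEY);
    if ($caCert === false || $caKey === false) {
        throw new \RuntimeException('Unable to read CA certificate or key');
    }
    // Valid for 730 days, signed by the CA loaded above.
    $cert = openssl_csr_sign($csr,$caCert,$caKey,730,$config);
    if (!$cert) {
        throw new \RuntimeException('Unable to sign certificate');
    }
    $str_cert = null;
    if (!openssl_x509_export($cert,$str_cert)) {
        throw new \RuntimeException('Unable to export certificate');
    }
    $public_key = openssl_pkey_get_public($str_cert);
    if ($public_key === false) {
        throw new \RuntimeException('Unable to read public key from certificate');
    }
    $public_key_details = openssl_pkey_get_details($public_key);
    if ($public_key_details === false) {
        throw new \RuntimeException('Unable to read public key details');
    }
    return array('private'=>$privKey,'cert'=>$str_cert,'public'=>$public_key_details['key']);
}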
示例3: generateSslKeypair
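/**
 * Creates a key pair and a self-signed client certificate for the given common name.
 *
 * The distinguished name and signing options come from an INI file: cert-overrides.ini in
 * the directory returned by getDefaultConfPath() when that file exists, otherwise
 * conf/cert.ini below the document root.
 *
 * @param string $commonName Value for the subject's commonName.
 * @param int    $keyLength  Private key size in bits. Not validated here; callers should
 *                           reject sizes that are too small for the key type in use.
 * @return array [PEM certificate, PEM private key]. The private key is exported without a
 *               passphrase, so it is unencrypted.
 * @throws Exception When configuration loading, key generation, CSR creation, signing or export fails.
 */
function generateSslKeypair($commonName, $keyLength)
{
    $key = openssl_pkey_new(array("private_key_bits" => $keyLength));
    if (!$key) {
        throw new Exception("Error occured while generating private key");
    }

    $default = getDefaultConfPath();
    if (file_exists($default . "/cert-overrides.ini")) {
        $confFile = $default . "/cert-overrides.ini";
    } else {
        // NOTE(review): this file lives under the document root; confirm the web server
        // does not serve /conf/ to clients.
        $confFile = $_SERVER["DOCUMENT_ROOT"] . "/conf/cert.ini";
    }
    $certConf = parse_ini_file($confFile, true);
    if ($certConf === false) {
        throw new Exception("Error occured while reading certificate configuration");
    }
    $dn = $certConf["dn"];
    $dn["commonName"] = $commonName;

    // Create the certificate signing request.
    $cert = openssl_csr_new($dn, $key);
    // openssl_csr_new() can emit a warning for bad arguments and still return a CSR, so the
    // last recorded error is inspected. error_get_last() reports the most recent error of the
    // whole request, so an unrelated earlier warning also ends up here.
    if ($e = error_get_last()) {
        throw new Exception("Error occured:" . $e["message"]);
    }

    // Self-sign (CA certificate is null) using the "csr" section and the "clientx509_ext"
    // extensions of the same INI file. The digest is whatever that section configures.
    $signed = openssl_csr_sign($cert, null, $key, $certConf["csr"]["validity_in_days"], array("config" => $confFile, "config_section_name" => "csr", "x509_extensions" => "clientx509_ext"));
    if (!$signed) {
        throw new Exception("Error occured while signing certificate");
    }

    // Export results used to be ignored, which could hand null values back to the caller.
    $privateKey = null;
    if (!openssl_pkey_export($key, $privateKey)) {
        throw new Exception("Error occured while exporting private key");
    }
    // Default third argument: PEM only, without the human-readable dump.
    $clientCert = null;
    if (!openssl_x509_export($signed, $clientCert)) {
        throw new Exception("Error occured while exporting certificate");
    }

    return array($clientCert, $privateKey);
}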
示例4: makeKeys
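/**
 * Generates an RSA key pair and a 365-day self-signed certificate, stores them on the
 * object ($this->privatekey, $this->certificate, $this->x509) and writes both to disk.
 *
 * @param array       $distinguishedName Subject fields for the certificate; kept in $this->dn.
 * @param string|null $passphrase        Passphrase for the exported private key. With NULL the
 *                                       key is exported unencrypted.
 * @param mixed       $certCA            Unused by this method.
 * @param mixed       $keyCA             Only passed to openssl_free_key(); not used for signing.
 * @return bool TRUE on success, FALSE when an OpenSSL step fails.
 */
public function makeKeys($distinguishedName, $passphrase = NULL, $certCA = NULL, $keyCA)
{
    // keep track of the distinguished name
    $this->dn = $distinguishedName;

    // SHA-1 signatures and 1024-bit RSA keys are no longer acceptable for certificates,
    // so the key is generated at 2048 bits and signed with SHA-256.
    $config = array('digest_alg' => 'sha256', 'private_key_bits' => 2048, 'encrypt_key' => TRUE);
    $key = openssl_pkey_new($config);
    if ($key === FALSE) {
        return FALSE;
    }

    // generate the certificate signing request...
    $csr = openssl_csr_new($this->dn, $key, $config);
    if (!$csr) {
        return FALSE;
    }

    // This number only names the output files; the certificate's own serial is the time()
    // value passed to openssl_csr_sign(). random_int() (PHP 7+) replaces rand(), whose
    // output is predictable.
    $this->serialNumber = random_int(0, getrandmax());

    // ...and use it to make a self-signed certificate
    $cert = openssl_csr_sign($csr, NULL, $key, 365, $config, time());
    if (!$cert) {
        return FALSE;
    }

    // make openssl forget the CA key that was handed in
    openssl_free_key($keyCA);

    // export private key and certificate onto the object
    if (!openssl_pkey_export($key, $this->privatekey, $passphrase, $config)) {
        return FALSE;
    }
    if (!openssl_x509_export($cert, $this->certificate)) {
        return FALSE;
    }
    // parse certificate
    $this->x509 = openssl_x509_parse($cert);

    // NOTE(review): the private key is written below /var/www/html under a numeric name.
    // If that directory is served by the web server the key can be downloaded by anyone who
    // finds the name, and it is unencrypted when $passphrase is NULL. Write key material to
    // a directory outside the document root with owner-only permissions.
    $outfilename = '/var/www/html/' . $this->serialNumber;
    if (!openssl_pkey_export_to_file($key, $outfilename . '.pem', $passphrase, $config)) {
        return FALSE;
    }
    if (!openssl_x509_export_to_file($this->certificate, $outfilename . '.crt', TRUE)) {
        return FALSE;
    }
    return TRUE;
}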
示例5: run
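/**
 * Generates an RSA key pair, a CSR and a self-signed certificate and writes them as
 * <folder><prefix><hostname>.pub / .key / .crt / .csr.
 *
 * All values are read from $this->input. Existing files are never overwritten.
 *
 * @throws RuntimeException When a target file already exists, or an OpenSSL or write step fails.
 */
public function run()
{
    // Append a separator only when the folder does not already end with one. The previous
    // strrev() comparison reversed the whole path, so it matched only a folder of exactly
    // one separator and doubled the separator for every other input.
    if (substr($this->input['folder'], -1) !== DIRECTORY_SEPARATOR) {
        $this->input['folder'] .= DIRECTORY_SEPARATOR;
    }

    // NOTE(review): prefix and hostname are concatenated into the path unchanged; if they can
    // come from an untrusted source they need validating against path separators. Confirm.
    $files = [];
    foreach (['pub', 'key', 'crt', 'csr'] as $extension) {
        $files[$extension] = sprintf('%s%s%s.%s', $this->input['folder'], $this->input['prefix'], $this->input['hostname'], $extension);
    }
    foreach ($files as $file) {
        if (file_exists($file)) {
            throw new RuntimeException(sprintf('File exist: %s', $file));
        }
    }

    $write = function ($path, $contents) {
        if (file_put_contents($path, $contents) === false) {
            throw new RuntimeException(sprintf('Unable to write: %s', $path));
        }
    };

    $dn = array("countryName" => $this->input['country'], "stateOrProvinceName" => $this->input['state-or-province-name'], "localityName" => $this->input['locality-name'], "organizationName" => $this->input['organization-name'], "organizationalUnitName" => $this->input['organizational-unit-name'], "commonName" => $this->input['common-name'], "emailAddress" => $this->input['email-address']);

    // Create the private and public key.
    // NOTE(review): 'digest_alg' is only given to key generation; the CSR and certificate are
    // signed with the default digest because no options reach openssl_csr_new() or
    // openssl_csr_sign(). Confirm whether the configured algorithm was meant to apply there.
    $res = openssl_pkey_new(['digest_alg' => $this->input['alg'], 'private_key_bits' => $this->input['bits'], 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    if ($res === false) {
        throw new RuntimeException('Unable to generate private key');
    }

    // Generate a certificate signing request; empty DN fields are dropped first.
    $csr = openssl_csr_new(array_filter($dn), $res);
    if (!$csr) {
        throw new RuntimeException('Unable to create certificate signing request');
    }

    // Create a self-signed certificate (no CA certificate is supplied).
    $sscert = openssl_csr_sign($csr, null, $res, $this->input['days']);
    if (!$sscert) {
        throw new RuntimeException('Unable to sign certificate');
    }

    // Export the CSR.
    if (!openssl_csr_export($csr, $out)) {
        throw new RuntimeException('Unable to export certificate signing request');
    }
    $write($files['csr'], $out);

    // Export the certificate.
    if (!openssl_x509_export($sscert, $out)) {
        throw new RuntimeException('Unable to export certificate');
    }
    $write($files['crt'], $out);

    // Export the private key. No passphrase is used, so the file holds the key in the clear:
    // it is created empty and restricted to the owner before the key material is written.
    if (!openssl_pkey_export($res, $out)) {
        throw new RuntimeException('Unable to export private key');
    }
    $write($files['key'], '');
    chmod($files['key'], 0600);
    $write($files['key'], $out);

    // Export the public key.
    $out = openssl_pkey_get_details($res);
    if ($out === false) {
        throw new RuntimeException('Unable to read public key details');
    }
    $write($files['pub'], $out["key"]);
}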
示例6: generateSslKeypair
/**
 * Creates a key pair and a self-signed certificate for the given common name and e-mail.
 *
 * The distinguished name defaults and the validity period are read from "cert.conf"; the
 * signing step is pointed at "../core/cert.conf".
 * NOTE(review): those are two different relative paths; whether they resolve to the same
 * file depends on the working directory. Confirm.
 *
 * @param string $commonName Value for the subject's commonName.
 * @param string $mail       Value for the subject's emailAddress.
 * @param int    $keyLength  Private key size in bits; not validated here.
 * @return array [certificate with text dump, PEM certificate, PEM private key]. The private
 *               key is exported without a passphrase, so it is unencrypted.
 * @throws Exception When an error was recorded around CSR creation or signing fails.
 */
function generateSslKeypair($commonName, $mail, $keyLength)
{
$key = openssl_pkey_new(array("private_key_bits" => $keyLength));
$certConf = parse_ini_file("cert.conf", true);
$dn = $certConf["dn"];
$dn["commonName"] = $commonName;
$dn["emailAddress"] = $mail;
$cert = openssl_csr_new($dn, $key);
// Despite its name, $cert holds the certificate signing request at this point.
if ($e = error_get_last()) {
// openssl_csr_new() can emit a warning for bad arguments and still return a CSR, hence this check.
// error_get_last() returns the most recent error of the whole request, so an earlier warning
// (for example from parse_ini_file() or openssl_pkey_new()) is reported here as well.
throw new Exception("Error occured:" . $e["message"]);
}
$signed = openssl_csr_sign($cert, null, $key, $certConf["csr"]["validity_in_days"], array("config" => "../core/cert.conf", "config_section_name" => "csr", "x509_extensions" => "clientx509_ext"));
// Self-signed (CA certificate is null) using the "csr" section and "clientx509_ext" extensions.
// NOTE(review): the digest is whatever that config section sets; confirm it is SHA-256 or stronger.
if (!$signed) {
throw new Exception("Error occured while signing certificate");
}
openssl_pkey_export($key, $privateKey);
// $privateKey now holds the private key as PEM; no passphrase is given, so it is not encrypted.
// The return value is not checked, so $privateKey stays null if the export fails.
openssl_x509_export($signed, $clientCert, FALSE);
// Third argument FALSE: $clientCert holds the human-readable text dump followed by the PEM block.
openssl_x509_export($signed, $publicKey);
// Default third argument: $publicKey holds the PEM certificate only. It is the whole
// certificate, not a bare public key, despite the variable name.
return array($clientCert, $publicKey, $privateKey);
}
示例7: make_request
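/**
 * Opens a TLS connection to $this->target:$this->target_port, captures the peer certificate
 * and copies selected fields onto the object (sha_type, common_name, alternative_names,
 * issuer, valid_from, valid_to), then calls $this->parse_alternative_names().
 *
 * Only capture_peer_cert is set on the context; certificate verification is left at the
 * runtime's defaults, so a host whose certificate fails verification may simply be reported
 * as unreachable.
 *
 * @return bool|null TRUE when the connection or certificate read failed; nothing on success.
 */
public function make_request()
{
    $g = stream_context_create(array("ssl" => array("capture_peer_cert" => true)));

    // Connection warnings are swallowed; failure is detected through the false return below.
    set_error_handler(function () {
        return true;
    });
    // NOTE(review): target and port are interpolated into the socket URL as-is; confirm they
    // are validated before reaching this method.
    $r = stream_socket_client("ssl://{$this->target}:{$this->target_port}", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $g);
    restore_error_handler();
    if (!$r) {
        return true;
    }

    $cont = stream_context_get_params($r);
    $cert = openssl_x509_read($cont["options"]["ssl"]["peer_certificate"]);
    if (!$cert) {
        fclose($r);
        return true;
    }
    $cert_data = openssl_x509_parse($cert);

    // Third argument FALSE adds the human-readable dump, which is where the
    // "Signature Algorithm:" line is taken from.
    openssl_x509_export($cert, $out, FALSE);
    // The socket was previously left open until garbage collection.
    fclose($r);

    $signature_algorithm = null;
    if (preg_match('/^\\s+Signature Algorithm:\\s*(.*)\\s*$/m', (string) $out, $match)) {
        $signature_algorithm = $match[1];
    }
    $this->sha_type = $signature_algorithm;

    // Certificates are not required to carry a CN, an issuer O or a subjectAltName
    // extension, so missing fields become null instead of raising notices.
    $this->common_name = isset($cert_data['subject']['CN']) ? $cert_data['subject']['CN'] : null;
    $this->alternative_names = isset($cert_data['extensions']['subjectAltName']) ? $cert_data['extensions']['subjectAltName'] : null;
    $this->issuer = isset($cert_data['issuer']['O']) ? $cert_data['issuer']['O'] : null;
    $this->valid_from = date('m-d-Y H:i:s', (int) $cert_data['validFrom_time_t']);
    $this->valid_to = date('m-d-Y H:i:s', (int) $cert_data['validTo_time_t']);
    $this->parse_alternative_names();
}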
示例8: get_fingerprint
/**
 * Derive a fingerprint from a certificate.
 *
 * The certificate is re-exported as PEM, the markers self::CERTIFICATE_BEGIN and
 * self::CERTIFICATE_END are stripped and the remaining base64 body is decoded. Without
 * $hash the decoded bytes are returned unchanged; with $hash they are passed through hash().
 *
 * @param mixed       $certificate Anything openssl_x509_read() accepts.
 * @param string|null $hash        Algorithm name for hash(), or null to skip hashing.
 * @return string|null Fingerprint, or null when the certificate cannot be read or exported.
 */
public static function get_fingerprint($certificate, $hash = null)
{
    // openssl_x509_read() raises a warning when the input cannot be turned into a
    // certificate, which is why the call is silenced and the result tested instead.
    // @codingStandardsIgnoreStart
    $x509 = @openssl_x509_read($certificate);
    // @codingStandardsIgnoreEnd
    if (false === $x509) {
        return null;
    }

    $pem = null;
    if (false === openssl_x509_export($x509, $pem)) {
        return null;
    }

    // Drop the PEM armour, then decode the base64 body.
    $body = str_replace(array(self::CERTIFICATE_BEGIN, self::CERTIFICATE_END), '', $pem);
    $decoded = base64_decode($body);

    return null !== $hash ? hash($hash, $decoded) : $decoded;
}
示例9: exportPemFromUrl
/**
 * Returns the PEM body of the certificate obtained for a URL, without the
 * BEGIN/END CERTIFICATE markers.
 *
 * The certificate comes from $this->loadFromUrl(). The result of openssl_x509_export()
 * is not checked, and line breaks around the base64 body are left in place.
 *
 * @param string $url without protocol
 * @return string $certificateContent
 */
public function exportPemFromUrl($url)
{
    $x509 = $this->loadFromUrl($url);
    openssl_x509_export($x509, $pem);

    // Strip both armour lines in one pass; the markers are removed in the listed order.
    return str_replace(
        array('-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----'),
        '',
        $pem
    );
}
示例10: setUpBeforeClass
/**
 * Prepares the shared fixtures: a fresh private key in self::$pKey and a one-day
 * self-signed certificate, exported as PEM, in self::$certificate.
 */
public static function setUpBeforeClass()
{
    self::$pKey = openssl_pkey_new();

    // Empty subject, no CA certificate: a throw-away self-signed certificate valid for one day.
    $signedCert = openssl_csr_sign(openssl_csr_new([], self::$pKey), null, self::$pKey, 1);

    openssl_x509_export($signedCert, self::$certificate);
    openssl_x509_free($signedCert);
}
示例11: ocsp_verify_json
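/**
 * Checks a certificate's revocation status by running the `openssl ocsp` command line tool.
 *
 * Both certificates are written to temporary PEM files, the responder at $ocsp_uri is
 * queried, and the tool's "key: value" output is parsed.
 *
 * @param mixed  $raw_cert_data      Certificate to check, as accepted by openssl_x509_export().
 * @param mixed  $raw_next_cert_data Issuer certificate, as accepted by openssl_x509_export().
 * @param string $ocsp_uri           OCSP responder URL.
 * @return array 'status' ("good", "revoked" or "unknown") and 'ocsp_uri'; 'error' when the
 *               status is unknown; 'this_update', 'next_update', 'reason' and
 *               'revocation_time' when the responder reported them.
 */
function ocsp_verify_json($raw_cert_data, $raw_next_cert_data, $ocsp_uri)
{
    //uses openssl cli to validate cert status with ocsp
    global $random_blurp, $timeout;
    $result = array();
    $lines = array();
    $tmp_dir = '/tmp/';
    $root_ca = getcwd() . '/cacert.pem';

    // NOTE(review): the file names depend only on $random_blurp inside a shared /tmp. If that
    // value is predictable or reused across requests, files can collide or be pre-created by
    // another local user. Confirm how it is generated, or switch to tempnam().
    $client_loc = $tmp_dir . $random_blurp . '.cert_client.pem';
    $issuer_loc = $tmp_dir . $random_blurp . '.cert_issuer.pem';

    $pem_issuer = "";
    $pem_client = "";
    openssl_x509_export($raw_cert_data, $pem_client);
    openssl_x509_export_to_file($raw_cert_data, $client_loc);
    openssl_x509_export($raw_next_cert_data, $pem_issuer);
    openssl_x509_export_to_file($raw_next_cert_data, $issuer_loc);

    // Some OCSP's want HTTP/1.1 but OpenSSL does not do that. Add Host header as workaround.
    $ocsp_host = parse_url($ocsp_uri, PHP_URL_HOST);

    // The responder URL may originate from the certificate being checked, so it is untrusted.
    // escapeshellcmd() inside hand-written double quotes does not keep a value confined to one
    // argument; every dynamic value is therefore passed through escapeshellarg(), and the
    // timeout is forced to an integer.
    // The original "timeout N | openssl ..." started timeout without a command and piped its
    // output into openssl, so no time limit was applied; timeout now wraps the openssl call.
    // -no_nonce is kept from the original: responses are not bound to this request.
    $command = 'timeout ' . (int) $timeout
        . ' openssl ocsp -no_nonce'
        . ' -CAfile ' . escapeshellarg($root_ca)
        . ' -issuer ' . escapeshellarg($issuer_loc)
        . ' -cert ' . escapeshellarg($client_loc)
        . ' -url ' . escapeshellarg($ocsp_uri)
        . ' -header "HOST" ' . escapeshellarg((string) $ocsp_host)
        . ' 2>&1';

    $output = shell_exec($command);
    // Second run with the routine lines filtered out; used only as the error text.
    $filter_output = shell_exec($command . ' | grep -v -e "to get local issuer certificate" -e "signer certificate not found" -e "Response Verify" -e ' . escapeshellarg($client_loc));

    // Collapse runs of blanks, then read each "key: value" line into $lines.
    $output = preg_replace("/[[:blank:]]+/", " ", (string) $output);
    $ocsp_status_lines = array_map('trim', explode("\n", $output));
    foreach ($ocsp_status_lines as $line) {
        if (endsWith($line, ":") == false) {
            $parts = explode(":", $line, 2);
            $k = trim($parts[0]);
            // A line without a colon has no value part.
            $v = isset($parts[1]) ? trim($parts[1]) : '';
            if ($k) {
                $lines[$k] = $v;
            }
        }
    }

    // openssl prints "<certificate file>: <status>" for the checked certificate.
    $status = isset($lines[$client_loc]) ? $lines[$client_loc] : null;
    if ($status === "good") {
        $result["status"] = "good";
    } elseif ($status === "revoked") {
        $result["status"] = "revoked";
    } else {
        $result["error"] = $filter_output;
        $result["status"] = "unknown";
    }

    if (isset($lines["This Update"])) {
        $result["this_update"] = $lines["This Update"];
    }
    if (isset($lines["Next Update"])) {
        $result["next_update"] = $lines["Next Update"];
    }
    if (isset($lines["Reason"])) {
        $result["reason"] = $lines["Reason"];
    }
    if (isset($lines["Revocation Time"])) {
        $result["revocation_time"] = $lines["Revocation Time"];
    }
    $result["ocsp_uri"] = $ocsp_uri;

    //remove temp files after use
    unlink($client_loc);
    unlink($issuer_loc);
    return $result;
}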
示例12: toPem
/**
 * Serialises the wrapped certificate ($this->opensslResource) to PEM.
 *
 * @return string PEM-encoded certificate.
 * @throws EngineBlock_Exception When openssl_x509_export() reports failure.
 */
public function toPem()
{
    $encoded = '';
    if (openssl_x509_export($this->opensslResource, $encoded)) {
        return $encoded;
    }

    throw new EngineBlock_Exception("Unable to convert certificate to PEM?");
}
示例13: exportCertificatePem
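/**
 * Writes the signed certificate followed by the private key, both PEM-encoded, to one file.
 *
 * The private key is protected with $this->pkeypass; when that is null the key is written
 * unencrypted.
 * NOTE(review): the file is created with default permissions. Because it contains the
 * private key, the caller should restrict it to the owning user.
 *
 * @param string $file Destination path.
 * @throws \RuntimeException When an export or the write fails.
 */
public function exportCertificatePem($file)
{
    \debug("OpenSSL CSR: Exporting certificate as PEM: {$file}");

    // The export results were previously ignored, so a failed export still produced a
    // file with one part missing.
    $certPem = null;
    if (!openssl_x509_export($this->signed, $certPem)) {
        throw new \RuntimeException('Unable to export certificate as PEM');
    }
    $keyPem = null;
    if (!openssl_pkey_export($this->pkey, $keyPem, $this->pkeypass)) {
        throw new \RuntimeException('Unable to export private key as PEM');
    }

    if (file_put_contents($file, $certPem . $keyPem) === false) {
        throw new \RuntimeException('Unable to write PEM file');
    }
}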
示例14: cert_signature_algorithm
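/**
 * Extracts the signature algorithm name from a certificate.
 *
 * The certificate is exported together with its human-readable dump and the first
 * "Signature Algorithm:" line of that dump is returned.
 *
 * @param mixed $raw_cert_data Anything openssl_x509_read() accepts.
 * @return string|null Algorithm name as printed by OpenSSL, or null when the certificate
 *                     cannot be read or exported, or the line is missing.
 */
function cert_signature_algorithm($raw_cert_data)
{
    $cert_read = openssl_x509_read($raw_cert_data);
    if ($cert_read === false) {
        // Unreadable input used to be passed on to openssl_x509_export() as false.
        return null;
    }

    // Third argument FALSE asks for the text dump in addition to the PEM block.
    $out = null;
    if (!openssl_x509_export($cert_read, $out, FALSE)) {
        return null;
    }

    if (preg_match('/^\\s+Signature Algorithm:\\s*(.*)\\s*$/m', $out, $match)) {
        return $match[1];
    }
    return null;
}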
示例15: create
/**
 * Creates a key pair and a 365-day self-signed certificate and returns both as one string:
 * the PEM certificate immediately followed by the PEM private key.
 *
 * All OpenSSL calls use the options from $this->getConfig(). None of their results are
 * checked, so a failed step yields an incomplete string rather than an error.
 *
 * @param array       $dn         Distinguished name fields for the certificate subject.
 * @param string|null $passPhrase Passphrase for the exported private key; with null the key
 *                                is exported unencrypted.
 *
 * @return string
 */
public function create(array $dn, $passPhrase = null)
{
    $options = $this->getConfig();

    $privateKey = openssl_pkey_new($options);
    $request = openssl_csr_new($dn, $privateKey, $options);
    // No CA certificate is supplied, so the request is signed with its own key.
    $certificate = openssl_csr_sign($request, null, $privateKey, 365, $options);

    $certPem = null;
    openssl_x509_export($certificate, $certPem);

    $keyPem = null;
    openssl_pkey_export($privateKey, $keyPem, $passPhrase, $options);

    return $certPem . $keyPem;
}