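 /**
  * Load a PKCS#12 bundle and populate the certificate, private key and chain.
  *
  * @param string|File|SplFileInfo|null $pkcs12 Raw PKCS#12 bytes, a File
  *        object (read through getContent()) or an SplFileInfo naming the
  *        bundle file; null is a no-op.
  * @param string|null $password Password protecting the bundle (null is
  *        passed on as an empty password).
  *
  * @throws RuntimeException When the bundle file cannot be read or the
  *         bundle cannot be parsed/decrypted.
  */
 public function load($pkcs12, ?string $password = null)
 {
     if ($pkcs12 === null) {
         return;
     }
     if ($pkcs12 instanceof File) {
         $pkcs12 = $pkcs12->getContent();
     } elseif ($pkcs12 instanceof SplFileInfo) {
         $path = $pkcs12->getPathname();
         $pkcs12 = file_get_contents($path);
         if ($pkcs12 === false) {
             // Fail here with a useful message instead of handing `false`
             // to openssl_pkcs12_read and reporting a generic parse error.
             throw new RuntimeException('Unable to read PKCS#12 file: ' . $path);
         }
     }
     if (!openssl_pkcs12_read($pkcs12, $result, $password ?? '')) {
         throw new RuntimeException(OpenSSL::getLastError());
     }
     // Each component is optional in a PKCS#12 container, so only set what is present.
     if (array_key_exists('cert', $result)) {
         $this->setCertificate(new Certificate($result['cert']));
     }
     if (array_key_exists('pkey', $result)) {
         $this->setPrivateKey(new PrivateKey($result['pkey']));
     }
     if (array_key_exists('extracerts', $result)) {
         $this->setChain($result['extracerts']);
     }
 }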
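 /**
  * Validate GCE cloud credentials by performing a live API call.
  *
  * When the credential properties changed (needValidation), the cached
  * access token is cleared, a Google client is built from the supplied
  * service-account key and a zones listing is attempted; success marks the
  * entity as enabled.
  *
  * @param   Entity\CloudCredentials $entity
  * @param   Entity\CloudCredentials $prevConfig
  *
  * @throws  ApiErrorException When the PKCS12 key cannot be parsed or the
  *          API call with the credentials fails
  */
 public function validateEntity($entity, $prevConfig = null)
 {
     parent::validateEntity($entity, $prevConfig);
     $ccProps = $entity->properties;
     $prevCcProps = isset($prevConfig) ? $prevConfig->properties : null;
     if (!$this->needValidation($ccProps, $prevCcProps)) {
         return;
     }
     $ccProps[Entity\CloudCredentialsProperty::GCE_ACCESS_TOKEN] = "";
     $key = base64_decode($ccProps[Entity\CloudCredentialsProperty::GCE_KEY]);
     // If it's not a json key we need to convert PKCS12 to PEM. Google issues
     // service-account .p12 files protected with the fixed password "notasecret".
     if (!$ccProps[Entity\CloudCredentialsProperty::GCE_JSON_KEY]) {
         $certs = [];
         // Report an unreadable key explicitly instead of suppressing the
         // failure and letting the Google client fail later with an opaque error.
         if (!openssl_pkcs12_read($key, $certs, 'notasecret') || empty($certs['pkey'])) {
             throw new ApiErrorException(400, ErrorMessage::ERR_INVALID_VALUE, "Provided GCE credentials are incorrect: (unable to read PKCS12 key: " . openssl_error_string() . ")");
         }
         $key = $certs['pkey'];
     }
     try {
         $client = new \Google_Client();
         $client->setApplicationName("Scalr GCE");
         $client->setScopes(['https://www.googleapis.com/auth/compute']);
         $client->setAuthConfig(['type' => 'service_account', 'project_id' => $ccProps[Entity\CloudCredentialsProperty::GCE_PROJECT_ID], 'private_key' => $key, 'client_email' => $ccProps[Entity\CloudCredentialsProperty::GCE_SERVICE_ACCOUNT_NAME], 'client_id' => $ccProps[Entity\CloudCredentialsProperty::GCE_CLIENT_ID]]);
         $client->setClientId($ccProps[Entity\CloudCredentialsProperty::GCE_CLIENT_ID]);
         $gce = new \Google_Service_Compute($client);
         // A cheap read-only call proves the key, e-mail and project fit together.
         $gce->zones->listZones($ccProps[Entity\CloudCredentialsProperty::GCE_PROJECT_ID]);
     } catch (Exception $e) {
         throw new ApiErrorException(400, ErrorMessage::ERR_INVALID_VALUE, "Provided GCE credentials are incorrect: ({$e->getMessage()})");
     }
     $entity->status = Entity\CloudCredentials::STATUS_ENABLED;
 }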
 /**
  * Load the signing key for a Google service account.
  *
  * Three inputs are accepted: a PEM "RSA PRIVATE KEY" with no password, a
  * PEM "PRIVATE KEY" together with Google's fixed p12 password, or a
  * PKCS#12 container that is unpacked with openssl_pkcs12_read().
  *
  * @param string $p12      PKCS#12 bytes or a PEM private key
  * @param string $password Password for the PKCS#12 container
  * @throws Google_Exception      When the openssl extension is missing
  * @throws Google_Auth_Exception When the key cannot be parsed or loaded
  */
 public function __construct($p12, $password)
 {
     if (!function_exists('openssl_x509_read')) {
         throw new Google_Exception('The Google PHP API library needs the openssl PHP extension');
     }
     // A key handed over directly as PEM is not a p12 container. Different
     // openssl versions accept different p12 flavours, and the key issued by
     // Google was rejected by the version available at the time.
     $isRsaPem = !$password && strpos($p12, "-----BEGIN RSA PRIVATE KEY-----") !== false;
     $isPkcs8Pem = $password === 'notasecret' && strpos($p12, "-----BEGIN PRIVATE KEY-----") !== false;
     if ($isRsaPem || $isPkcs8Pem) {
         $this->privateKey = openssl_pkey_get_private($p12);
     } else {
         $bundle = array();
         if (!openssl_pkcs12_read($p12, $bundle, $password)) {
             throw new Google_Auth_Exception("Unable to parse the p12 file.  " . "Is this a .p12 file?  Is the password correct?  OpenSSL error: " . openssl_error_string());
         }
         // TODO(beaton): is this part of the contract for the openssl_pkcs12_read
         // method?  What happens if there are multiple private keys?  Do we care?
         $pem = array_key_exists("pkey", $bundle) ? $bundle["pkey"] : null;
         if (!$pem) {
             throw new Google_Auth_Exception("No private key found in p12 file.");
         }
         $this->privateKey = openssl_pkey_get_private($pem);
     }
     if (!$this->privateKey) {
         throw new Google_Auth_Exception("Unable to load private key");
     }
 }
 /**
  * Unpack a PKCS#12 container into its certificate/key array.
  *
  * @param string $p12buf   Raw PKCS#12 bytes
  * @param array  $p12cert  Array that receives the parsed components
  * @param string $password Password protecting the container
  * @return array The parsed components (cert, pkey, extracerts)
  * @throws \RuntimeException When the container cannot be parsed or the password is wrong
  */
 private static function pkcs12Read($p12buf, array $p12cert, $password)
 {
     $parsed = openssl_pkcs12_read($p12buf, $p12cert, $password);
     if ($parsed === false) {
         throw new \RuntimeException("Invalid cert format or password.");
     }
     return $p12cert;
 }
/**
 * Sample var_dump() output of the $p12cert array produced by openssl_pkcs12_read()
 * in the function below. The key material shown is demonstration-only: real
 * private keys must never be committed to source, not even inside a comment.
 array(3) {
  ["cert"]=>
  string(1334) "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
"
  ["pkey"]=>
  string(887) "-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCvJC9MMGRKmxRBI0KMjDtz2KooIc6XOljHPWhTfAamhV3A5v5y
PiZr4haMDpulU08Y0JxsegwDwfbscQrhG7nvilIqIa+HiI1xkfFxjtNUrMN5hpvO
8HUUfwqzb5EdllQcv/C0xxBkeCECIb86JJry7ty4mNBkN2idbGxldMi90QIDAQAB
AoGATvTIIdfbDss06Vyk/smlb8dohmkfQov6Q/AKHUDXmrCbIIDCiuw70/z73y4i
uviAuxYovrqSugryb4tStUMTogmft4methz1/O/083XHwBNKBPnS2fobYDfBxqkX
tH26woCjrEr/O/wngo6iFp7b5yJlyXapN0x+iOF3CShIhAECQQD2gZ6LLYdxSP8i
aRYAPOh10mF5IHt2dl89eOjNiqVGMlkV5aXNT80jAQr/kWGZfIjscb/xkawSKQKs
ovcn99GRAkEAteL02mBrCLfn2idBwXTdil+yeigReAZmRpqQuAfTRZN4RM+5Dw3q
X0IiCkR3oyiwx89n1eGmz1JTZRxoY1AIQQJAWVbQ5xAxLlWOYiJD3wI0Hb+JpCSp
ml18VwMjHJtLGw3US6NXW/m4Fx+hpM5D2STRWyA+uIZbHpnOZlMJ0Gp4gQJBAK38
66JV5y1Q1r2tHc6UHzQ1tMH7wDIjVQSm6FbSTXxZxAt29Rx8gD0dQvi1ZAg0bV7F
fRtwnqPlqZaoJQcTUMECQQD1Dh+Mu3OMb5AHnrtbk9l1qjM3U81QBKdyF0RY+djo
b3cR9I7+hurpqhJmQ7yuvAWe2xWc+YNTQ48FDJTogXlB
-----END RSA PRIVATE KEY-----
"
  ["extracerts"]=>
  array(0) {
  }
}
*/
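/**
 * Sign $plainText with the private key stored in the CFCA .pfx file and
 * return the signature as a hex string.
 *
 * The .pfx path and its password are hard-coded below (test material); for
 * production both should come from configuration outside the source tree.
 *
 * @param string $plainText Data to sign (signed as-is, not pre-hashed)
 * @return string Hex-encoded binary signature
 * @throws RuntimeException When the .pfx cannot be read or decrypted, holds
 *         no private key, or signing fails
 */
function cfcasign_pkcs12($plainText)
{
    // (1) Read the PKCS#12 container (binary file).
    $file = 'ceshi/test.pfx';
    $p12buf = is_file($file) ? file_get_contents($file) : false;
    if ($p12buf === false) {
        throw new RuntimeException('Cannot read PKCS#12 file: ' . $file);
    }
    // (2) bool openssl_pkcs12_read(string $pkcs12, array &$certs, string $pass)
    //     unpacks the container into an array; $pass is the container password.
    $p12cert = array();
    if (!openssl_pkcs12_read($p12buf, $p12cert, 'cfca1234')) {
        throw new RuntimeException('Cannot decrypt PKCS#12 file (wrong password or invalid format): ' . openssl_error_string());
    }
    if (empty($p12cert['pkey'])) {
        throw new RuntimeException('PKCS#12 file contains no private key');
    }
    $pkeyid = $p12cert['pkey'];
    // (3) bool openssl_sign(string $data, string &$signature, mixed $priv_key_id [, int $signature_alg])
    //     $signature receives the binary signature on success. SHA-1 is kept
    //     because the signature format is presumably fixed by the CFCA peer
    //     interface -- confirm before moving to SHA-256.
    $binary_signature = '';
    if (!openssl_sign($plainText, $binary_signature, $pkeyid, OPENSSL_ALGO_SHA1)) {
        throw new RuntimeException('Signing failed: ' . openssl_error_string());
    }
    // Return the binary signature in hexadecimal.
    return bin2hex($binary_signature);
}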
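 /**
  * Build an authenticated Google Compute client for a GCE keychain.
  *
  * The credentials come from $config, or from the environment's GCE
  * keychain when $config is empty. A cached access token stored in the
  * credential properties is reused while it is still valid; otherwise a
  * probe call is made and, when the properties came from the keychain,
  * the fresh token is saved back.
  *
  * @param \Scalr_Environment $environment             Scalr Environment object (required when $config is empty)
  * @param array              $config        optional  Config array
  * @return \Google_Service_Compute
  * @throws \InvalidArgumentException When neither an environment nor a config is given
  * @throws \RuntimeException         When the PKCS12 key cannot be parsed
  */
 public function getClient(\Scalr_Environment $environment = null, array $config = [])
 {
     $ccProps = null;
     if (empty($config)) {
         if ($environment === null) {
             throw new \InvalidArgumentException('Either a Scalr environment or a config array must be provided');
         }
         $ccProps = $environment->keychain(\SERVER_PLATFORMS::GCE)->properties;
         $config = $ccProps;
     }
     $client = new \Google_Client();
     $client->setApplicationName("Scalr GCE");
     $client->setScopes(array('https://www.googleapis.com/auth/compute'));
     $key = base64_decode($config[Entity\CloudCredentialsProperty::GCE_KEY]);
     // If it's not a json key we need to convert PKCS12 to PEM. Google issues
     // service-account .p12 files protected with the fixed password "notasecret".
     if (!$config[Entity\CloudCredentialsProperty::GCE_JSON_KEY]) {
         $certs = array();
         // Do not suppress a failed read: an undefined 'pkey' would otherwise
         // reach setAuthConfig and fail later with an opaque client error.
         if (!openssl_pkcs12_read($key, $certs, 'notasecret') || empty($certs['pkey'])) {
             throw new \RuntimeException('Unable to read GCE PKCS12 key: ' . openssl_error_string());
         }
         $key = $certs['pkey'];
     }
     $client->setAuthConfig(['type' => 'service_account', 'project_id' => $config[Entity\CloudCredentialsProperty::GCE_PROJECT_ID], 'private_key' => $key, 'client_email' => $config[Entity\CloudCredentialsProperty::GCE_SERVICE_ACCOUNT_NAME], 'client_id' => $config[Entity\CloudCredentialsProperty::GCE_CLIENT_ID]]);
     $client->setClientId($config[Entity\CloudCredentialsProperty::GCE_CLIENT_ID]);
     $gce = new \Google_Service_Compute($client);
     //**** Store access token ****//
     $jsonAccessToken = $config[Entity\CloudCredentialsProperty::GCE_ACCESS_TOKEN];
     $accessToken = @json_decode($jsonAccessToken);
     // Reuse the cached token only when it carries an expiry we can check.
     if ($accessToken && isset($accessToken->created, $accessToken->expires_in) && $accessToken->created + $accessToken->expires_in > time()) {
         $client->setAccessToken($jsonAccessToken);
     } else {
         $gce->zones->listZones($config[Entity\CloudCredentialsProperty::GCE_PROJECT_ID]);
         if ($ccProps) {
             $token = $client->getAccessToken();
             $ccProps[Entity\CloudCredentialsProperty::GCE_ACCESS_TOKEN] = $token;
             $ccProps->save();
         }
     }
     return $gce;
 }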
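 /**
  * Build a signed RS256 JWT assertion from the configured PKCS#12 key file.
  *
  * Header and claim set are JSON-encoded, base64url-encoded (RFC 7515 §2:
  * URL-safe alphabet, no '=' padding), joined with '.', signed with the
  * private key extracted from the .p12 file, and the signature is appended
  * in the same encoding.
  *
  * @return string The compact-serialised JWT
  * @throws Exception When the key file is missing, cannot be parsed, holds
  *                   no usable private key, or signing fails
  */
 protected function generateSignedJWT()
 {
     if (!file_exists($this->privateKey) || !is_file($this->privateKey)) {
         throw new Exception('Private key does not exist');
     }
     // JWS segments must be base64url without padding; plain base64 emits
     // '+', '/' and '=', which spec-compliant verifiers reject.
     $b64url = function ($data) {
         return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
     };
     $header = array('alg' => 'RS256', 'typ' => 'JWT');
     $t = time();
     $params = array('iss' => $this->email, 'scope' => Oauth::SCOPE_URL, 'aud' => Oauth::TOKEN_URL, 'exp' => $t + self::MAX_LIFETIME_SECONDS, 'iat' => $t);
     $encodings = array($b64url(json_encode($header)), $b64url(json_encode($params)));
     $input = implode('.', $encodings);
     $certs = array();
     $pkcs12 = file_get_contents($this->privateKey);
     if ($pkcs12 === false || !openssl_pkcs12_read($pkcs12, $certs, $this->password)) {
         throw new Exception('Could not parse .p12 file');
     }
     if (empty($certs['pkey'])) {
         throw new Exception('Could not find private key in .p12 file');
     }
     $keyId = openssl_pkey_get_private($certs['pkey']);
     if ($keyId === false) {
         throw new Exception('Could not load private key from .p12 file');
     }
     if (!openssl_sign($input, $sig, $keyId, 'sha256')) {
         throw new Exception('Could not sign data');
     }
     $encodings[] = $b64url($sig);
     return implode('.', $encodings);
 }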
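/**
 * Migrate the legacy ga_serviceemail / ga_keyfilepath options into the
 * separate service-account options ga_sakey, ga_serviceemail, ga_pkey_print.
 *
 * When the legacy .p12 key file can be opened (Google's fixed password
 * "notasecret"), its private key is exported as PEM into ga_sakey and the
 * key file is deleted so the secret no longer lingers on disk. Conversion
 * is best-effort: any failure leaves ga_sakey empty. The legacy entries are
 * removed from $option in every case.
 *
 * @param array  &$option              Regular plugin options (modified in place)
 * @param string $gal_option_name      Option name of the regular options (unused here)
 * @param array  &$existing_sa_options Service-account options; filled only when empty
 * @param string $gal_sa_option_name   Option name of the SA options (unused here)
 * @return void
 */
function gal_service_account_upgrade(&$option, $gal_option_name, &$existing_sa_options, $gal_sa_option_name)
{
    /* Convert ga_serviceemail ga_keyfilepath
     * into new separate sa options:
     * ga_sakey, ga_serviceemail, ga_pkey_print
     */
    if (count($existing_sa_options)) {
        return;
    }
    $existing_sa_options = array('ga_serviceemail' => isset($option['ga_serviceemail']) ? $option['ga_serviceemail'] : '', 'ga_sakey' => '', 'ga_pkey_print' => '<unspecified>');
    try {
        if (version_compare(PHP_VERSION, '5.3.0') >= 0 && function_exists('openssl_x509_read')) {
            if (isset($option['ga_keyfilepath']) && $option['ga_keyfilepath'] != '' && file_exists($option['ga_keyfilepath'])) {
                $p12key = @file_get_contents($option['ga_keyfilepath']);
                $certs = array();
                if ($p12key !== false && openssl_pkcs12_read($p12key, $certs, 'notasecret')) {
                    if (array_key_exists("pkey", $certs) && $certs["pkey"]) {
                        $privateKey = openssl_pkey_get_private($certs['pkey']);
                        $pemString = '';
                        if ($privateKey && openssl_pkey_export($privateKey, $pemString)) {
                            $existing_sa_options['ga_sakey'] = $pemString;
                        }
                        if ($privateKey) {
                            openssl_pkey_free($privateKey);
                        }
                        // Remove the on-disk key once it has been migrated. Note
                        // the variable is $option (singular); a misspelt name here
                        // silently leaves the .p12 behind.
                        @unlink($option['ga_keyfilepath']);
                    }
                }
            }
        }
    } catch (Exception $e) {
        // Never mind
    }
    // Remove redundant parts of regular options
    unset($option['ga_serviceemail']);
    unset($option['ga_keyfilepath']);
}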
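 /**
  * Decrypt the stored PKCS#12 string and return its private key.
  *
  * @return string A plaintext private key in PEM format
  *
  * @throws \Exception When the pkcs12 string cannot be decrypted or holds no private key
  */
 private function decryptPKCS12string()
 {
     $keystore = [];
     if (!openssl_pkcs12_read($this->pkcs12string, $keystore, $this->passphrase)) {
         throw new \Exception('PKCS#12 cannot be decrypted');
     }
     // A container may legitimately carry only certificates; do not return
     // an undefined index as if it were a key.
     if (empty($keystore['pkey'])) {
         throw new \Exception('PKCS#12 contains no private key');
     }
     return $keystore['pkey'];
 }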
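 /**
  * Parse the PKCS#12 content with the stored password and hand the
  * certificate and private key to the certificate object.
  *
  * @return void
  * @throws \Exception When the content cannot be read (bad password or
  *         invalid file) or lacks a certificate or private key
  */
 public function read()
 {
     $data = array();
     if (!openssl_pkcs12_read($this->content, $data, $this->password)) {
         throw new \Exception('O certificado não pode ser lido, senha ou arquivo inválido');
     }
     // Both parts are required downstream; fail explicitly instead of
     // passing an undefined index to the setters.
     if (empty($data['cert']) || empty($data['pkey'])) {
         throw new \Exception('O certificado não contém certificado e chave privada');
     }
     $this->certificate->setPubKey($data['cert']);
     $this->certificate->setPrivKey($data['pkey']);
 }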
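 /**
  * Retrieve the private key from the PKCS#12 keystore named in $masterPassData.
  *
  * @param object $masterPassData Must expose keystorePath (relative to the
  *        parent of this file's directory) and keystorePassword
  * @return string PEM-encoded private key
  * @throws \RuntimeException When the keystore is missing, cannot be
  *         decrypted with the given password, or holds no private key
  */
 private function getPrivateKey($masterPassData)
 {
     $thispath = dirname(__DIR__) . "/" . $masterPassData->keystorePath;
     $path = realpath($thispath);
     // realpath() yields false for a missing file; check before reading so a
     // bad path fails here rather than as an undefined 'pkey' index later.
     if ($path === false || !is_file($path)) {
         throw new \RuntimeException('Keystore not found: ' . $thispath);
     }
     $pkcs12 = file_get_contents($path);
     if ($pkcs12 === false) {
         throw new \RuntimeException('Keystore cannot be read: ' . $path);
     }
     $keystore = array();
     if (!openssl_pkcs12_read($pkcs12, $keystore, $masterPassData->keystorePassword)) {
         throw new \RuntimeException('Keystore cannot be decrypted (wrong password or invalid PKCS#12): ' . openssl_error_string());
     }
     if (empty($keystore['pkey'])) {
         throw new \RuntimeException('Keystore contains no private key');
     }
     return $keystore['pkey'];
 }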
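 /**
  * Open the uploaded certificate file with the given password.
  *
  * @param  string $password Password needed to open the certificate
  * @return array  Components extracted from the certificate (cert, pkey, extracerts)
  * @throws CannotOpenCertificate When the file cannot be read or the password is wrong
  * @since  1.0.0
  */
 public function open($password)
 {
     // Treat an unreadable file the same as a bad password: file_get_contents
     // would otherwise return false and the error would surface as a parse failure.
     $key = is_file($this->filePath) ? file_get_contents($this->filePath) : false;
     if ($key === false) {
         throw new CannotOpenCertificate($this->filePath);
     }
     $dataCertificate = array();
     if (!openssl_pkcs12_read($key, $dataCertificate, $password)) {
         throw new CannotOpenCertificate($this->filePath);
     }
     return $dataCertificate;
 }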
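 /**
  * Load the private key and certificate from a .pfx (PKCS#12) file into
  * $this->RsaPrivateKey and $this->RsaPublicKey.
  *
  * @param string $filePath  Path to the .pfx file
  * @param string $Passphase Password protecting the .pfx file
  * @return void
  * @throws \RuntimeException When the file cannot be read, cannot be
  *         decrypted, or lacks a certificate or private key
  */
 public function GetPrivate_Public_KeyFromPfxFile($filePath, $Passphase)
 {
     $p12buf = is_file($filePath) ? file_get_contents($filePath) : false;
     if ($p12buf === false) {
         throw new \RuntimeException('Cannot read PFX file: ' . $filePath);
     }
     $p12cert = array();
     // Check the result: an unchecked failure leaves both properties set to
     // null and every later signing call fails far from the real cause.
     if (!openssl_pkcs12_read($p12buf, $p12cert, $Passphase)) {
         throw new \RuntimeException('Cannot decrypt PFX file (wrong password or invalid format): ' . openssl_error_string());
     }
     if (empty($p12cert['pkey']) || empty($p12cert['cert'])) {
         throw new \RuntimeException('PFX file does not contain both a private key and a certificate');
     }
     $this->RsaPrivateKey = $p12cert['pkey'];
     $this->RsaPublicKey = $p12cert['cert'];
 }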
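 /**
  * Represents a PKCS12 keystore.
  *
  * @param string $contents   The contents of the PKCS12 keystore.
  * @param string $passphrase Passphrase protecting the keystore.
  * @throws OpenSSLExtensionNotLoadedException When the openssl extension is missing
  * @throws KeyStoreDecryptionFailedException  When the keystore cannot be decrypted
  *         or does not contain both a certificate and a private key
  */
 public function __construct($contents, $passphrase)
 {
     if (!extension_loaded('openssl')) {
         throw new OpenSSLExtensionNotLoadedException('The openssl module is not loaded.');
     }
     $keystore = array();
     if (!openssl_pkcs12_read($contents, $keystore, $passphrase)) {
         throw new KeyStoreDecryptionFailedException('Could not decrypt the certificate, the passphrase is incorrect, ' . 'its contents are mangled or it is not a valid PKCS #12 keystore.');
     }
     // A PKCS#12 container may omit either part; refuse it rather than
     // construct wrappers around undefined indices.
     if (empty($keystore['cert']) || empty($keystore['pkey'])) {
         throw new KeyStoreDecryptionFailedException('The PKCS #12 keystore does not contain both a certificate and a private key.');
     }
     $this->X509Certificate = new X509Certificate($keystore['cert']);
     $this->privateKey = new PrivateKey($keystore['pkey']);
 }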
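 /**
  * Load a PKCS#12 certificate from a string.
  *
  * @param string $certificate Raw PKCS#12 bytes
  * @param null|string $pass   Password protecting the container
  * @return bool
  * @throws Exception If could not open/parse certificate
  */
 public function loadString($certificate, $pass = null)
 {
     //unset cached certData
     //TODO: think Maybe disable loading of different certificate with some magic
     $this->certData = null;
     // Reset the previous contents and test the return value directly:
     // checking $this->raw_cert after a failed read would report success
     // whenever an earlier certificate was still loaded.
     $this->raw_cert = null;
     $parsed = array();
     if (!openssl_pkcs12_read($certificate, $parsed, $pass)) {
         throw new Exception('Could not open certificate!');
     }
     $this->raw_cert = $parsed;
     return true;
 }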
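 /**
  * Sign $plainText with the private key from the configured CFCA .pfx file
  * (path and password taken from $this->CICC_REAL) and return the signature
  * as a hex string.
  *
  * @param string $plainText Data to sign (signed as-is, not pre-hashed)
  * @return string Hex-encoded binary signature
  * @throws \RuntimeException When the .pfx cannot be read or decrypted,
  *         holds no private key, or signing fails
  */
 function cfcasign_pkcs12($plainText)
 {
     $file = $this->CICC_REAL['PFX_PATH'];
     $p12buf = is_file($file) ? file_get_contents($file) : false;
     if ($p12buf === false) {
         throw new \RuntimeException('Cannot read PKCS#12 file: ' . $file);
     }
     $p12cert = array();
     if (!openssl_pkcs12_read($p12buf, $p12cert, $this->CICC_REAL['PFX_PASS'])) {
         throw new \RuntimeException('Cannot decrypt PKCS#12 file (wrong password or invalid format): ' . openssl_error_string());
     }
     if (empty($p12cert['pkey'])) {
         throw new \RuntimeException('PKCS#12 file contains no private key');
     }
     $pkeyid = $p12cert["pkey"];
     // SHA-1 is kept because the signature format is presumably fixed by the
     // CFCA peer interface -- confirm before moving to SHA-256.
     $binary_signature = "";
     if (!openssl_sign($plainText, $binary_signature, $pkeyid, OPENSSL_ALGO_SHA1)) {
         throw new \RuntimeException('Signing failed: ' . openssl_error_string());
     }
     return bin2hex($binary_signature);
 }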
 /**
  * Legacy (PHP 4 style) constructor: remember the path and password and,
  * when the file exists and can be decrypted, parse its certificate.
  *
  * A missing file or a failed decryption is not reported; the object is
  * simply left without cert_data/cert_info.
  *
  * @param string $path          Path to the PKCS#12 file
  * @param string $cert_password Password protecting the file
  */
 public function Certificate($path, $cert_password = '')
 {
     $this->path = $path;
     $this->cert_password = $cert_password;
     if (!file_exists($this->path)) {
         return $this;
     }
     $bundle = file_get_contents($this->path);
     $opened = openssl_pkcs12_read($bundle, $this->certs, $cert_password);
     if (!$opened) {
         return;
     }
     $this->cert_data = openssl_x509_read($this->certs['cert']);
     $this->cert_info = openssl_x509_parse($this->cert_data);
 }
 /**
  * Archive creator for phar, tar, tgz and zip archives.
  *
  * When the Phar extension cannot write or $path is not a valid phar
  * filename, the PharData class is used instead. If a PKCS12 certificate
  * is supplied it is opened, its certificate is checked for the SSL-server
  * purpose against the Pyrus channel authorities and matched to the
  * releasing maintainer's e-mail address, and the PEM keys are kept for
  * signing.
  *
  * @param string                    $path        path to primary archive
  * @param string|false              $stub        stub or false to use default stub of phar archives
  * @param int                       $fileformat  one of Phar::TAR, Phar::PHAR, or Phar::ZIP
  * @param int                       $compression if the archive can be compressed (phar and tar), one of
  *                                               Phar::GZ, Phar::BZ2 or Phar::NONE for no compression
  * @param array|null                $others      an array of arrays containing information on additional
  *                                               archives to create.  The indices are:
  *
  *               0. extension (tar/tgz/zip)
  *               1. format (Phar::TAR, Phar::ZIP, Phar::PHAR)
  *               2. compression (Phar::GZ, Phar::BZ2, Phar::NONE)
  * @param string|null               $releaser    key of the releasing maintainer in $new->maintainer
  *                                               (used only when $pkcs12 is given)
  * @param \PEAR2\Pyrus\Package|null $new         package whose maintainer list identifies the releaser
  *                                               (used only when $pkcs12 is given)
  * @param string|null               $pkcs12      path of the PKCS12 certificate to be used to sign the archive.
  *                                               This must be a certificate issued by a certificate authority
  *                                               known to Pyrus; self-signed certs will not be accepted
  * @param string                    $passphrase  passphrase, if any, for the PKCS12 certificate.
  *
  * @throws \PEAR2\Pyrus\Developer\Creator\Exception when Phar or openssl is unavailable, the
  *         certificate cannot be opened, fails the purpose check, or does not carry the
  *         releaser's e-mail address
  */
 function __construct($path, $stub = false, $fileformat = \Phar::TAR, $compression = \Phar::GZ, array $others = null, $releaser = null, \PEAR2\Pyrus\Package $new = null, $pkcs12 = null, $passphrase = '')
 {
     if (!class_exists('Phar')) {
         throw new \PEAR2\Pyrus\Developer\Creator\Exception('Phar extension is not available');
     }
     // PharData handles tar/zip when phar files cannot be written or the name is not a phar name.
     if (!\Phar::canWrite() || !\Phar::isValidPharFilename($path, true)) {
         $this->_classname = 'PharData';
     }
     $this->path = $path;
     $this->compression = $compression;
     $this->format = $fileformat;
     $this->others = $others;
     $this->stub = $stub;
     if ($pkcs12 && !extension_loaded('openssl')) {
         throw new \PEAR2\Pyrus\Developer\Creator\Exception('Unable to use ' . 'OpenSSL signing of phars, enable the openssl PHP extension');
     }
     $this->pkcs12 = $pkcs12;
     $this->passphrase = $passphrase;
     if (null !== $this->pkcs12) {
         // $this->pkcs12 is a file path; the container is read and decrypted here.
         $cert = array();
         $pkcs = openssl_pkcs12_read(file_get_contents($this->pkcs12), $cert, $this->passphrase);
         if (!$pkcs) {
             throw new \PEAR2\Pyrus\Developer\Creator\Exception('Unable to process openssl key');
         }
         $private = openssl_pkey_get_private($cert['pkey']);
         if (!$private) {
             throw new \PEAR2\Pyrus\Developer\Creator\Exception('Unable to extract private openssl key');
         }
         $pub = openssl_pkey_get_public($cert['cert']);
         $info = openssl_x509_parse($cert['cert']);
         $details = openssl_pkey_get_details($pub);
         // The certificate must chain to one of the channel's trusted authorities;
         // openssl_x509_checkpurpose returns true only on success (false/-1 otherwise).
         if (true !== openssl_x509_checkpurpose($cert['cert'], X509_PURPOSE_SSL_SERVER, \PEAR2\Pyrus\Channel\RemotePackage::authorities())) {
             throw new \PEAR2\Pyrus\Developer\Creator\Exception('releasing maintainer\'s certificate is invalid');
         }
         // now verify that this cert is in fact the releasing maintainer's certificate
         // by verifying that alternate name is the releaser's email address
         // NOTE(review): $new and $releaser are not checked for null before this
         // lookup; a null $new here would fail on the property access.
         if (!isset($info['subject']) || !isset($info['subject']['emailAddress'])) {
             throw new \PEAR2\Pyrus\Developer\Creator\Exception('releasing maintainer\'s certificate does not contain' . ' an alternate name corresponding to the releaser\'s email address');
         }
         if ($info['subject']['emailAddress'] != $new->maintainer[$releaser]->email) {
             throw new \PEAR2\Pyrus\Developer\Creator\Exception('releasing maintainer\'s certificate ' . 'alternate name does not match the releaser\'s email address ' . $new->maintainer[$releaser]->email);
         }
         // Re-export the private key as unencrypted PEM for the signing step.
         $pkey = '';
         openssl_pkey_export($private, $pkey);
         $this->x509cert = $cert['cert'];
         $this->publickey = $details['key'];
         $this->privatekey = $pkey;
     }
 }
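 /**
  * Construct
  *
  * When $path is true, $certificate is a path to a P12 file which is read
  * and unpacked into the certificate, private key and chain. Otherwise
  * $certificate is stored as-is.
  *
  * @param String $certificate P12 file path, or certificate content when $path is false
  * @param String $passphrase  Passphrase for the certificate
  * @param bool   $path        The certificate variable is a path
  * @throws \RuntimeException When the P12 file cannot be read or decrypted
  */
 function __construct($certificate, $passphrase = null, $path = true)
 {
     if ($path) {
         $this->certificate_path = $certificate;
         $certificate = is_file($this->certificate_path) ? file_get_contents($this->certificate_path) : false;
         if ($certificate === false) {
             throw new \RuntimeException('Cannot read certificate file: ' . $this->certificate_path);
         }
         // The certificate file must be in p12 format; report a failure
         // instead of silently populating the properties with nulls.
         $array_cert = array();
         if (!openssl_pkcs12_read($certificate, $array_cert, $passphrase)) {
             throw new \RuntimeException('Cannot decrypt p12 certificate (wrong passphrase or invalid format): ' . openssl_error_string());
         }
         $this->certificate = isset($array_cert["cert"]) ? $array_cert["cert"] : null;
         // Property name kept as-is (sic) for compatibility with existing callers.
         $this->pivate_key = isset($array_cert["pkey"]) ? $array_cert["pkey"] : null;
         $this->chain = isset($array_cert["extracerts"]) ? $array_cert["extracerts"] : null;
     } else {
         $this->certificate = $certificate;
     }
     $this->passphrase = $passphrase;
 }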
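/**
 * Sign $data with the private key held in a .pfx (PKCS#12) certificate and
 * return the base64-encoded signature.
 *
 * @param  string $pfx  Path to the pfx certificate file
 * @param  string $pwd  Password of the pfx file
 * @param  string $data Content to sign
 * @return string|null  Base64 signature, or null when the pfx cannot be
 *                      read/decrypted, holds no key, or signing fails
 */
function rsa_sign1($pfx, $pwd, $data)
{
    // 1. Read the certificate with its password; report failure through the
    //    same null return used for a failed signature.
    $p12buf = is_file($pfx) ? file_get_contents($pfx) : false;
    if ($p12buf === false) {
        return null;
    }
    $cert_arr = array();
    if (!openssl_pkcs12_read($p12buf, $cert_arr, $pwd) || empty($cert_arr['pkey']) || empty($cert_arr['cert'])) {
        return null;
    }
    // 2. Parse the certificate. NOTE: the validity period is parsed but not
    //    enforced here (validFrom_time_t/validTo_time_t are available in $cer
    //    if callers need to reject expired certificates).
    $cer = openssl_x509_parse($cert_arr['cert']);
    // 3. Load the private key.
    $pkey = openssl_get_privatekey($cert_arr['pkey']);
    if ($pkey === false) {
        return null;
    }
    $signature = '';
    $data = strval($data);
    // SHA-1 is presumably fixed by the peer's signature format -- confirm
    // before switching to SHA-256.
    if (!openssl_sign($data, $signature, $pkey, OPENSSL_ALGO_SHA1)) {
        return null;
    }
    return base64_encode($signature);
}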
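 /**
  * Return the private key from the keystore selected by the current
  * environment (production or sandbox).
  *
  * Keystore path and password come from class constants; a production
  * deployment should source the password from configuration rather than
  * from source code.
  *
  * @return string PEM-encoded private key
  * @throws \RuntimeException When the keystore is missing, cannot be
  *         decrypted, or holds no private key
  */
 public function getPrivateKey()
 {
     if ($this->environment == Environment::PRODUCTION) {
         $keystorePath = self::PRODUCTION_KEYSTORE_PATH;
         $keystorePassword = self::PRODUCTION_KEYSTORE_PASSWORD;
     } else {
         $keystorePath = self::SANDBOX_KEYSTORE_PATH;
         $keystorePassword = self::SANDBOX_KEYSTORE_PASSWORD;
     }
     // realpath() yields false for a missing file; check before reading so a
     // bad path fails here rather than as an undefined 'pkey' index later.
     $path = realpath($keystorePath);
     if ($path === false || !is_file($path)) {
         throw new \RuntimeException('Keystore not found: ' . $keystorePath);
     }
     $pkcs12 = file_get_contents($path);
     if ($pkcs12 === false) {
         throw new \RuntimeException('Keystore cannot be read: ' . $path);
     }
     $keystore = array();
     if (!openssl_pkcs12_read($pkcs12, $keystore, $keystorePassword)) {
         throw new \RuntimeException('Keystore cannot be decrypted (wrong password or invalid PKCS#12): ' . openssl_error_string());
     }
     if (empty($keystore['pkey'])) {
         throw new \RuntimeException('Keystore contains no private key');
     }
     return $keystore['pkey'];
 }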
 /**
  * Fetch the private CERT key for the signature
  *
  * The p12 file name and its password are placeholders that must be
  * replaced before use.
  *
  * @param OAuthRequest request
  * @return resource private key handle
  * @throws OAuthException When the p12 file cannot be parsed, has no
  *         private key, or the key cannot be loaded
  */
 protected function fetch_private_cert(&$request)
 {
     $passphrase = 'replace-this-withp12-cert-password';
     $bundle = file_get_contents("replace-this-with-pl2-filename");
     $parsed = array();
     $opened = openssl_pkcs12_read($bundle, $parsed, $passphrase);
     if ($opened === false) {
         throw new OAuthException("Unable to parse the p12 file.  " . "Is this a .p12 file?  Is the password correct?  OpenSSL error: " . openssl_error_string());
     }
     $pem = array_key_exists("pkey", $parsed) ? $parsed["pkey"] : null;
     if (!$pem) {
         throw new OAuthException("No private key found in p12 file.");
     }
     $handle = openssl_pkey_get_private($pem);
     if (!$handle) {
         throw new OAuthException("Unable to load private key in ");
     }
     return $handle;
 }
 /**
  * Constructor: builds the configuration and loads the digital certificate.
  *
  * A specific configuration for the electronic signature can be passed as
  * an array with the keys file and pass, where file is the path to the
  * .p12 file holding both the private and the public key and pass is the
  * password that opens it. Example:
  *
  * \code{.php}
  *   $firma_config = ['file'=>'/ruta/al/certificado.p12', 'pass'=>'contraseña'];
  *   $firma = new \sasco\LibreDTE\FirmaElectronica($firma_config);
  * \endcode
  *
  * When no configuration is given and sowerphp's Configure class exists,
  * the 'firma_electronica.default' setting is used. Missing file or wrong
  * password are reported through $this->error().
  *
  * @param config Configuration for the class; determined automatically when omitted
  * @author Esteban De La Fuente Rubio, DeLaF (esteban[at]sasco.cl)
  * @version 2014-12-08
  */
 public function __construct($config = [])
 {
     // build the configuration
     if (empty($config) && class_exists('\\sowerphp\\core\\Configure')) {
         $config = (array) \sowerphp\core\Configure::read('firma_electronica.default');
     }
     $defaultDir = defined('DIR_PROJECT') ? DIR_PROJECT . '/data/firma_electronica/' : '';
     $defaults = ['file' => $defaultDir . 'default.p12', 'pass' => '', 'wordwrap' => 64];
     $this->config = array_merge($defaults, $config);
     // load the digital certificate
     $file = $this->config['file'];
     if (!file_exists($file)) {
         $this->error('Archivo de la firma electrónica ' . basename($file) . ' no existe');
         return;
     }
     $pkcs12 = file_get_contents($file);
     $opened = openssl_pkcs12_read($pkcs12, $this->certs, $this->config['pass']);
     if ($opened === false) {
         $this->error('Contraseña incorrecta para la firma electrónica ' . basename($file));
     }
 }
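 /**
  * Builds and returns a JWT (JSON Web Signature) to submit to Google's
  * OAuth2 endpoint. See https://developers.google.com/accounts/docs/OAuth2ServiceAccount
  * for documentation on the contents of this signature.
  *
  * Segments are base64url-encoded without padding as RFC 7515 §2 requires;
  * the key is taken from the .p12 file, which Google issues with the fixed
  * password "notasecret".
  *
  * @return string
  * @throws RuntimeException When the key file cannot be read/parsed, holds
  *         no private key, or signing fails
  */
 private function _getJWT()
 {
     // JWS segments must be base64url without '=' padding; plain base64
     // emits '+', '/' and '=', which spec-compliant verifiers reject.
     $b64url = function ($data) {
         return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
     };
     $header = array('alg' => 'RS256', 'typ' => 'JWT');
     $requestTime = time();
     $claimSet = array('iss' => $this->_user, 'scope' => $this->_scope, 'aud' => $this->_authTarget, 'exp' => $requestTime + 3600, 'iat' => $requestTime);
     if ($this->_onBehalfOfUser !== null) {
         $claimSet['sub'] = $this->_onBehalfOfUser;
     }
     $payload = $b64url(json_encode($header)) . '.' . $b64url(json_encode($claimSet));
     $cert = array();
     $pkcs12 = is_file($this->_keyFile) ? file_get_contents($this->_keyFile) : false;
     if ($pkcs12 === false || !openssl_pkcs12_read($pkcs12, $cert, 'notasecret')) {
         throw new RuntimeException('Unable to load private key from file.');
     }
     if (empty($cert['pkey'])) {
         throw new RuntimeException('Key file does not contain a private key.');
     }
     $signature = '';
     if (!openssl_sign($payload, $signature, $cert['pkey'], 'sha256')) {
         throw new RuntimeException('Unable to generate signature.');
     }
     return $payload . '.' . $b64url($signature);
 }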
 /**
  * Load the private key from a PKCS#12 container for Google API signing.
  *
  * @param string $p12      Raw PKCS#12 bytes
  * @param string $password Password protecting the container
  * @throws Exception           When the openssl extension is missing
  * @throws Google_AuthException When the container cannot be parsed, has
  *         no private key, or the key cannot be loaded
  */
 function __construct($p12, $password)
 {
     if (!function_exists('openssl_x509_read')) {
         throw new Exception('The Google PHP API library needs the openssl PHP extension');
     }
     // This throws on error
     $bundle = array();
     $opened = openssl_pkcs12_read($p12, $bundle, $password);
     if ($opened === false) {
         throw new Google_AuthException("Unable to parse the p12 file.  " . "Is this a .p12 file?  Is the password correct?  OpenSSL error: " . openssl_error_string());
     }
     // TODO(beaton): is this part of the contract for the openssl_pkcs12_read
     // method?  What happens if there are multiple private keys?  Do we care?
     $pem = array_key_exists("pkey", $bundle) ? $bundle["pkey"] : null;
     if (!$pem) {
         throw new Google_AuthException("No private key found in p12 file.");
     }
     $this->privateKey = openssl_pkey_get_private($pem);
     if (!$this->privateKey) {
         throw new Google_AuthException("Unable to load private key in ");
     }
 }
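/**
 * Create a detached PKCS#7 signature of {$package_dir}/manifest.json with the
 * push-notification certificate and write it in DER form to
 * {$package_dir}/signature.
 *
 * @param string $package_dir   Directory holding manifest.json; receives the signature file
 * @param string $cert_path     Path to the PKCS#12 certificate
 * @param string $cert_password Password protecting the PKCS#12 file
 * @return bool true on success, false on any failure (previously reported
 *              only by the absence of a signature file)
 */
function create_signature($package_dir, $cert_path, $cert_password)
{
    // Load the push notification certificate
    $pkcs12 = is_file($cert_path) ? file_get_contents($cert_path) : false;
    if ($pkcs12 === false) {
        return false;
    }
    $certs = array();
    if (!openssl_pkcs12_read($pkcs12, $certs, $cert_password) || empty($certs['cert']) || empty($certs['pkey'])) {
        return false;
    }
    $signature_path = "{$package_dir}/signature";
    // Sign the manifest.json file with the private key from the certificate.
    // The PEM key returned by openssl_pkcs12_read is unencrypted, so no
    // passphrase is needed to load it.
    $cert_data = openssl_x509_read($certs['cert']);
    $private_key = openssl_pkey_get_private($certs['pkey']);
    if ($cert_data === false || $private_key === false) {
        return false;
    }
    if (!openssl_pkcs7_sign("{$package_dir}/manifest.json", $signature_path, $cert_data, $private_key, array(), PKCS7_BINARY | PKCS7_DETACHED)) {
        return false;
    }
    // Convert the signature from PEM (S/MIME body) to DER
    $signature_pem = file_get_contents($signature_path);
    $matches = array();
    if ($signature_pem === false || !preg_match('~Content-Disposition:[^\\n]+\\s*?([A-Za-z0-9+=/\\r\\n]+)\\s*?-----~', $signature_pem, $matches)) {
        return false;
    }
    $signature_der = base64_decode($matches[1]);
    return file_put_contents($signature_path, $signature_der) !== false;
}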
 /**
  * getPKCS12SelfSigned() must produce a readable PKCS#12 whose certificate
  * subject carries exactly the supplied distinguished-name fields.
  */
 public function testGetPKCS12SelfSigned()
 {
     $subject = array(
         'C' => array("US", "PKCS12 Country does not match"),
         'ST' => array("Georgia", "PKCS12 State does not match"),
         'L' => array("Roswell", "PKCS12 Locality does not match"),
         'O' => array("Werx Limited", "PKCS12 Orginization name does not match"),
         'OU' => array("", "PKCS12 Orginization unit name does not match"),
         'CN' => array("Wes Widner", "PKCS12 Common name does not match"),
         'emailAddress' => array("*****@*****.**", "PKCS12 Email address does not match"),
     );
     $pks12 = $this->object->getPKCS12SelfSigned($subject['C'][0], $subject['ST'][0], $subject['L'][0], $subject['O'][0], $subject['OU'][0], $subject['CN'][0], $subject['emailAddress'][0]);
     $this->assertNotNull($pks12, "PKCS12 cert not generated properly");
     openssl_pkcs12_read($pks12, $data, null);
     $this->assertNotNull($data, "PKCS12 Data not read properly");
     $this->assertNotNull($data['cert'], "PKCS12 Cert data does not exist");
     $certdata = openssl_x509_parse($data['cert']);
     // Same assertion order and (actual, expected) argument order as before.
     foreach ($subject as $field => $spec) {
         list($expected, $message) = $spec;
         $this->assertEquals($certdata['subject'][$field], $expected, $message);
     }
 }
 /**
  * Build a QPay API client from merchant credentials and a PKCS#12 bundle.
  *
  * The bundle is read from disk (an SplFileInfo is resolved to its real
  * path) and unpacked; the certificate, private key and concatenated CA
  * chain are handed to the respective setters when present.
  *
  * @param string              $merchantName name of the merchant
  * @param string|\SplFileInfo $pkcs12       filename or content of the certificate file
  * @param string              $password     certificate password
  * @param string              $uuid         uuid
  *
  * @throws \RuntimeException    When merchant name or password is empty
  * @throws FileNotFoundException When the certificate file does not exist
  * @throws \Exception           When the bundle cannot be parsed (OpenSSL error text)
  */
 public function __construct($merchantName, $pkcs12, $password, $uuid)
 {
     $this->merchantName = $merchantName;
     $this->certificatePassword = $password;
     $this->uuid = $uuid;
     if (!$merchantName || !$password) {
         throw new \RuntimeException('Invalid QPay Api credentials');
     }
     $location = $pkcs12 instanceof \SplFileInfo ? $pkcs12->getRealPath() : $pkcs12;
     if (!file_exists($location)) {
         $fileInfo = new \SplFileInfo($location);
         throw new FileNotFoundException(sprintf('The certificate file called "%s" could not be found.', $fileInfo->getPathname()));
     }
     $bundle = file_get_contents($location);
     $parsed = [];
     if (!openssl_pkcs12_read($bundle, $parsed, $password)) {
         throw new \Exception(openssl_error_string());
     }
     if (isset($parsed['cert'])) {
         $this->setClientCertificate($parsed['cert']);
     }
     if (isset($parsed['pkey'])) {
         $this->setCertificateKey($parsed['pkey']);
     }
     if (isset($parsed['extracerts'])) {
         // The CA chain is passed on as one concatenated PEM string.
         $this->setAuthorityCertificate(implode('', $parsed['extracerts']));
     }
 }
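 /**
  * Load the PKCS#12 bundle, validate its certificate and materialise the
  * certificate, private key and combined PEM files under $this->certDir.
  *
  * Existing files are left untouched. Failures are logged via error_log()
  * and reported by returning false. Files that hold the private key are
  * created in a 0700 directory and restricted to 0600: the key is written
  * unencrypted, so it must not be readable by other accounts on the host.
  *
  * @return bool
  */
 private function loadCert()
 {
     $x509CertData = array();
     $contents = is_file($this->pkcs12) ? file_get_contents($this->pkcs12) : false;
     if ($contents === false || !openssl_pkcs12_read($contents, $x509CertData, $this->passphrase)) {
         error_log(__METHOD__ . ': Certificate cannot be read. File is corrupted or invalid format.');
         return false;
     }
     if (empty($x509CertData['cert']) || empty($x509CertData['pkey'])) {
         error_log(__METHOD__ . ': PKCS#12 bundle does not contain both a certificate and a private key.');
         return false;
     }
     // Bare base64 body of the certificate (PEM armour and newlines stripped).
     $this->X509Certificate = preg_replace("/[\n]/", '', preg_replace('/\\-\\-\\-\\-\\-[A-Z]+ CERTIFICATE\\-\\-\\-\\-\\-/', '', $x509CertData['cert']));
     if (!self::validateCert($x509CertData['cert'])) {
         return false;
     }
     if (!is_dir($this->certDir)) {
         // Owner-only (was 0777): this directory receives the unencrypted key.
         // If another account must read the certificate, grant it explicitly
         // rather than opening the directory to everyone.
         if (!mkdir($this->certDir, 0700)) {
             error_log(__METHOD__ . ': Cannot create folder ' . $this->certDir);
             return false;
         }
     }
     if (!file_exists($this->privateKey)) {
         if (!file_put_contents($this->privateKey, $x509CertData['pkey']) || !chmod($this->privateKey, 0600)) {
             error_log(__METHOD__ . ': Cannot create file ' . $this->privateKey);
             return false;
         }
     }
     if (!file_exists($this->publicKey)) {
         if (!file_put_contents($this->publicKey, $x509CertData['cert'])) {
             error_log(__METHOD__ . ': Cannot create file ' . $this->publicKey);
             return false;
         }
     }
     if (!file_exists($this->key)) {
         // Combined cert + key also contains the private key: same 0600 rule.
         if (!file_put_contents($this->key, $x509CertData['cert'] . $x509CertData['pkey']) || !chmod($this->key, 0600)) {
             error_log(__METHOD__ . ': Cannot create file ' . $this->key);
             return false;
         }
     }
     return true;
 }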
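 /**
  * Load the PKCS#12 bundle, validate its certificate and materialise the
  * certificate, private key and combined PEM files under $this->certDir.
  *
  * Existing files are left untouched. Failures are logged via error_log()
  * (messages in Portuguese) and reported by returning false. Files that
  * hold the private key are created in a 0700 directory and restricted to
  * 0600: the key is written unencrypted, so it must not be readable by
  * other accounts on the host.
  *
  * @return bool
  */
 private function loadCert()
 {
     $x509CertData = array();
     $contents = is_file($this->pkcs12) ? file_get_contents($this->pkcs12) : false;
     if ($contents === false || !openssl_pkcs12_read($contents, $x509CertData, $this->passphrase)) {
         error_log(__METHOD__ . ': Certificado não pode ser lido. O arquivo esta corrompido ou em formato invalido.');
         return false;
     }
     if (empty($x509CertData['cert']) || empty($x509CertData['pkey'])) {
         error_log(__METHOD__ . ': O arquivo PKCS#12 não contém certificado e chave privada.');
         return false;
     }
     // Bare base64 body of the certificate (PEM armour and newlines stripped).
     $this->X509Certificate = preg_replace("/[\n]/", '', preg_replace('/\\-\\-\\-\\-\\-[A-Z]+ CERTIFICATE\\-\\-\\-\\-\\-/', '', $x509CertData['cert']));
     if (!self::validateCert($x509CertData['cert'])) {
         return false;
     }
     if (!is_dir($this->certDir)) {
         // Owner-only (was 0777): this directory receives the unencrypted key.
         // If another account must read the certificate, grant it explicitly
         // rather than opening the directory to everyone.
         if (!mkdir($this->certDir, 0700)) {
             error_log(__METHOD__ . ': Falha ao criar o diretorio ' . $this->certDir);
             return false;
         }
     }
     if (!file_exists($this->privateKey)) {
         if (!file_put_contents($this->privateKey, $x509CertData['pkey']) || !chmod($this->privateKey, 0600)) {
             error_log(__METHOD__ . ': Falha ao criar o arquivo ' . $this->privateKey);
             return false;
         }
     }
     if (!file_exists($this->publicKey)) {
         if (!file_put_contents($this->publicKey, $x509CertData['cert'])) {
             error_log(__METHOD__ . ': Falha ao criar o arquivo ' . $this->publicKey);
             return false;
         }
     }
     if (!file_exists($this->key)) {
         // Combined cert + key also contains the private key: same 0600 rule.
         if (!file_put_contents($this->key, $x509CertData['cert'] . $x509CertData['pkey']) || !chmod($this->key, 0600)) {
             error_log(__METHOD__ . ': Falha ao criar o arquivo ' . $this->key);
             return false;
         }
     }
     return true;
 }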