function signNewCert()
{
if (!$GLOBALS['isCA']) {
return false;
} else {
$CAPrivKey = new Crypt_RSA();
$CAPrivKey->loadKey($GLOBALS['CAPrivKeyStr']);
$CAx509 = new File_X509();
$CAx509->loadX509($GLOBALS['CAPubX509']);
//认证证书
$privKey = new Crypt_RSA();
$keyArray = $CAPrivKey->createKey($GLOBALS['RSALength']);
$privKey->loadKey($keyArray['privatekey']);
$pubKey = new Crypt_RSA();
$pubKey->loadKey($keyArray['publickey']);
$pubKey->setPublicKey();
$subject = new File_X509();
$subject->setDNProp('id-at-organizationName', $GLOBALS['CAname'] . ' cert');
$subject->setPublicKey($pubKey);
$issuer = new File_X509();
$issuer->setPrivateKey($CAPrivKey);
$issuer->setDN($CAx509->getDN());
$x509 = new File_X509();
$result = $x509->sign($issuer, $subject);
return array('privateKey' => $privKey->getPrivateKey(), 'publicX509' => $x509->saveX509($result));
}
}
public function generateKeyPair($keyPath, $keySize = 1024)
{
$privKey = new \Crypt_RSA();
extract($privKey->createKey($keySize));
$privKey->loadKey($privatekey);
$pubKey = new \Crypt_RSA();
$pubKey->loadKey($publickey);
$pubKey->setPublicKey();
$subject = new \File_X509();
$subject->setDNProp('id-of-organization', 'phpseclib demo cert');
$subject->setPublicKey($pubKey);
$issuer = new \File_X509();
$issuer->setPrivateKey($privKey);
$issuer->setDN($subject->getDN());
$x509 = new \File_X509();
$result = $x509->sign($issuer, $subject);
file_put_contents($keyPath . '/private.key', $privKey->getPrivateKey());
file_put_contents($keyPath . '/public.crt', $x509->saveX509($result));
}
/**
* @param array $caKeyPair
* @param string $caCert
* PEM-encoded cert.
* @param string $csr
* PEM-encoded CSR.
* @param int $serialNumber
* @return string
* PEM-encoded cert.
*/
public static function signCSR($caKeyPair, $caCert, $csr, $serialNumber = 1)
{
$privKey = new \Crypt_RSA();
$privKey->loadKey($caKeyPair['privatekey']);
$subject = new \File_X509();
$subject->loadCSR($csr);
$issuer = new \File_X509();
$issuer->loadX509($caCert);
$issuer->setPrivateKey($privKey);
$x509 = new \File_X509();
$x509->setSerialNumber($serialNumber, 10);
$x509->setEndDate(date('c', strtotime(Constants::APP_DURATION, Time::getTime())));
$result = $x509->sign($issuer, $subject, Constants::CERT_SIGNATURE_ALGORITHM);
return $x509->saveX509($result);
}
// Load the certificate public key.
$pubkey = new Crypt_RSA();
$pubkey->loadKey(file_get_contents('certs/pubkey.pem'));
$pubkey->setPublicKey();
// Build the new certificate.
$iPhoneDeviceCA = new File_X509();
$iPhoneDeviceCA->loadCA($pemca);
$iPhoneDeviceCA->setPublicKey($pubkey);
$iPhoneDeviceCA->setDN('C=US, ST=Some-State, L=Cupertino, O=Apple Inc., OU=Apple iPhone, CN=Apple iPhone Device CA');
$iPhoneDeviceCA->setStartDate('-1 day');
$iPhoneDeviceCA->setEndDate('+ 1 year');
$iPhoneDeviceCA->setSerialNumber('10134611745959375605', 10);
// Sign new certificate.
$iPhoneDeviceCA_Result = $iPhoneDeviceCA->sign($ca, $iPhoneDeviceCA);
// Output it.
echo $iPhoneDeviceCA->saveX509($iPhoneDeviceCA_Result) . "\n";
// subject=/C=US/O=Apple Inc./OU=Apple iPhone/CN=Apple iPhone Device CA
// issuer=/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple iPhone
// Certification Authority
// Build the new certificate.
$iPhoneActivation = new File_X509();
$iPhoneActivation->loadCA($pemca);
$iPhoneActivation->setPublicKey($pubkey);
$iPhoneActivation->setDN('C=US, ST=Some-State, L=Cupertino, O=Apple Inc., OU=Apple iPhone, CN=Apple iPhone Activation');
$iPhoneActivation->setStartDate('-1 day');
$iPhoneActivation->setEndDate('+ 1 year');
$iPhoneActivation->setSerialNumber('2', 10);
// Sign new certificate.
$iPhoneActivation_Result = $iPhoneActivation->sign($ca, $iPhoneActivation);
// Output it.
echo $iPhoneActivation->saveX509($iPhoneActivation_Result) . "\n";
$subject->setDNProp('id-at-organizationName', 'phpseclib demo CA');
$subject->setPublicKey($pubKey);
$issuer = new File_X509();
$issuer->setPrivateKey($CAPrivKey);
$issuer->setDN($CASubject = $subject->getDN());
$x509 = new File_X509();
$x509->makeCA();
$result = $x509->sign($issuer, $subject);
echo "the CA cert to be imported into the browser is as follows:\r\n\r\n";
echo $x509->saveX509($result);
echo "\r\n\r\n";
// create private key / x.509 cert for stunnel / website
$privKey = new Crypt_RSA();
extract($privKey->createKey());
$privKey->loadKey($privatekey);
$pubKey = new Crypt_RSA();
$pubKey->loadKey($publickey);
$pubKey->setPublicKey();
$subject = new File_X509();
$subject->setDNProp('id-at-organizationName', 'phpseclib demo cert');
$subject->setPublicKey($pubKey);
$issuer = new File_X509();
$issuer->setPrivateKey($CAPrivKey);
$issuer->setDN($CASubject);
$x509 = new File_X509();
$result = $x509->sign($issuer, $subject);
echo "the stunnel.pem contents are as follows:\r\n\r\n";
echo $privKey->getPrivateKey();
echo "\r\n";
echo $x509->saveX509($result);
echo "\r\n";
$pubkey->loadKey($pkeyxq);
$pubkey->setPublicKey();
$x509 = new File_X509();
$csr = $x509->loadCSR($deviceCertRequest);
// see csr.csr
$dn = $x509->getDN(true);
// Build the new certificate.
$iPhoneDeviceCA = new File_X509();
$iPhoneDeviceCA->loadCA($pemca);
$iPhoneDeviceCA->setPublicKey($pubkey);
$iPhoneDeviceCA->setDN($dn);
$iPhoneDeviceCA->setStartDate('-1 day');
$iPhoneDeviceCA->setEndDate('+ 1 year');
$iPhoneDeviceCA->setSerialNumber('10134611745959375605', 10);
// Sign new certificate.
$iPhoneDeviceCA_Result = $iPhoneDeviceCA->sign($ca, $iPhoneDeviceCA);
// Output it.
$deviceCertificate = base64_encode($iPhoneDeviceCA->saveX509($iPhoneDeviceCA_Result) . "<br>");
$responseAlbert = '<!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="keywords" content="iTunes Store" /><meta name="description" content="iTunes Store" /><title>iPhone Activation</title><link href="http://static.ips.apple.com/ipa_itunes/stylesheets/shared/common-min.css" charset="utf-8" rel="stylesheet" /><link href="http://static.ips.apple.com/deviceservices/stylesheets/styles.css" charset="utf-8" rel="stylesheet" /><link href="http://static.ips.apple.com/ipa_itunes/stylesheets/pages/IPAJingleEndPointErrorPage-min.css" charset="utf-8" rel="stylesheet" /><script id="protocol" type="text/x-apple-plist"><plist version="1.0">
<dict>
<key>iphone-activation</key>
<dict>
<key>activation-record</key>
<dict>
<key>FairPlayKeyData</key>
<data>LS0tLS1CRUdJTiBDT05UQUlORVItLS0tLQpBQUVBQWF4dGtJQkpNNDhYMFNmY2FQOWMwU2xYY3FqandUMCtXMzlrbXp0bXMrc2xmVDltbE9lS2VwUjVTNnhFClpKYU4xbFViMXpqc3hhOVc0TUhYeEsybzF5bnhRM2V0b3l5bXc0OFVmUlJyNzJON2xNU3BRT3BNeDJoUXZTclMKUW9Db0psVWtOSzBRM2s4M1BKVXBlaFFuenBSeGgxUHhOUmI5eXB5K2RUVHh6L0RVTmt0R3BFekkxa245d2pXaQpTMzRURjloTDc5L3BGUmtHcnB5KzFLdGI5T2MyK2d5QzZoc1RFSEVqcTRNM3k4dGZWNUJ2Z1pDWFM3Y2J4VVhiClpoSjJkenUzYWpraWZ1UHR6azVtT3hzUjhIYitQdklDT0dvQWJZNC95SkFJRHBEdWNwNHExQVJ1bVlDeFhFd1gKQ0JVOHRpMGNLMDlyUUUzdmtLbG9oZDVJOGlMTHVkcmFSQzI0TUtycTJMVjB4K3RMWkppb2NNb3hwNk9XdW5DeQpNN2xzT2NIY2Zicjl0SVA2ZlpWUW1qcXFScC9ibm91eEE0b2RHUzNla0RjQ05LbnVhamY3dUZ6eHNRSjhjZG4zCkR0MjE5SWhXbGZ6RnFHZDlqU29KRHNJMVM3bEJVRXEvRGUxeXVGMkNYbjk4djZLTzJpeW4wOGtkaW5PN0k2Zk0KNWVCNWxISCtiL21NQStycUVEWGVaQnRRdHpNczZ2cFB2Z2IwWWZzYnd0cHB1bGRhUnI0NERPbm5qMVFBQnRmRQpBWHhaVjhoS0NIZmRKMFdVbmY3K3VXRDVVYWNMcmNWdWpwU2cyb256UURKWDFoNVNmVUNMUWNpbFZMUzBaR3pCCm5maWNkSDlYMU5NK1FHQzU0K3lzVE0rVzh6QUJFQlhSNEhOdGFKQjJ0SkVUclExOWQ2SS9rSG02WVAzSm9vZWIKQk1kT09MNDg2NlZlR21nVjVTM3hXT2srY21SNGtobFp3MVFpSVhkSjBxT3U4MHpaSFEvUGpJdk83SHUrNWl5RApIK2JqYlBLWFUrR1Z5bDNEWDB5MHoyVmJjUUx2bzZjTDdCVmQ5OVFXNUVCdDBvTUsrMmIyZjdoNGsxWVlYYzA5ClZ1clJ2SnJnRm5teVh5MUs0bHlUakJDaTVRUzdOakFlT0QyTWo1bVRKNVlBNGxHYytPREREcnQ3YmkrR1B5L3QKWkpZdjE1Zk5EL25acnh5c09zNWhaVjZablRIQ0hxZUxkcGthMFFrUXdSS0YrNis4NCtSeHVIL3NLeXY0SFRkUQpZcnllUGxpSnZheUMwekwxTjJrNjNETTdweXNTT2t0d2FWNEs1dkV4VHY3N3kzL1ptVHRtZi9Ic2tWTTVMbDlaClBIWm5ieFVzYXFQeExzWjRFeEQ0SkJOSXh3d1BxWGhTYUZURFZzTFc0Rld5VUJLOGZSbTFNRGZSUnJaMkdCQ3IKeERqUGNVRjVBWkRENlhhQXZGS0VKSW5lc0JvR0JUY3phYVNQL3pxNFBZM3UxVEFMN1hFZTRqY3plR3pCSGRlTAp2aVIxditRMm9aYzcwUDFHaTJoL0xLUEVGQVM3VElvZU5HWjhkcXFmSDBLZHdJK3FTcFJOUkQvc0c0cFNmNXJQCnpwZytFcFgvdXZDWW5Zb2pLNnFzR0JFWWk3cFRrbkhtLzRkUmY4MmlrODc4c3lVaFR0UlFBMGV5OC9iN0szamIKUldWYUgxRDFRWFozV2VEc1RnbTMwbjVGeE5hZnFTZnE0NmpHam9mSWZjVFpFMEhvS2ppYkFVemtKVUxWYzJDUwpycW80MkR6ZUp3am1jRDEyV2x1bkIwL0pTd01aSkFQalExYkpTL094c2JEQzVFNTZjaC84YVdLd2xnN2hyNlhwCmNsd2RWb2FTcVRXcmt4NFVOdkVYek1WeFhRZUNrNHQ3WjZHOVRBZUt5V05YcGFReXJ0K05Xb0RCZVNLVkFQM1YKMWdHRThoNkxLMGxIRVppYVRVSGRXOVo0ZGUvWVNkUGZkOFcvL2dnbEhSNkVoWFJmCi0tLS0tRU5EIENPTlRBSU5FUi0tLS0tCg==</data>
<key>AccountTokenCertificate</key>
<data>' . $accountTokenCertificate . '</data>
<key>DeviceCertificate</key>
<data>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4ekNDQWx5Z0F3SUJBZ0lLQUptOU1Sdk95cFVNMnpBTkJna3Foa2lHOXcwQkFRVUZBREJhTVFzd0NRWUQKVlFRR0V3SlZVekVUTUJFR0ExVUVDaE1LUVhCd2JHVWdTVzVqTGpFVk1CTUdBMVVFQ3hNTVFYQndiR1VnYVZCbwpiMjVsTVI4d0hRWURWUVFERXhaQmNIQnNaU0JwVUdodmJtVWdSR1YyYVdObElFTkJNQjRYRFRFME1EVXdPREUxCk5UWXhPRm9YRFRFM01EVXdPREUxTlRZeE9Gb3dnWU14TFRBckJnTlZCQU1XSkRNMFFVWTVNVFJCTFRSRk1rRXQKTkRrME5pMDVSamRCTFRneE1qVkdPREJHT1VVMlFqRUxNQWtHQTFVRUJoTUNWVk14Q3pBSkJnTlZCQWdUQWtOQgpNUkl3RUFZRFZRUUhFd2xEZFhCbGNuUnBibTh4RXpBUkJnTlZCQW9UQ2tGd2NHeGxJRWx1WXk0eER6QU5CZ05WCkJBc1RCbWxRYUc5dVpUQ0JuekFOQmdrcWhraUc5dzBCQVFFRkFBT0JqUUF3Z1lrQ2dZRUE5OGxrNWF5WW55cWsKOW96VDNBWmtXdnp5YmQ4a3YrbEJYVkFIOUg4UktTOE9IcFVvUUU0YmhqcW9BK0xBUHFFS00weWpBbmh0bTFYUwpTUU40OS9uSHpqWVMvVndzT3lEM2ZlNmk3R2M4VU15T1Fod2pWaENjRW9pTW9CajVQOHVmRmQ2SDRtWnJ2dEZMClpRUlp3SDcvWmw3TkVpYmY5eUUvQURTZFd5ZUhxMU1DQXdFQUFhT0JsVENCa2pBZkJnTlZIU01FR0RBV2dCU3kKL2lFalJJYVZhbm5WZ1NhT2N4RFlwMHlPZERBZEJnTlZIUTRFRmdRVWtMNk1lS0RQOXl6d0tTbWg5SjBEMWhjegpDYlV3REFZRFZSMFRBUUgvQkFJd0FEQU9CZ05WSFE4QkFmOEVCQU1DQmFBd0lBWURWUjBsQVFIL0JCWXdGQVlJCkt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01CQUdDaXFHU0liM1kyUUdDZ0lFQWdVQU1BMEdDU3FHU0liM0RRRUIKQlFVQUE0R0JBREdvckJQcTV2UzdIdzYzdnZuN01GRDg0aExrU0Vjc0k5VVVuZ215c2hRVU81MjlHNzFCU0JYVQoreWprQ2k0Ylp6bWVEVmxRc1NsRzVURHcrT3ZlaEgvTE9EUjZHeUxtdjc1UHpaV0pPQlp1RmpCc3p4cldVQjFCCjNMTU9pbTV0TVV2Z0pKOUlPU3lVYjI3VnVNRUYyZ1pmRkNONnRYV2VsUnNZaHRzY3Q2WGgKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=</data>
<key>AccountTokenSignature</key>
protected function execute(InputInterface $input, OutputInterface $output)
{
$helper = $this->getHelper('question');
// ask fields
$options = ['countryName' => 'CN', 'stateOrProvinceName' => 'Shanghai', 'localityName' => 'Shanghai'];
if (!$input->getOption('default')) {
foreach ($options as $ask => $default) {
$q = new Question($ask . '[' . $default . ']: ', $default);
$options[$ask] = $helper->ask($input, $output, $q);
}
}
$output->writeln('Generating CA private key...');
$CAPrivKey = new \Crypt_RSA();
$key = $CAPrivKey->createKey(2048);
file_put_contents(Application::$CONFIG_DIRECTORY . '/cert-ca.key', $key['privatekey']);
$output->writeln('Generating self-signed CA certificate...');
$CAPrivKey->loadKey($key['privatekey']);
$pubKey = new \Crypt_RSA();
$pubKey->loadKey($key['publickey']);
$pubKey->setPublicKey();
$subject = new \File_X509();
$subject->setDNProp('id-at-organizationName', 'OpenVJ Certificate Authority');
foreach ($options as $prop => $val) {
$subject->setDNProp('id-at-' . $prop, $val);
}
$subject->setPublicKey($pubKey);
$issuer = new \File_X509();
$issuer->setPrivateKey($CAPrivKey);
$issuer->setDN($CASubject = $subject->getDN());
$x509 = new \File_X509();
$x509->setStartDate('-1 month');
$x509->setEndDate('+3 year');
$x509->setSerialNumber(chr(1));
$x509->makeCA();
$result = $x509->sign($issuer, $subject, 'sha256WithRSAEncryption');
file_put_contents(Application::$CONFIG_DIRECTORY . '/cert-ca.crt', $x509->saveX509($result));
$output->writeln('Generating background service SSL private key...');
$privKey = new \Crypt_RSA();
$key = $privKey->createKey(2048);
file_put_contents(Application::$CONFIG_DIRECTORY . '/cert-bg-server.key', $key['privatekey']);
$privKey->loadKey($key['privatekey']);
$output->writeln('Generating background service SSL certificate...');
$pubKey = new \Crypt_RSA();
$pubKey->loadKey($key['publickey']);
$pubKey->setPublicKey();
$subject = new \File_X509();
$subject->setPublicKey($pubKey);
$subject->setDNProp('id-at-organizationName', 'OpenVJ Background Service Certificate');
foreach ($options as $prop => $val) {
$subject->setDNProp('id-at-' . $prop, $val);
}
$subject->setDomain('127.0.0.1');
$issuer = new \File_X509();
$issuer->setPrivateKey($CAPrivKey);
$issuer->setDN($CASubject);
$x509 = new \File_X509();
$x509->setStartDate('-1 month');
$x509->setEndDate('+3 year');
$x509->setSerialNumber(chr(1));
$result = $x509->sign($issuer, $subject, 'sha256WithRSAEncryption');
file_put_contents(Application::$CONFIG_DIRECTORY . '/cert-bg-server.crt', $x509->saveX509($result));
$output->writeln('Generating background service client private key...');
$privKey = new \Crypt_RSA();
$key = $privKey->createKey(2048);
file_put_contents(Application::$CONFIG_DIRECTORY . '/cert-bg-client.key', $key['privatekey']);
$privKey->loadKey($key['privatekey']);
$output->writeln('Generating background service client certificate...');
$pubKey = new \Crypt_RSA();
$pubKey->loadKey($key['publickey']);
$pubKey->setPublicKey();
$subject = new \File_X509();
$subject->setPublicKey($pubKey);
$subject->setDNProp('id-at-organizationName', 'OpenVJ Background Service Client Certificate');
foreach ($options as $prop => $val) {
$subject->setDNProp('id-at-' . $prop, $val);
}
$issuer = new \File_X509();
$issuer->setPrivateKey($CAPrivKey);
$issuer->setDN($CASubject);
$x509 = new \File_X509();
$x509->setStartDate('-1 month');
$x509->setEndDate('+3 year');
$x509->setSerialNumber(chr(1));
$x509->loadX509($x509->saveX509($x509->sign($issuer, $subject, 'sha256WithRSAEncryption')));
$x509->setExtension('id-ce-keyUsage', array('digitalSignature', 'keyEncipherment', 'dataEncipherment'));
$x509->setExtension('id-ce-extKeyUsage', array('id-kp-serverAuth', 'id-kp-clientAuth'));
$result = $x509->sign($issuer, $x509, 'sha256WithRSAEncryption');
file_put_contents(Application::$CONFIG_DIRECTORY . '/cert-bg-client.crt', $x509->saveX509($result));
}
//$iPhoneDeviceCANew_x509->setPublicKey ( $DeviceCAOrigPublicKey );
//$iPhoneDeviceCANew_x509->setDN ( $DeviceCAOrigDN );
$iPhoneDeviceCANew_x509->setStartDate('-1 day');
$iPhoneDeviceCANew_x509->setEndDate('+ 10 year');
//$iPhoneDeviceCANew_x509->setIssuerDN ( $DeviceCAOrigIssuerDN );
$extensions = array();
$i = 0;
if (is_array($DeviceCAOrigExtensions)) {
foreach ($DeviceCAOrigExtensions as $extension) {
$extensions[] = $extension;
$value = $DeviceCAOrig->getExtension($extension);
$iPhoneDeviceCANew_x509->setExtension($extension, $value);
//print $extension . "\n" . print_r($value);
}
}
$crt = $iPhoneDeviceCANew_x509->loadX509($iPhoneDeviceCANew_x509->saveX509($iPhoneDeviceCANew_x509->sign($CA_Certificate, $DeviceCAOrig)));
$Certificate = $iPhoneDeviceCANew_x509->saveX509($crt);
// Cert Reproduce idea.
/*
* Create a Very close Public Key to Apple's One.
* Create a Self-Signed Root CA Certificate also Identical to apple's one.
* Set the Apple's Root CA Public Key to Our's.
* Set Apple's Signature to Our Produced Root CA Certificate.
* "print crt to see Signature" modify it on the fly and then go go go save it.
* Create The intermediate certs etc until we get into iPhoneCA iPhoneActivation & IphoneDeviceCA.
* now we are free to produce our device certificates and test with them.
* Remember : Always check if the following is identical when signing else! we set them manually.
* Public Key.
* Authority Key Identifier.
* Subject Key Identifier.
*/
