Example #1
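/**
 * Signature verification, method two: the public key is not available
 * directly and is taken from a DER-encoded certificate file, which is first
 * converted to PEM.
 *
 * Only a return value of exactly 1 from openssl_verify() counts as success.
 * openssl_verify() returns 0 for a bad signature and -1 on error; casting
 * that result to bool would turn the error case into "valid".
 *
 * NOTE(review): the digest is fixed to SHA-1 (OPENSSL_ALGO_SHA1), which is
 * weak for signatures. It is left unchanged here because the signer must use
 * the same digest; plan a migration to SHA-256 on both sides.
 *
 * @param  string $cert_file Path of the DER-encoded certificate file.
 * @param  string $data      The signed data.
 * @param  string $signature The signature, base64-encoded.
 * @return bool              True only if the signature verifies; false on a
 *                           bad signature or on any read/parse/OpenSSL error.
 */
function rsa_verify2($cert_file, $data, $signature)
{
    $der = file_get_contents($cert_file);
    if ($der === false) {
        return false;
    }

    // der2pem() is defined elsewhere; presumably it wraps the DER bytes in a
    // PEM certificate envelope that openssl_x509_read() accepts.
    $certs = openssl_x509_read(der2pem($der));
    if ($certs === false) {
        return false;
    }

    $key = openssl_get_publickey($certs);
    if ($key === false) {
        return false;
    }

    $raw_signature = base64_decode($signature);
    if ($raw_signature === false) {
        return false;
    }

    // Fail closed: 0 (mismatch), -1 (error) and false all mean "not verified".
    $result = openssl_verify($data, $raw_signature, $key, OPENSSL_ALGO_SHA1) === 1;

    // openssl_free_key() is deprecated and a no-op from PHP 8.0 on.
    if (PHP_VERSION_ID < 80000) {
        openssl_free_key($key);
    }

    return $result;
}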
Example #2
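/**
 * Handle a ValidateCert request: read the certificates sent by the client,
 * validate each one and write the resulting status back as WBXML.
 *
 * Everything read from the request (the certificates and all URLs embedded in
 * their extensions) is untrusted input. This version therefore
 *  - quotes every value that reaches a shell command with escapeshellarg(),
 *  - only follows http/https URLs taken from certificate extensions,
 *  - creates temporary files with tempnam() instead of a guessable rand() name,
 *  - resets the per-certificate URL lists so one certificate cannot be checked
 *    against another certificate's responder,
 *  - initialises every variable the request may leave unset,
 *  - sends diagnostics to debugLog() instead of echo.
 *
 * As before, only the status of the last certificate is reported and the
 * certificate chain sent by the client is logged but not used.
 *
 * @param  mixed $backend         Unused in this function.
 * @param  mixed $devid           Unused in this function.
 * @param  mixed $protocolversion Unused in this function.
 * @return bool  False if the request could not be decoded, true otherwise.
 */
function HandleValidateCert($backend, $devid, $protocolversion)
{
    global $zpushdtd;
    global $input, $output;
    $decoder = new WBXMLDecoder($input, $zpushdtd);
    $encoder = new WBXMLEncoder($output, $zpushdtd);

    // The request may omit any of these elements.
    $certificates = array();
    $chain_certificates = array();
    $checkcrl = null;

    if (!$decoder->getElementStartTag(SYNC_VALIDATECERT_VALIDATECERT)) {
        return false;
    }
    while (($field = $decoder->getElementStartTag(SYNC_VALIDATECERT_CERTIFICATES) ? SYNC_VALIDATECERT_CERTIFICATES : ($decoder->getElementStartTag(SYNC_VALIDATECERT_CERTIFICATECHAIN) ? SYNC_VALIDATECERT_CERTIFICATECHAIN : ($decoder->getElementStartTag(SYNC_VALIDATECERT_CHECKCRL) ? SYNC_VALIDATECERT_CHECKCRL : -1))) != -1) {
        if ($field == SYNC_VALIDATECERT_CERTIFICATES) {
            while ($decoder->getElementStartTag(SYNC_VALIDATECERT_CERTIFICATE)) {
                $certificates[] = $decoder->getElementContent();
                if (!$decoder->getElementEndTag()) {
                    return false;
                }
            }
            if (!$decoder->getElementEndTag()) {
                return false;
            }
        } elseif ($field == SYNC_VALIDATECERT_CERTIFICATECHAIN) {
            while ($decoder->getElementStartTag(SYNC_VALIDATECERT_CERTIFICATE)) {
                $chain_certificates[] = $decoder->getElementContent();
                if (!$decoder->getElementEndTag()) {
                    return false;
                }
            }
            if (!$decoder->getElementEndTag()) {
                return false;
            }
        } elseif ($field == SYNC_VALIDATECERT_CHECKCRL) {
            $checkcrl = $decoder->getElementContent();
            if (!$decoder->getElementEndTag()) {
                return false;
            }
        }
    }

    if (isset($checkcrl)) {
        debugLog("validatecert: checkcrl: " . $checkcrl);
    }
    foreach ($chain_certificates as $certificate) {
        debugLog("validatecert: certificatechain: " . print_r($certificate, true));
    }

    // Fail closed when the request carried no certificate at all.
    // NOTE(review): 17 is taken to be the protocol's "unknown server error"
    // value - confirm against the ValidateCert status table.
    $status = 17;
    foreach ($certificates as $certificate) {
        $status = _validatecert_status($certificate, $checkcrl);
    }

    $encoder->startWBXML();
    $encoder->startTag(SYNC_VALIDATECERT_VALIDATECERT);
    $encoder->startTag(SYNC_VALIDATECERT_STATUS);
    $encoder->content(1);
    $encoder->endTag();
    // end SYNC_VALIDATECERT_STATUS
    $encoder->startTag(SYNC_VALIDATECERT_CERTIFICATE);
    $encoder->startTag(SYNC_VALIDATECERT_STATUS);
    $encoder->content($status);
    $encoder->endTag();
    // end SYNC_VALIDATECERT_STATUS
    $encoder->endTag();
    // end SYNC_VALIDATECERT_CERTIFICATE
    $encoder->endTag();
    // end SYNC_VALIDATECERT_VALIDATECERT
    return true;
}

/**
 * Compute the ValidateCert status of one base64-encoded certificate.
 *
 * @param  string $certificate Base64-encoded DER certificate from the request.
 * @param  mixed  $checkcrl    Revocation is checked only when this equals 1.
 * @return int    Status code for the certificate.
 */
function _validatecert_status($certificate, $checkcrl)
{
    $cert_der = base64_decode($certificate);
    $cert_pem = "-----BEGIN CERTIFICATE-----\n" . chunk_split(base64_encode($cert_der), 64, "\n") . "-----END CERTIFICATE-----\n";

    $cert_content = openssl_x509_parse($cert_pem);
    if (!$cert_content) {
        return 10;
    }
    $now = time();
    if ($cert_content['validFrom_time_t'] >= $now || $cert_content['validTo_time_t'] <= $now) {
        return 7;
    }
    if (openssl_x509_checkpurpose($cert_pem, X509_PURPOSE_SMIME_SIGN, array(VERIFYCERT_CERTSTORE)) != 1) {
        return 9;
    }
    if ($checkcrl != 1) {
        return 1;
    }

    // The openssl binary needs the certificate on disk. tempnam() creates the
    // file atomically under an unpredictable name, so another local process
    // cannot pre-create or swap it.
    $cert_fn = tempnam(VERIFYCERT_TEMP, 'validatecert');
    if ($cert_fn === false) {
        return 17;
    }
    if (file_put_contents($cert_fn, $cert_pem) === false) {
        unlink($cert_fn);
        return 17;
    }
    $status = _validatecert_revocation_status($cert_content, $cert_fn);
    unlink($cert_fn);
    return $status;
}

/**
 * Check the revocation state of a certificate via OCSP or, failing that, CRL.
 *
 * NOTE(review): all URLs used here are read from the certificate under
 * validation, so the client chooses where the server connects. The scheme is
 * restricted to http/https below; an allow-list of hosts or an egress policy
 * is still worth considering.
 *
 * @param  array  $cert_content Result of openssl_x509_parse() for the certificate.
 * @param  string $cert_fn      Path of the PEM file holding the certificate.
 * @return int    Status code for the certificate.
 */
function _validatecert_revocation_status($cert_content, $cert_fn)
{
    // Default when none of the branches below reaches a verdict.
    $status = 16;
    $crl_urls = array();
    $ocsp_urls = array();
    $ca_issuers = array();

    if (isset($cert_content['extensions']['crlDistributionPoints'])) {
        $crlDistributionPoints = explode("\n", str_replace("\r", '', $cert_content['extensions']['crlDistributionPoints']));
        foreach ($crlDistributionPoints as $entry) {
            $line = explode("URI:", $entry);
            if (isset($line[1]) && _validatecert_is_http_url(trim($line[1]))) {
                $crl_urls[] = trim($line[1]);
            }
        }
    }
    if (isset($cert_content['extensions']['authorityInfoAccess'])) {
        $authorityInfoAccess = explode("\n", str_replace("\r", '', $cert_content['extensions']['authorityInfoAccess']));
        foreach ($authorityInfoAccess as $entry) {
            $line = explode(" - URI:", $entry);
            if (!isset($line[1]) || !_validatecert_is_http_url(trim($line[1]))) {
                continue;
            }
            $kind = strtolower(trim($line[0]));
            if ($kind == 'ocsp') {
                $ocsp_urls[] = trim($line[1]);
            }
            if ($kind == 'ca issuers') {
                $ca_issuers[] = trim($line[1]);
            }
        }
    }

    $result = preg_split('/[\r\n]/', (string) shell_exec(VERIFYCERT_SSLBIN . " x509 -in " . escapeshellarg($cert_fn) . " -issuer_hash -noout"));
    $issuer_hash = trim($result[0]);
    // The hash becomes part of file names inside the certificate store, so
    // accept nothing but hex digits (this also catches a failed openssl call).
    if (!preg_match('/^[0-9a-f]+$/i', $issuer_hash)) {
        return 17;
    }
    $issuer_cer_path = VERIFYCERT_CERTSTORE . $issuer_hash . '.0';
    $issuer_crl_path = VERIFYCERT_CERTSTORE . $issuer_hash . '.r0';

    if (!file_exists($issuer_cer_path)) {
        if (count($ca_issuers) > 0) {
            foreach ($ca_issuers as $ca_issuer) {
                $ca_cert = file_get_contents($ca_issuer);
                if ($ca_cert === false) {
                    $status = 5;
                    continue;
                }
                if (strpos($ca_cert, '----BEGIN CERTIFICATE-----') === false) {
                    $ca_cert = der2pem($ca_cert);
                }
                if (!openssl_x509_parse($ca_cert)) {
                    $status = 5;
                } else {
                    // NOTE(review): this stores a certificate downloaded from a
                    // URL named by the client's certificate in the directory
                    // that is later passed as -CApath. Nothing here checks
                    // that it really is the issuer or that it chains to an
                    // existing trust anchor - confirm this is intended.
                    file_put_contents($issuer_cer_path, $ca_cert);
                }
            }
        } else {
            $status = 4;
        }
    }

    if (count($ocsp_urls) > 0) {
        // NOTE(review): -no_nonce disables OCSP replay protection.
        $command = VERIFYCERT_SSLBIN . " ocsp -VAfile " . escapeshellarg($issuer_cer_path) . "  -issuer " . escapeshellarg($issuer_cer_path) . " -CApath " . escapeshellarg(VERIFYCERT_CERTSTORE) . " -no_nonce -cert " . escapeshellarg($cert_fn) . " -url " . escapeshellarg($ocsp_urls[0]);
        $result = preg_split('/[\r\n]/', (string) shell_exec($command));
        $status = 14;
        foreach ($result as $line) {
            $values = explode(":", $line);
            if (isset($values[1]) && trim($values[0]) === $cert_fn) {
                $status = strtolower(trim($values[1])) === 'good' ? 1 : 13;
            }
        }
    } elseif (count($crl_urls) > 0) {
        debugLog("validatecert: verification using crl");
        $nextupdate = time() - 1;
        if (file_exists($issuer_crl_path)) {
            $command = VERIFYCERT_SSLBIN . " crl -in " . escapeshellarg($issuer_crl_path) . " -nextupdate -noout";
            $result = preg_split('/[\r\n]/', (string) shell_exec($command));
            foreach ($result as $line) {
                $values = explode("=", $line);
                if (isset($values[1]) && strtolower(trim($values[0])) == 'nextupdate') {
                    $nextupdate = strtotime($values[1]);
                }
            }
        }
        if (!file_exists($issuer_crl_path) || $nextupdate < time()) {
            if ($nextupdate < time()) {
                debugLog("validatecert: CRL file needs update");
            }
            foreach ($crl_urls as $crl_url) {
                $crl_cert = file_get_contents($crl_url);
                if (!$crl_cert) {
                    $status = 14;
                    continue;
                }
                if (strpos($crl_cert, '----BEGIN X509 CRL-----') === false) {
                    // DER CRL: convert to PEM through a private temporary file.
                    $crl_tmp = tempnam(VERIFYCERT_TEMP, 'validatecrl');
                    if ($crl_tmp === false) {
                        $status = 14;
                        continue;
                    }
                    file_put_contents($crl_tmp, $crl_cert);
                    $command = VERIFYCERT_SSLBIN . " crl -in " . escapeshellarg($crl_tmp) . " -inform der -out " . escapeshellarg($issuer_crl_path) . " -outform pem";
                    $result = preg_split('/[\r\n]/', (string) shell_exec($command));
                    foreach ($result as $line) {
                        debugLog("validatecert: " . $line);
                    }
                    unlink($crl_tmp);
                } else {
                    file_put_contents($issuer_crl_path, $crl_cert);
                }
            }
        }
        if (file_exists($issuer_crl_path)) {
            $command = VERIFYCERT_SSLBIN . " verify -verbose -CApath " . escapeshellarg(VERIFYCERT_CERTSTORE) . " -crl_check " . escapeshellarg($cert_fn);
            $result = preg_split('/[\r\n]/', (string) shell_exec($command));
            foreach ($result as $line) {
                $values = explode(":", $line);
                if (isset($values[1]) && trim($values[0]) === $cert_fn) {
                    $status = strtolower(trim($values[1])) === 'ok' ? 1 : 13;
                }
            }
        } else {
            $status = 16;
        }
    } else {
        $status = 16;
    }

    return $status;
}

/**
 * Tell whether a value taken from a certificate extension is a plain
 * http/https URL without whitespace.
 *
 * @param  mixed $url Candidate URL.
 * @return bool
 */
function _validatecert_is_http_url($url)
{
    return is_string($url) && preg_match('#^https?://\S+$#i', $url) === 1;
}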
<?php

/**
 * Wrap DER bytes in a PEM "PUBLIC KEY" envelope.
 *
 * The data is base64-encoded and broken into 64-character lines, then placed
 * between the BEGIN/END PUBLIC KEY markers. The label is always PUBLIC KEY,
 * whatever the DER bytes actually contain.
 *
 * @param  string $der_data Raw DER bytes.
 * @return string PEM text.
 */
function der2pem($der_data)
{
    $body = chunk_split(base64_encode($der_data), 64, "\n");

    return "-----BEGIN PUBLIC KEY-----\n" . $body . "-----END PUBLIC KEY-----\n";
}
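// Verify the signature in sandbox/signature-data over sandbox/content with
// the DER public key in sandbox/public-key.
$content = file_get_contents("sandbox/content");
$sigData = file_get_contents("sandbox/signature-data");
// Verification needs only the public key, so the private key file is no
// longer read into memory here.
$pubKeyEnc = file_get_contents("sandbox/public-key");
if ($content === false || $sigData === false || $pubKeyEnc === false) {
    echo "Failed to read input files.\n";
    exit(1);
}

$pubKeyPem = der2pem($pubKeyEnc);
$pubKey = openssl_get_publickey($pubKeyPem);
if ($pubKey === false) {
    echo "Failed to load public key.\n";
    exit(1);
}

// openssl_verify() returns 1 (valid), 0 (invalid) or -1 (error). -1 is truthy,
// so the result is compared with 1 explicitly to keep an OpenSSL error from
// being reported as a valid signature.
// NOTE(review): no digest is passed, so PHP's default (SHA-1) is used; pass an
// explicit stronger algorithm once the signer produces one.
$verified = openssl_verify($content, $sigData, $pubKey);
echo $verified === 1 ? "Verified!" : "Did not verify!", "\n";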