protected function execute(InputInterface $input, OutputInterface $output)
{
$error = $output->getErrorOutput();
$path = $input->getArgument("path");
$includeRoot = $input->getOption("include-root");
if (!\file_exists($path)) {
throw new \Exception("File {$path} doesn't exist");
}
try {
list($inform, $format) = \detectCertFormat($path);
$cert = \parseFormattedCert(\readCertificate($path, $inform, $format));
} catch (\Exception $e) {
$err = implode("\n", $e->output);
throw new \Exception("Unable to load certificate: {$err}");
}
// perform some basic checks
if (\isExpired($cert)) {
$error->writeln("Certificate has expired");
}
if (\areCertsLinked($cert, $cert)) {
throw new \Exception("Self-signed or CA cert");
}
// this can fail with an exception
$out = \buildChain($cert, $path, $includeRoot);
$output->write($out);
}
protected function execute(InputInterface $input, OutputInterface $output)
{
$error = $output->getErrorOutput();
$fmt = $this->getHelper("formatter");
$dir = new \RecursiveDirectoryIterator($input->getArgument("directory"));
$iter = new \RecursiveIteratorIterator($dir);
if ($input->getOption("expiry")) {
$expiry = strtotime($input->getOption("expiry"));
if ($expiry === false) {
$expiry = time();
$error->writeln("Invalid expiry arg, defaulting to now");
}
} else {
$expiry = time();
}
$certs = new \RegexIterator($iter, '/^.+\\.(crt|pem)/i', \RecursiveRegexIterator::MATCH);
foreach ($certs as $path) {
try {
$expirationDate = "";
$inform = "";
$format = "";
list($inform, $format) = \detectCertFormat($path);
$cert = \parseFormattedCert(\readCertificate($path, $inform, $format));
if (isExpired($cert, $expiry)) {
$expirationDate = \date('Y-m-d H:i:s e', $cert["expires"]);
$output->writeln("Certificate {$path} expires on {$expirationDate}");
}
} catch (\Exception $e) {
$msgs = ["Unable to load {$path}"];
if ($output->isVerbose()) {
$msgs = array_merge($msgs, ["", "{$e->cmd} said:", ""], $e->output);
}
$block = $fmt->formatBlock($msgs, 'error', true);
$error->writeln($block);
}
}
}
function buildChain($cert, $certPath, $includeRoot = false)
{
if (isExpired($cert)) {
throw new Exception("Certificate has expired");
}
if (areCertsLinked($cert, $cert)) {
throw new Exception("Self-signed or CA cert");
}
$uris = $cert["issuers"];
if (!$uris) {
throw new Exception("Certificate doesn't specify issuers");
}
$c = $cert;
$chain = [];
while (sizeof($uris) > 0) {
$old = $c;
$uri = array_shift($uris);
$path = downloadIssuer($uri);
list($inform, $format) = detectCertFormat($path);
$c = parseFormattedCert(readCertificate($path, $inform, $format));
if (isExpired($c)) {
throw new Exception("Expired intermediate in the chain");
}
if (areCertsLinked($c, $c)) {
break;
}
if (!areCertsLinked($c, $old)) {
$msg = "Intermediate doesn't match previous certificate in the chain";
throw new Exception($msg);
}
$chain[] = $path;
if (isset($c["issuers"])) {
foreach ($c["issuers"] as $i) {
$uris[] = $i;
// we don't currently have a good way of handling multiple
// issuers
break;
}
}
}
// we are at the end of the chain, see if there's matching root CA
$cacheDir = __DIR__ . '/cache';
$adapter = new File($cacheDir);
$adapter->setOption('ttl', 600);
$cache = new Cache($adapter);
if (!$cache->get(md5($path) . "-root")) {
$root = findMatchingRoot($c);
$chain[] = $root;
$cache->set(md5($path) . "-root", $root);
} else {
$chain[] = $cache->get(md5($path) . "-root");
}
// build certificate bundle
foreach ($chain as $i => $path) {
list($inform, $format) = detectCertFormat($path);
$cmd = sprintf("openssl x509 -inform %s -outform pem -in %s -out %s", escapeshellarg($inform), escapeshellarg($path), escapeshellarg(__DIR__ . "/tmp/" . sha1($cert["subject"]) . "-{$i}.pem"));
exec($cmd);
}
unlink(__DIR__ . "/tmp/bundle.crt");
foreach ($chain as $i => $path) {
file_put_contents(__DIR__ . "/tmp/bundle.crt", file_get_contents(__DIR__ . "/tmp/" . sha1($cert["subject"]) . "-{$i}.pem"), FILE_APPEND);
}
// verify the chain is valid
$cmd = sprintf("openssl verify -verbose -purpose sslserver -CAfile %s/tmp/bundle.crt %s", __DIR__, escapeshellarg($certPath));
try {
execute($cmd);
} catch (Exception $e) {
$err = implode("\n", $e->output);
throw new Exception("Can't verify the bundle: {$err}");
}
// extract the original cert (it might contain some, or all, parts of the
// chain already)
$cmd = sprintf("openssl x509 -inform pem -outform pem -in %s", $certPath);
$out = implode("\n", execute($cmd));
$out .= "\n";
if (!$includeRoot) {
array_pop($chain);
}
foreach ($chain as $i => $path) {
$out .= file_get_contents(__DIR__ . "/tmp/" . sha1($cert["subject"]) . "-{$i}.pem");
unlink(__DIR__ . "/tmp/" . sha1($cert["subject"]) . "-{$i}.pem");
}
return $out;
}
