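/**
 * Process request and draw page to examine a csr.
 *
 * Reads a CSR through the html helper, extracts its subject, ASN.1 structure
 * and public key details, hands all four values to the template and then
 * terminates the request with the rendered page.
 *
 * @return void
 */
function getPageCsrView()
{
    global $_WA;
    $_WA->html->setPageTitle('Examine Certificate Signing Request');

    // Prepopulate data we will be pulling
    $csr_subject = false;
    $csr_key = false;
    $csr_asn = false;

    // Check to see if they have provided a file.
    $csr_pem = $_WA->html->parseCertificateRequest('csr_file', 'csr');
    if (is_string($csr_pem)) {
        $_WA->moduleRequired('cert');
        $csr_subject = openssl_csr_get_subject($csr_pem, false);

        // The text between the BEGIN and END armour lines is the base64 body.
        $junk = preg_split('/(-----((BEGIN)|(END)) CERTIFICATE REQUEST-----)/', $csr_pem);
        if (isset($junk[1])) {
            $enc = base64_decode($junk[1]);
            $csr_asn = $_WA->cert->parseAsn($enc);
        }

        // Test against false rather than is_resource(): PHP 8 returns an
        // OpenSSLAsymmetricKey object here, which is_resource() rejects, so
        // the key details were silently never filled in.
        $key = openssl_csr_get_public_key($csr_pem);
        if ($key !== false) {
            $csr_key = openssl_pkey_get_details($key);
        }
    }

    // Call-time pass-by-reference (&$var at the call site) is a fatal error
    // since PHP 5.4. If setVar() wants a reference it declares that in its
    // own signature; the values are final at this point either way.
    //
    // NOTE(review): everything below is derived from a submitted CSR, so the
    // subject fields are requester-controlled. The template is not visible
    // here; confirm it HTML-escapes these values on output.
    $_WA->html->setVar('csr_pem', $csr_pem);
    $_WA->html->setVar('csr_subject', $csr_subject);
    $_WA->html->setVar('csr_key', $csr_key);
    $_WA->html->setVar('csr_asn', $csr_asn);
    die($_WA->html->loadTemplate('utils.csr.view.php'));
}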
/**
 * Round-trip check: data signed with a freshly generated private key must
 * verify against the public key recovered from a CSR built on that key.
 */
function test_openssl_sign()
{
    // Key pair with default parameters.
    $signingKey = openssl_pkey_new();
    VERIFY($signingKey != null);

    // CSR with no subject fields, bound to the key above.
    $request = openssl_csr_new(null, $signingKey);
    VERIFY($request != null);

    $verifyKey = openssl_csr_get_public_key($request);
    VERIFY($verifyKey != null);

    $message = "some secret messages";

    // No algorithm argument is given, so the extension default applies. PHP
    // documents that default as OPENSSL_ALGO_SHA1: adequate for a round-trip
    // test, but code protecting real data should name a SHA-2 algorithm.
    $signed = openssl_sign($message, $sigBytes, $signingKey);
    VERIFY($signed);

    // openssl_verify() returns 1 only for a valid signature.
    VS(openssl_verify($message, $sigBytes, $verifyKey), 1);
}
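/**
 * Return the size in bits of the public key carried by a CSR.
 *
 * A CSR that OpenSSL cannot read used to be passed straight on to
 * openssl_pkey_get_details(), which raises a TypeError on PHP 8 and a
 * warning plus a null result on older versions. The failure is now handled
 * explicitly and reported as null on every version.
 *
 * Callers that enforce a minimum key size must treat null as a rejection.
 *
 * @param mixed $csr CSR in any form openssl_csr_get_public_key() accepts
 * @return int|null key size in bits, or null when the key cannot be read
 */
function csr_pubkey_length($csr)
{
    $csr_pubkey = openssl_csr_get_public_key($csr);
    if ($csr_pubkey === false) {
        return null;
    }

    $keydata = openssl_pkey_get_details($csr_pubkey);
    if (!is_array($keydata) || !isset($keydata['bits'])) {
        return null;
    }

    return $keydata['bits'];
}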
// Excerpt from a longer script: $ca, $pemca and $cakey are set up before the
// part shown here, and the signing step follows after it.
$ca->loadX509($pemca);
$ca->setPrivateKey($cakey);

// CSR embedded as a string literal. It is reproduced exactly as it appears in
// this listing (armour and base64 body separated by single spaces).
$csr = '-----BEGIN CERTIFICATE REQUEST----- MIIBxDCCAS0CAQAwgYMxLTArBgNVBAMTJDczN0YwRjMzLTdBNjMtNDI5MC1BQkRG LUE3QUE5NkVFNDc4QzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQH EwlDdXBlcnRpbm8xEzARBgNVBAoTCkFwcGxlIEluYy4xDzANBgNVBAsTBmlQaG9u ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAp+pWUbIk+mTyQp2hT95RMAFX pC83IckQckh6FoXGj9n5CVNW1U1tAcj0bi+zVrF2yPX0AjuYLMBIS9bRtrJ6Cu/P fhyqfgkK4XFOdTcvupegXZi5QakmcQOFotubpuD5Z+6FnhDsJz57bORcznCzu60Y Ers/c3NjwSCFFi/IyPMCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBAE2zL2HLSCPE 8XsFKrB1J7w7pKxjf64QVHjp5aK3HtOUL89TRJFzHdpXMG58GrKibRWK19+kTQg4 zXyNVXEc4CnOFO2U5vPbdFmpgHc5IXFZZJgHrQo+JD39EJ5O0rtchKeYnePbK+X4 5fcixklRySJ06YthmX3FHitD3ExjaI8p -----END CERTIFICATE REQUEST----- ';

// Pull the public key out of the CSR and write it, PEM encoded, to disk.
// NOTE(review): neither call is checked. openssl_csr_get_public_key() returns
// false for a CSR it cannot read, and on PHP 8 passing that false on to
// openssl_pkey_get_details() raises a TypeError.
$vectxq = openssl_pkey_get_details(openssl_csr_get_public_key($csr));
$pkeyxq = $vectxq['key'];
// NOTE(review): fixed relative path, shared by every run of this code; the
// key is written only to be read straight back below.
file_put_contents('certs/pubkey.pem', $pkeyxq);

// Load the certificate public key.
$pubkey = new Crypt_RSA();
$pubkey->loadKey(file_get_contents('certs/pubkey.pem'));
$pubkey->setPublicKey();

// Build the new certificate.
// The subject DN, validity window and serial number are all fixed literals.
// NOTE(review): a constant serial number means every certificate produced by
// this code carries the same serial, so one cannot be told from another (or
// revoked individually) by issuer and serial.
$iPhoneDeviceCA = new File_X509();
$iPhoneDeviceCA->loadCA($pemca);
$iPhoneDeviceCA->setPublicKey($pubkey);
$iPhoneDeviceCA->setDN('C=US, ST=Some-State, L=Cupertino, O=Apple Inc., OU=Apple iPhone, CN=Apple iPhone Device CA');
$iPhoneDeviceCA->setStartDate('-1 day');
$iPhoneDeviceCA->setEndDate('+ 1 year');
$iPhoneDeviceCA->setSerialNumber('10134611745959375605', 10);
// Sign new certificate.
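/**
 * Import a server cert
 *
 * The certificate must parse, meet the server import requirements, not be
 * self-signed, be an SSL server certificate, and resolve to exactly one
 * signer through getSignerId(). An optional private key and CSR are checked
 * against the certificate before anything is written to the database.
 *
 * @param string $pemCert - PEM encoded certificate - required
 * @param string $privKey - PEM encoded private key - optional
 * @param string $passPhrase - optional
 * @param string $certRequest - PEM encoded CSR - optional
 * @return bool|string true on success, error message on failures
 */
public function actionServerImport($pemCert = null, $privKey = null, $passPhrase = null, $certRequest = null)
{
    $this->moduleRequired('ca,cert,server');

    // check arguments
    if (!is_string($pemCert) or strlen($pemCert) < 1) {
        return 'Must provide a valid PEM encoded CA certificate.';
    }

    // normalize arguments
    $privKey = (is_string($privKey) and strlen($privKey) > 0) ? $privKey : false;
    $passPhrase = (is_string($passPhrase) and strlen($passPhrase) > 0) ? $passPhrase : '';
    $certRequest = (is_string($certRequest) and strlen($certRequest) > 0) ? $certRequest : false;

    // parse the cert
    $pc = $this->cert->parseCert($pemCert);
    if (!is_array($pc)) {
        return 'Failed to parse certificate.';
    }
    $rc = $this->server->meetsImportRequirements($pc);
    if (!($rc === true)) {
        return 'Cert does not meet import requirements: ' . $rc;
    }

    // no self-signed certs
    $isSelfSigned = $this->cert->isCertSigner($pemCert, $pemCert);
    if ($isSelfSigned === true) {
        return 'Will not import self-signed certificates.';
    }
    $rc = $this->cert->parsedCertIsSslServer($pc);
    if (!($rc === true)) {
        return 'The specified cert is not a SSL server certificate.';
    }
    if (!is_numeric($pc['certificate']['serialNumber'])) {
        return 'Invalid certificate serial number.';
    }
    $serialNumber = $pc['certificate']['serialNumber'];

    $validFrom = gmdate('Y-m-d H:i:s', $pc['certificate']['validity']['notbefore']);
    if ($validFrom === false) {
        return 'Failed to determine validFrom date.';
    }
    $validTo = gmdate('Y-m-d H:i:s', $pc['certificate']['validity']['notafter']);
    if ($validTo === false) {
        return 'Failed to determine validTo date.';
    }

    // extract needed public key objects
    $pubKeyRes = openssl_pkey_get_public($pemCert);
    if ($pubKeyRes === false) {
        return 'Failed to extract public key.';
    }
    $ar = openssl_pkey_get_details($pubKeyRes);
    if (!is_array($ar) or !isset($ar['key'])) {
        return 'Failed to obtain PEM formatted public key.';
    }
    $pubKey = $ar['key'];

    // Locate issuer
    $ca = $this->getSignerId($pemCert);
    if (!is_array($ca) or count($ca) < 1) {
        $issuer = $pc['certificate']['issuer'];
        $m = 'The CA cert that signed this certificate could not be '
           . 'located.  Import the CA Certificate that matches the '
           . 'information listed below and try again.';
        // The issuer fields come from the certificate being imported and this
        // message carries HTML markup, so the dump is escaped before it is
        // embedded; unescaped it would let a crafted issuer name inject
        // markup into the page that shows the error.
        $out = htmlspecialchars(print_r($issuer, true), ENT_QUOTES, 'UTF-8');
        $m .= '<P><PRE>' . $out . '</PRE></P>';
        return $m;
    }
    if (count($ca) > 1) {
        return 'This certificate cannot be imported because multiple possible '
             . 'signers exist.';
    }
    $caId = isset($ca[0]['Id']) ? $ca[0]['Id'] : false;
    if (!is_numeric($caId) or $caId < 1) {
        return 'Failed to locate issuing CA id.';
    }

    // Validate expiration date of CA cert.  Only warn if the expiration dates
    // don't jive.
    $this->ca->resetProperties();
    if ($this->ca->populateFromDb($caId) === false) {
        return 'Failed to locate issuer information.';
    }
    $caValidTo = $this->ca->getProperty('ValidTo');
    // Both values are compared on their leading YYYY-MM-DD part only.
    if (substr($validTo, 0, 10) > substr($caValidTo, 0, 10)) {
        $m = 'WARNING: The certificate expiration date is invalid, the issuer '
           . 'certficate expires ' . $caValidTo . ', this certificate expires '
           . $validTo . '.';
        $this->html->errorMsgSet($m);
    }

    // Determine the last serial number issued by the ca in case the
    // serial number of the current certificate is higher and we need
    // to bump the ca last serial issued.
    $caLastSerial = $this->ca->getLastSerialIssued($caId);
    if ($caLastSerial === false or !is_numeric($caLastSerial)) {
        return 'Failed to determine CA last serial issued.';
    }

    // Validate the private key
    if (is_string($privKey)) {
        $pKey = openssl_pkey_get_private($privKey, $passPhrase);
        if ($pKey === false) {
            return 'Private key or password is invalid.';
        }
        if (!openssl_x509_check_private_key($pemCert, $pKey)) {
            return 'Private key does not belong to cert.';
        }
    }

    // Did they include a csr?
    if (is_string($certRequest)) {
        $csrPubKey = openssl_csr_get_public_key($certRequest);
        if ($csrPubKey === false) {
            return 'Failed to extract public key from CSR.';
        }
        // The CSR is accepted only when its public key details are identical
        // to those of the certificate.
        if (openssl_pkey_get_details($pubKeyRes) !== openssl_pkey_get_details($csrPubKey)) {
            return 'CSR and cert do not match.';
        }
    }

    // Import the cert into the database
    $this->server->resetProperties();

    // required properties
    $this->server->setProperty('Certificate', $pemCert);
    $this->server->setProperty('CommonName', implode("\n", $pc['certificate']['subject']['CommonName']));
    $this->server->setProperty('CreateDate', 'now()');
    $this->server->setProperty('Description', 'imported');
    $this->server->setProperty('FingerprintMD5', $pc['fingerprints']['md5']);
    $this->server->setProperty('FingerprintSHA1', $pc['fingerprints']['sha1']);
    $this->server->setProperty('ParentId', $caId);
    // The key is stored exactly as supplied (false when none was given).
    // NOTE(review): if the PEM was not passphrase protected it reaches the
    // storage layer in the clear; confirm how this property is protected at
    // rest.
    $this->server->setProperty('PrivateKey', $privKey);
    $this->server->setProperty('PublicKey', $pubKey);
    $this->server->setProperty('SerialNumber', $serialNumber);
    $this->server->setProperty('ValidFrom', $validFrom);
    $this->server->setProperty('ValidTo', $validTo);

    // optional properties
    if (is_string($certRequest)) {
        $this->server->setProperty('CSR', $certRequest);
    }

    // optional subject properties: parsed subject field => stored property.
    // Multi-valued fields are joined with newlines.
    $sub = $pc['certificate']['subject'];
    $subjectProperties = array(
        'Country'             => 'CountryName',
        'emailAddress'        => 'EmailAddress',
        'Location'            => 'LocalityName',
        'Organization'        => 'OrgName',
        'OrganizationalUnit'  => 'OrgUnitName',
        'stateOrProvinceName' => 'StateName',
    );
    foreach ($subjectProperties as $field => $property) {
        if (isset($sub[$field]) and is_array($sub[$field]) and count($sub[$field]) > 0) {
            $this->server->setProperty($property, implode("\n", $sub[$field]));
        }
    }

    // Do the deed...
    $this->server->populated = true;
    $rc = $this->server->add();
    if (!($rc === true)) {
        return 'Import Failed: ' . $rc;
    }

    // Do we need to bump the CA's last serial issued?
    // NOTE(review): both operands are numeric strings, so PHP compares them
    // as numbers; serials too large for exact float representation may not
    // compare reliably.
    if ($serialNumber > $caLastSerial) {
        if (!($this->ca->updateSerialByCaId($caId, $serialNumber) === true)) {
            // This used to return $m, which is undefined at this point unless
            // the expiry warning above happened to set it, so the caller got
            // either null or an unrelated warning text.
            return 'Certificate imported, but failed to update the CA last serial issued.';
        }
    }
    return true;
}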
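/**
 * Check for weak Debian key
 *
 * Hashes the RSA modulus of the CSR's public key the way the Debian
 * openssl-blacklist does and looks the hash up in conf/debian_blacklist.db.
 *
 * The check fails open: when the blacklist is missing or unreadable, the CSR
 * key cannot be read, or the key is not RSA, the method returns true. For
 * the blacklist file that condition is recorded through setTest() so it is
 * not silent.
 *
 * @return boolean true when the key was not found in the blacklist (or the
 *                 check could not be run), false when the key is blacklisted
 */
private function checkWeakDebiankey()
{
    $blacklist_path = __ROOT__ . '/conf/debian_blacklist.db';
    if (!file_exists($blacklist_path)) {
        $this->setTest('Requirements (debian_blacklist)', false, 'File debian_blacklist.db not found!');
        return true;
    }

    // A CSR that OpenSSL cannot read yields false here; handing that to
    // openssl_pkey_get_details() raises a TypeError on PHP 8.
    $public_key = openssl_csr_get_public_key($this->csr_content);
    if ($public_key === false) {
        return true;
    }
    $cert_details = openssl_pkey_get_details($public_key);
    if (!isset($cert_details['rsa'])) {
        return true;
    }

    // Read the debian black list URLs file
    $handle = fopen($blacklist_path, "r");
    if ($handle === false) {
        // Without this guard fgets() is called on false: a TypeError on
        // PHP 8, and on older versions a loop that may never terminate.
        $this->setTest('Requirements (debian_blacklist)', false, 'File debian_blacklist.db could not be opened!');
        return true;
    }

    // Weak debian key check
    $bin_modulus = $cert_details['rsa']['n'];
    # blacklist format requires sha1sum of output from "openssl x509 -noout -modulus" including the Modulus= and newline.
    # create the blacklist:
    # https://packages.debian.org/source/squeeze/openssl-blacklist
    # svn co svn://svn.debian.org/pkg-openssl/openssl-blacklist/
    # find openssl-blacklist/trunk/blacklists/ -iname "*.db" -exec cat {} >> unsorted_blacklist.db \;
    # sort -u unsorted_blacklist.db > debian_blacklist.db
    $mod_sha1sum = sha1("Modulus=" . strtoupper(bin2hex($bin_modulus)) . "\n");

    // NOTE(review): the upstream openssl-blacklist files are understood to
    // hold only the trailing 20 hex characters of each SHA-1. Searching for
    // that suffix matches such entries and also matches lines that hold the
    // full 40-character hash, whereas a 40-character needle can never match
    // a truncated entry. Verify against a known-weak key.
    $needle = substr($mod_sha1sum, 20);

    $key_in_blacklist = false;
    while (($buffer = fgets($handle)) !== false) {
        if (strpos($buffer, $needle) !== false) {
            $key_in_blacklist = true;
            break;
        }
    }
    fclose($handle);

    return !$key_in_blacklist;
}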
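/**
 * Parse pasted PEM text as a CSR, or hand it to cert_parse_json() when it
 * looks like a certificate.
 *
 * The input only has to contain the armour text to reach the CSR branch, so
 * a malformed body is expected there. In that case the public key lookup
 * returns false; it is no longer passed on to openssl_pkey_get_details(),
 * which raises a TypeError on PHP 8. The result keeps the shape it had on
 * older PHP versions: "subject" => false, "key" => null, "details" => false.
 *
 * @param string $csr pasted PEM text
 * @return array "subject", "key" and "details" for a CSR; the result of
 *               cert_parse_json() for a certificate; otherwise an "error" entry
 */
function csr_parse_json($csr)
{
    $result = array();
    if (strpos($csr, "BEGIN CERTIFICATE REQUEST") !== false) {
        $cert_data = openssl_csr_get_public_key($csr);
        $cert_details = ($cert_data !== false) ? openssl_pkey_get_details($cert_data) : false;
        $cert_key = is_array($cert_details) ? $cert_details['key'] : null;
        $cert_subject = openssl_csr_get_subject($csr);
        // The subject is requester-controlled text; whatever renders this
        // result has to escape it for its output context.
        $result["subject"] = $cert_subject;
        $result["key"] = $cert_key;
        $result["details"] = $cert_details;
    } elseif (strpos($csr, "BEGIN CERTIFICATE") !== false) {
        $result = cert_parse_json($csr);
    } else {
        $result = array("error" => "data not valid csr");
    }
    return $result;
}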
/**
 * Wrap the public key carried by this CSR in a PublicKey object.
 *
 * The value returned by openssl_csr_get_public_key() is handed to the
 * PublicKey constructor unchecked, including the false it returns when the
 * key cannot be read.
 *
 * NOTE(review): PHP documents the second argument of
 * openssl_csr_get_public_key() as $short_names, so $longNames is forwarded
 * into a flag of the opposite sense. Confirm this is intended.
 *
 * @param bool $longNames
 *
 * @return PublicKey
 */
public function getPublicKey(bool $longNames = false) : PublicKey
{
    return new PublicKey(openssl_csr_get_public_key($this->getHandle(), $longNames));
}
// Excerpt: the block opened by this `if` is not closed within the part shown.
if ($activationState == "Unactivated") {
    // Assemble a text token from fixed URLs and four variables.
    // NOTE(review): $imei, $activationRamdomess, $uniqueDiviceID and $wildcard
    // are concatenated between double quotes with no escaping or validation
    // visible here; where they come from is outside this excerpt.
    $accountToken = '{' . "\n\t"
        . '"InternationalMobileEquipmentIdentity" = "' . $imei . '";' . "\n\t"
        . '"ActivityURL" = "' . 'https://albert.apple.com/deviceservices/activity' . '";' . "\n\t"
        . '"ActivationRandomness" = "' . $activationRamdomess . '";' . "\n\t"
        . '"UniqueDeviceID" = "' . $uniqueDiviceID . '";' . "\n\t"
        . '"CertificateURL" = "https://albert.apple.com/deviceservices/certifyMe";' . "\n\t"
        . '"PhoneNumberNotificationURL" = "https://albert.apple.com/deviceservices/phoneHome' . '";' . "\n\t"
        . '"WildcardTicket" = "' . $wildcard . '";' . "\n"
        . '}';
    $accountTokenEncoded = base64_encode($accountToken);
    // No algorithm argument: PHP documents OPENSSL_ALGO_SHA1 as the default.
    // The boolean result is not checked, so a failed signing leaves
    // $binarySignature unusable without any error being raised here.
    openssl_sign($accountToken, $binarySignature, $pvKey);
    // AccountTokenSignature
    $accountTokenSignature = base64_encode($binarySignature);

    // Load the CA and its private key.
    // NOTE(review): the signing key is read from a relative path under the
    // application's own directory tree; confirm that directory is not served
    // by the web server and is readable only by the service account.
    $pemcakey = file_get_contents('certs/iPhoneDeviceCA_private.key');
    $cakey = new Crypt_RSA();
    $cakey->loadKey($pemcakey);
    $pemca = file_get_contents('certs/iPhoneDeviceCA.pem');
    $ca = new File_X509();
    $ca->loadX509($pemca);
    $ca->setPrivateKey($cakey);

    // csr public key
    // NOTE(review): $deviceCertRequest is used unchecked. A CSR that OpenSSL
    // cannot read makes the inner call return false, and on PHP 8 the outer
    // call then raises a TypeError.
    $vectxq = openssl_pkey_get_details(openssl_csr_get_public_key($deviceCertRequest));
    $pkeyxq = $vectxq['key'];
    // Fixed output path shared by every run of this code.
    file_put_contents('certs/pubkey.pem', $pkeyxq);

    // Load the certificate public key.
    $pubkey = new Crypt_RSA();
    $pubkey->loadKey($pkeyxq);
    $pubkey->setPublicKey();
    $x509 = new File_X509();
    $csr = $x509->loadCSR($deviceCertRequest); // see csr.csr
    $dn = $x509->getDN(true);

    // Build the new certificate.
    // NOTE(review): the subject DN is copied verbatim from the CSR, so the
    // requester chooses the subject of the certificate being built; no
    // policy check on it is visible in this excerpt.
    $iPhoneDeviceCA = new File_X509();
    $iPhoneDeviceCA->loadCA($pemca);
    $iPhoneDeviceCA->setPublicKey($pubkey);
    $iPhoneDeviceCA->setDN($dn);
// Excerpt: $DevicePath, $DeviceEncoded, $DeviceDecoded, $PParser and
// $DeviceCert are prepared before the part shown, and the final `if` is not
// closed within it.
// NOTE(review): every file below is written under $DevicePath; how that path
// is built is not visible here. If any component comes from the request it
// needs validating against path traversal.
$DeviceEncoded->save($DevicePath . DS . "ActivationInfo.plist");
$DeviceDecoded->save($DevicePath . DS . "ActivationInfoXML.plist");

// Re-encode the DER file as PEM: base64 in 64-character lines between
// CERTIFICATE armour lines.
$FairPlayCertChain_Der_Content = file_get_contents($DevicePath . DS . "FairPlayCertChain.der");
$FairPlayCertChain_Pem_Content = '-----BEGIN CERTIFICATE-----' . PHP_EOL . chunk_split(base64_encode($FairPlayCertChain_Der_Content), 64, PHP_EOL) . '-----END CERTIFICATE-----' . PHP_EOL;
file_put_contents($DevicePath . DS . "FairPlayCertChain.pem", $FairPlayCertChain_Pem_Content);

// Prepare ActivationInfoXML.plist File.
$ActivationInfoDEC = file_get_contents($DevicePath . DS . "ActivationInfoXML.plist");
$ActivationInfoDEC = $PParser->parse($ActivationInfoDEC);

// Get And Store DeviceCertRequest Public Key.
// NOTE(review): base64_decode() is called in its lenient mode and none of the
// three results below is checked. A CSR that OpenSSL cannot read makes the
// inner call return false, which raises a TypeError in the outer call on
// PHP 8.
$Certificate = base64_decode($DeviceCert);
$Certificate_Details = openssl_pkey_get_details(openssl_csr_get_public_key($Certificate));
$Certificate_PublicKey = $Certificate_Details['key'];
file_put_contents($DevicePath . DS . "DeviceCert.csr", $Certificate);
file_put_contents($DevicePath . DS . "DeviceCertPublic.key", $Certificate_PublicKey);

// Extra
// NOTE(review): extract() turns every key of the parsed plist into a local
// variable and, with its default flags, overwrites any existing variable of
// the same name. The array is parsed from a stored request document, so its
// keys are not under this script's control; reading the needed keys
// explicitly (or passing EXTR_SKIP / a prefix) avoids variables such as
// $DevicePath being replaced.
extract($ActivationInfoDEC);

// This is an extremely needed check :).
// $ProductType is not assigned in this excerpt; presumably it is one of the
// variables created by extract() above (confirm).
$Check_iDevice = Check_iDevice($ProductType);
$Check_iDevice_Type = Check_iDevice($ProductType, true);
$Check_iDevice_Name = Check_iDevice($ProductType, true, true);

if ($Check_iDevice === true) {
// Excerpt: the `exit; }` below closes a block that was opened before this part.
exit;
}
# ----------------------------------- save request info ------------------------------------------
// NOTE(review): $deviceClass and $serialNumber go straight into a filesystem
// path. Their origin is not visible here; if they come from the request they
// must be restricted to a safe character set, otherwise "../" sequences move
// the writes below outside devices/.
$devicefolder = 'devices/' . $deviceClass . '/' . $serialNumber . '/';
// NOTE(review): mode 0777 makes the directories writable by every local user
// (subject to the umask); a service-only mode such as 0750 is the usual choice.
if (!file_exists('devices/' . $deviceClass . '/')) {
    mkdir('devices/' . $deviceClass . '/', 0777, true);
}
if (!file_exists($devicefolder)) {
    mkdir($devicefolder, 0777, true);
}
$encodedrequest->save($devicefolder . 'device-request.xml');
$decodedrequest->save($devicefolder . 'device-request-decoded.xml');
file_put_contents($devicefolder . 'cert-request.csr', $deviceCertRequest);
file_put_contents($devicefolder . 'fairPlayCertChain.crt', '-----BEGIN CERTIFICATE-----' . $fairPlayCertChain . '-----END CERTIFICATE-----');
#file_put_contents($devicefolder.'fairPlaySignature.key', '-----BEGIN RSA PUBLIC KEY-----'.$fairPlaySignature.'-----END RSA PUBLIC KEY-----');
// The CSR is used unchecked: openssl_csr_get_public_key() returns false for
// a CSR it cannot read, and on PHP 8 passing that on raises a TypeError.
file_put_contents($devicefolder . 'cert-request-public.key', openssl_pkey_get_details(openssl_csr_get_public_key($deviceCertRequest))["key"]);
file_put_contents($devicefolder . 'GUID.txt', $guid);
#file_put_contents($devicefolder.'serverCASigned.crt', $certout);
# -------------------------------------------------------------------------------------------------
# ---------------------------------- Sign device certificate request ------------------------------
// NOTE(review): the passphrase of the CA private key is a string literal in
// source, so anyone who can read this file or its version history can use the
// key. Load it from a secret store or the environment, and treat the value
// committed here as compromised.
$privkey = array(file_get_contents('certs/original/iPhoneDeviceCA_private.key'), "minacriss");
$devicecacert = file_get_contents('certs/original/iPhoneDeviceCA.crt');
#$config = array('digest_alg' => 'sha1');
// Hard-coded, machine-specific OpenSSL config path; the signature digest is SHA-1.
$config = array('config' => 'C:/XAMPP/php/extras/openssl/openssl.cnf', 'digest_alg' => 'sha1');
// Signs the CSR as submitted: 1096 days of validity, and the same serial
// number for every certificate. The result is not checked before it is
// exported, so a failed signing surfaces only in the calls that follow.
$usercert = openssl_csr_sign($deviceCertRequest, $devicecacert, $privkey, 1096, $config, '06');
openssl_x509_export($usercert, $certout);
$deviceCertificate = base64_encode($certout);
//write raw $certout to file
file_put_contents($devicefolder . 'serverCASigned.crt', $certout);
$certs_path = 'certs/';
# certs/original/ - minacriss original
/**
 * Extracts PublicKey from a CertificateSigningRequest
 *
 * Thin wrapper around openssl_csr_get_public_key(). The result is passed
 * through untouched, so a CSR that OpenSSL cannot read comes back as false
 * and the caller has to check for that before using the key.
 *
 * @param CertificateSigningRequest $CSR
 * @return PublicKey
 */
function CSR_PublicKey($CSR)
{
    $publicKey = openssl_csr_get_public_key($CSR);

    return $publicKey;
}
// Excerpt: the file-name variables, $Message, $AccountToken and the
// base64-encoded $DeviceCertRequest are prepared before the part shown.
$AccountTokenSignatureCheck = Check_Signature($FakeAccountTokenCertificate, $AccountTokenSignature, $AccountToken);
$Message .= $AccountTokenSignatureCheck . "\n";

// Load iPhoneDeviceCA Certificate & It's Private Key.
// NOTE(review): the signing key is read from a file on disk; where
// $iPhoneDeviceCA_privateFile points and who may read it is not visible here.
$iPhoneDeviceCA_private = file_get_contents($iPhoneDeviceCA_privateFile);
$CA_Key = new Crypt_RSA();
$CA_Key->loadKey($iPhoneDeviceCA_private);
$iPhoneDeviceCA = file_get_contents($iPhoneDeviceCAFile);
$CA_Certificate = new File_X509();
$CA_Certificate->setPrivateKey($CA_Key);
$CA_Certificate->loadX509($iPhoneDeviceCA);
// $CA_Certificate->setExtension( 'id-ce-authorityKeyIdentifier',
// $CA_Certificate->setKeyIdentifier ( base64_decode (
// 'sv4hI0SGlWp51YEmjnMQ2KdMjnQ=' ) ), false );

// Get And Store DeviceCertRequest Public Key.
// NOTE(review): base64_decode() runs in its lenient mode and the results
// below are not checked. A CSR that OpenSSL cannot read makes the inner call
// return false, which raises a TypeError in the outer call on PHP 8.
$DeviceCertRequest = base64_decode($DeviceCertRequest);
$iPhoneDeviceVect = openssl_pkey_get_details(openssl_csr_get_public_key($DeviceCertRequest));
$iPhoneDevicePublicKey = $iPhoneDeviceVect['key'];
// The key is written to a file only to be read straight back below.
file_put_contents($DeviceCertRequest_PublicFile, $iPhoneDevicePublicKey);

// Load DeviceCertRequest Public Key.
$DeviceCertRequest_PublicKey = new Crypt_RSA();
$DeviceCertRequest_PublicKey->loadKey(file_get_contents($DeviceCertRequest_PublicFile));
$DeviceCertRequest_PublicKey->setPublicKey();

// Load CSR And get DN.
$DeviceCertRequest_CR = new File_X509();
$DeviceCertRequest_CR->loadCSR($DeviceCertRequest);
$doulCi_DN = $DeviceCertRequest_CR->getDNProp('id-at-commonName');

// Build the new Device Certificate.
// $iPhoneDeviceCA held the CA certificate PEM until this line and is reused
// here for the certificate under construction; the loadCA() call that would
// have consumed the PEM is commented out.
// NOTE(review): the subject DN is copied verbatim from the CSR, so the
// requester chooses the subject of the certificate being built.
$iPhoneDeviceCA = new File_X509();
// $iPhoneDeviceCA->loadCA ( $iPhoneDeviceCA );
$iPhoneDeviceCA->setPublicKey($DeviceCertRequest_PublicKey);
$iPhoneDeviceCA->setDN($DeviceCertRequest_CR->getDN(true));
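/**
 * updateDetails() scan the pubkey and retrieve key-specific details
 *
 * The details are parsed once and cached in $this->csr_pubkey_details; pass
 * $force to parse again. openssl_pkey_get_details() can return false, and
 * that value is cached like any other, so the cache is checked for being an
 * array before it is searched: array_key_exists() on false raises a
 * TypeError on PHP 8.
 *
 * @param String|null a specific element to look for in the details
 * @param Boolean force a reparsing of the pubkey
 * @return Boolean true if key was found or if the key has
 *                 been parsed.
 * @access private
 */
private function updateDetails($key = null, $force = false)
{
    if (is_null($this->csr_pubkey_details) || $force) {
        $pubkey = openssl_csr_get_public_key($this->csr_pem);
        if (!$pubkey) {
            // The CSR could not be read; nothing is cached.
            return false;
        }
        $this->csr_pubkey_details = openssl_pkey_get_details($pubkey);
    }

    if (!is_array($this->csr_pubkey_details)) {
        return false;
    }

    if (!is_null($key)) {
        return array_key_exists($key, $this->csr_pubkey_details);
    }
    return true;
}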
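/**
 * If a CSR or a certificate is pasted into the form, this function parses the
 * CSR itself or sends the certificate on to cert_parse_json().
 *
 * The input only has to contain the armour text to reach the CSR branch, so
 * a malformed body is expected there. In that case the public key lookup
 * returns false; it is no longer passed on to openssl_pkey_get_details(),
 * which raises a TypeError on PHP 8. The result keeps the shape it had on
 * older PHP versions: "subject" => false, "key" => null, "details" => false.
 *
 * The two `global` declarations of the original were never used in the body
 * and have been dropped.
 *
 * @param string $csr pasted PEM text
 * @return array "subject", "key" and "details" (plus "csr_pem" and possibly
 *               "csr_sans") for a CSR; the result of cert_parse_json() for a
 *               certificate; otherwise an "error" entry
 */
function csr_parse_json($csr)
{
    $result = array();
    if (strpos($csr, "BEGIN CERTIFICATE REQUEST") !== false) {
        $cert_data = openssl_csr_get_public_key($csr);
        $cert_details = ($cert_data !== false) ? openssl_pkey_get_details($cert_data) : false;
        $cert_key = is_array($cert_details) ? $cert_details['key'] : null;
        $cert_subject = openssl_csr_get_subject($csr);
        // The subject, the echoed PEM and the SAN list are requester-controlled
        // text; whatever renders this result has to escape them for its
        // output context.
        $result["subject"] = $cert_subject;
        $result["key"] = $cert_key;
        $result["details"] = $cert_details;
        if ($cert_details) {
            $result["csr_pem"] = $csr;
            $sans = get_sans_from_csr($csr);
            // NOTE(review): "> 1" leaves out a list with exactly one entry;
            // confirm against what get_sans_from_csr() returns.
            if (count($sans) > 1) {
                $result["csr_sans"] = $sans;
            }
        }
    } elseif (strpos($csr, "BEGIN CERTIFICATE") !== false) {
        $result = cert_parse_json($csr, null, null, null, null, true);
    } else {
        $result = array("error" => "data not valid csr");
    }
    return $result;
}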