// Sanity-check the key pair: the self-signed certificate against its private key.
print "check a pair of keys: cert signed by self and private: \n";
check_pair($cert_self, $priv);
// 验证证书是否有效
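/**
 * Check which X.509 purposes a certificate is valid for, chaining to the bundled CA.
 *
 * Every purpose result is still printed with var_dump() (as before) and is also
 * returned, so a caller can act on the outcome instead of reading stdout.
 *
 * @param mixed       $cert   certificate to check (PEM string, file:// path, or
 *                            an OpenSSL certificate resource/object)
 * @param string|null $cainfo path to a CA certificate file; defaults to
 *                            ca/ca_cert.cer next to this script
 * @return array<int, bool|int> purpose constant => true/false, or -1 when
 *                              OpenSSL reported an error instead of a verdict
 */
function check_cert($cert, ?string $cainfo = null): array
{
    // The CA list accepted by openssl_x509_checkpurpose() may only contain file
    // paths (each file may hold several X.509 certificates); PEM strings and
    // OpenSSL X.509 resources are not accepted there.
    $cainfo = $cainfo ?? __DIR__ . '/ca/ca_cert.cer';

    $purposes = [
        X509_PURPOSE_SSL_CLIENT,
        X509_PURPOSE_SSL_SERVER,
        X509_PURPOSE_NS_SSL_SERVER,
        X509_PURPOSE_SMIME_SIGN,
        X509_PURPOSE_SMIME_ENCRYPT,
        X509_PURPOSE_CRL_SIGN,
        X509_PURPOSE_ANY,
    ];

    $results = [];
    foreach ($purposes as $purpose) {
        // Returns true/false for a verdict and -1 on error; -1 is truthy, so this
        // value must never be collapsed into a plain `if ($result)` check.
        $result = openssl_x509_checkpurpose($cert, $purpose, [$cainfo]);
        var_dump($result);
        $results[$purpose] = $result;
    }

    return $results;
}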
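echo "check certificate valid: signed ca\n";
check_cert($certout_ca);
echo "\ncheck certificate valid: signed self\n";
check_cert($certout_self);
echo "\ncheck certificate valid: another certificate\n";
check_cert($certout_other);
echo "\n";

// Export the private key as PEM so openssl_private_decrypt() below can use it as
// a string. A null passphrase writes the key unencrypted: acceptable for an
// in-memory demo, not for key material that is persisted.
if (!openssl_pkey_export($priv, $priv_key, null, $config)) {
    echo "-Err, private key export failed: " . openssl_error_string() . "\n";
}

$cleartext = '1234 5678 9012 3456';
echo "Clear txt: \n{$cleartext}\n";

// Encrypt against the public key of each certificate. The default padding is
// PKCS#1 v1.5; OPENSSL_PKCS1_OAEP_PADDING is the recommended choice for new code,
// the default is kept here only to stay compatible with the original demo output.
if (openssl_public_encrypt($cleartext, $crypttext, $certout_self)) {
    echo "\nCrypt signed self text:\n" . base64_encode($crypttext) . "\n";
} else {
    echo "-Err, encrypt with self-signed certificate failed: " . openssl_error_string() . "\n";
}

if (openssl_public_encrypt($cleartext, $crypttext, $certout_ca)) {
    echo "\nCrypt signed CA text:\n" . base64_encode($crypttext) . "\n";
} else {
    echo "-Err, encrypt with CA-signed certificate failed: " . openssl_error_string() . "\n";
}

// Decrypt the last ciphertext (the CA-signed one) with the exported private key.
// On failure $decrypted is left unset, so report instead of printing garbage.
if (openssl_private_decrypt($crypttext, $decrypted, $priv_key)) {
    echo "\nDecrypted text:\n{$decrypted}\n\n";
} else {
    echo "-Err, decrypt failed: " . openssl_error_string() . "\n";
}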
    $contents = file_get_contents($file_contents);
    openssl_pkcs12_read($pkcs12, $cert, $pass);
    while ($msg = openssl_error_string()) {
        echo $msg . "<br />\n";
    }
    openssl_private_decrypt($contents, $decrypted, $cert['pkey']);
    if ($plain === $decrypted) {
        echo "+Ok, decrypt succ!\n";
    } else {
        echo "-Err, decrypt fail!(" . __LINE__ . ")\n";
    }
}
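// Prepare the working directory: create it, or empty it so artefacts left by a
// previous run cannot be mistaken for this run's output.
if (!is_dir($path)) {
    // 0775 leaves the directory group-writable and world-readable; if private
    // keys are written here, a tighter mode (e.g. 0700) would be appropriate.
    if (!mkdir($path, 0775) && !is_dir($path)) {
        throw new RuntimeException("Cannot create working directory: {$path}");
    }
} else {
    // Resolve to an absolute path and refuse to wipe the filesystem root, then
    // quote the path so spaces or shell metacharacters in $path cannot change
    // what `rm` operates on.
    $realPath = realpath($path);
    if ($realPath === false || $realPath === DIRECTORY_SEPARATOR) {
        throw new RuntimeException("Refusing to clear unsafe working directory: {$path}");
    }
    exec('rm -fr ' . escapeshellarg($realPath) . '/*', $out, $ret);
    if ($ret !== 0) {
        echo "-Err, could not clear {$realPath} (exit code {$ret})\n";
    }
}

create_ca();
create_cert();
check_cert();
encrypt();
decrypt();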
/*
 * 测试:
 * (1)CA 证书不过期,用户证书过期
 * (2)CA 证书过期,用户证书不过期
 *
 * 结论:
 * (1)CA 证书过期,则用户证书验证失败
 * (2)CA 证书有效,用户证书过期,则验证失败
 */