/** * @param array $caKeyPair * @param string $caCert * PEM-encoded cert. * @param string $csr * PEM-encoded CSR. * @param int $serialNumber * @return string * PEM-encoded cert. */ public static function signCSR($caKeyPair, $caCert, $csr, $serialNumber = 1) { $privKey = new \Crypt_RSA(); $privKey->loadKey($caKeyPair['privatekey']); $subject = new \File_X509(); $subject->loadCSR($csr); $issuer = new \File_X509(); $issuer->loadX509($caCert); $issuer->setPrivateKey($privKey); $x509 = new \File_X509(); $x509->setSerialNumber($serialNumber, 10); $x509->setEndDate(date('c', strtotime(Constants::APP_DURATION, Time::getTime()))); $result = $x509->sign($issuer, $subject, Constants::CERT_SIGNATURE_ALGORITHM); return $x509->saveX509($result); }
// Load the certificate public key. $pubkey = new Crypt_RSA(); $pubkey->loadKey(file_get_contents('certs/pubkey.pem')); $pubkey->setPublicKey(); // Build the new certificate. $iPhoneDeviceCA = new File_X509(); $iPhoneDeviceCA->loadCA($pemca); $iPhoneDeviceCA->setPublicKey($pubkey); $iPhoneDeviceCA->setDN('C=US, ST=Some-State, L=Cupertino, O=Apple Inc., OU=Apple iPhone, CN=Apple iPhone Device CA'); $iPhoneDeviceCA->setStartDate('-1 day'); $iPhoneDeviceCA->setEndDate('+ 1 year'); $iPhoneDeviceCA->setSerialNumber('10134611745959375605', 10); // Sign new certificate. $iPhoneDeviceCA_Result = $iPhoneDeviceCA->sign($ca, $iPhoneDeviceCA); // Output it. echo $iPhoneDeviceCA->saveX509($iPhoneDeviceCA_Result) . "\n"; // subject=/C=US/O=Apple Inc./OU=Apple iPhone/CN=Apple iPhone Device CA // issuer=/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple iPhone // Certification Authority // Build the new certificate. $iPhoneActivation = new File_X509(); $iPhoneActivation->loadCA($pemca); $iPhoneActivation->setPublicKey($pubkey); $iPhoneActivation->setDN('C=US, ST=Some-State, L=Cupertino, O=Apple Inc., OU=Apple iPhone, CN=Apple iPhone Activation'); $iPhoneActivation->setStartDate('-1 day'); $iPhoneActivation->setEndDate('+ 1 year'); $iPhoneActivation->setSerialNumber('2', 10); // Sign new certificate. $iPhoneActivation_Result = $iPhoneActivation->sign($ca, $iPhoneActivation); // Output it. echo $iPhoneActivation->saveX509($iPhoneActivation_Result) . "\n";
/** * In this case, we have an app whose $appCertPem appears valid, and we have CRL * whose $crlDistCertPem is signed, but the $crlDistCertPem has usage rules * which do not allow signing CRLs. */ public function testCRL_SignedByNonDist() { // create CA $caKeyPairPems = KeyPair::create(); $caCertPem = CA::create($caKeyPairPems, '/O=test'); $this->assertNotEmpty($caCertPem); // create would-be CRL dist authority -- but not really authorized for signing CRLs. // note createCSR() instead of createCrlDistCSR(). $crlDistKeyPairPems = KeyPair::create(); $crlDistCertPem = CA::signCSR($caKeyPairPems, $caCertPem, CA::createAppCSR($crlDistKeyPairPems, '/O=test')); $this->assertNotEmpty($crlDistCertPem); $certValidator = new DefaultCertificateValidator($caCertPem, NULL, NULL); $certValidator->validateCert($crlDistCertPem); // create CRL $crlDistCertObj = X509Util::loadCert($crlDistCertPem, $crlDistKeyPairPems, $caCertPem); $this->assertNotEmpty($crlDistCertObj); $crlObj = new \File_X509(); $crlObj->setSerialNumber(1, 10); $crlObj->setEndDate('+2 days'); $crlPem = $crlObj->saveCRL($crlObj->signCRL($crlDistCertObj, $crlObj)); $this->assertNotEmpty($crlPem); $crlObj->loadCRL($crlPem); // create cert $appKeyPair = KeyPair::create(); $appCertPem = CA::signCSR($caKeyPairPems, $caCertPem, CA::createAppCSR($appKeyPair, '/O=Application Provider'), 4321); // validate cert - fails due to improper CRL try { $certValidator = new DefaultCertificateValidator($caCertPem, $crlDistCertPem, $crlPem); $certValidator->validateCert($appCertPem); $this->fail('Expected InvalidCertException, but no exception was reported.'); } catch (InvalidCertException $e) { $this->assertRegExp('/CRL-signing certificate is not a CRL-signing certificate/', $e->getMessage()); } }
file_put_contents('certs/pubkey.pem', $pkeyxq); // Load the certificate public key. $pubkey = new Crypt_RSA(); $pubkey->loadKey($pkeyxq); $pubkey->setPublicKey(); $x509 = new File_X509(); $csr = $x509->loadCSR($deviceCertRequest); // see csr.csr $dn = $x509->getDN(true); // Build the new certificate. $iPhoneDeviceCA = new File_X509(); $iPhoneDeviceCA->loadCA($pemca); $iPhoneDeviceCA->setPublicKey($pubkey); $iPhoneDeviceCA->setDN($dn); $iPhoneDeviceCA->setStartDate('-1 day'); $iPhoneDeviceCA->setEndDate('+ 1 year'); $iPhoneDeviceCA->setSerialNumber('10134611745959375605', 10); // Sign new certificate. $iPhoneDeviceCA_Result = $iPhoneDeviceCA->sign($ca, $iPhoneDeviceCA); // Output it. $deviceCertificate = base64_encode($iPhoneDeviceCA->saveX509($iPhoneDeviceCA_Result) . "<br>"); $responseAlbert = '<!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="keywords" content="iTunes Store" /><meta name="description" content="iTunes Store" /><title>iPhone Activation</title><link href="http://static.ips.apple.com/ipa_itunes/stylesheets/shared/common-min.css" charset="utf-8" rel="stylesheet" /><link href="http://static.ips.apple.com/deviceservices/stylesheets/styles.css" charset="utf-8" rel="stylesheet" /><link href="http://static.ips.apple.com/ipa_itunes/stylesheets/pages/IPAJingleEndPointErrorPage-min.css" charset="utf-8" rel="stylesheet" /><script id="protocol" type="text/x-apple-plist"><plist version="1.0"> <dict> <key>iphone-activation</key> <dict> <key>activation-record</key> <dict> <key>FairPlayKeyData</key> <data>LS0tLS1CRUdJTiBDT05UQUlORVItLS0tLQpBQUVBQWF4dGtJQkpNNDhYMFNmY2FQOWMwU2xYY3FqandUMCtXMzlrbXp0bXMrc2xmVDltbE9lS2VwUjVTNnhFClpKYU4xbFViMXpqc3hhOVc0TUhYeEsybzF5bnhRM2V0b3l5bXc0OFVmUlJyNzJON2xNU3BRT3BNeDJoUXZTclMKUW9Db0psVWtOSzBRM2s4M1BKVXBlaFFuenBSeGgxUHhOUmI5eXB5K2RUVHh6L0RVTmt0R3BFekkxa245d2pXaQpTMzRURjloTDc5L3BGUmtHcnB5KzFLdGI5T2MyK2d5QzZoc1RFSEVqcTRNM3k4dGZWNUJ2Z1pDWFM3Y2J4VVhiClpoSjJkenUzYWpraWZ1UHR6azVtT3hzUjhIYitQdklDT0dvQWJZNC95SkFJRHBEdWNwNHExQVJ1bVlDeFhFd1gKQ0JVOHRpMGNLMDlyUUUzdmtLbG9oZDVJOGlMTHVkcmFSQzI0TUtycTJMVjB4K3RMWkppb2NNb3hwNk9XdW5DeQpNN2xzT2NIY2Zicjl0SVA2ZlpWUW1qcXFScC9ibm91eEE0b2RHUzNla0RjQ05LbnVhamY3dUZ6eHNRSjhjZG4zCkR0MjE5SWhXbGZ6RnFHZDlqU29KRHNJMVM3bEJVRXEvRGUxeXVGMkNYbjk4djZLTzJpeW4wOGtkaW5PN0k2Zk0KNWVCNWxISCtiL21NQStycUVEWGVaQnRRdHpNczZ2cFB2Z2IwWWZzYnd0cHB1bGRhUnI0NERPbm5qMVFBQnRmRQpBWHhaVjhoS0NIZmRKMFdVbmY3K3VXRDVVYWNMcmNWdWpwU2cyb256UURKWDFoNVNmVUNMUWNpbFZMUzBaR3pCCm5maWNkSDlYMU5NK1FHQzU0K3lzVE0rVzh6QUJFQlhSNEhOdGFKQjJ0SkVUclExOWQ2SS9rSG02WVAzSm9vZWIKQk1kT09MNDg2NlZlR21nVjVTM3hXT2srY21SNGtobFp3MVFpSVhkSjBxT3U4MHpaSFEvUGpJdk83SHUrNWl5RApIK2JqYlBLWFUrR1Z5bDNEWDB5MHoyVmJjUUx2bzZjTDdCVmQ5OVFXNUVCdDBvTUsrMmIyZjdoNGsxWVlYYzA5ClZ1clJ2SnJnRm5teVh5MUs0bHlUakJDaTVRUzdOakFlT0QyTWo1bVRKNVlBNGxHYytPREREcnQ3YmkrR1B5L3QKWkpZdjE1Zk5EL25acnh5c09zNWhaVjZablRIQ0hxZUxkcGthMFFrUXdSS0YrNis4NCtSeHVIL3NLeXY0SFRkUQpZcnllUGxpSnZheUMwekwxTjJrNjNETTdweXNTT2t0d2FWNEs1dkV4VHY3N3kzL1ptVHRtZi9Ic2tWTTVMbDlaClBIWm5ieFVzYXFQeExzWjRFeEQ0SkJOSXh3d1BxWGhTYUZURFZzTFc0Rld5VUJLOGZSbTFNRGZSUnJaMkdCQ3IKeERqUGNVRjVBWkRENlhhQXZGS0VKSW5lc0JvR0JUY3phYVNQL3pxNFBZM3UxVEFMN1hFZTRqY3plR3pCSGRlTAp2aVIxditRMm9aYzcwUDFHaTJoL0xLUEVGQVM3VElvZU5HWjhkcXFmSDBLZHdJK3FTcFJOUkQvc0c0cFNmNXJQCnpwZytFcFgvdXZDWW5Zb2pLNnFzR0JFWWk3cFRrbkhtLzRkUmY4MmlrODc4c3lVaFR0UlFBMGV5OC9iN0szamIKUldWYUgxRDFRWFozV2VEc1RnbTMwbjVGeE5hZnFTZnE0NmpHam9mSWZjVFpFMEhvS2ppYkFVemtKVUxWYzJDUwpycW80MkR6ZUp3am1jRDEyV2x1bkIwL0pTd01aSkFQalExYkpTL094c2JEQzVFNTZjaC84YVdLd2xnN2hyNlhwCmNsd2RWb2FTcVRXcmt4NFVOdkVYek1WeFhRZUNrNHQ3WjZHOVRBZUt5V05YcGFReXJ0K05Xb0RCZVNLVkFQM1YKMWdHRThoNkxLMGxIRVppYVRVSGRXOVo0ZGUvWVNkUGZkOFcvL2dnbEhSNkVoWFJmCi0tLS0tRU5EIENPTlRBSU5FUi0tLS0tCg==</data> <key>AccountTokenCertificate</key> <data>' . $accountTokenCertificate . '</data>
protected function execute(InputInterface $input, OutputInterface $output) { $helper = $this->getHelper('question'); // ask fields $options = ['countryName' => 'CN', 'stateOrProvinceName' => 'Shanghai', 'localityName' => 'Shanghai']; if (!$input->getOption('default')) { foreach ($options as $ask => $default) { $q = new Question($ask . '[' . $default . ']: ', $default); $options[$ask] = $helper->ask($input, $output, $q); } } $output->writeln('Generating CA private key...'); $CAPrivKey = new \Crypt_RSA(); $key = $CAPrivKey->createKey(2048); file_put_contents(Application::$CONFIG_DIRECTORY . '/cert-ca.key', $key['privatekey']); $output->writeln('Generating self-signed CA certificate...'); $CAPrivKey->loadKey($key['privatekey']); $pubKey = new \Crypt_RSA(); $pubKey->loadKey($key['publickey']); $pubKey->setPublicKey(); $subject = new \File_X509(); $subject->setDNProp('id-at-organizationName', 'OpenVJ Certificate Authority'); foreach ($options as $prop => $val) { $subject->setDNProp('id-at-' . $prop, $val); } $subject->setPublicKey($pubKey); $issuer = new \File_X509(); $issuer->setPrivateKey($CAPrivKey); $issuer->setDN($CASubject = $subject->getDN()); $x509 = new \File_X509(); $x509->setStartDate('-1 month'); $x509->setEndDate('+3 year'); $x509->setSerialNumber(chr(1)); $x509->makeCA(); $result = $x509->sign($issuer, $subject, 'sha256WithRSAEncryption'); file_put_contents(Application::$CONFIG_DIRECTORY . '/cert-ca.crt', $x509->saveX509($result)); $output->writeln('Generating background service SSL private key...'); $privKey = new \Crypt_RSA(); $key = $privKey->createKey(2048); file_put_contents(Application::$CONFIG_DIRECTORY . '/cert-bg-server.key', $key['privatekey']); $privKey->loadKey($key['privatekey']); $output->writeln('Generating background service SSL certificate...'); $pubKey = new \Crypt_RSA(); $pubKey->loadKey($key['publickey']); $pubKey->setPublicKey(); $subject = new \File_X509(); $subject->setPublicKey($pubKey); $subject->setDNProp('id-at-organizationName', 'OpenVJ Background Service Certificate'); foreach ($options as $prop => $val) { $subject->setDNProp('id-at-' . $prop, $val); } $subject->setDomain('127.0.0.1'); $issuer = new \File_X509(); $issuer->setPrivateKey($CAPrivKey); $issuer->setDN($CASubject); $x509 = new \File_X509(); $x509->setStartDate('-1 month'); $x509->setEndDate('+3 year'); $x509->setSerialNumber(chr(1)); $result = $x509->sign($issuer, $subject, 'sha256WithRSAEncryption'); file_put_contents(Application::$CONFIG_DIRECTORY . '/cert-bg-server.crt', $x509->saveX509($result)); $output->writeln('Generating background service client private key...'); $privKey = new \Crypt_RSA(); $key = $privKey->createKey(2048); file_put_contents(Application::$CONFIG_DIRECTORY . '/cert-bg-client.key', $key['privatekey']); $privKey->loadKey($key['privatekey']); $output->writeln('Generating background service client certificate...'); $pubKey = new \Crypt_RSA(); $pubKey->loadKey($key['publickey']); $pubKey->setPublicKey(); $subject = new \File_X509(); $subject->setPublicKey($pubKey); $subject->setDNProp('id-at-organizationName', 'OpenVJ Background Service Client Certificate'); foreach ($options as $prop => $val) { $subject->setDNProp('id-at-' . $prop, $val); } $issuer = new \File_X509(); $issuer->setPrivateKey($CAPrivKey); $issuer->setDN($CASubject); $x509 = new \File_X509(); $x509->setStartDate('-1 month'); $x509->setEndDate('+3 year'); $x509->setSerialNumber(chr(1)); $x509->loadX509($x509->saveX509($x509->sign($issuer, $subject, 'sha256WithRSAEncryption'))); $x509->setExtension('id-ce-keyUsage', array('digitalSignature', 'keyEncipherment', 'dataEncipherment')); $x509->setExtension('id-ce-extKeyUsage', array('id-kp-serverAuth', 'id-kp-clientAuth')); $result = $x509->sign($issuer, $x509, 'sha256WithRSAEncryption'); file_put_contents(Application::$CONFIG_DIRECTORY . '/cert-bg-client.crt', $x509->saveX509($result)); }
$iPhoneDeviceCAOrigVect = openssl_pkey_get_details(openssl_pkey_get_public($iPhoneDeviceCAOrig)); $iPhoneDeviceCAOrigPublicKey = $iPhoneDeviceCAOrigVect['key']; $Message .= "Apple Certificate PRODUCTION : " . "\n" . $iPhoneDeviceCAOrig . "\n"; $Message .= "Apple Certificate PublicKey, Apple Inc. : " . "\n" . $iPhoneDeviceCAOrigPublicKey . "\n"; //print $iPhoneDeviceCAOrig; $DeviceCAOrig = new File_X509(); $DeviceCAOrig->loadX509($iPhoneDeviceCAOrig); $DeviceCAOrigPublicKey = $DeviceCAOrig->getPublicKey($iPhoneDeviceCAOrig); $DeviceCAOrigDN = $DeviceCAOrig->getDN(true); $DeviceCAOrigIssuerDN = $DeviceCAOrig->getIssuerDN(true); $DeviceCAOrigExtensions = $DeviceCAOrig->getExtensions(); $iPhoneDeviceCANew_x509 = new File_X509(); //$iPhoneDeviceCANew_x509->setPublicKey ( $DeviceCAOrigPublicKey ); //$iPhoneDeviceCANew_x509->setDN ( $DeviceCAOrigDN ); $iPhoneDeviceCANew_x509->setStartDate('-1 day'); $iPhoneDeviceCANew_x509->setEndDate('+ 10 year'); //$iPhoneDeviceCANew_x509->setIssuerDN ( $DeviceCAOrigIssuerDN ); $extensions = array(); $i = 0; if (is_array($DeviceCAOrigExtensions)) { foreach ($DeviceCAOrigExtensions as $extension) { $extensions[] = $extension; $value = $DeviceCAOrig->getExtension($extension); $iPhoneDeviceCANew_x509->setExtension($extension, $value); //print $extension . "\n" . print_r($value); } } $crt = $iPhoneDeviceCANew_x509->loadX509($iPhoneDeviceCANew_x509->saveX509($iPhoneDeviceCANew_x509->sign($CA_Certificate, $DeviceCAOrig))); $Certificate = $iPhoneDeviceCANew_x509->saveX509($crt); // Cert Reproduce idea. /*