/**
* 验签 方法 二 (未知公匙,获得需经转换)
* [rsa_verify2 description]
* @param [type] $cert_file [description]
* @param [type] $data [description]
* @param [type] $signature [description]
* @return [type] [description]
*/
function rsa_verify2($cert_file, $data, $signature)
{
$cert = der2pem(file_get_contents($cert_file));
$certs = openssl_x509_read($cert);
$key = openssl_get_publickey($certs);
$result = (bool) openssl_verify($data, base64_decode($signature), $key, OPENSSL_ALGO_SHA1);
openssl_free_key($key);
return $result;
}
function HandleValidateCert($backend, $devid, $protocolversion)
{
global $zpushdtd;
global $input, $output;
$decoder = new WBXMLDecoder($input, $zpushdtd);
$encoder = new WBXMLEncoder($output, $zpushdtd);
if (!$decoder->getElementStartTag(SYNC_VALIDATECERT_VALIDATECERT)) {
return false;
}
while (($field = $decoder->getElementStartTag(SYNC_VALIDATECERT_CERTIFICATES) ? SYNC_VALIDATECERT_CERTIFICATES : ($decoder->getElementStartTag(SYNC_VALIDATECERT_CERTIFICATECHAIN) ? SYNC_VALIDATECERT_CERTIFICATECHAIN : ($decoder->getElementStartTag(SYNC_VALIDATECERT_CHECKCRL) ? SYNC_VALIDATECERT_CHECKCRL : -1))) != -1) {
if ($field == SYNC_VALIDATECERT_CERTIFICATES) {
while ($decoder->getElementStartTag(SYNC_VALIDATECERT_CERTIFICATE)) {
$certificates[] = $decoder->getElementContent();
if (!$decoder->getElementEndTag()) {
return false;
}
}
if (!$decoder->getElementEndTag()) {
return false;
}
} else {
if ($field == SYNC_VALIDATECERT_CERTIFICATECHAIN) {
while ($decoder->getElementStartTag(SYNC_VALIDATECERT_CERTIFICATE)) {
$chain_certificates[] = $decoder->getElementContent();
if (!$decoder->getElementEndTag()) {
return false;
}
}
if (!$decoder->getElementEndTag()) {
return false;
}
} else {
if ($field == SYNC_VALIDATECERT_CHECKCRL) {
$checkcrl = $decoder->getElementContent();
if (!$decoder->getElementEndTag()) {
return false;
}
}
}
}
}
if (isset($checkcrl)) {
debugLog("validatecert: checkcrl: " . $checkcrl);
}
if (isset($chain_certificates)) {
foreach ($chain_certificates as $certificate) {
debugLog("validatecert: certificatechain: " . print_r($certificate, true));
}
}
foreach ($certificates as $certificate) {
$cert_der = base64_decode($certificate);
$cert_pem = "-----BEGIN CERTIFICATE-----\n" . chunk_split(base64_encode($cert_der), 64, "\n") . "-----END CERTIFICATE-----\n";
$cert_fn = VERIFYCERT_TEMP . "validatecert" . rand(1000, 99999) . ".pem";
file_put_contents($cert_fn, $cert_pem);
$now = time();
if (!($cert_content = openssl_x509_parse($cert_pem))) {
$status = 10;
} else {
if ($cert_content['validFrom_time_t'] >= $now || $cert_content['validTo_time_t'] <= $now) {
$status = 7;
} else {
if (openssl_x509_checkpurpose($cert_pem, X509_PURPOSE_SMIME_SIGN, array(VERIFYCERT_CERTSTORE)) != 1) {
$status = 9;
} else {
if ($checkcrl == 1) {
if (isset($cert_content['extensions']['crlDistributionPoints'])) {
$crlDistributionPoints = explode("\n", str_replace("\r", '', $cert_content['extensions']['crlDistributionPoints']));
foreach ($crlDistributionPoints as $entry) {
$line = explode("URI:", $entry);
if (isset($line[1]) && substr($line[1], 0, 5) == "http:") {
$crl_urls[] = $line[1];
}
}
}
if (isset($cert_content['extensions']['authorityInfoAccess'])) {
$authorityInfoAccess = explode("\n", str_replace("\r", '', $cert_content['extensions']['authorityInfoAccess']));
foreach ($authorityInfoAccess as $entry) {
$line = explode(" - URI:", $entry);
if (strtolower(trim($line[0])) == 'ocsp') {
$ocsp_urls[] = $line[1];
}
if (strtolower(trim($line[0])) == 'ca issuers') {
$ca_issuers[] = $line[1];
}
}
}
$result = preg_split('/[\\r\\n]/', shell_exec(VERIFYCERT_SSLBIN . " x509 -in " . $cert_fn . " -issuer_hash -noout"));
$issuer_cer_name = $result[0] . '.0';
$issuer_crl_name = $result[0] . '.r0';
if (!file_exists(VERIFYCERT_CERTSTORE . $issuer_cer_name)) {
if (isset($ca_issuers)) {
foreach ($ca_issuers as $ca_issuer) {
$ca_cert = file_get_contents($ca_issuer);
if (strpos($ca_cert, '----BEGIN CERTIFICATE-----') == false) {
$ca_cert = der2pem($ca_cert);
}
if (!openssl_x509_parse($ca_cert)) {
$status = 5;
} else {
file_put_contents(VERIFYCERT_CERTSTORE . $issuer_cer_name, $ca_cert);
}
}
} else {
$status = 4;
}
}
if (isset($ocsp_urls)) {
$command = VERIFYCERT_SSLBIN . " ocsp -VAfile " . VERIFYCERT_CERTSTORE . $issuer_cer_name . " -issuer " . VERIFYCERT_CERTSTORE . $issuer_cer_name . " -CApath " . VERIFYCERT_CERTSTORE . " -no_nonce -cert " . $cert_fn . " -url " . $ocsp_urls[0];
$result = preg_split('/[\\r\\n]/', shell_exec($command));
$status = 14;
foreach ($result as $line) {
$values = explode(":", $line);
if (trim($values[0]) == $cert_fn) {
switch (strtolower(trim($values[1]))) {
case 'good':
$status = 1;
break;
default:
$status = 13;
}
}
}
} else {
if (isset($crl_urls)) {
echo "Verfication using crl!<br>\n";
$nextupdate = time() - 1;
if (file_exists(VERIFYCERT_CERTSTORE . $issuer_crl_name)) {
$command = VERIFYCERT_SSLBIN . " crl -in " . VERIFYCERT_CERTSTORE . $issuer_crl_name . " -nextupdate -noout";
$result = preg_split('/[\\r\\n]/', shell_exec($command));
foreach ($result as $line) {
$values = explode("=", $line);
if (strtolower(trim($values[0])) == 'nextupdate') {
$nextupdate = strtotime($values[1]);
}
}
}
if (!file_exists(VERIFYCERT_CERTSTORE . $issuer_crl_name) || $nextupdate < time()) {
if ($nextupdate < time()) {
echo "CRL File needs update!\n";
}
foreach ($crl_urls as $crl_url) {
if ($crl_cert = file_get_contents($crl_url)) {
if (strstr($crl_cert, '----BEGIN X509 CRL-----') == false) {
file_put_contents(VERIFYCERT_TEMP . $issuer_crl_name, $crl_cert);
$command = VERIFYCERT_SSLBIN . " crl -in " . VERIFYCERT_TEMP . $issuer_crl_name . " -inform der -out " . VERIFYCERT_CERTSTORE . $issuer_crl_name . " -outform pem";
$result = preg_split('/[\\r\\n]/', shell_exec($command));
foreach ($result as $line) {
echo $line . "\n";
}
} else {
file_put_contents(VERIFYCERT_CERTSTORE . $issuer_crl_name, $crl_cert);
}
} else {
$status = 14;
}
}
}
if (file_exists(VERIFYCERT_CERTSTORE . $issuer_crl_name)) {
$command = VERIFYCERT_SSLBIN . " verify -verbose -CApath " . VERIFYCERT_CERTSTORE . " -crl_check " . $cert_fn;
$result = preg_split('/[\\r\\n]/', shell_exec($command));
foreach ($result as $line) {
$values = explode(":", $line);
if (trim($values[0]) == $cert_fn) {
switch (strtolower(trim($values[1]))) {
case 'ok':
$status = 1;
break;
default:
$status = 13;
}
}
}
} else {
$status = 16;
}
} else {
$status = 16;
}
}
} else {
$status = 1;
}
}
}
}
unlink($cert_fn);
}
$encoder->startWBXML();
$encoder->startTag(SYNC_VALIDATECERT_VALIDATECERT);
$encoder->startTag(SYNC_VALIDATECERT_STATUS);
$encoder->content(1);
$encoder->endTag();
// end SYNC_VALIDATECERT_STATUS
$encoder->startTag(SYNC_VALIDATECERT_CERTIFICATE);
$encoder->startTag(SYNC_VALIDATECERT_STATUS);
$encoder->content($status);
$encoder->endTag();
// end SYNC_VALIDATECERT_STATUS
$encoder->endTag();
// end SYNC_VALIDATECERT_CERTIFICATE
$encoder->endTag();
// end SYNC_VALIDATECERT_VALIDATECERT
return true;
}
<?php
function der2pem($der_data)
{
$pem = chunk_split(base64_encode($der_data), 64, "\n");
$pem = "-----BEGIN PUBLIC KEY-----\n" . $pem . "-----END PUBLIC KEY-----\n";
return $pem;
}
$content = file_get_contents("sandbox/content");
$sigData = file_get_contents("sandbox/signature-data");
$prvKeyEnc = file_get_contents("sandbox/private-key");
$pubKeyEnc = file_get_contents("sandbox/public-key");
$pubKeyPem = der2pem($pubKeyEnc);
$pubKey = openssl_get_publickey($pubKeyPem);
if ($pubKey === false) {
echo "Failed to load public key.\n";
exit(1);
}
// echo "Key details: ";
// print_r( openssl_pkey_get_details($pubKey) );
//echo "Public key PEM: $pubKeyPem\n";
//echo "X.509 parsed: ";
//print_r( openssl_x509_parse($pubKeyEnc) );
$verified = openssl_verify($content, $sigData, $pubKey);
echo $verified ? "Verified!" : "Did not verify!", "\n";