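/**
 * Export the signed certificate together with its private key as a PKCS#12 bundle.
 *
 * @param string $file Path the PKCS#12 bytes are written to. The bundle contains the
 *                     private key (protected by $this->pkeypass), so the location
 *                     should not be world-readable.
 * @return void
 * @throws \RuntimeException When OpenSSL refuses the export or the file cannot be written.
 */
public function exportCertificatePkcs12($file)
{
    \debug("OpenSSL CSR: Exporting certificate as PKCS12: {$file}");

    $pkcs = null;
    // NOTE(review): the documented option key is 'friendly_name' (a string); 'friendly_names'
    // appears to be ignored by openssl_pkcs12_export - kept as-is, confirm the intent.
    $ok = openssl_pkcs12_export($this->signed, $pkcs, $this->pkey, $this->pkeypass, ["friendly_names" => true]);
    // Previously a failed export silently wrote an empty file that the caller
    // would go on to treat as a valid bundle.
    if ($ok !== true) {
        throw new \RuntimeException("PKCS12 export failed: " . (string) openssl_error_string());
    }

    if (file_put_contents($file, $pkcs) === false) {
        throw new \RuntimeException("Unable to write PKCS12 file: {$file}");
    }
}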
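/**
 * Build the FairPlay option configuration as a JSON string.
 *
 * The certificate and private key are packed into a password-protected PKCS#12
 * (PFX) container, base64-encoded and stored in a FairPlayConfiguration together
 * with the remaining parameters.
 *
 * @param mixed  $cert             Certificate accepted by openssl_pkcs12_export (PEM string or certificate object).
 * @param mixed  $pkey             Private key matching $cert.
 * @param string $pfxPassword      Password protecting the PFX container.
 * @param string $pfxPasswordKeyId Identifier of the stored key holding the PFX password (FairPlayPfxPasswordId).
 * @param string $askId            FairPlay ASK identifier (ASkId).
 * @param string $contentIv        Content encryption IV (ContentEncryptionIV).
 * @return string JSON-encoded FairPlayConfiguration.
 * @throws \RuntimeException When the PKCS#12 export fails.
 */
public static function createSerializedFairPlayOptionConfiguration($cert, $pkey, $pfxPassword, $pfxPasswordKeyId, $askId, $contentIv)
{
    $certBytes = '';
    // A failed export used to leave $certBytes unset and silently produce a
    // configuration with an empty FairPlayPfx; fail loudly instead.
    if (openssl_pkcs12_export($cert, $certBytes, $pkey, $pfxPassword) !== true) {
        throw new \RuntimeException('Unable to export FairPlay certificate as PKCS12: ' . (string) openssl_error_string());
    }

    $template = new FairPlayConfiguration();
    $template->ASkId = $askId;
    $template->ContentEncryptionIV = $contentIv;
    $template->FairPlayPfx = base64_encode($certBytes);
    $template->FairPlayPfxPasswordId = $pfxPasswordKeyId;

    return json_encode($template);
}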
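/**
 * Export the certificate (or, while still unsigned, the CSR) as a string.
 *
 * While $this->signed is false the pending CSR is exported as PEM and $type is
 * ignored. Once signed, $type selects the container format.
 * NOTE(review): after signing, $this->csr is passed to openssl_x509_export /
 * openssl_pkcs12_export, i.e. it is treated as the certificate - confirm.
 *
 * @param string      $type     'x509' for a PEM certificate, 'pkcs12' for a PKCS#12 bundle including the private key.
 * @param string|null $password Passphrase protecting the PKCS#12 bundle; unused for 'x509'.
 * @return string
 * @throws \InvalidArgumentException When $type is not a supported format.
 * @throws \RuntimeException When OpenSSL fails to export.
 */
public function export($type = 'x509', $password = null)
{
    $out = '';

    if ($this->signed === false) {
        $ok = openssl_csr_export($this->csr, $out);
    } else {
        switch ($type) {
            case 'x509':
                $ok = openssl_x509_export($this->csr, $out);
                break;
            case 'pkcs12':
                // openssl_pkcs12_export takes a non-nullable string passphrase (null is
                // deprecated on PHP 8.1+), so an absent password becomes ''.
                // NOTE(review): an empty passphrase leaves the private key in the bundle
                // unprotected; confirm callers always supply one for 'pkcs12'.
                $passphrase = $password === null ? '' : $password;
                $ok = openssl_pkcs12_export($this->csr, $out, $this->keyPair->privateKey, $passphrase);
                break;
            default:
                // Previously fell through the switch and returned an undefined $out.
                throw new \InvalidArgumentException("Unsupported export type: {$type}");
        }
    }

    if ($ok !== true) {
        throw new \RuntimeException('Certificate export failed: ' . (string) openssl_error_string());
    }

    return $out;
}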
} exit; } elseif ($act == "p12") { // export cert+key in p12 format if (isset($id)) { $exp_name = urlencode("{$a_cert[$id]['descr']}.p12"); $args = array(); $args['friendly_name'] = $a_cert[$id]['descr']; $ca = lookup_ca($a_cert[$id]['caref']); if ($ca) { $args['extracerts'] = openssl_x509_read(base64_decode($ca['crt'])); } $res_crt = openssl_x509_read(base64_decode($a_cert[$id]['crt'])); $res_key = openssl_pkey_get_private(array(0 => base64_decode($a_cert[$id]['prv']), 1 => "")); $exp_data = ""; openssl_pkcs12_export($res_crt, $exp_data, $res_key, null, $args); $exp_size = strlen($exp_data); header("Content-Type: application/octet-stream"); header("Content-Disposition: attachment; filename={$exp_name}"); header("Content-Length: {$exp_size}"); echo $exp_data; } exit; } elseif ($act == "csr") { if (!isset($id)) { header("Location: system_certmanager.php"); exit; } $pconfig['descr'] = $a_cert[$id]['descr']; $pconfig['csr'] = base64_decode($a_cert[$id]['csr']); $pconfig['cert'] = null;
// Round-trips a freshly generated key and self-signed certificate through
// openssl_pkcs12_export / openssl_pkcs12_read and checks both parts come back.
function test_openssl_pkcs12_read()
{
    $key = openssl_pkey_new();
    VERIFY($key != null);

    $request = openssl_csr_new(null, $key);
    VERIFY($request != null);

    // Self-signed: the request's own key signs it, valid for a year.
    $certificate = openssl_csr_sign($request, null, $key, 365);

    $passphrase = "1234";
    openssl_pkcs12_export($certificate, $bundle, $key, $passphrase);

    VERIFY(openssl_pkcs12_read($bundle, $parts, $passphrase));
    // PEM-encoded cert and key are each well over 500 bytes for any usable key size.
    VERIFY(strlen($parts['cert']) > 500);
    VERIFY(strlen($parts['pkey']) > 500);
}
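/**
 * Process requests to obtain pkcs12 file.
 *
 * Loads the server certificate named by the WA_QS_ID crumb, asks for the private
 * key pass phrase and an export password, and streams the resulting PKCS#12 bundle
 * (certificate, private key and issuer chain) as a download.
 *
 * @return void
 */
function getPageServerPkcs12()
{
    $this->html->setPageTitle('Get PKCS12 Certificate');

    $id = $this->html->crumbGet(WA_QS_ID);
    if (!is_numeric($id) or $id < 1) {
        $this->html->errorMsgSet('Must specify valid certificate id.');
        die($this->html->loadTemplate('client.view.php'));
    }

    $this->moduleRequired('server,ca');
    $this->server->resetProperties();
    if ($this->server->populateFromDb($id) === false) {
        $this->html->errorMsgSet('Failed to locate the specified certificate.');
        die($this->html->loadTemplate('server.view.php'));
    }
    // Objects are handle types already; the former call-time `&` here is a
    // compile-time fatal error on PHP >= 5.4.
    $this->html->setVar('data', $this->server);

    // Have they been given the chance to enter the private key password?
    $conf = isset($_POST[WA_QS_CONFIRM]) ? $_POST[WA_QS_CONFIRM] : false;
    $keyPass = isset($_POST['keyPass']) ? $_POST['keyPass'] : null;
    $expPass = isset($_POST['expPass']) ? $_POST['expPass'] : false;
    if ($conf !== 'yes' or $expPass === false) {
        die($this->html->loadTemplate('server.pkcs12.php'));
    }

    // Get down to bidness
    $cert = $this->server->getProperty('Certificate');
    $pk = $this->server->getProperty('PrivateKey');

    // Get and decrypt the private key...
    $pkey = openssl_pkey_get_private($pk, $keyPass);
    if ($pkey === false) {
        $this->html->errorMsgSet('Invalid pass phrase for private key.');
        die($this->html->loadTemplate('server.pkcs12.php'));
    }

    // Extra args - name of certificate for import and chain CA certificates
    $serverName = $this->server->getProperty('CommonName');
    $certName = 'Server Certificate - ' . $serverName;

    // Obtain chain of issuer certificate ids and collect their PEM certificates.
    // A dedicated loop variable keeps the certificate id in $id intact.
    $chain = array();
    $issuerIds = $this->ca->getCaChainIds($this->server->getProperty('ParentId'));
    if (is_array($issuerIds)) {
        foreach ($issuerIds as $issuerId) {
            $pem = $this->ca->getPemCertById($issuerId);
            if (is_string($pem)) {
                $chain[] = trim($pem);
            }
        }
    }
    $certs = count($chain) > 0 ? implode("\n", $chain) : '';

    $extraArgs = array('extracerts' => $certs, 'friendly_name' => $certName);
    $rc = openssl_pkcs12_export($cert, $pkcs12, $pkey, $expPass, $extraArgs);
    if ($rc !== true) {
        $this->html->errorMsgSet('Failed to export PKCS12 Certficate Store.');
        die($this->html->loadTemplate('server.pkcs12.php'));
    }

    // The CommonName originates from user-entered data; strip the characters
    // that would terminate or break the quoted filename in Content-Disposition.
    $fileName = str_replace(array("\r", "\n", '"', '\\'), '', $serverName);

    header('Pragma: private');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Cache-Control: private');
    header('Content-Description: File Transfer');
    header('Content-Type: application/x-pkcs12');
    header('Content-Disposition: attachment; filename="' . $fileName . '.p12"');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . strlen($pkcs12));
    die($pkcs12);
}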
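/**
 * Generate a self-signed certificate.
 *
 * Creates a key pair from $this->config, a CSR from $this->dn, self-signs it for
 * $this->iNumberOfDays and writes the PEM certificate to $this->sCerPath and a
 * PKCS#12 (PFX) bundle protected by $this->sPrivKeyPass to $this->sPfxPath.
 *
 * @return void
 * @throws \RuntimeException When any OpenSSL step fails or a file cannot be written.
 */
private function process()
{
    $privkey = openssl_pkey_new($this->config);
    if ($privkey === false) {
        throw new \RuntimeException('Key generation failed: ' . (string) openssl_error_string());
    }

    $csr = openssl_csr_new($this->dn, $privkey);
    if ($csr === false) {
        throw new \RuntimeException('CSR creation failed: ' . (string) openssl_error_string());
    }

    // null CA certificate => the request is signed with its own key (self-signed).
    $sscert = openssl_csr_sign($csr, null, $privkey, $this->iNumberOfDays);
    if ($sscert === false) {
        throw new \RuntimeException('Certificate signing failed: ' . (string) openssl_error_string());
    }

    // The previous version ignored these results and wrote whatever the output
    // variables held, producing empty files when OpenSSL failed.
    if (openssl_x509_export($sscert, $certPem) !== true) {
        throw new \RuntimeException('Certificate export failed: ' . (string) openssl_error_string());
    }
    if (openssl_pkcs12_export($sscert, $pfx, $privkey, $this->sPrivKeyPass) !== true) {
        throw new \RuntimeException('PKCS12 export failed: ' . (string) openssl_error_string());
    }

    // Public certificate (PEM).
    if (file_put_contents($this->sCerPath, $certPem) === false) {
        throw new \RuntimeException("Unable to write certificate: {$this->sCerPath}");
    }
    // Key store (PFX) - it carries the private key, so its on-disk permissions matter.
    if (file_put_contents($this->sPfxPath, $pfx) === false) {
        throw new \RuntimeException("Unable to write PFX: {$this->sPfxPath}");
    }
}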
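/**
 * Generate a client certificate for a SIP account, signed by the enrollment CA.
 *
 * Creates an RSA key, a CSR whose subject is built from the enrollment settings
 * plus $sip_address / $email, signs it with the CA from $this->enrollment for
 * 3650 days and packs certificate + key into a PKCS#12 bundle protected by
 * $password. Intermediate results are also kept on $this->key, $this->csr,
 * $this->crt and the matching *_out properties.
 *
 * @param string $sip_address Used as the certificate commonName.
 * @param string $email       Used as the certificate emailAddress.
 * @param string $password    Passphrase for the PKCS#12 bundle (and passed to openssl_pkey_export, see note below).
 * @return array|false array('crt' => PEM cert, 'key' => PEM key, 'pk12' => PKCS#12 bytes, 'ca' => CA PEM),
 *                     or false when the enrollment settings are incomplete or any OpenSSL/file step fails.
 */
function generateCertificate($sip_address,$email,$password) {
    if (!$this->init) return false;

    if (!is_array($this->enrollment)) {
        print _("Error: missing enrollment settings");
        return false;
    }

    // Each CA setting must be present; these failures are reported silently.
    if (!$this->enrollment['ca_conf']) {
        return false;
    }
    if (!$this->enrollment['ca_crt']) {
        return false;
    }
    if (!$this->enrollment['ca_key']) {
        return false;
    }

    // NOTE(review): md5 signatures and 1024-bit RSA keys are rejected by current
    // TLS stacks; values left unchanged because the CA config and deployed clients
    // may depend on them - confirm and move to 'sha256' / 2048 bits when possible.
    // NOTE(review): 'encrypt_key' => false also governs openssl_pkey_export below,
    // so $password is ignored there and $this->key_out is written unencrypted -
    // confirm this is intended.
    $config = array(
        'config' => $this->enrollment['ca_conf'],
        'digest_alg' => 'md5',
        'private_key_bits' => 1024,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'encrypt_key' => false,
    );

    $dn = array(
        "countryName" => $this->enrollment['countryName'],
        "stateOrProvinceName" => $this->enrollment['stateOrProvinceName'],
        "localityName" => $this->enrollment['localityName'],
        "organizationName" => $this->enrollment['organizationName'],
        "organizationalUnitName" => $this->enrollment['organizationalUnitName'],
        "commonName" => $sip_address,
        "emailAddress" => $email
    );

    $this->key = openssl_pkey_new($config);
    if ($this->key === false) {
        return false;
    }
    $this->csr = openssl_csr_new($dn, $this->key);
    if ($this->csr === false) {
        return false;
    }
    if (openssl_csr_export($this->csr, $this->csr_out) !== true) {
        return false;
    }
    if (openssl_pkey_export($this->key, $this->key_out, $password, $config) !== true) {
        return false;
    }

    $ca = "file://" . $this->enrollment['ca_crt'];
    $this->crt = openssl_csr_sign($this->csr, $ca, $this->enrollment['ca_key'], 3650, $config);
    if ($this->crt === false) {
        // Surface the OpenSSL error queue on the page, as before.
        while (($e = openssl_error_string()) !== false) {
            echo $e . "\n";
            print "<br><br>";
        }
        return false;
    }

    // Previously unchecked: a failed export returned an array with empty members.
    if (openssl_x509_export($this->crt, $this->crt_out) !== true) {
        return false;
    }
    if (openssl_pkcs12_export($this->crt, $this->pk12_out, $this->key, $password) !== true) {
        return false;
    }

    $caPem = file_get_contents($this->enrollment['ca_crt']);
    if ($caPem === false) {
        return false;
    }

    return array(
        'crt' => $this->crt_out,
        'key' => $this->key_out,
        'pk12' => $this->pk12_out,
        'ca' => $caPem
    );
}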
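/**
 * Create a self-signed client certificate and return it as a PKCS#12 bundle.
 *
 * A key pair is generated from $this->config, a CSR with the given subject
 * fields is self-signed for $this->csr_days_valid days, the PEM certificate is
 * stored on $this->publickey and certificate + key are returned as PKCS#12.
 *
 * @param string $countryName
 * @param string $stateOrProvinceName
 * @param string $localityName
 * @param string $organizationName
 * @param string $organizationalUnitName
 * @param string $commonName
 * @param string $emailAddress
 * @return string PKCS#12 (PFX) bytes with an empty import password.
 * @throws \RuntimeException When any OpenSSL step fails.
 */
public function getPKCS12SelfSigned($countryName, $stateOrProvinceName, $localityName, $organizationName, $organizationalUnitName, $commonName, $emailAddress)
{
    // NOTE(review): HTTP_HOST is taken from the client's Host header and ends up
    // inside the issued certificate; confirm it is validated upstream or replace
    // it with a configured hostname.
    // NOTE(review): extendedKeyUsage / authorityInfoAccess are X.509 extensions,
    // not subject attributes; given in the DN array they are unlikely to become
    // extensions of the certificate - verify the issued certificate.
    $dn = array(
        "countryName" => $countryName,
        "stateOrProvinceName" => $stateOrProvinceName,
        "localityName" => $localityName,
        "organizationName" => $organizationName,
        "organizationalUnitName" => $organizationalUnitName,
        "commonName" => $commonName,
        "emailAddress" => $emailAddress,
        "extendedKeyUsage" => "clientAuth",
        "authorityInfoAccess" => "URI:http://" . getenv('HTTP_HOST') . "/"
    );

    $privkey = openssl_pkey_new($this->config);
    if ($privkey === false) {
        throw new \RuntimeException('Key generation failed: ' . (string) openssl_error_string());
    }

    $csr = openssl_csr_new($dn, $privkey, $this->config);
    if ($csr === false) {
        throw new \RuntimeException('CSR creation failed: ' . (string) openssl_error_string());
    }

    // Self signed: no CA certificate, the request is signed with its own key.
    $sscert = openssl_csr_sign($csr, null, $privkey, $this->csr_days_valid, $this->config);
    if ($sscert === false) {
        throw new \RuntimeException('Certificate signing failed: ' . (string) openssl_error_string());
    }

    if (openssl_x509_export($sscert, $this->publickey) !== true) {
        throw new \RuntimeException('Certificate export failed: ' . (string) openssl_error_string());
    }

    // openssl_pkcs12_export takes a non-nullable string passphrase (null is deprecated
    // on PHP 8.1+); '' keeps the previous unprotected bundle.
    // NOTE(review): with an empty password the private key is readable by anyone
    // holding the file - confirm the consumer relies on that.
    $pks12 = '';
    if (openssl_pkcs12_export($this->publickey, $pks12, $privkey, '') !== true) {
        throw new \RuntimeException('PKCS12 export failed: ' . (string) openssl_error_string());
    }

    return $pks12;
}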
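/**
 * Build a PKCS#12 bundle from a certificate and its (possibly encrypted) private key.
 *
 * @param mixed        $c Certificate accepted by openssl_pkcs12_export (PEM string, path or certificate object).
 * @param mixed        $k Private key (PEM string, path or key object).
 * @param string       $p Passphrase; used both to unlock $k and to protect the resulting bundle.
 * @param array        $a Options forwarded to openssl_pkcs12_export ('friendly_name', 'extracerts').
 * @param string|false $f When not false, presumably the path to write the bundle to instead of
 *                        returning it (inferred from the export_to_file branch - confirm against callers).
 * @param mixed        $d Unused; kept for signature compatibility.
 * @return string|bool The PKCS#12 bytes when $f is false, otherwise the openssl_pkcs12_export_to_file result.
 * @throws \RuntimeException When the private key cannot be read or the in-memory export fails.
 */
public function createpkcs12($c, $k, $p, $a = array('friendly_name' => '', 'extracerts' => ''), $f = false, $d = false)
{
    $key = openssl_pkey_get_private($k, $p);
    if ($key === false) {
        throw new \RuntimeException('Unable to read private key: ' . (string) openssl_error_string());
    }

    if ($f !== false) {
        // The original passed the undefined output variable as the filename,
        // so this branch could never write where the caller asked.
        return openssl_pkcs12_export_to_file($c, $f, $key, $p, $a);
    }

    $r = '';
    if (openssl_pkcs12_export($c, $r, $key, $p, $a) !== true) {
        throw new \RuntimeException('PKCS12 export failed: ' . (string) openssl_error_string());
    }

    return $r;
}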
// Encrypt / decrypt with a PFX (PKCS#12) certificate.

// Dumps $mixed only when explicitly asked; every call below leaves $is_dump at
// its default, so these calls are effectively silent.
function _var($mixed, $is_dump = false)
{
    if ($is_dump) {
        var_dump($mixed);
    }
}

$dn = array(
    "countryName" => "CN",
    "stateOrProvinceName" => "Beijing",
    "localityName" => "Beijing",
    "organizationName" => "Eyou",
    "organizationalUnitName" => "Develop team",
    "commonName" => "Li Bo",
    "emailAddress" => "*****@*****.**",
);

// NOTE(review): sha1 / 1024-bit RSA are demo-grade parameters. On PHP 7+ only a
// bool true enables 'encrypt_key' (an int 1 reads as false), so the passphrase
// given to openssl_pkey_export below may not actually encrypt the key - confirm.
$config = array(
    'config' => '/etc/pki/tls/openssl.cnf',
    'encrypt_key' => 1,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    "digest_alg" => "sha1",
    'x509_extensions' => 'v3_ca',
    'private_key_bits' => 1024,
    "encrypt_key_cipher" => OPENSSL_CIPHER_AES_256_CBC,
);

$privkey = openssl_pkey_new($config);
$csr = openssl_csr_new($dn, $privkey);
// Self-signed (no CA certificate), valid for one year.
$sscert = openssl_csr_sign($csr, null, $privkey, 365);

if (openssl_csr_export($csr, $csrout)) {
    _var($csrout);
}
if (openssl_x509_export($sscert, $cer_x509)) {
    _var($cer_x509);
}
if (openssl_pkey_export($privkey, $pkeyout, "mypassword", $config)) {
    _var($pkeyout);
}
// $config is handed over as the options array; openssl_pkcs12_export only documents
// 'extracerts' and 'friendly_name', so these keys appear to be ignored here.
if (openssl_pkcs12_export($cer_x509, $pkcs12, $privkey, 'mypassword', $config)) {
    _var(base64_encode($pkcs12));
}
if (openssl_pkcs12_read($pkcs12, $cert, 'mypassword')) {
    _var($cert);
}

// Round-trip a sample through the certificate's public key and the bundle's private key.
$cleartext = '1234 5678 9012 3456';
echo "\nClear txt: \n{$cleartext}\n";

$pub_key = $cert['cert'];
$priv_key = $cert['pkey'];

openssl_public_encrypt($cleartext, $crypttext, $pub_key);
echo "\nCrypt text:\n" . base64_encode($crypttext) . "\n";

openssl_private_decrypt($crypttext, $decrypted, $priv_key);
echo "\nDecrypted text:\n{$decrypted}\n\n";
// ********** Sign the certificate **********
// Self-signing (CA certificate null, the request's own key) also works, with either
// the CSR handle or its exported PEM ($csrout) as the first argument. For CA signing
// the CA's *private* key must be supplied - neither the CA's PKCS#12 bundle nor its
// public key is accepted here.
$cert = openssl_csr_sign($csr, $ca_certout, $ca_privout, 365);

// ********* Export the artefacts ***********
if (openssl_csr_export($csr, $csrout)) {
    var_dump('CSR', $csrout);
}
if (openssl_x509_export($cert, $certout)) {
    var_dump('Certificate', $certout);
}
if (openssl_pkey_export($priv, $pkeyout, $password, $config)) {
    var_dump('Private', $pkeyout);
}

// The private-key argument of openssl_pkcs12_export may be a key exported without a
// passphrase, or an OpenSSL key handle as here (the encrypted PEM is unlocked first).
$pkey = openssl_pkey_get_private($pkeyout, $password);
openssl_pkcs12_export($certout, $pfx, $pkey, $password);
if (openssl_pkcs12_read($pfx, $certs, $password)) {
    var_dump($certs);
}

$cleartext = '1234 5678 9012 3456';
echo "Clear txt: \n{$cleartext}\n";

// ************ Public / private key for the encryption round-trip ***************
// The PEM certificate (or the certificate handle, openssl_pkey_get_public of either,
// or the 'key' entry of openssl_pkey_get_details) all work as the public key;
// the CSR does not.
$pub_key = $certout;
// The private key must be an unlocked key handle; neither the encrypted PEM nor the
// PKCS#12 bundle is accepted directly.
$priv_key = openssl_pkey_get_private($pkeyout, $password);
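/**
 * Exports the data to be stored in a .p12 file (encrypted certificate and private key)
 *
 * @param X509 $X509 certificate object, PEM string or file path accepted by openssl_pkcs12_export
 * @param PrivateKey $PrivateKey or PEM
 * @param String $Password to encrypt the whole file; an empty string leaves the private key unprotected
 * @return String PKCS#12 (DER) bytes
 * @throws \RuntimeException when OpenSSL refuses the export (e.g. the key does not match the certificate)
 */
function PKCS12_Export($X509, $PrivateKey, $Password = "")
{
    $out = '';
    // The previous version returned '' on failure, which callers could not tell
    // apart from a (never valid) empty bundle.
    if (openssl_pkcs12_export($X509, $out, $PrivateKey, $Password) !== true) {
        throw new \RuntimeException('PKCS12 export failed: ' . (string) openssl_error_string());
    }
    return $out;
}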
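/**
 * Create a new client certificate for a username or client hostname.
 *
 * @param $commonName - The username or hostname
 * @param $emailAddress - The user's email address
 * @param $serial - The serial number. NOTE(review): overwritten below by the user-id
 *                  lookup and never used; confirm whether callers expect it to be honoured.
 * @param $cacert - Path to Certificate Authority cert file.
 * @param $cakey - Path to Certificate Authority key file.
 * @param $valid_days - validity in number of days for the user certificate
 * @return string|false - The client certificate and key as a PKCS#12 bundle (empty import
 *                        password) signed by the Certificate Authority, or false on error.
 */
function create_user_certificate($commonName, $emailAddress, $serial, $cacert, $cakey, $valid_days)
{
    $opensslConf = $GLOBALS['webserver_root'] . "/library/openssl.cnf";
    $config = array('config' => $opensslConf);

    /* Generate a certificate signing request */
    $arr = create_csr($commonName, $emailAddress, "", "", "", "", "");
    if ($arr === false) {
        return false;
    }
    $csr = $arr[0];
    $privkey = $arr[1];

    /* user id is used as serial number to sign a certificate */
    // NOTE(review): the username in this query is a fixed literal as written here
    // rather than a bound parameter; confirm the lookup is meant to key on $commonName.
    $serial = 0;
    $res = sqlStatement("select id from users where username='******'");
    if ($row = sqlFetchArray($res)) {
        $serial = $row['id'];
    }

    // Unreadable CA material used to reach openssl_csr_sign as `false` and fail
    // with an opaque OpenSSL error; bail out explicitly instead.
    $caCertPem = file_get_contents($cacert);
    $caKeyPem = file_get_contents($cakey);
    if ($caCertPem === false || $caKeyPem === false) {
        return false;
    }

    $cert = openssl_csr_sign($csr, $caCertPem, $caKeyPem, $valid_days, $config, $serial);
    if ($cert === false) {
        return false;
    }

    /* Convert the user certificate to .p12 (PKCS 12) format, which is the
     * standard format used by browsers. */
    // NOTE(review): the bundle is exported with an empty password, so the private
    // key inside it is unprotected at rest; confirm this is acceptable for the
    // path that delivers it.
    if (openssl_pkcs12_export($cert, $p12Out, $privkey, "") === false) {
        return false;
    }
    return $p12Out;
}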
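/**
 * Export the certificate, its private key and (when present) the chain as PKCS#12.
 *
 * @param string|null $password Passphrase protecting the bundle. An empty or absent
 *                              passphrase leaves the private key inside the bundle unprotected.
 * @return string PKCS#12 bytes
 * @throws RuntimeException when OpenSSL rejects the export (message from OpenSSL::getLastError())
 */
public function export($password = null)
{
    $options = [];
    if ($this->hasChain()) {
        $options['extracerts'] = $this->getChain();
    }

    // openssl_pkcs12_export takes a non-nullable string passphrase; null is deprecated
    // on PHP 8.1+ and a TypeError under strict_types, so normalise it first.
    $passphrase = $password === null ? '' : $password;

    $result = '';
    $status = openssl_pkcs12_export($this->getCertificate(), $result, $this->getPrivateKey(), $passphrase, $options);
    if (!$status) {
        throw new RuntimeException(OpenSSL::getLastError());
    }

    return $result;
}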
if (!is_writable($zippath)) { die("ERROR: temp directory read only {$zippath}"); } if (isset($_POST['element_1'])) { $p12k = ""; $cert = $_POST['element_1']; $key = $_POST['element_2']; $pass = $_POST['element_3']; if (FALSE == ($pkey = openssl_pkey_get_private($key))) { die('failed to open key\\n $key'); } if (FALSE == ($x509 = openssl_x509_read($cert))) { die('failed to open cert\\n $cert'); } $cert_info = print_r(openssl_x509_parse($x509), TRUE); if (FALSE == openssl_pkcs12_export($x509, $p12k, $pkey, $pass)) { while (($e = openssl_error_string()) !== false) { echo $e . "\n"; } die("\nfailed to make p12, probably you supplied cert from another key?\n {$cert_info}"); } $zip = new ZipArchive(); $filename = "{$zippath}/p12_" . time() . ".zip"; if ($zip->open($filename, ZIPARCHIVE::CREATE) !== TRUE) { die("cant open <{$filename}>\n"); } $zip->addFromString("certinfo.txt", "{$cert_info}\n"); $zip->addFromString("password.txt", "{$pass}\n"); $zip->addFromString("cert.pem", "{$cert}\n"); $zip->addFromString("key.pem", "{$key}\n"); $zip->addFromString("cert.p12", "{$p12k}\n");