protected function execute(InputInterface $input, OutputInterface $output) { $error = $output->getErrorOutput(); $path = $input->getArgument("path"); $includeRoot = $input->getOption("include-root"); if (!\file_exists($path)) { throw new \Exception("File {$path} doesn't exist"); } try { list($inform, $format) = \detectCertFormat($path); $cert = \parseFormattedCert(\readCertificate($path, $inform, $format)); } catch (\Exception $e) { $err = implode("\n", $e->output); throw new \Exception("Unable to load certificate: {$err}"); } // perform some basic checks if (\isExpired($cert)) { $error->writeln("Certificate has expired"); } if (\areCertsLinked($cert, $cert)) { throw new \Exception("Self-signed or CA cert"); } // this can fail with an exception $out = \buildChain($cert, $path, $includeRoot); $output->write($out); }
protected function execute(InputInterface $input, OutputInterface $output) { $error = $output->getErrorOutput(); $fmt = $this->getHelper("formatter"); $dir = new \RecursiveDirectoryIterator($input->getArgument("directory")); $iter = new \RecursiveIteratorIterator($dir); if ($input->getOption("expiry")) { $expiry = strtotime($input->getOption("expiry")); if ($expiry === false) { $expiry = time(); $error->writeln("Invalid expiry arg, defaulting to now"); } } else { $expiry = time(); } $certs = new \RegexIterator($iter, '/^.+\\.(crt|pem)/i', \RecursiveRegexIterator::MATCH); foreach ($certs as $path) { try { $expirationDate = ""; $inform = ""; $format = ""; list($inform, $format) = \detectCertFormat($path); $cert = \parseFormattedCert(\readCertificate($path, $inform, $format)); if (isExpired($cert, $expiry)) { $expirationDate = \date('Y-m-d H:i:s e', $cert["expires"]); $output->writeln("Certificate {$path} expires on {$expirationDate}"); } } catch (\Exception $e) { $msgs = ["Unable to load {$path}"]; if ($output->isVerbose()) { $msgs = array_merge($msgs, ["", "{$e->cmd} said:", ""], $e->output); } $block = $fmt->formatBlock($msgs, 'error', true); $error->writeln($block); } } }
function buildChain($cert, $certPath, $includeRoot = false) { if (isExpired($cert)) { throw new Exception("Certificate has expired"); } if (areCertsLinked($cert, $cert)) { throw new Exception("Self-signed or CA cert"); } $uris = $cert["issuers"]; if (!$uris) { throw new Exception("Certificate doesn't specify issuers"); } $c = $cert; $chain = []; while (sizeof($uris) > 0) { $old = $c; $uri = array_shift($uris); $path = downloadIssuer($uri); list($inform, $format) = detectCertFormat($path); $c = parseFormattedCert(readCertificate($path, $inform, $format)); if (isExpired($c)) { throw new Exception("Expired intermediate in the chain"); } if (areCertsLinked($c, $c)) { break; } if (!areCertsLinked($c, $old)) { $msg = "Intermediate doesn't match previous certificate in the chain"; throw new Exception($msg); } $chain[] = $path; if (isset($c["issuers"])) { foreach ($c["issuers"] as $i) { $uris[] = $i; // we don't currently have a good way of handling multiple // issuers break; } } } // we are at the end of the chain, see if there's matching root CA $cacheDir = __DIR__ . '/cache'; $adapter = new File($cacheDir); $adapter->setOption('ttl', 600); $cache = new Cache($adapter); if (!$cache->get(md5($path) . "-root")) { $root = findMatchingRoot($c); $chain[] = $root; $cache->set(md5($path) . "-root", $root); } else { $chain[] = $cache->get(md5($path) . "-root"); } // build certificate bundle foreach ($chain as $i => $path) { list($inform, $format) = detectCertFormat($path); $cmd = sprintf("openssl x509 -inform %s -outform pem -in %s -out %s", escapeshellarg($inform), escapeshellarg($path), escapeshellarg(__DIR__ . "/tmp/" . sha1($cert["subject"]) . "-{$i}.pem")); exec($cmd); } unlink(__DIR__ . "/tmp/bundle.crt"); foreach ($chain as $i => $path) { file_put_contents(__DIR__ . "/tmp/bundle.crt", file_get_contents(__DIR__ . "/tmp/" . sha1($cert["subject"]) . "-{$i}.pem"), FILE_APPEND); } // verify the chain is valid $cmd = sprintf("openssl verify -verbose -purpose sslserver -CAfile %s/tmp/bundle.crt %s", __DIR__, escapeshellarg($certPath)); try { execute($cmd); } catch (Exception $e) { $err = implode("\n", $e->output); throw new Exception("Can't verify the bundle: {$err}"); } // extract the original cert (it might contain some, or all, parts of the // chain already) $cmd = sprintf("openssl x509 -inform pem -outform pem -in %s", $certPath); $out = implode("\n", execute($cmd)); $out .= "\n"; if (!$includeRoot) { array_pop($chain); } foreach ($chain as $i => $path) { $out .= file_get_contents(__DIR__ . "/tmp/" . sha1($cert["subject"]) . "-{$i}.pem"); unlink(__DIR__ . "/tmp/" . sha1($cert["subject"]) . "-{$i}.pem"); } return $out; }