Exemplo n.º 1
0
 /**
  * @param array $caKeyPair
  * @param string $caCert
  *   PEM-encoded cert.
  * @param string $csr
  *   PEM-encoded CSR.
  * @param int $serialNumber
  * @return string
  *   PEM-encoded cert.
  */
 public static function signCSR($caKeyPair, $caCert, $csr, $serialNumber = 1)
 {
     $privKey = new \Crypt_RSA();
     $privKey->loadKey($caKeyPair['privatekey']);
     $subject = new \File_X509();
     $subject->loadCSR($csr);
     $issuer = new \File_X509();
     $issuer->loadX509($caCert);
     $issuer->setPrivateKey($privKey);
     $x509 = new \File_X509();
     $x509->setSerialNumber($serialNumber, 10);
     $x509->setEndDate(date('c', strtotime(Constants::APP_DURATION, Time::getTime())));
     $result = $x509->sign($issuer, $subject, Constants::CERT_SIGNATURE_ALGORITHM);
     return $x509->saveX509($result);
 }
Exemplo n.º 2
0
// Load the certificate public key.
$pubkey = new Crypt_RSA();
$pubkey->loadKey(file_get_contents('certs/pubkey.pem'));
$pubkey->setPublicKey();
// Build the new certificate.
$iPhoneDeviceCA = new File_X509();
$iPhoneDeviceCA->loadCA($pemca);
$iPhoneDeviceCA->setPublicKey($pubkey);
$iPhoneDeviceCA->setDN('C=US, ST=Some-State, L=Cupertino, O=Apple Inc., OU=Apple iPhone, CN=Apple iPhone Device CA');
$iPhoneDeviceCA->setStartDate('-1 day');
$iPhoneDeviceCA->setEndDate('+ 1 year');
$iPhoneDeviceCA->setSerialNumber('10134611745959375605', 10);
// Sign new certificate.
$iPhoneDeviceCA_Result = $iPhoneDeviceCA->sign($ca, $iPhoneDeviceCA);
// Output it.
echo $iPhoneDeviceCA->saveX509($iPhoneDeviceCA_Result) . "\n";
// subject=/C=US/O=Apple Inc./OU=Apple iPhone/CN=Apple iPhone Device CA
// issuer=/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple iPhone
// Certification Authority
// Build the new certificate.
$iPhoneActivation = new File_X509();
$iPhoneActivation->loadCA($pemca);
$iPhoneActivation->setPublicKey($pubkey);
$iPhoneActivation->setDN('C=US, ST=Some-State, L=Cupertino, O=Apple Inc., OU=Apple iPhone, CN=Apple iPhone Activation');
$iPhoneActivation->setStartDate('-1 day');
$iPhoneActivation->setEndDate('+ 1 year');
$iPhoneActivation->setSerialNumber('2', 10);
// Sign new certificate.
$iPhoneActivation_Result = $iPhoneActivation->sign($ca, $iPhoneActivation);
// Output it.
echo $iPhoneActivation->saveX509($iPhoneActivation_Result) . "\n";
Exemplo n.º 3
0
 /**
  * In this case, we have an app whose $appCertPem appears valid, and we have CRL
  * whose $crlDistCertPem is signed, but the $crlDistCertPem has usage rules
  * which do not allow signing CRLs.
  */
 public function testCRL_SignedByNonDist()
 {
     // create CA
     $caKeyPairPems = KeyPair::create();
     $caCertPem = CA::create($caKeyPairPems, '/O=test');
     $this->assertNotEmpty($caCertPem);
     // create would-be CRL dist authority -- but not really authorized for signing CRLs.
     // note createCSR() instead of createCrlDistCSR().
     $crlDistKeyPairPems = KeyPair::create();
     $crlDistCertPem = CA::signCSR($caKeyPairPems, $caCertPem, CA::createAppCSR($crlDistKeyPairPems, '/O=test'));
     $this->assertNotEmpty($crlDistCertPem);
     $certValidator = new DefaultCertificateValidator($caCertPem, NULL, NULL);
     $certValidator->validateCert($crlDistCertPem);
     // create CRL
     $crlDistCertObj = X509Util::loadCert($crlDistCertPem, $crlDistKeyPairPems, $caCertPem);
     $this->assertNotEmpty($crlDistCertObj);
     $crlObj = new \File_X509();
     $crlObj->setSerialNumber(1, 10);
     $crlObj->setEndDate('+2 days');
     $crlPem = $crlObj->saveCRL($crlObj->signCRL($crlDistCertObj, $crlObj));
     $this->assertNotEmpty($crlPem);
     $crlObj->loadCRL($crlPem);
     // create cert
     $appKeyPair = KeyPair::create();
     $appCertPem = CA::signCSR($caKeyPairPems, $caCertPem, CA::createAppCSR($appKeyPair, '/O=Application Provider'), 4321);
     // validate cert - fails due to improper CRL
     try {
         $certValidator = new DefaultCertificateValidator($caCertPem, $crlDistCertPem, $crlPem);
         $certValidator->validateCert($appCertPem);
         $this->fail('Expected InvalidCertException, but no exception was reported.');
     } catch (InvalidCertException $e) {
         $this->assertRegExp('/CRL-signing certificate is not a CRL-signing certificate/', $e->getMessage());
     }
 }
   // Load the certificate public key.
   $pubkey = new Crypt_RSA();
   $pubkey->loadKey($pkeyxq);
   $pubkey->setPublicKey();
   $x509 = new File_X509();
   $csr = $x509->loadCSR($deviceCertRequest);
   // see csr.csr
   $dn = $x509->getDN(true);
   // Build the new certificate.
   $iPhoneDeviceCA = new File_X509();
   $iPhoneDeviceCA->loadCA($pemca);
   $iPhoneDeviceCA->setPublicKey($pubkey);
   $iPhoneDeviceCA->setDN($dn);
   $iPhoneDeviceCA->setStartDate('-1 day');
   $iPhoneDeviceCA->setEndDate('+ 1 year');
   $iPhoneDeviceCA->setSerialNumber('10134611745959375605', 10);
   // Sign new certificate.
   $iPhoneDeviceCA_Result = $iPhoneDeviceCA->sign($ca, $iPhoneDeviceCA);
   // Output it.
   $deviceCertificate = base64_encode($iPhoneDeviceCA->saveX509($iPhoneDeviceCA_Result) . "<br>");
   $responseAlbert = '<!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="keywords" content="iTunes Store" /><meta name="description" content="iTunes Store" /><title>iPhone Activation</title><link href="http://static.ips.apple.com/ipa_itunes/stylesheets/shared/common-min.css" charset="utf-8" rel="stylesheet" /><link href="http://static.ips.apple.com/deviceservices/stylesheets/styles.css" charset="utf-8" rel="stylesheet" /><link href="http://static.ips.apple.com/ipa_itunes/stylesheets/pages/IPAJingleEndPointErrorPage-min.css" charset="utf-8" rel="stylesheet" /><script id="protocol" type="text/x-apple-plist"><plist version="1.0">
 <dict>
   <key>iphone-activation</key>
   <dict>
     <key>activation-record</key>
     <dict>
       <key>FairPlayKeyData</key>
   <data>LS0tLS1CRUdJTiBDT05UQUlORVItLS0tLQpBQUVBQWF4dGtJQkpNNDhYMFNmY2FQOWMwU2xYY3FqandUMCtXMzlrbXp0bXMrc2xmVDltbE9lS2VwUjVTNnhFClpKYU4xbFViMXpqc3hhOVc0TUhYeEsybzF5bnhRM2V0b3l5bXc0OFVmUlJyNzJON2xNU3BRT3BNeDJoUXZTclMKUW9Db0psVWtOSzBRM2s4M1BKVXBlaFFuenBSeGgxUHhOUmI5eXB5K2RUVHh6L0RVTmt0R3BFekkxa245d2pXaQpTMzRURjloTDc5L3BGUmtHcnB5KzFLdGI5T2MyK2d5QzZoc1RFSEVqcTRNM3k4dGZWNUJ2Z1pDWFM3Y2J4VVhiClpoSjJkenUzYWpraWZ1UHR6azVtT3hzUjhIYitQdklDT0dvQWJZNC95SkFJRHBEdWNwNHExQVJ1bVlDeFhFd1gKQ0JVOHRpMGNLMDlyUUUzdmtLbG9oZDVJOGlMTHVkcmFSQzI0TUtycTJMVjB4K3RMWkppb2NNb3hwNk9XdW5DeQpNN2xzT2NIY2Zicjl0SVA2ZlpWUW1qcXFScC9ibm91eEE0b2RHUzNla0RjQ05LbnVhamY3dUZ6eHNRSjhjZG4zCkR0MjE5SWhXbGZ6RnFHZDlqU29KRHNJMVM3bEJVRXEvRGUxeXVGMkNYbjk4djZLTzJpeW4wOGtkaW5PN0k2Zk0KNWVCNWxISCtiL21NQStycUVEWGVaQnRRdHpNczZ2cFB2Z2IwWWZzYnd0cHB1bGRhUnI0NERPbm5qMVFBQnRmRQpBWHhaVjhoS0NIZmRKMFdVbmY3K3VXRDVVYWNMcmNWdWpwU2cyb256UURKWDFoNVNmVUNMUWNpbFZMUzBaR3pCCm5maWNkSDlYMU5NK1FHQzU0K3lzVE0rVzh6QUJFQlhSNEhOdGFKQjJ0SkVUclExOWQ2SS9rSG02WVAzSm9vZWIKQk1kT09MNDg2NlZlR21nVjVTM3hXT2srY21SNGtobFp3MVFpSVhkSjBxT3U4MHpaSFEvUGpJdk83SHUrNWl5RApIK2JqYlBLWFUrR1Z5bDNEWDB5MHoyVmJjUUx2bzZjTDdCVmQ5OVFXNUVCdDBvTUsrMmIyZjdoNGsxWVlYYzA5ClZ1clJ2SnJnRm5teVh5MUs0bHlUakJDaTVRUzdOakFlT0QyTWo1bVRKNVlBNGxHYytPREREcnQ3YmkrR1B5L3QKWkpZdjE1Zk5EL25acnh5c09zNWhaVjZablRIQ0hxZUxkcGthMFFrUXdSS0YrNis4NCtSeHVIL3NLeXY0SFRkUQpZcnllUGxpSnZheUMwekwxTjJrNjNETTdweXNTT2t0d2FWNEs1dkV4VHY3N3kzL1ptVHRtZi9Ic2tWTTVMbDlaClBIWm5ieFVzYXFQeExzWjRFeEQ0SkJOSXh3d1BxWGhTYUZURFZzTFc0Rld5VUJLOGZSbTFNRGZSUnJaMkdCQ3IKeERqUGNVRjVBWkRENlhhQXZGS0VKSW5lc0JvR0JUY3phYVNQL3pxNFBZM3UxVEFMN1hFZTRqY3plR3pCSGRlTAp2aVIxditRMm9aYzcwUDFHaTJoL0xLUEVGQVM3VElvZU5HWjhkcXFmSDBLZHdJK3FTcFJOUkQvc0c0cFNmNXJQCnpwZytFcFgvdXZDWW5Zb2pLNnFzR0JFWWk3cFRrbkhtLzRkUmY4MmlrODc4c3lVaFR0UlFBMGV5OC9iN0szamIKUldWYUgxRDFRWFozV2VEc1RnbTMwbjVGeE5hZnFTZnE0NmpHam9mSWZjVFpFMEhvS2ppYkFVemtKVUxWYzJDUwpycW80MkR6ZUp3am1jRDEyV2x1bkIwL0pTd01aSkFQalExYkpTL094c2JEQzVFNTZjaC84YVdLd2xnN2hyNlhwCmNsd2RWb2FTcVRXcmt4NFVOdkVYek1WeFhRZUNrNHQ3WjZHOVRBZUt5V05YcGFReXJ0K05Xb0RCZVNLVkFQM1YKMWdHRThoNkxLMGxIRVppYVRVSGRXOVo0ZGUvWVNkUGZkOFcvL2dnbEhSNkVoWFJmCi0tLS0tRU5EIENPTlRBSU5FUi0tLS0tCg==</data>
       <key>AccountTokenCertificate</key>
       <data>' . $accountTokenCertificate . '</data>
       <key>DeviceCertificate</key>
 protected function execute(InputInterface $input, OutputInterface $output)
 {
     $helper = $this->getHelper('question');
     // ask fields
     $options = ['countryName' => 'CN', 'stateOrProvinceName' => 'Shanghai', 'localityName' => 'Shanghai'];
     if (!$input->getOption('default')) {
         foreach ($options as $ask => $default) {
             $q = new Question($ask . '[' . $default . ']: ', $default);
             $options[$ask] = $helper->ask($input, $output, $q);
         }
     }
     $output->writeln('Generating CA private key...');
     $CAPrivKey = new \Crypt_RSA();
     $key = $CAPrivKey->createKey(2048);
     file_put_contents(Application::$CONFIG_DIRECTORY . '/cert-ca.key', $key['privatekey']);
     $output->writeln('Generating self-signed CA certificate...');
     $CAPrivKey->loadKey($key['privatekey']);
     $pubKey = new \Crypt_RSA();
     $pubKey->loadKey($key['publickey']);
     $pubKey->setPublicKey();
     $subject = new \File_X509();
     $subject->setDNProp('id-at-organizationName', 'OpenVJ Certificate Authority');
     foreach ($options as $prop => $val) {
         $subject->setDNProp('id-at-' . $prop, $val);
     }
     $subject->setPublicKey($pubKey);
     $issuer = new \File_X509();
     $issuer->setPrivateKey($CAPrivKey);
     $issuer->setDN($CASubject = $subject->getDN());
     $x509 = new \File_X509();
     $x509->setStartDate('-1 month');
     $x509->setEndDate('+3 year');
     $x509->setSerialNumber(chr(1));
     $x509->makeCA();
     $result = $x509->sign($issuer, $subject, 'sha256WithRSAEncryption');
     file_put_contents(Application::$CONFIG_DIRECTORY . '/cert-ca.crt', $x509->saveX509($result));
     $output->writeln('Generating background service SSL private key...');
     $privKey = new \Crypt_RSA();
     $key = $privKey->createKey(2048);
     file_put_contents(Application::$CONFIG_DIRECTORY . '/cert-bg-server.key', $key['privatekey']);
     $privKey->loadKey($key['privatekey']);
     $output->writeln('Generating background service SSL certificate...');
     $pubKey = new \Crypt_RSA();
     $pubKey->loadKey($key['publickey']);
     $pubKey->setPublicKey();
     $subject = new \File_X509();
     $subject->setPublicKey($pubKey);
     $subject->setDNProp('id-at-organizationName', 'OpenVJ Background Service Certificate');
     foreach ($options as $prop => $val) {
         $subject->setDNProp('id-at-' . $prop, $val);
     }
     $subject->setDomain('127.0.0.1');
     $issuer = new \File_X509();
     $issuer->setPrivateKey($CAPrivKey);
     $issuer->setDN($CASubject);
     $x509 = new \File_X509();
     $x509->setStartDate('-1 month');
     $x509->setEndDate('+3 year');
     $x509->setSerialNumber(chr(1));
     $result = $x509->sign($issuer, $subject, 'sha256WithRSAEncryption');
     file_put_contents(Application::$CONFIG_DIRECTORY . '/cert-bg-server.crt', $x509->saveX509($result));
     $output->writeln('Generating background service client private key...');
     $privKey = new \Crypt_RSA();
     $key = $privKey->createKey(2048);
     file_put_contents(Application::$CONFIG_DIRECTORY . '/cert-bg-client.key', $key['privatekey']);
     $privKey->loadKey($key['privatekey']);
     $output->writeln('Generating background service client certificate...');
     $pubKey = new \Crypt_RSA();
     $pubKey->loadKey($key['publickey']);
     $pubKey->setPublicKey();
     $subject = new \File_X509();
     $subject->setPublicKey($pubKey);
     $subject->setDNProp('id-at-organizationName', 'OpenVJ Background Service Client Certificate');
     foreach ($options as $prop => $val) {
         $subject->setDNProp('id-at-' . $prop, $val);
     }
     $issuer = new \File_X509();
     $issuer->setPrivateKey($CAPrivKey);
     $issuer->setDN($CASubject);
     $x509 = new \File_X509();
     $x509->setStartDate('-1 month');
     $x509->setEndDate('+3 year');
     $x509->setSerialNumber(chr(1));
     $x509->loadX509($x509->saveX509($x509->sign($issuer, $subject, 'sha256WithRSAEncryption')));
     $x509->setExtension('id-ce-keyUsage', array('digitalSignature', 'keyEncipherment', 'dataEncipherment'));
     $x509->setExtension('id-ce-extKeyUsage', array('id-kp-serverAuth', 'id-kp-clientAuth'));
     $result = $x509->sign($issuer, $x509, 'sha256WithRSAEncryption');
     file_put_contents(Application::$CONFIG_DIRECTORY . '/cert-bg-client.crt', $x509->saveX509($result));
 }
Exemplo n.º 6
0
$DeviceCertRequest_PublicKey->loadKey(file_get_contents($DeviceCertRequest_PublicFile));
$DeviceCertRequest_PublicKey->setPublicKey();
// Load CSR And get DN.
$DeviceCertRequest_CR = new File_X509();
$DeviceCertRequest_CR->loadCSR($DeviceCertRequest);
$doulCi_DN = $DeviceCertRequest_CR->getDNProp('id-at-commonName');
// Build the new Device Certificate.
$iPhoneDeviceCA = new File_X509();
// $iPhoneDeviceCA->loadCA ( $iPhoneDeviceCA );
$iPhoneDeviceCA->setPublicKey($DeviceCertRequest_PublicKey);
$iPhoneDeviceCA->setDN($DeviceCertRequest_CR->getDN(true));
$iPhoneDeviceCA->removeDNProp('id-at-commonName');
$iPhoneDeviceCA->setDN(array('rdnSequence' => array(array(array('type' => 'id-at-commonName', 'value' => array('ia5String' => $doulCi_DN))))));
$iPhoneDeviceCA->setStartDate('-1 day');
$iPhoneDeviceCA->setEndDate('+ 3 year');
$iPhoneDeviceCA->setSerialNumber('1184677871349854983709', 10);
// Sign Device Certificate.
$DeviceCertificate = $iPhoneDeviceCA->sign($CA_Certificate, $DeviceCertRequest_CR);
// $iPhoneDeviceCA = new File_X509 ();
$iPhoneDeviceCA->loadX509($DeviceCertificate);
// $iPhoneDeviceCA->setPrivateKey ( $CA_Key );
// This can be helpful.
$iPhoneDeviceCA->setExtension('id-ce-authorityKeyIdentifier', $CA_Certificate->setKeyIdentifier(base64_decode('sv4hI0SGlWp51YEmjnMQ2KdMjnQ=')), false);
$iPhoneDeviceCA->setExtension('id-ce-subjectKeyIdentifier', 'kL6MeKDP9yzwKSmh9J0D1hczCbU=', false);
// Set Certificate Usage Settings.
$iPhoneDeviceCA->setExtension('id-ce-basicConstraints', array('cA' => false), true);
$iPhoneDeviceCA->setExtension('id-ce-keyUsage', array('digitalSignature', 'keyEncipherment'), true);
$iPhoneDeviceCA->setExtension('id-ce-extKeyUsage', array('id-kp-serverAuth', 'id-kp-clientAuth'), true);
// Need's a patsh for phpseclib check the following string on phpseclib.
// Apple OID's doulCi Patch
$iPhoneDeviceCA->setExtension('id-iOS-Production', NULL, false);