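/**
 * Encrypt a PIN block for the UnionPay interface with the SDK's public
 * encryption certificate.
 *
 * The certificate path is always taken from SDK_ENCRYPT_CERT_PATH; the
 * $sPubKeyURL argument is accepted for backward compatibility but overridden,
 * exactly as the original implementation did.
 *
 * @param string $sPin       PIN in clear text
 * @param string $sCardNo    card number used to derive the PIN block
 * @param string $sPubKeyURL ignored (see above)
 * @return string|int base64 of the RSA ciphertext on success; -1 when the
 *                    certificate cannot be read or encryption fails; 1 when
 *                    Pin2PinBlockWithCardNO() reports an error
 */
function EncryptedPin($sPin, $sCardNo, $sPubKeyURL)
{
    $sPubKeyURL = trim(SDK_ENCRYPT_CERT_PATH, " ");
    // Read the whole PEM file: the previous fread(..., 8192) silently truncated
    // larger certificates, and $sCrt was left undefined when fopen() failed.
    $sCrt = is_readable($sPubKeyURL) ? file_get_contents($sPubKeyURL) : false;
    if ($sCrt === false || $sCrt === '') {
        print "openssl_x509_read in false!";
        return -1;
    }
    $sPubCrt = openssl_x509_read($sCrt);
    if ($sPubCrt === FALSE) {
        print "openssl_x509_read in false!";
        return -1;
    }
    $sInput = Pin2PinBlockWithCardNO($sPin, $sCardNo);
    if ($sInput == 1) {
        print "Pin2PinBlockWithCardNO Error ! : " . $sInput;
        return 1;
    }
    // PKCS#1 v1.5 padding is what this counterpart interface expects; the PEM
    // string is accepted directly as the public key.
    $iRet = openssl_public_encrypt($sInput, $sOutData, $sCrt, OPENSSL_PKCS1_PADDING);
    if ($iRet === TRUE) {
        return base64_encode($sOutData);
    }
    print "openssl_public_encrypt Error !";
    return -1;
}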
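 /**
  * Open a TLS connection to $this->target:$this->target_port and record the
  * peer certificate's signature algorithm, subject CN, subjectAltName string,
  * issuer O and validity window on $this, then hand the SANs to
  * parse_alternative_names().
  *
  * The return contract is kept as it was: true when no usable certificate was
  * obtained, null after a successful capture. The stream context does not
  * change verify_peer, so hosts whose chain fails verification also end up on
  * the "true" path.
  *
  * @return bool|null
  */
 public function make_request()
 {
     $ctx = stream_context_create(array("ssl" => array("capture_peer_cert" => true)));
     // The handler only mutes the E_WARNING stream_socket_client() emits on a
     // failed connect; the outcome is still visible through the false return.
     set_error_handler(static function () {
         return true;
     });
     $sock = stream_socket_client("ssl://{$this->target}:{$this->target_port}", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $ctx);
     restore_error_handler();
     if (!$sock) {
         return true;
     }
     $params = stream_context_get_params($sock);
     $peer = $params['options']['ssl']['peer_certificate'] ?? null;
     $cert = $peer !== null ? openssl_x509_read($peer) : false;
     $cert_data = $cert !== false ? openssl_x509_parse($cert) : false;
     if (!is_array($cert_data)) {
         // Connected, but nothing parseable was captured: report it like a
         // failed connection instead of filling the fields with warnings.
         return true;
     }
     // With $no_text = false the export also carries the `openssl x509 -text`
     // dump, which is where the "Signature Algorithm:" line comes from.
     $out = '';
     openssl_x509_export($cert, $out, FALSE);
     $signature_algorithm = null;
     if (preg_match('/^\\s+Signature Algorithm:\\s*(.*)\\s*$/m', $out, $match)) {
         $signature_algorithm = $match[1];
     }
     $this->sha_type = $signature_algorithm;
     // Optional DN/extension fields no longer raise "undefined index" warnings.
     $this->common_name = $cert_data['subject']['CN'] ?? null;
     $this->alternative_names = $cert_data['extensions']['subjectAltName'] ?? null;
     $this->issuer = $cert_data['issuer']['O'] ?? null;
     $this->valid_from = date('m-d-Y H:i:s', (int) $cert_data['validFrom_time_t']);
     $this->valid_to = date('m-d-Y H:i:s', (int) $cert_data['validTo_time_t']);
     $this->parse_alternative_names();
 }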
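/**
 * Extract the WebID claim from the TLS client certificate the web server
 * exposed in $_SERVER['SSL_CLIENT_CERT'].
 *
 * @return array 'uri' holds every subjectAltName "URI:" entry (possibly
 *               empty); 'm' is the RSA modulus as lowercase hex and 'e' the
 *               public exponent as an int, both present only when the
 *               certificate carries an RSA key
 */
function webid_claim()
{
    $r = array('uri' => array());
    $pem = $_SERVER['SSL_CLIENT_CERT'] ?? '';
    if (!$pem) {
        return $r;
    }
    $x509 = openssl_x509_read($pem);
    if ($x509 === false) {
        // Not a parseable certificate: return the empty claim rather than
        // passing false on to the key functions (a TypeError on PHP 8).
        return $r;
    }
    $pubKey = openssl_pkey_get_public($x509);
    $keyData = $pubKey !== false ? openssl_pkey_get_details($pubKey) : false;
    if (is_array($keyData) && isset($keyData['rsa'])) {
        // unpack('H*') returns a 1-based array; index it directly instead of
        // calling array_pop()/array_shift() on a temporary, which only take
        // variables by reference.
        if (isset($keyData['rsa']['n'])) {
            $n = unpack("H*", $keyData['rsa']['n']);
            $r['m'] = strtolower($n[1]);
        }
        if (isset($keyData['rsa']['e'])) {
            $e = unpack("H*", $keyData['rsa']['e']);
            $r['e'] = hexdec($e[1]);
        }
    }
    $d = openssl_x509_parse($x509);
    if (is_array($d) && isset($d['extensions']['subjectAltName'])) {
        foreach (explode(', ', $d['extensions']['subjectAltName']) as $elt) {
            if (substr($elt, 0, 4) === 'URI:') {
                $r['uri'][] = substr($elt, 4);
            }
        }
    }
    return $r;
}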
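 /**
  * Return the serial number of the X.509 certificate stored at $certPath.
  *
  * @param string $certPath path to a PEM-encoded certificate file
  * @return string|null decimal serial number as reported by openssl_x509_parse(),
  *                     or null when the file cannot be read or parsed
  */
 protected static function getCertIdByCerPath($certPath)
 {
     $x509data = is_readable($certPath) ? file_get_contents($certPath) : false;
     if ($x509data === false) {
         return null;
     }
     // Parse the certificate handle instead of discarding openssl_x509_read()'s
     // result and re-parsing the raw string.
     $cert = openssl_x509_read($x509data);
     $certData = $cert !== false ? openssl_x509_parse($cert) : false;
     if (!is_array($certData) || !isset($certData['serialNumber'])) {
         return null;
     }
     return $certData['serialNumber'];
 }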
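 /**
  * 证书Id验证密码方法 — encrypt a PIN block with the UnionPay encryption certificate.
  *
  * @param string $sPin    PIN in clear text
  * @param string $sCardNo card number used to derive the PIN block
  * @param array $options 参数数组; 'encrypt_cert_path' is the PEM certificate file
  * @return array 'code' and, on failure, 'message': 1 when the certificate file
  *               cannot be opened, 2 when it does not parse, 3 when the PIN block
  *               or the encryption fails. On success 'data' holds the base64
  *               ciphertext. NOTE(review): 'code' is left at its initial 1 on
  *               success, the same value as the open-failure case, so callers
  *               apparently have to test for 'data' — confirm before relying on it.
  */
 function encryptedPin($sPin, $sCardNo, $options)
 {
     $resArr = ['code' => 1];
     $certPath = $options['encrypt_cert_path'] ?? '';
     // Read the whole file: fread(..., 8192) truncated larger certificates.
     $sCrt = ($certPath !== '' && is_readable($certPath)) ? file_get_contents($certPath) : false;
     if ($sCrt === false) {
         $resArr['code'] = 1;
         $resArr['message'] = '打开密码加密证书失败';
         return $resArr;
     }
     $sPubCrt = openssl_x509_read($sCrt);
     if ($sPubCrt === false) {
         $resArr['code'] = 2;
         $resArr['message'] = '读取密码加密证书数据失败';
         return $resArr;
     }
     $pinBlock = new UnionPayPinBlock();
     $sInput = $pinBlock->Pin2PinBlockWithCardNO($sPin, $sCardNo);
     if ($sInput['code'] > 0) {
         $resArr['code'] = 3;
         $resArr['message'] = $sInput['message'];
         return $resArr;
     }
     // PKCS#1 v1.5 padding is what this counterpart interface expects.
     $iRet = openssl_public_encrypt($sInput['data'], $sOutData, $sCrt, OPENSSL_PKCS1_PADDING);
     if ($iRet === true) {
         $resArr['data'] = base64_encode($sOutData);
     } else {
         $resArr['code'] = 3;
         $resArr['message'] = '加密失败';
     }
     return $resArr;
 }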
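/**
 * Encrypt a PIN block for the UnionPay interface with the SDK's public
 * encryption certificate.
 *
 * The certificate path is always taken from SDK_ENCRYPT_CERT_PATH; the
 * $sPubKeyURL argument is accepted for backward compatibility but overridden,
 * exactly as the original implementation did.
 *
 * @param string $sPin       PIN in clear text
 * @param string $sCardNo    card number used to derive the PIN block
 * @param string $sPubKeyURL ignored (see above)
 * @return string|int base64 of the RSA ciphertext on success; -1 when the
 *                    certificate cannot be read or encryption fails; 1 when
 *                    Pin2PinBlockWithCardNO() reports an error
 */
function EncryptedPin($sPin, $sCardNo, $sPubKeyURL)
{
    $sPubKeyURL = trim(SDK_ENCRYPT_CERT_PATH, " ");
    // Read the whole PEM file: the previous fread(..., 8192) silently truncated
    // larger certificates, and $sCrt was left undefined when fopen() failed.
    $sCrt = is_readable($sPubKeyURL) ? file_get_contents($sPubKeyURL) : false;
    if ($sCrt === false || $sCrt === '') {
        print "openssl_x509_read in false!";
        return -1;
    }
    $sPubCrt = openssl_x509_read($sCrt);
    if ($sPubCrt === FALSE) {
        print "openssl_x509_read in false!";
        return -1;
    }
    $sInput = Pin2PinBlockWithCardNO($sPin, $sCardNo);
    if ($sInput == 1) {
        print "Pin2PinBlockWithCardNO Error ! : " . $sInput;
        return 1;
    }
    // PKCS#1 v1.5 padding is what this counterpart interface expects; the PEM
    // string is accepted directly as the public key.
    $iRet = openssl_public_encrypt($sInput, $sOutData, $sCrt, OPENSSL_PKCS1_PADDING);
    if ($iRet === TRUE) {
        return base64_encode($sOutData);
    }
    print "openssl_public_encrypt Error !";
    return -1;
}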
 /**
  * Return the DER bytes of the given certificate, optionally hashed.
  *
  * @param string      $certificate PEM certificate (anything openssl_x509_read() accepts)
  * @param string|null $hash        hash() algorithm name; null returns the raw DER bytes
  * @return string|null DER bytes or their digest, null when the certificate
  *                     cannot be read or re-exported
  */
 public static function get_fingerprint($certificate, $hash = null)
 {
     // openssl_x509_read() emits a warning on unparseable input; it is muted
     // because a null return is this method's failure signal.
     // @codingStandardsIgnoreStart
     $resource = @openssl_x509_read($certificate);
     // @codingStandardsIgnoreEnd
     if ($resource === false) {
         return null;
     }
     $pem = null;
     if (openssl_x509_export($resource, $pem) === false) {
         return null;
     }
     // Strip the PEM armour and decode what is left: the DER encoding.
     $der = base64_decode(str_replace(array(self::CERTIFICATE_BEGIN, self::CERTIFICATE_END), '', $pem));
     return $hash === null ? $der : hash($hash, $der);
 }
 /**
  * Build the bindings module under test on top of a mocked proxy server whose
  * session log and signing key pair (the test.pem.* fixtures) are stubbed.
  */
 public function setup()
 {
     $proxyServer = Phake::mock('EngineBlock_Corto_ProxyServer');
     $log = Phake::mock('Psr\\Log\\LoggerInterface');
     Phake::when($proxyServer)->getSessionLog()->thenReturn($log);
     $certificate = new EngineBlock_X509_Certificate(
         openssl_x509_read(file_get_contents(__DIR__ . '/test.pem.crt'))
     );
     $privateKey = new EngineBlock_X509_PrivateKey(__DIR__ . '/test.pem.key');
     Phake::when($proxyServer)->getSigningCertificates()->thenReturn(new EngineBlock_X509_KeyPair($certificate, $privateKey));
     $this->bindings = new EngineBlock_Corto_Module_Bindings($proxyServer);
 }
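/**
 * Return the serial number of the X.509 certificate stored at $cert_path.
 *
 * @param string $cert_path path to a PEM-encoded certificate file
 * @return string|null decimal serial number as reported by openssl_x509_parse(),
 *                     or null when the file cannot be read or parsed
 */
function getCertIdByCerPath($cert_path)
{
    $x509data = is_readable($cert_path) ? file_get_contents($cert_path) : false;
    if ($x509data === false) {
        return null;
    }
    // Parse the certificate handle instead of discarding openssl_x509_read()'s
    // result and re-parsing the raw string.
    $cert = openssl_x509_read($x509data);
    $certdata = $cert !== false ? openssl_x509_parse($cert) : false;
    if (!is_array($certdata) || !isset($certdata['serialNumber'])) {
        return null;
    }
    return $certdata['serialNumber'];
}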
 /**
  * Parse a given string as a X.509 certificate.
  *
  * @param string $x509CertificateContent PEM-encoded certificate
  * @return EngineBlock_X509_Certificate
  * @throws EngineBlock_Exception when OpenSSL cannot read the content; note that
  *         the full input is embedded in the exception message and may end up in logs
  */
 public function fromString($x509CertificateContent)
 {
     $opensslCertificate = openssl_x509_read($x509CertificateContent);
     if (false === $opensslCertificate) {
         throw new EngineBlock_Exception("Unable to read X.509 certificate from content: '{$x509CertificateContent}'");
     }
     $certificate = new EngineBlock_X509_Certificate($opensslCertificate);
     return $certificate;
 }
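/**
 * 验签 方法 二 (未知公匙,获得需经转换) — verify an RSA/SHA-1 signature with the
 * public key taken from a DER certificate file.
 *
 * @param string $cert_file path to a DER-encoded certificate (converted with der2pem())
 * @param string $data      signed payload
 * @param string $signature base64-encoded signature
 * @return bool true only when openssl_verify() reports a valid signature
 */
function rsa_verify2($cert_file, $data, $signature)
{
    $cert = der2pem(file_get_contents($cert_file));
    $certs = openssl_x509_read($cert);
    $key = $certs !== false ? openssl_get_publickey($certs) : false;
    if ($key === false) {
        return false;
    }
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1 (error); the old
    // (bool) cast turned the error case into "verified". SHA-1 is what the
    // signing side of this interface produces; change it only in step with it.
    // The key object is released when it goes out of scope; openssl_free_key()
    // is deprecated since PHP 8.0.
    return openssl_verify($data, base64_decode($signature), $key, OPENSSL_ALGO_SHA1) === 1;
}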
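 /**
  * Validate the certificate, private key and chain files configured on this
  * object and, when everything checks out, populate $this->sslOptions.
  *
  * Every failure is written to $this->stdErr and makes the method return false.
  *
  * @return bool
  */
 protected function validateSslOptions()
 {
     // Get the contents.
     if (!is_readable($this->certPath)) {
         $this->stdErr->writeln("The certificate file could not be read: " . $this->certPath);
         return false;
     }
     $sslCert = trim(file_get_contents($this->certPath));
     // Do a bit of validation.
     $certResource = openssl_x509_read($sslCert);
     if (!$certResource) {
         $this->stdErr->writeln("The certificate file is not a valid X509 certificate: " . $this->certPath);
         return false;
     }
     // Then the key. Does it match?
     if (!is_readable($this->keyPath)) {
         $this->stdErr->writeln("The private key file could not be read: " . $this->keyPath);
         return false;
     }
     $sslPrivateKey = trim(file_get_contents($this->keyPath));
     $keyResource = openssl_pkey_get_private($sslPrivateKey);
     if (!$keyResource) {
         $this->stdErr->writeln("Private key not valid, or passphrase-protected: " . $this->keyPath);
         return false;
     }
     $keyMatch = openssl_x509_check_private_key($certResource, $keyResource);
     if (!$keyMatch) {
         $this->stdErr->writeln("The provided certificate does not match the provided private key.");
         return false;
     }
     // Split each chain file into its individual certificates first and then
     // validate every one of them: openssl_x509_read() on a whole bundle only
     // checks the first certificate, and explode() on the BEGIN marker yields
     // an empty leading segment that used to become a bogus chain entry.
     $chain = [];
     $begin = '-----BEGIN CERTIFICATE-----';
     $chainFileContents = $this->readChainFiles($this->chainPaths);
     foreach ($chainFileContents as $filePath => $data) {
         $certs = [];
         foreach (explode($begin, $data) as $segment) {
             if (trim($segment) === '') {
                 continue;
             }
             $certs[] = $begin . $segment;
         }
         if ($certs === []) {
             $this->stdErr->writeln("File contains an invalid X509 certificate: " . $filePath);
             return false;
         }
         foreach ($certs as $cert) {
             if (!openssl_x509_read($cert)) {
                 $this->stdErr->writeln("File contains an invalid X509 certificate: " . $filePath);
                 return false;
             }
         }
         $chain = array_merge($chain, $certs);
     }
     // Yay we win.
     $this->sslOptions = ['certificate' => $sslCert, 'key' => $sslPrivateKey, 'chain' => $chain];
     return true;
 }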
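/**
 * Return the signature algorithm name of a PEM certificate (for example
 * "sha256WithRSAEncryption"), taken from OpenSSL's text dump.
 *
 * @param string $raw_cert_data PEM-encoded certificate
 * @return string|null null when the certificate cannot be read/exported or
 *                     no "Signature Algorithm:" line is found
 */
function cert_signature_algorithm($raw_cert_data)
{
    $cert_read = openssl_x509_read($raw_cert_data);
    if ($cert_read === false) {
        // Previously a false handle went straight into openssl_x509_export().
        return null;
    }
    // With $no_text = false the export also carries the `openssl x509 -text`
    // dump, which is where the "Signature Algorithm:" line comes from.
    $out = '';
    if (!openssl_x509_export($cert_read, $out, FALSE)) {
        return null;
    }
    if (preg_match('/^\\s+Signature Algorithm:\\s*(.*)\\s*$/m', $out, $match)) {
        return $match[1];
    }
    return null;
}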
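 /**
  * Compute the thumbprint (digest of the DER encoding) of a PEM certificate.
  *
  * @param string $certificate PEM-encoded certificate
  * @param string $hash        algorithm name accepted by hash() / openssl_x509_fingerprint()
  * @return string|false lowercase hex digest; false when OpenSSL is available
  *                      but cannot parse the input
  */
 public static function calculateThumbprint($certificate, $hash)
 {
     if (function_exists('openssl_x509_fingerprint')) {
         $cert = openssl_x509_read($certificate);
         // Fail explicitly: passing a false handle on to openssl_x509_fingerprint()
         // produced a warning (or TypeError) instead of a usable result.
         if ($cert === false) {
             return false;
         }
         return openssl_x509_fingerprint($cert, $hash);
     }
     // Fallback without OpenSSL: strip the PEM armour and line breaks, then
     // hash the DER bytes.
     $body = preg_replace('#-.*-|\\r|\\n#', '', $certificate);
     return hash($hash, base64_decode($body));
 }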
 /**
  * Constructs a verifier from the supplied PEM-encoded certificate.
  *
  * $pem: a PEM encoded certificate (not a file).
  * @param string $pem
  * @throws Google_AuthException when the PEM cannot be parsed
  * @throws Google_Exception when the openssl extension is not loaded
  */
 function __construct($pem)
 {
     if (function_exists('openssl_x509_read') === false) {
         throw new Google_Exception('Google API PHP client needs the openssl PHP extension');
     }
     $certificate = openssl_x509_read($pem);
     $this->publicKey = $certificate;
     if (false === $certificate) {
         throw new Google_AuthException("Unable to parse PEM: {$pem}");
     }
 }
 /**
  * Constructs a verifier from the supplied PEM-encoded certificate.
  *
  * $pem: a PEM encoded certificate (not a file).
  * @param string $pem
  * @throws Exception when the openssl extension is not loaded
  * @throws apiAuthException when the PEM cannot be parsed
  */
 function __construct($pem)
 {
     if (function_exists('openssl_x509_read') === false) {
         throw new Exception('The Google PHP API library needs the openssl PHP extension');
     }
     $certificate = openssl_x509_read($pem);
     $this->publicKey = $certificate;
     if (false === $certificate) {
         throw new apiAuthException("Unable to parse PEM: {$pem}");
     }
 }
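 /**
  * Check that a PEM certificate has not expired.
  *
  * @param string $cert PEM-encoded certificate
  * @return bool false when the certificate cannot be parsed or its notAfter
  *              time is in the past (both are logged via error_log())
  */
 private function validateCert($cert)
 {
     $data = openssl_x509_read($cert);
     $certData = $data !== false ? openssl_x509_parse($data) : false;
     if (!is_array($certData) || !isset($certData['validTo_time_t'])) {
         error_log(__METHOD__ . ': Certificate could not be parsed');
         return false;
     }
     // Use the Unix timestamp OpenSSL already provides instead of re-assembling
     // it from the YYMMDD prefix of 'validTo', which dropped the time of day
     // and breaks for GeneralizedTime (four-digit year) values.
     $certValidDate = (int) $certData['validTo_time_t'];
     if ($certValidDate < time()) {
         error_log(__METHOD__ . ': Certificate expired in ' . date('Y-m-d', $certValidDate));
         return false;
     }
     return true;
 }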
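/**
 * Return the signature algorithm name of a PEM certificate (for example
 * "sha256WithRSAEncryption"), taken from OpenSSL's text dump.
 *
 * @param string $raw_cert_data PEM-encoded certificate
 * @return string|null null when the certificate cannot be read/exported or
 *                     no "Signature Algorithm:" line is found
 */
function cert_signature_algorithm($raw_cert_data)
{
    $cert_read = openssl_x509_read($raw_cert_data);
    if ($cert_read === false) {
        // Previously a false handle went straight into openssl_x509_export().
        return null;
    }
    //if param 3 is FALSE, $out is filled with both the PEM file as well as the contents of `openssl x509 -noout -text -in cert.pem`.
    //we use that to get the signature alg.
    $out = '';
    if (!openssl_x509_export($cert_read, $out, FALSE)) {
        return null;
    }
    if (preg_match('/^\\s+Signature Algorithm:\\s*(.*)\\s*$/m', $out, $match)) {
        return $match[1];
    }
    return null;
}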
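 /**
  * 验证签名 — verify the signature the gateway POSTed over the plain payload.
  * @method verifySign
  * @since 0.0.1
  * @return {boolean} true only when openssl_verify() reports a valid signature;
  *                   false for missing/malformed POST fields, an unreadable
  *                   certificate, or an invalid/errored verification
  * @example $this->verifySign();
  */
 public function verifySign()
 {
     if (empty($_POST) || !isset($_POST['Plain']) || !isset($_POST['Signature'])) {
         return false;
     }
     // Both fields must be strings; arrays would be TypeErrors further down.
     if (!is_string($_POST['Plain']) || !is_string($_POST['Signature'])) {
         return false;
     }
     $cer = file_get_contents(\Yii::getAlias($this->verifyCertPath));
     $_cer = $cer !== false ? openssl_x509_read($cer) : false;
     $pkey = $_cer !== false ? openssl_get_publickey($_cer) : false;
     if ($pkey === false) {
         return false;
     }
     // hex2bin() returns false (with a warning) on malformed input.
     $signature = hex2bin($_POST['Signature']);
     if ($signature === false) {
         return false;
     }
     // openssl_verify() yields 1 / 0 / -1; returning it raw made the -1 error
     // case truthy. MD5 is what the gateway signs with; keep in step with it.
     return openssl_verify($_POST['Plain'], $signature, $pkey, OPENSSL_ALGO_MD5) === 1;
 }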
 /**
  * Sets the PayPal certificate
  *
  * @param mixed $fileName - The path to the PayPal certificate.
  * @return boolean TRUE if the certificate is read successfully, FALSE otherwise.
  */
 public function setPayPalCertificate($fileName)
 {
     if (!is_readable($fileName)) {
         return FALSE;
     }
     $certificate = openssl_x509_read(file_get_contents($fileName));
     if ($certificate === FALSE) {
         return FALSE;
     }
     // Remember both the parsed handle and where it came from.
     $this->paypalCertificate = $certificate;
     $this->paypalCertificateFile = $fileName;
     return TRUE;
 }
 /**
  * Wrap a PEM-encoded certificate, keeping both the PEM text and its parsed info.
  *
  * @param string $pem PEM-encoded certificate
  * @throws \InvalidArgumentException when $pem is not a string
  * @throws InvalidCertificateException when OpenSSL cannot read or parse it
  */
 public function __construct($pem)
 {
     if (is_string($pem) === false) {
         throw new \InvalidArgumentException("Invalid variable type: Expected string, got " . gettype($pem));
     }
     // The read warning is muted; the exception below is the failure signal.
     $cert = @openssl_x509_read($pem);
     if (!$cert) {
         throw new InvalidCertificateException("Invalid PEM encoded certificate!");
     }
     $this->pem = $pem;
     $info = openssl_x509_parse($cert);
     $this->info = $info;
     if (!$info) {
         throw new InvalidCertificateException("Invalid PEM encoded certificate!");
     }
 }
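 /**
  * Return the DER bytes of a PEM certificate.
  *
  * @param string $certificado PEM-encoded certificate
  * @return string DER encoding (the base64 body of the PEM)
  * @throws toba_error when OpenSSL cannot read or re-export the certificate
  */
 static function certificado_decodificar($certificado)
 {
     $resource = openssl_x509_read($certificado);
     $output = null;
     // Guard the read: exporting a false handle produced a warning/TypeError
     // instead of the intended toba_error.
     $result = $resource !== false && openssl_x509_export($resource, $output);
     if ($result === false) {
         throw new toba_error("El certificado no es un certificado valido", "Detalles: {$certificado}");
     }
     $output = str_replace(array('-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----'), '', $output);
     return base64_decode($output);
 }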
 /**
  * PHP 4-style constructor: remember the PKCS#12 path and password and, when
  * the file exists and unpacks with that password, load the certificate handle
  * and its parsed info. NOTE(review): PHP 8 no longer treats a method named
  * after its class as a constructor — confirm the class also declares __construct.
  *
  * @param string $path          path to a PKCS#12 bundle
  * @param string $cert_password password protecting the bundle
  */
 public function Certificate($path, $cert_password = '')
 {
     $this->path = $path;
     $this->cert_password = $cert_password;
     if (!file_exists($this->path)) {
         return $this;
     }
     $bundle = file_get_contents($this->path);
     $unpacked = openssl_pkcs12_read($bundle, $this->certs, $cert_password);
     if ($unpacked) {
         $this->cert_data = openssl_x509_read($this->certs['cert']);
         $this->cert_info = openssl_x509_parse($this->cert_data);
     }
 }
 /**
  * The constructor must accept a file path, a PEM string and an OpenSSL
  * certificate handle alike, and all three must yield the same key pin.
  */
 public function testConsructorSupoprtsMultipleInputTypesAndCanGenerateProperKeyPin()
 {
     $certPath = __DIR__ . '/_files/mxr.mozilla.org.pem';
     $certString = file_get_contents($certPath);
     $certResource = openssl_x509_read($certString);
     $expectedPin = '47cac6d8f2c2363675e6f433970f27523824d0ec';
     foreach (array($certPath, $certString, $certResource) as $input) {
         $cert = new X509Certificate($input);
         $this->assertSame($cert->getPin(), $expectedPin);
     }
 }
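 /**
  * Return the DER bytes of the loaded certificate.
  *
  * @return string base64-decoded body of the PEM
  * @throws \Exception when the loaded certificate cannot be read or re-exported
  */
 public function getBase64()
 {
     $this->checkLoaded();
     $resource = openssl_x509_read($this->cert);
     $output = null;
     // Guard the read: exporting a false handle produced a warning/TypeError
     // instead of the intended exception.
     $result = $resource !== false && openssl_x509_export($resource, $output);
     if ($result === false) {
         // \Exception's second argument is an int code; the old call passed the
         // details string there, which is a TypeError on PHP 8. Fold the
         // details into the message instead.
         throw new \Exception("El certificado no es un certificado valido. Detalles: {$this->cert}");
     }
     $output = str_replace(array('-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----'), '', $output);
     return base64_decode($output);
 }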
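 /**
  * @param $certificate mixed X.509 resource/OpenSSLCertificate, X.509 certificate string, or path to X.509 certificate file.
  * @throws \InvalidArgumentException when none of the accepted forms yields a certificate
  */
 public function __construct($certificate)
 {
     if (is_string($certificate)) {
         // A readable path is loaded from disk, i.e. a caller-supplied string
         // is interpreted as a file name first — keep untrusted input away from here.
         if (is_readable($certificate)) {
             $certificate = file_get_contents($certificate);
         }
         // We're suppressing errors here in favor of the more verbose exception below.
         $certificate = @openssl_x509_read($certificate);
     }
     // PHP >= 8.0 returns an OpenSSLCertificate object, older versions a
     // resource; get_resource_type() on the object threw, so the check could
     // never pass there.
     $isCertificate = $certificate instanceof \OpenSSLCertificate
         || (is_resource($certificate) && get_resource_type($certificate) === 'OpenSSL X.509');
     if (!$isCertificate) {
         // The message previously contained a bare "%s" that was never filled in.
         throw new \InvalidArgumentException(sprintf(
             'Argument passed to constructor of %s must be an X.509 resource, X.509 certificate string, or valid path to an X.509 certificate.',
             static::class
         ));
     }
     $this->certificate = $certificate;
 }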
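 /**
  * @param string $certificate PEM certificate, or DER which is converted via convertDerToPem()
  *
  * @throws \InvalidArgumentException when neither form can be read by OpenSSL
  *
  * @return array key values as produced by loadKeyFromX509Resource()
  */
 public static function loadKeyFromCertificate($certificate)
 {
     // openssl_x509_read() does not throw on bad input; it returns false (with
     // a warning). The DER fallback therefore keys off the return value — the
     // old try/catch only worked when an error handler turned warnings into
     // exceptions. The catch is kept for such setups.
     try {
         $res = openssl_x509_read($certificate);
     } catch (\Exception $e) {
         $res = false;
     }
     if (false === $res) {
         $res = openssl_x509_read(self::convertDerToPem($certificate));
     }
     if (false === $res) {
         throw new \InvalidArgumentException('Unable to load the certificate');
     }
     // openssl_x509_free() is deprecated since PHP 8.0; the handle is released
     // when it goes out of scope.
     return self::loadKeyFromX509Resource($res);
 }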
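 /**
  * Read one or more PEM certificate files and resolve the chain they form.
  *
  * @param string|string[] $path one path or a list of paths, in chain order
  * @return mixed whatever static::getCertFromChain() returns for the parsed handles
  * @throws \RuntimeException when a file is not accessible or is not a valid certificate
  */
 public static function getCertFromFiles($path)
 {
     if (!is_array($path)) {
         $path = array($path);
     }
     $chain = array();
     foreach ($path as $index => $certPath) {
         if (!file_exists($certPath) || !is_readable($certPath)) {
             throw new \RuntimeException('Path to cert is not accessible: ' . $certPath);
         }
         $certFile = file_get_contents($certPath);
         $cert = openssl_x509_read($certFile);
         // A false handle used to be stored in the chain silently.
         if ($cert === false) {
             throw new \RuntimeException('File does not contain a valid X.509 certificate: ' . $certPath);
         }
         $chain[$index] = $cert;
     }
     return static::getCertFromChain($chain);
 }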
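 /**
  * Return the subject CN of the certificate file at $cert, or the fixed
  * self-issued identity URI when no certificate is configured.
  *
  * @param string|null $cert path to a PEM certificate file
  * @return string|null the CN; the self-issuer URI when $cert is empty; null
  *                     when the file cannot be read or parsed
  */
 public static function getIssuer($cert)
 {
     if ($cert === null || $cert === false || $cert === '') {
         return 'http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self';
     }
     $resource = is_readable($cert) ? file_get_contents($cert) : false;
     $check_cert = $resource !== false ? openssl_x509_read($resource) : false;
     $array = $check_cert !== false ? openssl_x509_parse($check_cert) : false;
     if (!is_array($array) || !isset($array['subject']['CN'])) {
         return null;
     }
     // Take the CN from the parsed subject instead of regex-stripping
     // everything up to "CN=" off the DN string, which mis-parsed DNs whose
     // other attributes contain "CN=" or that have attributes after the CN.
     $CN = $array['subject']['CN'];
     // A subject with several CNs is returned as an array; the old greedy
     // regex effectively kept the last one, so do the same.
     return is_array($CN) ? (string) end($CN) : (string) $CN;
 }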
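 /**
  *  Read a certificate file and return its SHA-1 fingerprint.
  *  @param string $filename path to a PEM-encoded certificate
  *  @return string|false uppercase hex SHA-1 of the DER encoding; false when
  *          the file is unreadable or does not contain a certificate
  */
 function createCertFingerprint($filename)
 {
     if (!is_readable($filename)) {
         return false;
     }
     $cert = file_get_contents($filename);
     $data = $cert !== false ? openssl_x509_read($cert) : false;
     if ($data === false) {
         // Previously a failed read went straight into openssl_x509_export()
         // and surfaced as a warning/TypeError rather than the documented false.
         return false;
     }
     // SHA-1 over the DER bytes — exactly what the former strip-armour,
     // base64-decode, sha1() sequence computed.
     $fingerprint = openssl_x509_fingerprint($data, 'sha1');
     if ($fingerprint === false) {
         return false;
     }
     return strtoupper($fingerprint);
 }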