Private Certificate Authority in PHP?

I am setting up a private CA, and I want to interface with it using PHP. I have tried with PHP's built-in openssl library. So I create a CSR, and to sign it I use openssl_csr_sign.

This does sign the CSR, but that's it. In OpenSSL's CLI it would be something like

openssl x509 -req -days 360 -in file.csr -CA ca.crt -CAkey ca.key ...

Whereas I want something like

openssl ca -cert ca.crt -keyfile ca.key -in file.csr -out file.crt ...

Basically it uses the x509 module to sign it, instead of the ca module. So it doesn't write it into the database specified in openssl.cnf, it doesn't use or update the serial number; it's more "I trust this guy so I'll sign his public key with my private key" than an actual CA. Is there a way to manage a private CA in PHP, with openssl or not?
Yes and no.

Despite using a provided openssl.conf file, PHP's OpenSSL extension doesn't automatically manage the certificate database and/or serial numbers, and it doesn't provide any utilities to help with that.

On the other hand, the database itself has a relatively simple format, so you can implement it yourself using the primitive file-system functions. Here are some hints if you actually go with that route:
- Since each certificate record is on a separate line, fgets() comes in handy while parsing it. fscanf() looks better at first glance, but it treats all whitespace the same and tabs are an essential part of the format, so ... file() is even easier, but only for reading. Chances are that you'll need read+write at the same time, and you'll need to obtain a lock on the file to avoid race conditions.

- The serial file stores the next serial number, so you can do $serial = hexdec(file_get_contents($pathToSerial)), pass that variable to openssl_csr_sign() and then write sprintf("%X\n", $serial + 1) to the file.

- The CLI tool reads the current <filename>, renames it to <filename>.old and then creates an entirely new one as <filename>. What this means is that any file-system ownership and permissions that give your PHP script access to it are lost whenever you use the CLI tool. On failure, abort generation/signing and log/print a message (possibly with chown, chmod instructions) to notify you of that.

- The generated pKey, CSR and certificate are all interdependent and are of type resource (which should be closed after use). To throw an exception and close the resources only when necessary, I like to pre-define the variables holding them and use them in a closure that handles all conditional resource-free routines before throwing an exception.

As you can see, it is manageable if you know what you're doing, but it has a lot of gotchas and not really worth it for a simple PoC. Calling the CLI tool via exec() (and siblings) is a simpler choice.