Hi, to all phpseclib users. I am developing a system to issue certificates, to be used with Apache to set up a mutual authentication system. With openssl all the steps and settings are easy to follow and I was able to do it. But, knowing phpseclib, I tried to do the same with it; the only thing is that I already have an openssl CA certificate, meaning I have already used it to sign a new certificate issued with phpseclib. It seems I am able to do this, but when I try to verify the certificate, or when I import it into the browser, the procedure is correct and the certificate (pkcs12) is imported, yet it looks like I do not have a valid usable certificate. What's wrong?
Here is the verification result:
```text
root@me:/# openssl verify -verbose -CAfile /var/CA/CA/ca.crt mario.rossi.crt
mario.rossi.crt: C = IT, ST = Lazio, O = MyOrg, OU = Users, CN = Mario ROSSI, emailAddress = mario.rossi@myorg.lan
error 7 at 0 depth lookup:certificate signature failure
3073886360:error:04091077:rsa routines:INT_RSA_VERIFY:wrong signature length:rsa_sign.c:175:
3073886360:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:221:
```
Here is the code I used (taken from the web):
```php
require_once("File/X509.php");
require_once("Crypt/RSA.php");
// Setup our CA
$CA = array(); // Store our certificate authority information
$CA["key" ] = new Crypt_RSA();
$CA["key" ]->loadKey( file_get_contents($cakey) ); // Load our CA key to sign with
$CA["key" ]->setPassword('---****---');
$CA["asciicert" ] = file_get_contents($cacert);
$CA["cert" ] = new File_X509();
$CA["cert" ]->loadX509( $CA["asciicert"] ); // Load our CA cert and public key
$CA["cert" ]->setPrivateKey($CA["key"]);
// Create a new keypair
$DEVICE = array();
$DEVICE["keys" ] = new Crypt_RSA();
$DEVICE["keypair" ] = $DEVICE["keys"]->createKey(2048);
// Save our private key
$DEVICE["privkey" ] = new Crypt_RSA();
$DEVICE["privkey" ]->loadKey($DEVICE["keypair"]["privatekey"]);
// Save our public key
$DEVICE["pubkey" ] = new Crypt_RSA();
$DEVICE["pubkey" ]->loadKey($DEVICE["keypair"]["publickey"]);
// Create a new CSR
$DEVICE["csr" ] = new File_X509();
$DEVICE["csr" ]->setPrivateKey($DEVICE["privkey"]);
$DEVICE["csr" ]->setPublicKey ($DEVICE["pubkey" ]);
$DEVICE["csr" ]->setDN("C=IT, ST=Emilia Romagna, O=Virtual Forensics Ambient, OU=Users, CN={$NAME}/emailAddress={$USERNAME}@{$DEVICENAME}");
// Sign the CSR
$DEVICE["signedcsr" ] = $DEVICE["csr"]->signCSR("sha256WithRSAEncryption");
$DEVICE["asciicsr" ] = $DEVICE["csr"]->saveCSR($DEVICE["signedcsr"]);
// CSR attributes
$DEVICE["cert" ] = new File_X509();
$DEVICE["cert" ]->loadCSR( $DEVICE["asciicsr"] ); // Now load it back up so we can set extended attributes
$DEVICE["cert" ]->setPublicKey ($DEVICE["pubkey" ]);
$DEVICE["cert" ]->setStartDate("-1 day"); // Make it valid from yesterday...
$DEVICE["cert" ]->setEndDate("+ 60 days"); // Set a 5 year expiration on all device certs
$DEVICE["cert" ]->setSerialNumber($ID, 10); // Use our ID number in the DB, base 10 (decimal) notation
$DEVICE["cert" ]->setExtension("id-ce-basicConstraints", array("cA" => false ), 1 );
$DEVICE["cert" ]->setExtension("id-ce-keyUsage" , array("keyEncipherment" ,"nonRepudiation" ,"digitalSignature" ), 1 );
$DEVICE["cert" ]->setExtension("id-ce-extKeyUsage" , array("id-kp-emailProtection" ,"id-kp-clientAuth" ), 1 );
$DEVICE["cert" ]->setExtension("netscape-cert-type" , array("Email" ,"SSLClient" ), 1 );
// CA signs the updated CSR
$DEVICE["signedcert"] = $DEVICE["cert"]->sign($CA["cert"], $DEVICE["cert"], "sha256WithRSAEncryption"); // Sign the new certificate with our CA
$DEVICE["asciicert" ] = $DEVICE["cert"]->saveX509($DEVICE["signedcert"]); // Ascii our certificate for presentation
```
Answer 0 (score: 0)
It looks like you are adapting the example from "phpseclib user cert for tls authentication". Anyway, a quick observation.
```php
// Setup our CA
$CA = array(); // Store our certificate authority information
$CA["key" ] = new Crypt_RSA();
$CA["key" ]->loadKey( file_get_contents($cakey) ); // Load our CA key to sign with
$CA["key" ]->setPassword('---***---');
```
setPassword should be called before loadKey.
```php
$DEVICE["cert" ]->setEndDate("+ 60 days"); // Set a 5 year expiration on all device certs
```
60 days is not the same as 5 years ;)
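As an added example (not code from the question, the answer, or the phpseclib project), here is the same issuing flow with the answer's two points applied, every load checked, and a phpseclib-side signature check against the CA before the certificate is exported, which is the in-process counterpart of the `openssl verify -CAfile` command in the question. It assumes phpseclib 1.x (the `Crypt_RSA` / `File_X509` classes used in the question); the CA key path, the CA key password and the serial number are placeholders, while the CA certificate path and the subject DN are taken from the question's openssl output.

```php
<?php
// Added example, not code from the question or the answer: issue a client
// certificate with phpseclib 1.x signed by an existing OpenSSL CA, with the CA
// key loaded in the order the answer describes, every load checked, and the
// issued certificate verified against the CA before it is exported.
require_once 'File/X509.php';
require_once 'Crypt/RSA.php';

$cakey      = '/var/CA/CA/ca.key';      // assumed path to the CA private key (placeholder)
$cacert     = '/var/CA/CA/ca.crt';      // CA certificate path from the question's verify command
$capassword = '---CA-KEY-PASSWORD---';  // placeholder

// 1. CA private key: setPassword() BEFORE loadKey(), and check the return value.
//    loadKey() needs the passphrase already set to decrypt an encrypted PEM; if it
//    returns false the object holds no usable key, and that only surfaces later as
//    a broken signature on the issued certificate.
$caKey = new Crypt_RSA();
$caKey->setPassword($capassword);
if (!$caKey->loadKey(file_get_contents($cakey))) {
    die("Could not load the CA private key (wrong password or bad PEM)\n");
}

// 2. CA certificate paired with its private key; this object is the issuer.
$caCert = new File_X509();
if (!$caCert->loadX509(file_get_contents($cacert))) {
    die("Could not parse the CA certificate\n");
}
$caCert->setPrivateKey($caKey);

// 3. Fresh key pair and a self-signed CSR for the user.
$rsa  = new Crypt_RSA();
$pair = $rsa->createKey(2048);
$userPriv = new Crypt_RSA();
$userPriv->loadKey($pair['privatekey']);
$userPub = new Crypt_RSA();
$userPub->loadKey($pair['publickey']);

$csr = new File_X509();
$csr->setPrivateKey($userPriv);
$csr->setPublicKey($userPub);
// Subject DN taken from the question's openssl output.
$csr->setDN('C=IT, ST=Lazio, O=MyOrg, OU=Users, CN=Mario ROSSI/emailAddress=mario.rossi@myorg.lan');
$csrPem = $csr->saveCSR($csr->signCSR('sha256WithRSAEncryption'));

// 4. Reload the CSR as the subject and attach the client-auth extensions. On a loaded
//    CSR, setExtension() stores them in the extensionRequest attribute, which sign()
//    copies into the certificate (the same flow as the code in the question).
$subject = new File_X509();
if (!$subject->loadCSR($csrPem)) {
    die("Could not reload the CSR\n");
}
$subject->setPublicKey($userPub);
$subject->setExtension('id-ce-basicConstraints', array('cA' => false), true);
$subject->setExtension('id-ce-keyUsage', array('digitalSignature', 'nonRepudiation', 'keyEncipherment'), true);
$subject->setExtension('id-ce-extKeyUsage', array('id-kp-clientAuth', 'id-kp-emailProtection'), true);

// 5. A separate signer object carries validity and serial number (sign() reads them
//    from the object it is called on). The comment and the value now agree: 60 days.
$signer = new File_X509();
$signer->setStartDate('-1 day');
$signer->setEndDate('+60 days');
$signer->setSerialNumber('42', 10);      // placeholder; use the database id in practice
$signed = $signer->sign($caCert, $subject, 'sha256WithRSAEncryption');
if ($signed === false) {
    die("Signing failed\n");
}
$certPem = $signer->saveX509($signed);

// 6. Verify the result against the CA in phpseclib itself, the counterpart of
//    `openssl verify -CAfile ca.crt`, so a bad signature is caught here rather
//    than after the PKCS#12 has been imported into a browser.
$check = new File_X509();
$check->loadCA(file_get_contents($cacert));
if (!$check->loadX509($certPem) || $check->validateSignature() !== true) {
    die("Issued certificate does not verify against the CA; do not ship it\n");
}

echo $certPem;
```

The separate `$signer` object is deliberate: `sign()` takes the start date, end date and serial number from the object it is called on and the extensions from the subject, so keeping the two apart makes it clear which setting lands where. Step 6 is the check that would have turned the asker's "wrong signature length" into an immediate failure at issuing time instead of a silently unusable certificate in the browser.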