使用.p12 SSL证书的curl / soap请求

时间:2018-04-19 10:02:28

标签: php ssl soap php-curl

我需要使用 PHP7.2 来获取https://address?wsdl证书的SOAP请求.p12

经过几个小时的研究后,我唯一能做的就是从bash发出这个请求:

$ curl -k -E cert.crt.pem --key cert.key.pem https://address?wsdl

退回了WSDL。但我不得不将.p12拆分为单独的文件并使用-k选项,这使得所有这些内容都不安全。 通过以下命令完成拆分:

openssl pkcs12 -in mycert.p12 -out cert.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out cert.crt.pem -clcerts -nokeys

问题是: 如何使用PHP中的cURL请求此WSDL或如何配置new \SoapClient()以便它可以工作?

这可能只有.p12档案&密码?或者我必须转换它?

希望这能描述我已经能够做到的事情:

<?php
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,2);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_setopt($ch, CURLOPT_VERBOSE, true);

/**
 * cert.p12 (with password) -> cert.pem (contains encrypted PKey & client ?unencrypted? cert)
 * $ openssl pkcs12 -in cert.p12 -out cert.pem -clcerts
 *
 * Result:
 *
 * This works. But:
 * - I don't have peer verification
 * - Is such file safe? It has encrypted pkey & certificate (I think not encrypted).
 *   I don't know much about that topic. Maybe someone with more experience will be able to tell more.
 *   Maybe some better solution to output this. Maybe as 2 separate files?
 */
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,false); // DO NOT VERIFY!
curl_setopt($ch,CURLOPT_SSLCERT,__DIR__ . '/cert.pem');
//curl_setopt($ch, CURLOPT_SSLCERTPASSWD, $pass); // This is not required :/
curl_setopt($ch,CURLOPT_SSLKEY,__DIR__ . '/cert.pem');
curl_setopt($ch,CURLOPT_SSLKEYPASSWD, $pass);

/**
 * cert.p12 (with password) -> cert.pem (contains encrypted PKey & client ?unencrypted? cert)
 * $ openssl pkcs12 -in cert.p12 -out cert.pem -clcerts
 *
 * Result:
 *
 * TCP_NODELAY set
 * Connected to XXX
 * ALPN, offering http/1.1
 * SSL certificate problem: self signed certificate in certificate chain
 * stopped the pause stream!
 * Closing connection 0
 */
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,true);
curl_setopt($ch,CURLOPT_SSLCERT,__DIR__ . '/cert.pem');
curl_setopt($ch,CURLOPT_SSLKEY,__DIR__ . '/cert.pem');
curl_setopt($ch,CURLOPT_SSLKEYPASSWD, $pass);

/**
 * cert.p12 (with password) -> cert.pem (contains encrypted PKey & client ?unencrypted? cert)
 * $ openssl pkcs12 -in cert.p12 -out cert.pem -clcerts
 *
 * Result:
 *
 * TCP_NODELAY set
 * Connected to XXX
 * ALPN, offering http/1.1
 * ignoring certificate verify locations due to disabled peer verification
 * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
 * stopped the pause stream!
 * Closing connection 0
 */
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch,CURLOPT_CAINFO,__DIR__ . '/cert.pem');
curl_setopt($ch,CURLOPT_CAPATH,__DIR__);
curl_setopt($ch,CURLOPT_KEYPASSWD,$pass);

/**
 * cert.p12 (with password) -> cert.pem (contains encrypted PKey & client ?unencrypted? cert)
 * $ openssl pkcs12 -in cert.p12 -out cert.pem -clcerts
 *
 * Result:
 *
 * TCP_NODELAY set
 * Connected to XXX
 * ALPN, offering http/1.1
 * successfully set certificate verify locations:
 *   CAfile: /www/soap/cert.pem
 *   CApath: /www/soap
 * SSL certificate problem: self signed certificate in certificate chain
 * stopped the pause stream!
 * Closing connection 0
 */
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch,CURLOPT_CAINFO,__DIR__ . '/cert.pem');
curl_setopt($ch,CURLOPT_CAPATH,__DIR__);
curl_setopt($ch,CURLOPT_KEYPASSWD,$pass);

$data = curl_exec($ch);

$error = curl_error($ch);
$httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);

curl_close($ch);

var_dump($data, $httpcode, $error);
?>

2 个答案:

答案 0 :(得分:1)

我无法直接使用.p12.pfxpkcs12是SOAP。 首先,我们需要读取p12文件并将其转换为.pem。稍后,您可以缓存结果($pemCertContent)以避免转换每个请求,也可以将其存储为文件以用作文件路径。

    $readSuccessful = openssl_pkcs12_read($content, $certData, $password);
    if (!$readSuccessful) {
        $msg = sprintf('Could not read pkcs12 file `%s`: `%s`.', $filePath, openssl_error_string());
        throw new \Exception($msg);
    }

    $pemCertContent = '';

    if (isset($certData['pkey'])) {
        openssl_pkey_export($certData['pkey'], $pem, $pemPassword);
        $pemCertContent .= $pem;
    }
    if (isset($certData['cert'])) {
        openssl_x509_export($certData['cert'], $cert);
        $pemCertContent .= $cert;
    }

    $pemCertContent; // This is your .pem certificate content. I store it as a file.

根据需要,可以在创建SOAP客户端时像这样使用它:

    $soapOptions = [
        /* In some cases, when you have 2 certificates you may need to use stream context instead of 'local_cert'
        'stream_context' => stream_context_create([
            'ssl' => [
                'cafile' => $caCert->getFilePath(), // CA Certificate
                'local_cert' => $tlsCertificate->getFilePath(), // PEM certificate
                'passphrase' => $tlsCertificatePass, // Pass for PEM certificate
            ],
        ]),
         */
        'local_cert' => $tlsCertificate->getFilePath(),
        'passphrase' => $tlsCertificatePass,

        'trace' => true,
        'exceptions' => true,
    ];

这允许连接到SoapServer以获取wsdl并执行请求。就我而言,我还必须使用WSSE签署整个请求正文。为此,我将其与.p12函数打开的openssl_pkcs12_read证书一起使用:

RobRichards\WsePhp\WSSESoap;
RobRichards\XMLSecLibs\XMLSecurityKey;

但这是另一个故事。

答案 1 :(得分:0)

随着当今安全技术的需求,使EDI功能轻松工作变得越来越困难。我一直在努力使用php肥皂和证书几个月,但仍然无法正常工作。似乎来自php的开发人员似乎无法完成其soap功能的这一部分-或无法正确完成它。

到目前为止,我只读到它可用于curl和pem证书,不幸的是,我需要一个受密码保护的pfx证书。我目前正在寻找不同的语言来完成它。

很抱歉,我建议不要在php上找到解决方案的时间浪费