编程语言
首页 > 编程语言> > openssl_pkey_new()抛出错误 – 正确的openssl.cnf设置为PHP

openssl_pkey_new()抛出错误 – 正确的openssl.cnf设置为PHP

作者:互联网

**好的,很明显,这个问题与Linux服务器上openssl的设置以及如何正确设置自定义openssl.cnf文件有关.我不是在寻找任何复杂的东西,但我需要一个前端能够创建自签名客户端证书,以便对我的webservice进行身份验证.因此,我需要能够使用我的CA为客户公司创建中间CA,然后允许他们使用安全接口为其员工颁发客户端证书.登录基于您是否属于特定的中间CA,以及您的证书或中间CA是否未被撤销.

对于任何想知道的人,我们可以使用自签名证书,因为它们仅用于我们的服务器来验证用户,因为我们发布它们,我们相信它们.对于初创公司而言,通过商业产品AFAIK建立自己作为中间CA的方式也太昂贵了.微软可以做到这一点,我们做不到.我们的网络服务器本身使用CA签名证书.

我知道设置这种东西的PHP代码是直截了当的,但不是如何正确设置openssl.我在网上尝试了几个不同的例子,它们似乎都不适用于我的设置,它们似乎都有所不同.一个盒子是全新安装的Centos 6.2,我仍然遇到错误.

任何人都可以指出我正确的方向设置openssl,apache2和php,以便我可以使用这些PHP库没有错误?我们的虚拟服务器使用debian squeeze,我可以完全控制安装的软件.

谢谢.

open_pkey_new()返回错误,如错误:0E06D06C:配置文件例程:NCONF_get_string:无值.然而,我正在通过一个openssl.cnf文件的路径,所以我不知道为什么我仍然遇到这个问题.这是我的相关代码

<?php
$cwd=getcwd();
$distname= array(
    "countryName" => "CA",
    "stateOrProvinceName" => "Ontario",
    "localityName" => "Toronto",
    "organizationName" => "G4 Apps",
    "organizationalUnitName" => "Development",
    "commonName" => "Mark Lane",
    "emailAddress" => "nobody at gmail.com"
        );
$password = 'seanix';

$cacert_location=$cwd."/certs/CA/g4CA.crt";
$cakey_location=$cwd."/certs/CA/g4CA.key";
$cnf=$cwd.'/certs/myopenssl.cnf';
$configArgs = array(
        'config' =>$cnf
);
?>

这是我制作钥匙的功能.

<?php
function makekey($password,$configArgs) {
    $key= openssl_pkey_new($configArgs);
    //print_r($configArgs);
    openssl_pkey_export($key, $pkeyout,$password);
    if (($e=openssl_error_string()) ==false) return $pkeyout;
    else {
        do {

            echo $e . "<BR>";
        } while($e=openssl_error_string());
        return -1;
    }
}
?>

我也试过相对路径到配置文件,它仍然无法正常工作.看起来它可能是主机提供商ssl设置.我切换到本地虚拟机,我得到了生成密钥但现在我在创建csr时遇到了同样的错误.

错误:0E06D06C:配置文件例程:NCONF_get_string:无值

<?php
function newcsr($distname,$key,$configArgs) {
    $csr=openssl_csr_new($distname,$key,$configArgs);
    openssl_csr_export($csr, $csrout);
    if (($e=openssl_error_string()) ==false) return $csrout;
    else {
        do {

            echo $e . "<BR>";
        } while($e=openssl_error_string());
        return -1;
    }
}
?>

openssl.conf这看起来是openssl.cnf中的错误所以我已经包含了该文件.

HOME            = .
RANDFILE        = $ENV::HOME/.rnd

oid_section     = new_oids


[ new_oids ]


tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca  = g4CA      

####################################################################
[ g4CA ]

dir     = /home/g4apps/secure.g4apps.com/generator/certs    
certs       = $dir/     
crl_dir     = $dir/crl      
database    = $dir/index.txt    


new_certs_dir   = $dir/newcerts     

certificate = $dir/CA/g4CA.crt  
serial      = $dir/serial       
crlnumber   = $dir/crlnumber    

crl     = $dir/CA/g4CA.crl  
private_key = $dir/CA/g4CA.key  
RANDFILE    = $dir/private/.rand    

x509_extensions = usr_cert      

name_opt    = ca_default        
cert_opt    = ca_default        


default_days    = 365           # how long to certify for
default_crl_days= 30            # how long before next CRL
default_md  = default       # use public key default MD
preserve    = no            # keep passed DN ordering

policy      = policy_match


[ policy_match ]
countryName     = match
stateOrProvinceName = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

[ policy_anything ]
countryName     = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

####################################################################
[ req ]
default_bits        = 2048
default_md      = md5
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

string_mask = utf8only

[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = CA
countryName_min         = 2
countryName_max         = 2

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = ON

localityName            = Locality Name (eg, city)
localityName_default    = Toronto

0.organizationName      = Organization Name (eg, company)
0.organizationName_default  = G4 Apps



organizationalUnitName      = Organizational Unit Name (eg, section)

commonName          = Common Name (eg, your name or your server\'s hostname)
commonName_max          = 64

emailAddress            = Email Address
emailAddress_default        = lmlane@gmail.com
emailAddress_max        = 64


[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min       = 4
challengePassword_max       = 20

unstructuredName        = An optional company name

[ usr_cert ]

nsComment           = "OpenSSL Generated Certificate"

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer



[ v3_req ]


basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true


[ crl_ext ]

authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
basicConstraints=CA:FALSE

nsComment           = "OpenSSL Generated Certificate"

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]

default_tsa = tsa_config1   

[ tsa_config1 ]

dir             = ./demoCA      
serial      = $dir/tsaserial    
crypto_device   = builtin       
signer_cert = $dir/tsacert.pem  

certs       = $dir/cacert.pem   
signer_key  = $dir/private/tsakey.pem 
default_policy  = tsa_policy1       
other_policies  = tsa_policy2, tsa_policy3
digests     = md5, sha1     
accuracy    = secs:1, millisecs:500, microsecs:100  
clock_precision_digits  = 0 
ordering        = yes   

tsa_name        = yes   
ess_cert_id_chain   = no    

堆栈跟踪strace php getkeystore.php&>堆栈跟踪

http://secure.g4apps.com/generator/stack.trace

解决方法:

我在我的Mac上尝试了这个并重新安装了CentOS 6.3,我得到了同样的错误.我从IUS获得了我的CentOS软件包.这很奇怪,因为即使我收到此消息,实际上正在生成密钥.

以下代码:

$res = openssl_pkey_new();
openssl_pkey_export($res, $privkey);
var_dump(openssl_error_string());
var_dump($privkey);

给我以下输出:

string(68) "error:0E06D06C:configuration file routines:NCONF_get_string:no value"
string(887) "-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDdh4FiOEtUZzvTSnlb/pJHjmsS9rOHQ7PU2WOO6ZHxYRIgK1NR
ReY7bBwEsT2ziUpx0b8K2Fx4m+XovzysB/lVrKbrdbHoVtGuJGZjYSXgFlCRTBu+
+TnAPUBF0LGJfxfVzjOkHzsh02lH3fvzFpFgRZRWs4za+vVzIweeOweYTwIDAQAB
AoGANZD5iS2BkZQw1COS+tqwtlrKq1g6CwAk8NfsCfeSkaJeRqcTS3iydjXrBHtz
JwGQnbsRDedJXOSdkE0Ft7dp44lijOAp1ngMDCKbabxVN2Go6b1d743HE0oIhFCC
Dv2B9kf9vzeYy+0/BVCs5i4iPoKXJJTSJrWoDxrFEJWSJIkCQQDwe39bOFHmQlxz
pbfT3DZ8Q311xFo6PewcAf7DTsikoPZANx0GQ41WdZj6/n4QVP4k+TnhZLiJzsH+
p3RUrx8tAkEA69LsgPrQMZ0YjsE2vjRLdJmp1916G1xqSLIVWDUPd9Ns+MA8YKTx
AQxC3dl3n+w24m7UlCThANlU/+2r0eoi6wJBAKIxGOdEJ/Cdp08UYNRR/Kl4t2A7
SwNnChylt9awByEJsqwCv9+epe+/Jqt6AzouqK31LXV4AgJn4W1IMWyAJA0CQCp0
6/2AqnD0PpKc+JUf5yHT9H8Xsb8xUTVLUopx6xoAp5LVUUl5CKbOpU85ss7JAUyc
9YrCZPv5JNN6379ILwcCQQDDcjtNnhQHukQQQ8iVL9YCrWzyCgplTz3uktueT+Dd
SDK1bCM4xDehfG3RKu1ZNx80Q0nzmi7FSPJ2md7qSIHc
-----END RSA PRIVATE KEY-----
"

我怀疑它是PHP中的一个错误.某种openssl配置PHP正在被挂起.我在php.net上找到了一个关于这个的bug report,但是它“开始为用户工作”,因此bug被关闭了.

作为替代方案,您可以查看phpseclib,一个纯粹用PHP编写的库.

标签:private-key,php,openssl
来源: https://codeday.me/bug/20191007/1868425.html