openssl_pkey_new()抛出错误 – 正确的openssl.cnf设置为PHP
作者:互联网
**好的,很明显,这个问题与Linux服务器上openssl的设置以及如何正确设置自定义openssl.cnf文件有关.我不是在寻找任何复杂的东西,但我需要一个前端能够创建自签名客户端证书,以便对我的webservice进行身份验证.因此,我需要能够使用我的CA为客户公司创建中间CA,然后允许他们使用安全接口为其员工颁发客户端证书.登录基于您是否属于特定的中间CA,以及您的证书或中间CA是否未被撤销.
对于任何想知道的人,我们可以使用自签名证书,因为它们仅用于我们的服务器来验证用户,因为我们发布它们,我们相信它们.对于初创公司而言,通过商业产品AFAIK建立自己作为中间CA的方式也太昂贵了.微软可以做到这一点,我们做不到.我们的网络服务器本身使用CA签名证书.
我知道设置这种东西的PHP代码是直截了当的,但不是如何正确设置openssl.我在网上尝试了几个不同的例子,它们似乎都不适用于我的设置,它们似乎都有所不同.一个盒子是全新安装的Centos 6.2,我仍然遇到错误.
任何人都可以指出我正确的方向设置openssl,apache2和php,以便我可以使用这些PHP库没有错误?我们的虚拟服务器使用debian squeeze,我可以完全控制安装的软件.
谢谢.
open_pkey_new()返回错误,如错误:0E06D06C:配置文件例程:NCONF_get_string:无值.然而,我正在通过一个openssl.cnf文件的路径,所以我不知道为什么我仍然遇到这个问题.这是我的相关代码
<?php
$cwd=getcwd();
$distname= array(
"countryName" => "CA",
"stateOrProvinceName" => "Ontario",
"localityName" => "Toronto",
"organizationName" => "G4 Apps",
"organizationalUnitName" => "Development",
"commonName" => "Mark Lane",
"emailAddress" => "nobody at gmail.com"
);
$password = 'seanix';
$cacert_location=$cwd."/certs/CA/g4CA.crt";
$cakey_location=$cwd."/certs/CA/g4CA.key";
$cnf=$cwd.'/certs/myopenssl.cnf';
$configArgs = array(
'config' =>$cnf
);
?>
这是我制作钥匙的功能.
<?php
function makekey($password,$configArgs) {
$key= openssl_pkey_new($configArgs);
//print_r($configArgs);
openssl_pkey_export($key, $pkeyout,$password);
if (($e=openssl_error_string()) ==false) return $pkeyout;
else {
do {
echo $e . "<BR>";
} while($e=openssl_error_string());
return -1;
}
}
?>
我也试过相对路径到配置文件,它仍然无法正常工作.看起来它可能是主机提供商ssl设置.我切换到本地虚拟机,我得到了生成密钥但现在我在创建csr时遇到了同样的错误.
错误:0E06D06C:配置文件例程:NCONF_get_string:无值
<?php
function newcsr($distname,$key,$configArgs) {
$csr=openssl_csr_new($distname,$key,$configArgs);
openssl_csr_export($csr, $csrout);
if (($e=openssl_error_string()) ==false) return $csrout;
else {
do {
echo $e . "<BR>";
} while($e=openssl_error_string());
return -1;
}
}
?>
openssl.conf这看起来是openssl.cnf中的错误所以我已经包含了该文件.
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
####################################################################
[ ca ]
default_ca = g4CA
####################################################################
[ g4CA ]
dir = /home/g4apps/secure.g4apps.com/generator/certs
certs = $dir/
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/CA/g4CA.crt
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/CA/g4CA.crl
private_key = $dir/CA/g4CA.key
RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_md = md5
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CA
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = ON
localityName = Locality Name (eg, city)
localityName_default = Toronto
0.organizationName = Organization Name (eg, company)
0.organizationName_default = G4 Apps
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = lmlane@gmail.com
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1
[ tsa_config1 ]
dir = ./demoCA
serial = $dir/tsaserial
crypto_device = builtin
signer_cert = $dir/tsacert.pem
certs = $dir/cacert.pem
signer_key = $dir/private/tsakey.pem
default_policy = tsa_policy1
other_policies = tsa_policy2, tsa_policy3
digests = md5, sha1
accuracy = secs:1, millisecs:500, microsecs:100
clock_precision_digits = 0
ordering = yes
tsa_name = yes
ess_cert_id_chain = no
堆栈跟踪strace php getkeystore.php&>堆栈跟踪
http://secure.g4apps.com/generator/stack.trace
解决方法:
我在我的Mac上尝试了这个并重新安装了CentOS 6.3,我得到了同样的错误.我从IUS获得了我的CentOS软件包.这很奇怪,因为即使我收到此消息,实际上正在生成密钥.
以下代码:
$res = openssl_pkey_new();
openssl_pkey_export($res, $privkey);
var_dump(openssl_error_string());
var_dump($privkey);
给我以下输出:
string(68) "error:0E06D06C:configuration file routines:NCONF_get_string:no value"
string(887) "-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDdh4FiOEtUZzvTSnlb/pJHjmsS9rOHQ7PU2WOO6ZHxYRIgK1NR
ReY7bBwEsT2ziUpx0b8K2Fx4m+XovzysB/lVrKbrdbHoVtGuJGZjYSXgFlCRTBu+
+TnAPUBF0LGJfxfVzjOkHzsh02lH3fvzFpFgRZRWs4za+vVzIweeOweYTwIDAQAB
AoGANZD5iS2BkZQw1COS+tqwtlrKq1g6CwAk8NfsCfeSkaJeRqcTS3iydjXrBHtz
JwGQnbsRDedJXOSdkE0Ft7dp44lijOAp1ngMDCKbabxVN2Go6b1d743HE0oIhFCC
Dv2B9kf9vzeYy+0/BVCs5i4iPoKXJJTSJrWoDxrFEJWSJIkCQQDwe39bOFHmQlxz
pbfT3DZ8Q311xFo6PewcAf7DTsikoPZANx0GQ41WdZj6/n4QVP4k+TnhZLiJzsH+
p3RUrx8tAkEA69LsgPrQMZ0YjsE2vjRLdJmp1916G1xqSLIVWDUPd9Ns+MA8YKTx
AQxC3dl3n+w24m7UlCThANlU/+2r0eoi6wJBAKIxGOdEJ/Cdp08UYNRR/Kl4t2A7
SwNnChylt9awByEJsqwCv9+epe+/Jqt6AzouqK31LXV4AgJn4W1IMWyAJA0CQCp0
6/2AqnD0PpKc+JUf5yHT9H8Xsb8xUTVLUopx6xoAp5LVUUl5CKbOpU85ss7JAUyc
9YrCZPv5JNN6379ILwcCQQDDcjtNnhQHukQQQ8iVL9YCrWzyCgplTz3uktueT+Dd
SDK1bCM4xDehfG3RKu1ZNx80Q0nzmi7FSPJ2md7qSIHc
-----END RSA PRIVATE KEY-----
"
我怀疑它是PHP中的一个错误.某种openssl配置PHP正在被挂起.我在php.net上找到了一个关于这个的bug report,但是它“开始为用户工作”,因此bug被关闭了.
作为替代方案,您可以查看phpseclib,一个纯粹用PHP编写的库.
标签:private-key,php,openssl 来源: https://codeday.me/bug/20191007/1868425.html