定制 fyrkat/openssl 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

fyrkat/openssl

Composer 安装命令:

composer require fyrkat/openssl

包简介

Class wrappers for PHPs built-in openssl_* functions

README 文档

README

This project provides classes around openssl_* functions in order to make working with keys and certificates a bit more palable. It is still a work in progress. Patches and bug reports welcome.

Requirements

  • PHP >=8.1
  • Make
  • (for first dev setup) internet connection

Usage

Make sure that you use strict types in your code!

<?php declare(strict_types=1);

Self-sign

In order to make a self-signed CA, you need a key.

<?php
$caPrivKey = new PrivateKey( new OpenSSLConfig( privateKeyType: OpenSSLKey::KEYTYPE_EC ) );
// Instead of OpenSSLKey::KEYTYPE_EC you could use OpenSSLKey::KEYTYPE_RSA.

From this key we will make a signing request.

<?php
$caCsr = CSR::generate(
		new DN( ['CN' => 'fyrkat example CA'] ), // Subject
		$caPrivKey // CA key
	);

This request can now be self-signed.

<?php
$caCertificate = $caCsr->sign(
		null, // CA certificate
		$caPrivKey, // CA key
		18250, // Validity in days
		new OpenSSLConfig( x509Extensions: OpenSSLConfig::X509_EXTENSION_CA ) // EKU
	);
// We need the same $caPrivKey again because self-sign means you sign with your own key.
// OpenSSLConfig::X509_EXTENSION_CA means that the resulting certificate is to be used as a CA.
// Other options are OpenSSLConfig::X509_EXTENSION_SERVER and OpenSSLConfig::X509_EXTENSION_CLIENT.

Sign with own CA

If you already have your own CA, import it.

<?php
// Update these three lines to your own liking.
$caPrivPem = getMyPrivateKeyPemFromSomewhere();
$caPrivPemPassphrase = 'supersecret'; // or null if no passphrase.
$caCertificatePem = getMyPrivateKeyPemFromSomewhere();
$caPrivKey = new PrivateKey( $caPrivPem, $passphrase );
$caCertificate = new X509( $caCertificatePem );

Sign a server certificate with your CA

<?php
$serverPrivKey = new PrivateKey( new OpenSSLConfig( privateKeyType: OpenSSLKey::KEYTYPE_EC ) );
// Instead of OpenSSLKey::KEYTYPE_EC you could use OpenSSLKey::KEYTYPE_RSA.
$serverCsr = CSR::generate(
		new DN( ['CN' => 'example.com'] ), // Subject
		$serverPrivKey // Server key
	);
$serverCertificate = $caCsr->sign(
		$caCertificate, // CA certificate
		$caPrivKey, // CA key
		1095, // Validity in days
		new OpenSSLConfig( x509Extensions: OpenSSLConfig::X509_EXTENSION_SERVER ) // EKU
	);
// Using $caCertificate ensures the resulting certificate is signed by $caCertificate,
// instead of being self-signed.
// OpenSSLConfig::X509_EXTENSION_SERVER indicates that this will be a server certificate.

Sign a client certificate with your CA

<?php
$clientPrivKey = new PrivateKey( new OpenSSLConfig( privateKeyType: OpenSSLKey::KEYTYPE_EC ) );
$clientCsr = CSR::generate(
		new DN( ['CN' => 'jornane@example.com'] ), // Subject
		$clientPrivKey // Client key
	);
$clientCertificate = $caCsr->sign(
		$caCertificate, // CA certificate
		$caPrivKey, // CA key
		1095, // Validity in days
		new OpenSSLConfig( x509Extensions: OpenSSLConfig::X509_EXTENSION_CLIENT ) // EKU
	);

Retrieving PEM representations

Classes holding public key material have a __toString() method, which allows you to use them as strings.

<?php
echo $serverCertificate; // PEM output

However, PrivateKey does not have this feature, to avoid accidentally leaking data. All classes have a function to get a PEM string.

<?php
$caCertificatePem = $caCertificate->getX509Pem();
$serverCertificatePem = $serverCertificate->getX509Pem();
$serverPrivKeyPem = $serverPrivKey->getPrivateKeyPem( 'supersecret' );
// Instead of 'supersecret', you can use null if you don't want the output encrypted

// Additionally, you could export just the public key, but it might not be that useful
$pkPem = $serverCertificate->getPublicKey()->getPublicKeyPem();

Known issues

Limitations in openssl_csr_sign

  • When signing a CSR, the expire date is an integer amount of days from the current date/time.
  • When signing a CSR, it is not possible to set the not before date. This is always the current date/time.
  • The serial field is a native integer; X509 supports 20 bytes, but only 8 of these can be used on 64-bit systems.

Security issues

  • It is not possible to filter extensions in a CSR, making it a risk to allow user input CSR

Testing

make test

Contributing

Before committing, run

make camera-ready

fyrkat/openssl 适用场景与选型建议

fyrkat/openssl 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 1.78k 次下载、GitHub Stars 达 0, 最近一次更新时间为 2019 年 06 月 06 日, 在 PHP 生态内属于活跃度较高的组件。

我们在过去多个企业项目中使用过 fyrkat/openssl 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 fyrkat/openssl 我们能提供哪些服务?
定制开发 / 二次开发

基于 fyrkat/openssl 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 1.78k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 0
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: BSD-3-Clause
  • 更新时间: 2019-06-06