fyrkat/openssl
Composer 安装命令:
composer require fyrkat/openssl
包简介
Class wrappers for PHPs built-in openssl_* functions
README 文档
README
This project provides classes around openssl_* functions in order to make working with keys and certificates a bit more palable. It is still a work in progress. Patches and bug reports welcome.
Requirements
- PHP >=8.1
- Make
- (for first dev setup) internet connection
Usage
Make sure that you use strict types in your code!
<?php declare(strict_types=1);
Self-sign
In order to make a self-signed CA, you need a key.
<?php
$caPrivKey = new PrivateKey( new OpenSSLConfig( privateKeyType: OpenSSLKey::KEYTYPE_EC ) );
// Instead of OpenSSLKey::KEYTYPE_EC you could use OpenSSLKey::KEYTYPE_RSA.
From this key we will make a signing request.
<?php
$caCsr = CSR::generate(
new DN( ['CN' => 'fyrkat example CA'] ), // Subject
$caPrivKey // CA key
);
This request can now be self-signed.
<?php
$caCertificate = $caCsr->sign(
null, // CA certificate
$caPrivKey, // CA key
18250, // Validity in days
new OpenSSLConfig( x509Extensions: OpenSSLConfig::X509_EXTENSION_CA ) // EKU
);
// We need the same $caPrivKey again because self-sign means you sign with your own key.
// OpenSSLConfig::X509_EXTENSION_CA means that the resulting certificate is to be used as a CA.
// Other options are OpenSSLConfig::X509_EXTENSION_SERVER and OpenSSLConfig::X509_EXTENSION_CLIENT.
Sign with own CA
If you already have your own CA, import it.
<?php
// Update these three lines to your own liking.
$caPrivPem = getMyPrivateKeyPemFromSomewhere();
$caPrivPemPassphrase = 'supersecret'; // or null if no passphrase.
$caCertificatePem = getMyPrivateKeyPemFromSomewhere();
$caPrivKey = new PrivateKey( $caPrivPem, $passphrase );
$caCertificate = new X509( $caCertificatePem );
Sign a server certificate with your CA
<?php
$serverPrivKey = new PrivateKey( new OpenSSLConfig( privateKeyType: OpenSSLKey::KEYTYPE_EC ) );
// Instead of OpenSSLKey::KEYTYPE_EC you could use OpenSSLKey::KEYTYPE_RSA.
$serverCsr = CSR::generate(
new DN( ['CN' => 'example.com'] ), // Subject
$serverPrivKey // Server key
);
$serverCertificate = $caCsr->sign(
$caCertificate, // CA certificate
$caPrivKey, // CA key
1095, // Validity in days
new OpenSSLConfig( x509Extensions: OpenSSLConfig::X509_EXTENSION_SERVER ) // EKU
);
// Using $caCertificate ensures the resulting certificate is signed by $caCertificate,
// instead of being self-signed.
// OpenSSLConfig::X509_EXTENSION_SERVER indicates that this will be a server certificate.
Sign a client certificate with your CA
<?php
$clientPrivKey = new PrivateKey( new OpenSSLConfig( privateKeyType: OpenSSLKey::KEYTYPE_EC ) );
$clientCsr = CSR::generate(
new DN( ['CN' => 'jornane@example.com'] ), // Subject
$clientPrivKey // Client key
);
$clientCertificate = $caCsr->sign(
$caCertificate, // CA certificate
$caPrivKey, // CA key
1095, // Validity in days
new OpenSSLConfig( x509Extensions: OpenSSLConfig::X509_EXTENSION_CLIENT ) // EKU
);
Retrieving PEM representations
Classes holding public key material have a __toString() method, which allows you to use them as strings.
<?php
echo $serverCertificate; // PEM output
However, PrivateKey does not have this feature, to avoid accidentally leaking data.
All classes have a function to get a PEM string.
<?php
$caCertificatePem = $caCertificate->getX509Pem();
$serverCertificatePem = $serverCertificate->getX509Pem();
$serverPrivKeyPem = $serverPrivKey->getPrivateKeyPem( 'supersecret' );
// Instead of 'supersecret', you can use null if you don't want the output encrypted
// Additionally, you could export just the public key, but it might not be that useful
$pkPem = $serverCertificate->getPublicKey()->getPublicKeyPem();
Known issues
Limitations in openssl_csr_sign
- When signing a CSR, the expire date is an integer amount of days from the current date/time.
- When signing a CSR, it is not possible to set the not before date. This is always the current date/time.
- The serial field is a native integer; X509 supports 20 bytes, but only 8 of these can be used on 64-bit systems.
Security issues
- It is not possible to filter extensions in a CSR, making it a risk to allow user input CSR
Testing
make test
Contributing
Before committing, run
make camera-ready
fyrkat/openssl 适用场景与选型建议
fyrkat/openssl 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 1.78k 次下载、GitHub Stars 达 0, 最近一次更新时间为 2019 年 06 月 06 日, 在 PHP 生态内属于活跃度较高的组件。
我们在过去多个企业项目中使用过 fyrkat/openssl 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 fyrkat/openssl 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
统计信息
- 总下载量: 1.78k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 0
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: BSD-3-Clause
- 更新时间: 2019-06-06