
The default certificate file created by PhpSecLib has keyUsage set to: All rules of applications. How do I set keyUsage to digitalSignature so that Windows Crypto Shell will display: Ensures the identity of a remote computer

Edit

Here is my code:

<?php
include('File/X509.php');
include('Crypt/RSA.php');
$c = $_POST['csr'];

$CAPrivKey = new Crypt_RSA();
$CAPrivKey->setPassword('[...]');
$CAPrivKey->loadKey("-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
");

$issuer = new File_X509();
$issuer->setPrivateKey($CAPrivKey);
$issuer->loadX509("-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
");


$subject = new File_X509();

$subject->loadCSR($c); 


$x509 = new File_X509();
$x509->setStartDate('-1 month');
$x509->setEndDate('+1 year');
$x509->setSerialNumber('125');
$result = $x509->sign($issuer, $subject);


$x509->loadX509($result);
$x509->setExtension('id-ce-keyUsage', array_merge($x509->getExtension('id-ce-   keyUsage'), array('digitalSignature')));
$result = $x509->sign($issuer, $x509);
//echo $x509->saveX509($result);

header('Content-Type: application/x-x509-ca-cert');
header("Content-Disposition: attachment; filename='ssl.cer'");
echo $x509->saveX509($result);

?>

3 Answers


Unless you are re-signing a certificate, you need to call $x509->sign() first to create the certificate. Then you need to reload that certificate, set the extension, re-sign it and save it. e.g.

<?php
include('File/X509.php');
include('Crypt/RSA.php');

$privKey = new Crypt_RSA();
$privKey->loadKey('...');

$pubKey = new Crypt_RSA();
$pubKey->loadKey($privKey->getPublicKey());
$pubKey->setPublicKey();

$subject = new File_X509();
$subject->setDNProp('id-at-organizationName', 'demo cert');
$subject->setPublicKey($pubKey);

$issuer = new File_X509();
$issuer->setPrivateKey($privKey);
$issuer->setDN($subject->getDN());

$x509 = new File_X509();
//$x509->makeCA();
$x509->setSerialNumber('1');

$result = $x509->sign($issuer, $subject);
$x509->loadX509($result);
$x509->setExtension('id-ce-keyUsage', array('digitalSignature'));
//$x509->setExtension('id-ce-keyUsage', array_merge($x509->getExtension('id-ce-keyUsage'), array('digitalSignature')));
$result = $x509->sign($issuer, $x509);
echo $x509->saveX509($result);
?>

It would be nice if the whole re-signing business weren't necessary, but oh well. I'll see if I can get the phpseclib author to make some modifications to it at some point.

Answered 2012-12-22T18:01:44.070

Can you post your certificate? Because when I use your program it totally does it for me. My code:

<?php
include('File/X509.php');
include('Crypt/RSA.php');

$c = '-----BEGIN CERTIFICATE REQUEST-----
MIIBVjCBwgIAMB4xHDAaBgNVBAoME3BocHNlY2xpYiBkZW1vIGNlcnQwgZ0wCwYJKoZIhvcNAQEB
A4GNADCBiQKBgQDF+1/N2DwvdkhoHsLq8LnH99AEGVOGpooSpbPCewbuZeqr/Djb9ySPar2PLySo
Y+kB2QAbxUgpO/57IpWIabQ9jDFIznqLCcLzXKiKOWnMv4KMf55yJ6pwlqoTbUPgyQ67CRAfjcaD
W9VQ/TzdKahdxLFPBAEIEpEX23YpLhTLNQIDAQABMAsGCSqGSIb3DQEBBQOBgQALjJE4OygjvLm0
rzFyMPvAo7Ux6z5qTOi//HQzzmjNun7MV09GTfZgcYeWvuLosJXcn7CPALF5FqHWePs98WioTA7K
WsvdZzm+yJ5UcmzdJ/Jq9X8o1KTsMELN0SQwiNk502a1wbiXotF4OgCsjSdno96PCV9VSF4w69HM
1eXfvg==
-----END CERTIFICATE REQUEST-----';


$CAPrivKey = new Crypt_RSA();
$CAPrivKey->loadKey('-----BEGIN RSA PRIVATE KEY-----[...]-----END RSA PRIVATE KEY-----');

$issuer = new File_X509();
$issuer->setPrivateKey($CAPrivKey);
$issuer->loadX509("-----BEGIN CERTIFICATE-----[...]-----END CERTIFICATE-----");


$subject = new File_X509();

$subject->loadCSR($c); 


$x509 = new File_X509();
$x509->setStartDate('-1 month');
$x509->setEndDate('+1 year');
$x509->setSerialNumber('125');
$result = $x509->sign($issuer, $subject);


$x509->loadX509($result);
$x509->setExtension('id-ce-keyUsage', array('digitalSignature'));
//$x509->setExtension('id-ce-keyUsage', array_merge($x509->getExtension('id-ce-keyUsage'), array('digitalSignature')));
$result = $x509->sign($issuer, $x509);
//echo $x509->saveX509($result);

header('Content-Type: application/x-x509-ca-cert');
header("Content-Disposition: attachment; filename='ssl.cer'");
echo $x509->saveX509($result);

Screenshot:

[screenshot: the certificate as displayed in Windows]

The certificate itself:

-----BEGIN CERTIFICATE-----[...]
-----END CERTIFICATE-----

So like I said, it works fine for me.

Maybe you could post the certificate you get when you try to run it? And maybe you could also post the CSR you're using?

Answered 2012-12-25T17:06:14.350

When I try to run your code I get a bunch of errors. Mainly because of this line:

$x509->setExtension('id-ce-keyUsage', array_merge($x509->getExtension('id-ce-   keyUsage'), array('digitalSignature')));

There are two problems:

  1. There are spaces between id-ce- and keyUsage. Those spaces shouldn't be there.

  2. If getExtension returns NULL, array_merge will return NULL, i.e. if that extension isn't defined. So what you need to do is:

    $x509->setExtension('id-ce-keyUsage', array('digitalSignature'));
    
Answered 2012-12-25T07:13:00.943
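As an added worked example (not code from the question, from any of the answers, or from the phpseclib project), here is the complete sign / reload / setExtension / re-sign sequence the first answer describes, together with the NULL guard around getExtension() that the third answer calls for. It assumes the phpseclib 0.3.x / 1.x API used throughout this page (File_X509, Crypt_RSA) is on the include path; the CA name, server name and serial numbers are constructed for the demonstration, and the CSR is generated inline rather than read from $_POST so the script runs offline. One point the question blurs: the Windows certificate viewer's text "Ensures the identity of a remote computer" describes the Server Authentication extended key usage (id-kp-serverAuth), not a keyUsage bit, so the example sets both id-ce-keyUsage and id-ce-extKeyUsage.

```php
<?php
// Added example for this page (not the question's, the answers' or phpseclib's
// own code). Uses the phpseclib 0.3.x / 1.x API seen above (File_X509,
// Crypt_RSA). Assumptions: phpseclib is on the include path; the names and
// serial numbers below are made up for the demonstration.
include('File/X509.php');
include('Crypt/RSA.php');

// Generate an RSA key pair and return array(Crypt_RSA private, Crypt_RSA public).
// Pure-PHP key generation is slow without the gmp extension; do not shrink the
// key size to speed the demo up.
function makeKeyPair($bits = 2048) {
    $gen  = new Crypt_RSA();
    $keys = $gen->createKey($bits);

    $priv = new Crypt_RSA();
    $priv->loadKey($keys['privatekey']);

    $pub = new Crypt_RSA();
    $pub->loadKey($keys['publickey']);
    $pub->setPublicKey();                // mark this object as a public key
    return array($priv, $pub);
}

// 1. A self-signed CA (issuer DN == subject DN), built as in the first answer.
list($caPriv, $caPub) = makeKeyPair();

$caSubject = new File_X509();
$caSubject->setDNProp('id-at-commonName', 'Example Test CA');   // constructed name
$caSubject->setPublicKey($caPub);

$caIssuer = new File_X509();
$caIssuer->setPrivateKey($caPriv);
$caIssuer->setDN($caSubject->getDN());

$caSigner = new File_X509();
$caSigner->makeCA();                     // basicConstraints cA=TRUE, keyCertSign/cRLSign
$caSigner->setSerialNumber('1');
$caSigner->setEndDate('+10 years');
$caPem = $caSigner->saveX509($caSigner->sign($caIssuer, $caSubject, 'sha256WithRSAEncryption'));

// Issuer object for leaf certificates: CA certificate plus CA private key.
$ca = new File_X509();
$ca->loadX509($caPem);
$ca->setPrivateKey($caPriv);

// 2. A CSR for the server, generated here instead of read from $_POST['csr'].
list($leafPriv, $leafPub) = makeKeyPair();
$req = new File_X509();
$req->setPrivateKey($leafPriv);
$req->setPublicKey($leafPub);
$req->setDNProp('id-at-commonName', 'www.example.test');        // constructed name
$csrPem = $req->saveCSR($req->signCSR('sha256WithRSAEncryption'));

// 3. Sign the CSR, reload the result, add the extensions, re-sign.
$subject = new File_X509();
$subject->loadCSR($csrPem);

$leaf = new File_X509();
$leaf->setStartDate('-1 day');
$leaf->setEndDate('+1 year');
$leaf->setSerialNumber('125');
$result = $leaf->sign($ca, $subject, 'sha256WithRSAEncryption');

$leaf->loadX509($result);

// getExtension() returns NULL when the extension is absent, and array_merge()
// on NULL fails (the third answer's point), so normalise to an array first.
$usage = $leaf->getExtension('id-ce-keyUsage');
if (!is_array($usage)) {
    $usage = array();
}
$usage = array_values(array_unique(array_merge($usage, array('digitalSignature', 'keyEncipherment'))));
$leaf->setExtension('id-ce-keyUsage', $usage, true);            // critical, as RFC 5280 recommends

// Windows describes the Server Authentication EKU (id-kp-serverAuth) as
// "Ensures the identity of a remote computer"; that is an extKeyUsage value,
// not a keyUsage bit, so it is set separately.
$leaf->setExtension('id-ce-extKeyUsage', array('id-kp-serverAuth'));

$result  = $leaf->sign($ca, $leaf, 'sha256WithRSAEncryption');  // re-sign with extensions in place
$leafPem = $leaf->saveX509($result);

// 4. Check the issued certificate the way a relying party would: reload it,
//    trust only our CA, and confirm the extensions and the signature.
$check = new File_X509();
$check->loadCA($caPem);
$check->loadX509($leafPem);
print_r($check->getExtension('id-ce-keyUsage'));
print_r($check->getExtension('id-ce-extKeyUsage'));
var_dump($check->validateSignature());
echo $leafPem;
?>
```

Run it from the command line with phpseclib on the include path; without the gmp extension the two key generations can take a while. The final validateSignature() call, with only the constructed CA loaded via loadCA(), is the quickest way to confirm that the reload-and-re-sign step produced a certificate that still chains to the CA rather than one whose signature no longer covers the modified tbsCertificate.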