
I am trying to sign S/MIME from PHP using a GOST certificate and private key pair.

When using openssl itself from the console, everything works fine:

/usr/local/openssl/bin/openssl cms -sign -in file.txt -out signedfile.txt -signer p12.pem
(signedfile.txt is created)

/usr/local/openssl/bin/openssl cms -verify -in signedfile.txt -out signedddata.txt -no_signer_cert_verify -issuer_checks -ignore_critical
Verification successful

With PHP code I am a bit stuck:

$res = openssl_pkcs7_sign("file.txt", "phpsignedfile.txt",
    'file://'.realpath('./p12.pem'),   // signer certificate
    'file://'.realpath('./p12.pem'),   // private key (same PEM file)
    array("To" => "foo@bar.com", "From: FooBar <foo@bar.com>", "Subject" => "Foo Bar"));

if (!$res) {
    while ($msg = openssl_error_string())
        echo $msg . "<br />\n";
    echo "Failed to sign.\n"; exit;
}

I get:

# /usr/local/php/bin/php sign-clear.php
PHP Warning:  openssl_pkcs7_sign(): error getting private key in /root/tests/sign-clear.php on line 3
error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm<br />
error:0606F076:digital envelope routines:EVP_PKCS82PKEY:unsupported private key algorithm<br />
error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib<br />
Failed to sign.

'error getting private key' is always there, except when it really cannot load the key at all, in which case I get a 'no start line' error. So this output really looks like the PHP openssl module cannot find the appropriate cipher.

How do I tell PHP that this is a GOST cipher? I tell openssl either through the config file or with the direct '-engine gost' option. Is there a way to tell PHP the same thing?

I do have PHP compiled and linked against openssl 1.0.1e with GOST support (the openssl module was built together with PHP):

# /usr/local/openssl/bin/openssl ciphers | grep -i GOST
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:GOST2001-GOST89-GOST89:GOST94-GOST89-GOST89:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

(note that this is the output with the default configuration)

# ldd /usr/local/php/bin/php
        linux-vdso.so.1 =>  (0x00007fff42455000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f1077404000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00007f10771ee000)
        librt.so.1 => /lib/librt.so.1 (0x00007f1076fe5000)
        libmcrypt.so.4 => /usr/lib/libmcrypt.so.4 (0x00007f1076db3000)
        libltdl.so.7 => /usr/lib/libltdl.so.7 (0x00007f1076baa000)
        libdl.so.2 => /lib/libdl.so.2 (0x00007f10769a5000)
        libfreetype.so.6 => /usr/lib/libfreetype.so.6 (0x00007f107671d000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00007f1076506000)
        libpng12.so.0 => /lib/libpng12.so.0 (0x00007f10762df000)
        libjpeg.so.62 => /usr/lib/libjpeg.so.62 (0x00007f10760bc000)
        libcrypto.so.1.0.0 => /usr/local/openssl/lib/libcrypto.so.1.0.0 (0x00007f1075ce2000)
        libssl.so.1.0.0 => /usr/local/openssl/lib/libssl.so.1.0.0 (0x00007f1075a78000)
        libmysqlclient.so.16 => /usr/lib/libmysqlclient.so.16 (0x00007f107565b000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00007f107543f000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00007f1075226000)
        libm.so.6 => /lib/libm.so.6 (0x00007f1074fa4000)
        libxml2.so.2 => /usr/lib/libxml2.so.2 (0x00007f1074c53000)
        libc.so.6 => /lib/libc.so.6 (0x00007f10748f0000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f1077646000)

1 Answer


There is actually a set of bug reports, all of which say that ext/openssl/openssl.c should be patched by adding

OPENSSL_config(NULL);

before the set of

SSL_library_init();
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();

calls. After that, openssl starts working with whatever engine the config file pointed to by the OPENSSL_CONF variable specifies.

Answered 2013-03-24T11:27:24.903
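An added diagnostic script, not code from the question or the answer, that tells the two failure modes described in the question apart (engine not loaded versus unreadable PEM) and, once the key loads, completes a sign-and-verify round trip. It assumes PHP 7+ built with the OPENSSL_config(NULL) patch above, OPENSSL_CONF exported in the php process environment, and placeholder paths p12.pem and file.txt.

```php
<?php
// Added diagnostic (not the poster's code). Assumes PHP 7+ with the
// OPENSSL_config(NULL) patch; p12.pem and file.txt are placeholder paths.
$pem = 'file://' . realpath('./p12.pem');
// OPENSSL_config() reads OPENSSL_CONF when the extension starts, so export it
// in the php process environment; putenv() inside the script runs too late.
printf("OpenSSL: %s\nOPENSSL_CONF: %s\n", OPENSSL_VERSION_TEXT,
       getenv('OPENSSL_CONF') ?: '(unset: no engine config will be loaded)');

function collectErrors(): array
{
    $errs = [];
    while (($msg = openssl_error_string()) !== false) {
        $errs[] = $msg;
    }
    return $errs;
}

// "unsupported ... algorithm" means libcrypto has no engine for the key's OID
// (engine not loaded); "no start line" means the PEM itself could not be parsed.
function diagnoseKeyLoad(string $keyPath): string
{
    if (openssl_pkey_get_private($keyPath) !== false) {
        return 'ok';
    }
    $errs = implode("\n", collectErrors());
    if (stripos($errs, 'unsupported') !== false) {
        return "engine not loaded (key algorithm unsupported):\n$errs";
    }
    if (stripos($errs, 'no start line') !== false) {
        return "PEM not readable (wrong file or format):\n$errs";
    }
    return "other failure:\n$errs";
}

$state = diagnoseKeyLoad($pem);
echo $state, "\n";
if ($state !== 'ok') {
    exit(1);
}
// Sign, then verify without validating the signer chain (PKCS7_NOVERIFY is the
// counterpart of the CLI's -no_signer_cert_verify), proving the engine works.
$headers = ['To' => 'foo@bar.com', 'From' => 'FooBar <foo@bar.com>', 'Subject' => 'Foo Bar'];
if (!openssl_pkcs7_sign('file.txt', 'phpsignedfile.txt', $pem, $pem, $headers)) {
    echo "sign failed:\n", implode("\n", collectErrors()), "\n";
    exit(1);
}
echo openssl_pkcs7_verify('phpsignedfile.txt', PKCS7_NOVERIFY) === true
    ? "sign + verify ok\n" : "verify failed\n";
```

Run it from the same shell environment (with OPENSSL_CONF set) in which the openssl CLI commands succeeded; if the key still reports an unsupported algorithm there, the running php binary is not the patched build.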