How can I convert a .pfx (PKCS12 or .p12) certificate to .crt and .pem using PHP's OpenSSL functions, so that I avoid command-line tools, which are not allowed on my public server?
<?php
// $pkcs12 holds the raw bytes of the .pfx bundle; 'cert.pfx' is a placeholder path
$pkcs12 = file_get_contents('cert.pfx');
$res = [];
// $cert_password is the bundle's import password
$openSSL = openssl_pkcs12_read($pkcs12, $res, $cert_password);
if (!$openSSL) {
    throw new ClientException("Error: " . openssl_error_string());
}
// this is the CRT FILE: the certificate plus any chain certificates ('extracerts' is absent when there is no chain)
file_put_contents('CERT.crt', $res['cert'] . implode('', $res['extracerts'] ?? []));
// this is the PEM FILE: the private key on its own, kept out of the shareable certificate file
file_put_contents('KEY.pem', $res['pkey']);
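Added example, not the asker's code: the same conversion with the checks a deployment needs, namely that the bundle's key really matches its certificate and that the extracted key is written encrypted and not world-readable. File names and passphrases are placeholders.

```php
<?php
// Added example (not from the question above): split a PKCS#12 bundle into a certificate
// chain file and an encrypted private-key file using only the OpenSSL extension.
// 'bundle.pfx', the output names and both passphrases are placeholders.

function opensslErrors(): string {
    $msgs = [];
    while (($e = openssl_error_string()) !== false) {
        $msgs[] = $e;
    }
    return implode('; ', $msgs);
}

function pfxToPem(string $pfxPath, string $pfxPassword, string $certOut, string $keyOut, string $keyPassword): void {
    $pkcs12 = file_get_contents($pfxPath);
    if ($pkcs12 === false) {
        throw new RuntimeException("cannot read $pfxPath");
    }
    $parts = [];
    if (!openssl_pkcs12_read($pkcs12, $parts, $pfxPassword)) {
        throw new RuntimeException('PKCS#12 parse failed (wrong password or corrupt file): ' . opensslErrors());
    }
    // Make sure the key and the leaf certificate in the bundle actually belong together.
    if (!openssl_x509_check_private_key($parts['cert'], $parts['pkey'])) {
        throw new RuntimeException('private key does not match the certificate');
    }
    // Certificate file: leaf first, then any intermediates ('extracerts' is absent without a chain).
    file_put_contents($certOut, $parts['cert'] . implode('', $parts['extracerts'] ?? []));

    // Key file: re-encrypt under a fresh passphrase rather than writing the key to disk in the clear.
    $encryptedKey = '';
    $ok = openssl_pkey_export($parts['pkey'], $encryptedKey, $keyPassword,
        ['encrypt_key' => true, 'encrypt_key_cipher' => OPENSSL_CIPHER_AES_256_CBC]);
    if (!$ok) {
        throw new RuntimeException('key export failed: ' . opensslErrors());
    }
    file_put_contents($keyOut, $encryptedKey);
    chmod($keyOut, 0600);   // only the PHP user should be able to read the key file
}

pfxToPem('bundle.pfx', 'pfx-import-password', 'CERT.crt', 'KEY.pem', 'new-key-passphrase');
```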
I'm trying to use the OpenSSL library built into PHP to get the content of a .p7m signed file.
I'm trying to "translate" this using openssl_pkcs7_verify():
openssl smime -verify -in DATA/test.ecs -inform der -binary -out DATA/test.enc.txt -CAfile CA.pem
The PHP OpenSSL functions need S/MIME and not DER, so I use this function to get the file as S/MIME:
function der2pem($der_data) {
    $pem = chunk_split(base64_encode($der_data), 64, "\n");
    $pem = "MIME-Version: 1.0\n"
        . "Content-Disposition: attachment; filename=\"smime.p7m\"\n"
        . "Content-Type: application/x-pkcs7-mime; smime-type=signed-data; name=\"smime.p7m\"\n"
        . "Content-Transfer-Encoding: base64\n\n"
        . $pem;
    return $pem;
}
PHP Code:
$decrypt_file_name = 'DATA/test.ecs';
$data = der2pem(file_get_contents($decrypt_file_name));
// overwrites the DER file with its S/MIME wrapping
$out = fopen($decrypt_file_name, "w");
fwrite($out, $data);
fclose($out);
openssl_pkcs7_verify(
    realpath($decrypt_file_name), // input filename
    0,                            // flags
    'CA.pem',                     // signers' certificates filename
    [],                           // ca_info
    'CA.pem',                     // untrusted certificates filename
    $output,                      // content
    'DATA/test.enc.txt'           // output filename
); // Return error: error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error
How can I translate the shell command to the PHP OpenSSL library? Thanks in advance!
I'm trying to decrypt my encrypted file (a zip archive which contains multiple files) with GnuPG in PHP, but it constantly returns false, with no exception or error message.
Here's the encryption:
$gpg = gnupg_init();
gnupg_seterrormode($gpg, GNUPG_ERROR_EXCEPTION);
// public key
$publicKey = file_get_contents('pubkey.pub');
$key = gnupg_import($gpg, $publicKey);
gnupg_addencryptkey($gpg, $key['fingerprint']);
// zip file
$zip = file_get_contents('myzip.zip');
$encryptedFile = gnupg_encrypt($gpg, $zip);
//save encrypted file
file_put_contents('myzip.zip.gpg', $encryptedFile);
Here's the decryption:
$gpg = gnupg_init();
$privateKey = file_get_contents('private.asc');
$key = gnupg_import($gpg, $privateKey);
gnupg_adddecryptkey($gpg, $key['fingerprint'], '12345');
$file = file_get_contents('myzip.zip.gpg');
$content = gnupg_decrypt($gpg, $file); // <- always returns false
I tried to decrypt the file with an online tool. At first I tried to decrypt only one text file and it worked (it displayed the content of the file). I tried to decrypt the zip archive as well,
but every time I try to decrypt it with gnupg_decrypt in PHP it returns false. What am I doing wrong?
The problem was the gnupg version. I installed gpg2 and it worked.
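Added example, not the asker's code: the decryption half with error reporting enabled on the decrypting handle, so a failure says why instead of silently returning false. The file names and the passphrase are the placeholders from the post.

```php
<?php
// Added example (not from the post above): decrypt a GnuPG-encrypted archive with the
// diagnostics the posted code lacks. 'private.asc', 'myzip.zip.gpg' and '12345' are the
// post's placeholder values.

function gpgDecryptFile(string $keyFile, string $passphrase, string $cipherFile): string {
    $gpg = gnupg_init();
    // Raise exceptions on the decrypting handle too; the post set this only for encryption.
    gnupg_seterrormode($gpg, GNUPG_ERROR_EXCEPTION);

    $key = gnupg_import($gpg, file_get_contents($keyFile));
    if ($key === false || empty($key['fingerprint'])) {
        throw new RuntimeException('key import failed: ' . gnupg_geterror($gpg));
    }
    // Importing a public key "succeeds" but cannot decrypt: require that a secret key arrived.
    if (empty($key['secretimported']) && empty($key['secretunchanged'])) {
        throw new RuntimeException('imported key has no secret part');
    }
    gnupg_adddecryptkey($gpg, $key['fingerprint'], $passphrase);

    // With GNUPG_ERROR_EXCEPTION a failure throws; the false check covers other error modes.
    $plain = gnupg_decrypt($gpg, file_get_contents($cipherFile));
    if ($plain === false) {
        throw new RuntimeException('decrypt failed: ' . gnupg_geterror($gpg));
    }
    return $plain;
}

$zipBytes = gpgDecryptFile('private.asc', '12345', 'myzip.zip.gpg');
file_put_contents('myzip.zip', $zipBytes);   // binary-safe: the plaintext is the raw archive
```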
I have implemented the JWT token generator library from Here, and I am able to get an RS256 token (payload).
But I am having an issue with the header data:
I need one header value, "x5t", which is not generated by the given library.
I need header data like:
{
    "typ": "JWT",
    "alg": "RS256",
    "x5t": "COm8ON2SD2MTc5jwcxZ0vE3-XJo"
}
I am getting the first two parameters successfully, but am not able to get a valid third parameter.
My sample code is:
$fingerprint = str_replace("SHA1 Fingerprint=", '', system('openssl x509 -noout -in my.pem -fingerprint'));
$fingerprint = sha1($fingerprint);
$fingerprint = base64_encode($fingerprint);
$fingerprint = rtrim(strtr($fingerprint, "+/", "-_"), '=');
To generate a valid "x5t" parameter there is already code available in .NET, which needs to be converted to PHP.
Thanks for reading my question.
Any suggestion is welcome.
If you have PHP 5.6, you can use the function openssl_x509_fingerprint:
$cert = openssl_x509_read($certificate);
$sha1_hash = openssl_x509_fingerprint($cert); // sha1 hash (x5t parameter)
$sha256_hash = openssl_x509_fingerprint($cert, 'sha256'); // sha256 hash (x5t#256 parameter)
If you do not have PHP 5.6, you can generate this fingerprint by yourself using the content of your certificate file (begins with BEGIN CERTIFICATE and ends with END CERTIFICATE):
function sha1_thumbprint($file_content)
{
    $file_content = preg_replace('#-.*-|\r|\n#', '', $file_content);
    $bin = base64_decode($file_content);
    return hash('sha1', $bin);
}
Do not forget to encode the result as URL-safe Base64.
// $sha1_hash above is a hex string; x5t needs the raw 20 digest bytes, hence hex2bin()
$encoded_fingerprint = rtrim(strtr(base64_encode(hex2bin($sha1_hash)), "+/", "-_"), '=');
system outputs its result directly, unless you use the optional second parameter, which puts the result into the variable.
So use
system('openssl x509 -noout -in my.pem -fingerprint', $sha1);
$fingerprint = str_replace("SHA1 Fingerprint=", '', $sha1);
http://php.net/manual/en/function.system.php
openssl_x509_fingerprint (which Florent Morselli mentioned) returns a SHA-1 hash of the DER encoding of the cert, e.g.
<?php
$cert = '...';
echo openssl_x509_fingerprint($cert);
echo "\r\n<br />\r\n";
echo sha1(base64_decode(preg_replace('#-.*-|\r|\n#', '', $cert)));
They output the same thing, at least with this cert:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
openssl_x509_fingerprint is only available on PHP 5.6, so if you're on PHP 5.5 or earlier you can use the alternative method instead.
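Added example, not from the question or either answer: computing x5t both ways with the digest taken as raw bytes. RFC 7515 defines x5t as the base64url encoding of the SHA-1 digest of the DER certificate; base64-encoding the 40-character hex string instead yields 54 characters, not the 27 in the question's header. 'my.pem' is the file name from the question.

```php
<?php
// Added example (not from the thread above): derive the JWS "x5t" header from a PEM
// certificate. x5t = base64url(SHA-1(DER certificate)) with padding removed (RFC 7515 §4.1.7),
// so the digest is used as raw bytes, not as the hex string that sha1() and
// openssl_x509_fingerprint() return by default. 'my.pem' is the question's file name.

function base64url(string $bytes): string {
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Works on any PHP with the openssl extension: unwrap the PEM armour and hash the DER bytes.
function x5tFromPem(string $pem): string {
    if (!preg_match('/-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----/s', $pem, $m)) {
        throw new InvalidArgumentException('no CERTIFICATE block found');
    }
    $der = base64_decode(preg_replace('/\s+/', '', $m[1]), true);
    if ($der === false) {
        throw new InvalidArgumentException('PEM body is not valid base64');
    }
    return base64url(sha1($der, true));   // raw_output = true: 20 digest bytes, not 40 hex chars
}

// PHP 5.6+: let OpenSSL parse the certificate; the third argument requests the raw digest.
// Passing 'sha256' as $algo gives the "x5t#S256" header (RFC 7515 §4.1.8) instead.
function x5tFromOpenssl(string $pem, string $algo = 'sha1'): string {
    $cert = openssl_x509_read($pem);
    if ($cert === false) {
        throw new InvalidArgumentException('openssl_x509_read failed: ' . openssl_error_string());
    }
    return base64url(openssl_x509_fingerprint($cert, $algo, true));
}

$pem = file_get_contents('my.pem');
$x5t = x5tFromPem($pem);
if ($x5t !== x5tFromOpenssl($pem)) {
    throw new RuntimeException('manual and OpenSSL thumbprints disagree');
}
echo json_encode(['typ' => 'JWT', 'alg' => 'RS256', 'x5t' => $x5t], JSON_PRETTY_PRINT), "\n";
```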
I've been trying to duplicate this command using PHP's built-in openssl functions with no luck. I've tried variations of openssl_pkcs7_sign and openssl_pkcs7_encrypt. I believe the issue is that there is no flag to indicate DER format output.
Here is the openssl command I am trying to replicate:
openssl smime -sign -signer mycert.pem -certfile mybundle.crt -inkey mykey.pem -nodetach -outform der -in file_in -out file_out
openssl_pkcs7_sign indeed signs the data in PEM format, but you can just take the base64 chunk of the PEM data and convert it to DER using base64_decode().
function get_base64($file_name) {
    $content = file($file_name, FILE_IGNORE_NEW_LINES);
    $base64_data = "";
    for ($i = 5; $i < sizeof($content); $i++) { // skip the four MIME header lines and the blank line; take only the base64 chunk
        $base64_data .= $content[$i];
    }
    return $base64_data;
}
function pem2der($base64_data) {
    $der = base64_decode($base64_data);
    return $der;
}
if (openssl_pkcs7_sign( // Signs file_in and saves as file_out in PEM format
    "file_in",                    // Input file
    "file_out",                   // Output file (PEM format)
    "file://../.pki/company.crt", // Certificate (mycert.pem)
    "file://../.pki/company.key", // Private key (mykey.pem)
    array(),
    PKCS7_NOATTR,                 // without PKCS7_DETACHED the content is embedded, like -nodetach
    "../.pki/company.cacrt"       // Intermediate certificate (mybundle.crt)
)) {
    $data = pem2der(get_base64("file_out")); // converts content of file_out to DER format
    $out = fopen("file_out", "w") or die("Unable to open file!");
    fwrite($out, $data); // output file (DER format)
    fclose($out);
    echo("File signed successfully!");
}
?>
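Added example serving both the -verify thread above and this -sign thread; none of it is code from either post. It converts between DER and the S/MIME envelope without depending on a fixed header line count, and maps the openssl smime -verify options onto openssl_pkcs7_verify's parameters, where the third argument is an output file for the signers' certificates and the trusted CA file belongs in the fourth (the ca_info array). File names are the posts' own.

```php
<?php
// Added example, not code from either post: the two conversions the threads need, written
// so they do not depend on a fixed header line count, plus a verify call whose arguments
// map onto `openssl smime -verify -inform der -binary -CAfile CA.pem`. File names are the
// ones from the posts; PKCS7_BINARY and the argument order are PHP's documented API.

// Wrap raw DER PKCS#7 in the S/MIME envelope openssl_pkcs7_verify expects.
function derToSmime(string $der): string {
    return "MIME-Version: 1.0\r\n"
        . "Content-Disposition: attachment; filename=\"smime.p7m\"\r\n"
        . "Content-Type: application/x-pkcs7-mime; smime-type=signed-data; name=\"smime.p7m\"\r\n"
        . "Content-Transfer-Encoding: base64\r\n\r\n"
        . chunk_split(base64_encode($der), 64, "\r\n");
}

// Strip the MIME headers from openssl_pkcs7_sign output and return the DER bytes.
// Splits at the first blank line, so it does not assume the headers are exactly 5 lines.
function smimeToDer(string $smime): string {
    $parts = preg_split("/\r?\n\r?\n/", $smime, 2);
    if (count($parts) !== 2) {
        throw new RuntimeException('no blank line between S/MIME headers and body');
    }
    $der = base64_decode(preg_replace('/\s+/', '', $parts[1]), true);
    if ($der === false || $der === '') {
        throw new RuntimeException('S/MIME body is not valid base64');
    }
    return $der;
}

// Verify a DER-encoded signed file against $caFile and write the payload to $outFile.
// Returns true (valid), false (signature or chain check failed) or -1 (OpenSSL error).
function verifyDerSignature(string $derFile, string $caFile, string $outFile) {
    $smimeFile = tempnam(sys_get_temp_dir(), 'p7m');    // keep the original DER file intact
    file_put_contents($smimeFile, derToSmime(file_get_contents($derFile)));
    $signersFile = tempnam(sys_get_temp_dir(), 'signers'); // 3rd argument is an OUTPUT file
    $result = openssl_pkcs7_verify(
        $smimeFile,
        PKCS7_BINARY,  // -binary: do not canonicalise line endings in the content
        $signersFile,  // signer certificates are written here, not read from here
        [$caFile],     // -CAfile: trust anchors belong in the ca_info array
        null,          // no extra untrusted intermediate certificates
        $outFile       // -out: verified content with the signature stripped
    );
    unlink($smimeFile);
    unlink($signersFile);
    return $result;
}

$verified = verifyDerSignature('DATA/test.ecs', 'CA.pem', 'DATA/test.enc.txt');   // -verify thread
file_put_contents('file_out.der', smimeToDer(file_get_contents('file_out')));      // -sign thread
```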
I'm trying to load a private key generated by the openssl CLI tool with PHP.
I used the following command and PHP code:
openssl genrsa -des3 4096 -out private.key
// a stray ';' after the condition would turn the block below into an unconditional return
if (!($key = openssl_pkey_get_private("file://private.key", "password"))) {
    return false;
}
I'm sure the password is correct and the file is also PEM formatted, but it keeps returning false. What am I doing wrong?
Thanks in advance,
Jori.
Please note that file://path/to/file.pem in the documentation means the file protocol plus the file path. In UNIX-like OSes, that is something like file:///rsa_private_key.pem. There are THREE slashes in the path string, not TWO. And file:// cannot be omitted.
It is a lot easier to just put the key in a variable:
$public = "-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfmlc2EgrdhvakQApmLCDOgP0n
NERInBheMh7J/r5aU8PUAIpGXET/8+kOGI1dSYjoux80AuHvkWp1EeHfMwC/SZ9t
6rF4sYqV5Lj9t32ELbh2VNbE/7QEVZnXRi5GdhozBZtS1gJHM2/Q+iToyh5dfTaA
U8bTnLEPMNC1h3qcUQIDAQAB
-----END PUBLIC KEY-----";
$private = "-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----";
if (!$privateKey = openssl_pkey_get_private($private)) die('Loading Private Key failed');
if (!$publicKey = openssl_pkey_get_public($public)) die('Loading Public Key failed');
I'll also include a small encode / decode example:
$encrypted = '';
$decrypted = '';
$plaintext = 'This is just some text to encrypt';
echo '<p>$plaintext = ' . $plaintext . '</p>';
if (!openssl_public_encrypt($plaintext, $encrypted, $publicKey)) die('Failed to encrypt data');
echo '<p>$encrypted = ' . $encrypted . '</p>';
if (!openssl_private_decrypt($encrypted, $decrypted, $privateKey)) die('Failed to decrypt data');
echo '<p>$decrypted = ' . $decrypted . '</p>';
Or, just in case, you could generate a key with PHP:
$NEW_KEY = openssl_pkey_new(array(
    'private_key_bits' => 1024,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
));
openssl_pkey_export_to_file($NEW_KEY, 'private.key');
$NEW_KEY_DETAILS = openssl_pkey_get_details($NEW_KEY);
file_put_contents('public.key', $NEW_KEY_DETAILS['key']);
openssl_free_key($NEW_KEY);
Please refer to the following URL.
https://www.php.net/manual/en/function.openssl-pkey-get-private.php
To narrow down your issue, please use the same directory for your PHP file and key file and try this working code.
Working code
$keyfile = "file://" . __DIR__ . DIRECTORY_SEPARATOR . "key.pem"; // absolute path
$key = openssl_pkey_get_private($keyfile);
if ($key === false) {
    var_dump(openssl_error_string());
} else {
    var_dump($key);
}
The following might be an issue.
Path
The following path styles should work.
$keyfile = "file:///home/john/php/key.pem"; // unix absolute path
$keyfile = "file://C:\\users\\john\\php\\key.pem"; // windows absolute path
$keyfile = "file://" . __DIR__ . DIRECTORY_SEPARATOR . "key.pem"; // absolute path for unix, windows
$keyfile = "file://key.pem"; // relative path, unix, windows (php and key files in the same directory)
$key = openssl_pkey_get_private($keyfile);
If the path does not exist, the error will be like:
"error:02001002:system library:fopen:No such file or directory"
Web environment
Check your web root and the web user's access permissions to the folder and key file.
To reduce issues, test it on the PHP built-in web server rather than a WAMP environment.
>php -S localhost:80
Corrupted key file
The key file was saved as a certain type which includes whitespace.
This can cause an error like the following:
"error:0906D06C:PEM routines:PEM_read_bio:no start line"
In my case, the key file was saved as UTF-8 with BOM (whitespace).
DEBUG key file 1 - READ FROM VARIABLE
This code should work. I got the key file from
http://micmap.org/php-by-example/en/function/openssl_pkey_get_private
Please replace $str with yours.
$str = <<<EOF
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
EOF;
$key = openssl_pkey_get_private($str);
if ($key === false) {
    var_dump(openssl_error_string());
} else {
    var_dump($key);
}
OUTPUT
resource(4) of type (OpenSSL key)
DEBUG key file 2 - READ FROM FILE
Copy your key strings ($str) to a key file like "key.pem".
$str = <<<EOF
-----BEGIN RSA PRIVATE KEY-----
...YOUR KEY STRINGS HERE...
-----END RSA PRIVATE KEY-----
EOF;
$str2 = file_get_contents("key.pem");
$len1 = strlen($str);
$len2 = strlen($str2);
if ($len1 !== $len2) echo "File has been corrupted.";
$key = openssl_pkey_get_private($str2);
if ($key === false) {
    var_dump(openssl_error_string());
} else {
    var_dump($key);
}
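Added example, not from either answer: a loader that checks the failure modes this answer lists, namely a path the PHP user cannot read and a UTF-8 BOM ahead of the -----BEGIN line, reads the file itself so the file:// slash count never arises, and reports every queued OpenSSL error rather than only the first. key.pem and the passphrase are placeholders.

```php
<?php
// Added example (not from the thread above): load a PEM private key while diagnosing the
// failures the thread discusses: an unreadable path, a UTF-8 BOM or other junk before the
// armour, and a wrong passphrase. 'key.pem' and 'password' are placeholders.

function allOpensslErrors(): string {
    $errs = [];
    while (($e = openssl_error_string()) !== false) {
        $errs[] = $e;
    }
    return $errs ? implode('; ', $errs) : '(no OpenSSL error recorded)';
}

function loadPrivateKey(string $path, string $passphrase = '') {
    if (!is_readable($path)) {
        throw new RuntimeException("$path does not exist or is not readable by the PHP user");
    }
    $pem = file_get_contents($path);
    // A UTF-8 BOM (EF BB BF) before the armour produces "PEM routines ... no start line".
    if (substr($pem, 0, 3) === "\xEF\xBB\xBF") {
        $pem = substr($pem, 3);
    }
    if (strncmp(ltrim($pem), '-----BEGIN', 10) !== 0) {
        throw new RuntimeException("$path is not PEM: expected a -----BEGIN line first");
    }
    // Pass the PEM text itself, so no file:// URL (and its slash count) is involved.
    $key = openssl_pkey_get_private($pem, $passphrase);
    if ($key === false) {
        throw new RuntimeException('openssl_pkey_get_private failed: ' . allOpensslErrors());
    }
    return $key;
}

$key = loadPrivateKey(__DIR__ . DIRECTORY_SEPARATOR . 'key.pem', 'password');
$details = openssl_pkey_get_details($key);
printf("loaded %s key, %d bits\n",
    $details['type'] === OPENSSL_KEYTYPE_RSA ? 'RSA' : 'non-RSA', $details['bits']);
```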