I do have a private.pem and public.crt. my goal is to signed using private.pem and to verify its signature using public.crt. How do I achieve this by using phpseclib ?
$data = 'test';
$rsa = new RSA();
$privatekey = file_get_contents(storage_path('app/private.pem'));
$rsa->loadKey($privatekey);
$signed = $rsa->sign($data);
$publickey = file_get_contents(storage_path('app/public.crt'));
$rsa->loadKey($publickey);
return $rsa->verify($data, $signed) ? 'verified' : 'unverified';
got my answer here:
<?php
$data = 'test';
$rsa = new RSA();
$x509 = new X509();
$privatekey = file_get_contents(storage_path('app/private.pem'));
$rsa->loadKey($privatekey);
$signed = $rsa->sign($data);
$publickey = file_get_contents(storage_path('app/public.crt'));
$x509->loadX509($publickey);
$rsa = $x509->getPublicKey();
return $rsa->verify($data, $signed) ? 'verified' : 'unverified';
Related
I am generating a RSA signature in PHP By PHPSECLIB library. According to the instructions, the signature digest must be sha256. Should the digest be set when the key is generated?
I generated Pub/Pri key by blow code: (It should be 2048 and .perm)
$new_key_pair = openssl_pkey_new(array(
"private_key_bits" => 2048,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
));
openssl_pkey_export($new_key_pair, $private_key_pem);
$details = openssl_pkey_get_details($new_key_pair);
$public_key_pem = $details['key'];
file_put_contents('private.pem', $private_key_pem);
file_put_contents('public.pem', $public_key_pem);
I sign data by blow code:
$file_name = "x.json";
$sign_file = "signed/" . $file_name . ".sign";
$data = file_get_contents('files/' . $file_name);
$privatekey = file_get_contents('private.pem');
$rsa = new Crypt_RSA();
$rsa->loadKey($privatekey);
$rsa->setHash('sha256');
$signature = $rsa->sign($data);
file_put_contents($sign_file, $signature);
exit("signed.");
and verify it by
$file_name = "x.json";
$sign_file = "signed/" . $file_name . ".sign";
$publickey = file_get_contents('public.pem');
$data = file_get_contents('files/' . $file_name);
$signature = file_get_contents($sign_file);
$rsa = new Crypt_RSA();
$rsa->setHash('sha256');
$rsa->loadKey($publickey);
$verify = false;
try {
$verify = $rsa->verify($data, $signature);
} catch (Exception $ex) {
$verify = false;
}
echo "verify: " . (($verify) ? "true" : "false") . "<br>";
exit("finished.");
How to set up a digest? Is the signing process correct?
I can add keyusage with phpseclib using this code:
$x509->setExtension('id-ce-keyUsage', array('digitalSignature', 'keyEncipherment'));
Is possible to also set extended key usage? Any docs on that?
$x509->setExtension('id-ce-extKeyUsage', array('id-kp-serverAuth', 'id-kp-clientAuth'));
Full example:
<?php
include('File/X509.php');
include('Crypt/RSA.php');
// create private key / x.509 cert for stunnel / website
$privKey = new Crypt_RSA();
extract($privKey->createKey());
$privKey->loadKey($privatekey);
$pubKey = new Crypt_RSA();
$pubKey->loadKey($publickey);
$pubKey->setPublicKey();
$subject = new File_X509();
$subject->setDNProp('id-at-organizationName', 'phpseclib demo cert');
$subject->setPublicKey($pubKey);
$issuer = new File_X509();
$issuer->setPrivateKey($privKey);
$issuer->setDN($subject->getDN());
$x509 = new File_X509();
$x509->loadX509($x509->saveX509($x509->sign($issuer, $subject)));
$x509->setExtension('id-ce-keyUsage', array('digitalSignature', 'keyEncipherment'));
$x509->setExtension('id-ce-extKeyUsage', array('id-kp-serverAuth', 'id-kp-clientAuth'));
$result = $x509->sign($issuer, $x509);
echo "the stunnel.pem contents are as follows:\r\n\r\n";
echo $privKey->getPrivateKey();
echo "\r\n";
echo $x509->saveX509($result);
echo "\r\n";
I can't say I like it how you have to re-sign a cert to get this effect but whatever.
I'm trying to create a simple PKI infrastucture for internal use, and I want to use the html <keygen> tag.
I know this tag sends an SPKAK to server, wich will have to sign it. Since I can't use exec to launch openssl, and have php 5.5, the only way to process SPKAK is with phpseclib.
This is my code:
<?PHP
if(isset($_POST['key'])){
header('Content-type: application/x-x509-user-cert');
header('Content-disposition: attachment; filename=user.crt');
include('File/X509.php');
$capem = file_get_contents('root-ca.crt');
$subject = new File_X509();
$subject->loadCA($capem);
$subject->loadSPKAC($_POST['key']);
$subject->setDN('CN=Username');
$issuer = new File_X509();
$issuer->loadX509($capem);
$cakey = new Crypt_RSA();
$cakey->setPassword('SECRETPASSWORD');
$cakey->loadKey(file_get_contents('root-ca.key'));
$issuer->setPrivateKey($cakey);
$x509 = new File_X509();
$cert = $x509->sign($issuer, $subject);
$x509->loadX509($cert);
$x509->setExtension('id-ce-keyUsage', array('digitalSignature', 'keyEncipherment'));
$x509->setStartDate('-1 day');
$x509->setEndDate('+ 3 year');
$x509->setSerialNumber('1235', 10);
$cert = $x509->sign($issuer, $x509);
echo $x509->saveX509($cert);
}else{
?>
<form method="POST">
<keygen name="key" keytype="RSA" challenge="ucert">
<button>SEND</button>
</form>
<?PHP
}
?>
The strange thing is that the generated certificate is valid (windows recognises it) but the browser (both Chrome and Firefox in my testings) doesn't recognise it, giving error 201 INVALID CERT, so it's not associated with the private key stored on browser.
What's the correct way to do this?
<?php
include('File/X509.php');
include('Crypt/RSA.php');
// create private key / x.509 cert for stunnel / website
$privKey = new Crypt_RSA();
extract($privKey->createKey());
$privKey->loadKey($privatekey);
$pubKey = new Crypt_RSA();
$pubKey->loadKey($publickey);
$pubKey->setPublicKey();
$subject = new File_X509();
$subject->setDNProp('id-at-organizationName', 'phpseclib demo cert');
$subject->setPublicKey($pubKey);
$issuer = new File_X509();
$issuer->setPrivateKey($privKey);
$issuer->setDN($subject->getDN());
$x509 = new File_X509();
$x509->loadX509($x509->saveX509($x509->sign($issuer, $subject)));
$x509->setExtension('id-ce-keyUsage', array('digitalSignature', 'keyEncipherment', 'dataEncipherment'));
$x509->setExtension('id-ce-extKeyUsage', array('id-kp-serverAuth', 'id-kp-clientAuth'));
$result = $x509->sign($issuer, $x509);
file_put_contents('key.pem', $privKey->getPrivateKey() . "\r\n" . $x509->saveX509($result));
exec('openssl pkcs12 -export -out file.pfx -in key.pem');
I was able to import the resultant file.pfx file into Google Chrome. It shows up now as a "Personal Certificate".
Why is it that when I try to use a certificate/key pair generated from phpseclib, the OpenSSL server code errors out? Certs/Keys generated from OpenSSL work fine. How do I fix this?
Certificate/Key Generation taken straight from phpseclib documentation:
<?php
include('File/X509.php');
include('Crypt/RSA.php');
// create private key / x.509 cert for stunnel / website
$privKey = new Crypt_RSA();
extract($privKey->createKey());
$privKey->loadKey($privatekey);
$pubKey = new Crypt_RSA();
$pubKey->loadKey($publickey);
$pubKey->setPublicKey();
$subject = new File_X509();
$subject->setDNProp('id-at-organizationName', 'phpseclib demo cert');
//$subject->removeDNProp('id-at-organizationName');
$subject->setPublicKey($pubKey);
$issuer = new File_X509();
$issuer->setPrivateKey($privKey);
$issuer->setDN($subject->getDN());
$x509 = new File_X509();
//$x509->setStartDate('-1 month'); // default: now
//$x509->setEndDate('+1 year'); // default: +1 year
$result = $x509->sign($issuer, $subject);
echo "the stunnel.pem contents are as follows:\r\n\r\n";
echo $privKey->getPrivateKey();
echo "\r\n";
echo $x509->saveX509($result);
echo "\r\n";
?>
Phpseclib requires you to call $x509->setSerialNumber("0") otherwise it will produce an invalid cert.
I am using openssl command for creating certificate using PHP.I am using exec.When I give exec the command ,the return status is 1,I echoed whatever i insert in exec(OpenSSL statement) and try it through cmd and it works fine (generate certificates) but it doesn't work when I run it through PHP exec. Anyone who can help me for this.
Thanks
Maybe you'd have an easier time with phpseclib, a pure PHP X.509 implementation? Example of how to create a self-signed cert:
<?php
include('File/X509.php');
include('Crypt/RSA.php');
// create private key / x.509 cert for stunnel / website
$privKey = new Crypt_RSA();
extract($privKey->createKey());
$privKey->loadKey($privatekey);
$pubKey = new Crypt_RSA();
$pubKey->loadKey($publickey);
$pubKey->setPublicKey();
$subject = new File_X509();
$subject->setDNProp('id-at-organizationName', 'phpseclib demo cert');
//$subject->removeDNProp('id-at-organizationName');
$subject->setPublicKey($pubKey);
$issuer = new File_X509();
$issuer->setPrivateKey($privKey);
$issuer->setDN($subject->getDN());
$x509 = new File_X509();
//$x509->setStartDate('-1 month'); // default: now
//$x509->setEndDate('+1 year'); // default: +1 year
$result = $x509->sign($issuer, $subject);
echo "the stunnel.pem contents are as follows:\r\n\r\n";
echo $privKey->getPrivateKey();
echo "\r\n";
echo $x509->saveX509($result);
echo "\r\n";
?>