For checking the status of a client certificate using OCSP, you can use this script:
<?php
// User variables:
$dir = '/path/to/temp/'; // Directory the web server user can write to (no need for chmod 777).
$RootCA = '/path/to/Root.cer'; // Points to the Root CA in PEM format.
$OCSPUrl = 'http://ocsp.url'; // Points to the OCSP URL
// Script:
$a = uniqid('', true); // Unique prefix so concurrent requests do not overwrite each other's files.
file_put_contents($dir.$a.'cert_i.pem', $_SERVER['SSL_CLIENT_CERT_CHAIN_0']); // Issuer certificate.
file_put_contents($dir.$a.'cert_c.pem', $_SERVER['SSL_CLIENT_CERT']); // Client (authentication) certificate.
// Paths and URL go through escapeshellarg() so the shell cannot interpret them.
$output = shell_exec('openssl ocsp -CAfile '.escapeshellarg($RootCA).' -issuer '.escapeshellarg($dir.$a.'cert_i.pem').' -cert '.escapeshellarg($dir.$a.'cert_c.pem').' -url '.escapeshellarg($OCSPUrl));
$output2 = preg_split('/[\r\n]/', (string) $output); // First line is "<cert path>: <status>".
$output3 = preg_split('/: /', $output2[0]);
$ocsp = isset($output3[1]) ? trim($output3[1]) : 'unknown'; // Fail closed if nothing usable was printed.
echo "OCSP status: ".$ocsp; // will be "good", "revoked", or "unknown"
unlink($dir.$a.'cert_i.pem');
unlink($dir.$a.'cert_c.pem');
?>
It can be ameliorated, but it's just a beginning!
Normally, you can extract the OCSP URL from the client certificate. Also, an OCSP request contains only the hash of the issuer name, the hash of the issuer's key, and the serial number of the client certificate. All three can be extracted directly from the client certificate.
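The following is an added example, not code from the note above: it reads the OCSP responder URL from the client certificate's Authority Information Access extension with openssl_x509_parse(), then queries it through the openssl CLI with escaped arguments and fails closed unless the response verifies. It assumes mod_ssl exports SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAIN_0 as PEM, and that '/path/to/Root.cer' is a placeholder for the root CA file.

```php
<?php
// Added example (not from the original note): locate the OCSP responder from the
// certificate's AIA extension and query it, treating any problem as "unknown".
function ocspUrlFromCert(string $pem): ?string
{
    $info = openssl_x509_parse($pem);
    if ($info === false || empty($info['extensions']['authorityInfoAccess'])) {
        return null;
    }
    // OpenSSL renders AIA as lines such as "OCSP - URI:http://ocsp.example.net"
    if (preg_match('/OCSP - URI:(\S+)/', $info['extensions']['authorityInfoAccess'], $m)) {
        return $m[1];
    }
    return null;
}

function ocspStatus(string $clientPem, string $issuerPem, string $rootCaFile): string
{
    $url = ocspUrlFromCert($clientPem);
    if ($url === null || !preg_match('#^https?://#', $url)) {
        return 'unknown'; // no responder advertised: treat as not verified
    }
    // Unique temp files in the system temp dir (no world-writable directory needed).
    $certFile   = tempnam(sys_get_temp_dir(), 'ocsp_c_');
    $issuerFile = tempnam(sys_get_temp_dir(), 'ocsp_i_');
    file_put_contents($certFile, $clientPem);
    file_put_contents($issuerFile, $issuerPem);
    $cmd = sprintf('openssl ocsp -CAfile %s -issuer %s -cert %s -url %s 2>&1',
        escapeshellarg($rootCaFile), escapeshellarg($issuerFile),
        escapeshellarg($certFile), escapeshellarg($url));
    $output = (string) shell_exec($cmd);
    unlink($certFile);
    unlink($issuerFile);
    // Require a verified response, then read the line "<certfile>: good|revoked|unknown".
    if (strpos($output, 'Response verify OK') === false) {
        return 'unknown';
    }
    if (preg_match('/^' . preg_quote($certFile, '/') . ': (good|revoked|unknown)\s*$/m', $output, $m)) {
        return $m[1];
    }
    return 'unknown';
}

// Usage under mod_ssl with SSLOptions +ExportCertData (the same variables the note relies on).
$status = ocspStatus($_SERVER['SSL_CLIENT_CERT'], $_SERVER['SSL_CLIENT_CERT_CHAIN_0'], '/path/to/Root.cer');
if ($status !== 'good') {
    http_response_code(403);
    exit('Client certificate not accepted (OCSP status: ' . $status . ')');
}
```

Because the check runs on every request, a production deployment would cache the result for the response's validity window rather than contacting the responder each time.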
koen dot thomeer at pubmed dot be
31-Aug-2008 07:27
