Openssl phpseclib生成的证书完整性未得到保证/已损坏
我使用以下代码与自己的CA签署CSR:Openssl phpseclib生成的证书完整性未得到保证/已损坏,openssl,phpseclib,Openssl,Phpseclib,我使用以下代码与自己的CA签署CSR: <?php require_once("vendor/autoload.php"); $privKey = new \phpseclib\Crypt\RSA(); $privKey->setHash('sha512'); $keypair = $privKey->createKey(4096); $privKey->loadKey($keypair['privatekey']); $pubKey = new \phpseclib\
<?php
require_once("vendor/autoload.php");
$privKey = new \phpseclib\Crypt\RSA();
$privKey->setHash('sha512');
$keypair = $privKey->createKey(4096);
$privKey->loadKey($keypair['privatekey']);
$pubKey = new \phpseclib\Crypt\RSA();
$pubKey->loadKey($keypair['publickey']);
$pubKey->setPublicKey();
$subject = new \phpseclib\File\X509();
$subject->setPrivateKey($privKey);
$subject->setPublicKey($pubKey);
$subject->setDNProp("id-at-organizationName", "??");
$subject->setDNProp("id-at-organizationalUnitName", "?");
$subject->setDNProp("id-at-commonName", "127.0.0.1");
$subject->setDNProp("id-at-localityName", "?");
$subject->setDNProp("id-at-stateOrProvinceName", "?");
$subject->setDNProp("id-at-countryName", "??");
$subject->setDNProp("emailAddress", "?");
$subject->loadCSR($subject->saveCSR($subject->signCSR('sha512WithRSAEncryption')));
$subject->setExtension('id-ce-basicConstraints', array('cA'=>FALSE));
$subject->setExtension('netscape-cert-type', ['SSLServer']);
$subject->setExtension('id-ce-keyUsage', ['digitalSignature', 'keyEncipherment'], TRUE);
$subject->setExtension('id-ce-extKeyUsage', ['id-kp-serverAuth', 'id-kp-OCSPSigning'], TRUE);
$strCSR = $subject->saveCSR($subject->signCSR('sha512WithRSAEncryption'));
file_put_contents("a.csr", $strCSR);
$cakey = new \phpseclib\Crypt\RSA();
$cakey->setPassword(file_get_contents("private/passphrase.txt"));
$cakey->loadKey(file_get_contents("private/cakey.pem"));
$ca = new \phpseclib\File\X509();
$ca->loadX509(file_get_contents("cacert.pem"));
$ca->setPrivateKey($cakey);
$x509 = new \phpseclib\File\X509();
$x509->makeCA();
@$x509->setEndDate(new \DateTime("2018-08-08 08:08:08", new \DateTimeZone(@date_default_timezone_get())));
$x509->setSerialNumber(999, 10);
$sign_result = $x509->sign($ca, $subject, $subject->currentCert['signatureAlgorithm']['algorithm']);
$cert = $x509->saveX509($sign_result);
file_put_contents("a.crt", $cert);
编辑:
我使用openssl来验证它,它看起来好像在之后丢失了什么
第二个“签名算法”
编辑:我的openssl.cnf
default_bits = 4096
default_md = sha512
dir = "."
[ca]
default_ca = CA_default
[CA_default]
serial = $dir/serial.txt
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 3650
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
default_crl_days = 365
[policy_match]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = supplied
[req]
string_mask = nombstr
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
............
[v3_ca]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
[v3_req]
........
问题是您的CA证书尚未安装。这不是phpseclib问题,甚至也不是编程问题。事实上,这个问题最好放在superuser.com上 也就是说,我能够重现你的问题 这是我点击生成的证书后得到的信息 未安装CA证书: 我执行了以下步骤:
当我使用有效的私钥和有效的CA证书时,它对我很有效。因为你没有发布private/cakey.pem或cacert.pem,我想我的问题是。。。私钥是RSA私钥吗?phpseclib当前不支持ECDSA/DSA密钥。私钥是否与证书相对应?如果你能用一个测试私钥生成一个测试CA证书,如果你能发布这些证书,我可以更好地重现这个问题,但在那之前,我只是在抓救命稻草。也有可能您的CA证书没有作为CA证书安装在您的系统中。我的CA证书是使用
openssl req-new-x509-extensions v3ca-keyout CA.key-out CA.crt-config./openssl.cnf
生成的;我确实尝试在浏览器中安装我的CA,但仍然没有成功。CA.key是什么类型的密钥?ECDSA?DSA?RSA?ca.crt中有哪些参数?我假设有一个CA证书和私钥样本可以重现这个问题,因为如果没有它,我能做的最好的事情就是猜测。有了它,我可以在本地安装它,并准确地重现问题..我的ca.key是RSA。
Certificate:
Data:
***********
Signature Algorithm: sha512WithRSAEncryption
***************
X509v3 extensions:
***********
Signature Algorithm: sha512WithRSAEncryption
**(something is missing here, there's nothing after this point)**
default_bits = 4096
default_md = sha512
dir = "."
[ca]
default_ca = CA_default
[CA_default]
serial = $dir/serial.txt
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 3650
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
default_crl_days = 365
[policy_match]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = supplied
[req]
string_mask = nombstr
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
............
[v3_ca]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
[v3_req]
........