Fatal编程技术网
  • openssl/
  • Openssl phpseclib生成的证书完整性未得到保证/已损坏

Openssl phpseclib生成的证书完整性未得到保证/已损坏

openssl

Openssl phpseclib生成的证书完整性未得到保证/已损坏,openssl,phpseclib,Openssl,Phpseclib,我使用以下代码与自己的CA签署CSR: <?php require_once("vendor/autoload.php"); $privKey = new \phpseclib\Crypt\RSA(); $privKey->setHash('sha512'); $keypair = $privKey->createKey(4096); $privKey->loadKey($keypair['privatekey']); $pubKey = new \phpseclib\

我使用以下代码与自己的CA签署CSR:

<?php
require_once("vendor/autoload.php");

$privKey = new \phpseclib\Crypt\RSA();
$privKey->setHash('sha512');
$keypair = $privKey->createKey(4096);
$privKey->loadKey($keypair['privatekey']);
$pubKey = new \phpseclib\Crypt\RSA();
$pubKey->loadKey($keypair['publickey']);
$pubKey->setPublicKey();

$subject = new \phpseclib\File\X509();
$subject->setPrivateKey($privKey);
$subject->setPublicKey($pubKey);
$subject->setDNProp("id-at-organizationName", "??");
$subject->setDNProp("id-at-organizationalUnitName", "?");
$subject->setDNProp("id-at-commonName", "127.0.0.1");
$subject->setDNProp("id-at-localityName", "?");
$subject->setDNProp("id-at-stateOrProvinceName", "?");
$subject->setDNProp("id-at-countryName", "??");
$subject->setDNProp("emailAddress", "?");
$subject->loadCSR($subject->saveCSR($subject->signCSR('sha512WithRSAEncryption')));
$subject->setExtension('id-ce-basicConstraints', array('cA'=>FALSE));
$subject->setExtension('netscape-cert-type', ['SSLServer']);
$subject->setExtension('id-ce-keyUsage', ['digitalSignature', 'keyEncipherment'], TRUE);
$subject->setExtension('id-ce-extKeyUsage', ['id-kp-serverAuth', 'id-kp-OCSPSigning'], TRUE);
$strCSR = $subject->saveCSR($subject->signCSR('sha512WithRSAEncryption'));
file_put_contents("a.csr", $strCSR);

$cakey = new \phpseclib\Crypt\RSA();
$cakey->setPassword(file_get_contents("private/passphrase.txt"));
$cakey->loadKey(file_get_contents("private/cakey.pem"));
$ca = new \phpseclib\File\X509();
$ca->loadX509(file_get_contents("cacert.pem"));
$ca->setPrivateKey($cakey);
$x509 = new \phpseclib\File\X509();
$x509->makeCA();
@$x509->setEndDate(new \DateTime("2018-08-08 08:08:08", new \DateTimeZone(@date_default_timezone_get())));
$x509->setSerialNumber(999, 10);
$sign_result = $x509->sign($ca, $subject, $subject->currentCert['signatureAlgorithm']['algorithm']);
$cert = $x509->saveX509($sign_result);
file_put_contents("a.crt", $cert);
编辑: 我使用openssl来验证它,它看起来好像在之后丢失了什么 第二个“签名算法”

编辑:我的openssl.cnf

default_bits            = 4096
default_md              = sha512
dir         = "."
[ca]
default_ca      = CA_default
[CA_default]
serial          = $dir/serial.txt
database        = $dir/index.txt
new_certs_dir       = $dir/newcerts
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_days        = 3650
preserve        = no
email_in_dn     = no
nameopt         = default_ca
certopt         = default_ca
policy          = policy_match
default_crl_days = 365
[policy_match]
countryName     = optional
stateOrProvinceName = optional
organizationName    = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = supplied
[req]
string_mask     = nombstr
distinguished_name  = req_distinguished_name
req_extensions      = v3_req
[req_distinguished_name]
............
[v3_ca]
basicConstraints    = CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
keyUsage                = critical, cRLSign, digitalSignature, keyCertSign
[v3_req]
........
问题是您的CA证书尚未安装。这不是phpseclib问题,甚至也不是编程问题。事实上,这个问题最好放在superuser.com上

也就是说,我能够重现你的问题

这是我点击生成的证书后得到的信息

未安装CA证书:

我执行了以下步骤:

  • 单击“安装证书…”获取CA证书
  • 单击“下一步”
  • 选择“将所有证书放入以下存储”
  • 单击“浏览…”
  • 选择“受信任的根证书颁发机构”
  • 单击“确定”
  • 单击“下一步”
  • 单击“完成”
  • 单击“是”
  • 单击“确定”
    • 这是我在那之后得到的:

    当我使用有效的私钥和有效的CA证书时,它对我很有效。因为你没有发布private/cakey.pem或cacert.pem,我想我的问题是。。。私钥是RSA私钥吗?phpseclib当前不支持ECDSA/DSA密钥。私钥是否与证书相对应?如果你能用一个测试私钥生成一个测试CA证书,如果你能发布这些证书,我可以更好地重现这个问题,但在那之前,我只是在抓救命稻草。也有可能您的CA证书没有作为CA证书安装在您的系统中。我的CA证书是使用
    openssl req-new-x509-extensions v3ca-keyout CA.key-out CA.crt-config./openssl.cnf
    生成的;我确实尝试在浏览器中安装我的CA,但仍然没有成功。CA.key是什么类型的密钥?ECDSA?DSA?RSA?ca.crt中有哪些参数?我假设有一个CA证书和私钥样本可以重现这个问题,因为如果没有它,我能做的最好的事情就是猜测。有了它,我可以在本地安装它,并准确地重现问题..我的ca.key是RSA。 
    Certificate:
    Data:
        ***********
    Signature Algorithm: sha512WithRSAEncryption
        ***************
        X509v3 extensions:
            ***********
    Signature Algorithm: sha512WithRSAEncryption
        **(something is missing here, there's nothing after this point)**

    default_bits            = 4096
default_md              = sha512
dir         = "."
[ca]
default_ca      = CA_default
[CA_default]
serial          = $dir/serial.txt
database        = $dir/index.txt
new_certs_dir       = $dir/newcerts
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_days        = 3650
preserve        = no
email_in_dn     = no
nameopt         = default_ca
certopt         = default_ca
policy          = policy_match
default_crl_days = 365
[policy_match]
countryName     = optional
stateOrProvinceName = optional
organizationName    = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = supplied
[req]
string_mask     = nombstr
distinguished_name  = req_distinguished_name
req_extensions      = v3_req
[req_distinguished_name]
............
[v3_ca]
basicConstraints    = CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
keyUsage                = critical, cRLSign, digitalSignature, keyCertSign
[v3_req]
........