Phpseclib KeyUsage

Question

PhpSecLib创建的默认证书文件的keyUsage设置为：All rules of applications。如何将keyUsage设置为Windows将显示的digitalSignature：Ensures the Identity of a remote computer

编辑

这是我的代码：

<?php
include('File/X509.php');
include('Crypt/RSA.php');
$c = $_POST['csr'];

$CAPrivKey = new Crypt_RSA();
$CAPrivKey->setPassword('[...]');
$CAPrivKey->loadKey("-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
");

$issuer = new File_X509();
$issuer->setPrivateKey($CAPrivKey);
$issuer->loadX509("-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
");


$subject = new File_X509();

$subject->loadCSR($c); 


$x509 = new File_X509();
$x509->setStartDate('-1 month');
$x509->setEndDate('+1 year');
$x509->setSerialNumber('125');
$result = $x509->sign($issuer, $subject);


$x509->loadX509($result);
$x509->setExtension('id-ce-keyUsage', array_merge($x509->getExtension('id-ce-   keyUsage'), array('digitalSignature')));
$result = $x509->sign($issuer, $x509);
//echo $x509->saveX509($result);

header('Content-Type: application/x-x509-ca-cert');
header("Content-Disposition: attachment; filename='ssl.cer'");
echo $x509->saveX509($result);

?>

Answer 1

你能把证书寄出去吗？因为当我使用你的程序时，它完全不是为我做的。我的代码：

<?php
include('File/X509.php');
include('Crypt/RSA.php');

$c = '-----BEGIN CERTIFICATE REQUEST-----
MIIBVjCBwgIAMB4xHDAaBgNVBAoME3BocHNlY2xpYiBkZW1vIGNlcnQwgZ0wCwYJKoZIhvcNAQEB
A4GNADCBiQKBgQDF+1/N2DwvdkhoHsLq8LnH99AEGVOGpooSpbPCewbuZeqr/Djb9ySPar2PLySo
Y+kB2QAbxUgpO/57IpWIabQ9jDFIznqLCcLzXKiKOWnMv4KMf55yJ6pwlqoTbUPgyQ67CRAfjcaD
W9VQ/TzdKahdxLFPBAEIEpEX23YpLhTLNQIDAQABMAsGCSqGSIb3DQEBBQOBgQALjJE4OygjvLm0
rzFyMPvAo7Ux6z5qTOi//HQzzmjNun7MV09GTfZgcYeWvuLosJXcn7CPALF5FqHWePs98WioTA7K
WsvdZzm+yJ5UcmzdJ/Jq9X8o1KTsMELN0SQwiNk502a1wbiXotF4OgCsjSdno96PCV9VSF4w69HM
1eXfvg==
-----END CERTIFICATE REQUEST-----';


$CAPrivKey = new Crypt_RSA();
$CAPrivKey->loadKey('-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUp
wmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ5
1s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQABAoGAFijko56+qGyN8M0RVyaRAXz++xTqHBLh
3tx4VgMtrQ+WEgCjhoTwo23KMBAuJGSYnRmoBZM3lMfTKevIkAidPExvYCdm5dYq3XToLkkLv5L2
pIIVOFMDG+KESnAFV7l2c+cnzRMW0+b6f8mR1CJzZuxVLL6Q02fvLi55/mbSYxECQQDeAw6fiIQX
GukBI4eMZZt4nscy2o12KyYner3VpoeE+Np2q+Z3pvAMd/aNzQ/W9WaI+NRfcxUJrmfPwIGm63il
AkEAxCL5HQb2bQr4ByorcMWm/hEP2MZzROV73yF41hPsRC9m66KrheO9HPTJuo3/9s5p+sqGxOlF
L0NDt4SkosjgGwJAFklyR1uZ/wPJjj611cdBcztlPdqoxssQGnh85BzCj/u3WqBpE2vjvyyvyI5k
X6zk7S0ljKtt2jny2+00VsBerQJBAJGC1Mg5Oydo5NwD6BiROrPxGo2bpTbu/fhrT8ebHkTz2epl
U9VQQSQzY1oZMVX8i1m5WUTLPz2yLJIBQVdXqhMCQBGoiuSoSjafUhV7i1cEGpb88h5NBYZzWXGZ
37sJ5QsW+sJyoNde3xH8vdXhzU7eT82D6X/scw9RZz+/6rCJ4p0=
-----END RSA PRIVATE KEY-----');

$issuer = new File_X509();
$issuer->setPrivateKey($CAPrivKey);
$issuer->loadX509("-----BEGIN CERTIFICATE-----
MIIDITCCAoqgAwIBAgIQT52W2WawmStUwpV8tBV9TTANBgkqhkiG9w0BAQUFADBM
MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg
THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0xMTEwMjYwMDAwMDBaFw0x
MzA5MzAyMzU5NTlaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRcw
FQYDVQQDFA53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEA3rcmQ6aZhc04pxUJuc8PycNVjIjujI0oJyRLKl6g2Bb6YRhLz21ggNM1QDJy
wI8S2OVOj7my9tkVXlqGMaO6hqpryNlxjMzNJxMenUJdOPanrO/6YvMYgdQkRn8B
d3zGKokUmbuYOR2oGfs5AER9G5RqeC1prcB6LPrQ2iASmNMCAwEAAaOB5zCB5DAM
BgNVHRMBAf8EAjAAMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwudGhhd3Rl
LmNvbS9UaGF3dGVTR0NDQS5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUF
BwMCBglghkgBhvhCBAEwcgYIKwYBBQUHAQEEZjBkMCIGCCsGAQUFBzABhhZodHRw
Oi8vb2NzcC50aGF3dGUuY29tMD4GCCsGAQUFBzAChjJodHRwOi8vd3d3LnRoYXd0
ZS5jb20vcmVwb3NpdG9yeS9UaGF3dGVfU0dDX0NBLmNydDANBgkqhkiG9w0BAQUF
AAOBgQAhrNWuyjSJWsKrUtKyNGadeqvu5nzVfsJcKLt0AMkQH0IT/GmKHiSgAgDp
ulvKGQSy068Bsn5fFNum21K5mvMSf3yinDtvmX3qUA12IxL/92ZzKbeVCq3Yi7Le
IOkKcGQRCMha8X2e7GmlpdWC1ycenlbN0nbVeSv3JUMcafC4+Q==
-----END CERTIFICATE-----");


$subject = new File_X509();

$subject->loadCSR($c); 


$x509 = new File_X509();
$x509->setStartDate('-1 month');
$x509->setEndDate('+1 year');
$x509->setSerialNumber('125');
$result = $x509->sign($issuer, $subject);


$x509->loadX509($result);
$x509->setExtension('id-ce-keyUsage', array('digitalSignature'));
//$x509->setExtension('id-ce-keyUsage', array_merge($x509->getExtension('id-ce-keyUsage'), array('digitalSignature')));
$result = $x509->sign($issuer, $x509);
//echo $x509->saveX509($result);

header('Content-Type: application/x-x509-ca-cert');
header("Content-Disposition: attachment; filename='ssl.cer'");
echo $x509->saveX509($result);

截图：

​

​

证书本身：

-----BEGIN CERTIFICATE-----
MIICCzCCAXagAwIBAgIDMTI1MAsGCSqGSIb3DQEBBTBoMQswCQYDVQQGEwJVUzET
MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxQNTW91bnRhaW4gVmlldzETMBEG
A1UEChQKR29vZ2xlIEluYzEXMBUGA1UEAxQOd3d3Lmdvb2dsZS5jb20wIhgPMjAx
MjExMjUwNzE0MTJaGA8yMDEzMTIyNTA3MTQxMlowHjEcMBoGA1UECgwTcGhwc2Vj
bGliIGRlbW8gY2VydDCBnTALBgkqhkiG9w0BAQEDgY0AMIGJAoGBAMX7X83YPC92
SGgewurwucf30AQZU4amihKls8J7Bu5l6qv8ONv3JI9qvY8vJKhj6QHZABvFSCk7
/nsilYhptD2MMUjOeosJwvNcqIo5acy/gox/nnInqnCWqhNtQ+DJDrsJEB+NxoNb
1VD9PN0pqF3EsU8EAQgSkRfbdikuFMs1AgMBAAGjDzANMAsGA1UdDwQEAwIHgDAL
BgkqhkiG9w0BAQUDgYEAMtVKyBpbvD2txhlRtA3VHoL1Zp9E7CN/EqFxpAG7bwZT
8D1gifeff4tGH0zkbGvv+5kb5exBZ+PhGsaaHVZoBQVO33Rkr32rfMeMa7PYb76L
i+f0mOp1QfPbrQuvT/uJx8AUv/Owsk5zLyE7JznsvYQ7VeGARRAike2ThHGcZQ8=
-----END CERTIFICATE-----

就像我说的，这对我来说很好。

也许你可以在你试着运行它的时候发布你得到的证书？也许你也可以贴上你正在使用的CSR？

Answer 2

除非您要放弃一个证书，否则您需要首先执行$x 509->符号()来创建您的证书。然后，您需要重新加载该证书，设置扩展，辞职并保存它。例如：

<?php
include('File/X509.php');
include('Crypt/RSA.php');

$privKey = new Crypt_RSA();
$privKey->loadKey('...');

$pubKey = new Crypt_RSA();
$pubKey->loadKey($privKey->getPublicKey());
$pubKey->setPublicKey();

$subject = new File_X509();
$subject->setDNProp('id-at-organizationName', 'demo cert');
$subject->setPublicKey($pubKey);

$issuer = new File_X509();
$issuer->setPrivateKey($privKey);
$issuer->setDN($subject->getDN());

$x509 = new File_X509();
//$x509->makeCA();
$x509->setSerialNumber('1');

$result = $x509->sign($issuer, $subject);
$x509->loadX509($result);
$x509->setExtension('id-ce-keyUsage', array('digitalSignature'));
//$x509->setExtension('id-ce-keyUsage', array_merge($x509->getExtension('id-ce-keyUsage'), array('digitalSignature')));
$result = $x509->sign($issuer, $x509);
echo $x509->saveX509($result);
?>

如果辞职这件事没有必要，那就太好了。我将看看是否可以让phpseclib作者在某个时候对其进行一些修改。

Answer 3

当我试图运行您的代码时，我得到了很多错误。主要原因如下：

$x509->setExtension('id-ce-keyUsage', array_merge($x509->getExtension('id-ce-   keyUsage'), array('digitalSignature')));

这方面有两个问题：

1. 在id-ce和keyUsage之间有空格。那些空间不应该在那里。
2. 如果array_merge返回NULL，getExtension将返回NULL。即。如果该扩展是未定义的。因此，您需要做的是： $x 509->setExtension(‘id-ce-keyUsage’，数组(‘digitalSignature’))；