openssl_pkey_new()引发错误-正确的php openssl.cnf设置 [英] openssl_pkey_new() throwing errors -- Proper openssl.cnf setup for php

问题描述

**好，很明显，此问题与Linux服务器上的openssl设置以及如何正确设置自定义的openssl.cnf文件有关.我没有在寻找任何复杂的东西，但是我需要一个前端才能创建用于对Web服务进行身份验证的自签名客户端证书.因此，我需要能够使用我的CA为客户公司创建中间CA，然后为它们提供一个安全的接口来为其员工颁发客户证书.登录名取决于您是否属于特定的中间CA，并且您的证书或中间CA尚未被撤消.

**Okay, It's become clear that this issue is an issue related with the setup of openssl on the Linux server and how to properly setup a custom openssl.cnf file. I am not looking for anything complicated but I need a front-end to be able to create self-signed client certificates for authentication to my webservice. So I need to be able to use my CA to create intermediate CAs for client companies and then allow them a secure interface to issue client certificates for their employees. Logins are based on whether you belong to a specific intermediate CA and that your certificate or the intermediate CA hasn't be revoked.

对于任何想知道的人，我们都可以使用自签名证书，因为它们仅用于我们的服务器来对用户进行身份验证，并且自从我们颁发它们以来，我们就信任它们.对于初创公司来说，通过商业产品AFAIK将自己建立为中间CA可能也太昂贵了.微软可以做到，我们不能.我们的网络服务器本身使用CA签名的证书.

我知道用于设置此类内容的php代码很简单，但不是如何正确设置openssl.我在网上尝试了几个不同的示例，但它们似乎都不适合我的设置，而且它们似乎都不同.一个盒子是Centos 6.2的全新安装，但我仍然遇到错误.

I know that php code for setting this kind of thing up is straight forward but what isn't is how to properly setup openssl. I have tried several different examples on the net and none of them seem to work for my setup and they all seem to be different. One box was fresh install of Centos 6.2 and I am still getting errors.

有人能指出我正确的方向来设置openssl，apache2和php，以便我可以正确使用这些php库吗?我们的虚拟服务器正在使用debian squeeze，并且我完全控制了已安装的软件.

Can anyone point me in the proper direction for setting up openssl, apache2 and php so that I can use these php libraries without errors? Our virtual server is using debian squeeze and I have full control of software installed.

谢谢.

open_pkey_new()返回错误，例如错误:0E06D06C:配置文件例程:NCONF_get_string:无值.但是我正在传递一个指向openssl.cnf文件的路径，所以我不知道为什么我仍然遇到这个问题.这是我的相关代码

open_pkey_new() is returning errors such as error:0E06D06C:configuration file routines:NCONF_get_string:no value. Yet I am passing a path to a openssl.cnf file so I don't know why I'm still getting this problem. Here's my relevent code

<?php
$cwd=getcwd();
$distname= array(
    "countryName" => "CA",
    "stateOrProvinceName" => "Ontario",
    "localityName" => "Toronto",
    "organizationName" => "G4 Apps",
    "organizationalUnitName" => "Development",
    "commonName" => "Mark Lane",
    "emailAddress" => "nobody at gmail.com"
        );
$password = 'seanix';

$cacert_location=$cwd."/certs/CA/g4CA.crt";
$cakey_location=$cwd."/certs/CA/g4CA.key";
$cnf=$cwd.'/certs/myopenssl.cnf';
$configArgs = array(
        'config' =>$cnf
);
?>

这是我制作按键的功能.

Here's my function that makes the keys.

<?php
function makekey($password,$configArgs) {
    $key= openssl_pkey_new($configArgs);
    //print_r($configArgs);
    openssl_pkey_export($key, $pkeyout,$password);
    if (($e=openssl_error_string()) ==false) return $pkeyout;
    else {
        do {

            echo $e . "<BR>";
        } while($e=openssl_error_string());
        return -1;
    }
}
?>

我也尝试了configfile的相对路径，但仍然无法使用.看起来可能是主机提供商的ssl设置.我切换到本地虚拟机，并获得了要生成的密钥，但是现在在创建csr时遇到了相同的错误.

I've tried relative paths too to the configfile and it still won't work. Looks like it might be the host providers ssl setup. I switched to a local virtual machine and I got the key to generate but now I'm getting the same error when creating a csr.

错误:0E06D06C:配置文件例程:NCONF_get_string:无值

<?php
function newcsr($distname,$key,$configArgs) {
    $csr=openssl_csr_new($distname,$key,$configArgs);
    openssl_csr_export($csr, $csrout);
    if (($e=openssl_error_string()) ==false) return $csrout;
    else {
        do {

            echo $e . "<BR>";
        } while($e=openssl_error_string());
        return -1;
    }
}
?>

openssl.conf .这似乎是openssl.cnf中的错误，因此我已经包含了该文件.

openssl.conf This looks to be an error in openssl.cnf so I've included the file.

HOME            = .
RANDFILE        = $ENV::HOME/.rnd

oid_section     = new_oids


[ new_oids ]


tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca  = g4CA      

####################################################################
[ g4CA ]

dir     = /home/g4apps/secure.g4apps.com/generator/certs    
certs       = $dir/     
crl_dir     = $dir/crl      
database    = $dir/index.txt    


new_certs_dir   = $dir/newcerts     

certificate = $dir/CA/g4CA.crt  
serial      = $dir/serial       
crlnumber   = $dir/crlnumber    

crl     = $dir/CA/g4CA.crl  
private_key = $dir/CA/g4CA.key  
RANDFILE    = $dir/private/.rand    

x509_extensions = usr_cert      

name_opt    = ca_default        
cert_opt    = ca_default        


default_days    = 365           # how long to certify for
default_crl_days= 30            # how long before next CRL
default_md  = default       # use public key default MD
preserve    = no            # keep passed DN ordering

policy      = policy_match


[ policy_match ]
countryName     = match
stateOrProvinceName = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

[ policy_anything ]
countryName     = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

####################################################################
[ req ]
default_bits        = 2048
default_md      = md5
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

string_mask = utf8only

[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = CA
countryName_min         = 2
countryName_max         = 2

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = ON

localityName            = Locality Name (eg, city)
localityName_default    = Toronto

0.organizationName      = Organization Name (eg, company)
0.organizationName_default  = G4 Apps



organizationalUnitName      = Organizational Unit Name (eg, section)

commonName          = Common Name (eg, your name or your server\'s hostname)
commonName_max          = 64

emailAddress            = Email Address
emailAddress_default        = lmlane@gmail.com
emailAddress_max        = 64


[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min       = 4
challengePassword_max       = 20

unstructuredName        = An optional company name

[ usr_cert ]

nsComment           = "OpenSSL Generated Certificate"

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer



[ v3_req ]


basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true


[ crl_ext ]

authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
basicConstraints=CA:FALSE

nsComment           = "OpenSSL Generated Certificate"

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]

default_tsa = tsa_config1   

[ tsa_config1 ]

dir             = ./demoCA      
serial      = $dir/tsaserial    
crypto_device   = builtin       
signer_cert = $dir/tsacert.pem  

certs       = $dir/cacert.pem   
signer_key  = $dir/private/tsakey.pem 
default_policy  = tsa_policy1       
other_policies  = tsa_policy2, tsa_policy3
digests     = md5, sha1     
accuracy    = secs:1, millisecs:500, microsecs:100  
clock_precision_digits  = 0 
ordering        = yes   

tsa_name        = yes   
ess_cert_id_chain   = no    

堆栈跟踪strace php getkeystore.php &> stack.trace

http://secure.g4apps.com/generator/stack.trace

推荐答案

我在Mac和全新安装的CentOS 6.3上尝试了此操作，但遇到了同样的错误.我从IUS获得了CentOS软件包.但这很奇怪，因为即使我收到此消息，也实际上是在生成密钥.

I tried this on my Mac and a fresh install of CentOS 6.3 and I'm getting the same error. I get my CentOS packages from IUS. It's weird though because even though I'm getting this message, the key is actually being generated.

以下代码:

$res = openssl_pkey_new();
openssl_pkey_export($res, $privkey);
var_dump(openssl_error_string());
var_dump($privkey);

给我以下输出:

string(68) "error:0E06D06C:configuration file routines:NCONF_get_string:no value"
string(887) "-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDdh4FiOEtUZzvTSnlb/pJHjmsS9rOHQ7PU2WOO6ZHxYRIgK1NR
ReY7bBwEsT2ziUpx0b8K2Fx4m+XovzysB/lVrKbrdbHoVtGuJGZjYSXgFlCRTBu+
+TnAPUBF0LGJfxfVzjOkHzsh02lH3fvzFpFgRZRWs4za+vVzIweeOweYTwIDAQAB
AoGANZD5iS2BkZQw1COS+tqwtlrKq1g6CwAk8NfsCfeSkaJeRqcTS3iydjXrBHtz
JwGQnbsRDedJXOSdkE0Ft7dp44lijOAp1ngMDCKbabxVN2Go6b1d743HE0oIhFCC
Dv2B9kf9vzeYy+0/BVCs5i4iPoKXJJTSJrWoDxrFEJWSJIkCQQDwe39bOFHmQlxz
pbfT3DZ8Q311xFo6PewcAf7DTsikoPZANx0GQ41WdZj6/n4QVP4k+TnhZLiJzsH+
p3RUrx8tAkEA69LsgPrQMZ0YjsE2vjRLdJmp1916G1xqSLIVWDUPd9Ns+MA8YKTx
AQxC3dl3n+w24m7UlCThANlU/+2r0eoi6wJBAKIxGOdEJ/Cdp08UYNRR/Kl4t2A7
SwNnChylt9awByEJsqwCv9+epe+/Jqt6AzouqK31LXV4AgJn4W1IMWyAJA0CQCp0
6/2AqnD0PpKc+JUf5yHT9H8Xsb8xUTVLUopx6xoAp5LVUUl5CKbOpU85ss7JAUyc
9YrCZPv5JNN6379ILwcCQQDDcjtNnhQHukQQQ8iVL9YCrWzyCgplTz3uktueT+Dd
SDK1bCM4xDehfG3RKu1ZNx80Q0nzmi7FSPJ2md7qSIHc
-----END RSA PRIVATE KEY-----
"

我怀疑这是PHP中的错误.某种形式的openssl配置PHP正在挂断.我在php.net上找到了错误报告，但是它为用户开始工作"，因此该错误已关闭.

I suspect it being a bug in PHP. Some sort of openssl configuration PHP is getting hung up on. I found a bug report about this on php.net, but it "started working" for the user so the bug was closed.

或者，您可以签出 phpseclib ，这是一个纯粹用PHP编写的库.

As an alternative, you can check out phpseclib, a library purely written in PHP.

这篇关于openssl_pkey_new()引发错误-正确的php openssl.cnf设置的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！