
@jlainezs
Last active February 10, 2023 15:22
Creates a certificate using OpenSSL with PHP. sign.php can be used to sign a text with the private key generated by createCertificate. verify.java shows how to load the certificate from a resource and verify the text signed with sign.php.
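/**
 * Creates a self-signed OpenSSL certificate and writes it, together with the
 * password-protected private key, to the vault directory.
 *
 * @param Array  $dn                  Associative array "key"=>"value" with the distinguished name fields
 * @param int    $duration            Number of days which the certificate is valid
 * @param String $password            Passphrase the exported private key is encrypted with
 * @param String $vaultPath           Directory the .cer and .pem files are written to
 * @param String $fileNameNoExtension Base name of both files
 * @param String $configFile          Optional path to an OpenSSL config file (null = library default)
 * @return Array|FALSE Associative array with the security elements: "cer"=>self signed certificate,
 *         "pem"=>encrypted private key, "file"=>path to the files without extension;
 *         FALSE if any OpenSSL call or file write fails (the OpenSSL errors are logged)
 *
 * @see http://www.php.net/manual/en/function.openssl-csr-new.php
 * @author Pep Lainez
 */
static function createCertificate($dn, $duration, $password, $vaultPath, $fileNameNoExtension, $configFile=null){
    $log = JLog::getInstance('com_jlicensemanagement-service.log.php');
    $configParams = null;
    if ($configFile) {
        $configParams = array('config' => $configFile);
    }
    // Generate a new private (and public) key pair
    $privkey = openssl_pkey_new($configParams);
    if ($privkey === FALSE) {
        self::logOpenSslErrors($log);
        return FALSE;
    }
    // generates a certificate signing request
    $csr = openssl_csr_new($dn, $privkey, $configParams);
    if ($csr === FALSE) {
        self::logOpenSslErrors($log);
        return FALSE;
    }
    // This creates a self-signed cert that is valid for $duration days
    $sscert = openssl_csr_sign($csr, null, $privkey, $duration, $configParams);
    if ($sscert === FALSE) {
        self::logOpenSslErrors($log);
        return FALSE;
    }
    // export the certificate and the (passphrase-encrypted) private key; both
    // calls return false on failure and leave the out-parameter unset, so the
    // result must not be built from them in that case
    if (!openssl_x509_export($sscert, $certout)
        || !openssl_pkey_export($privkey, $pkout, $password, $configParams)) {
        self::logOpenSslErrors($log);
        return FALSE;
    }
    $file = $vaultPath.DS.$fileNameNoExtension;
    if (file_put_contents($file.".cer", $certout) === false
        || file_put_contents($file.".pem", $pkout) === false) {
        $log->addEntry(array('comment' => 'Unable to write certificate files to '.$file, 'status' => 500));
        return FALSE;
    }
    // The .pem holds the private key: keep it readable by the owner only
    chmod($file.".pem", 0600);
    // Log any non-fatal errors OpenSSL queued along the way
    self::logOpenSslErrors($log);
    return array('cer'=>$certout, 'pem'=>$pkout, 'file'=>$file);
}

/**
 * Drains the OpenSSL error queue, writing one log entry per error.
 * @param JLog $log Logger to write to
 */
private static function logOpenSslErrors($log){
    while (($e = openssl_error_string()) !== false) {
        $log->addEntry(array('comment' => $e, 'status' => 500));
    }
}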
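/**
 * Signs a text with a private key using SHA-1/RSA, the algorithm the Java
 * side verifies with ("SHA1withRSA").
 * @param String $text     Text to sign
 * @param String $privkey  Private key in PEM form, as exported by createCertificate
 * @param String $password Private key password
 * @return String Raw binary signature (base64-encode it before handing it to
 *                verifySignature); empty string if the key could not be
 *                loaded or signing failed
 */
static function sign($text, $privkey, $password){
    $signature = "";
    $privkeyId = openssl_get_privatekey($privkey, $password);
    if ($privkeyId === FALSE) {
        // Wrong password or malformed PEM: do not hand FALSE to openssl_sign
        return $signature;
    }
    // OPENSSL_ALGO_SHA1 is the default; it is spelled out because the
    // verifier is pinned to SHA1withRSA and both ends must change together
    if (!openssl_sign($text, $signature, $privkeyId, OPENSSL_ALGO_SHA1)) {
        $signature = "";
    }
    openssl_free_key($privkeyId);
    return $signature;
}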
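/**
 * Loads the X.509 certificate bundled as a resource and checks its
 * self-signature with its own public key.
 *
 * @return X509Certificate The loaded, self-verified certificate
 * @throws FileNotFoundException if the certificate resource cannot be located
 * @throws CertificateException if the resource is not a parseable X.509 certificate
 * @throws InvalidKeyException if the embedded public key cannot be used for verification
 * @throws NoSuchAlgorithmException if the certificate's signature algorithm is unavailable
 * @throws NoSuchProviderException if no provider supplies that algorithm
 * @throws SignatureException if the certificate's self-signature does not verify
 */
public static X509Certificate getCertificate() throws FileNotFoundException, CertificateException,
        InvalidKeyException, NoSuchAlgorithmException,
        NoSuchProviderException, SignatureException {
    InputStream in = getCertificateFromResource();
    if (in == null) {
        // NOTE(review): guards against a resource loader that returns null
        // instead of throwing — confirm against getCertificateFromResource
        throw new FileNotFoundException("certificate resource not found");
    }
    try {
        CertificateFactory cf = CertificateFactory.getInstance("X.509"); //$NON-NLS-1$
        X509Certificate certificate = (X509Certificate) cf.generateCertificate(in);
        // Checks only that the certificate is signed by its own key (self-signed
        // consistency); this is not a chain validation against a trust anchor.
        certificate.verify(certificate.getPublicKey());
        return certificate;
    } finally {
        try {
            in.close();
        } catch (java.io.IOException ignored) {
            // best-effort close of a classpath resource; the certificate was already parsed
        }
    }
}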
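/**
 * Verifies a signature produced by sign.php over the given text, using the
 * public key of the bundled certificate.
 * @param textToVerify The text which was signed; hashed as its UTF-8 bytes
 * @param signature The base64 encoded signature
 * @return boolean true only if the signature is valid for the text; false on a
 *         mismatch, on null input, or when the certificate cannot be loaded
 */
public static boolean verifySignature(String textToVerify, String signature) {
    if (textToVerify == null || signature == null) {
        return false;
    }
    boolean verifies = false;
    try {
        X509Certificate certificate = CertificateUtils.getCertificate();
        PublicKey pubKey = certificate.getPublicKey();
        // Pinned to the algorithm sign.php uses (openssl_sign with SHA-1);
        // both ends must move together if a SHA-2 algorithm is adopted.
        Signature sig = Signature.getInstance("SHA1withRSA"); //$NON-NLS-1$
        sig.initVerify(pubKey);
        // Explicit charset: the no-arg getBytes() uses the JVM platform encoding,
        // so the hashed bytes would differ between machines. Assumes the PHP
        // side signed UTF-8 bytes — confirm against the caller of sign.php.
        sig.update(textToVerify.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        verifies = sig.verify(Base64.decodeBase64(signature));
    } catch (Exception e) {
        // Any failure (missing certificate, bad key, malformed signature)
        // counts as a failed verification rather than propagating.
        e.printStackTrace();
    }
    return verifies;
}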