Hey guys, I added the first bash at some new cert generating functions for the openssl extension late last night. I would be grateful if anyone that's interested could comment on the API; thanks! --Wez.

New funcs:

resource openssl_pkey_new([array configargs])
Generate a new private key resource. Configargs is the standard configuration hash (described below).

bool openssl_pkey_export_to_file(mixed key, string filename, [string passphrase[, array configargs]])
Export private key to a file. If passphrase is specified, or not null, then the key will be encrypted. Configargs is the standard configuration hash.

bool openssl_pkey_export(mixed key, string &output, [string passphrase[, array configargs]])
Export private key and place it in output. If passphrase is specified, or not null, then the key will be encrypted. Configargs is the standard configuration hash.

resource openssl_csr_new(array dn, resource &privkey[, array extraattribs][, array configargs])
Generate a new certificate signing request resource. If privkey is null, a new private key will be generated and returned via that parameter; otherwise it is the private key to use for the CSR. dn specifies name/value pairs for use in the distinguished name of the cert. Any valid names/values are allowed. Extraattribs specifies extra attributes in the same way. Configargs is the standard configuration hash.

bool openssl_csr_export(resource csr, string &output[, bool notext=true])
Sets output to the exportable form of the given CSR (PEM encoded). If notext is true (the default), additional human readable text is suppressed from the output.

bool openssl_csr_export_to_file(resource csr, string filename [, bool notext=true])
As above, except that the cert is saved into the file named by the filename parameter.

resource openssl_csr_sign(mixed csr, mixed cert, mixed priv_key, long days [, array configargs])
Generate a new certificate using the fields from the supplied CSR and sign it using the supplied cert and private key. The private key must correspond to the supplied cert. cert may be null, in which case the newly generated cert will be self-signed. Days specifies how many days the cert will be valid for. configargs is the standard configuration hash.

bool openssl_x509_check_private_key(mixed cert, mixed key)
Returns true if the private key belongs to the cert.

bool openssl_x509_export(mixed cert, string &output[, bool notext=true])
Sets output to the exportable form of the given cert (PEM encoded). If notext is true (the default), additional human readable text is suppressed from the output. Useful for storing certs in e.g. a database.

bool openssl_x509_export_to_file(mixed cert, string filename [, bool notext=true])
As above, except that the cert is saved into the file named by the filename parameter.

Configargs works like this:

array(
    "config"              => name of openssl.cnf file to use
    "config_section_name" => default section of config file to use
    "digest_alg"          => name of digest algorithm to use
    "x509_extensions"     => name of section describing extensions to add to generated certs
    "req_extensions"      => name of section describing extensions to add to generated CSRs
    "private_key_bits"    => the number of bits to use when generating a private key
    "private_key_type"    => One of OPENSSL_KEYTYPE_RSA, OPENSSL_KEYTYPE_DSA, OPENSSL_KEYTYPE_DH.
                             Only RSA keys are supported at this time.
);

Any of these values may be left out, including the array itself, which may also be null. If anything is not specified, the default configuration file is located and used.
Putting it to use:
==================

This script generates a new CSR and a self-signed cert, with the intention of it being used as an SSL certificate.

<?php
// Distinguished name
$dn = array(
    "countryName"            => "UK",
    "stateOrProvinceName"    => "Somerset",
    "localityName"           => "Glastonbury",
    "organizationName"       => "The Brain Room Limited",
    "organizationalUnitName" => "PHP Dev",
    "commonName"             => "secure.thebrainroom.com",
    "emailAddress"           => "[EMAIL PROTECTED]"
);

// Privkey will be set to a new key (passing null asks for one to be generated)
$privkey = null;
$csr = openssl_csr_new($dn, $privkey);

// Now get a self-signed cert that lasts for 1 year
$sscert = openssl_csr_sign($csr, null, $privkey, 365);

// Display the CSR, cert and privkey in the web page for
// cutting/pasting. NB: displaying the privkey may not be
// safe unless over SSL.
openssl_x509_export($sscert, $cert_dump);
openssl_csr_export($csr, $csr_dump);
openssl_pkey_export($privkey, $privkey_dump, "mypassphrase");

echo "<PRE>Key:\n$privkey_dump\nCert:\n$cert_dump\nCSR:\n$csr_dump\n</PRE>";
?>

-- 
PHP Development Mailing List <http://www.php.net/>
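The following is an added example, not code from Wez's post. It exercises the same functions as the script above but goes one step further than the self-signed case: it builds a self-signed CA cert first, then has the CA sign a separate server CSR (the non-null `cert` argument to openssl_csr_sign), and checks the result with openssl_x509_check_private_key before writing anything to disk. It keeps to the two-argument form of openssl_csr_new and generates keys with openssl_pkey_new so the argument order of the optional parameters never matters. The `fail()` helper, the DN values, the file names under sys_get_temp_dir(), the passphrase and the choice of "sha256" as digest_alg are all assumptions made for the demo.

```php
<?php
// Added example (not part of the original post). Two-step issuance with the
// proposed API: self-signed CA cert, then a CA-signed server cert, with a
// cert/key consistency check before export. All names and values below are
// constructed for the demo.

$configargs = array(
    "digest_alg"       => "sha256",            // assumed available in the linked OpenSSL
    "private_key_bits" => 2048,
    "private_key_type" => OPENSSL_KEYTYPE_RSA,  // the only type the post says is supported
);

$outdir  = sys_get_temp_dir();   // constructed output location for the demo
$keypass = "demo-passphrase";    // constructed; a real deployment reads this from a secret store

// Hypothetical helper: drain the OpenSSL error queue so the real cause is visible, then stop.
function fail($what)
{
    $msg = $what;
    while (($e = openssl_error_string()) !== false) {
        $msg .= "\n  openssl: $e";
    }
    die($msg . "\n");
}

// 1. CA key and self-signed CA cert (cert argument null => self-signed, valid ~10 years).
$cadn = array(
    "countryName"      => "UK",
    "organizationName" => "Example Demo CA",
    "commonName"       => "Example Demo Root CA",
);
$cakey = openssl_pkey_new($configargs);
if ($cakey === false) fail("CA key generation failed");

$cacsr = openssl_csr_new($cadn, $cakey);      // existing key passed in, so none is generated
if ($cacsr === false) fail("CA CSR generation failed");

$cacert = openssl_csr_sign($cacsr, null, $cakey, 3650, $configargs);
if ($cacert === false) fail("CA self-signing failed");

// 2. A separate server key and CSR, signed by the CA cert/key pair for one year.
$serverdn = array(
    "countryName"      => "UK",
    "organizationName" => "Example Demo Ltd",
    "commonName"       => "www.example.test",
);
$serverkey = openssl_pkey_new($configargs);
if ($serverkey === false) fail("server key generation failed");

$servercsr = openssl_csr_new($serverdn, $serverkey);
if ($servercsr === false) fail("server CSR generation failed");

$servercert = openssl_csr_sign($servercsr, $cacert, $cakey, 365, $configargs);
if ($servercert === false) fail("CA signing of server CSR failed");

// 3. Consistency checks before anything touches disk: the server cert must
//    match its own key and must NOT match the CA key (catches a swapped variable).
if (!openssl_x509_check_private_key($servercert, $serverkey)) fail("server cert/key mismatch");
if (openssl_x509_check_private_key($servercert, $cakey)) fail("server cert unexpectedly matches the CA key");

// 4. Export: private key encrypted with the passphrase, certs as PEM, key file owner-only.
if (!openssl_pkey_export_to_file($serverkey, "$outdir/server.key", $keypass, $configargs)) fail("key export failed");
chmod("$outdir/server.key", 0600);
if (!openssl_x509_export_to_file($servercert, "$outdir/server.crt")) fail("server cert export failed");
if (!openssl_x509_export_to_file($cacert, "$outdir/ca.crt")) fail("CA cert export failed");

echo "wrote $outdir/server.key (encrypted), $outdir/server.crt and $outdir/ca.crt\n";
?>
```

The two openssl_x509_check_private_key calls are the point of the example: because openssl_csr_sign takes the signing cert and its key as two separate `mixed` arguments, nothing stops a caller from pairing the wrong key with a cert, and the check is the cheapest place to catch that before the key file is written out. Unlike the script in the post, the private key is never echoed into a page; it only leaves the process encrypted and in a mode 0600 file.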