openssl_x509_read

Parse an X.509 certificate and return a resource identifier for it (PHP 4 >= 4.0.6, PHP 5)
resource openssl_x509_read ( mixed x509certdata )


Code Examples / Notes » openssl_x509_read

anthony dot whitehead

Short HOWTO for getting data out of a client certificate via an SSL enabled iPlanet (Netscape Enterprise or Sun ONE) web server.
The iPlanet server sets $_SERVER["CLIENT_CERT"] whenever a client authenticates with a certificate. This variable contains an encoded representation of the certificate presented by the client. This in itself is useless to scripts or applications; we need to extract the actual information from the encoding. It turns out that we are in luck: the encoding is NEARLY a standard PEM encoding which can be read by the openssl_x509_read() function. A standard PEM has a begin line, an end line and in between is a base64 encoding of the DER representation of the certificate. PEM requires that linefeeds be present every 64 characters; however, this is already the case with our CLIENT_CERT variable. For some reason the iPlanet server neglects to attach the begin and end headers; all that is required to allow access to the certificate is replacing these headers. Here is a small code excerpt for doing just that and printing out the raw certificate data.
<?php
   $beginpem = "-----BEGIN CERTIFICATE-----\n";
   $endpem = "-----END CERTIFICATE-----\n";
   // Small function to print the data recursively.
   function print_element($item, $key)
   {
       if( is_array( $item ) )
       {
           echo "$key is Array:\n";
           array_walk( $item, 'print_element' );
           echo "$key done\n";
       }
       else
           echo "$key = $item\n";
   }
   // Build the PEM string.
   $pemdata = $beginpem.$_SERVER["CLIENT_CERT"]."\n".$endpem;
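   // Get a certificate resource from the PEM string.
   $cert = openssl_x509_read( $pemdata );
   // openssl_x509_read() returns false when the data cannot be parsed.
   if( $cert === false )
       die( "Could not read the client certificate\n" );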
   // Parse the resource and print out the contents.
   $cert_data = openssl_x509_parse( $cert );
   array_walk( $cert_data, 'print_element' );
   // Free the resource
   openssl_x509_free( $cert );
?>


gabe martin-dempesy

For those interested in parsing the timestamps from the certificate, such as the valid to and valid from times, it should be noted that the format returned by this function is: YYMMDDHHMMSS
This code snippet is useful for generating a unix timestamp for this purpose:
<?php
$fp = fopen("/path/to/cert.crt", "r");
$cert = fread($fp, 8192);
fclose($fp);
$data = openssl_x509_parse($cert);
/**
* Convert a timestamp from openssl_x509_parse to a unix timestamp
* @param string $in openssl timestamp
* @return integer unix timestamp
*/
function openssl_to_timestamp ($in) {
       $year  = substr($in, 0, 2); /* NOTE: Yes, this returns a two digit year */
       $month = substr($in, 2, 2);
       $day   = substr($in, 4, 2);
       $hour  = substr($in, 6, 2);
       $min   = substr($in, 8, 2);
       $sec   = substr($in, 10, 2);
       return gmmktime($hour, $min, $sec, $month, $day, $year);
}
var_dump(gmdate('r', openssl_to_timestamp($data['validTo'])));
?>
This will output: string(31) "Fri, 29 Aug 2008 16:45:15 +0000"
Compare this with the output of `openssl x509 -in cert.crt -noout -text`:
       Validity
           Not After : Aug 29 16:45:15 2008 GMT
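
An added example, not part of the note above or of the PHP manual: a converter that accepts both ASN.1 time encodings a certificate can carry (UTCTime with a two-digit year and GeneralizedTime with a four-digit year) and a validity-window check that fails closed on anything it cannot parse. It assumes PHP 7.1 or later; the function names and the sample `validFrom` value are constructed for illustration.

```php
<?php
// Added example (not from the original note). Function names are hypothetical.
// Converts the ASN.1 time strings that openssl_x509_parse() returns in
// 'validFrom' / 'validTo' to Unix timestamps. Handles both encodings:
//   UTCTime          YYMMDDHHMMSSZ
//   GeneralizedTime  YYYYMMDDHHMMSSZ
function asn1_time_to_timestamp(string $in): ?int
{
    if (preg_match('/^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z\z/', $in, $m)) {
        // RFC 5280 pivot: YY >= 50 means 19YY, otherwise 20YY.
        $year = (int) $m[1] + ((int) $m[1] >= 50 ? 1900 : 2000);
    } elseif (preg_match('/^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z\z/', $in, $m)) {
        $year = (int) $m[1];
    } else {
        return null; // Unrecognised format: let the caller fail closed.
    }
    list($mon, $day, $hour, $min, $sec) = array_map('intval', array_slice($m, 2));
    if (!checkdate($mon, $day, $year) || $hour > 23 || $min > 59 || $sec > 59) {
        return null;
    }
    return gmmktime($hour, $min, $sec, $mon, $day, $year);
}

// True only if both dates parse and $now lies inside [validFrom, validTo].
function cert_within_validity(array $parsed, ?int $now = null): bool
{
    $now  = $now ?? time();
    $from = asn1_time_to_timestamp($parsed['validFrom'] ?? '');
    $to   = asn1_time_to_timestamp($parsed['validTo'] ?? '');
    return $from !== null && $to !== null && $from <= $now && $now <= $to;
}

// Constructed sample shaped like openssl_x509_parse() output; validTo matches
// the "Not After" date quoted above, validFrom is invented for the example.
$sample = array('validFrom' => '070829164515Z', 'validTo' => '080829164515Z');

echo gmdate('r', asn1_time_to_timestamp($sample['validTo'])), "\n";
echo gmdate('r', asn1_time_to_timestamp('20500101000000Z')), "\n"; // GeneralizedTime
var_dump(asn1_time_to_timestamp('0808291645'));                     // malformed input
var_dump(cert_within_validity($sample, gmmktime(0, 0, 0, 1, 1, 2008)));
var_dump(cert_within_validity($sample, gmmktime(0, 0, 0, 1, 1, 2009)));
```

The date check covers only the validity period; whether the certificate chains to a trusted CA is a separate check, for example with openssl_x509_checkpurpose().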


04-jun-2003 05:32

After some tests I've been able to get some results this way ...
<?php
$fp = fopen("/etc/httpd/conf/ssl/moncertif.crt", "r");
$cert = fread($fp, 8192);
fclose($fp);
echo "Read\n";
echo openssl_x509_read($cert);
echo "\n";
echo "*********************";
echo "\n";
echo "Parse\n";
print_r(openssl_x509_parse($cert));
/*
// or
print_r(openssl_x509_parse( openssl_x509_read($cert) ) );
*/
?>
enjoy ;)

