Creating a PKCS #7 detached signature for Apple Wallet passes using PHP
This is a completely new concept for me, so I am shooting in the dark. Apple's documentation says:
To create the signature file, make a PKCS #7 detached signature of the
manifest file, using the private key associated with your signing
certificate. Include the WWDR intermediate certificate as part of the
signature. You can download this certificate from Apple’s website.
Write the signature to the file signature at the top level of the pass
package. Include the date and time that the pass was signed using the
S/MIME signing-time attribute.
My understanding:

"To create the signature file, make a PKCS #7 detached signature of the manifest file"
I will use the `openssl_pkcs7_sign` function with the `PKCS7_DETACHED` flag.

"using the private key associated with your signing certificate."
I will use the location of my SSL `cert.pem` file as the `signcert` argument and the location of the `cert.key` file as the `privkey` argument.

"Include the WWDR intermediate certificate as part of the signature."
I will include the path to the WWDR certificate in the `extracerts` argument.

"Include the date and time that the pass was signed using the S/MIME signing-time attribute."
I will include an array with the key `signing-time` and a value like `2015-05-03 10:40:00` in the `headers` argument.
My code:

```php
private function createSignature($dir)
{
    $cert = '/etc/ssl/cert.pem';
    $key = '/etc/ssl/private/cert.key';
    $wwdr = '/location/of/apple/wwdr/cert.cer';
    $headers = [
        'signing-time' => (new DateTime())->format('o-m-d H:i:s'),
    ];
    return openssl_pkcs7_sign("$dir/manifest.json", "$dir/signature", $cert, $key, $headers, PKCS7_DETACHED, $wwdr);
}
```
Other questions:
I noticed in the documentation examples for the `openssl_pkcs7_sign` function that some of the file locations are prefixed with `file://`. Why is that?
- Generate a Pass Type ID at https://developer.apple.com/account/ios/identifier/passTypeId
- Create a certificate for that Pass Type ID at https://developer.apple.com/account/ios/certificate/create/
- Download the certificate and add it to your Keychain
- Find the certificate in your Keychain and export it as `Certificates.p12` with no password
- Open a terminal and run `openssl pkcs12 -in Certificates.p12 -clcerts -nokeys -out pass_cert.pem -passin pass:` to generate the certificate
- In the terminal, run `openssl pkcs12 -in Certificates.p12 -nocerts -out pass_key.pem -passin pass: -passout pass:YourPassword` to generate the key
- Download the WWDR certificate from https://www.apple.com/certificateauthority/ and add it to your Keychain
- Export the WWDR certificate from your Keychain as `wwdr.pem`

The function that creates the detached signature:
```php
public function createSignature()
{
    $cert = "file://location/of/pass_cert.pem";
    $key = "file://location/of/pass_key.pem";
    $wwdr = "/location/of/wwdr.pem";
    // Detached, binary-safe signature; the WWDR intermediate goes in extracerts.
    // openssl_pkcs7_sign writes an S/MIME envelope (MIME headers + base64), not raw DER.
    openssl_pkcs7_sign("/location/of/manifest.json", "/location/of/signature",
        $cert, [$key, 'YourPassword'], [], PKCS7_BINARY | PKCS7_DETACHED, $wwdr);
    // convert pem to der: keep only the base64 body of the smime.p7s part
    $signature = file_get_contents("/location/of/signature");
    $begin = 'filename="smime.p7s"';
    $end = '------'; // start of the closing MIME boundary line
    $signature = substr($signature, strpos($signature, $begin) + strlen($begin));
    $signature = substr($signature, 0, strpos($signature, $end));
    $signature = trim($signature);
    $signature = base64_decode($signature);
    file_put_contents("/location/of/signature", $signature);
}
```
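As an added example, not code from the question or the answer above, here is a helper that follows the answer's approach (sign with `openssl_pkcs7_sign`, then unwrap the S/MIME envelope to DER) but locates the signature part by MIME boundary and Content-Type and checks the result before writing it. The `file://` prefix the question asks about tells PHP to read the certificate and key from a file instead of treating the string itself as PEM text; the function names, the paths and the temporary `signature.smime` file are assumptions.

```php
<?php
// Added helper (not the answer's code). Paths and names are placeholders.
// Signs $passDir/manifest.json and writes the DER PKCS #7 detached
// signature that Apple Wallet expects to $passDir/signature.
function signManifest(string $passDir, string $certPem, string $keyPem,
                      string $keyPass, string $wwdrPem): void
{
    $manifest = "$passDir/manifest.json";
    $smime    = "$passDir/signature.smime"; // temporary S/MIME envelope
    // "file://" makes PHP load the cert/key from a file instead of parsing
    // the string as PEM text; pass absolute paths. PKCS7_BINARY stops
    // OpenSSL from rewriting manifest.json line endings (that would change
    // the hashed bytes). OpenSSL adds the signingTime signed attribute by
    // itself unless PKCS7_NOATTR is set, so no "signing-time" entry is
    // needed in $headers, which only adds mail headers to the envelope.
    $ok = openssl_pkcs7_sign($manifest, $smime, "file://$certPem",
        ["file://$keyPem", $keyPass], [], PKCS7_BINARY | PKCS7_DETACHED, $wwdrPem);
    if (!$ok) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    file_put_contents("$passDir/signature", smimeToDer(file_get_contents($smime)));
    unlink($smime);
}

// Extract the base64 body of the pkcs7-signature part of a multipart/signed
// S/MIME envelope and decode it to DER. The part is found by MIME boundary
// and Content-Type, so this does not depend on the exact header text.
function smimeToDer(string $smime): string
{
    if (!preg_match('/boundary="?([^";\r\n]+)"?/i', $smime, $m)) {
        throw new RuntimeException('no MIME boundary in S/MIME output');
    }
    foreach (explode('--' . $m[1], $smime) as $part) {
        // OpenSSL labels the part application/x-pkcs7-signature (or the newer
        // application/pkcs7-signature); the outer multipart/signed header only
        // names that type inside its protocol= parameter, so it does not match.
        if (!preg_match('#^Content-Type:\s*application/(x-)?pkcs7-signature#mi', $part)) {
            continue;
        }
        // The base64 body starts after the first blank line of the part.
        $pieces = preg_split("/\r?\n\r?\n/", $part, 2);
        $der = base64_decode(preg_replace('/\s+/', '', $pieces[1] ?? ''), true);
        // A DER ContentInfo begins with an ASN.1 SEQUENCE tag (0x30).
        if ($der === false || $der === '' || $der[0] !== "\x30") {
            throw new RuntimeException('signature part is not valid DER');
        }
        return $der;
    }
    throw new RuntimeException('no pkcs7-signature part in S/MIME output');
}
```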