phpseclib can't parse CSR from Microsoft CA?

In my ongoing struggle with public key cryptography, I have run into an obstacle that is probably beyond my expertise in parsing CSRs:

I can't get phpseclib to X509->loadCSR() this block from an MS Server 2012r2 CA:

# more file
-----BEGIN NEW CERTIFICATE REQUEST-----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-----END NEW CERTIFICATE REQUEST-----

# openssl req -in file -noout -text
Certificate Request:
Data:
    Version: 0 (0x0)
    Subject: DC=secure, CN=.Secure Enterprise CA 1
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (4096 bit)
            Modulus:
                00:b3:80:4a:4b:f9:96:bb:6b:7c:bb:62:95:11:0e:
                bc:65:18:80:65:92:cd:b9:7c:3d:2d:1d:a6:48:62:
                40:53:69:70:39:87:ef:4c:5a:85:e7:14:0e:c0:94:
                85:2d:f2:96:c1:bd:77:49:6c:e0:a6:19:a7:90:98:
                17:c1:1f:44:32:f6:f4:db:c7:f0:d1:d8:83:b0:ce:
                ac:b6:64:7b:ae:ac:8e:5b:3c:bd:76:71:e1:36:33:
                16:bd:c6:06:3f:8b:b5:3a:30:05:2d:a0:0d:da:98:
                47:7b:70:a8:f6:7f:3f:44:59:9a:ee:46:56:9d:39:
                7d:03:5e:ff:4a:7b:14:9a:9f:ee:39:42:30:96:1f:
                eb:b6:0b:17:a6:db:31:fd:64:33:4f:18:1b:80:17:
                d6:2c:02:f9:1d:1d:d0:28:5f:c6:92:9b:4e:59:02:
                35:22:3b:67:bf:f8:be:7b:c2:18:7b:cd:98:83:63:
                75:88:86:29:fb:37:fd:89:35:32:95:3b:a9:71:e7:
                44:bc:6b:7e:17:50:a0:6d:dd:22:a0:49:1f:78:d6:
                17:0b:ac:16:14:35:fb:54:62:c4:cf:a3:8d:1b:cc:
                a2:9c:5a:a7:a6:88:7f:b0:8d:08:83:ae:59:f8:57:
                66:f9:11:b5:5e:a0:65:9e:e1:40:cf:5c:25:66:0b:
                a5:0f:92:51:bb:89:87:c5:d1:e7:8a:e2:e8:d5:f2:
                e7:3d:3e:d5:76:2e:f1:8b:38:57:66:01:81:37:f8:
                50:1b:6b:96:f2:40:04:f0:fc:36:3c:10:92:90:ee:
                9b:4f:8a:02:61:55:ee:3b:34:d7:89:96:c2:b0:93:
                58:5a:27:d9:3c:65:ac:e3:4b:eb:d3:e3:90:79:a6:
                a7:b4:c8:11:40:12:89:fc:4c:59:ce:2e:70:0e:6e:
                59:8a:3b:5d:a2:d3:3a:8c:50:d0:00:96:6a:f5:73:
                c8:cd:8c:ba:fe:76:1a:ee:4b:e4:2b:a2:96:66:cd:
                9d:b8:98:09:c5:1b:e6:34:aa:97:e1:33:30:31:4c:
                64:32:56:3c:86:c0:37:d1:2b:f0:11:9a:da:c6:a6:
                64:4e:8e:3e:7e:e9:5b:8c:99:9e:8b:8d:fd:f1:37:
                4f:5e:a6:6b:47:80:97:be:95:83:41:96:97:d4:62:
                0d:7a:b6:6f:8e:ba:c9:f3:89:89:d7:2f:a9:c8:a3:
                60:a1:39:8f:fb:18:d2:49:89:ff:5f:8e:fb:da:3c:
                30:82:f7:c2:ba:e1:ab:f9:e6:ba:48:c7:b3:7f:5c:
                7e:21:c0:77:90:42:41:10:6a:78:04:c4:4f:bc:50:
                cc:81:34:53:66:bc:f9:c8:1d:51:d4:65:d6:28:e1:
                22:ec:63
            Exponent: 65537 (0x10001)
    Attributes:
        1.3.6.1.4.1.311.13.2.3   :6.3.9600.2.
    Requested Extensions:
        1.3.6.1.4.1.311.21.1: 
            ...
        X509v3 Subject Key Identifier: 
            E6:71:08:30:45:13:E6:63:1D:D5:67:A9:9A:F8:B0:80:AE:DD:23:3C
        1.3.6.1.4.1.311.20.2:                 ..S.u.b.C.A
        X509v3 Key Usage: 
            Digital Signature, Certificate Sign, CRL Sign
        X509v3 Basic Constraints: critical
            CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
     a6:65:e9:b0:1e:68:80:f7:6f:f8:9c:e1:ac:ed:2f:c6:59:23:
     bb:e2:0f:70:3d:a2:d5:0a:c7:ab:f5:5d:ee:b7:cc:33:d1:f8:
     38:96:4a:7c:5b:f6:6f:a5:f0:e3:ed:9d:69:1c:2e:4c:c4:20:
     cf:c8:31:6a:2b:1c:a5:00:27:f2:7c:ef:50:f4:43:1f:b4:fc:
     76:e4:72:b8:cc:b5:5b:bf:74:da:ed:6f:d6:7d:09:7b:a9:eb:
     a6:6f:c5:33:dc:a4:4c:e2:ab:4f:e7:db:2c:3c:41:d0:5a:6b:
     e9:65:8b:ae:50:73:07:32:b7:33:10:2b:a5:90:4d:16:1f:bd:
     50:88:5f:d0:0a:70:f2:b1:c3:1d:43:2c:7f:bb:84:bf:db:11:
     10:75:95:40:ee:e7:d2:71:e9:f4:1f:a8:9a:c5:54:e6:36:37:
     c7:34:30:6b:ee:ad:fa:07:1a:61:28:c8:23:08:ca:f9:88:32:
     ee:3e:ff:04:8d:10:4f:ec:48:3a:78:95:9e:b3:b8:5e:ab:7f:
     59:b4:1a:22:dd:4d:7d:97:24:4f:a0:7e:f7:a9:25:31:66:a7:
     84:b7:58:5a:a4:b3:32:af:6b:10:48:4f:e8:d5:d1:72:93:34:
     3c:27:3b:e7:69:13:1c:14:e2:36:54:87:5f:02:74:41:64:21:
     4b:90:6f:48:05:17:c0:7b:58:91:55:a4:d7:6c:46:a6:51:3c:
     1c:fc:dc:15:b5:2a:3a:34:c8:09:9a:a1:3a:c6:36:61:b4:a7:
     a4:1f:dc:ad:b3:6e:4d:7e:26:29:37:55:9a:b8:ae:f2:a8:4e:
     2d:b4:e9:1b:cb:03:6f:ff:70:c3:5f:91:83:ec:ba:ab:e8:1c:
     67:b6:7b:41:8e:2e:d2:01:eb:7c:09:ce:5a:16:44:ea:5b:ef:
     6a:21:10:7b:2f:08:ab:a5:94:82:55:4a:e8:92:f6:c7:d3:04:
     07:a7:1c:2c:a7:76:00:04:77:84:f7:9e:94:d4:75:a8:8d:ba:
     65:44:9b:98:a5:64:87:7b:2c:06:1e:90:98:64:80:5b:b7:be:
     57:25:f1:b9:41:24:a8:c4:b2:45:53:a7:b2:69:06:67:57:08:
     bf:c6:ff:a1:f6:48:58:dc:6b:82:4c:38:0c:b7:0f:1c:25:19:
     d8:27:78:86:97:6b:31:ec:e6:70:4a:fc:18:0a:3c:8c:8f:cd:
     9e:30:b1:e7:31:05:34:c2:36:02:38:f1:87:b3:2b:71:83:92:
     7e:b9:72:69:67:92:de:85:e8:c7:f4:33:0a:03:69:74:ee:07:
     cf:09:c9:c6:f0:6f:98:a1:2a:71:c4:24:8b:0e:76:b6:a2:44:
     16:6b:bb:03:0f:c0:f2:0f

I added the mysterious vendor-specific OIDs to the OID list, hoping it would help me:

// the following are X.509 extensions not supported by phpseclib
'1.3.6.1.5.5.7.1.12' => 'id-pe-logotype',
'1.3.6.1.4.1.311.13.2.3' => 'szOID_OS_VERSION',
'1.3.6.1.4.1.311.20.2' => 'szOID_ENROLL_CERTTYPE_EXTENSION',
'1.3.6.1.4.1.311.21.1' => 'szOID_CERTSRV_CA_VERSION',

But I can't get past this part of the loadCSR() function:

$asn1->loadOIDs($this->oids);
$decoded = $asn1->decodeBER($csr);
//... $decoded contains content, but turns into binary junk in the middle
$csr = $asn1->asn1map($decoded[0], $this->CertificationRequest);
if (!isset($csr) || $csr === false) {

Apparently the asn1map function doesn't like the junk in the middle of $decoded??? Not sure if there is some way to debug this that I'm missing, but I don't know enough about BER decoding and asn1 mapping to solve the problem myself =(

Pretty please help, I really love this library (I've done lots of great things with it) and want to use it to authorize an Enterprise CA from my offline Linux root CA, with a super nice PHP web frontend ;D
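The question turns on what sits inside the CSR's attribute set, which is exactly the layer decodeBER() and asn1map() work at. The following is an added example, not code from the question or from phpseclib: it walks a PKCS#10 request at the BER/DER level with a small hand-written reader and reports the attributes and requested extensions it carries, so the operator of a CA can see what a client asked for before deciding whether to honour it. The input is a constructed, unsigned CSR-shaped blob built by sample_csr() (empty subject and key info, dummy signature), laid out like the attributes the openssl output above shows; it is not the request from the question. All function and constant names (der, ber_read, csr_inspect, csr_requests_ca, OID_EXTENSION_REQUEST, ...) are this example's own.

```php
<?php
// Added example, not code from the question or from phpseclib. Walks a PKCS#10
// request at the BER/DER layer and reports its attributes and requested
// extensions. The input is constructed by sample_csr() below and is not a
// valid, signed request. All names here are this example's own.

const OID_EXTENSION_REQUEST = '1.2.840.113549.1.9.14';   // pkcs-9-at-extensionRequest
const OID_BASIC_CONSTRAINTS = '2.5.29.19';

// ---- minimal DER encoder, used only to build the sample input --------------
function der_len(int $n): string {
    if ($n < 0x80) { return chr($n); }
    $bytes = ltrim(pack('N', $n), "\0");              // long form: 0x80|N, then N length bytes
    return chr(0x80 | strlen($bytes)) . $bytes;
}
function der(int $tag, string $content): string {
    return chr($tag) . der_len(strlen($content)) . $content;
}
function der_oid(string $dotted): string {
    $arc = array_map('intval', explode('.', $dotted));
    $out = chr(40 * $arc[0] + $arc[1]);
    for ($i = 2, $n = count($arc); $i < $n; $i++) {   // base-128 arcs, high bit = continuation
        $v = $arc[$i];
        $enc = chr($v & 0x7f);
        while (($v >>= 7) > 0) { $enc = chr(0x80 | ($v & 0x7f)) . $enc; }
        $out .= $enc;
    }
    return der(0x06, $out);
}

// ---- minimal BER reader ----------------------------------------------------
// Returns [tag, content, total size of the TLV] for the element at $pos.
function ber_read(string $buf, int $pos): array {
    $tag = ord($buf[$pos]);
    $len = ord($buf[$pos + 1]);
    $hdr = 2;
    if ($len & 0x80) {                                // long-form length
        $n = $len & 0x7f;
        $len = 0;
        for ($i = 0; $i < $n; $i++) { $len = ($len << 8) | ord($buf[$pos + 2 + $i]); }
        $hdr += $n;
    }
    return [$tag, substr($buf, $pos + $hdr, $len), $hdr + $len];
}
// Splits the content of a constructed element into [tag, content] children.
function ber_children(string $content): array {
    $out = [];
    for ($pos = 0, $end = strlen($content); $pos < $end; $pos += $size) {
        [$tag, $val, $size] = ber_read($content, $pos);
        $out[] = [$tag, $val];
    }
    return $out;
}
function oid_decode(string $raw): string {
    $first = ord($raw[0]);
    $arcs = [intdiv($first, 40), $first % 40];
    $v = 0;
    for ($i = 1, $n = strlen($raw); $i < $n; $i++) {
        $b = ord($raw[$i]);
        $v = ($v << 7) | ($b & 0x7f);
        if (!($b & 0x80)) { $arcs[] = $v; $v = 0; }
    }
    return implode('.', $arcs);
}

// ---- PKCS#10 walk ----------------------------------------------------------
// Returns ['attributes' => [oid, ...], 'extensions' => [[oid, critical, extnValue], ...]].
function csr_inspect(string $der): array {
    [, $csr] = ber_read($der, 0);                     // CertificationRequest ::= SEQUENCE
    [, $cri] = ber_read($csr, 0);                     // certificationRequestInfo ::= SEQUENCE
    $report = ['attributes' => [], 'extensions' => []];
    foreach (ber_children($cri) as [$tag, $val]) {
        if ($tag !== 0xA0) { continue; }              // attributes [0] IMPLICIT SET OF Attribute
        foreach (ber_children($val) as [, $attr]) {
            [$type, $values] = ber_children($attr);   // Attribute ::= SEQUENCE { type OID, values SET }
            $oid = oid_decode($type[1]);
            $report['attributes'][] = $oid;
            if ($oid !== OID_EXTENSION_REQUEST) { continue; }
            [, $extensions] = ber_read($values[1], 0); // values SET { Extensions ::= SEQUENCE OF Extension }
            foreach (ber_children($extensions) as [, $ext]) {
                $f = ber_children($ext);              // Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }
                $critical = count($f) === 3 && $f[1][1] !== "\x00";
                $report['extensions'][] = [oid_decode($f[0][1]), $critical, end($f)[1]];
            }
        }
    }
    return $report;
}

// Operator check: does the request ask for a CA certificate? The CA's own policy,
// not the client's request, should decide whether that is granted.
// BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }
function csr_requests_ca(string $der): bool {
    foreach (csr_inspect($der)['extensions'] as [$oid, , $value]) {
        if ($oid !== OID_BASIC_CONSTRAINTS) { continue; }
        [, $bc] = ber_read($value, 0);
        foreach (ber_children($bc) as [$tag, $v]) {
            if ($tag === 0x01) { return $v !== "\x00"; }
        }
    }
    return false;
}

// ---- constructed sample: the attribute layout shown in the question, with an
//      empty subject/SPKI and a dummy signature (not a valid, signed request) ---
function sample_csr(): string {
    $osVersion = der(0x30, der_oid('1.3.6.1.4.1.311.13.2.3') . der(0x31, der(0x16, '6.3.9600.2')));
    $extensions = der(0x30,
        der(0x30, der_oid('2.5.29.14') . der(0x04, der(0x04, str_repeat("\xE6", 20))))            // subjectKeyIdentifier
        . der(0x30, der_oid('1.3.6.1.4.1.311.20.2') . der(0x04, der(0x1E, "\0S\0u\0b\0C\0A")))     // template name, BMPString "SubCA"
        . der(0x30, der_oid('2.5.29.19') . der(0x01, "\xFF") . der(0x04, der(0x30, der(0x01, "\xFF")))) // basicConstraints, critical, CA:TRUE
    );
    $extReq = der(0x30, der_oid(OID_EXTENSION_REQUEST) . der(0x31, $extensions));
    $cri = der(0x30, der(0x02, "\x00") . der(0x30, '') . der(0x30, '') . der(0xA0, $osVersion . $extReq));
    $sigAlg = der(0x30, der_oid('1.2.840.113549.1.1.11') . der(0x05, ''));                         // sha256WithRSAEncryption
    return der(0x30, $cri . $sigAlg . der(0x03, "\x00\x00"));
}

$der = sample_csr();
$report = csr_inspect($der);
foreach ($report['attributes'] as $oid) { echo "attribute  $oid\n"; }
foreach ($report['extensions'] as [$oid, $critical]) { echo "extension  $oid" . ($critical ? ' (critical)' : '') . "\n"; }
echo csr_requests_ca($der) ? "request asks for a CA certificate; check that your policy allows it\n" : "end-entity request\n";
```

To run this over a real file, base64-decode the text between the BEGIN and END lines (a Microsoft CA labels them "NEW CERTIFICATE REQUEST", as in the question) and pass the bytes to csr_inspect(). The reader above deliberately does only what the walk needs; it does not validate the signature or the subject, so it is a review aid for the operator, not a replacement for the library's verification.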

The problem is that phpseclib doesn't appear to support the "Requested Extensions" block that openssl req shows. A quick Google search suggests that CSRs are governed by PKCS10 while the "Requested Extensions" block is governed by PKCS9. I'll contact the author and see what can be done to fix this.

In the meantime, a quick workaround is:

#
#-----[ OPEN ]------------------------------------------
#
File/ASN1.php
#
#-----[ FIND ]------------------------------------------
#
                return $i < $n? null: $map;
#
#-----[ REPLACE WITH ]----------------------------------
#
                return $map;