如何使用 php 的 openssl_x509_parse 获取 SSL 证书哈希算法 OID
How to get SSL Certificate Hash Algorithm OID using php's openssl_x509_parse
我正在使用 php 的 OpenSSL 函数 (openssl_x509_parse) 来解析给定站点的 SSL 证书信息。
示例代码:
$stream = stream_context_create(
array(
"ssl" => array(
"allow_self_signed" => true,
"capture_peer_cert" => true,
"capture_peer_cert_chain" => true,
"verify_peer" => false,
"verify_peer_name" => false,
"sni_enabled" => true,
),
)
);
$streamRead = @stream_socket_client("ssl://whosebug.com:443", $streamErrNo, $streamErrStr, 30, STREAM_CLIENT_CONNECT, $stream);
if (!$streamErrNo && $streamRead) {
$streamContext = stream_context_get_params($streamRead);
$streamContextMeta = stream_get_meta_data($streamRead);
$certChainsRes = $streamContext["options"]["ssl"]["peer_certificate_chain"];
$certChainArr = array();
for ($i = 0; $i < count($certChainsRes); $i++) {
$certChainData = openssl_x509_parse($certChainsRes[$i]);
var_dump($certChainData);
}
}
代码运行良好,它为我提供了数据。
示例数据。
array (size=16)
'name' => string '/C=US/ST=NY/L=New York/O=Stack Exchange, Inc./CN=*.stackexchange.com' (length=68)
'subject' =>
array (size=5)
'C' => string 'US' (length=2)
'ST' => string 'NY' (length=2)
'L' => string 'New York' (length=8)
'O' => string 'Stack Exchange, Inc.' (length=20)
'CN' => string '*.stackexchange.com' (length=19)
'hash' => string '07cc7bb0' (length=8)
'issuer' =>
array (size=4)
'C' => string 'US' (length=2)
'O' => string 'DigiCert Inc' (length=12)
'OU' => string 'www.digicert.com' (length=16)
'CN' => string 'DigiCert SHA2 High Assurance Server CA' (length=38)
'version' => int 2
'serialNumber' => string '9833040086282421696121167723365753840' (length=37)
'serialNumberHex' => string '0765C64E74E591D68039CA2A847563F0' (length=32)
'validFrom' => string '181005000000Z' (length=13)
'validTo' => string '190814120000Z' (length=13)
'validFrom_time_t' => int 1538697600
'validTo_time_t' => int 1565784000
'signatureTypeSN' => string 'RSA-SHA256' (length=10)
'signatureTypeLN' => string 'sha256WithRSAEncryption' (length=23)
'signatureTypeNID' => int 668
问题:
1:我得到了 signatureTypeSN、signatureTypeLN 等详细信息,
signatureTypeNID 但我怎样才能得到签名算法 ID (Hash
算法 OID)例如。 sha256WithRSAEncryption => 1.2.840.113549.1.1.11
2:这些细节表明证书的版本是 2
'version' => int 2 但浏览器显示证书版本为 3 ![SSL Certificate Details 中的截图
浏览器]1
P.S:代码是 运行 在 Ubuntu 18.04 服务器上 php7.3。我使用的浏览器是 Windows 10.
上的 Mozilla Firefox
#1。版本
关于版本号(来自RFC:https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.1)
4.1.2.1. Version
This field describes the version of the encoded certificate. When
extensions are used, as expected in this profile, version MUST be 3
(value is 2). If no extensions are present, but a UniqueIdentifier
is present, the version SHOULD be 2 (value is 1); however, the
version MAY be 3. If only basic fields are present, the version
SHOULD be 1 (the value is omitted from the certificate as the default
value); however, the version MAY be 2 or 3.
Implementations SHOULD be prepared to accept any version certificate.
At a minimum, conforming implementations MUST recognize version 3
certificates.
版本 2 证书的生成不是预期的
基于此配置文件的实现。
这意味着输出中的版本 2 等于证书的版本 3。
#2。 OID
关于问题的第一部分,最简单的方法是找到列表并将其实现为数组然后正常替换。其中之一是我在 https://www.rfc-editor.org/rfc/rfc7427 上找到的(搜索 oid = )
同样在前一个RFC 7427 (https://www.rfc-editor.org/rfc/rfc5280)中你可以找到那些OID
我正在使用 php 的 OpenSSL 函数 (openssl_x509_parse) 来解析给定站点的 SSL 证书信息。 示例代码:
$stream = stream_context_create(
array(
"ssl" => array(
"allow_self_signed" => true,
"capture_peer_cert" => true,
"capture_peer_cert_chain" => true,
"verify_peer" => false,
"verify_peer_name" => false,
"sni_enabled" => true,
),
)
);
$streamRead = @stream_socket_client("ssl://whosebug.com:443", $streamErrNo, $streamErrStr, 30, STREAM_CLIENT_CONNECT, $stream);
if (!$streamErrNo && $streamRead) {
$streamContext = stream_context_get_params($streamRead);
$streamContextMeta = stream_get_meta_data($streamRead);
$certChainsRes = $streamContext["options"]["ssl"]["peer_certificate_chain"];
$certChainArr = array();
for ($i = 0; $i < count($certChainsRes); $i++) {
$certChainData = openssl_x509_parse($certChainsRes[$i]);
var_dump($certChainData);
}
}
代码运行良好,它为我提供了数据。 示例数据。
array (size=16)
'name' => string '/C=US/ST=NY/L=New York/O=Stack Exchange, Inc./CN=*.stackexchange.com' (length=68)
'subject' =>
array (size=5)
'C' => string 'US' (length=2)
'ST' => string 'NY' (length=2)
'L' => string 'New York' (length=8)
'O' => string 'Stack Exchange, Inc.' (length=20)
'CN' => string '*.stackexchange.com' (length=19)
'hash' => string '07cc7bb0' (length=8)
'issuer' =>
array (size=4)
'C' => string 'US' (length=2)
'O' => string 'DigiCert Inc' (length=12)
'OU' => string 'www.digicert.com' (length=16)
'CN' => string 'DigiCert SHA2 High Assurance Server CA' (length=38)
'version' => int 2
'serialNumber' => string '9833040086282421696121167723365753840' (length=37)
'serialNumberHex' => string '0765C64E74E591D68039CA2A847563F0' (length=32)
'validFrom' => string '181005000000Z' (length=13)
'validTo' => string '190814120000Z' (length=13)
'validFrom_time_t' => int 1538697600
'validTo_time_t' => int 1565784000
'signatureTypeSN' => string 'RSA-SHA256' (length=10)
'signatureTypeLN' => string 'sha256WithRSAEncryption' (length=23)
'signatureTypeNID' => int 668
问题:
1:我得到了 signatureTypeSN、signatureTypeLN 等详细信息,
signatureTypeNID 但我怎样才能得到签名算法 ID (Hash
算法 OID)例如。 sha256WithRSAEncryption => 1.2.840.113549.1.1.112:这些细节表明证书的版本是 2
'version' => int 2但浏览器显示证书版本为 3 ![SSL Certificate Details 中的截图 浏览器]1
![![SSL Certificate Details 中的截图 浏览器]1](https://i.stack.imgur.com/D4gzQ.png){kind=link}
P.S:代码是 运行 在 Ubuntu 18.04 服务器上 php7.3。我使用的浏览器是 Windows 10.
上的 Mozilla Firefox#1。版本
关于版本号(来自RFC:https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.1)
4.1.2.1. Version
This field describes the version of the encoded certificate. When extensions are used, as expected in this profile, version MUST be 3 (value is 2). If no extensions are present, but a UniqueIdentifier is present, the version SHOULD be 2 (value is 1); however, the version MAY be 3. If only basic fields are present, the version SHOULD be 1 (the value is omitted from the certificate as the default value); however, the version MAY be 2 or 3.
Implementations SHOULD be prepared to accept any version certificate. At a minimum, conforming implementations MUST recognize version 3 certificates.
版本 2 证书的生成不是预期的 基于此配置文件的实现。
这意味着输出中的版本 2 等于证书的版本 3。
#2。 OID
关于问题的第一部分,最简单的方法是找到列表并将其实现为数组然后正常替换。其中之一是我在 https://www.rfc-editor.org/rfc/rfc7427 上找到的(搜索 oid = )
同样在前一个RFC 7427 (https://www.rfc-editor.org/rfc/rfc5280)中你可以找到那些OID