PHP Docs:: Parses an X.509 certificate and returns the information as an array - function.openssl-x509-parse.html


openssl_x509_parse

(PHP 4 >= 4.0.6, PHP 5)

openssl_x509_parse: Parses an X.509 certificate and returns the information as an array

Description

array openssl_x509_parse ( mixed $x509cert [, bool $shortnames ] )

openssl_x509_parse() returns information about the certificate passed in x509cert, such as the subject name, the issuer name, purposes, validity period, etc.

Parameters

x509cert

shortnames

The shortnames parameter controls how the data is indexed in the array. If TRUE is passed (the default), the short form is used; otherwise the long names are used. For example, CN is the short form of commonName.

Return Values

The structure of the returned data is intentionally not documented yet, because it is still subject to change.
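The following is an added example, not code from the manual or from the PHP project. It builds a throwaway self-signed certificate in memory so it runs offline, parses it with both shortnames settings, and then runs the checks a verifier usually wants on the parsed array. The distinguished name is constructed; the keys it reads (subject, issuer, validFrom_time_t, validTo_time_t, extensions, purposes) are the ones current PHP versions return, even though the manual text above leaves the structure undocumented.

```php
<?php
// Added example, not from the manual or the PHP project: build a throwaway
// self-signed certificate in memory, parse it with both shortnames settings,
// and run the checks a verifier would typically run on the parsed array.

// Constructed distinguished name for the test certificate.
$dn = [
    'countryName'      => 'DE',
    'organizationName' => 'Example Org',
    'commonName'       => 'www.example.org',
];
$key  = openssl_pkey_new(['private_key_bits' => 2048,
                          'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr  = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $key, 30, ['digest_alg' => 'sha256']); // 30 days
openssl_x509_export($cert, $pem);   // $pem now holds the PEM text

$short = openssl_x509_parse($pem);        // default: short names (CN, O, C)
$long  = openssl_x509_parse($pem, false); // long names (commonName, ...)

printf("CN (short key): %s\n", $short['subject']['CN']);
printf("CN (long key):  %s\n", $long['subject']['commonName']);
printf("Issuer CN:      %s\n", $short['issuer']['CN']);

// Validity window, using the epoch fields rather than the string dates.
$now = time();
$inWindow = $now >= $short['validFrom_time_t'] && $now <= $short['validTo_time_t'];
printf("Within validity period: %s (expires %s)\n",
       $inWindow ? 'yes' : 'no', date('Y-m-d', $short['validTo_time_t']));

// basicConstraints comes back as a readable string, e.g. "CA:FALSE".
$bc   = $short['extensions']['basicConstraints'] ?? '';
$isCa = stripos($bc, 'CA:TRUE') !== false;
printf("Claims to be a CA: %s\n", $isCa ? 'yes' : 'no');

// purposes: each entry is [usable, usable as CA, purpose name].
$usable = [];
foreach ($short['purposes'] as $p) {
    if ($p[0]) {
        $usable[] = $p[2];
    }
}
printf("Usable for: %s\n", implode(', ', $usable));
```

If openssl_csr_new() fails because no openssl.cnf is found, pass 'config' => '/path/to/openssl.cnf' in its options array.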


6 user notes:
s dot stok at rollerscapes dot net
28.12.2009 14:03
Alternative subjects can read as extensions.

[extensions]
            [subjectAltName] => DNS:*.cacert.org, DNS:cacert.org, DNS:*.cacert.net, DNS:cacert.net, DNS:*.cacert.com, DNS:cacert.com
koukopoulos at gmail dot com
17.03.2008 14:22
Re: the previous note: support for the x509v3 extensions was added in PHP 5.2. Also in PHP5 prior to 5.2.4 the values of the x509v3 extensions were not decoded and were returned in the DER binary representation. Therefore in order to read the contents of the v3 extensions you have to parse the relevant ASN.1 structures yourself.

For example if one needs to read an IA5STRING value in a private extension with the OID 1.3.6.1.4.1.7782.3.3 one can do:

<?php

/* parse a DER encoded representation of an IA5STRING
   whose length fits in one short-form length octet (< 128) */
function asn1der_ia5string($str)
{
    $len = strlen($str) - 2;
    if ($len < 0 || $len > 127) {
        return false;
    }

    /* check tag (IA5String = 22) and length octet */
    if (22 != (ord($str[0]) & 0x1f) || ord($str[1]) != $len) {
        /* not a valid DER encoding of an IA5STRING */
        return false;
    }

    return substr($str, 2, $len);
}

$cert = openssl_x509_parse($pemcert);
print(asn1der_ia5string($cert['extensions']['1.3.6.1.4.1.7782.3.3'])); // prints decoded ascii string

?>

In newer versions (>5.2.3) the extensions are returned in a 'readable format'. For example:

<?php print_r(openssl_x509_parse(...)); ?>
will result in
Array
(
    [name] => /C=GR/O=SOMETHING/CN=ME/
    ...
    [extensions] => Array
        (
            [basicConstraints] => CA:FALSE
            [keyUsage] => Digital Signature, Non Repudiation, Key Encipherment
            [extendedKeyUsage] => E-mail Protection, TLS Web Client Authentication
            [nsCertType] => SSL Client, S/MIME
            ....
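An added example, not part of either note above: it takes the readable subjectAltName string shown in the first note (and returned in the 'readable format' described in this one), turns it into a list of DNS names, and checks whether a given hostname is covered, allowing a wildcard only in the left-most label. The $parsed array is a constructed stand-in for what openssl_x509_parse() would return.

```php
<?php
// Added example (not from the manual): turn the readable subjectAltName
// string that openssl_x509_parse() returns into a list of DNS names and
// check whether a hostname is covered, honouring single-label wildcards.

function sanDnsNames(array $parsed): array
{
    $san   = $parsed['extensions']['subjectAltName'] ?? '';
    $names = [];
    foreach (explode(',', $san) as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = strtolower(substr($entry, 4));
        }
    }
    return $names;
}

function hostMatchesSan(string $host, array $parsed): bool
{
    $host = strtolower(rtrim($host, '.'));
    foreach (sanDnsNames($parsed) as $name) {
        if ($name === $host) {
            return true;
        }
        // "*.cacert.org" covers exactly one extra label: www.cacert.org yes,
        // a.b.cacert.org no, evil-cacert.org no.
        if (strpos($name, '*.') === 0) {
            $suffix     = substr($name, 1);    // ".cacert.org"
            $hostSuffix = strstr($host, '.');  // host minus its first label
            if ($hostSuffix === $suffix) {
                return true;
            }
        }
    }
    return false;
}

// Constructed stand-in for the array openssl_x509_parse() would return,
// using the subjectAltName format shown in the note above.
$parsed = ['extensions' => [
    'subjectAltName' => 'DNS:*.cacert.org, DNS:cacert.org, DNS:*.cacert.net, DNS:cacert.net',
]];

foreach (['www.cacert.org', 'cacert.org', 'a.b.cacert.org', 'evil-cacert.org'] as $h) {
    printf("%-18s %s\n", $h, hostMatchesSan($h, $parsed) ? 'matches' : 'no match');
}
```

This only inspects the parsed array; openssl_x509_parse() performs no chain or signature validation, so a name match says nothing about whether the certificate is trusted.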
zioproto at gmail dot com
13.02.2008 15:43
To read an extension from an X.509 certificate, you can proceed like this if you know the OID

//Read the certificate from file
$cert = file_get_contents('test.crt');
$ssl = openssl_x509_parse($cert);

$ext_value = $ssl['extensions']['1.2.3.4.5.6'];
echo $ext_value;

--------------------------------

Because the $ssl array is not documented, you can easily see its contents like this:

  //To print out all the array!
  print_r(array_values($ssl));
  print_r(array_keys($ssl));
nathanael at dihedral dot de
11.08.2006 15:02
When dealing with the purposes of an x509 crt file
the output of openssl_x509_parse gives an array with the following for the purposes:
each new array ([purposes][1], [purposes][2] for example) is a new purpose check
I compared this output with the output of the command
# openssl x509 -purpose -in <x509crt_file>
the result I got was that
[purposes][x][2] quite obviously is the name of the purpose checked
[purposes][x][1] corresponds to the tested purpose (as named in [purposes][x][2]) acting as CA
[purposes][x][0] corresponds to the general availability of the purpose

[purposes] => Array
    (
        [1] => Array
            (
                [0] => 1
                [1] => 1
                [2] => sslclient
            )

        [2] => Array
            (
                [0] => 1
                [1] => 1
                [2] => sslserver
            )

        [3] => Array
            (
                [0] => 1
                [1] => 1
                [2] => nssslserver
            )

        [4] => Array
            (
                [0] => 1
                [1] => 1
                [2] => smimesign
            )

        [5] => Array
            (
                [0] => 1
                [1] => 1
                [2] => smimeencrypt
            )

        [6] => Array
            (
                [0] => 1
                [1] => 1
                [2] => crlsign
            )

        [7] => Array
            (
                [0] => 1
                [1] => 1
                [2] => any
            )

        [8] => Array
            (
                [0] => 1
                [1] => 1
                [2] => ocsphelper
            )

    )
maarten at xolphin dot nl
11.02.2005 11:00
At this time very useful X509 oids (like streetAddress, postalCode and others) are missing. You can find a list of them at http://www.alvestrand.no/objectid/2.5.4.html, I hope they get included in openssl-x509-parse soon.

Until then you can get these oids anyway like this:

<?php

function getOID($OID, $ssl)
{
    // escape the dots in the OID, otherwise they match any character
    if (preg_match('/\/' . preg_quote($OID, '/') . '=([^\/]+)/', $ssl, $matches)) {
        return $matches[1];
    }
    return false;
}

$cert = file_get_contents('test.crt');
$ssl = openssl_x509_parse($cert);

$Address = getOID('2.5.4.9', $ssl['name']);
$ZipCode = getOID('2.5.4.17', $ssl['name']);
$Postbox = getOID('2.5.4.18', $ssl['name']);
?>

The parseCert function from the Horde framework can be useful for this too.
smgallo at buffalo dot edu
29.10.2004 20:15
The identifier for the email portion of certificates in the name and subject array has changed since PHP4.  In PHP 4.3.0 the following array was returned (displayed by print_r()):

[name] => /O=Grid/O=Globus/O=CCR Grid Portal/OU=Portal User/CN=Test User/Email=test@nospam.buffalo.edu
[subject] => Array
(
   [O] => Grid/O=Globus/O=CCR Grid Portal
   [OU] => Portal User
   [CN] => Test User
   [Email] => test@nospam.buffalo.edu
...

The result in PHP5 is (note Email -> emailAddress):

[name] => /O=Grid/O=Globus/O=CCR Grid Portal/OU=Portal User/CN=Test User/emailAddress=test@nospam.buffalo.edu
[subject] => Array
(
   [O] => Grid/O=Globus/O=CCR Grid Portal
   [OU] => Portal User
   [CN] => Test User
   [emailAddress] => test@nospam.buffalo.edu
...

Of course, the manual DOES say this could happen.  :)


