wujh Posted October 6, 2017

Hi guys, new here. New to php as well. Need to sign profile using openSSL. Bumping into an error that I can't resolve. Any insights would be appreciated.

Functions.php

```php
function signProfile() {
    $filename = "./template.mobileconfig";
    $filename = realpath($filename);
    $outFilename = $filename . ".tmp";

    $pkey = dirname(__FILE__) . "/PteKey.key";
    $pkey = realpath($pkey);

    $certFile = dirname(__FILE__) . "/CertToSign.crt";
    $certFile = realpath($certFile);

    // try signing the plain XML profile
    if (openssl_pkcs7_sign($filename, $outFilename, 'file://'.$certFile, array('file://'.$pkey, ""), array(), 0, "")) {
        // get the data back from the filesystem
        $signedString = file_get_contents($outFilename);
        // trim the fat
        $trimmedString = preg_replace('/(.+\n)+\n/', '', $signedString, 1);
        // convert to binary (DER)
        $decodedString = base64_decode($trimmedString);
        // write the file back to the filesystem (using the filename originally given)
        $fh = fopen($filename, 'w');
        fwrite($fh, $decodedString);
        fclose($fh);
        // delete the temporary file
        unlink($outFilename);
        return TRUE;
    } else {
        return FALSE;
    }
}
```

From IDE:

Error message:

File Dir:

requinix Posted October 6, 2017

Your private key is web-accessible! Don't do that!

And

```php
openssl_pkcs7_sign($filename, $outFilename, 'file://'.$certFile, array('file://'.$pkey, ""), array(), 0, "")
```

don't pass extra parameters when you aren't using them: the last two are optional so leave them out or else PHP will think it should try to use them.

wujh Posted October 6, 2017

"Posted Today, 09:30 AM Your private key is web-accessible! Don't do that!"

Sorry, I'm not familiar what it means? How have I leaked it?

wujh Posted October 6, 2017

"Your private key is web-accessible! Don't do that! And openssl_pkcs7_sign($filename, $outFilename, 'file://'.$certFile, array('file://'.$pkey, ""), array(), 0, "") don't pass extra parameters when you aren't using them: the last two are optional so leave them out or else PHP will think it should try to use them."

How can I edit my question? I don't have the power to do so. Could you remove what's considered information that's private?

requinix Posted October 6, 2017

You didn't post it here - I mean the private key is C:\wamp64\www\common\PteKey.key, which means if someone went to http://localhost/common/PteKey.key they could download your key. I know it's not a real site now and only you can get to it, but you still need to fix it as soon as you can.

If you don't want the public key to be public (you might not) or the certificate to sign (probably shouldn't) then those need to move too.

[edit] With my magic admin powers I've discovered that your web server is open to the internet. Like I can tell you the private key is named SGPCCS.key. That's really, really bad. Remove the keys immediately, revoke them if applicable, and create a new key pair that isn't available to the world.
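
An added example, not part of the original thread: a PHP audit that walks a web document root and lists the URL path of every file that looks like private key material, which is the exposure described in the reply above (a key under the docroot can be downloaded by path). The function name `findExposedKeys`, the extension list and the temporary demo tree are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. findExposedKeys() and the
// constructed demo tree below are hypothetical names and data.

/**
 * Walk a web document root and return the URL path of every file that
 * looks like a private key (by extension or by PEM header).
 */
function findExposedKeys(string $docRoot): array
{
    $root = realpath($docRoot);
    if ($root === false || !is_dir($root)) {
        throw new InvalidArgumentException("Not a directory: $docRoot");
    }
    $hits = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        // The first 4 KiB is enough to see a PEM header, whatever the file is named.
        $head = (string) @file_get_contents($file->getPathname(), false, null, 0, 4096);
        $byExt = in_array(strtolower($file->getExtension()), ['key', 'p12', 'pfx'], true);
        $byPem = preg_match('/-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/', $head) === 1;
        if ($byExt || $byPem) {
            // The path relative to the docroot is the path a browser would request.
            $rel = substr($file->getPathname(), strlen($root));
            $hits[] = str_replace(DIRECTORY_SEPARATOR, '/', $rel);
        }
    }
    sort($hits);
    return $hits;
}

// Constructed demo tree standing in for a docroot such as C:\wamp64\www.
$demo = sys_get_temp_dir() . '/docroot_' . bin2hex(random_bytes(4));
mkdir("$demo/common", 0700, true);
$samples = [
    'PteKey.key'    => "-----BEGIN PRIVATE KEY-----\n(constructed)\n",
    'Functions.php' => "<?php // application code\n",
    'backup.txt'    => "-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n",
];
foreach ($samples as $name => $body) { file_put_contents("$demo/common/$name", $body); }
print_r(findExposedKeys($demo));
foreach (array_keys($samples) as $name) { unlink("$demo/common/$name"); }
rmdir("$demo/common"); rmdir($demo);
```

Anything the function reports belongs outside the document root, and per the reply above a key that was already reachable should also be revoked and replaced.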