
Using Apache variables in PHP OpenSSL


Bako


I've been trying to figure out how to get $_SERVER['SSL_CLIENT_CERT'] into a form from which I can extract some of the X.509 certificate attributes. Unfortunately, the Apache variables and the PHP OpenSSL functions don't have a way to display the certificate "Key Usage" attributes.


1 hour ago, requinix said:

openssl_x509_parse looks relevant. What have you tried with that?

"tried" yes. Succeeded? Not so much. I probably doing it wrong by trying to shove $_SERVER['SSL_CLIENT_CERT'] into another variable that I use in that function. My BASH brain kicks in so it possibly might have something to do with syntax.


Requinix suggested you use a function to pull the information directly from the cert. $_SERVER is an array created by PHP for you. It's not going to figure into using openssl_x509_parse.

 

$cert = openssl_x509_parse(file_get_contents('/path/to/cert.crt'));
var_dump($cert);

$cert would be an array of the various items from the cert.  

If you are using PHP 8, I believe you would instead have to use:

$certObj = openssl_x509_read(file_get_contents('/path/to/cert.crt'));

$cert = openssl_x509_parse($certObj);
var_dump($cert);

So, this gets me the screenshot...

<?php

// SSL_CLIENT_CERT already holds the PEM text of the certificate, so it is passed
// straight to the OpenSSL functions rather than being treated as a file path.
$certObj = openssl_x509_read($_SERVER['SSL_CLIENT_CERT']);

$cert = openssl_x509_parse($certObj);
var_dump($cert);

printf("<br><br><br>");
printf("SSL_CLIENT_M_SERIAL:\t%s<br>\n",$_SERVER['SSL_CLIENT_M_SERIAL']);
printf("SSL_CLIENT_S_DN:\t%s<br>\n",$_SERVER['SSL_CLIENT_S_DN']);
printf("SSL_CLIENT_S_DN_CN:\t%s<br>\n",$_SERVER['SSL_CLIENT_S_DN_CN']);
printf("SSL_CLIENT_SAN_Email_0:\t%s<br>\n",$_SERVER['SSL_CLIENT_SAN_Email_0']);
printf("SSL_CLIENT_SAN_OTHER_msUPN_0:\t%s<br>\n",$_SERVER['SSL_CLIENT_SAN_OTHER_msUPN_0']);
printf("SSL_CLIENT_SAN_DNS_0:\t%s<br>\n",$_SERVER['SSL_CLIENT_SAN_DNS_0']);
printf("SSL_CLIENT_CERT_RFC4523_CEA:\t%s<br>\n",$_SERVER['SSL_CLIENT_CERT_RFC4523_CEA']);

printf("####\tSSL_CLIENT_CERT_CHAIN_0\t####<br>\n%s<br>\n",$_SERVER['SSL_CLIENT_CERT_CHAIN_0']);
printf("####\tSSL_CLIENT_CERT\t####<br>\n%s<br>\n",$_SERVER['SSL_CLIENT_CERT']);

// phpinfo() prints the full server configuration; it is here only for debugging.
phpinfo();
?>

 

Screen Shot 2022-01-07 at 22.05.12.jpg

 

I'm trying to figure out how to do the equivalent of `openssl x509 -text -noout`.

Edited by Bako

I see... Any keywords I should google on figuring out this nested array type thing? Trying to get the subjectAltName

Below is the output of this...

// SSL_CLIENT_CERT is the PEM text itself, not a file name.
$certObj = openssl_x509_read($_SERVER['SSL_CLIENT_CERT']);

#$cert = openssl_x509_parse($certObj);
$cert = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
var_dump($cert);
printf("<br><br><br>");
print_r(array_values($cert));
printf("<br><br><br>");

Output:

array(16) {
  ["name"]=>
  string(40) "/emailAddress=boyd.hanalei.ako@gmail.com"
  ["subject"]=>
  array(1) {
    ["emailAddress"]=>
    string(26) "boyd.hanalei.ako@gmail.com"
  }
  ["hash"]=>
  string(8) "29c7144b"
  ["issuer"]=>
  array(5) {
    ["C"]=>
    string(2) "GB"
    ["ST"]=>
    string(18) "Greater Manchester"
    ["L"]=>
    string(7) "Salford"
    ["O"]=>
    string(15) "Sectigo Limited"
    ["CN"]=>
    string(53) "Sectigo RSA Client Authentication and Secure Email CA"
  }
  ["version"]=>
  int(2)
  ["serialNumber"]=>
  string(39) "293838373167574313158409699983802423973"
  ["serialNumberHex"]=>
  string(32) "DD0F3650BAF3404F9B84A0AB065EDAA5"
  ["validFrom"]=>
  string(13) "201206000000Z"
  ["validTo"]=>
  string(13) "231206235959Z"
  ["validFrom_time_t"]=>
  int(1607212800)
  ["validTo_time_t"]=>
  int(1701907199)
  ["signatureTypeSN"]=>
  string(10) "RSA-SHA256"
  ["signatureTypeLN"]=>
  string(23) "sha256WithRSAEncryption"
  ["signatureTypeNID"]=>
  int(668)
  ["purposes"]=>
  array(9) {
    [1]=>
    array(3) {
      [0]=>
      bool(true)
      [1]=>
      bool(false)
      [2]=>
      string(9) "sslclient"
    }
    [2]=>
    array(3) {
      [0]=>
      bool(false)
      [1]=>
      bool(false)
      [2]=>
      string(9) "sslserver"
    }
    [3]=>
    array(3) {
      [0]=>
      bool(false)
      [1]=>
      bool(false)
      [2]=>
      string(11) "nssslserver"
    }
    [4]=>
    array(3) {
      [0]=>
      bool(true)
      [1]=>
      bool(false)
      [2]=>
      string(9) "smimesign"
    }
    [5]=>
    array(3) {
      [0]=>
      bool(true)
      [1]=>
      bool(false)
      [2]=>
      string(12) "smimeencrypt"
    }
    [6]=>
    array(3) {
      [0]=>
      bool(false)
      [1]=>
      bool(false)
      [2]=>
      string(7) "crlsign"
    }
    [7]=>
    array(3) {
      [0]=>
      bool(true)
      [1]=>
      bool(true)
      [2]=>
      string(3) "any"
    }
    [8]=>
    array(3) {
      [0]=>
      bool(true)
      [1]=>
      bool(false)
      [2]=>
      string(10) "ocsphelper"
    }
    [9]=>
    array(3) {
      [0]=>
      bool(false)
      [1]=>
      bool(false)
      [2]=>
      string(13) "timestampsign"
    }
  }
  ["extensions"]=>
  array(9) {
    ["authorityKeyIdentifier"]=>
    string(66) "keyid:09:C0:F2:FC:0B:DA:94:DB:5F:FE:2B:DF:A8:99:42:CF:C9:E0:AD:00
"
    ["subjectKeyIdentifier"]=>
    string(59) "59:A6:57:6E:04:AE:FB:2B:2F:36:CA:7F:1B:8E:C9:D0:44:A4:71:59"
    ["keyUsage"]=>
    string(35) "Digital Signature, Key Encipherment"
    ["basicConstraints"]=>
    string(8) "CA:FALSE"
    ["extendedKeyUsage"]=>
    string(48) "E-mail Protection, TLS Web Client Authentication"
    ["certificatePolicies"]=>
    string(66) "Policy: 1.3.6.1.4.1.6449.1.2.1.1.1
  CPS: https://sectigo.com/CPS
"
    ["crlDistributionPoints"]=>
    string(92) "
Full Name:
  URI:http://crl.sectigo.com/SectigoRSAClientAuthenticationandSecureEmailCA.crl
"
    ["authorityInfoAccess"]=>
    string(126) "CA Issuers - URI:http://crt.sectigo.com/SectigoRSAClientAuthenticationandSecureEmailCA.crt
OCSP - URI:http://ocsp.sectigo.com
"
    ["subjectAltName"]=>
    string(32) "email:boyd.hanalei.ako@gmail.com"
  }
}
<br><br><br>Array
(
    [0] => /emailAddress=boyd.hanalei.ako@gmail.com
    [1] => Array
        (
            [emailAddress] => boyd.hanalei.ako@gmail.com
        )

    [2] => 29c7144b
    [3] => Array
        (
            [C] => GB
            [ST] => Greater Manchester
            [L] => Salford
            [O] => Sectigo Limited
            [CN] => Sectigo RSA Client Authentication and Secure Email CA
        )

    [4] => 2
    [5] => 293838373167574313158409699983802423973
    [6] => DD0F3650BAF3404F9B84A0AB065EDAA5
    [7] => 201206000000Z
    [8] => 231206235959Z
    [9] => 1607212800
    [10] => 1701907199
    [11] => RSA-SHA256
    [12] => sha256WithRSAEncryption
    [13] => 668
    [14] => Array
        (
            [1] => Array
                (
                    [0] => 1
                    [1] => 
                    [2] => sslclient
                )

            [2] => Array
                (
                    [0] => 
                    [1] => 
                    [2] => sslserver
                )

            [3] => Array
                (
                    [0] => 
                    [1] => 
                    [2] => nssslserver
                )

            [4] => Array
                (
                    [0] => 1
                    [1] => 
                    [2] => smimesign
                )

            [5] => Array
                (
                    [0] => 1
                    [1] => 
                    [2] => smimeencrypt
                )

            [6] => Array
                (
                    [0] => 
                    [1] => 
                    [2] => crlsign
                )

            [7] => Array
                (
                    [0] => 1
                    [1] => 1
                    [2] => any
                )

            [8] => Array
                (
                    [0] => 1
                    [1] => 
                    [2] => ocsphelper
                )

            [9] => Array
                (
                    [0] => 
                    [1] => 
                    [2] => timestampsign
                )

        )

    [15] => Array
        (
            [authorityKeyIdentifier] => keyid:09:C0:F2:FC:0B:DA:94:DB:5F:FE:2B:DF:A8:99:42:CF:C9:E0:AD:00

            [subjectKeyIdentifier] => 59:A6:57:6E:04:AE:FB:2B:2F:36:CA:7F:1B:8E:C9:D0:44:A4:71:59
            [keyUsage] => Digital Signature, Key Encipherment
            [basicConstraints] => CA:FALSE
            [extendedKeyUsage] => E-mail Protection, TLS Web Client Authentication
            [certificatePolicies] => Policy: 1.3.6.1.4.1.6449.1.2.1.1.1
  CPS: https://sectigo.com/CPS

            [crlDistributionPoints] => 
Full Name:
  URI:http://crl.sectigo.com/SectigoRSAClientAuthenticationandSecureEmailCA.crl

            [authorityInfoAccess] => CA Issuers - URI:http://crt.sectigo.com/SectigoRSAClientAuthenticationandSecureEmailCA.crt
OCSP - URI:http://ocsp.sectigo.com

            [subjectAltName] => email:boyd.hanalei.ako@gmail.com
        )

)

 


49 minutes ago, Bako said:

I see... Any keywords I should google on figuring out this nested array type thing? Trying to get the subjectAltName

All you'll be able to find on Google is people saying that it's as simple as looking at the hierarchy your var_dump() output is showing you:

array(16) {   <--- this is $cert
  ...
  ["extensions"]=>   <--- this is $cert["extensions"]
  array(9) {
    ...
    ["subjectAltName"]=>   <--- this is $cert["extensions"]["subjectAltName"]
    string(32) "email:boyd.hanalei.ako@gmail.com"

 


$cert = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
var_dump($cert);
printf("<br><br><br>");
print_r(array_values($cert));
printf("<br><br><br>");
sanext=print_r(array_values($cert[extensions][subjectAltName]));
printf("\n\n### %s\n\n\n",$sanext;
printf("<br><br><br>");

 

.... What am I doing wrong...


print_r is a debugging tool, so you can evaluate the contents of variables on the path to your final solution.

Array keys require either a numeric index, or a string key.  If it's a string key, you need to put quotes around the key:

$cert = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
echo $cert['extensions']['subjectAltName'];

 

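Putting the thread together: the Key Usage attributes asked about in the first post, the `openssl x509 -text -noout` equivalent asked about later, and the subjectAltName lookup just answered. This is an added example, not code from any poster; it assumes Apache mod_ssl with `SSLOptions +StdEnvVars +ExportCertData` populating $_SERVER, and the function names (clientCertFacts, splitList, parseSan, x509Text) are the example's own.

```php
<?php
// Added example, not code from the thread. Assumes Apache mod_ssl with
// SSLOptions +StdEnvVars +ExportCertData, so $_SERVER carries the PEM and the verify status.
// Structured view of the client certificate: Key Usage (asked in the first post) and the
// subjectAltName lookup (answered above), gated on mod_ssl's own verification result.
function clientCertFacts(array $server): ?array
{
    // Only trust attributes of a certificate that mod_ssl actually verified; the
    // variable already holds the PEM text, so parse it directly (no file read).
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS'
        || ($cert = openssl_x509_parse($server['SSL_CLIENT_CERT'] ?? '')) === false) {
        return null;
    }
    $ext = $cert['extensions'] ?? [];
    return [
        'subject'     => $cert['subject'],
        'notAfter'    => gmdate(DATE_ATOM, $cert['validTo_time_t']),
        'keyUsage'    => splitList($ext['keyUsage'] ?? ''),
        'extKeyUsage' => splitList($ext['extendedKeyUsage'] ?? ''),
        'san'         => parseSan($ext['subjectAltName'] ?? ''),
    ];
}

// "Digital Signature, Key Encipherment" -> ['Digital Signature', 'Key Encipherment']
function splitList(string $value): array
{
    return $value === '' ? [] : array_map('trim', explode(',', $value));
}

// "email:a@example.com, DNS:h.example.com" -> ['email' => ['a@example.com'], 'DNS' => ['h.example.com']];
// the type is the text before the first colon, so othername entries keep the rest as their value.
function parseSan(string $value): array
{
    $out = [];
    foreach (splitList($value) as $entry) {
        [$type, $name] = array_map('trim', explode(':', $entry, 2) + [1 => '']);
        $out[$type][] = $name;
    }
    return $out;
}

// Equivalent of `openssl x509 -text -noout`: export with $no_text = false.
function x509Text(string $pem): string
{
    return openssl_x509_export($pem, $text, false) ? $text : '';
}
$server = (PHP_SAPI === 'cli' && isset($argv[1]))  // from the CLI, pass a PEM file path
    ? ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_CERT' => file_get_contents($argv[1])] : $_SERVER;
print_r(clientCertFacts($server));
echo "\n", x509Text($server['SSL_CLIENT_CERT'] ?? '');
```

Run it under Apache with client authentication enabled, or from the shell as `php script.php client.pem` to inspect a saved certificate.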

Thanks @gizmola and @requinix for dealing with my noobness. I'd buy you a cup of coffee if I could.

 

So, now I'm trying to figure out displaying the PKCS7 stuff. Below isn't quite working.

pkcs7 = openssl_pkcs7_read($_SERVER['SSL_CLIENT_CERT_CHAIN_0']);
print_r(array_values($pkcs7));

 

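The variable in that last snippet is not PKCS7: mod_ssl's SSL_CLIENT_CERT_CHAIN_n entries are PEM-encoded X.509 certificates, so they go through the same x509 functions as SSL_CLIENT_CERT. Here is an added example (not any poster's code) that collects the chain, describes each certificate and confirms that each one is signed by the next; the helper names clientChainPems and describeChain are the example's own.

```php
<?php
// Added example, not code from the thread. mod_ssl exposes the chain as
// SSL_CLIENT_CERT_CHAIN_n, each a PEM-encoded X.509 certificate (not PKCS7),
// so the x509 functions read it; the helper names below are the example's own.

// The client certificate followed by its issuers, leaf first, as mod_ssl numbers them.
function clientChainPems(array $server): array
{
    $pems = empty($server['SSL_CLIENT_CERT']) ? [] : [$server['SSL_CLIENT_CERT']];
    for ($i = 0; isset($server["SSL_CLIENT_CERT_CHAIN_$i"]); $i++) {
        $pems[] = $server["SSL_CLIENT_CERT_CHAIN_$i"];
    }
    return $pems;
}

// One row per certificate, plus a check that each entry is really signed by the next.
// This only confirms the linkage for display/audit: trust anchors, revocation and
// validity are still mod_ssl's job (SSLVerifyClient / SSLCACertificateFile).
function describeChain(array $pems): array
{
    $rows = [];
    foreach ($pems as $i => $pem) {
        $cert = openssl_x509_parse($pem);
        if ($cert === false) {
            throw new RuntimeException("chain entry $i is not a parseable X.509 certificate");
        }
        $signedByNext = null;  // stays null for the last entry (root, or a truncated chain)
        if (isset($pems[$i + 1])) {
            // openssl_pkey_get_public() accepts a PEM certificate and extracts its public key.
            $issuerKey = openssl_pkey_get_public($pems[$i + 1]);
            $signedByNext = $issuerKey !== false && openssl_x509_verify($pem, $issuerKey) === 1;
        }
        $rows[] = [
            'subject'      => $cert['name'],
            'issuer'       => $cert['issuer']['CN'] ?? '',
            'isCA'         => strpos($cert['extensions']['basicConstraints'] ?? '', 'CA:TRUE') !== false,
            'notAfter'     => gmdate(DATE_ATOM, $cert['validTo_time_t']),
            'signedByNext' => $signedByNext,
        ];
    }
    return $rows;
}

$pems = (PHP_SAPI === 'cli' && count($argv) > 1)  // from the CLI, pass PEM files leaf first
    ? array_map('file_get_contents', array_slice($argv, 1))
    : clientChainPems($_SERVER);
print_r(describeChain($pems));
```

A `signedByNext` of false on any row means the chain mod_ssl handed over does not link up at that point, which is worth logging even though Apache already made the accept/reject decision.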
