Jump to content

Recommended Posts

I've been trying to figure out how to get $_SERVER['SSL_CLIENT_CERT'] into a way I can extract some of the x.509 certificate attributes. Unfortunately, the Apache variables and the PHP OpenSSL functions don't have a way to display the certificate "Key Usage" attributes.

Link to comment
https://forums.phpfreaks.com/topic/314389-using-apache-variables-in-php-openssl/
Share on other sites

1 hour ago, requinix said:

openssl_x509_parse looks relevant. What have you tried with that?

"tried" yes. Succeeded? Not so much. I probably doing it wrong by trying to shove $_SERVER['SSL_CLIENT_CERT'] into another variable that I use in that function. My BASH brain kicks in so it possibly might have something to do with syntax.

Requinix suggested you use a function to pull the information directly from the cert.  $_SERVER is an array created by php for you.  It's not going to figure into using openssl_x509_parse.

 

$cert = openssl_x509_parse(file_get_contents('/path/to/cert.crt'));
var_dump($cert);

$cert would be an array of the various items from the cert.  

If you are using PHP 8, I believe you would instead have to use:

$certObj = openssl_x509_read(file_get_contents('/path/to/cert.crt'));

$cert = openssl_x509_parse($certObj);
var_dump($cert);

I believe the SSL_CLIENT_CERT value is the cert as a string, so try plugging that into what gizmola showed.

Beyond that, if you have problems getting code to work, then posting that code would make it a lot easier for us to help fix it.

So, this gets me the screenshot...

<?php

$certObj = openssl_x509_read(file_get_contents($_SERVER['SSL_CLIENT_CERT']));

$cert = openssl_x509_parse($certObj);
var_dump($cert);

printf("<br><br><br>");
printf("SSL_CLIENT_M_SERIAL:\t%s<br>\n",$_SERVER['SSL_CLIENT_M_SERIAL']);
printf("SSL_CLIENT_S_DN:\t%s<br>\n",$_SERVER['SSL_CLIENT_S_DN']);
printf("SSL_CLIENT_S_DN_CN:\t%s<br>\n",$_SERVER['SSL_CLIENT_S_DN_CN']);
printf("SSL_CLIENT_SAN_Email_0:\t%s<br>\n",$_SERVER['SSL_CLIENT_SAN_Email_0']);
printf("SSL_CLIENT_SAN_OTHER_msUPN_0:\t%s<br>\n",$_SERVER['SSL_CLIENT_SAN_OTHER_msUPN_0']);
printf("SSL_CLIENT_SAN_DNS_0:\t%s<br>\n",$_SERVER['SSL_CLIENT_SAN_DNS_0']);
printf("SSL_CLIENT_CERT_RFC4523_CEA:\t%s<br>\n",$_SERVER['SSL_CLIENT_CERT_RFC4523_CEA']);

printf("####\tSSL_CLIENT_CERT_CHAIN_0\t####<br>\n%s<br>\n",$_SERVER['SSL_CLIENT_CERT_CHAIN_0']);
printf("####\tSSL_CLIENT_CERT\t####<br>\n%s<br>\n",$_SERVER['SSL_CLIENT_CERT']);

$certObj = openssl_x509_read(file_get_contents($_SERVER['SSL_CLIENT_CERT']));

$cert = openssl_x509_parse($certObj);
var_dump($cert);

phpinfo();
?>

 

Screen Shot 2022-01-07 at 22.05.12.jpg

 

I'm trying to figure out how to do the equivalent of `openssl x509 -text -noout`.

Edited by Bako

I see... Any keywords I should google on figuring out this nested array type thing? Trying to get the subjectAltName

Below is the output of this...

$certObj = openssl_x509_read(file_get_contents($_SERVER['SSL_CLIENT_CERT']));

#$cert = openssl_x509_parse($certObj);
$cert = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
var_dump($cert);
printf("<br><br><br>");
print_r(array_values($cert));
printf("<br><br><br>");

Output:

array(16) {
  ["name"]=>
  string(40) "/emailAddress=boyd.hanalei.ako@gmail.com"
  ["subject"]=>
  array(1) {
    ["emailAddress"]=>
    string(26) "boyd.hanalei.ako@gmail.com"
  }
  ["hash"]=>
  string(8) "29c7144b"
  ["issuer"]=>
  array(5) {
    ["C"]=>
    string(2) "GB"
    ["ST"]=>
    string(18) "Greater Manchester"
    ["L"]=>
    string(7) "Salford"
    ["O"]=>
    string(15) "Sectigo Limited"
    ["CN"]=>
    string(53) "Sectigo RSA Client Authentication and Secure Email CA"
  }
  ["version"]=>
  int(2)
  ["serialNumber"]=>
  string(39) "293838373167574313158409699983802423973"
  ["serialNumberHex"]=>
  string(32) "DD0F3650BAF3404F9B84A0AB065EDAA5"
  ["validFrom"]=>
  string(13) "201206000000Z"
  ["validTo"]=>
  string(13) "231206235959Z"
  ["validFrom_time_t"]=>
  int(1607212800)
  ["validTo_time_t"]=>
  int(1701907199)
  ["signatureTypeSN"]=>
  string(10) "RSA-SHA256"
  ["signatureTypeLN"]=>
  string(23) "sha256WithRSAEncryption"
  ["signatureTypeNID"]=>
  int(668)
  ["purposes"]=>
  array(9) {
    [1]=>
    array(3) {
      [0]=>
      bool(true)
      [1]=>
      bool(false)
      [2]=>
      string(9) "sslclient"
    }
    [2]=>
    array(3) {
      [0]=>
      bool(false)
      [1]=>
      bool(false)
      [2]=>
      string(9) "sslserver"
    }
    [3]=>
    array(3) {
      [0]=>
      bool(false)
      [1]=>
      bool(false)
      [2]=>
      string(11) "nssslserver"
    }
    [4]=>
    array(3) {
      [0]=>
      bool(true)
      [1]=>
      bool(false)
      [2]=>
      string(9) "smimesign"
    }
    [5]=>
    array(3) {
      [0]=>
      bool(true)
      [1]=>
      bool(false)
      [2]=>
      string(12) "smimeencrypt"
    }
    [6]=>
    array(3) {
      [0]=>
      bool(false)
      [1]=>
      bool(false)
      [2]=>
      string(7) "crlsign"
    }
    [7]=>
    array(3) {
      [0]=>
      bool(true)
      [1]=>
      bool(true)
      [2]=>
      string(3) "any"
    }
    [8]=>
    array(3) {
      [0]=>
      bool(true)
      [1]=>
      bool(false)
      [2]=>
      string(10) "ocsphelper"
    }
    [9]=>
    array(3) {
      [0]=>
      bool(false)
      [1]=>
      bool(false)
      [2]=>
      string(13) "timestampsign"
    }
  }
  ["extensions"]=>
  array(9) {
    ["authorityKeyIdentifier"]=>
    string(66) "keyid:09:C0:F2:FC:0B:DA:94:DB:5F:FE:2B:DF:A8:99:42:CF:C9:E0:AD:00
"
    ["subjectKeyIdentifier"]=>
    string(59) "59:A6:57:6E:04:AE:FB:2B:2F:36:CA:7F:1B:8E:C9:D0:44:A4:71:59"
    ["keyUsage"]=>
    string(35) "Digital Signature, Key Encipherment"
    ["basicConstraints"]=>
    string(8) "CA:FALSE"
    ["extendedKeyUsage"]=>
    string(48) "E-mail Protection, TLS Web Client Authentication"
    ["certificatePolicies"]=>
    string(66) "Policy: 1.3.6.1.4.1.6449.1.2.1.1.1
  CPS: https://sectigo.com/CPS
"
    ["crlDistributionPoints"]=>
    string(92) "
Full Name:
  URI:http://crl.sectigo.com/SectigoRSAClientAuthenticationandSecureEmailCA.crl
"
    ["authorityInfoAccess"]=>
    string(126) "CA Issuers - URI:http://crt.sectigo.com/SectigoRSAClientAuthenticationandSecureEmailCA.crt
OCSP - URI:http://ocsp.sectigo.com
"
    ["subjectAltName"]=>
    string(32) "email:boyd.hanalei.ako@gmail.com"
  }
}
<br><br><br>Array
(
    [0] => /emailAddress=boyd.hanalei.ako@gmail.com
    [1] => Array
        (
            [emailAddress] => boyd.hanalei.ako@gmail.com
        )

    [2] => 29c7144b
    [3] => Array
        (
            [C] => GB
            [ST] => Greater Manchester
            [L] => Salford
            [O] => Sectigo Limited
            [CN] => Sectigo RSA Client Authentication and Secure Email CA
        )

    [4] => 2
    [5] => 293838373167574313158409699983802423973
    [6] => DD0F3650BAF3404F9B84A0AB065EDAA5
    [7] => 201206000000Z
    [8] => 231206235959Z
    [9] => 1607212800
    [10] => 1701907199
    [11] => RSA-SHA256
    [12] => sha256WithRSAEncryption
    [13] => 668
    [14] => Array
        (
            [1] => Array
                (
                    [0] => 1
                    [1] => 
                    [2] => sslclient
                )

            [2] => Array
                (
                    [0] => 
                    [1] => 
                    [2] => sslserver
                )

            [3] => Array
                (
                    [0] => 
                    [1] => 
                    [2] => nssslserver
                )

            [4] => Array
                (
                    [0] => 1
                    [1] => 
                    [2] => smimesign
                )

            [5] => Array
                (
                    [0] => 1
                    [1] => 
                    [2] => smimeencrypt
                )

            [6] => Array
                (
                    [0] => 
                    [1] => 
                    [2] => crlsign
                )

            [7] => Array
                (
                    [0] => 1
                    [1] => 1
                    [2] => any
                )

            [8] => Array
                (
                    [0] => 1
                    [1] => 
                    [2] => ocsphelper
                )

            [9] => Array
                (
                    [0] => 
                    [1] => 
                    [2] => timestampsign
                )

        )

    [15] => Array
        (
            [authorityKeyIdentifier] => keyid:09:C0:F2:FC:0B:DA:94:DB:5F:FE:2B:DF:A8:99:42:CF:C9:E0:AD:00

            [subjectKeyIdentifier] => 59:A6:57:6E:04:AE:FB:2B:2F:36:CA:7F:1B:8E:C9:D0:44:A4:71:59
            [keyUsage] => Digital Signature, Key Encipherment
            [basicConstraints] => CA:FALSE
            [extendedKeyUsage] => E-mail Protection, TLS Web Client Authentication
            [certificatePolicies] => Policy: 1.3.6.1.4.1.6449.1.2.1.1.1
  CPS: https://sectigo.com/CPS

            [crlDistributionPoints] => 
Full Name:
  URI:http://crl.sectigo.com/SectigoRSAClientAuthenticationandSecureEmailCA.crl

            [authorityInfoAccess] => CA Issuers - URI:http://crt.sectigo.com/SectigoRSAClientAuthenticationandSecureEmailCA.crt
OCSP - URI:http://ocsp.sectigo.com

            [subjectAltName] => email:boyd.hanalei.ako@gmail.com
        )

)

 

49 minutes ago, Bako said:

I see... Any keywords I should google on figuring out this nested array type thing? Trying to get the subjectAltName

All you'll be able to find on Google is people saying that it's as simple as looking at the hierarchy your var_dump() output is showing you:

array(16) {   <--- this is $cert
  ...
  ["extensions"]=>   <--- this is $cert["extensions"]
  array(9) {
    ...
    ["subjectAltName"]=>   <--- this is $cert["extensions"]["subjectAltName"]
    string(32) "email:boyd.hanalei.ako@gmail.com"

 

$cert = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
var_dump($cert);
printf("<br><br><br>");
print_r(array_values($cert));
printf("<br><br><br>");
sanext=print_r(array_values($cert[extensions][subjectAltName]));
printf("\n\n### %s\n\n\n",$sanext;
printf("<br><br><br>");

 

.... What am I doing wrong...

print_r is a debugging tool, so you can evaluate the contents of variables on the path to your final solution.

Array keys require either a numeric index, or a string key.  If it's a string key, you need to put quotes around the key:

$cert = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
echo $cert['extensions']['subjectAltName'];

 

Thanks @gizmola and @requinix for dealing with my noobness. I'd buy you a cup of coffee if I could.

 

So, now I'm trying to figure out displaying the PKCS7 stuff. Below isn't quite working.

pkcs7 = openssl_pkcs7_read($_SERVER['SSL_CLIENT_CERT_CHAIN_0']);
print_r(array_values($pkcs7));

 

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.