问题
In my ongoing struggle with public key crypto i ran into a snag that's possibly beyond my expertise with parsing CSR's:
I have not been able to get phpseclib to X509->loadCSR() this chunk from a MS server 2012r2 CA:
# more file
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIFGDCCAwACAQAwOjEWMBQGCgmSJomT8ixkARkWBnNlY3VyZTEgMB4GA1UEAxMX
LlNlY3VyZSBFbnRlcnByaXNlIENBIDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
ggIKAoICAQCzgEpL+Za7a3y7YpURDrxlGIBlks25fD0tHaZIYkBTaXA5h+9MWoXn
FA7AlIUt8pbBvXdJbOCmGaeQmBfBH0Qy9vTbx/DR2IOwzqy2ZHuurI5bPL12ceE2
Mxa9xgY/i7U6MAUtoA3amEd7cKj2fz9EWZruRladOX0DXv9KexSan+45QjCWH+u2
Cxem2zH9ZDNPGBuAF9YsAvkdHdAoX8aSm05ZAjUiO2e/+L57whh7zZiDY3WIhin7
N/2JNTKVO6lx50S8a34XUKBt3SKgSR941hcLrBYUNftUYsTPo40bzKKcWqemiH+w
jQiDrln4V2b5EbVeoGWe4UDPXCVmC6UPklG7iYfF0eeK4ujV8uc9PtV2LvGLOFdm
AYE3+FAba5byQATw/DY8EJKQ7ptPigJhVe47NNeJlsKwk1haJ9k8ZazjS+vT45B5
pqe0yBFAEon8TFnOLnAOblmKO12i0zqMUNAAlmr1c8jNjLr+dhruS+QropZmzZ24
mAnFG+Y0qpfhMzAxTGQyVjyGwDfRK/ARmtrGpmROjj5+6VuMmZ6Ljf3xN09epmtH
gJe+lYNBlpfUYg16tm+OusnziYnXL6nIo2ChOY/7GNJJif9fjvvaPDCC98K64av5
5rpIx7N/XH4hwHeQQkEQangExE+8UMyBNFNmvPnIHVHUZdYo4SLsYwIDAQABoIGY
MBsGCisGAQQBgjcNAgMxDRYLNi4zLjk2MDAuMi4weQYJKoZIhvcNAQkOMWwwajAQ
BgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQU5nEIMEUT5mMd1WepmviwgK7dIzww
GQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB
/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAKZl6bAeaID3b/ic4aztL8ZZI7vi
D3A9otUKx6v1Xe63zDPR+DiWSnxb9m+l8OPtnWkcLkzEIM/IMWorHKUAJ/J871D0
Qx+0/HbkcrjMtVu/dNrtb9Z9CXup66ZvxTPcpEziq0/n2yw8QdBaa+lli65Qcwcy
tzMQK6WQTRYfvVCIX9AKcPKxwx1DLH+7hL/bERB1lUDu59Jx6fQfqJrFVOY2N8c0
MGvurfoHGmEoyCMIyvmIMu4+/wSNEE/sSDp4lZ6zuF6rf1m0GiLdTX2XJE+gfvep
JTFmp4S3WFqkszKvaxBIT+jV0XKTNDwnO+dpExwU4jZUh18CdEFkIUuQb0gFF8B7
WJFVpNdsRqZRPBz83BW1Kjo0yAmaoTrGNmG0p6Qf3K2zbk1+Jik3VZq4rvKoTi20
6RvLA2//cMNfkYPsuqvoHGe2e0GOLtIB63wJzloWROpb72ohEHsvCKullIJVSuiS
9sfTBAenHCyndgAEd4T3npTUdaiNumVEm5ilZId7LAYekJhkgFu3vlcl8blBJKjE
skVTp7JpBmdXCL/G/6H2SFjca4JMOAy3DxwlGdgneIaXazHs5nBK/BgKPIyPzZ4w
secxBTTCNgI48YezK3GDkn65cmlnkt6F6Mf0MwoDaXTuB88Jycbwb5ihKnHEJIsO
draiRBZruwMPwPIP
-----END NEW CERTIFICATE REQUEST-----
# openssl req -in file -noout -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: DC=secure, CN=.Secure Enterprise CA 1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:b3:80:4a:4b:f9:96:bb:6b:7c:bb:62:95:11:0e:
bc:65:18:80:65:92:cd:b9:7c:3d:2d:1d:a6:48:62:
40:53:69:70:39:87:ef:4c:5a:85:e7:14:0e:c0:94:
85:2d:f2:96:c1:bd:77:49:6c:e0:a6:19:a7:90:98:
17:c1:1f:44:32:f6:f4:db:c7:f0:d1:d8:83:b0:ce:
ac:b6:64:7b:ae:ac:8e:5b:3c:bd:76:71:e1:36:33:
16:bd:c6:06:3f:8b:b5:3a:30:05:2d:a0:0d:da:98:
47:7b:70:a8:f6:7f:3f:44:59:9a:ee:46:56:9d:39:
7d:03:5e:ff:4a:7b:14:9a:9f:ee:39:42:30:96:1f:
eb:b6:0b:17:a6:db:31:fd:64:33:4f:18:1b:80:17:
d6:2c:02:f9:1d:1d:d0:28:5f:c6:92:9b:4e:59:02:
35:22:3b:67:bf:f8:be:7b:c2:18:7b:cd:98:83:63:
75:88:86:29:fb:37:fd:89:35:32:95:3b:a9:71:e7:
44:bc:6b:7e:17:50:a0:6d:dd:22:a0:49:1f:78:d6:
17:0b:ac:16:14:35:fb:54:62:c4:cf:a3:8d:1b:cc:
a2:9c:5a:a7:a6:88:7f:b0:8d:08:83:ae:59:f8:57:
66:f9:11:b5:5e:a0:65:9e:e1:40:cf:5c:25:66:0b:
a5:0f:92:51:bb:89:87:c5:d1:e7:8a:e2:e8:d5:f2:
e7:3d:3e:d5:76:2e:f1:8b:38:57:66:01:81:37:f8:
50:1b:6b:96:f2:40:04:f0:fc:36:3c:10:92:90:ee:
9b:4f:8a:02:61:55:ee:3b:34:d7:89:96:c2:b0:93:
58:5a:27:d9:3c:65:ac:e3:4b:eb:d3:e3:90:79:a6:
a7:b4:c8:11:40:12:89:fc:4c:59:ce:2e:70:0e:6e:
59:8a:3b:5d:a2:d3:3a:8c:50:d0:00:96:6a:f5:73:
c8:cd:8c:ba:fe:76:1a:ee:4b:e4:2b:a2:96:66:cd:
9d:b8:98:09:c5:1b:e6:34:aa:97:e1:33:30:31:4c:
64:32:56:3c:86:c0:37:d1:2b:f0:11:9a:da:c6:a6:
64:4e:8e:3e:7e:e9:5b:8c:99:9e:8b:8d:fd:f1:37:
4f:5e:a6:6b:47:80:97:be:95:83:41:96:97:d4:62:
0d:7a:b6:6f:8e:ba:c9:f3:89:89:d7:2f:a9:c8:a3:
60:a1:39:8f:fb:18:d2:49:89:ff:5f:8e:fb:da:3c:
30:82:f7:c2:ba:e1:ab:f9:e6:ba:48:c7:b3:7f:5c:
7e:21:c0:77:90:42:41:10:6a:78:04:c4:4f:bc:50:
cc:81:34:53:66:bc:f9:c8:1d:51:d4:65:d6:28:e1:
22:ec:63
Exponent: 65537 (0x10001)
Attributes:
1.3.6.1.4.1.311.13.2.3 :6.3.9600.2.
Requested Extensions:
1.3.6.1.4.1.311.21.1:
...
X509v3 Subject Key Identifier:
E6:71:08:30:45:13:E6:63:1D:D5:67:A9:9A:F8:B0:80:AE:DD:23:3C
1.3.6.1.4.1.311.20.2: ..S.u.b.C.A
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
a6:65:e9:b0:1e:68:80:f7:6f:f8:9c:e1:ac:ed:2f:c6:59:23:
bb:e2:0f:70:3d:a2:d5:0a:c7:ab:f5:5d:ee:b7:cc:33:d1:f8:
38:96:4a:7c:5b:f6:6f:a5:f0:e3:ed:9d:69:1c:2e:4c:c4:20:
cf:c8:31:6a:2b:1c:a5:00:27:f2:7c:ef:50:f4:43:1f:b4:fc:
76:e4:72:b8:cc:b5:5b:bf:74:da:ed:6f:d6:7d:09:7b:a9:eb:
a6:6f:c5:33:dc:a4:4c:e2:ab:4f:e7:db:2c:3c:41:d0:5a:6b:
e9:65:8b:ae:50:73:07:32:b7:33:10:2b:a5:90:4d:16:1f:bd:
50:88:5f:d0:0a:70:f2:b1:c3:1d:43:2c:7f:bb:84:bf:db:11:
10:75:95:40:ee:e7:d2:71:e9:f4:1f:a8:9a:c5:54:e6:36:37:
c7:34:30:6b:ee:ad:fa:07:1a:61:28:c8:23:08:ca:f9:88:32:
ee:3e:ff:04:8d:10:4f:ec:48:3a:78:95:9e:b3:b8:5e:ab:7f:
59:b4:1a:22:dd:4d:7d:97:24:4f:a0:7e:f7:a9:25:31:66:a7:
84:b7:58:5a:a4:b3:32:af:6b:10:48:4f:e8:d5:d1:72:93:34:
3c:27:3b:e7:69:13:1c:14:e2:36:54:87:5f:02:74:41:64:21:
4b:90:6f:48:05:17:c0:7b:58:91:55:a4:d7:6c:46:a6:51:3c:
1c:fc:dc:15:b5:2a:3a:34:c8:09:9a:a1:3a:c6:36:61:b4:a7:
a4:1f:dc:ad:b3:6e:4d:7e:26:29:37:55:9a:b8:ae:f2:a8:4e:
2d:b4:e9:1b:cb:03:6f:ff:70:c3:5f:91:83:ec:ba:ab:e8:1c:
67:b6:7b:41:8e:2e:d2:01:eb:7c:09:ce:5a:16:44:ea:5b:ef:
6a:21:10:7b:2f:08:ab:a5:94:82:55:4a:e8:92:f6:c7:d3:04:
07:a7:1c:2c:a7:76:00:04:77:84:f7:9e:94:d4:75:a8:8d:ba:
65:44:9b:98:a5:64:87:7b:2c:06:1e:90:98:64:80:5b:b7:be:
57:25:f1:b9:41:24:a8:c4:b2:45:53:a7:b2:69:06:67:57:08:
bf:c6:ff:a1:f6:48:58:dc:6b:82:4c:38:0c:b7:0f:1c:25:19:
d8:27:78:86:97:6b:31:ec:e6:70:4a:fc:18:0a:3c:8c:8f:cd:
9e:30:b1:e7:31:05:34:c2:36:02:38:f1:87:b3:2b:71:83:92:
7e:b9:72:69:67:92:de:85:e8:c7:f4:33:0a:03:69:74:ee:07:
cf:09:c9:c6:f0:6f:98:a1:2a:71:c4:24:8b:0e:76:b6:a2:44:
16:6b:bb:03:0f:c0:f2:0f
I added the mystery vendor specific OID's to the OID list in hopes that would get me somewhere:
// the following are X.509 extensions not supported by phpseclib
'1.3.6.1.5.5.7.1.12' => 'id-pe-logotype',
'1.3.6.1.4.1.311.13.2.3' => 'szOID_OS_VERSION',
'1.3.6.1.4.1.311.20.2' => 'szOID_ENROLL_CERTTYPE_EXTENSION',
'1.3.6.1.4.1.311.21.1' => 'szOID_CERTSRV_CA_VERSION',
But I am unable to get past this part of the loadCSR() function:
$asn1->loadOIDs($this->oids);
$decoded = $asn1->decodeBER($csr);
//... $decoded contains content, but turns into binary junk in the middle
$csr = $asn1->asn1map($decoded[0], $this->CertificationRequest);
if (!isset($csr) || $csr === false) {
Apparently the asn1map function does not like the garbage in the middle of $decoded??? Not sure if there is some kind of way to go about debugging this I am missing, but I dont know enough about BER decoding and asn1 mapping to correct the issue on my own =(
Pretty please help, I really love this library (i use it for so many great things) and would like to use it to authorize enterprise CA's from my offline Linux Root CA with a really awesome php web frontend ;D
回答1:
The problem is that phpseclib does not appear to support the "Requested Extensions" block that openssl req is showing. A quick Google search suggests that CSR's are governed by PKCS10 and that the "Requested Extensions" block is governed by PKCS9. I'll contact the author and see what can be done about addressing this.
In the mean time, a quick workaround is this:
#
#-----[ OPEN ]------------------------------------------
#
File/ASN1.php
#
#-----[ FIND ]------------------------------------------
#
return $i < $n? null: $map;
#
#-----[ REPLACE WITH ]----------------------------------
#
return $map;
来源:https://stackoverflow.com/questions/28662336/phpseclib-cant-parse-csr-from-microsoft-ca