PHP. PHP Manual. 2005

XCIV. OpenSSL Functions

Introduction

This module uses the functions of OpenSSL for generation and verification of signatures and for sealing (encrypting) and opening (decrypting) data. OpenSSL offers many features that this module currently doesn't support. Some of these may be added in the future.

Requirements

In order to use the OpenSSL functions you need to install the OpenSSL package. PHP between versions 4.0.5 and 4.3.1 will work with OpenSSL >= 0.9.5. Other versions (PHP <= 4.0.4pl1 and >= 4.3.2) require OpenSSL >= 0.9.6.

Warning

You are strongly encouraged to use the most recent OpenSSL version, otherwise your web server could be vulnerable to attack.

Installation

To use PHP's OpenSSL support you must also compile PHP --with-openssl[=DIR].

Note to Win32 Users:

In order to enable this module on a Windows environment, you must copy libeay32.dll from the DLL folder of the PHP/Win32 binary package to the SYSTEM32 folder of your Windows machine. (Ex: C:\WINNT\SYSTEM32 or C:\WINDOWS\SYSTEM32)

Additionally, if you are planning to use the key generation and certificate signing functions, you will need to install a valid openssl.cnf on your system. As of PHP 4.3.0, we include a sample configuration file in the openssl folder of our win32 binary distribution. If you are using PHP 4.2.0 or later and are missing the file, you can obtain it from the OpenSSL home page or by downloading the PHP 4.3.0 release and using the configuration file from there.

Note to Win32 Users:

PHP will search for the openssl.cnf using the following logic:

  • the OPENSSL_CONF environmental variable, if set, will be used as the path (including filename) of the configuration file.

  • the SSLEAY_CONF environmental variable, if set, will be used as the path (including filename) of the configuration file.

  • The file openssl.cnf will be assumed to be found in the default certificate area, as configured at the time that the openssl DLL was compiled. This usually means that the default filename is c:\usr\local\ssl\openssl.cnf.

In your installation, you need to decide whether to install the configuration file at c:\usr\local\ssl\openssl.cnf or whether to install it someplace else and use environmental variables (possibly on a per-virtual-host basis) to locate the configuration file. Note that it is possible to override the default path from the script using the configargs of the functions that require a configuration file.

Runtime Configuration

This extension does not define any configuration directives in php.ini.

Resource Types

Key/Certificate parameters

Quite a few of the openssl functions require a key or a certificate parameter. PHP 4.0.5 and earlier have to use a key or certificate resource returned by one of the openssl_get_xxx functions. Later versions may use one of the following methods:

  • Certificates
    1. An X.509 resource returned from openssl_x509_read()
    2. A string having the format file://path/to/cert.pem; the named file must contain a PEM encoded certificate
    3. A string containing the content of a certificate, PEM encoded

  • Public/Private Keys
    1. A key resource returned from openssl_get_publickey() or openssl_get_privatekey()
    2. For public keys only: an X.509 resource
    3. A string having the format file://path/to/file.pem; the named file must contain a PEM encoded certificate/private key (it may contain both)
    4. A string containing the content of a certificate/key, PEM encoded
    5. For private keys, you may also use the syntax array($key, $passphrase) where $key represents a key specified using the file:// or textual content notation above, and $passphrase represents a string containing the passphrase for that private key
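The parameter forms listed above, exercised end to end in an added example (not part of the original manual). The DN, passphrase and message are constructed values, and OPENSSL_ALGO_SHA256 assumes a PHP release newer than the edition this page documents. The example also relies on openssl_verify() returning 1 for a valid signature, 0 for an invalid one and -1 on error, which is why the result is compared with === 1.

```php
<?php
// Added example: every value below (DN, passphrase, message) is constructed.
$pass = 'constructed-passphrase';
$data = 'constructed message';

// Throwaway RSA key and a self-signed certificate valid for one day.
$key = openssl_pkey_new(array(
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
));
if ($key === false) {
    exit('key generation failed: ' . openssl_error_string() . "\n");
}
$csr  = openssl_csr_new(array('commonName' => 'example.test'), $key);
$cert = openssl_csr_sign($csr, null, $key, 1);

// Export both to PEM text; the private key is protected by the passphrase.
openssl_pkey_export($key, $keyPem, $pass);
openssl_x509_export($cert, $certPem);
$certFile = tempnam(sys_get_temp_dir(), 'crt');
file_put_contents($certFile, $certPem);

// Private key given as array($key, $passphrase), with $key as PEM text.
if (!openssl_sign($data, $sig, array($keyPem, $pass), OPENSSL_ALGO_SHA256)) {
    exit('signing failed: ' . openssl_error_string() . "\n");
}

// The same public key supplied in three of the accepted forms.
$forms = array(
    'X.509 resource' => $cert,
    'PEM string'     => $certPem,
    'file:// path'   => 'file://' . $certFile,
);
foreach ($forms as $label => $pub) {
    // openssl_verify() returns 1, 0 or -1; a loose truth test would
    // treat the -1 error result as success.
    $r = openssl_verify($data, $sig, $pub, OPENSSL_ALGO_SHA256);
    echo $label, ': ', ($r === 1 ? 'valid' : 'rejected'), "\n";
}

// A modified message must not verify, and a wrong passphrase must not sign.
$tampered = openssl_verify($data . 'x', $sig, $certPem, OPENSSL_ALGO_SHA256);
echo 'tampered message: ', ($tampered === 1 ? 'valid' : 'rejected'), "\n";
$bad = @openssl_sign($data, $sig2, array($keyPem, 'wrong'), OPENSSL_ALGO_SHA256);
echo 'wrong passphrase: ', ($bad ? 'signed' : 'refused'), "\n";

unlink($certFile);
```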

Certificate Verification

When calling a function that will verify a signature/certificate, the cainfo parameter is an array containing file and directory names that specify the locations of trusted CA files. If a directory is specified, then it must be a correctly formed hashed directory as the openssl command would use.

Predefined Constants

The constants listed below are defined by this extension and are available only if PHP was built with support for this extension or if the extension is loaded dynamically at run time.

Purpose checking flags

  • X509_PURPOSE_SSL_CLIENT (integer)
  • X509_PURPOSE_SSL_SERVER (integer)
  • X509_PURPOSE_NS_SSL_SERVER (integer)
  • X509_PURPOSE_SMIME_SIGN (integer)
  • X509_PURPOSE_SMIME_ENCRYPT (integer)
  • X509_PURPOSE_CRL_SIGN (integer)
  • X509_PURPOSE_ANY (integer)

Padding flags

  • OPENSSL_PKCS1_PADDING (integer)
  • OPENSSL_SSLV23_PADDING (integer)
  • OPENSSL_NO_PADDING (integer)
  • OPENSSL_PKCS1_OAEP_PADDING (integer)

Key types

  • OPENSSL_KEYTYPE_RSA (integer)
  • OPENSSL_KEYTYPE_DSA (integer)
  • OPENSSL_KEYTYPE_DH (integer)

PKCS7 Flags/Constants

The S/MIME functions make use of flags which are specified using a bitfield which can include one or more of the following values:

Table 1. PKCS7 CONSTANTS

| Constant | Description |
|---|---|
| PKCS7_TEXT | Adds text/plain content type headers to encrypted/signed message. If decrypting or verifying, it strips those headers from the output - if the decrypted or verified message is not of MIME type text/plain then an error will occur. |
| PKCS7_BINARY | Normally the input message is converted to "canonical" format which is effectively using CR and LF as end of line: as required by the S/MIME specification. When this option is present, no translation occurs. This is useful when handling binary data which may not be in MIME format. |
| PKCS7_NOINTERN | When verifying a message, certificates (if any) included in the message are normally searched for the signing certificate. With this option only the certificates specified in the extracerts parameter of openssl_pkcs7_verify() are used. The supplied certificates can still be used as untrusted CAs however. |
| PKCS7_NOVERIFY | Do not verify the signer's certificate of a signed message. |
| PKCS7_NOCHAIN | Do not chain verification of signers' certificates: that is, don't use the certificates in the signed message as untrusted CAs. |
| PKCS7_NOCERTS | When signing a message the signer's certificate is normally included - with this option it is excluded. This will reduce the size of the signed message but the verifier must have a copy of the signer's certificate available locally (passed using the extracerts to openssl_pkcs7_verify() for example). |
| PKCS7_NOATTR | Normally when a message is signed, a set of attributes are included which include the signing time and the supported symmetric algorithms. With this option they are not included. |
| PKCS7_DETACHED | When signing a message, use cleartext signing with the MIME type multipart/signed. This is the default if you do not specify any flags to openssl_pkcs7_sign(). If you turn this option off, the message will be signed using opaque signing, which is more resistant to translation by mail relays but cannot be read by mail agents that do not support S/MIME. |
| PKCS7_NOSIGS | Don't try to verify the signatures on a message. |

Note: These constants were added in 4.0.6.

Table of Contents

openssl_csr_export_to_file -- Exports a CSR to a file
openssl_csr_export -- Exports a CSR as a string
openssl_csr_new -- Generates a CSR
openssl_csr_sign -- Sign a CSR with another certificate (or itself) and generate a certificate
openssl_error_string -- Return openSSL error message
openssl_free_key -- Free key resource
openssl_get_privatekey -- Alias of openssl_pkey_get_private()
openssl_get_publickey -- Alias of openssl_pkey_get_public()
openssl_open -- Open sealed data
openssl_pkcs7_decrypt -- Decrypts an S/MIME encrypted message
openssl_pkcs7_encrypt -- Encrypt an S/MIME message
openssl_pkcs7_sign -- Sign an S/MIME message
openssl_pkcs7_verify -- Verifies the signature of an S/MIME signed message
openssl_pkey_export_to_file -- Gets an exportable representation of a key into a file
openssl_pkey_export -- Gets an exportable representation of a key into a string
openssl_pkey_free -- Frees a private key
openssl_pkey_get_private -- Get a private key
openssl_pkey_get_public -- Extract public key from certificate and prepare it for use
openssl_pkey_new -- Generates a new private key
openssl_private_decrypt -- Decrypts data with private key
openssl_private_encrypt -- Encrypts data with private key
openssl_public_decrypt -- Decrypts data with public key
openssl_public_encrypt -- Encrypts data with public key
openssl_seal -- Seal (encrypt) data
openssl_sign -- Generate signature
openssl_verify -- Verify signature
openssl_x509_check_private_key -- Checks if a private key corresponds to a certificate
openssl_x509_checkpurpose -- Verifies if a certificate can be used for a particular purpose
openssl_x509_export_to_file -- Exports a certificate to file
openssl_x509_export -- Exports a certificate as a string
openssl_x509_free -- Free certificate resource
openssl_x509_parse -- Parse an X509 certificate and return the information as an array
openssl_x509_read -- Parse an X.509 certificate and return a resource identifier for it
