Spomky-Labs/Pki-Framework is a PHP framework for working with public key infrastructure (PKI). It provides the ASN.1, X.501 and X.509 building blocks for parsing, creating and signing digital certificates, certification requests and related structures, and for validating certification paths. It does not generate keys itself: key material comes from OpenSSL (the PHP openssl extension or the CLI) and is loaded from PEM. The following guide walks through creating a certificate authority (CA), issuing end-entity certificates, validating them and handling revocation lists with this framework.
First, install Spomky-Labs/Pki-Framework with Composer:
composer require spomky-labs/pki-framework
To create a certificate authority (CA) you need a self-signed root certificate. Generate the RSA key with the openssl extension, load it into the framework, build the TBSCertificate with CA extensions, and self-sign it. Note that TBSCertificate::create() takes no extension argument; extensions are added with withAdditionalExtensions(), and a serial number has to be set explicitly (RFC 5280 requires a positive, unique serial; the default is not acceptable). Example:
<?php
require 'vendor/autoload.php';

use SpomkyLabs\Pki\CryptoEncoding\PEM;
use SpomkyLabs\Pki\CryptoTypes\AlgorithmIdentifier\Signature\SHA256WithRSAEncryptionAlgorithmIdentifier;
use SpomkyLabs\Pki\CryptoTypes\Asymmetric\PrivateKey;
use SpomkyLabs\Pki\X501\ASN1\Name;
use SpomkyLabs\Pki\X509\Certificate\Extension\BasicConstraintsExtension;
use SpomkyLabs\Pki\X509\Certificate\Extension\KeyUsageExtension;
use SpomkyLabs\Pki\X509\Certificate\Extension\SubjectKeyIdentifierExtension;
use SpomkyLabs\Pki\X509\Certificate\TBSCertificate;
use SpomkyLabs\Pki\X509\Certificate\Validity;

// Generate the key pair with OpenSSL and export it as PEM; the framework only parses and signs
$res = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($res, $keyPem);
// Load the private key; the public key info is derived from it
$privateKey = PrivateKey::fromPEM(PEM::fromString($keyPem))->privateKeyInfo();
$publicKey = $privateKey->publicKeyInfo();
// Validity period of the certificate
$validity = Validity::fromStrings('now', '+1 year');
// Subject distinguished name (also the issuer, since the root is self-signed)
$subject = Name::fromString('cn=My Root CA');
// Create the TBSCertificate: subject, public key, issuer, validity,
// then a random serial number and the extensions that make this a CA certificate
$tbsCert = TBSCertificate::create($subject, $publicKey, $subject, $validity)
    ->withRandomSerialNumber()
    ->withAdditionalExtensions(
        BasicConstraintsExtension::create(true, true),
        KeyUsageExtension::create(true, KeyUsageExtension::KEY_CERT_SIGN | KeyUsageExtension::CRL_SIGN),
        SubjectKeyIdentifierExtension::create(false, $publicKey->keyIdentifier())
    );
// Self-sign the certificate with the CA private key
$certificate = $tbsCert->sign(SHA256WithRSAEncryptionAlgorithmIdentifier::create(), $privateKey);
// Save the certificate and the private key (the later steps load it as ca.key); restrict the key file
file_put_contents('ca.crt', $certificate->toPEM()->string());
file_put_contents('ca.key', $keyPem);
chmod('ca.key', 0600);
Once you have the CA certificate and its private key, you can use them to issue end-entity certificates. withIssuerCertificate() copies the issuer name from the CA certificate and adds the AuthorityKeyIdentifier extension, and BasicConstraints should say CA:false explicitly so the certificate cannot be misused to sign others. Example:
<?php
require 'vendor/autoload.php';

use SpomkyLabs\Pki\CryptoEncoding\PEM;
use SpomkyLabs\Pki\CryptoTypes\AlgorithmIdentifier\Signature\SHA256WithRSAEncryptionAlgorithmIdentifier;
use SpomkyLabs\Pki\CryptoTypes\Asymmetric\PrivateKey;
use SpomkyLabs\Pki\X501\ASN1\Name;
use SpomkyLabs\Pki\X509\Certificate\Certificate;
use SpomkyLabs\Pki\X509\Certificate\Extension\BasicConstraintsExtension;
use SpomkyLabs\Pki\X509\Certificate\Extension\KeyUsageExtension;
use SpomkyLabs\Pki\X509\Certificate\TBSCertificate;
use SpomkyLabs\Pki\X509\Certificate\Validity;

// Load the CA certificate and private key
$caCert = Certificate::fromPEM(PEM::fromFile('ca.crt'));
$caPrivateKey = PrivateKey::fromPEM(PEM::fromFile('ca.key'))->privateKeyInfo();
// Generate the end entity's key pair (in practice the end entity generates it and sends a CSR)
$res = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($res, $keyPem);
$privateKey = PrivateKey::fromPEM(PEM::fromString($keyPem))->privateKeyInfo();
$publicKey = $privateKey->publicKeyInfo();
// Validity period of the certificate
$validity = Validity::fromStrings('now', '+1 year');
// Subject distinguished name of the end entity
$subject = Name::fromString('cn=My End Entity');
// Create the TBSCertificate; withIssuerCertificate() sets the issuer DN and AuthorityKeyIdentifier
$tbsCert = TBSCertificate::create($subject, $publicKey, $caCert->tbsCertificate()->subject(), $validity)
    ->withIssuerCertificate($caCert)
    ->withRandomSerialNumber()
    ->withAdditionalExtensions(
        BasicConstraintsExtension::create(true, false),
        KeyUsageExtension::create(true, KeyUsageExtension::DIGITAL_SIGNATURE | KeyUsageExtension::KEY_ENCIPHERMENT)
    );
// Sign the certificate with the CA private key
$certificate = $tbsCert->sign(SHA256WithRSAEncryptionAlgorithmIdentifier::create(), $caPrivateKey);
// Save the certificate and the end entity's private key
file_put_contents('end_entity.crt', $certificate->toPEM()->string());
file_put_contents('end_entity.key', $keyPem);
chmod('end_entity.key', 0600);
You can use Spomky-Labs/Pki-Framework to validate a certificate against a trust anchor. Build a certification path from the trust anchor to the target certificate and validate it with a PathValidationConfig; validation does not return a boolean but throws PathValidationException on any failure (bad signature, expired certificate, issuer/subject mismatch, violated constraints), so the check is a try/catch. Path validation covers the RFC 5280 chain rules only; revocation status and hostname matching are separate checks. Example:
<?php
require 'vendor/autoload.php';

use SpomkyLabs\Pki\CryptoEncoding\PEM;
use SpomkyLabs\Pki\X509\Certificate\Certificate;
use SpomkyLabs\Pki\X509\CertificationPath\CertificationPath;
use SpomkyLabs\Pki\X509\CertificationPath\Exception\PathValidationException;
use SpomkyLabs\Pki\X509\CertificationPath\PathValidation\PathValidationConfig;

// Load the end-entity certificate and the CA certificate (the trust anchor)
$endEntityCert = Certificate::fromPEM(PEM::fromFile('end_entity.crt'));
$caCert = Certificate::fromPEM(PEM::fromFile('ca.crt'));
// Build the certification path from the trust anchor to the target
// (intermediate certificates, if any, are passed as a CertificateBundle third argument)
$path = CertificationPath::fromTrustAnchorToTarget($caCert, $endEntityCert);
// Validation configuration: validate at the current time, allow at most 3 certificates in the path
$config = PathValidationConfig::create(new DateTimeImmutable(), 3);
// Validate the path; any failure is reported as an exception
try {
    $result = $path->validate($config);
    echo 'Certificate validated: ' . $result->certificate()->tbsCertificate()->subject()->toString() . PHP_EOL;
} catch (PathValidationException $e) {
    echo 'Certificate validation failed: ' . $e->getMessage() . PHP_EOL;
}
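The issuance and validation steps above use a single self-signed CA and a key pair generated on the CA's side. A more realistic deployment has a root CA, an intermediate CA, and end entities that keep their own private keys and send a certification request (CSR). The following is an added example, not code from the original guide or from the pki-framework project: it builds that two-tier hierarchy, issues a server certificate from a CSR (verifying the CSR signature and overriding the requested extensions so a requester cannot obtain CA:true), then validates the chain with the path builder, once successfully, once at a date after the server certificate has expired, and once without the intermediate. The helper names (newRsaKey, issueCa, validateAt), the DNs and the hostname are made up for the example; the framework class and method names are used as the author of this example understands them, so check them against the version you install.

```php
<?php
// Added example (not part of the original guide or the pki-framework project).
// Assumes spomky-labs/pki-framework installed via Composer and the PHP openssl extension.
require __DIR__ . '/vendor/autoload.php';

use SpomkyLabs\Pki\CryptoEncoding\PEM;
use SpomkyLabs\Pki\CryptoTypes\AlgorithmIdentifier\Signature\SHA256WithRSAEncryptionAlgorithmIdentifier;
use SpomkyLabs\Pki\CryptoTypes\Asymmetric\PrivateKey;
use SpomkyLabs\Pki\CryptoTypes\Asymmetric\PrivateKeyInfo;
use SpomkyLabs\Pki\X501\ASN1\Name;
use SpomkyLabs\Pki\X509\Certificate\Certificate;
use SpomkyLabs\Pki\X509\Certificate\CertificateBundle;
use SpomkyLabs\Pki\X509\Certificate\Extension\BasicConstraintsExtension;
use SpomkyLabs\Pki\X509\Certificate\Extension\ExtendedKeyUsageExtension;
use SpomkyLabs\Pki\X509\Certificate\Extension\KeyUsageExtension;
use SpomkyLabs\Pki\X509\Certificate\Extension\SubjectAlternativeNameExtension;
use SpomkyLabs\Pki\X509\Certificate\Extension\SubjectKeyIdentifierExtension;
use SpomkyLabs\Pki\X509\Certificate\Extensions;
use SpomkyLabs\Pki\X509\Certificate\TBSCertificate;
use SpomkyLabs\Pki\X509\Certificate\Validity;
use SpomkyLabs\Pki\X509\CertificationPath\CertificationPathBuilder;
use SpomkyLabs\Pki\X509\CertificationPath\Exception\PathBuildingException;
use SpomkyLabs\Pki\X509\CertificationPath\Exception\PathValidationException;
use SpomkyLabs\Pki\X509\CertificationPath\PathValidation\PathValidationConfig;
use SpomkyLabs\Pki\X509\CertificationRequest\CertificationRequestInfo;
use SpomkyLabs\Pki\X509\GeneralName\DNSName;
use SpomkyLabs\Pki\X509\GeneralName\GeneralNames;

// Hypothetical helper: the framework parses and signs, key generation is OpenSSL's job.
function newRsaKey(int $bits = 2048): PrivateKeyInfo
{
    $res = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => $bits]);
    openssl_pkey_export($res, $pem);
    return PrivateKey::fromPEM(PEM::fromString($pem))->privateKeyInfo();
}

// Hypothetical helper: CA certificate, self-signed when no issuer is given, else signed by the issuer.
function issueCa(string $dn, PrivateKeyInfo $key, ?Certificate $issuerCert, ?PrivateKeyInfo $issuerKey, ?int $pathLen, string $notAfter): Certificate
{
    $pub = $key->publicKeyInfo();
    $name = Name::fromString($dn);
    $tbs = TBSCertificate::create($name, $pub, $name, Validity::fromStrings('now', $notAfter))
        ->withRandomSerialNumber()
        ->withAdditionalExtensions(
            BasicConstraintsExtension::create(true, true, $pathLen),
            KeyUsageExtension::create(true, KeyUsageExtension::KEY_CERT_SIGN | KeyUsageExtension::CRL_SIGN),
            SubjectKeyIdentifierExtension::create(false, $pub->keyIdentifier())
        );
    if ($issuerCert !== null) {
        $tbs = $tbs->withIssuerCertificate($issuerCert); // issuer DN + AuthorityKeyIdentifier from the issuer
    }
    return $tbs->sign(SHA256WithRSAEncryptionAlgorithmIdentifier::create(), $issuerKey ?? $key);
}

// Hypothetical relying-party check: trusts only $root, uses $intermediates as untrusted hints,
// validates at $at. Returns the validated subject, or null when no acceptable chain exists.
function validateAt(Certificate $root, Certificate $target, CertificateBundle $intermediates, DateTimeImmutable $at): ?string
{
    try {
        $path = CertificationPathBuilder::create(CertificateBundle::create($root))
            ->shortestPathToTarget($target, $intermediates);
        $result = $path->validate(PathValidationConfig::create($at, 3));
        return $result->certificate()->tbsCertificate()->subject()->toString();
    } catch (PathBuildingException | PathValidationException $e) {
        return null; // no chain to a trust anchor, or a chain that fails the RFC 5280 checks
    }
}

$algo = SHA256WithRSAEncryptionAlgorithmIdentifier::create();
$rootKey = newRsaKey();
$rootCert = issueCa('cn=Example Root CA,o=Example', $rootKey, null, null, null, 'now + 10 years');
$intKey = newRsaKey();
// pathLen 0: the intermediate may issue end-entity certificates only
$intCert = issueCa('cn=Example Issuing CA,o=Example', $intKey, $rootCert, $rootKey, 0, 'now + 5 years');

// Server side: own key and a CSR requesting a SAN; the private key never leaves the server.
$serverKey = newRsaKey();
$csr = CertificationRequestInfo::create(Name::fromString('cn=www.example.com,o=Example'), $serverKey->publicKeyInfo())
    ->withExtensionRequest(Extensions::create(
        SubjectAlternativeNameExtension::create(false, GeneralNames::create(DNSName::create('www.example.com')))
    ))
    ->sign($algo, $serverKey);

// CA side: reject a CSR that does not prove possession of the key, then issue from it.
if (! $csr->verify()) {
    throw new RuntimeException('CSR signature does not verify');
}
$serverCert = TBSCertificate::fromCSR($csr)   // subject, key and requested extensions come from the CSR
    ->withIssuerCertificate($intCert)
    ->withRandomSerialNumber()
    ->withValidity(Validity::fromStrings('now', 'now + 90 days'))
    ->withAdditionalExtensions(                // replaced by OID, so the CSR cannot smuggle in CA:true
        BasicConstraintsExtension::create(true, false),
        KeyUsageExtension::create(true, KeyUsageExtension::DIGITAL_SIGNATURE | KeyUsageExtension::KEY_ENCIPHERMENT),
        ExtendedKeyUsageExtension::create(false, ExtendedKeyUsageExtension::OID_SERVER_AUTH)
    )
    ->sign($algo, $intKey);

$intermediates = CertificateBundle::create($intCert);
var_dump(validateAt($rootCert, $serverCert, $intermediates, new DateTimeImmutable()));            // subject DN
var_dump(validateAt($rootCert, $serverCert, $intermediates, new DateTimeImmutable('+1 year')));   // NULL: server cert expired
var_dump(validateAt($rootCert, $serverCert, CertificateBundle::create(), new DateTimeImmutable())); // NULL: no path to the root
```

Two design points matter here. The CA never trusts the CSR's requested extensions as-is: it forwards the SAN but replaces BasicConstraints, KeyUsage and ExtendedKeyUsage with its own policy, which is what stops a requester from obtaining a certificate usable as a CA. And the relying party validates at an explicit time rather than reading the dates itself, so the same function can be used to test what happens at a future date, as the second call shows.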
Spomky-Labs/Pki-Framework also covers certificate revocation lists (CRLs). The following example shows how to generate and verify a CRL. The CRL classes used here (CertificateList, TBSCertList) are named as in the original guide; check that the version you install actually ships them before relying on this section. Loading, algorithm construction and the verification call follow the same conventions as the certificate code above:
<?php
require 'vendor/autoload.php';

use SpomkyLabs\Pki\CryptoEncoding\PEM;
use SpomkyLabs\Pki\X509\Certificate\Certificate;
use SpomkyLabs\Pki\X509\CRL\CertificateList;
use SpomkyLabs\Pki\X509\CRL\TBSCertList;
use SpomkyLabs\Pki\CryptoTypes\AlgorithmIdentifier\Signature\SHA256WithRSAEncryptionAlgorithmIdentifier;
use SpomkyLabs\Pki\CryptoTypes\Asymmetric\PrivateKey;

// Load the CA certificate and private key
$caCert = Certificate::fromPEM(PEM::fromFile('ca.crt'));
$caPrivateKey = PrivateKey::fromPEM(PEM::fromFile('ca.key'))->privateKeyInfo();
// The CRL issuer is the CA's subject name
$issuer = $caCert->tbsCertificate()->subject();
// CRL validity: thisUpdate now, nextUpdate one day later (clients should fetch a fresh CRL by then)
$thisUpdate = new \DateTimeImmutable();
$nextUpdate = $thisUpdate->add(new \DateInterval('P1D'));
// Revoked entries (serial number, revocation date, optional reason); empty here
$revokedCertificates = [];
// Create the TBSCertList
$tbsCertList = TBSCertList::create($issuer, $thisUpdate, $nextUpdate, $revokedCertificates);
// Sign the CRL with the CA private key
$crl = $tbsCertList->sign(SHA256WithRSAEncryptionAlgorithmIdentifier::create(), $caPrivateKey);
// Save the CRL to a file
file_put_contents('ca.crl', $crl->toPEM()->string());
// Verify the CRL signature against the CA's public key (taken from the CA certificate)
$crl = CertificateList::fromPEM(PEM::fromFile('ca.crl'));
if ($crl->verify($caCert->tbsCertificate()->subjectPublicKeyInfo())) {
    echo 'CRL verified successfully!' . PHP_EOL;
} else {
    echo 'CRL verification failed!' . PHP_EOL;
}
Spomky-Labs/Pki-Framework gives developers a solid toolset for managing a PKI. Following the guide above you can create a certificate authority, issue end-entity certificates, validate certification paths and produce certificate revocation lists. Keep the security basics in place alongside the code: protect CA private keys (restrictive file permissions at a minimum, an offline root or an HSM where the risk warrants it), always use random serial numbers, set BasicConstraints and KeyUsage explicitly on every certificate, keep end-entity certificate lifetimes short, and treat path validation as only one part of the check, with revocation status and name matching handled separately.