qlg.tsgz.moe/extend/unionpay/sdk/cert_util.php

<?php

include_once 'acp_service.php';

const COMPANY = "中国银联股份有限公司";
class Cert
{
    public $cert;
    public $certId;
    public $key;
}


// 内存泄漏问题说明：
//     openssl_x509_parse疑似有内存泄漏，暂不清楚原因，可能和php、openssl版本有关，估计有bug。
//     windows下试过php5.4+openssl0.9.8，php7.0+openssl1.0.2都有这问题。mac下试过也有问题。
//     不过至今没人来反馈过这个问题，所以不一定真有泄漏？或者因为增长量不大所以一般都不会遇到问题？
//     也有别人汇报过bug：https://bugs.php.net/bug.php?id=71519
//
// 替代解决方案：
//     方案1. 所有调用openssl_x509_parse的地方都是为了获取证书序列号，可以尝试把证书序列号+证书/key以别的方式保存，
//            从其他地方（比如数据库）读序列号，而不直接从证书文件里读序列号。
//     方案2. 代码改成执行脚本的方式执行，这样执行完一次保证能释放掉所有内存。
//     方案3. 改用下面的CertSerialUtil取序列号，
//            此方法仅用了几个测试和生产的证书做过测试，不保证没bug，所以默认注释掉了。如发现有bug或者可优化的地方可自行修改代码。
//            注意用了bcmath的方法，*nix下编译时需要 --enable-bcmath。http://php.net/manual/zh/bc.installation.php


class CertUtil{

    private static $signCerts = array();
    private static $encryptCerts = array();
    private static $verifyCerts = array();
    private static $verifyCerts510 = array();

    private static function initSignCert($certPath, $certPwd){
        $logger = LogUtil::getLogger();
        $logger->LogInfo("读取签名证书……");

        $pkcs12certdata = file_get_contents ( $certPath );
        if($pkcs12certdata === false ){
        	$logger->LogInfo($certPath . "file_get_contents fail。");
        	return;
        }
        
        if(openssl_pkcs12_read ( $pkcs12certdata, $certs, $certPwd ) == FALSE ){
        	$logger->LogInfo($certPath . ", pwd[" . $certPwd . "] openssl_pkcs12_read fail。");
        	return;
        }
        
        $cert = new Cert();
        $x509data = $certs ['cert'];

        if(!openssl_x509_read ( $x509data )){
        	$logger->LogInfo($certPath . " openssl_x509_read fail。");
        }
        $certdata = openssl_x509_parse ( $x509data );
        $cert->certId = $certdata ['serialNumber'];

// 		$certId = CertSerialUtil::getSerial($x509data, $errMsg);
// 		if($certId === false){
//         	$logger->LogInfo("签名证书读取序列号失败：" . $errMsg);
//         	return;
// 		}
//         $cert->certId = $certId;
        
        $cert->key = $certs ['pkey'];
        $cert->cert = $x509data;

        $logger->LogInfo("签名证书读取成功，序列号：" . $cert->certId);
        CertUtil::$signCerts[$certPath] = $cert;
    }

    public static function getSignKeyFromPfx($certPath=null, $certPwd=null)
    {
    	if( $certPath == null ) {
    		$certPath = SDKConfig::$signCertPath;
    		$certPwd = SDKConfig::$signCertPwd;
    	}
    	
        if (!array_key_exists($certPath, CertUtil::$signCerts)) {
            self::initSignCert($certPath, $certPwd);
        }
        return CertUtil::$signCerts[$certPath] -> key;
    }

    public static function getSignCertIdFromPfx($certPath=null, $certPwd=null)
    {

    	if( $certPath == null ) {
    		$certPath = SDKConfig::$signCertPath;
    		$certPwd = SDKConfig::$signCertPwd;
    	}
    	
        if (!array_key_exists($certPath, CertUtil::$signCerts)) {
            self::initSignCert($certPath, $certPwd);
        }
        return CertUtil::$signCerts[$certPath] -> certId;
    }

    private static function initEncryptCert($cert_path)
    {
        $logger = LogUtil::getLogger();
        $logger->LogInfo("读取加密证书……");
        
	    $x509data = file_get_contents ( $cert_path );
        if($x509data === false ){
        	$logger->LogInfo($cert_path . " file_get_contents fail。");
        	return;
        }
	    
	    if(!openssl_x509_read ( $x509data )){
        	$logger->LogInfo($cert_path . " openssl_x509_read fail。");
        	return;
	    }

	    $cert = new Cert();
	    $certdata = openssl_x509_parse ( $x509data );
	    $cert->certId = $certdata ['serialNumber'];

// 	    $certId = CertSerialUtil::getSerial($x509data, $errMsg);
// 	    if($certId === false){
// 	    	$logger->LogInfo("签名证书读取序列号失败：" . $errMsg);
// 	    	return;
// 	    }
// 	    $cert->certId = $certId;
	    
        $cert->key = $x509data;
        CertUtil::$encryptCerts[$cert_path] = $cert;
        $logger->LogInfo("加密证书读取成功，序列号：" . $cert->certId);
    }
    
    public static function verifyAndGetVerifyCert($certBase64String){

    	$logger = LogUtil::getLogger();
    	
    	if (array_key_exists($certBase64String, CertUtil::$verifyCerts510)){
    		return CertUtil::$verifyCerts510[$certBase64String];
    	}
    	
		if (SDKConfig::$middleCertPath === null || SDKConfig::$rootCertPath === null){
			$logger->LogError("rootCertPath or middleCertPath is none, exit initRootCert");
			return null;
		}
		openssl_x509_read($certBase64String);
		$certInfo = openssl_x509_parse($certBase64String);
		
		$cn = CertUtil::getIdentitiesFromCertficate($certInfo);
		if(strtolower(SDKConfig::$ifValidateCNName) == "true"){
			if (COMPANY != $cn){
				$logger->LogInfo("cer owner is not CUP:" . $cn);
				return null;
			}
		} else if (COMPANY != $cn && "00040000:SIGN" != $cn){
			$logger->LogInfo("cer owner is not CUP:" . $cn);
			return null;
		}
		
		$from = date_create ( '@' . $certInfo ['validFrom_time_t'] );
		$to = date_create ( '@' . $certInfo ['validTo_time_t'] );
		$now = date_create ( date ( 'Ymd' ) );
		$interval1 = $from->diff ( $now );
		$interval2 = $now->diff ( $to );
		if ($interval1->invert || $interval2->invert) {
			$logger->LogInfo("signPubKeyCert has expired");
			return null;
		}
		 
		$result = openssl_x509_checkpurpose($certBase64String, X509_PURPOSE_ANY, array(SDKConfig::$rootCertPath, SDKConfig::$middleCertPath));
		if($result === FALSE){
			$logger->LogInfo("validate signPubKeyCert by rootCert failed");
			return null;
		} else if($result === TRUE){
			CertUtil::$verifyCerts510[$certBase64String] = $certBase64String;
    		return CertUtil::$verifyCerts510[$certBase64String];
		} else {
			$logger->LogInfo("validate signPubKeyCert by rootCert failed with error");
			return null;
		}
    }
    
    public static function getIdentitiesFromCertficate($certInfo){
    	
    	$cn = $certInfo['subject'];
    	$cn = $cn['CN'];  	
    	$company = explode('@',$cn);
    	
    	if(count($company) < 3) {
    		return null;
    	} 
    	return $company[2];
    }
    
    public static function getEncryptCertId($cert_path=null){
    	if( $cert_path == null ) {
    		$cert_path = SDKConfig::$encryptCertPath;
    	}
        if(!array_key_exists($cert_path, CertUtil::$encryptCerts)){
            self::initEncryptCert($cert_path);
        }
        if(array_key_exists($cert_path, CertUtil::$encryptCerts)){
        	return CertUtil::$encryptCerts[$cert_path] -> certId;
        }
        return false;
    }

    public static function getEncryptKey($cert_path=null){
    	if( $cert_path == null ) {
    		$cert_path = SDKConfig::$encryptCertPath;
    	}
        if(!array_key_exists($cert_path, CertUtil::$encryptCerts)){
            self::initEncryptCert($cert_path);
        }
        if(array_key_exists($cert_path, CertUtil::$encryptCerts)){
        	return CertUtil::$encryptCerts[$cert_path] -> key;
        }
        return false;
    }

    private static function initVerifyCerts($cert_dir=null) {

    	if( $cert_dir == null ) {
    		$cert_dir = SDKConfig::$validateCertDir;
    	}
    	
        $logger = LogUtil::getLogger();
        $logger->LogInfo ( '验证签名证书目录 :>' . $cert_dir );
        $handle = opendir ( $cert_dir );
        if (!$handle) {
            $logger->LogInfo ( '证书目录 ' . $cert_dir . '不正确' );
            return;
        }
        
        while ($file = readdir($handle)) {
            clearstatcache();
            $filePath = $cert_dir . '/' . $file;
            if (is_file($filePath)) {
                if (pathinfo($file, PATHINFO_EXTENSION) == 'cer') {
                	
                    $x509data = file_get_contents($filePath);
			        if($x509data === false ){
			        	$logger->LogInfo($filePath . " file_get_contents fail。");
                    	continue;
			        }
                    if(!openssl_x509_read($x509data)){
                    	$logger->LogInfo($certPath . " openssl_x509_read fail。");
                    	continue;
                    }
                    
                    $cert = new Cert();
                    $certdata = openssl_x509_parse($x509data);
                    $cert->certId = $certdata ['serialNumber'];

//                     $certId = CertSerialUtil::getSerial($x509data, $errMsg);
//                     if($certId === false){
//                     	$logger->LogInfo("签名证书读取序列号失败：" . $errMsg);
//                     	return;
//                     }
//                     $cert->certId = $certId;

                    $cert->key = $x509data;
                    CertUtil::$verifyCerts[$cert->certId] = $cert;
                    $logger->LogInfo($filePath . "读取成功，序列号：" . $cert->certId);
                }
            }
        }
        closedir ( $handle );
    }

    public static function getVerifyCertByCertId($certId){
        $logger = LogUtil::getLogger();
        if(count(CertUtil::$verifyCerts) == 0){
            self::initVerifyCerts();
        }
        if(count(CertUtil::$verifyCerts) == 0){
            $logger->LogInfo("未读取到任何证书……");
            return null;
        }
        if(array_key_exists($certId, CertUtil::$verifyCerts)){
            return CertUtil::$verifyCerts[$certId]->key;
        } else {
            $logger->LogInfo("未匹配到序列号为[" . certId . "]的证书");
            return null;
        }
    }
    
	public static function test() {
		
		$x509data = file_get_contents ( "d:/certs/acp_test_enc.cer" );
// 		$resource = openssl_x509_read ( $x509data );
		// $certdata = openssl_x509_parse ( $resource ); //<=这句尼玛内存泄漏啊根本释放不掉啊啊啊啊啊啊啊
		// echo $certdata ['serialNumber']; //<=就是需要这个数据啦
		// echo $x509data;
		// unset($certdata); //<=没有什么用
		// openssl_x509_free($resource); //<=没有什么用x2
		echo CertSerialUtil::getSerial ( $x509data, $errMsg ) . "\n";
	}
}



// class CertSerialUtil {
	 
// 	private static function bytesToInteger($bytes) {
// 		$val = 0;
// 		for($i = 0; $i < count ( $bytes ); $i ++) {
// // 			$val += (($bytes [$i] & 0xff) << (8 * (count ( $bytes ) - 1 - $i)));
// 			$val += $bytes [$i] * pow(256, count ( $bytes ) - 1 - $i);
// // 			echo $val . "<br>\n";
// 		}
// 		return $val;
// 	}
	
// 	private static function bytesToBigInteger($bytes) {
// 		$val = 0;
// 		for($i = 0; $i < count ( $bytes ); $i ++) {
// 			$val = bcadd($val, bcmul($bytes [$i], bcpow(256, count ( $bytes ) - 1 - $i)));
// // 			echo $val . "<br>\n";
// 		}
// 		return $val;
// 	}
	
// 	private static function toStr($bytes) {
// 		$str = '';
// 		foreach($bytes as $ch) {
// 			$str .= chr($ch);
// 		}
// 		return $str;
// 	}
	
// 	public static function getSerial($fileData, &$errMsg) {
		
// // 		$fileData = str_replace('\n','',$fileData);
// // 		$fileData = str_replace('\r','',$fileData);
		
// 		$start = "-----BEGIN CERTIFICATE-----";
// 		$end = "-----END CERTIFICATE-----";
// 		$data = trim ( $fileData );
// 		if (substr ( $data, 0, strlen ( $start ) ) != $start || 
// 		substr ( $data, strlen ( $data ) - strlen ( $end ) ) != $end) {
// 			// echo $fileData;
// 			$errMsg = "error pem data";
// 			return false;
// 		}
		
// 		$data = substr ( $data, strlen ( $start ), strlen ( $data ) - strlen ( $end ) - strlen ( $start ) );
// 		$bindata = base64_decode ( $data );
// 		$bindata = unpack ( 'C*', $bindata );
		
// 		$byte = array_shift ( $bindata );
// 		if ($byte != 0x30) {
// 			$errMsg = "1st tag " . $byte . " is not 30"; 
// 			return false;
// 		}
		
// 		$length = CertSerialUtil::readLength ( $bindata ); 
// 		$byte = array_shift ( $bindata );
// 		if ($byte != 0x30) {
// 			$errMsg = "2nd tag " . $byte . " is not 30";
// 			return false;
// 		}
		
// 		$length = CertSerialUtil::readLength ( $bindata );
// 		$byte = array_shift ( $bindata );
// // 		echo $byte . "<br>\n";
// 		if ($byte == 0xa0) { //version tag.
// 			$length = CertSerialUtil::readLength ( $bindata );
// 			CertSerialUtil::readData ( $bindata, $length );
// 			$byte = array_shift ( $bindata );
// 		}

// // 		echo $byte . "<br>\n";
// 		if ($byte != 0x02) { //x509v1 has no version tag, x509v3 has.
// 			$errMsg = "4th/3rd tag " . $byte . " is not 02";
// 			return false;
// 		}
// 		$length = CertSerialUtil::readLength ( $bindata );
// 		$serial = CertSerialUtil::readData ( $bindata, $length );
// // 		echo bin2hex(CertSerialUtil::toStr( $serial ));
// 		return CertSerialUtil::bytesToBigInteger($serial);
// 	}
	
// 	private static function readLength(&$bindata) {
// 		$byte = array_shift ( $bindata );
// 		if ($byte < 0x80) {
// 			$length = $byte;
// 		} else {
// 			$lenOfLength = $byte - 0x80;
// 			for($i = 0; $i < $lenOfLength; $i ++) {
// 				$lenBytes [] = array_shift ( $bindata );
// 			}
// 			$length = CertSerialUtil::bytesToInteger ( $lenBytes );
// 		}
// 		return $length;
// 	}
	
// 	private static function readData(&$bindata, $length) {
// 		$data = array ();
// 		for($i = 0; $i < $length; $i ++) {
// 			$data [] = array_shift ( $bindata );
// 		}
// 		return $data;
// 	}
// }