Richard,

Actually, if you leave the code exactly as-is, but change the openssl_csr_sign function to create a self-signed certificate, the entire script executes perfectly. I know there is a lot of error checking needed - I'm just making a "test" script to get a feel for how OpenSSL operates in PHP.

The certificate and key files are mode 444 (readable by everyone) as they are just "test" certificates right now.

I have a valid openssl.cnf file (in /etc/ssl/openssl.cnf, which is what's compiled into OpenSSL) and I use that configuration file that I use with some shell scripts to do everything that I want to do in PHP, so I'm sure it's a valid openssl.cnf file.

Does PHP restrict access to /etc/ssl for the OpenSSL library if I have open_basedir set? Perhaps I need to make an openssl.cnf in the /usr/home/ws1086 (which is the open_basedir path) so that it's readable? I would think that the library would have access to the whole system since it's not really part of PHP, but maybe I'm wrong. Either way, it's not complaining about access to openssl.cnf, it's complaining about access to the certificate, so let's take it one step at a time. :)

Tim Gustafson
MEI Technology Consulting, Inc
tjg@xxxxxxxxxxx
(516) 379-0001 Office
(516) 480-1870 Mobile/Emergencies
(516) 908-4185 Fax
http://www.meitech.com/

-----Original Message-----
From: Richard Lynch [mailto:ceo@xxxxxxxxx]
Sent: Thursday, January 06, 2005 11:24 AM
To: Gustafson, Tim
Cc: php-general@xxxxxxxxxxxxx
Subject: Re: OpenSSL Problem

Gustafson, Tim wrote:
> I am trying to use the OpenSSL module for PHP on a FreeBSD 4.10 server.
> I have CVS'd everything, so I have the most current version of the
> FreeBSD port.
>
> I have attached the PHP file that I'm running. Here's the error message
> I get:
>
> openssl_csr_sign(): cannot get cert from parameter 2
>
> The file that is being referenced is a valid certificate, encoded in
> base-64 format and the path is correct, and OpenSSL is able to sign
> using this certificate and the corresponding key if I run it directly
> from the command line. I have also attached the certificate. What am I
> missing?

You are missing error checking on the openssl_pkey_new() and openssl_csr_new() function calls.

You don't even know for sure that you have a valid PKEY nor that you have a valid CSR resource.

And, of course, you should have some error-checking on the return value from openssl_csr_sign() to see if it worked.

Odds are really good that if you add all that error-checking, and the code needed to find out what error occurred -- http://php.net/openssl_error_string -- you'll find out that the OpenSSL software and PHP have conspired to tell you *exactly* what is going wrong. :-)

My first Wild Guess would be that your PHP user doesn't have permission to read your .crt and .key files, or that you don't have a PHP-readable valid openssl.cnf file.

If all else fails, despite the examples in the manual, you may want to try to get rid of the 'file://' parts of your file names. But maybe you need those for some arcane OpenSSL reason beyond my ken. [shrug]

--
Like Music?
http://l-i-e.com/artists.htm
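The error checking suggested in the thread, as an added example that is not part of the original messages or the attached script: every OpenSSL call is checked, the OpenSSL error queue is drained with openssl_error_string(), and the CA certificate is loaded in its own step so a failure on "parameter 2" is reported separately from the signing itself. The helper names `ssl_check` and `new_key_and_csr`, the throwaway CA, and the common names are hypothetical; it assumes PHP 7.1 or later with the openssl extension and a usable openssl.cnf.

```php
<?php
// Added example: stop at the first OpenSSL call that returns false and
// report OpenSSL's own error queue, not only PHP's one-line warning.
function ssl_check($result, string $step) {
    if ($result === false) {
        $errors = [];
        while (($e = openssl_error_string()) !== false) {
            $errors[] = $e;   // drain the whole queue, one entry per call
        }
        throw new RuntimeException(
            "$step failed: " . (implode(' | ', $errors) ?: 'no OpenSSL error queued'));
    }
    while (openssl_error_string() !== false) {
        // discard stale entries so the next failure reports only its own errors
    }
    return $result;
}

function new_key_and_csr(string $cn): array {
    $key = ssl_check(openssl_pkey_new(['private_key_bits' => 2048]), "openssl_pkey_new ($cn)");
    $csr = ssl_check(openssl_csr_new(['commonName' => $cn], $key), "openssl_csr_new ($cn)");
    return [$key, $csr];
}

// Constructed throwaway CA so the script runs stand-alone (hypothetical names).
[$caKey, $caCsr] = new_key_and_csr('Example Test CA');
$caCert = ssl_check(openssl_csr_sign($caCsr, null, $caKey, 30), 'self-sign CA');
$caCertFile = tempnam(sys_get_temp_dir(), 'ca_');
ssl_check(openssl_x509_export_to_file($caCert, $caCertFile), 'export CA certificate');

// The step that failed in the thread, split so each input is checked alone.
if (!is_readable($caCertFile)) {
    throw new RuntimeException("PHP cannot read $caCertFile (permissions or open_basedir)");
}
$caFromFile = ssl_check(openssl_x509_read('file://' . $caCertFile),
                        'openssl_x509_read (CA certificate, parameter 2)');

[$leafKey, $leafCsr] = new_key_and_csr('test.example.invalid');
$leafCert = ssl_check(openssl_csr_sign($leafCsr, $caFromFile, $caKey, 30), 'openssl_csr_sign');

ssl_check(openssl_x509_export($leafCert, $pem), 'openssl_x509_export');
echo $pem;
unlink($caCertFile);
```

To test a real CA, replace `$caCertFile` and `$caKey` with the actual certificate path and key; the `is_readable()` and `openssl_x509_read()` steps then show whether the failure is file access or certificate parsing.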