openssl_pkcs12_read
(PHP 5 >= 5.2.2, PHP 7)
openssl_pkcs12_read — Parse a PKCS#12 Certificate Store into an array
Description
bool openssl_pkcs12_read ( string $pkcs12 , array &$certs , string $pass )
openssl_pkcs12_read() parses the PKCS#12 certificate store supplied by pkcs12 into an array named certs.
Parameters
- pkcs12: The certificate store contents, not its file name.
- certs: On success, this will hold the Certificate Store Data.
- pass: Encryption password for unlocking the PKCS#12 file.
Return Values
Returns TRUE on success or FALSE on failure.
Examples
Example #1 openssl_pkcs12_read() example
<?php
// Read the raw PKCS#12 bytes; the function expects contents, not a path.
if (!$cert_store = file_get_contents("/certs/file.p12")) {
    echo "Error: Unable to read the cert file\n";
    exit;
}

// On success $cert_info is filled with the certificate store data.
if (openssl_pkcs12_read($cert_store, $cert_info, "my_secret_pass")) {
    echo "Certificate Information\n";
    print_r($cert_info);
} else {
    echo "Error: Unable to read the cert store.\n";
    exit;
}
?>
Comments
The openssl_pkcs12_read method does not work in PHP 8.2 due to the change in the OpenSSL library from version ^1 to ^3.
In response to Anonymous' note (https://www.php.net/manual/en/function.openssl-pkcs12-read.php#128790):
I'm using 8.2.6 on Windows and this function is working without issue.
In response to Anonymous' note (https://www.php.net/manual/es/function.openssl-pkcs12-read.php#128819):
In PHP versions 8.2.6 and 8.2.7, OpenSSL 1.1.1 is still utilized. However, starting from PHP version 8.2.8 onwards, OpenSSL 3.0.9 is employed.
I have conducted tests, and the function works correctly with all PHP versions using OpenSSL 1, but it fails with OpenSSL 3 versions.
It really seems to depend on the OpenSSL version only. I checked:
OpenSSL 1:
- Linux Sury PHP 8.1 and 8.2
- Windows (according to what Anonymous reported here)
OpenSSL 3:
- Linux Ubuntu jammy (22.04 LTS) PHP 8.1
- Mac OS Homebrew PHP 8.1 and 8.2
Since OpenSSL 3, this function will fail with .p12 files that use legacy ciphers. Unfortunately, .p12 files generated today from a lot of Windows based CAs are using them by default.
OpenSSL 3 uses a provider mechanism where there is a legacy provider that supports these legacy ciphers, but it is disabled by default.
While the PHP SSL module lacks a mechanism to enable the legacy provider, you need to modify the openssl.conf used by PHP by hand. It is usually the same one used by the system openssl command, so the OPENSSLDIR path value returned by the "openssl version -d" command contains the openssl.conf file to modify. The lines that need to be added, modified or uncommented should look like this:
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
This may require restarting the involved php service (php-fpm usually) to load the OpenSSL configuration changes.
Instead of enabling legacy providers for your private key container to work with openssl3, one can simply repack the container using recent openssl:
openssl pkcs12 -legacy -in key.p12 -nodes -out key_decrypted.tmp
openssl pkcs12 -in key_decrypted.tmp -export -out key_new.p12
In response to Rovinson (https://www.php.net/manual/en/function.openssl-pkcs12-read.php#128854):
> In PHP versions 8.2.6 and 8.2.7, OpenSSL 1.1.1 is still utilized.
> However, starting from PHP version 8.2.8 onwards, OpenSSL 3.0.9 is employed.
This is not correct; Debian 12 currently uses PHP 8.2.7, yet it does use OpenSSL 3.0.11. So for a version check, I would rather target PHP 8.2+.
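An added example, not part of the PHP manual or of any comment above: a wrapper around openssl_pkcs12_read() that reports the queued OpenSSL errors and the linked library version on failure (which helps separate the OpenSSL 3 case discussed in the comments from other errors), checks that the private key matches the certificate, and prints only public metadata. The function name read_pkcs12(), the demo password and the self-signed test certificate are constructed for this illustration.

```php
<?php
// Added example, not from the PHP manual. read_pkcs12() and the demo
// password are hypothetical names/values chosen for this sketch.
function read_pkcs12(string $store, string $pass): array
{
    while (openssl_error_string() !== false); // discard stale queue entries
    $certs = [];
    if (!openssl_pkcs12_read($store, $certs, $pass)) {
        $errors = [];
        while (($e = openssl_error_string()) !== false) {
            $errors[] = $e;
        }
        $msg = 'openssl_pkcs12_read() failed on ' . OPENSSL_VERSION_TEXT . ': '
             . (implode('; ', $errors) ?: 'no OpenSSL error queued');
        // 0x30000000 and above is OpenSSL 3.x, the library generation the
        // comments associate with failures on legacy-cipher containers.
        if (OPENSSL_VERSION_NUMBER >= 0x30000000) {
            $msg .= ' [OpenSSL 3: wrong password or legacy-cipher container]';
        }
        throw new RuntimeException($msg);
    }
    if (empty($certs['cert']) || empty($certs['pkey'])) {
        throw new RuntimeException('Store lacks a certificate/private key pair');
    }
    // Confirm the private key actually belongs to the leaf certificate.
    if (!openssl_x509_check_private_key($certs['cert'], $certs['pkey'])) {
        throw new RuntimeException('Private key does not match certificate');
    }
    return $certs;
}

// Constructed sample input: a throwaway self-signed certificate, packed
// into a PKCS#12 store in memory so the example runs offline.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$csr = openssl_csr_new(['commonName' => 'example.test'], $key, ['digest_alg' => 'sha256']);
$crt = openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => 'sha256']);
openssl_pkcs12_export($crt, $p12, $key, 'demo-pass');

foreach (['demo-pass', 'wrong-pass'] as $pass) {
    try {
        $certs = read_pkcs12($p12, $pass);
        // Print public metadata only; never dump $certs['pkey'] to output or logs.
        $x509 = openssl_x509_parse($certs['cert']);
        echo "OK: subject={$x509['name']}, expires=", date('c', $x509['validTo_time_t']),
             ', chain certs=', count($certs['extracerts'] ?? []), "\n";
    } catch (RuntimeException $e) {
        echo 'FAILED: ', $e->getMessage(), "\n";
    }
}
```

In real use the password would come from a secret store or environment variable rather than a literal in the source, and the exception message would go to a log that never receives the key material.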