Digital Certificate with PHP

Asked

Viewed 11,564 times

8

I am developing a system in which I need to implement the use of A3 digital certificate so that the documents attached to the system have legal value. How is this done? Is it possible to do it in PHP? Or is it better to do it in JAVA? What tools are used for this process? Help me, because I have no idea how to do it!

  • The A3 certificate is totally contrary to WEB principles. Primarily requiring "low-level" languages to access the corresponding hardware, they are also difficult to interact with and install with the desktop environments. <p>Just imagine if the banks, which have state-of-the-art technology for users to access their systems, were to make A3 certificates available for them to access? It would NEVER be possible! Or it would be impossible to try! Certification bodies in Brazil should rethink about this! <p>While we are accessing our accounts; paying, seeing balance, transferring,

  • 3

    You can use A3 with "Web". The problem is not the certificate, the problem is people getting into using "WEB principles" for real application tasks. It’s been at least 10 years since I’ve heard that the web is the future of applications, and all the ones on the market are clear proof that it didn’t work. The few that work REASONABLY well, like the online version of Office, have required far more men-hours than a conventional application, and without the same solidity. Who knows after 10 more years the kids start waking up to make real apps.

  • 3

    Other than that, you could use A3 seats, no problem. You are confusing limitation for a specific task with the use of the A3 for what was done. I’m using the term A3 for physical card certificates, actually this nomenclature problem is part of the poorly implemented bureaucracies in our public IT. And in this part I agree, our public IT goes against not only technology, but common sense, and I wonder if it’s just the fact that we have the wrong people making important decisions, or if you have reasons that go beyond the public interest, like lobbying companies influencing.

  • 3

    If it is a system, probably PHP is a bad choice, but not because of the certificate. The simple fact of using a language made for "web scripts" instead of a language for actual programming is already an indicator of problems. The "Web systems" that are on the market are the biggest proof of this. In the same way, I would not recommend Java, because I understand that forcing someone to install a JRE because of a system that could be done without dependencies is a very big mess. But then the respect with client is already personal posture, and not technical decision.

  • 2

    I think they are underestimating PHP. PHP4 back in the early days was a scripting language, today it is a powerful WEB language. Certificate negotiation happens on the network layer and not on the application layer, Handshake is done by the web server and not by php. You need to enable the "Verify client Certificate" function to gain access to certificates, this way the browser will request the user’s permission for authorization and reading of the certificate. Doubt? See my answer here: https://goo.gl/wxqBjw

2 answers

10


In order for the CA certificate to be displayed at the prompt first the card reader must be properly configured and exporting the token certificate to the client’s certificate directory.

To know if the certificate is being listed you can take the Rasa test: https://serasa.certificadodigital.com.br/wp-content/themes/serasaLoja/testeRequest1/testeRequest.php

If the reader is not exporting I suggest installing the program "Token administration" Certisign or similar according to card reader model.

inserir a descrição da imagem aqui

Observing: Only if you have any valid certificate on the machine will it be possible to view this response.

Getting CA data from PHP.

To obtain the certificate from a client, it is necessary that the web server is configured to perform the SSL HAND SHAKE and export the obtained certificate data to environment variables. This negotiation will happen before PHP is compiled/executed.

To allow SSL Hand Shake to happen it is necessary to enable the "Verity client" option on your web server, but it can only be enabled for the entire domain (see. https://serverfault.com/questions/843259/is-possible-to-use-lighttpd-httpurl-conditional-to-enable-ssl-verifyclient). To do this you need the following settings:

About obtaining the certificate’s CPF/CNPJ, it is attached to the CN after the name the character : separates the numerical sequence from the CPF or CNPJ and can be extracted in this way.

inserir a descrição da imagem aqui

This method gives you access to the certificate, as it shows the image "---- BEGIN CERTIFICATE ----- ", is the certificate string it is accessible in $_SERVER['SSL_CLIENT_CERT'] which in turn guarantees you access to the public key through the function openssl_pkey_get_public then you can use the option of sign the PDF with libraries as TCPDF.

Follow the example of the code that generated the image above:

<?php
if ($_SERVER['HTTPS'] == 'on') { //Alterar a validação de https de acordo com seu servidor web
    echo "<table>";
    echo "<tr><th>Chave</th><th>valor</th></tr>";
    foreach ($_SERVER as $key => $value) {
        switch (true) {
            //case strpos($key,"HTTP") == 0:
            case preg_match("/^SSL_CLIENT(.*)$/", $key):
                echo "<tr><td>", $key, "</td><td><pre>", $value, "</pre></td></tr>", PHP_EOL;
                break;
            default:
                break;
        }
    }

    if ($_SERVER['SSL_CLIENT_CERT']) {
        $pub_key = openssl_pkey_get_public($_SERVER['SSL_CLIENT_CERT']);
        $keyData = openssl_pkey_get_details($pub_key);
        echo "<tr><td>Public Key Resource</td><td><pre>", $pub_key, "</pre></td></tr>", PHP_EOL;
        echo "<tr><td>Bits</td><td><pre>", $keyData["bits"], "</pre></td></tr>", PHP_EOL;
        echo "<tr><td>PUBLIC KEY</td><td><pre>", $keyData["key"], "</pre></td></tr>", PHP_EOL;
        echo "<tr><td>RSA N</td><td><pre>", $keyData["rsa"]['n'], "</pre></td></tr>", PHP_EOL;
        echo "<tr><td>RSA E</td><td><pre>", $keyData["rsa"]['e'], "</pre></td></tr>", PHP_EOL;
        echo "<tr><td>Type</td><td><pre>", $keyData['type'], "</pre></td></tr>", PHP_EOL;
        echo "<tr><td>Raw Key Data Key</td><td><pre>";
        var_dump($keyData);
        echo "</pre></td></tr>", PHP_EOL;

        openssl_pkey_free($pub_key);

        $cert = openssl_x509_read($_SERVER['SSL_CLIENT_CERT']);
        $certData = openssl_x509_parse($cert);
        foreach ($certData as $k => $d) {
            echo "<tr><td>", strtoupper($k), "</td><td><pre>";
            switch (gettype($d)) {
                case "string":
                    echo $d;
                    break;
                default:
                    var_dump($d);
                    break;
            }

            echo "</pre></td></tr>", PHP_EOL;
        }
        echo "<tr><td>Certificate Raw</td><td><pre>";
        var_dump($certData);
        echo "</pre></td></tr>", PHP_EOL;
        openssl_x509_free($cert);
    }


    echo "</table>";
}

Consideration on the browsers:

General:

  • By denying a certificate you will need to close and open the browser, there is no way to re-request the certificate.
  • The previous rule applies for multiple certificates, only 1 certificate per session is possible.
  • After the certificate selected, it is valid for that session, that is, until the browser is closed. Just closing the tab will not renew the digital certificate session. The behavior is the same in all browsers.

Firefox:

Chrome:

  • No additional configuration required, uses the directory’s own certificate directory.
  • The usability of the interface is better, but the cancel button will prevent re-ordering the certificate in the same session.

Edge:

  • No additional configuration required, uses the directory’s own certificate directory.
  • It does not list all certificates it is necessary to use the "More options" option to list the other certificates.

IE:

  • As it is no longer an officially supported browser I have no test data for it.
  • Thank you so much for the answer. I’ll check it out and test it. I’ll pass you the feedback. Just one question, can you tell me how I will put the certificate information (sign in case) in pdf?

  • This method gives you access to the certificate (as shown in the image where the BEGIN CERTIFICATE is, the certificate string is accessible in $_SERVER['SSL_CLIENT_CERT']) which in turn grants you access to the public key through the openssl_pkey_get_public function so you can use the option to sign the pdf with libraries as TCPDF. To verify that the signature is valid the private key is required. It is +- so, encrypted with the public, only opens with the private. Encrypted with private, can open with public.

  • I get it... man you don’t know how much it helped me and it’s helping me. I’ve done a lot of research, but nothing like you published here. Thank you very much!

  • Any feedback will be welcome! I have implemented in a specific situation. If you have anything to contribute, just say or edit my answer.

  • And then they say that PHP is only script language. If you think that PHP does not exist 2 options, either you are doing wrong or you do not know how to do.

  • Can you tell me if this works with A1 certificate?

  • @Jordanbragon Works Yes. The second image item that is written "Select a certificate" is a certificate of type A1

  • Friend you certainly know a lot about this subject and even after reading this excellent topic you have published here (super complete and very detailed) I still can not solve my problem described in https://answall.com/questions/273193/php-com-certificado-tipo -1 Would you be so kind as to give a?

  • @Samul thank you, but what you want to do is different, you need to sign a file digitally , in the case of a invoice xml, the process is difficult. This process here is for a certified login.

  • 1

    Oops! You really know your stuff. This reply + that guide to setting up the certificate in Apache helped me make my application to read CA and it was something I had no idea the possibility. But then I started getting the ERR_BAD_SSL_CLIENT_AUTH_CERT error when selecting the certificate. You would know how to tell me what might cause such an error?

  • 1

    @Viniantichrist this error occurs when the server rejects the certificate that was sent. When you enable certificate reading, all traffic within that domain needs to happen with the present user certificate, so it is necessary to use a subdomain. If your doubt is much more complex I suggest you ask a question to address it.

  • @Leonancarvalho we were able to correct the error by setting the option Sslcacertificatefile with the path of a valid certificate in the Apache settings. The reason I asked you in the comment was because I couldn’t find much content on this error when it comes to certificates but now it’s all right. Thanks for everything

  • Hello, I’m also checking on certified authentication and I found some points. If you want the browser to re-request the certificate if the customer selects a wrong certificate/cancel, just do TLS renegotiation (the Handshake again), this will show the prompt in the browser again without having to close it. There is also a way to make only 1 route request the certificate using a reverse proxy. To get the certificate data correctly should be read the subjectAltName of the certificate according to the specification of ICP-Brazil.

Show 8 more comments

1

Some time ago I researched this too and after much reading I discovered that:

Either you have a certificate installed on the server that will sign (type A1 not in token/smartcard, but in file) or you use Java (in case you use certificate stored in token/smartcard).

You can even get the certificate data plugged into the client machine with PHP and settings in Apache, but you can’t sign the files with it without using Java.

  • I get it, I... Can you tell me what are the procedures done and the methods/functions used to make the whole interface and signature with the A1 certificate in PHP?

  • No, I don’t know, man, because I only did A3 research in token/smartcard, but I stopped when I came across the need to use java. I wanted to do only with PHP or javascript, but this, it is impossible today :(

  • 1

    Searching through my bookmarks I found these two links. This might help you: httpd.apache.org/Docs/2.2/ssl/ssl_howto.html and www.nakov.com/research/Documents-Signing/

  • 2

    Thanks for your help, I’ll take a look at those links. As soon as I succeed I will create a tutorial on how to integrate the digital certificate and sign a file too... I don’t want anyone to go through the headache I’m going through kkkkk... very grateful for your help

  • Did Jordanbragon manage to evolve something ? face I can read the data of a digital certificate installed on my machine, but my question is whether I force a record with this data or I have to sign some AC (certificate authorized) to log in?

  • @Josevieiraneto has not progressed at all, I had to stop the development with the certificate... I’m resuming now. How you were able to read the certificate data?

  • @Jordanbragon my project is in java with spring boot ai the spring security itself already has an authentication via certificates X509 ai facilitated to read and log in, but I could not verify in a CA if the certificate is valid.

  • Take a look at my answer here: http://answall.com/questions/139462/certificado-digital-a3-e-cpf-como-acessar-as-informa%C3%A7%C3%B5es-com-javascript/194946#194946

  • Friend I had done a ceritifcado A3 and after reading what you said I entered with request to make the A1 and luckily I managed to use the right of repentance to receive back the amount paid. But I have a question, could you kindly take a look at https://answall.com/questions/273193/php-com-certificado-tipo-a1 ?

Show 4 more comments

Browser other questions tagged

You are not signed in. Login or sign up in order to post.