In order for the CA certificate to be displayed at the prompt first the card reader must be properly configured and exporting the token certificate to the client’s certificate directory.
To know if the certificate is being listed you can take the Rasa test: https://serasa.certificadodigital.com.br/wp-content/themes/serasaLoja/testeRequest1/testeRequest.php
If the reader is not exporting I suggest installing the program "Token administration" Certisign or similar according to card reader model.
Observing: Only if you have any valid certificate on the machine will it be possible to view this response.
Getting CA data from PHP.
To obtain the certificate from a client, it is necessary that the web server is configured to perform the SSL HAND SHAKE and export the obtained certificate data to environment variables. This negotiation will happen before PHP is compiled/executed.
To allow SSL Hand Shake to happen it is necessary to enable the "Verity client" option on your web server, but it can only be enabled for the entire domain (see. https://serverfault.com/questions/843259/is-possible-to-use-lighttpd-httpurl-conditional-to-enable-ssl-verifyclient). To do this you need the following settings:
About obtaining the certificate’s CPF/CNPJ, it is attached to the CN after the name the character : separates the numerical sequence from the CPF or CNPJ and can be extracted in this way.
This method gives you access to the certificate, as it shows the image "---- BEGIN CERTIFICATE ----- ", is the certificate string it is accessible in $_SERVER['SSL_CLIENT_CERT'] which in turn guarantees you access to the public key through the function openssl_pkey_get_public then you can use the option of sign the PDF with libraries as TCPDF.
Follow the example of the code that generated the image above:
<?php
if ($_SERVER['HTTPS'] == 'on') { //Alterar a validação de https de acordo com seu servidor web
echo "<table>";
echo "<tr><th>Chave</th><th>valor</th></tr>";
foreach ($_SERVER as $key => $value) {
switch (true) {
//case strpos($key,"HTTP") == 0:
case preg_match("/^SSL_CLIENT(.*)$/", $key):
echo "<tr><td>", $key, "</td><td><pre>", $value, "</pre></td></tr>", PHP_EOL;
break;
default:
break;
}
}
if ($_SERVER['SSL_CLIENT_CERT']) {
$pub_key = openssl_pkey_get_public($_SERVER['SSL_CLIENT_CERT']);
$keyData = openssl_pkey_get_details($pub_key);
echo "<tr><td>Public Key Resource</td><td><pre>", $pub_key, "</pre></td></tr>", PHP_EOL;
echo "<tr><td>Bits</td><td><pre>", $keyData["bits"], "</pre></td></tr>", PHP_EOL;
echo "<tr><td>PUBLIC KEY</td><td><pre>", $keyData["key"], "</pre></td></tr>", PHP_EOL;
echo "<tr><td>RSA N</td><td><pre>", $keyData["rsa"]['n'], "</pre></td></tr>", PHP_EOL;
echo "<tr><td>RSA E</td><td><pre>", $keyData["rsa"]['e'], "</pre></td></tr>", PHP_EOL;
echo "<tr><td>Type</td><td><pre>", $keyData['type'], "</pre></td></tr>", PHP_EOL;
echo "<tr><td>Raw Key Data Key</td><td><pre>";
var_dump($keyData);
echo "</pre></td></tr>", PHP_EOL;
openssl_pkey_free($pub_key);
$cert = openssl_x509_read($_SERVER['SSL_CLIENT_CERT']);
$certData = openssl_x509_parse($cert);
foreach ($certData as $k => $d) {
echo "<tr><td>", strtoupper($k), "</td><td><pre>";
switch (gettype($d)) {
case "string":
echo $d;
break;
default:
var_dump($d);
break;
}
echo "</pre></td></tr>", PHP_EOL;
}
echo "<tr><td>Certificate Raw</td><td><pre>";
var_dump($certData);
echo "</pre></td></tr>", PHP_EOL;
openssl_x509_free($cert);
}
echo "</table>";
}
Consideration on the browsers:
General:
- By denying a certificate you will need to close and open the browser, there is no way to re-request the certificate.
- The previous rule applies for multiple certificates, only 1 certificate per session is possible.
- After the certificate selected, it is valid for that session, that is, until the browser is closed. Just closing the tab will not renew the digital certificate session. The behavior is the same in all browsers.
Firefox:
Chrome:
- No additional configuration required, uses the directory’s own certificate directory.
- The usability of the interface is better, but the cancel button will prevent re-ordering the certificate in the same session.
Edge:
- No additional configuration required, uses the directory’s own certificate directory.
- It does not list all certificates it is necessary to use the "More options" option to list the other certificates.
IE:
- As it is no longer an officially supported browser I have no test data for it.
The A3 certificate is totally contrary to WEB principles. Primarily requiring "low-level" languages to access the corresponding hardware, they are also difficult to interact with and install with the desktop environments. <p>Just imagine if the banks, which have state-of-the-art technology for users to access their systems, were to make A3 certificates available for them to access? It would NEVER be possible! Or it would be impossible to try! Certification bodies in Brazil should rethink about this! <p>While we are accessing our accounts; paying, seeing balance, transferring,
– Henrique Arigoni
You can use A3 with "Web". The problem is not the certificate, the problem is people getting into using "WEB principles" for real application tasks. It’s been at least 10 years since I’ve heard that the web is the future of applications, and all the ones on the market are clear proof that it didn’t work. The few that work REASONABLY well, like the online version of Office, have required far more men-hours than a conventional application, and without the same solidity. Who knows after 10 more years the kids start waking up to make real apps.
– Bacco
Other than that, you could use A3 seats, no problem. You are confusing limitation for a specific task with the use of the A3 for what was done. I’m using the term A3 for physical card certificates, actually this nomenclature problem is part of the poorly implemented bureaucracies in our public IT. And in this part I agree, our public IT goes against not only technology, but common sense, and I wonder if it’s just the fact that we have the wrong people making important decisions, or if you have reasons that go beyond the public interest, like lobbying companies influencing.
– Bacco
If it is a system, probably PHP is a bad choice, but not because of the certificate. The simple fact of using a language made for "web scripts" instead of a language for actual programming is already an indicator of problems. The "Web systems" that are on the market are the biggest proof of this. In the same way, I would not recommend Java, because I understand that forcing someone to install a JRE because of a system that could be done without dependencies is a very big mess. But then the respect with client is already personal posture, and not technical decision.
– Bacco
I think they are underestimating PHP. PHP4 back in the early days was a scripting language, today it is a powerful WEB language. Certificate negotiation happens on the network layer and not on the application layer, Handshake is done by the web server and not by php. You need to enable the "Verify client Certificate" function to gain access to certificates, this way the browser will request the user’s permission for authorization and reading of the certificate. Doubt? See my answer here: https://goo.gl/wxqBjw
– LeonanCarvalho