From 10a20f23bf6a1978115a693f2251eb7652c0d301 Mon Sep 17 00:00:00 2001
From: Mark O'Keeffe
Date: Mon, 9 Jul 2018 08:50:31 +1000
Subject: [PATCH 1/4] Add optional key length to OpenSSLHelper
Added a $bits argument to OpenSSLHelper::generateCSR(). Mainly because I'd love to use this package to create certificates that can be used in Amazon CloudFront, but for some reason, certificates uploaded into the AWS Certificate Manager must have a key length of 2048 bits in order to work with CloudFront.
---
src/helpers/OpenSSLHelper.php | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/helpers/OpenSSLHelper.php b/src/helpers/OpenSSLHelper.php
index 49d89f9..de1be71 100644
--- a/src/helpers/OpenSSLHelper.php
+++ b/src/helpers/OpenSSLHelper.php
@@ -99,7 +99,7 @@ public static function generateKeyPair($type)
 * @param string $privateKey
 * @return mixed
 */
- public static function generateCSR($domainList, $dn, $privateKey)
+ public static function generateCSR($domainList, $dn, $privateKey, $bits = 4096)
 {
 $san = array_map(
 function($domain) {
@@ -116,7 +116,7 @@ function($domain) {
 HOME = .
 RANDFILE = \$ENV::HOME/.rnd
 [ req ]
- default_bits = 4096
+ default_bits = ".$bits."
 default_keyfile = privkey.pem
 distinguished_name = req_distinguished_name
 req_extensions = v3_req
From c02d4d6066d1be096bd1f8d6e39844d7f9e2b8d8 Mon Sep 17 00:00:00 2001
From: MarkO
Date: Mon, 9 Jul 2018 16:03:08 +1000
Subject: [PATCH 2/4] Added support for 'ready' order status
---
src/services/OrderService.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/services/OrderService.php b/src/services/OrderService.php
index 39c6371..a101ad2 100644
--- a/src/services/OrderService.php
+++ b/src/services/OrderService.php
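Review bot: The new `$bits` parameter of `generateCSR()` is undocumented; the docblock tail visible in the hunk (`@param string $privateKey`, `@return mixed`) gains no entry for it. Add `* @param int $bits key length in bits written to the generated OpenSSL config (default 4096)` above `@return mixed`. The function body continues past the hunk.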
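Review bot: `default_bits = ".$bits."` interpolates an unvalidated value into the OpenSSL config text that, judging by the `'config' => $opensslConfigFilePath` argument later in the series, is written to disk and parsed by OpenSSL, so a non-integer value (a string with a line break, for instance) changes the config instead of failing cleanly; the last commit in this series casts `(int)$bits` at the `openssl_csr_new` call but leaves this spot alone. Cast here as well, `default_bits = ".(int)$bits."`, and reject lengths below 2048 before reaching this string, since Let's Encrypt does not accept shorter RSA keys. Note too that this CSR is signed with the existing `$privateKey`, so `default_bits` presumably never affects the key size — that is decided in `generateKeyPair()`, which this commit leaves at 4096.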
@@ -374,7 +374,7 @@ public function getCertificateFile($csr = NULL)
 throw new OrderException("There are still some authorizations that are not valid.");
 }
- if ($this->status == 'pending')
+ if ($this->status == 'pending' || $this->status == 'ready')
 {
 if (!$csr)
 {
From 61d4e7199b1aaf28cc39f49ee2e0d87eb1b24e3b Mon Sep 17 00:00:00 2001
From: MarkO
Date: Mon, 9 Jul 2018 16:19:30 +1000
Subject: [PATCH 3/4] - Mode getCSR() method public - Allow 'bits' argument on getCSR method
---
src/services/OrderService.php | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/services/OrderService.php b/src/services/OrderService.php
index a101ad2..2331aa5 100644
--- a/src/services/OrderService.php
+++ b/src/services/OrderService.php
@@ -535,13 +535,14 @@ private function getAuthorizationList()
 /**
 * Get csr info, if the csr doesn't exist then create it
+ * @param int $bits
 * @return bool|string
 */
- private function getCSR()
+ public function getCSR($bits = 4096)
 {
 if (!is_file($this->_csrPath))
 {
- $this->createCSRFile();
+ $this->createCSRFile($bits);
 }
 return file_get_contents($this->_csrPath);
@@ -549,8 +550,9 @@ private function getCSR()
 /**
 * Create csr file
+ * @param int $bits
 */
- private function createCSRFile()
+ private function createCSRFile($bits = 4096)
 {
 $domainList = array_map(
 function($identifier) {
@@ -562,7 +564,8 @@ function($identifier) {
 $csr = OpenSSLHelper::generateCSR(
 $domainList,
 ['commonName' => CommonHelper::getCommonNameForCSR($domainList)],
- $this->getPrivateKey()
+ $this->getPrivateKey(),
+ $bits
 );
 file_put_contents($this->_csrPath, $csr);
From fa563ddda6b263606f3eec68916b6ede54b06293 Mon Sep 17 00:00:00 2001
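Review bot: The widened condition keeps loose comparison, `$this->status == 'pending' || $this->status == 'ready'`, so a non-string status (a `true` from a mis-parsed response, say) satisfies either side; the later hunks that substitute `CommonConstant::ORDER_STATUS_*` (getCertificateFile, revokeCertificate, isOrderFinalized) keep the same `==`/`!=`. Prefer `in_array($this->status, ['pending', 'ready'], true)` here and `===`/`!==` in the others. `getCertificateFile()` starts and ends outside the hunk.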
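Review bot: `getCSR($bits)` only honours `$bits` when no CSR file exists; once `$this->_csrPath` is on disk the stored CSR is returned whatever the caller passes, so a second call with a different length silently returns the old one. Since `createCSRFile()` signs the request with `$this->getPrivateKey()` (third hunk), the CSR carries the length of the already-generated key and this argument cannot change it on its own — the final commit in the series moves it to the constructor and through `generateKeyPair()`, which is the right place. While the method is public, document the limitation: `* @param int $bits ignored when the CSR file already exists`.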
From: MarkO
Date: Tue, 10 Jul 2018 09:02:06 +1000
Subject: [PATCH 4/4] - Changed bits attribute to Order Service constructor argument - Added constants for order status
---
src/Client.php | 4 ++--
src/Runtime.php | 4 ++--
src/constants/CommonConstant.php | 24 +++++++++++++++++++++++
src/helpers/OpenSSLHelper.php | 5 +++--
src/services/OrderService.php | 33 +++++++++++++++++---------------
5 files changed, 49 insertions(+), 21 deletions(-)
diff --git a/src/Client.php b/src/Client.php
index ab9407f..44dcd1d 100644
--- a/src/Client.php
+++ b/src/Client.php
@@ -55,8 +55,8 @@ public function getAccount()
 * @throws exceptions\OrderException
 * @throws exceptions\RequestException
 */
- public function getOrder($domainInfo, $algorithm, $renew = FALSE)
+ public function getOrder($domainInfo, $algorithm, $renew = FALSE, $bits = 4096)
 {
- return self::$runtime->getOrder($domainInfo, $algorithm, $renew);
+ return self::$runtime->getOrder($domainInfo, $algorithm, $renew, $bits);
 }
 }
diff --git a/src/Runtime.php b/src/Runtime.php
index 748ab6d..6505394 100644
--- a/src/Runtime.php
+++ b/src/Runtime.php
@@ -109,11 +109,11 @@ public function init()
 * @throws exceptions\OrderException
 * @throws exceptions\RequestException
 */
- public function getOrder($domainInfo, $algorithm, $renew)
+ public function getOrder($domainInfo, $algorithm, $renew, $bits = 4096)
 {
 if (!$this->order)
 {
- $this->order = new OrderService($domainInfo, $algorithm, $renew);
+ $this->order = new OrderService($domainInfo, $algorithm, $renew, $bits);
 }
 return $this->order;
diff --git a/src/constants/CommonConstant.php b/src/constants/CommonConstant.php
index 7d65574..fa9d2b3 100644
--- a/src/constants/CommonConstant.php
+++ b/src/constants/CommonConstant.php
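Review bot: `getOrder()` gains `$bits` in both `Client` and `Runtime`, yet neither docblock tail shown in the hunks gets a `@param int $bits`; add `* @param int $bits RSA key length in bits (default 4096)` above the `@throws` lines in both. In `Runtime::getOrder()` the `OrderService` is cached in `$this->order`, so a later call with a different `$bits` (or different `$domainInfo`) returns the first order unchanged; a sentence such as `* Subsequent calls return the cached order; the arguments only take effect on the first call.` would save a caller from assuming otherwise. Both docblocks begin outside the hunk.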
@@ -57,4 +57,28 @@ class CommonConstant
 * @var int
 */
 const CHALLENGE_TYPE_DNS = 'dns-01';
+
+ /**
+ * Order status: pending
+ * @var string
+ */
+ const ORDER_STATUS_PENDING = 'pending';
+
+ /**
+ * Order status: ready
+ * @var string
+ */
+ const ORDER_STATUS_READY = 'ready';
+
+ /**
+ * Order status: valid
+ * @var string
+ */
+ const ORDER_STATUS_VALID = 'valid';
+
+ /**
+ * Order status: processing
+ * @var string
+ */
+ const ORDER_STATUS_PROCESSING = 'processing';
 }
diff --git a/src/helpers/OpenSSLHelper.php b/src/helpers/OpenSSLHelper.php
index de1be71..4bc08ce 100644
--- a/src/helpers/OpenSSLHelper.php
+++ b/src/helpers/OpenSSLHelper.php
@@ -46,12 +46,12 @@ public static function generateECKeyPair()
 * @return array
 * @throws OpenSSLException
 */
- public static function generateKeyPair($type)
+ public static function generateKeyPair($type, $bits = 4096)
 {
 $configMap = [
 CommonConstant::KEY_PAIR_TYPE_RSA => [
 'private_key_type' => OPENSSL_KEYTYPE_RSA,
- 'private_key_bits' => 4096,
+ 'private_key_bits' => $bits,
 ],
 CommonConstant::KEY_PAIR_TYPE_EC => [
@@ -138,6 +138,7 @@ function($domain) {
 [
 'config' => $opensslConfigFilePath,
 'digest_alg' => 'sha256',
+ 'private_key_bits' => (int)$bits,
 ]
 );
diff --git a/src/services/OrderService.php b/src/services/OrderService.php
index 2331aa5..096d3a3 100644
--- a/src/services/OrderService.php
+++ b/src/services/OrderService.php
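Review bot: The new status constants cover pending, ready, valid and processing but not `invalid`, which RFC 8555 lists as the terminal failure state of an order; `OrderService::getCertificateFile()` polls with `while ($this->status != 'valid')`, and without an `ORDER_STATUS_INVALID` constant there is nothing to compare against to stop that loop on failure. Add `const ORDER_STATUS_INVALID = 'invalid';` with the same docblock shape as the other four.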
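Review bot: In `generateKeyPair()` the new `$bits` only reaches the RSA entry of `$configMap`; for `CommonConstant::KEY_PAIR_TYPE_EC` it is accepted and silently ignored, and nothing checks it is a usable integer before it lands in `private_key_bits`. Say so in the docblock (`* @param int $bits RSA modulus length in bits; ignored for EC key pairs`) and fail early on unusable values, e.g. `if ((int)$bits < 2048) { throw new OpenSSLException("Unsupported RSA key length: {$bits}"); }`, which fits the `@throws OpenSSLException` already declared (assuming its constructor takes a message). In the second hunk, `'private_key_bits' => (int)$bits` is added to what appears to be the `openssl_csr_new()` config array (the call begins above the hunk); since this helper signs with an existing private key, PHP presumably never consults that option here, just as `default_bits` from the first commit is not consulted — either drop it or comment why it is kept, e.g. `// only used by openssl when it has to generate a key; kept so the config mirrors the key pair`. Both functions continue past their hunks.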
@@ -131,20 +131,25 @@ class OrderService
 */
 private $_orderInfoPath;
+ /**
+ * Key length in bits. Default value is 4096
+ * @var int
+ */
+ private $_bits;
+
 /**
 * OrderService constructor.
 * @param array $domainInfo
 * @param string $algorithm
 * @param bool $renew
+ * @param int $bits
 * @throws OrderException
- * @throws \stonemax\acme2\exceptions\AccountException
- * @throws \stonemax\acme2\exceptions\NonceException
- * @throws \stonemax\acme2\exceptions\RequestException
 */
- public function __construct($domainInfo, $algorithm, $renew = FALSE)
+ public function __construct($domainInfo, $algorithm, $renew = FALSE, $bits = 4096)
 {
 $this->_algorithm = $algorithm;
 $this->_renew = boolval($renew);
+ $this->_bits = $bits;
 if ($this->_algorithm == CommonConstant::KEY_PAIR_TYPE_EC && version_compare(PHP_VERSION, '7.1.0') == -1)
 {
@@ -374,7 +379,7 @@ public function getCertificateFile($csr = NULL)
 throw new OrderException("There are still some authorizations that are not valid.");
 }
- if ($this->status == 'pending' || $this->status == 'ready')
+ if ($this->status == CommonConstant::ORDER_STATUS_PENDING || $this->status == CommonConstant::ORDER_STATUS_READY)
 {
 if (!$csr)
 {
@@ -384,7 +389,7 @@ public function getCertificateFile($csr = NULL)
 $this->finalizeOrder(CommonHelper::getCSRWithoutComment($csr));
 }
- while ($this->status != 'valid')
+ while ($this->status != CommonConstant::ORDER_STATUS_VALID)
 {
 sleep(3);
@@ -433,7 +438,7 @@ public function getCertificateFile($csr = NULL)
 */
 public function revokeCertificate($reason = 0)
 {
- if ($this->status != 'valid')
+ if ($this->status != CommonConstant::ORDER_STATUS_VALID)
 {
 throw new OrderException("Revoke certificate failed because of invalid status({$this->status})");
 }
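Review bot: The constructor stores `$bits` untouched in `$this->_bits`, which later feeds `generateKeyPair()` and `generateCSR()`, so a string, float or undersized value is accepted at the public boundary and only fails, or quietly yields a weak key, deep inside the OpenSSL helper. Validate here, e.g. `$this->_bits = (int)$bits; if ($this->_bits < 2048) { throw new OrderException("Invalid RSA key length: {$bits}"); }` — `OrderException` is already in this constructor's `@throws` and is thrown with a message elsewhere in the file. The `_bits` property comment should also say that the length applies to RSA only and that an existing key or CSR file is reused as is (the `is_file` checks in the later hunks), so changing it for an order directory that already has files does not regenerate them. The constructor continues past the hunk; the removal of the three `@throws` tags is not something I can confirm from here.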
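Review bot: `while ($this->status != CommonConstant::ORDER_STATUS_VALID)` with `sleep(3)` has no exit for an order that moves to `invalid`, the terminal failure state in RFC 8555, so a failed finalisation spins forever unless the loop body, which lies outside the hunk, re-checks and throws. Guard the loop, e.g. `if ($this->status === 'invalid') { throw new OrderException("Order finalization failed (status: {$this->status})"); }` — ideally via an `ORDER_STATUS_INVALID` constant alongside the new ones — and consider a maximum poll count so a slow CA cannot hold the caller indefinitely. `getCertificateFile()` starts and ends outside the hunk.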
@@ -488,7 +493,7 @@ public function isAllAuthorizationValid()
 */
 public function isOrderFinalized()
 {
- return ($this->status == 'processing' || $this->status == 'valid');
+ return ($this->status == CommonConstant::ORDER_STATUS_PROCESSING || $this->status == CommonConstant::ORDER_STATUS_VALID);
 }
 /**
@@ -535,14 +540,13 @@ private function getAuthorizationList()
 /**
 * Get csr info, if the csr doesn't exist then create it
- * @param int $bits
 * @return bool|string
 */
- public function getCSR($bits = 4096)
+ public function getCSR()
 {
 if (!is_file($this->_csrPath))
 {
- $this->createCSRFile($bits);
+ $this->createCSRFile();
 }
 return file_get_contents($this->_csrPath);
@@ -550,9 +554,8 @@ public function getCSR($bits = 4096)
 /**
 * Create csr file
- * @param int $bits
 */
- private function createCSRFile($bits = 4096)
+ private function createCSRFile()
 {
 $domainList = array_map(
 function($identifier) {
@@ -565,7 +568,7 @@ function($identifier) {
 $domainList,
 ['commonName' => CommonHelper::getCommonNameForCSR($domainList)],
 $this->getPrivateKey(),
- $bits
+ $this->_bits
 );
 file_put_contents($this->_csrPath, $csr);
@@ -594,7 +597,7 @@ private function getPrivateKey()
 */
 private function createKeyPairFile()
 {
- $keyPair = OpenSSLHelper::generateKeyPair($this->_algorithm);
+ $keyPair = OpenSSLHelper::generateKeyPair($this->_algorithm, $this->_bits);
 $result = file_put_contents($this->_privateKeyPath, $keyPair['privateKey'])
 && file_put_contents($this->_publicKeyPath, $keyPair['publicKey']);
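Review bot: `generateKeyPair($this->_algorithm, $this->_bits)` passes the length for EC orders too, where the helper ignores it, and if the key pair is — like the CSR in `getCSR()` — only created when its files are absent, an order directory produced with the old 4096-bit default keeps that key after this change; the CloudFront case in the first commit message then needs a fresh directory. A comment on the new line, e.g. `// $_bits applies to RSA only; an existing key file is reused whatever its length`, would spare the next reader that surprise. `createKeyPairFile()` continues past the hunk, and the caller that decides when it runs is not in view.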