当我看一下paypal文档时,他们会说"Note that the PayPal SDK for PHP does not require SSL encryption" . https://developer.paypal.com/docs/classic/api/apiCredentials/#encrypting-your-certificate
这句话的陈述是,我在使用php时不必创建p12证书,而是使用 public_key.pem
和 paypal_public_key.pem
?
如果是:是否足够安全地创建没有p12证书的加密表单输入元素?
如果不是:它们是什么意思? :-)
在提出这个问题之前,我已经测试了这个小程序 . http://www.softarea51.com/blog/how-to-integrate-your-custom-shopping-cart-with-paypal-website-payments-standard-using-php/
有一个配置文件 paypal-wps-config.inc.php
,我可以在其中定义证书的路径 .
// tryed to use // 'paypal_cert.p12 ';
$config['private_key_path'] = '/home/folder/.cert/pp/prvkey.pem';
// must match the one you set when you created the private key
$config['private_key_password'] = ''; //'my_password';
当我尝试使用p12证书时, openssl_error_string()
返回“无法签名数据:错误:0906D06C:PEM例程:PEM_read_bio:无起始行 openssl_pkcs7_sign
当我改为使用没有密码的prvkey.pem时,一切正常 .
这是函数,它对数据进行签名和加密 .
function signAndEncrypt($dataStr_, $ewpCertPath_, $ewpPrivateKeyPath_, $ewpPrivateKeyPwd_, $paypalCertPath_)
{
$dataStrFile = realpath(tempnam('/tmp', 'pp_'));
$fd = fopen($dataStrFile, 'w');
if(!$fd) {
$error = "Could not open temporary file $dataStrFile.";
return array("status" => false, "error_msg" => $error, "error_no" => 0);
}
fwrite($fd, $dataStr_);
fclose($fd);
$signedDataFile = realpath(tempnam('/tmp', 'pp_'));
**// here the error came from**
if(!@openssl_pkcs7_sign( $dataStrFile,
$signedDataFile,
"file://$ewpCertPath_",
array("file://$ewpPrivateKeyPath_", $ewpPrivateKeyPwd_),
array(),
PKCS7_BINARY)) {
unlink($dataStrFile);
unlink($signedDataFile);
$error = "Could not sign data: ".openssl_error_string();
return array("status" => false, "error_msg" => $error, "error_no" => 0);
}
unlink($dataStrFile);
$signedData = file_get_contents($signedDataFile);
$signedDataArray = explode("\n\n", $signedData);
$signedData = $signedDataArray[1];
$signedData = base64_decode($signedData);
unlink($signedDataFile);
$decodedSignedDataFile = realpath(tempnam('/tmp', 'pp_'));
$fd = fopen($decodedSignedDataFile, 'w');
if(!$fd) {
$error = "Could not open temporary file $decodedSignedDataFile.";
return array("status" => false, "error_msg" => $error, "error_no" => 0);
}
fwrite($fd, $signedData);
fclose($fd);
$encryptedDataFile = realpath(tempnam('/tmp', 'pp_'));
if(!@openssl_pkcs7_encrypt( $decodedSignedDataFile,
$encryptedDataFile,
file_get_contents($paypalCertPath_),
array(),
PKCS7_BINARY)) {
unlink($decodedSignedDataFile);
unlink($encryptedDataFile);
$error = "Could not encrypt data: ".openssl_error_string();
return array("status" => false, "error_msg" => $error, "error_no" => 0);
}
unlink($decodedSignedDataFile);
$encryptedData = file_get_contents($encryptedDataFile);
if(!$encryptedData) {
$error = "Encryption and signature of data failed.";
return array("status" => false, "error_msg" => $error, "error_no" => 0);
}
unlink($encryptedDataFile);
$encryptedDataArray = explode("\n\n", $encryptedData);
$encryptedData = trim(str_replace("\n", '', $encryptedDataArray[1]));
return array("status" => true, "encryptedData" => $encryptedData);
} // signAndEncrypt
} // PPCrypto
The main questions:
-
是否可以在php中使用p12证书,或者它是否足够安全,没有它?
-
为什么我在使用
openssl_pkcs7_sign
时出错
请帮忙 .
问候ninchen
1 回答
你不应该将'using SSL'与'using SSL with a predefined client certificate'混淆 . 您链接的文档描述了后者 . 只需调用
https
URL即可启用SSL并提供与浏览器等效的安全性 . 这是由SDK自动完成的 .预定义的客户端证书可防止攻击者执行中间人攻击 . 这两种方法都可以阻止不成熟的攻击者直接读取您的网络流量 .
客户端证书还用于向您验证PayPal,作为用户/密码/签名的替代方案 .