|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
namespace LiquidWeb\SslCertificate; |
|
4
|
|
|
|
|
5
|
|
|
use Throwable; |
|
6
|
|
|
use phpseclib\File\X509; |
|
7
|
|
|
use LiquidWeb\SslCertificate\Exceptions\CouldNotDownloadCertificate; |
|
8
|
|
|
|
|
9
|
|
|
class Downloader |
|
10
|
|
|
{ |
|
11
|
8 |
|
public static function downloadCertificateFromUrl(string $url, int $timeout = 30): array |
|
12
|
|
|
{ |
|
13
|
|
|
// Trusted variable to keep track of SSL trust |
|
14
|
8 |
|
$trusted = true; |
|
15
|
8 |
|
$sslConfig = StreamConfig::configSecure(); |
|
16
|
8 |
|
$parsedUrl = new Url($url); |
|
17
|
7 |
|
$hostName = $parsedUrl->getHostName(); |
|
18
|
7 |
|
$client = null; |
|
19
|
|
|
|
|
20
|
|
|
try { |
|
21
|
7 |
|
$client = stream_socket_client( |
|
22
|
7 |
|
"ssl://{$parsedUrl->getTestURL()}", |
|
23
|
|
|
$errorNumber, |
|
24
|
|
|
$errorDescription, |
|
25
|
|
|
$timeout, |
|
26
|
7 |
|
STREAM_CLIENT_CONNECT, |
|
27
|
7 |
|
$sslConfig->getContext() |
|
28
|
|
|
); |
|
29
|
2 |
|
unset($sslConfig); |
|
30
|
5 |
|
} catch (Throwable $thrown) { |
|
31
|
|
|
// Try agian in insecure mode |
|
32
|
5 |
|
$sslConfig = StreamConfig::configInsecure(); |
|
33
|
|
|
|
|
34
|
|
|
try { |
|
35
|
|
|
// As the URL failed verification we set to false |
|
36
|
5 |
|
$trusted = false; |
|
37
|
5 |
|
$client = stream_socket_client( |
|
38
|
5 |
|
"ssl://{$parsedUrl->getTestURL()}", |
|
39
|
|
|
$errorNumber, |
|
40
|
|
|
$errorDescription, |
|
41
|
|
|
$timeout, |
|
42
|
5 |
|
STREAM_CLIENT_CONNECT, |
|
43
|
5 |
|
$sslConfig->getContext() |
|
44
|
|
|
); |
|
45
|
1 |
|
unset($sslConfig); |
|
46
|
|
|
|
|
47
|
1 |
|
return self::prepareCertificateResponse($client, $trusted, $parsedUrl->getIp(), $parsedUrl->getTestURL()); |
|
48
|
4 |
|
} catch (Throwable $thrown) { |
|
49
|
4 |
|
if (str_contains($thrown->getMessage(), 'getaddrinfo failed')) { |
|
50
|
|
|
throw CouldNotDownloadCertificate::hostDoesNotExist($hostName); |
|
51
|
|
|
} |
|
52
|
|
|
|
|
53
|
4 |
|
if (str_contains($thrown->getMessage(), 'error:14090086')) { |
|
54
|
|
|
throw CouldNotDownloadCertificate::noCertificateInstalled($hostName); |
|
55
|
|
|
} |
|
56
|
|
|
|
|
57
|
4 |
|
if (str_contains($thrown->getMessage(), 'error:14077410') || str_contains($thrown->getMessage(), 'error:140770FC')) { |
|
58
|
3 |
|
throw CouldNotDownloadCertificate::failedHandshake($parsedUrl); |
|
59
|
|
|
} |
|
60
|
|
|
|
|
61
|
1 |
|
if (str_contains($thrown->getMessage(), '(Connection timed out)')) { |
|
62
|
1 |
|
throw CouldNotDownloadCertificate::connectionTimeout($parsedUrl->getTestURL()); |
|
63
|
|
|
} |
|
64
|
|
|
|
|
65
|
|
|
throw CouldNotDownloadCertificate::unknownError($parsedUrl->getTestURL(), $thrown->getMessage()); |
|
66
|
|
|
} |
|
67
|
|
|
} |
|
68
|
|
|
|
|
69
|
2 |
|
$sslData = self::prepareCertificateResponse($client, $trusted, $parsedUrl->getIp(), $parsedUrl->getTestURL()); |
|
70
|
|
|
|
|
71
|
2 |
|
return $sslData; |
|
72
|
|
|
} |
|
73
|
|
|
|
|
74
|
3 |
|
private static function prepareCertificateResponse($resultClient, bool $trusted, string $domainIp, string $testedUrl): array |
|
75
|
|
|
{ |
|
76
|
|
|
$results = [ |
|
77
|
3 |
|
'tested' => $testedUrl, |
|
78
|
3 |
|
'trusted' => $trusted, |
|
79
|
3 |
|
'dns-resolves-to' => $domainIp, |
|
80
|
|
|
'cert' => null, |
|
81
|
|
|
'full_chain' => [], |
|
82
|
|
|
'connection' => [], |
|
83
|
|
|
]; |
|
84
|
3 |
|
$response = stream_context_get_options($resultClient); |
|
85
|
3 |
|
$results['connection'] = stream_get_meta_data($resultClient)['crypto']; |
|
86
|
3 |
|
unset($resultClient); |
|
87
|
3 |
|
$results['cert'] = openssl_x509_parse($response['ssl']['peer_certificate'], true); |
|
88
|
|
|
|
|
89
|
3 |
|
if (count($response['ssl']['peer_certificate_chain']) > 1) { |
|
90
|
2 |
|
foreach ($response['ssl']['peer_certificate_chain'] as $cert) { |
|
91
|
2 |
|
$parsedCert = openssl_x509_parse($cert, true); |
|
92
|
2 |
|
$isChain = ! ($parsedCert['hash'] === $results['cert']['hash']); |
|
93
|
2 |
|
if ($isChain === true) { |
|
94
|
2 |
|
array_push($results['full_chain'], $parsedCert); |
|
95
|
|
|
} |
|
96
|
|
|
} |
|
97
|
|
|
} |
|
98
|
|
|
|
|
99
|
3 |
|
return $results; |
|
100
|
|
|
} |
|
101
|
|
|
|
|
102
|
2 |
|
public static function downloadRevocationListFromUrl(string $url): array |
|
103
|
|
|
{ |
|
104
|
2 |
|
$parsedUrl = new Url($url); |
|
105
|
2 |
|
$csrConfig = StreamConfig::configCrl(); |
|
106
|
2 |
|
$file = file_get_contents($parsedUrl->getValidatedURL(), false, $csrConfig->getContext()); |
|
107
|
2 |
|
unset($csrConfig, $parsedUrl); |
|
108
|
2 |
|
$x509 = new X509(); |
|
109
|
2 |
|
$crl = $x509->loadCRL($file); // see ev2009a.crl |
|
110
|
2 |
|
unset($x509, $file); |
|
111
|
|
|
|
|
112
|
2 |
|
return $crl; |
|
113
|
|
|
} |
|
114
|
|
|
} |
|
115
|
|
|
|
liquidweb /
ssl-certificate
