支持生成自签SSL证书

flucont · Aug 13, 2024 · 5e1f19d · 5e1f19d
1 parent 57cbf93
commit 5e1f19d
Show file tree

Hide file tree

Showing 25 changed files with 723 additions and 470 deletions.
diff --git a/app/common.php b/app/common.php
@@ -180,6 +180,11 @@ function checkIfActive($string) {
 		return null;
 }
 
+function checkDomain($domain){
+	if(empty($domain) || !preg_match('/^[-$a-z0-9_*.]{2,512}$/i', $domain) || (stripos($domain, '.') === false) || substr($domain, -1) == '.' || substr($domain, 0 ,1) == '.' || substr($domain, 0 ,1) == '*' && substr($domain, 1 ,1) != '.' || substr_count($domain, '*')>1 || strpos($domain, '*')>0 || strlen($domain)<4) return false;
+	return true;
+}
+
 function errorlog($msg){
 	$handle = fopen(app()->getRootPath()."record.txt", 'a');
 	fwrite($handle, date('Y-m-d H:i:s')."\t".$msg."\r\n");
@@ -224,4 +229,69 @@ function pemToBase64($pem){
         }
     }
     return $encoded;
+}
+
+function makeSelfSignSSL(string $commonName, array $domainList, $validity = 3650){
+	// 加载 CA 证书和私钥
+	$dir = app()->getBasePath().'script/';
+	$caCert = file_get_contents($dir.'ca.crt');
+	$caPrivateKey = file_get_contents($dir.'ca.key');
+
+	$opensslConfigFile = sys_get_temp_dir().'/openssl'.time().mt_rand(1000, 9999).'.cnf';
+	$opensslConfigContent = <<<EOF
+[req]
+req_extensions = extension_section
+x509_extensions	= extension_section
+distinguished_name = dn
+
+[dn]
+
+[extension_section]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+EOF;
+	$ip_index = 1;
+	$dns_index = 1;
+	foreach ($domainList as $value) {
+		if(empty($value)) continue;
+		if(filter_var($value, FILTER_VALIDATE_IP)){
+			$opensslConfigContent .= sprintf("\nIP.%d = %s", $ip_index, $value);
+			$ip_index++;
+		}else{
+			$opensslConfigContent .= sprintf("\nDNS.%d = %s", $dns_index, $value);
+			$dns_index++;
+		}
+	}
+
+	if(!file_put_contents($opensslConfigFile, $opensslConfigContent)) return false;
+
+	// 生成域名证书的私钥和 CSR
+	$domainPrivateKey = openssl_pkey_new([
+		'private_key_bits' => 2048,
+		'private_key_type' => OPENSSL_KEYTYPE_RSA,
+	]);
+	if(!$domainPrivateKey) return false;
+
+	$csrConfig = ['digest_alg' => 'sha256', 'config' => $opensslConfigFile];
+
+	$domainCsr = openssl_csr_new([
+		'commonName' => $commonName
+	], $domainPrivateKey, $csrConfig);
+	if(!$domainCsr) return false;
+
+	// 生成域名证书
+	$domainCertificate = openssl_csr_sign($domainCsr, $caCert, $caPrivateKey, $validity, $csrConfig);
+	if(!$domainCertificate) return false;
+
+	// 导出域名证书
+	openssl_x509_export($domainCertificate, $certificate);
+	openssl_pkey_export($domainPrivateKey, $privateKey);
+	$certificate .= $caCert;
+
+	unlink($opensslConfigFile);
+
+	return ['cert' => $certificate, 'key' => $privateKey];
 }
diff --git a/app/controller/Admin.php b/app/controller/Admin.php
@@ -400,4 +400,37 @@ public function cleancache(){
         Cache::clear();
         return json(['code'=>0,'msg'=>'succ']);
     }
+
+    public function ssl(){
+        if(request()->isAjax()){
+            $domain_list = input('post.domain_list', null, 'trim');
+            $common_name = input('post.common_name', null, 'trim');
+            $validity = input('post.validity/d');
+            if(empty($domain_list) || empty($validity)){
+                return json(['code'=>-1, 'msg'=>'参数不能为空']);
+            }
+            $array = explode("\n", $domain_list);
+            $domain_list = [];
+            foreach($array as $domain){
+                $domain = trim($domain);
+                if(empty($domain)) continue;
+                if(!checkDomain($domain)) return json(['code'=>-1, 'msg'=>'域名或IP格式不正确:'.$domain]);
+                $domain_list[] = $domain;
+            }
+            if(empty($domain_list)) return json(['code'=>-1, 'msg'=>'域名列表不能为空']);
+            if(empty($common_name)) $common_name = $domain_list[0];
+            $result = makeSelfSignSSL($common_name, $domain_list, $validity);
+            if(!$result){
+                return json(['code'=>-1, 'msg'=>'生成证书失败']);
+            }
+            return json(['code'=>0, 'msg'=>'生成证书成功', 'cert'=>$result['cert'], 'key'=>$result['key']]);
+        }
+
+        $dir = app()->getBasePath().'script/';
+        $ssl_path = app()->getRootPath().'public/ssl/baota_root.pfx';
+        $ssl_path_mac = app()->getRootPath().'public/ssl/baota_root.crt';
+        $isca = file_exists($dir.'ca.crt') && file_exists($dir.'ca.key') && file_exists($ssl_path) && file_exists($ssl_path_mac);
+        View::assign('isca', $isca);
+        return view();
+    }
 }
diff --git a/app/controller/Api.php b/app/controller/Api.php
@@ -464,4 +464,31 @@ public function logerror(){
         fclose($handle);
         return json(['status'=>false, 'msg'=>'不支持当前操作']);
     }
+
+    //生成自签名SSL证书
+    public function bt_cert(){
+        $data = input('post.data');
+        $param = json_decode($data, true);
+        if(!$param || !isset($param['domain'])) return json(['status'=>false, 'msg'=>'参数错误']);
+
+        $dir = app()->getBasePath().'script/';
+        $ssl_path = app()->getRootPath().'public/ssl/baota_root.pfx';
+        $isca = file_exists($dir.'ca.crt') && file_exists($dir.'ca.key') && file_exists($ssl_path);
+        if(!$isca) return json(['status'=>false, 'msg'=>'CA证书不存在']);
+
+        $domain = $param['domain'];
+        if(empty($domain)) return json(['status'=>false, 'msg'=>'域名不能为空']);
+        $domain_list = explode(',', $domain);
+        foreach($domain_list as $d){
+            if(!checkDomain($d)) return json(['status'=>false, 'msg'=>'域名或IP格式不正确:'.$d]);
+        }
+        $common_name = $domain_list[0];
+        $validity = 3650;
+        $result = makeSelfSignSSL($common_name, $domain_list, $validity);
+        if(!$result){
+            return json(['status'=>false, 'msg'=>'生成证书失败']);
+        }
+        $ca_pfx = base64_encode(file_get_contents($ssl_path));
+        return json(['status'=>true, 'msg'=>'生成证书成功', 'cert'=>$result['cert'], 'key'=>$result['key'], 'pfx'=>$ca_pfx, 'password'=>'']);
+    }
 }