feat(ssl): Add openssl.conf to configure SSL extension properly

2025-02-05 18:06:38 +01:00
parent a3c4f86e80
commit 1003858632
1 changed files with 50 additions and 8 deletions
--- a/app/Helpers/SslHelper.php
+++ b/app/Helpers/SslHelper.php
@@ -59,17 +59,56 @@ class SslHelper
            $subjectAlternativeNames = array_unique(
                array_merge(["DNS:$commonName"], $subjectAlternativeNames)
            );
-            $certificateSubject = [
+
+            $countryCode = self::DEFAULT_COUNTRY_CODE;
+            $state = self::DEFAULT_STATE;
+            $organization = self::DEFAULT_ORGANIZATION_NAME;
+
+            $altNames = [];
+            foreach ($subjectAlternativeNames as $index => $san) {
+                [$type, $value] = explode(':', $san, 2);
+                $altNames[] = "{$type}.".($index + 1)." = $value";
+            }
+            $altNamesSection = implode("\n", $altNames);
+
+            $basicConstraints = $isCaCertificate ? 'CA:TRUE' : 'CA:FALSE';
+            $keyUsage = $isCaCertificate ? 'keyCertSign, cRLSign' : 'digitalSignature, keyEncipherment';
+            $extendedKeyUsage = $isCaCertificate ? '' : 'extendedKeyUsage = serverAuth';
+
+            $config = <<<CONF
+                [req]
+                prompt = no
+                distinguished_name = req_distinguished_name
+                req_extensions = v3_req
+
+                [req_distinguished_name]
+                C = $countryCode
+                ST = $state
+                O = $organization
+                CN = $commonName
+
+                [v3_req]
+                basicConstraints = $basicConstraints
+                keyUsage = $keyUsage
+                $extendedKeyUsage
+                subjectAltName = @alt_names
+
+                [alt_names]
+                $altNamesSection
+            CONF;
+
+            $tempConfig = tmpfile();
+            fwrite($tempConfig, $config);
+            $tempConfigPath = stream_get_meta_data($tempConfig)['uri'];
+
+            $csr = openssl_csr_new([
                'commonName' => $commonName,
-                'subjectAltName' => $subjectAlternativeNames,
                'organizationName' => self::DEFAULT_ORGANIZATION_NAME,
                'countryName' => self::DEFAULT_COUNTRY_CODE,
                'stateOrProvinceName' => self::DEFAULT_STATE,
-            ];
-
-            $csr = openssl_csr_new($certificateSubject, $privateKey, [
+            ], $privateKey, [
                'digest_alg' => 'sha512',
-                'config' => null,
+                'config' => $tempConfigPath,
                'encrypt_key' => false,
            ]);

@@ -84,9 +123,10 @@ class SslHelper
                $validityDays,
                [
                    'digest_alg' => 'sha512',
-                    'config' => null,
+                    'config' => $tempConfigPath,
+                    'x509_extensions' => 'v3_req',
                ],
-                random_int(PHP_INT_MIN, PHP_INT_MAX)
+                random_int(1, PHP_INT_MAX)
            );

            if ($certificate === false) {
@@ -154,6 +194,8 @@ class SslHelper
                ]);
            }

+            fclose($tempConfig);
+
            return $sslCertificate;
        } catch (\Throwable $e) {
            throw new \RuntimeException('SSL Certificate generation failed: '.$e->getMessage(), 0, $e);