php - 使用 PHP 为 Apple Wallet 通行证创建 PKCS #7 分离签名

这对我来说是一个全新的概念，所以我在黑暗中拍摄。

To create the signature file, make a PKCS #7 detached signature of the manifest file, using the private key associated with your signing certificate. Include the WWDR intermediate certificate as part of the signature. You can download this certificate from Apple’s website. Write the signature to the file signature at the top level of the pass package. Include the date and time that the pass was signed using the S/MIME signing-time attribute.

我的理解:

To create the signature file, make a PKCS #7 detached signature of the manifest file

我将使用 openssl_pkcs7_sign使用标志 PKCS7_DETACHED 的函数。

using the private key associated with your signing certificate.

我将使用我的 ssl cert.pem 文件的位置作为 signcert 参数和 cert.key 的位置文件作为 privkey 参数。

Include the WWDR intermediate certificate as part of the signature.

我将在 extracerts 参数中包含 WWDR 证书的路径

Include the date and time that the pass was signed using the S/MIME signing-time attribute.

我将包含一个数组，其中包含一个键 signing-time 和 headers 的值类似于 2015-05-03 10:40:00 参数。

我的代码:

private function createSignature($dir)
{
    $cert = '/etc/ssl/cert.pem';
    $key = '/etc/ssl/private/cert.key';
    $wwdr = '/location/of/apple/wwdr/cert.cer';
    $headers = [
        'signing-time' => (new DateTime())->format('o-m-d H:i:s'),
    ];

    return openssl_pkcs7_sign("$dir/manifest.json", "$dir/signature", $cert, $key, $headers, PKCS7_DETACHED, $wwdr);
}

其他问题:

我在 openssl_pkcs7_sign 函数的文档示例中注意到文件的 一些 位置以 file:// 为前缀>。这是为什么呢？

---

Best Answer-推荐答案

1. 在 https://developer.apple.com/account/ios/identifier/passTypeId 生成通行证类型 ID
2. 在 https://developer.apple.com/account/ios/certificate/create/ 为该通行证类型 ID 创建证书
3. 下载证书并将其放入您的钥匙串(keychain)中
4. 在您的钥匙串(keychain)中找到证书并将其导出为 Certificates.p12，无需密码
5. 打开终端，运行openssl pkcs12 -in Certificates.p12 -clcerts -nokeys -out pass_cert.pem -passin pass:生成证书
6. 在终端中，运行 openssl pkcs12 -in Certificates.p12 -nocerts -out pass_key.pem -passin pass: -passout pass:YourPassword 生成 key
7. 从 https://www.apple.com/certificateauthority/ 下载 WWDR 证书并将其放入您的钥匙串(keychain)中
8. 将 WWDR 证书从您的钥匙串(keychain)导出为 wwdr.pem

创建分离签名的函数:

public function createSignature()
{
    $cert = "file://location/of/pass_cert.pem";
    $key = "file://location/of/pass_key.pem";
    $wwdr = "/location/of/wwdr.pem";

    openssl_pkcs7_sign("/location/of/manifest.json", "/location/of/signature",
        $cert, [$key, 'YourPassword'], [], PKCS7_BINARY | PKCS7_DETACHED, $wwdr);

    // convert pem to der
    $signature = file_get_contents("/location/of/signature");
    $begin = 'filename="smime.p7s"';
    $end = '------';
    $signature = substr($signature, strpos($signature, $begin) + strlen($begin));
    $signature = substr($signature, 0, strpos($signature, $end));
    $signature = trim($signature);
    $signature = base64_decode($signature);

    file_put_contents("/location/of/signature", $signature);
}

引用资料:

• https://www.raywenderlich.com/20734/beginning-passbook-part-1
• https://github.com/tschoffelen/PHP-PKPass/blob/master/PKPass.php

关于php - 使用 PHP 为 Apple Wallet 通行证创建 PKCS #7 分离签名，我们在Stack Overflow上找到一个类似的问题： https://stackoverflow.com/questions/37010864/