PayU-EMEA / apple-pay

This library is used to decode tokens for Apple Pay.

Could not verify certificate on centos 8 php7.4 openssl 1.1.1k #22

Closed doanhtai00 closed 2 years ago

doanhtai00 commented 2 years ago

I decrypted successfully on macOS Big Sur, but I could not decrypt on the backend server.

exception: Can't validate certificate chain

Symfony\Component\Process\Exception\ProcessFailedException: The command "'openssl' 'verify' '-CAfile' '../ApplePayCA.pem' '-untrusted' '/tmp/phpcgCT7A' '/tmp/phpou32WH'" failed.

Exit Code: 2(Misuse of shell builtins)

Working directory: /path/.../public

Output:
================
error /tmp/phpou32WH: verification failed

Error Output:
================
CN = Apple Application Integration CA - G3, OU = Apple Certification Authority, O = Apple Inc., C = US
error 20 at 1 depth lookup: unable to get local issuer certificate
 in /path/.../vendor/symfony/process/Process.php:269

on mac:
openssl version

LibreSSL 2.8.3

openssl version -a

LibreSSL 2.8.3
built on: date not available
platform: information not available
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: information not available
OPENSSLDIR: "/private/etc/ssl"

on centos 8:
openssl version

OpenSSL 1.1.1k FIPS 25 Mar 2021

openssl version -a

OpenSSL 1.1.1k FIPS 25 Mar 2021
built on: Thu Dec 2 16:40:48 2021 UTC
platform: linux-x86_64
options: bn(64,64) md2(char) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-1.1"
Seeding source: os-specific
engines: rdrand dynamic

willemstuursma commented 2 years ago

Hi, please verify the output of the openssl command on your servers manually. Then, please create a test with the output and make code changes as needed.

Changes with an included test will be accepted.

doanhtai00 commented 2 years ago

Thank you, @willemstuursma. I resolved it after adding the example to my project; some config was wrong.
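
The manual check suggested in this thread, as an added example that is not part of the original issue or of the library: it builds a throwaway root, intermediate and leaf (constructed test certificates, not Apple's), runs `openssl verify` with the same `-CAfile` / `-untrusted` arguments as the failing command, and shows that a CA file lacking the intermediate's issuer yields the same `error 20 at 1 depth lookup`. The function names and file names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. Certificates are constructed throwaway test certs, not Apple's;
# function and file names are hypothetical.

make_chain() {  # $1 = directory to fill with root, other, int and leaf certs
  local d=$1 n
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/o.cnf"
  for n in root other int leaf; do  # one key and CSR per certificate
    openssl req -config "$d/o.cnf" -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  for n in root other; do  # "root" anchors the chain; "other" plays the wrong CA file
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
      -extfile "$d/o.cnf" -extensions ca -out "$d/$n.pem" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
    -days 2 -extfile "$d/o.cnf" -extensions ca -out "$d/int.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
    -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Same argument order as the failing command: CA file, intermediate, leaf.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1
}

# Does the first certificate in CA file $1 carry the issuer name of intermediate $2?
# (openssl x509 reads only the first certificate of a bundle.)
ca_file_matches() {
  [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
    "$(openssl x509 -noout -issuer_hash -in "$2")" ]
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_chain "$d" || { rm -rf "$d"; return 1; }
  echo "== CA file holds the intermediate's issuer"
  verify_chain "$d/root.pem" "$d/int.pem" "$d/leaf.pem" || echo "exit $?"
  echo "== CA file holds a different root"
  verify_chain "$d/other.pem" "$d/int.pem" "$d/leaf.pem" || echo "exit $?"
  ca_file_matches "$d/other.pem" "$d/int.pem" || echo "issuer of intermediate not in CA file"
  rm -rf "$d"
}
demo
```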