diff --git a/app/controller/Cert.php b/app/controller/Cert.php
index 33550cd..1693395 100644
--- a/app/controller/Cert.php
+++ b/app/controller/Cert.php
@@ -304,10 +304,6 @@ class Cert extends BaseController
 }
 }
- if ($certInfo['keytype'] == 'ECC') {
- $privatekey = CertHelper::ensureECPrivateKeyFormat($privatekey);
- }
-
 $order = [
 'aid' => 0,
 'keytype' => $certInfo['keytype'],
@@ -371,10 +367,6 @@ class Cert extends BaseController
 if ($certInfo['code'] == -1) return json($certInfo);
 $domains = $certInfo['domains'];
- if ($certInfo['keytype'] == 'ECC') {
- $privatekey = CertHelper::ensureECPrivateKeyFormat($privatekey);
- }
-
 $order = [
 'aid' => 0,
 'keytype' => $certInfo['keytype'],
diff --git a/app/lib/CertHelper.php b/app/lib/CertHelper.php
index 7b3c3db..fa8f3ca 100644
--- a/app/lib/CertHelper.php
+++ b/app/lib/CertHelper.php
@@ -407,24 +407,6 @@ location / {
 return false;
 }
- /**
- * 确保ECC私钥使用EC专用格式标识
- * 某些程序需要EC标识才能正确识别ECC私钥
- */
- public static function ensureECPrivateKeyFormat($private_key)
- {
- if (strpos($private_key, '-----BEGIN EC PRIVATE KEY-----') !== false) {
- return $private_key;
- }
- if (strpos($private_key, '-----BEGIN PRIVATE KEY-----') !== false) {
- $private_key = preg_replace('/^-----BEGIN PRIVATE KEY-----$/m', '-----BEGIN EC PRIVATE KEY-----', $private_key);
- $private_key = preg_replace('/^-----END PRIVATE KEY-----$/m', '-----END EC PRIVATE KEY-----', $private_key);
- }
- return $private_key;
- }
-
 public static function getPfx($fullchain, $privatekey, $pwd = '123456')
 {
 openssl_pkcs12_export($fullchain, $pfx, $privatekey, $pwd);
diff --git a/app/lib/acme/ACMECert.php b/app/lib/acme/ACMECert.php
index 1eada49..5c7ab27 100644
--- a/app/lib/acme/ACMECert.php
+++ b/app/lib/acme/ACMECert.php
@@ -4,7 +4,6 @@ namespace app\lib\acme;
 use Exception;
 use stdClass;
-use app\lib\CertHelper;
 /**
 * ACMECert
@@ -369,12 +368,10 @@ class ACMECert extends ACMEv2
 if (version_compare(PHP_VERSION, '7.1.0') < 0) throw new Exception('PHP >= 7.1.0 required for EC keys !');
 $map = array('256' => 'prime256v1', '384' => 'secp384r1', '521' => 'secp521r1');
 if (isset($map[$curve_name])) $curve_name = $map[$curve_name];
- $pem = $this->generateKey(array(
+ return $this->generateKey(array(
 'curve_name' => $curve_name,
 'private_key_type' => OPENSSL_KEYTYPE_EC
 ));
-
- return CertHelper::ensureECPrivateKeyFormat($pem);
 }
 public function parseCertificate($cert_pem)
diff --git a/app/lib/deploy/upyun.php b/app/lib/deploy/upyun.php
index 77ae4e9..287689c 100644
--- a/app/lib/deploy/upyun.php
+++ b/app/lib/deploy/upyun.php
@@ -31,9 +31,15 @@ class upyun implements DeployInterface
 $this->login();
 $url = 'https://console.upyun.com/api/https/certificate/';
+ // 如果是 EC 证书,调整私钥头为 EC PRIVATE KEY
+ $privatekey_send = $privatekey;
+ if ($this->isEcCertificate($fullchain)) {
+ $privatekey_send = str_replace('-----BEGIN PRIVATE KEY-----', '-----BEGIN EC PRIVATE KEY-----', $privatekey_send);
+ $privatekey_send = str_replace('-----END PRIVATE KEY-----', '-----END EC PRIVATE KEY-----', $privatekey_send);
+ }
 $params = [
 'certificate' => $fullchain,
- 'private_key' => $privatekey,
+ 'private_key' => $privatekey_send,
 ];
 $response = http_request($url, http_build_query($params), null, $this->cookie, null, $this->proxy);
 $result = json_decode($response['body'], true);
@@ -130,4 +136,22 @@ class upyun implements DeployInterface
 call_user_func($this->logger, $txt);
 }
 }
+
+ /**
+ * 判断是否为 EC (ECDSA) 证书
+ */
+ private function isEcCertificate($fullchain)
+ {
+ // 提取第一个证书
+ if (!preg_match('/-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----/s', $fullchain, $m)) {
+ return false;
+ }
+
+ $pubKey = openssl_pkey_get_public($m[0]);
+ if (!$pubKey) return false;
+
+ $details = openssl_pkey_get_details($pubKey);
+
+ return $details && ($details['type'] ?? 0) === OPENSSL_KEYTYPE_EC;
+ }
 }
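Review bot: The EC PEM this method returns is now whatever `generateKey()` (and so the OpenSSL build behind the extension) emits, with no label normalisation, yet nothing documents that change of contract; the method's docblock, above the hunk, should say `@return string PEM private key exactly as emitted by OpenSSL — no longer rewritten to the "EC PRIVATE KEY" label; callers needing the SEC1 form must convert at their own boundary`. Whether that label is PKCS#8 `BEGIN PRIVATE KEY` or SEC1 `BEGIN EC PRIVATE KEY` appears to depend on the OpenSSL version linked in (OpenSSL 3 builds tend to emit PKCS#8), which is worth stating so the behavioural change for deploy targets other than upyun is visible to maintainers. The enclosing function starts outside the hunk.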
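Review bot: The two `str_replace` calls only rename the PEM armor; the DER body stays a PKCS#8 `PrivateKeyInfo`, whereas the `EC PRIVATE KEY` label conventionally wraps a SEC1 (RFC 5915) `ECPrivateKey` structure, so a receiver that parses strictly by label can still reject the key, and one that accepts it does so only because it disregards the label. If the upyun endpoint merely pattern-matches the header, record that assumption next to the rewrite, `// NOTE: label-only rewrite; body stays PKCS#8 — relies on the upyun API accepting PKCS#8 DER under an EC label`; if it genuinely needs SEC1, a real re-encoding is required rather than a relabel. A line through the class logger noting that the header was rewritten before upload would make upstream rejections diagnosable without exposing key material. The enclosing method starts outside the hunk.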
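Review bot: `isEcCertificate` derives the key type from the leaf certificate while the rewrite in the earlier hunk is applied to `$privatekey`; inspecting the key itself (passing the key instead of the chain) is simpler and also surfaces a certificate/key mismatch before anything is uploaded: `$key = openssl_pkey_get_private($privatekey);` then `$details = $key ? openssl_pkey_get_details($key) : false;`. The capture group `(.+?)` in the regex is unused since `$m[0]` is what gets passed on, so it can become non-capturing or be dropped. The method should also carry native types, `private function isEcCertificate(string $fullchain): bool`, in line with the rest of the review tooling's expectations.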