Bên thứ 3 cấp:
- Private key: private_cks_1.key, private_cks_2.key
- Public key 1: 54010B007388C3100483CBE72871C03C_001085011568.pem giống 54010B007388C3100483CBE72871C03C_001085011568.cer (dạng binary)
- Public key 2: 54010B0079786E5860697DB032820EF5_035083000087.pem giống 54010B0079786E5860697DB032820EF5_035083000087.cer (dạng binary)
- Gửi 54010B007388C3100483CBE72871C03C_001085011568.cer, 54010B0079786E5860697DB032820EF5_035083000087.cer cho TCB
- Gen private key: 1pay_cks_1.jks, 1pay_cks_2.jks

openssl pkcs12 -export -in 1pay_cks_1.pem -inkey private_cks_1.key -out 1pay_cks_1.p12
keytool -importkeystore -srckeystore 1pay_cks_1.p12 -srcstoretype PKCS12 -destkeystore 1pay_cks_1.jks -deststoretype JKS
keytool -importkeystore -srckeystore 1pay_cks_1.jks -destkeystore 1pay_cks_1.jks -deststoretype pkcs12
keytool -changealias -alias 1 -destalias verify-with-tcb1 -keystore 1pay_cks_1.jks

openssl pkcs12 -export -in 1pay_cks_2.pem -inkey private_cks_2.key -out 1pay_cks_2.p12
keytool -importkeystore -srckeystore 1pay_cks_2.p12 -srcstoretype PKCS12 -destkeystore 1pay_cks_2.jks -deststoretype JKS
keytool -importkeystore -srckeystore 1pay_cks_2.jks -destkeystore 1pay_cks_2.jks -deststoretype pkcs12
keytool -changealias -alias 1 -destalias verify-with-tcb2 -keystore 1pay_cks_2.jks

keytool -v -list -keystore 1pay_cks_1.jks

Lưu ý:
- Chỉ gửi cho TCB các file chứng thư công khai (.cer); các file chứa private key (.key, .p12, .jks) phải giữ nội bộ.
- Trong log bên dưới, private_cks_*.key được xuất bằng tuỳ chọn -nodes nên private key nằm trên đĩa ở dạng không mã hoá; cần giới hạn quyền đọc và xoá file này sau khi đã tạo xong keystore.
- Lệnh keytool -importkeystore thứ hai chuyển chính file .jks sang định dạng PKCS12 (tên file vẫn là .jks) và để lại bản sao lưu .jks.old; bản sao lưu này vẫn chứa private key nên cần được bảo vệ hoặc xoá như file gốc.
tungnt@MacBook-Pro-cua-Nguyen-2 tan % openssl pkcs12 -in 5401120DBEDE6BADB78DB6895AEA45AA_0108425897.p12 -out private_cks_1.key -legacy -nodes
Enter Import Password:
tungnt@MacBook-Pro-cua-Nguyen-2 tan % cp publicCert_architect.crt 1pay_cks_1.pem
tungnt@MacBook-Pro-cua-Nguyen-2 tan % openssl pkcs12 -export -in 1pay_cks_1.pem -inkey private_cks_1.key -out 1pay_cks_1.p12
Enter Export Password:
Verifying - Enter Export Password:
tungnt@MacBook-Pro-cua-Nguyen-2 tan % keytool -importkeystore -srckeystore 1pay_cks_1.p12 -srcstoretype PKCS12 -destkeystore 1pay_cks_1.jks -deststoretype JKS
Importing keystore 1pay_cks_1.p12 to 1pay_cks_1.jks...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore 1pay_cks_1.jks -destkeystore 1pay_cks_1.jks -deststoretype pkcs12".
tungnt@MacBook-Pro-cua-Nguyen-2 tan % keytool -importkeystore -srckeystore 1pay_cks_1.jks -destkeystore 1pay_cks_1.jks -deststoretype pkcs12
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
Migrated "1pay_cks_1.jks" to PKCS12. The JKS keystore is backed up as "1pay_cks_1.jks.old".
tungnt@MacBook-Pro-cua-Nguyen-2 tan % cp 1pay_cks_1.pem 1pay_tcb_verify_sign_1.cer
tungnt@MacBook-Pro-cua-Nguyen-2 tan % keytool -changealias -alias 1 -destalias verify-with-tcb1 -keystore 1pay_cks_1.jks
Enter keystore password:
tungnt@MacBook-Pro-cua-Nguyen-2 athinh % openssl pkcs12 -in 54011207CA3D4C2003112ECF619FEC8B_0108425897.p12 -out private_cks_2.key -legacy -nodes
Enter Import Password:
tungnt@MacBook-Pro-cua-Nguyen-2 athinh % cp publicCert_ceo.crt 1pay_cks_2.pem
tungnt@MacBook-Pro-cua-Nguyen-2 athinh % openssl pkcs12 -export -in 1pay_cks_2.pem -inkey private_cks_2.key -out 1pay_cks_2.p12
Enter Export Password:
Verifying - Enter Export Password:
tungnt@MacBook-Pro-cua-Nguyen-2 athinh % keytool -importkeystore -srckeystore 1pay_cks_2.p12 -srcstoretype PKCS12 -destkeystore 1pay_cks_2.jks -deststoretype JKS
Importing keystore 1pay_cks_2.p12 to 1pay_cks_2.jks...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore 1pay_cks_2.jks -destkeystore 1pay_cks_2.jks -deststoretype pkcs12".
tungnt@MacBook-Pro-cua-Nguyen-2 athinh % keytool -importkeystore -srckeystore 1pay_cks_2.jks -destkeystore 1pay_cks_2.jks -deststoretype pkcs12
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
Migrated "1pay_cks_2.jks" to PKCS12. The JKS keystore is backed up as "1pay_cks_2.jks.old".
tungnt@MacBook-Pro-cua-Nguyen-2 athinh % cp 1pay_cks_2.pem 1pay_tcb_verify_sign_2.cer
tungnt@MacBook-Pro-cua-Nguyen-2 athinh % keytool -changealias -alias 1 -destalias verify-with-tcb2 -keystore 1pay_cks_2.jks
Enter keystore password:
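/**
 * Sign $data with the private key held in a PKCS#12 keystore.
 *
 * The signature is produced with OPENSSL_ALGO_SHA256 and returned Base64-encoded.
 * Every OpenSSL step is checked so that a missing file, a wrong password or a
 * keystore without a private key raises an error instead of silently yielding
 * an empty signature.
 *
 * @param string      $data           Bytes to sign.
 * @param string      $privateKeyPath Path to the PKCS#12 keystore that holds the signing key.
 * @param string|null $password       Keystore password; null is passed to OpenSSL as an empty string.
 * @return string Base64-encoded signature.
 * @throws \RuntimeException When the keystore cannot be read or opened, or signing fails.
 */
private function sign($data, $privateKeyPath, $password = null)
{
    $keystoreBytes = $this->getKeyContentFromFile($privateKeyPath);
    if ($keystoreBytes === false) {
        throw new \RuntimeException('Unable to read the signing keystore.');
    }

    // openssl_pkcs12_read() returns false on a wrong password or a non-PKCS#12 file;
    // without this check the private key would be null and signing would fail quietly.
    $certInfo = [];
    if (!openssl_pkcs12_read($keystoreBytes, $certInfo, (string) $password) || empty($certInfo['pkey'])) {
        throw new \RuntimeException('Unable to open the signing keystore or it holds no private key.');
    }

    $signature = '';
    if (!openssl_sign($data, $signature, $certInfo['pkey'], OPENSSL_ALGO_SHA256)) {
        throw new \RuntimeException('openssl_sign() failed.');
    }

    return base64_encode($signature);
}

/**
 * Check a Base64-encoded SHA-256 signature against a public key or certificate file.
 *
 * Fails closed: malformed Base64, an unreadable key file, an OpenSSL error (-1)
 * and an invalid signature (0) all yield false.
 *
 * @param string $data          Bytes that were signed.
 * @param string $signature     Base64-encoded signature.
 * @param string $publicKeyPath Path to the PEM public key or certificate used for verification.
 * @return bool True only when openssl_verify() returns 1.
 */
private function verify($data, $signature, $publicKeyPath)
{
    // Strict decoding rejects characters outside the Base64 alphabet.
    $rawSignature = base64_decode($signature, true);
    if ($rawSignature === false) {
        return false;
    }

    $publicKey = file_get_contents($publicKeyPath);
    if ($publicKey === false) {
        return false;
    }

    return openssl_verify($data, $rawSignature, $publicKey, OPENSSL_ALGO_SHA256) === 1;
}

/**
 * Read a key or keystore file from disk.
 *
 * @param string $fileKeyPath Path of the file to read.
 * @return false|string Raw file contents, or false when the file cannot be read.
 */
public function getKeyContentFromFile($fileKeyPath)
{
    return file_get_contents($fileKeyPath);
}

/**
 * Debug self-test: sign a fixed payload with both configured keystores, verify each
 * signature against the matching configured public key, then dump the results.
 *
 * NOTE(review): dd() ends the request and prints the configured keystore paths and
 * the signatures. This looks like a development aid; confirm the route is not
 * reachable in production.
 *
 * @param Request $request Unused.
 * @return void
 */
public function index(Request $request)
{
    $plainText = "Test";

    // NOTE(review): the payload is hashed here and OPENSSL_ALGO_SHA256 hashes it again
    // inside sign()/verify(), so the signature covers the digest rather than the text.
    // Confirm this matches what the bank expects.
    $digest = hash('sha256', $plainText, true);

    $sign1 = $this->sign(
        $digest,
        config('techcombank.transfer.private_key_1'),
        config('techcombank.transfer.password_key_1')
    );
    $sign2 = $this->sign(
        $digest,
        config('techcombank.transfer.private_key_2'),
        config('techcombank.transfer.password_key_2')
    );

    $verify1 = $this->verify($digest, $sign1, config('techcombank.transfer.public_key_1'));
    $verify2 = $this->verify($digest, $sign2, config('techcombank.transfer.public_key_2'));

    dd(
        config('techcombank.transfer.private_key_1'),
        config('techcombank.transfer.public_key_1'),
        $sign1,
        $verify1,
        config('techcombank.transfer.private_key_2'),
        config('techcombank.transfer.public_key_2'),
        $sign2,
        $verify2
    );
}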