paragonie/certainty 问题修复 & 功能扩展

解决BUG、新增功能、兼容多环境部署,快速响应你的开发需求

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

paragonie/certainty

Composer 安装命令:

composer require paragonie/certainty

包简介

Up-to-date, verifiable repository for Certificate Authorities

README 文档

README

Build Status Latest Stable Version Latest Unstable Version License Downloads

Automate your PHP projects' cacert.pem management. Read the blog post introducing Certainty.

Requires PHP 8.3 or newer. Certainty should work on any operating system (including Windows), although the symlink feature may not function in Virtualbox Shared Folders.

Note

For PHP < 8.3 support, you can use version 2.x of the library instead of v3+.

Who is Certainty meant for?

  • Open source developers with no control over where their code is deployed (e.g. Magento module developers).
  • People whose code might be deployed in weird environments with CACert bundles that are outdated or in unpredictable locations.
  • People who are generally forced between:
    1. Disabling certificate validation entirely, or
    2. Increasing their support burden to deal with corner-cases where suddenly HTTP requests are failing on weird systems

Certainty allows your software to "just work" (which is usually the motivation for disabling certificate validation) without being vulnerable to man-in-the-middle attacks.

Motivation

Many HTTP libraries require you to specify a file path to a cacert.pem file in order to use TLS correctly. Omitting this file means either disabling certificate validation entirely (which enables trivial man-in-the-middle exploits), connection failures, or hoping that your library falls back safely to the operating system's bundle.

In short, the possible outcomes (from best to worst) are as follows:

  1. Specify a cacert file, and you get to enjoy TLS as it was intended. (Secure.)
  2. Omit a cacert file, and the OS maybe bails you out. (Uncertain.)
  3. Omit a cacert file, and it fails closed. (Connection failed. Angry customers.)
  4. Omit a cacert file, and it fails open. (Data compromised. Hurt customers. Expensive legal proceedings.)

Obviously, the first outcome is optimal. So we built Certainty to make it easier to ensure open source projects do this.

Installing Certainty

From Composer:

composer require paragonie/certainty:^3

Certainty will keep certificates up to date via RemoteFetch, so you don't need to update Certainty library just to get fresh CA-Cert bundles. Update only for bugfixes (especially security fixes) and new features.

Non-Supported Use Case:

If you are not using RemoteFetch (which is strongly recommended that you do, and we only provide support for systems that do use RemoteFetch), then you want to use dev-master rather than a version constraint, due to the nature of CA Certificates.

If a major CA gets compromised and their certificates are revoked, you don't want to continue trusting these certificates.

Furthermore, in the event of avoiding RemoteFetch, you should be running composer update at least once per week to prevent stale CA-Cert files from causing issues.

Using Certainty

See the documentation.

What Certainty Does

Certainty maintains a repository of all the cacert.pem files since 2017, along with a sha256sum and Ed25519 signature of each file. When you request the latest bundle, Certainty will check both these values (the latter can only be signed by a key held by Paragon Initiative Enterprises, LLC) for each entry in the JSON value, and return the latest bundle that passes validation.

The cacert.pem files contained within are reproducible from Mozilla's bundle.

How is Certainty different from composer/ca-bundle?

The key differences are:

  • Certainty will keep the CA-Cert bundles on your system up-to-date even if you do not run composer update.
  • We sign our CA-Cert bundles using Ed25519, and check every update into the PHP community Chronicle.

Support Contracts

If your company uses this library in their products or services, you may be interested in purchasing a support contract from Paragon Initiative Enterprises.

paragonie/certainty 适用场景与选型建议

paragonie/certainty 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 2.58M 次下载、GitHub Stars 达 264, 最近一次更新时间为 2017 年 10 月 22 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「ssl」 「tls」 「ca」 「pki」 「certificate authority」 「cacert」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 paragonie/certainty 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 paragonie/certainty 我们能提供哪些服务?
定制开发 / 二次开发

基于 paragonie/certainty 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 2.58M
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 266
  • 点击次数: 30
  • 依赖项目数: 22
  • 推荐数: 4

GitHub 信息

  • Stars: 264
  • Watchers: 11
  • Forks: 18
  • 开发语言: PHP

其他信息

  • 授权协议: ISC
  • 更新时间: 2017-10-22