CertificateDownloader.php 8.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235
  1. #!/usr/bin/env php
  2. <?php declare(strict_types=1);
  3. // load autoload.php
  4. $possibleFiles = [__DIR__.'/../vendor/autoload.php', __DIR__.'/../../../autoload.php', __DIR__.'/../../autoload.php'];
  5. $file = null;
  6. foreach ($possibleFiles as $possibleFile) {
  7. if (\file_exists($possibleFile)) {
  8. $file = $possibleFile;
  9. break;
  10. }
  11. }
  12. if (null === $file) {
  13. throw new \RuntimeException('Unable to locate autoload.php file.');
  14. }
  15. require_once $file;
  16. unset($possibleFiles, $possibleFile, $file);
  17. use GuzzleHttp\Middleware;
  18. use GuzzleHttp\Utils;
  19. use GuzzleHttp\Exception\RequestException;
  20. use Psr\Http\Message\ResponseInterface;
  21. use WeChatPay\Builder;
  22. use WeChatPay\ClientDecoratorInterface;
  23. use WeChatPay\Crypto\AesGcm;
  24. /**
  25. * CertificateDownloader class
  26. */
  27. class CertificateDownloader
  28. {
  29. private const DEFAULT_BASE_URI = 'https://api.mch.weixin.qq.com/';
  30. public function run(): void
  31. {
  32. $opts = $this->parseOpts();
  33. if (!$opts || isset($opts['help'])) {
  34. $this->printHelp();
  35. return;
  36. }
  37. if (isset($opts['version'])) {
  38. static::prompt(ClientDecoratorInterface::VERSION);
  39. return;
  40. }
  41. $this->job($opts);
  42. }
  43. /**
  44. * Before `verifier` executing, decrypt and put the platform certificate(s) into the `$certs` reference.
  45. *
  46. * @param string $apiv3Key
  47. * @param array<string,?string> $certs
  48. *
  49. * @return callable(ResponseInterface)
  50. */
  51. private static function certsInjector(string $apiv3Key, array &$certs): callable {
  52. return static function(ResponseInterface $response) use ($apiv3Key, &$certs): ResponseInterface {
  53. $body = (string) $response->getBody();
  54. /** @var object{data:array<object{encrypt_certificate:object{serial_no:string,nonce:string,associated_data:string}}>} $json */
  55. $json = Utils::jsonDecode($body);
  56. $data = \is_object($json) && isset($json->data) && \is_array($json->data) ? $json->data : [];
  57. \array_map(static function($row) use ($apiv3Key, &$certs) {
  58. $cert = $row->encrypt_certificate;
  59. $certs[$row->serial_no] = AesGcm::decrypt($cert->ciphertext, $apiv3Key, $cert->nonce, $cert->associated_data);
  60. }, $data);
  61. return $response;
  62. };
  63. }
  64. /**
  65. * @param array<string,string|true> $opts
  66. *
  67. * @return void
  68. */
  69. private function job(array $opts): void
  70. {
  71. static $certs = ['any' => null];
  72. $outputDir = $opts['output'] ?? \sys_get_temp_dir();
  73. $apiv3Key = (string) $opts['key'];
  74. $instance = Builder::factory([
  75. 'mchid' => $opts['mchid'],
  76. 'serial' => $opts['serialno'],
  77. 'privateKey' => \file_get_contents((string)$opts['privatekey']),
  78. 'certs' => &$certs,
  79. 'base_uri' => (string)($opts['baseuri'] ?? self::DEFAULT_BASE_URI),
  80. ]);
  81. /** @var \GuzzleHttp\HandlerStack $stack */
  82. $stack = $instance->getDriver()->select(ClientDecoratorInterface::JSON_BASED)->getConfig('handler');
  83. // The response middle stacks were executed one by one on `FILO` order.
  84. $stack->after('verifier', Middleware::mapResponse(static::certsInjector($apiv3Key, $certs)), 'injector');
  85. $stack->before('verifier', Middleware::mapResponse(static::certsRecorder((string) $outputDir, $certs)), 'recorder');
  86. $instance->chain('v3/certificates')->getAsync(
  87. ['debug' => true]
  88. )->otherwise(static function($exception) {
  89. static::prompt($exception->getMessage());
  90. if ($exception instanceof RequestException && $exception->hasResponse()) {
  91. /** @var ResponseInterface $response */
  92. $response = $exception->getResponse();
  93. static::prompt((string) $response->getBody(), '', '');
  94. }
  95. static::prompt($exception->getTraceAsString());
  96. })->wait();
  97. }
  98. /**
  99. * After `verifier` executed, wrote the platform certificate(s) onto disk.
  100. *
  101. * @param string $outputDir
  102. * @param array<string,?string> $certs
  103. *
  104. * @return callable(ResponseInterface)
  105. */
  106. private static function certsRecorder(string $outputDir, array &$certs): callable {
  107. return static function(ResponseInterface $response) use ($outputDir, &$certs): ResponseInterface {
  108. $body = (string) $response->getBody();
  109. /** @var object{data:array<object{effective_time:string,expire_time:string:serial_no:string}>} $json */
  110. $json = Utils::jsonDecode($body);
  111. $data = \is_object($json) && isset($json->data) && \is_array($json->data) ? $json->data : [];
  112. \array_walk($data, static function($row, $index, $certs) use ($outputDir) {
  113. $serialNo = $row->serial_no;
  114. $outpath = $outputDir . \DIRECTORY_SEPARATOR . 'wechatpay_' . $serialNo . '.pem';
  115. static::prompt(
  116. 'Certificate #' . $index . ' {',
  117. ' Serial Number: ' . static::highlight($serialNo),
  118. ' Not Before: ' . (new \DateTime($row->effective_time))->format(\DateTime::W3C),
  119. ' Not After: ' . (new \DateTime($row->expire_time))->format(\DateTime::W3C),
  120. ' Saved to: ' . static::highlight($outpath),
  121. ' You may confirm the above infos again even if this library already did(by Crypto\Rsa::verify):',
  122. ' ' . static::highlight(\sprintf('openssl x509 -in %s -noout -serial -dates', $outpath)),
  123. ' Content: ', '', $certs[$serialNo], '',
  124. '}'
  125. );
  126. \file_put_contents($outpath, $certs[$serialNo]);
  127. }, $certs);
  128. return $response;
  129. };
  130. }
  131. /**
  132. * @param string $thing
  133. */
  134. private static function highlight(string $thing): string
  135. {
  136. return \sprintf("\x1B[1;32m%s\x1B[0m", $thing);
  137. }
  138. /**
  139. * @param string $messages
  140. */
  141. private static function prompt(...$messages): void
  142. {
  143. \array_walk($messages, static function (string $message): void { \printf('%s%s', $message, \PHP_EOL); });
  144. }
  145. /**
  146. * @return ?array<string,string|true>
  147. */
  148. private function parseOpts(): ?array
  149. {
  150. $opts = [
  151. [ 'key', 'k', true ],
  152. [ 'mchid', 'm', true ],
  153. [ 'privatekey', 'f', true ],
  154. [ 'serialno', 's', true ],
  155. [ 'output', 'o', false ],
  156. // baseuri can be one of 'https://api2.mch.weixin.qq.com/', 'https://apihk.mch.weixin.qq.com/'
  157. [ 'baseuri', 'u', false ],
  158. ];
  159. $shortopts = 'hV';
  160. $longopts = [ 'help', 'version' ];
  161. foreach ($opts as $opt) {
  162. [$key, $alias] = $opt;
  163. $shortopts .= $alias . ':';
  164. $longopts[] = $key . ':';
  165. }
  166. $parsed = \getopt($shortopts, $longopts);
  167. if (!$parsed) {
  168. return null;
  169. }
  170. $args = [];
  171. foreach ($opts as $opt) {
  172. [$key, $alias, $mandatory] = $opt;
  173. if (isset($parsed[$key]) || isset($parsed[$alias])) {
  174. $possiable = $parsed[$key] ?? $parsed[$alias] ?? '';
  175. $args[$key] = (string) (\is_array($possiable) ? $possiable[0] : $possiable);
  176. } elseif ($mandatory) {
  177. return null;
  178. }
  179. }
  180. if (isset($parsed['h']) || isset($parsed['help'])) {
  181. $args['help'] = true;
  182. }
  183. if (isset($parsed['V']) || isset($parsed['version'])) {
  184. $args['version'] = true;
  185. }
  186. return $args;
  187. }
  188. private function printHelp(): void
  189. {
  190. static::prompt(
  191. 'Usage: 微信支付平台证书下载工具 [-hV]',
  192. ' -f=<privateKeyFilePath> -k=<apiv3Key> -m=<merchantId>',
  193. ' -s=<serialNo> -o=[outputFilePath] -u=[baseUri]',
  194. 'Options:',
  195. ' -m, --mchid=<merchantId> 商户号',
  196. ' -s, --serialno=<serialNo> 商户证书的序列号',
  197. ' -f, --privatekey=<privateKeyFilePath>',
  198. ' 商户的私钥文件',
  199. ' -k, --key=<apiv3Key> APIv3密钥',
  200. ' -o, --output=[outputFilePath]',
  201. ' 下载成功后保存证书的路径,可选,默认为临时文件目录夹',
  202. ' -u, --baseuri=[baseUri] 接入点,可选,默认为 ' . self::DEFAULT_BASE_URI,
  203. ' -V, --version Print version information and exit.',
  204. ' -h, --help Show this help message and exit.', ''
  205. );
  206. }
  207. }
  208. // main
  209. (new CertificateDownloader())->run();