ID:               42886
 Comment by:       ryan+phpbugs at sleevi dot com
 Reported By:      tokul at users dot sourceforge dot net
 Status:           Assigned
 Bug Type:         OpenSSL related
 Operating System: Linux Debian Etch
 PHP Version:      5CVS-2008-11-01
 Assigned To:      pajoye
 New Comment:

The problem is not resolved in PHP 5.2.6, provided you call it
correctly.

openssl_x509_checkpurpose expects to be able to build a full chain of
certificates to verify its purpose. Furthermore, it expects there to be
a trusted certificate as part of the chain.

When invoked as

var_dump(openssl_x509_checkpurpose(file_get_contents('./certfile.pem'),
X509_PURPOSE_SMIME_SIGN));

this fails, because a chain cannot properly be built to a trusted
root.

My test case involved:
  - Obtaining the Thawte intermediate and root certificates via
http://www.thawte.com/repository/index.html
  - Copying the contents of the Thawte Personal Freemail Issuing CA and
Thawte Personal Freemail CA PEM files from that list into a new file,
called 'chain.pem'. The certs were simply appended one after the other
  - Setting the system time to be during the validity period of the
certificate (2007-10-10 00:00:00 GMT)
  - executing as
var_dump(openssl_x509_checkpurpose(file_get_contents('./certfile.pem'),
X509_PURPOSE_SMIME_SIGN, array('./chain.pem')));
  - I received int(1) as the result

I do not believe the reporter's initial case should be supported.
Purpose checking requires checking each of the CAs that issued the
certificate to make sure there are no purpose constraints. The absence
of the CA certificates makes this impossible, hence the failure.

If one wishes to obtain any X509 certificate extensions for a single
certificate, openssl_x509_parse is able to provide this information.
However, it should not be treated as authoritative, as it does not
reflect the full chain policy being enforced for that certificate.

My OpenSSL version was 0.9.8f, running Linux kernel 2.6.14.6 and PHP
5.2.6. While these versions do differ from the original submission, with
the above explanation, it should provide enough information to see if
this does resolve the situation with purpose verification.
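The behaviour described in this comment, and the gap between `openssl x509 -purpose` and openssl_x509_checkpurpose() shown in the original report further down, can be reproduced without any Thawte material. The script below is an added example, not code from this thread or from PHP itself: it generates a throw-away CA and an end-entity certificate, then calls openssl_x509_checkpurpose() first without and then with the issuing CA supplied as trusted material, and finally shows what openssl_x509_parse() reports for the leaf alone. It assumes the system openssl.cnf carries the stock 'v3_ca' and 'usr_cert' extension sections; the function and variable names are this example's own.

```php
<?php
// Added example, not part of the bug report: build a throw-away CA and a
// leaf certificate, then show that openssl_x509_checkpurpose() only
// succeeds when the issuing CA is supplied as trusted material.
// Assumes the system openssl.cnf has the stock 'v3_ca' and 'usr_cert'
// sections; all names below are this example's own.

// Issue a certificate for $dn. With $caPem === null the CSR is self-signed,
// which is how the CA itself is produced.
function issueCert(array $dn, $caPem, $caKey, $extSection, $serial)
{
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    $csr = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
    // 'x509_extensions' is set explicitly: the [req] section of a stock
    // openssl.cnf points at v3_ca, so a leaf signed with the defaults
    // would otherwise come out with CA:TRUE.
    $cert = openssl_csr_sign($csr, $caPem, $caPem === null ? $key : $caKey, 365, [
        'digest_alg'      => 'sha256',
        'x509_extensions' => $extSection,
    ], $serial);
    openssl_x509_export($cert, $pem);
    return [$pem, $key];
}

list($caPem, $caKey) = issueCert(
    ['commonName' => 'Example Test CA'], null, null, 'v3_ca', 1);
list($leafPem, $leafKey) = issueCert(
    ['commonName' => 'alice', 'emailAddress' => 'alice@example.test'],
    $caPem, $caKey, 'usr_cert', 2);

// The CA goes into a file because the third argument takes file/dir paths.
$chainFile = tempnam(sys_get_temp_dir(), 'chain');
file_put_contents($chainFile, $caPem);

// 1. The reporter's call: leaf only, no trusted material at all.
//    No chain can be built, so this evaluates as false even though the
//    leaf's own extensions permit S/MIME signing.
var_dump(openssl_x509_checkpurpose($leafPem, X509_PURPOSE_SMIME_SIGN));

// 2. Same call with the issuing CA supplied as trusted: the chain builds,
//    the purpose is checked on every certificate in it, and the result
//    evaluates as true.
var_dump(openssl_x509_checkpurpose($leafPem, X509_PURPOSE_SMIME_SIGN, [$chainFile]));

// 3. openssl_x509_parse() reports the leaf's own purpose bits, the same
//    thing 'openssl x509 -purpose' prints. It says nothing about the chain:
//    index 0 is the non-CA answer, index 1 the CA answer, index 2 the name.
$parsed = openssl_x509_parse($leafPem);
var_dump($parsed['purposes'][X509_PURPOSE_SMIME_SIGN]);

unlink($chainFile);
```

Run it with `php example.php`. The first call comes back false and the second true (as bool on current PHP, as int(0)/int(1) on the 5.2 builds discussed in this thread), while the parse output shows the leaf itself flagged as usable for smimesign: exactly the situation the reporter saw, with the missing trust anchor rather than a broken purpose check as the cause.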


Previous Comments:
------------------------------------------------------------------------

[2008-11-18 10:09:50] paj...@php.net

It seems to be a bug in the openssl directly. I have tried with many
different certs and many failed (including the one available in the
openssl's demo directory).

I have to work on other things now; the fix may require duplicating
the x509_verify_cert code (partially or completely).

Tested with 0.9.8g and 0.9.8i.

------------------------------------------------------------------------

[2008-11-01 21:13:07] tokul at users dot sourceforge dot net

php 5.2-200811011530

The test result is the same. It is impossible to verify the purpose of a
certificate, because the function returns an integer value which is
evaluated as false even when the certificate can be used for S/MIME
signatures.

I don't know the options that Thawte used to generate the certificate.
I accepted the default options with 2048-bit encryption for Mozilla
Firefox/Thunderbird.

Here goes already expired certificate used for initial bug report.

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

------------------------------------------------------------------------

[2008-10-31 08:49:37] paj...@php.net

Please provide a sample certificate to reproduce this problem or the
values you used to create a similar certificate.

------------------------------------------------------------------------

[2007-10-08 10:52:55] tokul at users dot sourceforge dot net

Description:
------------
According to the last section of the openssl_x509_checkpurpose() manual
page, the function should return true, false or int(-1). The synopsis
line shows that the function returns an integer.

If I check the public certificate file with the OpenSSL binary (openssl
x509 -purpose -in certfile.pem), it shows the purposes as
----
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
----

If I check it with PHP 
----
var_dump(openssl_x509_checkpurpose(file_get_contents('./certfile.pem'),X509_PURPOSE_SMIME_SIGN));
----
it returns int(0). Int(0) is evaluated as boolean false in PHP.

Tested PHP 5.2.0 and PHP 5.2-dev (200710080830). OpenSSL 0.9.8c (Debian
0.9.8c-4 package). Used Thawte free email certificate for testing.
Certificate is valid from 2007.02.24 till 2008.02.24. System clock is
correct.


Reproduce code:
---------------
var_dump(openssl_x509_checkpurpose(file_get_contents('./certfile.pem'),X509_PURPOSE_SMIME_SIGN));


Expected result:
----------------
bool(true) or int(1)

Actual result:
--------------
int(0)


------------------------------------------------------------------------

