Edit report at https://bugs.php.net/bug.php?id=55820&edit=1
ID: 55820
Comment by: zedwoodnoreply at gmail dot com
Reported by: zedwoodnoreply at gmail dot com
Summary: php openssl csr parser ignores SANs
Status: Analyzed
Type: Bug
Package: OpenSSL related
Operating System: Ubuntu Linux 10.04
PHP Version: 5.3.8
Block user comment: N
Private report: N

New Comment:

Currently, openssl_x509_parse returns the x509v3 extensions, so it would be nice if there was some way to have an openssl_csr_parse that returns both the subject and the extensions and potentially other fields/extensions in the future. Right now the only thing we can extract from a CSR with php is the public key and subject. Thanks.

Previous Comments:
------------------------------------------------------------------------
[2011-09-30 15:57:13] paj...@php.net

hi,

NID_subject_alt_name is not part of the subject name, as returned by the X509_REQ_get_subject_name. As you can see in your openssl command output, we do return the correct value:

Subject: C=US, ST=Utah, L=Lindon, O=Z Widgets, CN=www.example.edu

However I can see a need to fetch extensions (v3 or v2) and we may need to expose X509_get_ext_d2i (or equivalent.

------------------------------------------------------------------------
[2011-09-30 15:46:54] zedwoodnoreply at gmail dot com

openssl req -in sans.csr -noout -text

#output is
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Utah, L=Lindon, O=Z Widgets, CN=www.example.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:d4:5d:10:5d:12:29:12:33:eb:54:7a:f1:9c:b6:
                    52:22:97:4e:06:34:f9:01:f6:c7:df:d0:18:53:c2:
                    7d:5c:91:7a:cc:4b:82:01:cc:ee:37:33:a7:85:47:
                    a0:5f:c6:bd:6d:02:2f:16:71:d3:ec:42:8c:62:17:
                    a1:41:cf:f0:37:3b:7c:dc:27:39:0b:77:c5:99:70:
                    5c:59:c7:ea:88:2a:88:b5:1d:8d:39:d9:82:9c:ab:
                    52:a3:86:69:d4:30:37:c0:80:f5:7d:d9:2a:75:a4:
                    79:1d:be:e0:23:45:ab:d8:74:18:ab:fb:b0:d4:d3:
                    45:ff:38:b5:d6:16:71:9a:1d:dc:99:a5:21:0f:d9:
                    12:95:c4:70:ba:40:b4:8f:a6:e6:47:dd:4b:5a:25:
                    d2:e1:f8:e8:28:13:20:84:7a:a2:5c:b1:00:c3:88:
                    9d:e0:3b:1a:ce:89:92:f0:62:80:bd:b6:57:97:f0:
                    88:79:17:63:03:c1:1d:93:3d:fc:bb:7f:74:2d:ac:
                    81:ba:28:3d:b1:4b:3e:1c:7b:52:6f:89:95:53:66:
                    fa:43:1c:44:e7:35:b8:a9:7f:45:64:ad:46:a9:32:
                    04:ab:db:bb:39:bd:e1:80:e0:89:4d:32:f2:72:2e:
                    65:a7:f5:36:3b:ad:d4:86:62:44:fc:a1:10:06:ba:
                    e2:7f
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:test.example.com, DNS:other.example.com, DNS:www.example.net
    Signature Algorithm: sha1WithRSAEncryption
        ce:9c:7f:b2:c3:f0:ab:67:24:f6:82:dd:86:21:34:c8:86:49:
        e7:50:ea:5f:6d:9b:69:62:7b:b3:7f:1d:7d:7d:49:d6:26:34:
        f1:bb:11:62:1b:2f:fd:c6:92:26:fd:3a:c5:65:da:45:65:5c:
        e6:96:24:db:de:3d:5a:bb:01:f1:21:56:70:b6:ca:dc:0d:6d:
        60:7d:b2:96:b6:54:2c:f6:ad:d3:1f:78:8c:8c:11:66:a3:db:
        40:ee:c5:a4:db:76:30:01:b9:7e:97:10:96:f9:3e:fa:7d:97:
        a5:c7:d2:99:a4:16:09:fd:4e:36:6a:13:a1:ce:9c:14:a3:a0:
        2b:2b:c5:c0:a9:b4:3c:f8:ba:c3:d6:6b:1a:a3:a4:9b:a2:57:
        8f:88:ab:9b:07:05:60:56:58:37:cb:e7:78:bf:a3:a5:1f:d9:
        81:84:46:7a:e1:38:e3:69:40:d5:3d:b0:7a:f7:8c:f6:ac:0c:
        14:d9:50:e2:59:c7:85:b5:e4:c7:8f:f6:39:6e:ca:1a:96:1e:
        75:eb:b4:f5:30:71:82:8f:4b:52:ad:dc:89:c1:db:ab:03:43:
        b0:73:bf:f9:03:68:05:74:dc:8e:86:29:f7:fc:5b:af:94:a2:
        07:c5:9a:00:ae:b3:9a:52:c2:9f:1a:8a:a0:80:0e:da:26:3f:
        9d:37:1d:df

------------------------------------------------------------------------
[2011-09-30 15:45:56] zedwoodnoreply at gmail dot com

Description:
------------
The SANs (Subject Alternative Names) field of a CSR is totally ignored by the CSR parser openssl_csr_get_subject();

Test script:
---------------
<?php
print_r(openssl_csr_get_subject('-----BEGIN CERTIFICATE REQUEST-----
MIIC8jCCAdoCAQAwWzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFV0YWgxDzANBgNV
BAcTBkxpbmRvbjESMBAGA1UEChMJWiBXaWRnZXRzMRgwFgYDVQQDEw93d3cuZXhh
bXBsZS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDUXRBdEikS
M+tUevGctlIil04GNPkB9sff0BhTwn1ckXrMS4IBzO43M6eFR6Bfxr1tAi8WcdPs
QoxiF6FBz/A3O3zcJzkLd8WZcFxZx+qIKoi1HY052YKcq1KjhmnUMDfAgPV92Sp1
pHkdvuAjRavYdBir+7DU00X/OLXWFnGaHdyZpSEP2RKVxHC6QLSPpuZH3UtaJdLh
+OgoEyCEeqJcsQDDiJ3gOxrOiZLwYoC9tleX8Ih5F2MDwR2TPfy7f3QtrIG6KD2x
Sz4ce1JviZVTZvpDHETnNbipf0VkrUapMgSr27s5veGA4IlNMvJyLmWn9TY7rdSG
YkT8oRAGuuJ/AgMBAAGgUjBQBgkqhkiG9w0BCQ4xQzBBMD8GA1UdEQQ4MDaCEHRl
c3QuZXhhbXBsZS5jb22CEW90aGVyLmV4YW1wbGUuY29tgg93d3cuZXhhbXBsZS5u
ZXQwDQYJKoZIhvcNAQEFBQADggEBAM6cf7LD8KtnJPaC3YYhNMiGSedQ6l9tm2li
e7N/HX19SdYmNPG7EWIbL/3Gkib9OsVl2kVlXOaWJNvePVq7AfEhVnC2ytwNbWB9
spa2VCz2rdMfeIyMEWaj20DuxaTbdjABuX6XEJb5Pvp9l6XH0pmkFgn9TjZqE6HO
nBSjoCsrxcCptDz4usPWaxqjpJuiV4+Iq5sHBWBWWDfL53i/o6Uf2YGERnrhOONp
QNU9sHr3jPasDBTZUOJZx4W15MeP9jluyhqWHnXrtPUwcYKPS1Kt3InB26sDQ7Bz
v/kDaAV03I6GKff8W6+UogfFmgCus5pSwp8aiqCADtomP503Hd8=
-----END CERTIFICATE REQUEST-----'));

Expected result:
----------------
Array
(
    [C] => US
    [ST] => Utah
    [L] => Lindon
    [O] => Z Widgets
    [CN] => www.example.edu
    [SANS] => DNS:test.example.com, DNS:other.example.com, DNS:www.example.net
)

Actual result:
--------------
Array
(
    [C] => US
    [ST] => Utah
    [L] => Lindon
    [O] => Z Widgets
    [CN] => www.example.edu
)

------------------------------------------------------------------------
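
Added example (not part of the bug report and not PHP's own code): since openssl_csr_get_subject() returns only the subject DN, code that inspects a CSR has to read the requested extensions itself. The sketch below walks DER by hand and collects the dNSName entries of any subjectAltName extension; der_read, der_children and csr_dns_sans are hypothetical helper names, the sample bytes are constructed to mirror the attributes of the CSR in this report, and PHP 7.4 or later is assumed.

```php
<?php
// Added example; helper names are hypothetical, not part of PHP's OpenSSL extension.
// Read one DER TLV at $pos; returns [tag, content, offset of next TLV].
function der_read(string $der, int $pos): array {
    if ($pos + 2 > strlen($der)) throw new RuntimeException('truncated DER');
    $tag = ord($der[$pos]);
    $len = ord($der[$pos + 1]);
    $pos += 2;
    if ($len & 0x80) {                          // long form: low 7 bits = number of length bytes
        $n = $len & 0x7f;
        if ($n < 1 || $n > 4 || $pos + $n > strlen($der)) throw new RuntimeException('bad length');
        for ($len = 0; $n > 0; $n--) $len = ($len << 8) | ord($der[$pos++]);
    }
    if ($pos + $len > strlen($der)) throw new RuntimeException('truncated DER');
    return [$tag, substr($der, $pos, $len), $pos + $len];
}
// Split the content of a constructed element into [tag, content] pairs.
function der_children(string $content): array {
    $out = [];
    for ($pos = 0; $pos < strlen($content);) {
        [$tag, $val, $pos] = der_read($content, $pos);
        $out[] = [$tag, $val];
    }
    return $out;
}
// Collect dNSName entries from every subjectAltName extension (OID 2.5.29.17) in $der.
function csr_dns_sans(string $der): array {
    $names = [];
    foreach (der_children($der) as [$tag, $val]) {
        if (!($tag & 0x20)) continue;           // primitive value: nothing to descend into
        $kids = der_children($val);
        if ($tag === 0x30 && $kids && $kids[0] === [0x06, "\x55\x1d\x11"]) {
            [$t, $octets] = end($kids);         // extnValue is the last field of an Extension
            if ($t !== 0x04) throw new RuntimeException('extnValue is not an OCTET STRING');
            foreach (der_children(der_children($octets)[0][1]) as [$gt, $gv]) {
                if ($gt === 0x82) $names[] = $gv;   // [2] dNSName
            }
        } else {
            $names = array_merge($names, csr_dns_sans($val));
        }
    }
    return $names;
}
// Constructed sample: the attributes [0] element with the same layout as the report's CSR.
$tlv = fn(int $tag, string $body): string => chr($tag) . chr(strlen($body)) . $body; // bodies < 128 bytes
$gn  = $tlv(0x82, 'test.example.com') . $tlv(0x82, 'other.example.com') . $tlv(0x82, 'www.example.net');
$ext = $tlv(0x30, "\x06\x03\x55\x1d\x11" . $tlv(0x04, $tlv(0x30, $gn)));
$attr = $tlv(0xA0, $tlv(0x30, "\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x09\x0e" . $tlv(0x31, $tlv(0x30, $ext))));
print_r(csr_dns_sans($attr));
```

For a PEM CSR, strip the BEGIN/END lines, base64_decode() the body and pass the resulting DER to csr_dns_sans(); the walker descends from the outer SEQUENCE into the attributes on its own.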