The "openssl_csr_sign" function forces the use of certificate request specifications in the 'openssl.cnf' (configuration) file, and completely ignores the extension sections passed in the "configargs" array.
The (CA) signing functions allow for configuration extensions that are not defined nor used in generating the certificate request, but "openssl_csr_sign" does not provide for this, forcing the use of the request extensions:

    if (req.request_extensions_section) {
        X509V3_CTX ctx;

        X509V3_set_ctx(&ctx, cert, new_cert, csr, NULL, 0);
        X509V3_set_conf_lhash(&ctx, req.req_config);
        if (!X509V3_EXT_add_conf(req.req_config, &ctx, req.request_extensions_section, new_cert)) {
            goto cleanup;
        }
    }

just before signing the certificate request.

Setting the "configargs" array that the "openssl_csr_sign" function supposedly provides for the PHP programmer to OVERRIDE definitions in the OpenSSL configuration file doesn't appear to be picked up or used:

(debug output from modified openssl.c showing "req_extensions" from "req" section of configuration file)

    req.section_name: req
    req.config_filename: /usr/local/ssl/openssl.cnf2
    req.digest_name: (null)
    req.extensions_section: (null)
    req.request_extensions_section: v3_req

(PHP program fragment with "openssl_csr_sign" call)

    $configargs = array("req_extensions"  => "ssl_only_IT_server_cert",
                        "x509_extensions" => "ssl_only_IT_server_cert");
    $usercert = openssl_csr_sign($csr, $cacert, $caprivkey, 365, $configargs);

Using the OpenSSL CA.sh script, modified with desired extension sections, works just fine in signing a certificate and adding the specific extensions, which are NOT present in the certificate request.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
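The following PHP script is an added example, not code from the post above or from PHP's own sources. It reproduces the scenario being reported so the behaviour can be checked on a given PHP build: a CA signs a CSR that carries no extensions of its own, "x509_extensions" is passed through $configargs, and the signed certificate is parsed to see whether the named section was applied. The openssl.cnf contents, DN values and key size are constructed for this check; only the section name "ssl_only_IT_server_cert" is taken from the post. The config deliberately sets no req_extensions, so on a build where the quoted openssl.c fragment is the only place extensions are added (it consults only req.request_extensions_section), the signed certificate would come out with no extensions, while a build that honours the "x509_extensions" override will produce a certificate with extendedKeyUsage = serverAuth.

```php
<?php
// Added example: does openssl_csr_sign() honour the "x509_extensions"
// key in $configargs? The config below is constructed for this check.

function write_test_config(): string {
    // No req_extensions in [req]: the CSR is generated without extensions,
    // so anything that appears in the signed cert must come from the override.
    $cnf = <<<'CNF'
[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ ssl_only_IT_server_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
CNF;
    $path = tempnam(sys_get_temp_dir(), 'cnf');
    file_put_contents($path, $cnf);
    return $path;
}

// Build a throwaway CA, sign a bare server CSR with the override, and
// return the extensions found in the resulting certificate.
function sign_with_override(string $cnfPath): array {
    $keyArgs = [
        'config'           => $cnfPath,
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ];

    // Self-signed CA certificate (serial 1), extensions from [v3_ca].
    $caKey  = openssl_pkey_new($keyArgs);
    $caCsr  = openssl_csr_new(['commonName' => 'Test CA'], $caKey, ['config' => $cnfPath]);
    $caCert = openssl_csr_sign($caCsr, null, $caKey, 365,
        ['config' => $cnfPath, 'x509_extensions' => 'v3_ca'], 1);

    // Server CSR with no extensions of its own (hostname is constructed).
    $srvKey = openssl_pkey_new($keyArgs);
    $srvCsr = openssl_csr_new(['commonName' => 'server.example.test'], $srvKey, ['config' => $cnfPath]);

    // The call under test: extensions are supposed to come from the
    // override section, which is NOT present in the request.
    $srvCert = openssl_csr_sign($srvCsr, $caCert, $caKey, 365,
        ['config' => $cnfPath, 'x509_extensions' => 'ssl_only_IT_server_cert'], 2);
    if ($srvCert === false) {
        throw new RuntimeException('openssl_csr_sign failed: ' . openssl_error_string());
    }

    $parsed = openssl_x509_parse($srvCert);
    return $parsed['extensions'] ?? [];
}

// True only if the override section's extendedKeyUsage made it into the cert.
function override_applied(array $exts): bool {
    return isset($exts['extendedKeyUsage'])
        && strpos($exts['extendedKeyUsage'], 'TLS Web Server Authentication') !== false;
}

$cnf  = write_test_config();
try {
    $exts = sign_with_override($cnf);
} finally {
    unlink($cnf);
}

printf("extensions in signed cert: %s\n", json_encode(array_keys($exts)));
echo override_applied($exts)
    ? "x509_extensions override from configargs was applied\n"
    : "override ignored: no extensions from ssl_only_IT_server_cert in the cert\n";
```

Run it with `php check_csr_sign.php` (any filename will do) against the PHP build in question; the printed list of extension names is the evidence either way, and the same parsed array can be inspected for keyUsage and basicConstraints if the extendedKeyUsage check alone is not convincing.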