php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #34261 openssl_pkcs7_verify returns FALSE for msg that is correct
Submitted: 2005-08-25 22:17 UTC Modified: 2006-08-15 20:06 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: arnaud dot bertrand at apvsys dot org Assigned: wez (profile)
Status: Not a bug Package: OpenSSL related
PHP Version: 5CVS-2005-08-28 OS: *
Private report: No CVE-ID: None
View Developer Edit
 [2005-08-25 22:17 UTC] arnaud dot bertrand at apvsys dot org 
Description:
------------
Context:
A message "msg.txt" was signed the 01-01-2005 with a certificate expired the 03-03-2005. It is a valid signed message.

If the system date is 02-02-2005,the openssl_pkcs7_verify function applied to this "msg.txt" returns TRUE. It means it is a valid message

If you change the system date to 04-04-2005 (date after the expiration date of the certificate), the openssl_pkcs7_verify function applied to this "msg.txt" returns FALSE! Without any other information. 

But it is not correct because at the moment of the signature, it was correct.




Reproduce code:
---------------
$filename="/tmp/msg.txt";
$lCertT=array("/tmp/certifdir","/tmp/certifdir/thawte_freemail.cer");
$tmp_cert = tempnam ("", "crt");
$res = openssl_pkcs7_verify($filename, 0, $tmp_cert, $lCertT);
if (!$res) {
    echo("Digital Signature BAD!<br>\n");
}
else if ($res === -1) {
    echo("Error ...");
}
else {
    echo("Digital Signature OK!<br>\n");
    $cert_info = openssl_x509_parse("file://$tmp_cert");
    var_dump($cert_info);
}

		
		

Expected result:
----------------
We expect to have result independent of the current date.. or at least, to have information that at the signature time, the message was correct but was signed with a certificate that is expired today.

Another possibility could be: to foressen an extra parameter to the function to pass the date of the validation.

If you check the same message with an e-mail client (e.g. thunderbird), it will say that the message was correctly signed with a valid certificate... whatever the current date is.



Actual result:
--------------
Validation result depends of the system date

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-08-26 16:34 UTC] sniper@php.net 
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip
 [2005-08-28 10:35 UTC] arnaud dot bertrand at apvsys dot org 
Thank for your fast answer,

I've just tried with the latest win32 version (begin of the phpinfo() follows). 

Result is unfortunately identical with the latest version.
The bug is still in.

phpinfo()
PHP Version 5.1.0-dev 

System  Windows NT EULER 5.1 build 2600  
Build Date  Aug 28 2005 08:23:12  
Configure Command  cscript /nologo configure.js "--enable-snapshot-build" "--with-gd=shared"  
Server API  Apache 2.0 Handler  
Virtual Directory Support  enabled  
Configuration File (php.ini) Path  C:\php\php.ini  
PHP API  20041225  
PHP Extension  20050617  
Zend Extension  220050617  
Debug Build  no  
Thread Safety  enabled  
Zend Memory Manager  enabled  
IPv6 Support  enabled  
Registered PHP Streams  php, file, http, ftp, compress.zlib, https, ftps  
Registered Stream Socket Transports  tcp, udp, ssl, sslv3, sslv2, tls  
Registered Stream Filters  convert.iconv.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, zlib.*
 [2005-09-07 16:27 UTC] sniper@php.net 
Can you please provide a full reproducing case with all the required files included?
 [2005-09-10 01:21 UTC] arnaud dot bertrand at apvsys dot org 
Hi,

here is the full testcase:

http://www.apvsys.org/testcase.tgz

Download this file and extract it in /
The 3 files will be extracted in /tmp

tmp/thawte_freemail.cer
tmp/msg.txt
tmp/testcase.php

just execute testcase.php at the current time:
you will get:
Digital Signature BAD!

Now, change the system date to 9/9/2004
rexecute it...
Now the message is valid and you should get:
Digital Signature OK!
array(11) { ["name"]=> string(65) "/CN=Thawte Freemail Member/emailAddress=arnaud.bertrand@n-tech.be" (...)
 [2005-09-21 12:07 UTC] sniper@php.net 
Assigned to the maintainer.
 [2006-08-15 20:06 UTC] pajoye@php.net 
Cannot reproduce with 5.2-cvs or 5.1 (windows, linux and bsd, openssl 0.9.8a).
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Nov 29 13:00:01 2025 UTC