Request #48520 openssl_csr_new should allow multiple values/fields in dn
Submitted: 2009-06-10 16:23 UTC Modified: 2023-12-21 19:14 UTC
Votes: 13
Avg. Score: 4.4 ± 1.4
Reproduced: 10 of 11 (90.9%)
Same Version: 1 (10.0%)
Same OS: 4 (40.0%)
From: php at divinehawk dot com Assigned: bukka (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.2.9 OS: *
Private report: No CVE-ID: None
 [2009-06-10 16:23 UTC] php at divinehawk dot com
Description:
------------
With the latest 5.2 (and trunk), you can't have multiple fields with the same name in the DN.

E.g. it's impossible to produce CN=server, OU=Company, OU=Division, OU=Sector, O=Organization

Reproduce code:
---------------
<?php
// DN with three organizationalUnitName (OU) values
$dn = array("commonName" => "server",
            "organizationalUnitName" => array("Company", "Division", "Section"),
            "organizationName" => "Organization",
);

$privkey = openssl_pkey_new();
$csr = openssl_csr_new($dn, $privkey);   // the array value triggers "Array to string conversion"

openssl_csr_export($csr, $csrout);
file_put_contents("test.csr", $csrout);


Expected result:
----------------
openssl req -in test.csr -noout -subject

subject=/CN=server/OU=Company/OU=Division/OU=Section/O=Organization

Actual result:
--------------
PHP Notice:  Array to string conversion in /var/www/html/bug/cert.php on line 9

Then:

openssl req -in test.csr -noout -subject

subject=/CN=server/OU=Array/O=Organization

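The failure mode above (an OU silently encoded as the literal string "Array") is only caught if the subject is read back and compared with what was requested. The following is an added example, not code from this report or from php-src; it assumes a PHP build in which openssl_csr_new() accepts a list of strings for one attribute (the change tracked by the pull request linked later in this report), and it uses constructed sample DN values. On a build without that change the round-trip check throws instead of a malformed CSR reaching a CA.

```php
<?php
// Added example, not code from the bug report or from php-src. Assumes a PHP
// build whose openssl_csr_new() accepts a list of strings per DN attribute;
// on older builds the round-trip check below reports the "Array" subject.
// All DN values are constructed samples.

// Accept only attribute-name => string, or attribute-name => list of strings.
// Nested arrays, objects or ints would be stringified; an array becomes the
// literal "Array" that this report describes.
function dn_is_wellformed(array $dn): bool
{
    foreach ($dn as $attr => $value) {
        if (!is_string($attr) || $attr === '') {
            return false;
        }
        foreach (is_array($value) ? $value : [$value] as $v) {
            if (!is_string($v) || $v === '') {
                return false;
            }
        }
    }
    return true;
}

// Normalise a subject array (the request, or openssl_csr_get_subject() output)
// to attribute => list-of-strings so both sides compare position by position.
function dn_normalize(array $dn): array
{
    $out = [];
    foreach ($dn as $attr => $value) {
        $out[$attr] = array_values(is_array($value) ? $value : [$value]);
    }
    return $out;
}

// List every requested attribute whose values in the CSR differ from the
// request; an empty list means the CSR subject carries what was asked for.
// Attributes added from openssl.cnf defaults are deliberately not flagged.
function subject_mismatches(array $requested, array $actual): array
{
    $want = dn_normalize($requested);
    $got  = dn_normalize($actual);
    $problems = [];
    foreach ($want as $attr => $values) {
        if (!isset($got[$attr]) || $got[$attr] !== $values) {
            $problems[] = sprintf('%s: requested [%s], CSR has [%s]',
                $attr, implode(', ', $values), implode(', ', $got[$attr] ?? []));
        }
    }
    return $problems;
}

// Generate a key and CSR for $dn and verify the subject before handing it out.
function build_verified_csr(array $dn): string
{
    if (!dn_is_wellformed($dn)) {
        throw new InvalidArgumentException('DN must map attribute names to non-empty strings or lists of them');
    }
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    $csr = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
    if ($csr === false) {
        throw new RuntimeException('CSR generation failed: ' . openssl_error_string());
    }
    // use_shortnames=false returns long names (commonName, ...) matching the request keys
    $problems = subject_mismatches($dn, openssl_csr_get_subject($csr, false));
    if ($problems !== []) {
        throw new RuntimeException("CSR subject does not match request:\n  " . implode("\n  ", $problems));
    }
    openssl_csr_export($csr, $pem);
    return $pem;
}

// Constructed sample: the DN from this report, with three OU values.
$dn = [
    'commonName'             => 'server',
    'organizationalUnitName' => ['Company', 'Division', 'Section'],
    'organizationName'       => 'Organization',
];
echo build_verified_csr($dn);
```

Run it with `php script.php`. With the fix in place it prints the PEM CSR; without it, the "Array to string conversion" notice is followed by an exception naming the attribute, e.g. `organizationalUnitName: requested [Company, Division, Section], CSR has [Array]`. Only requested attributes are compared because openssl_csr_new() can add defaults (such as a countryName) from the req_distinguished_name section of the active openssl.cnf; if your policy forbids those, extend the comparison to the keys present only in the read-back subject.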
History

 [2009-06-10 16:25 UTC] php at divinehawk dot com
Patch:

--- php-5.2.9/ext/openssl/openssl.c.orig	2009-06-10 06:55:27.000000000 -0400
+++ php-5.2.9/ext/openssl/openssl.c	2009-06-10 06:56:56.000000000 -0400
@@ -1707,7 +1707,9 @@
 		CONF_VALUE * v;
 		X509_NAME * subj;
 		HashPosition hpos;
+		HashPosition subhpos;
 		zval ** item;
+		zval ** subitem;
 		
 		subj = X509_REQ_get_subject_name(csr);
 		/* apply values from the dn hash */
@@ -1719,6 +1721,32 @@
 			
 			zend_hash_get_current_key_ex(HASH_OF(dn), &strindex, &strindexlen, &intindex, 0, &hpos);
 
+			if(Z_TYPE_PP(item) == IS_ARRAY && strindex)
+			{
+				/* multi-value string */
+				int nid;
+				nid = OBJ_txt2nid(strindex);
+					
+				if (nid != NID_undef) {
+					zend_hash_internal_pointer_reset_ex(HASH_OF(*item), &subhpos);
+					while(zend_hash_get_current_data_ex(HASH_OF(*item), (void**)&subitem, &subhpos) == SUCCESS)
+					{	 
+						convert_to_string_ex(subitem);
+						if (!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_ASC, 
+								(unsigned char*)Z_STRVAL_PP(subitem), -1, -1, 1))
+						{
+							php_error_docref(NULL TSRMLS_CC, E_WARNING, "dn: add_entry_by_NID %d -> %s (failed)", nid, Z_STRVAL_PP(subitem));
+							return FAILURE;
+						}
+						zend_hash_move_forward_ex(HASH_OF(dn), &subhpos);
+					}
+				} else {
+					php_error_docref(NULL TSRMLS_CC, E_WARNING, "dn: %s is not a recognized name", strindex);
+				}
+				zend_hash_move_forward_ex(HASH_OF(dn), &hpos);
+				continue;
+			}
+
 			convert_to_string_ex(item);
 
 			if (strindex) {
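Review bot: the inner iterator is advanced on the wrong hash table. `zend_hash_move_forward_ex(HASH_OF(dn), &subhpos);` passes the outer `dn` hash while `subhpos` is a position inside `HASH_OF(*item)`, the table that was reset and is being read two lines earlier; it should be `zend_hash_move_forward_ex(HASH_OF(*item), &subhpos);`, regardless of whether the current zend_hash implementation happens to tolerate it. Two smaller points in the same block: the error paths are inconsistent, since an unrecognized attribute name (`nid == NID_undef`) only warns and the key is skipped with `continue`, whereas an `X509_NAME_add_entry_by_NID` failure returns FAILURE, so a typo in a key silently yields a CSR missing that field; and `convert_to_string_ex(subitem)` still turns a nested array element into the string "Array" with a notice, so the branch should reject non-scalar sub-values explicitly instead of encoding them into the subject.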
 [2009-06-10 16:29 UTC] pajoye@php.net
Thanks for your work :)

We need a patch against 5.3+ as well as test cases.

PHP 5.2 won't get new features (only bug fixes).


 [2009-06-10 18:38 UTC] php at divinehawk dot com
Patch against 5.3

--- openssl.c	20 Apr 2009 09:44:29 -0000	1.98.2.5.2.41.2.29
+++ openssl.c	10 Jun 2009 18:36:57 -0000
@@ -1998,7 +1998,9 @@
 		CONF_VALUE * v;
 		X509_NAME * subj;
 		HashPosition hpos;
+		HashPosition subhpos;
 		zval ** item;
+		zval ** subitem;
 		
 		subj = X509_REQ_get_subject_name(csr);
 		/* apply values from the dn hash */
@@ -2010,6 +2012,29 @@
 			
 			zend_hash_get_current_key_ex(HASH_OF(dn), &strindex, &strindexlen, &intindex, 0, &hpos);
 
+			if(Z_TYPE_PP(item) == IS_ARRAY && strindex) {
+				/* multi-value string */
+				int nid;
+				nid = OBJ_txt2nid(strindex);
+					
+				if (nid != NID_undef) {
+					zend_hash_internal_pointer_reset_ex(HASH_OF(*item), &subhpos);
+					while(zend_hash_get_current_data_ex(HASH_OF(*item), (void**)&subitem, &subhpos) == SUCCESS) {	 
+						convert_to_string_ex(subitem);
+						if (!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_ASC, 
+								(unsigned char*)Z_STRVAL_PP(subitem), -1, -1, 1)) {
+							php_error_docref(NULL TSRMLS_CC, E_WARNING, "dn: add_entry_by_NID %d -> %s (failed)", nid, Z_STRVAL_PP(subitem));
+							return FAILURE;
+						}
+						zend_hash_move_forward_ex(HASH_OF(dn), &subhpos);
+					}
+				} else {
+					php_error_docref(NULL TSRMLS_CC, E_WARNING, "dn: %s is not a recognized name", strindex);
+				}
+				zend_hash_move_forward_ex(HASH_OF(dn), &hpos);
+				continue;
+			}
+
 			convert_to_string_ex(item);
 
 			if (strindex) {
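Review bot: the 5.3 hunk carries the same defect as the 5.2 one: `zend_hash_move_forward_ex(HASH_OF(dn), &subhpos);` should advance `HASH_OF(*item)`, the table `subhpos` actually points into, not the outer `dn` hash. The unrecognized-name path (warn and `continue`) and the add-entry failure path (`return FAILURE`) are still inconsistent, and a nested array sub-value still becomes the string "Array" via `convert_to_string_ex(subitem)`. The patch also adds no test under ext/openssl/tests, although a test case was asked for in the previous comment; a .phpt that builds a CSR with several OU values and checks `openssl_csr_get_subject()` returns them all, plus one for a non-string sub-value, would cover both the feature and the error path.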
 [2010-07-25 17:43 UTC] nirfri at hotmail dot com
This patch doesn't work on multiple CNs.

"commonName" => array("test2", "test")

Is this fixed in 5.3.2?
 [2017-10-24 07:30 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: pajoye +Assigned To:
 [2022-01-18 19:44 UTC] connum at gmail dot com
13 years on, and it's still not possible to generate a CSR with multiple values for a designated name?

They can be decoded using openssl_csr_get_subject() perfectly, but using that same array as dn input to create a new CSR still results in "Array to string conversion" (at least in PHP 7.4.27 I'm using right now).
 [2023-12-20 16:08 UTC] bukka@php.net
-Summary: openssl_csr_new does not allow multiple values/field in dn +Summary: openssl_csr_new should allow multiple values/fields in dn -Type: Bug +Type: Feature/Change Request
 [2023-12-20 16:24 UTC] bukka@php.net
The following pull request has been associated:

Patch Name: Implement request #48520: openssl_csr_new - allow multiple values in DN
On GitHub:  https://github.com/php/php-src/pull/12984
Patch:      https://github.com/php/php-src/pull/12984.patch
 [2023-12-21 19:14 UTC] bukka@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: bukka
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 06:01:29 2024 UTC