Request #40046 OpenSSL CRL generation support
Submitted: 2007-01-06 20:59 UTC Modified: 2020-03-10 10:44 UTC
Votes:77
Avg. Score:4.8 ± 0.6
Reproduced:62 of 62 (100.0%)
Same Version:22 (35.5%)
Same OS:19 (30.6%)
From: mbechler at eenterphace dot org Assigned:
Status: Suspended Package: OpenSSL related
PHP Version: * OS:
Private report: No CVE-ID: None
 [2007-01-06 20:59 UTC] mbechler at eenterphace dot org
Description:
------------
Requesting inclusion of CRL generation support in the OpenSSL extension. Patch has been submitted to php.internals.

Having CRL support would be nice for creating CA applications in PHP. I've tried to do it in a standalone extension but that does not integrate very well with ext/openssl's certificate functions.


 [2007-01-06 22:00 UTC] pajoye@php.net
The patch you sent to the list:
http://pecl.php.net/~pierre/ext-openssl-crl.patch
 [2007-01-07 02:26 UTC] mbechler at eenterhace dot org
When trying to use the functionality in a real world scenario I noticed problems with this patch. My FastCGI processes are throwing errors like this *** corrupted double-linked list: 0x08a135f0 *** while it is working nicely when run from the command line. I could not get any helpful information yet by debugging, but this one is definitely not ready for inclusion. I'm trying to figure out what's wrong, but I am thankful for any help provided.
 [2007-01-07 02:47 UTC] mbechler at eenterphace dot org
Ok, finally found the bug - new patch is here:
http://mbechler.eenterphace.org/ext-openssl-crl.patch
 [2007-08-03 11:37 UTC] pajoye@php.net
Add the note here too :)

Please provide some test cases as well, including the required data (if any).
 [2007-09-23 19:51 UTC] pajoye@php.net
From Moritz Bechler:

It took some time - but I now managed to put together some test cases
(which hopefully can also serve as examples). I noticed that the current
"openssl_x509_checkpurpose" function does not allow for passing
verification flags so I introduced a new function "openssl_x509_check"
(verify might be better but might cause confusion with openssl_verify)
which does pretty much the same thing but takes a flags parameter which
can be used to enable CRL checking and some other checking features
which I did not test yet. I chose to add a new function because a)
adding the argument to the end forces passing two (one unused in most
cases) optional arguments b) _checkpurpose is a bit too specific. I hope
that approach is okay.

The updated patch is at
http://mbechler.eenterphace.org/php6-openssl-crl.patch
and the phpt and required data (needs a small CA, included files are
valid for 5 years) at
http://mbechler.eenterphace.org/php6-openssl-crl-tests.tar.bz2


I noted my test fails (even for ascii filenames) when run in unicode
mode which is a result of
this check in php_openssl_x509_from_zval:

if (!(Z_TYPE_PP(val) == IS_STRING || Z_TYPE_PP(val) == IS_OBJECT)) {
   return NULL;
}

maybe I'll find some time to have a look at proper filesystem encoding
conversions for ext/openssl.
 [2010-02-15 09:07 UTC] cnyegle at gmail dot com
Will the patch be merged into PHP? It's two years after the last modification of this issue.
 [2010-04-12 17:50 UTC] pm at datasphere dot ch
I'm also very interested in having this feature supported in the PHP standards. Can I expect to see it available soon?
 [2010-12-20 14:19 UTC] jani@php.net
-Package: Feature/Change Request
+Package: OpenSSL related
-PHP Version: 5.2.1RC2
+PHP Version: *
 [2011-05-27 00:51 UTC] rsmaia at gmail dot com
I am waiting for this patch too. Would be great to see this patch applied into PHP core.
+1 for this improvement!
 [2015-09-19 22:19 UTC] ukrbublik at gmail dot com
For those who are looking for pure PHP implementation of CRL generation, you can check mine, for example :)
https://github.com/ukrbublik/openssl_x509_gencrl
 [2016-12-12 17:58 UTC] yehuda at ymkatz dot net
This has been sitting for a long time. Any chance of it making it in?
 [2017-01-26 13:42 UTC] info-bugs dot php at ch2o dot info
Why not include this functionality?
 [2017-10-24 07:33 UTC] kalle@php.net
-Status: Assigned
+Status: Open
-Assigned To: pajoye
+Assigned To:
 [2020-03-10 10:44 UTC] cmb@php.net
-Status: Open
+Status: Suspended
 [2020-03-10 10:44 UTC] cmb@php.net
This should be discussed on the internals mailing list[1], and
might require the RFC process[2].  Anybody who is interested in
having it integrated into the OpenSSL extension is welcome to start
this discussion.  For the time being, I'm suspending this ticket.

[1] <https://www.php.net/mailing-lists.php#internals>
[2] <https://wiki.php.net/rfc/howto>
 
Last updated: Tue Nov 26 07:01:30 2024 UTC