php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #64501 openssl cannot work with non-default engines/algos
Submitted: 2013-03-24 10:44 UTC Modified: 2021-01-12 17:57 UTC
Votes:8
Avg. Score:4.4 ± 0.9
Reproduced:6 of 6 (100.0%)
Same Version:1 (16.7%)
Same OS:0 (0.0%)
From: eugene at zhegan dot in Assigned: cmb (profile)
Status: Closed Package: OpenSSL related
PHP Version: Irrelevant OS: irrelevant
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: eugene at zhegan dot in
New email:
PHP Version: OS:

 

 [2013-03-24 10:44 UTC] eugene at zhegan dot in
Description:
------------
openssl extension cannot work with non-default engines/algos, for example GOST.

I have a set of openssl 1.0.1x binaries on various OSes, including Linux Debian Wheezy, Solaris 10 x86, Solaris 11 x86, Solaris 11.1. x86. I have a GOST-enabled configuration file, containing a set of parameters:

openssl_conf = openssl_def

[openssl_def]
oid_section             = new_oids
engines                 = engine_section

[engine_section]
gost = gost_section

[gost_section]
engine_id = gost
dynamic_path = /usr/local/openssl/lib/engines/libgost.so
default_algorithms = ALL

All of my openssl console utilities are able to create certificates and private keys using GOST engine/algos and sign/verify S/MIME with it:

OPENSSL_CONF=/usr/local/openssl/ssl/openssl-gost.cnf
export OPENSSL_CONF

/usr/local/openssl/bin/openssl req -x509 -engine gost -newkey GOST2001:gost2001.parfile -keyout key.pem -out cert.pem -nodes
(file is created)

/usr/local/openssl/bin/openssl req -x509 -engine gost -newkey GOST2001:gost2001.parfile -keyout key.pem -out cert.pem -nodes
(certificate is created)

/usr/local/openssl/bin/openssl cms -sign -signer cert.pem -inkey key.pem -in msg.txt -out signed.txt
(S/MIME is signed)

None of my PHP binaries, built with same openssl libraries are capable of using such engine/algo. They all complain about non-supported algorithm.

Not only one openssl_pkcs7_sign() is affected, but the whole set of openssl_* calls. The same thing applies to loading and testing private keys using PHP and openssl_pkey_get_private() call and so on.

This is reproducible on various PHP versions, including 5.3.23, 5.4.11, 5.4.12 and so on.

This is related to bugs:

https://bugs.php.net/bug.php?id=63992
https://bugs.php.net/bug.php?id=60157
https://bugs.php.net/bug.php?id=54473

Further investigation using truss/strace/ktrace OS-specific utilities shows that OPENSSL_CONF environment variable is totally ignored, at least I don't see any open() on a file pointed with OPENSSL_CONF variable. Furthermore, if being used inside a default configuration file, this does nothing, because it's totally ignored by the PHP, thus only defaults are used.

Test script:
---------------
<?php

if (openssl_pkcs7_sign("./msg.txt", "phpsigned.txt", 'file://'.realpath('./cert.pem'),
    array('file://'.realpath('./key.pem'), ""),
    array("To" => "joes@example.com", // keyed syntax
          "From: HQ <ceo@example.com>", // indexed syntax
          "Subject" => "Eyes only")
    )) {
} else {
    echo openssl_error_string(), "\n";
}
?>

Expected result:
----------------
This code should produce a valid S/MIME file.

Actual result:
--------------
This code now produces a set of errors and warnings:

# php sign.php
PHP Warning:  openssl_pkcs7_sign(): error getting private key in /home/emz/openssl/sign.php on line 8
error:0606F076:digital envelope routines:EVP_PKCS82PKEY:unsupported private key algorithm

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-12-03 16:11 UTC] dab1818 at gmail dot com
i have same problem on different systems.
on some systems openssl configuration loaded and works with GOST, on others - not.

simple test to check is:
strace php -m 2>&1 |grep openssl.cnf
open("/etc/ssl/openssl.cnf", O_RDONLY|O_LARGEFILE) = 3
      ^^^^^^^^^^^^^^^^^^^^ if it opened - all works fine.

also tested with patches from related bugs, which forces loading openssl configuration (OPENSSL_config & etc...) :
on some systems php throws "GOST engine already loaded" and
'open("/etc/ssl/openssl.cnf", O_RDONLY|O_LARGEFILE) = 3' appears twice.

php curl extension.
depending on the version of curl library it loads openssl configuration itself (7.5x - loads, 7.3x - not).
"curl" initialized before "openssl" extension (alphabetically?) and all works fine.

another workaround for this bug?
upgrade curl to 7.5x and enable php curl extension?
 [2021-01-12 17:57 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2021-01-12 17:57 UTC] cmb@php.net
This is fixed[1] as of PHP 7.2.0.

[1] <https://github.com/php/php-src/commit/1f843a8fb50de77a3f53a6b892a46d9e0afdfdd7>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 06:01:30 2024 UTC