|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2013-03-24 10:44 UTC] eugene at zhegan dot in
Description: ------------ openssl extension cannot work with non-default engines/algos, for example GOST. I have a set of openssl 1.0.1x binaries on various OSes, including Linux Debian Wheezy, Solaris 10 x86, Solaris 11 x86, Solaris 11.1. x86. I have a GOST-enabled configuration file, containing a set of parameters: openssl_conf = openssl_def [openssl_def] oid_section = new_oids engines = engine_section [engine_section] gost = gost_section [gost_section] engine_id = gost dynamic_path = /usr/local/openssl/lib/engines/libgost.so default_algorithms = ALL All of my openssl console utilities are able to create certificates and private keys using GOST engine/algos and sign/verify S/MIME with it: OPENSSL_CONF=/usr/local/openssl/ssl/openssl-gost.cnf export OPENSSL_CONF /usr/local/openssl/bin/openssl req -x509 -engine gost -newkey GOST2001:gost2001.parfile -keyout key.pem -out cert.pem -nodes (file is created) /usr/local/openssl/bin/openssl req -x509 -engine gost -newkey GOST2001:gost2001.parfile -keyout key.pem -out cert.pem -nodes (certificate is created) /usr/local/openssl/bin/openssl cms -sign -signer cert.pem -inkey key.pem -in msg.txt -out signed.txt (S/MIME is signed) None of my PHP binaries, built with same openssl libraries are capable of using such engine/algo. They all complain about non-supported algorithm. Not only one openssl_pkcs7_sign() is affected, but the whole set of openssl_* calls. The same thing applies to loading and testing private keys using PHP and openssl_pkey_get_private() call and so on. This is reproducible on various PHP versions, including 5.3.23, 5.4.11, 5.4.12 and so on. This is related to bugs: https://bugs.php.net/bug.php?id=63992 https://bugs.php.net/bug.php?id=60157 https://bugs.php.net/bug.php?id=54473 Further investigation using truss/strace/ktrace OS-specific utilities shows that OPENSSL_CONF environment variable is totally ignored, at least I don't see any open() on a file pointed with OPENSSL_CONF variable. Furthermore, if being used inside a default configuration file, this does nothing, because it's totally ignored by the PHP, thus only defaults are used. Test script: --------------- <?php if (openssl_pkcs7_sign("./msg.txt", "phpsigned.txt", 'file://'.realpath('./cert.pem'), array('file://'.realpath('./key.pem'), ""), array("To" => "joes@example.com", // keyed syntax "From: HQ <ceo@example.com>", // indexed syntax "Subject" => "Eyes only") )) { } else { echo openssl_error_string(), "\n"; } ?> Expected result: ---------------- This code should produce a valid S/MIME file. Actual result: -------------- This code now produces a set of errors and warnings: # php sign.php PHP Warning: openssl_pkcs7_sign(): error getting private key in /home/emz/openssl/sign.php on line 8 error:0606F076:digital envelope routines:EVP_PKCS82PKEY:unsupported private key algorithm PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sat May 03 18:01:30 2025 UTC |
i have same problem on different systems. on some systems openssl configuration loaded and works with GOST, on others - not. simple test to check is: strace php -m 2>&1 |grep openssl.cnf open("/etc/ssl/openssl.cnf", O_RDONLY|O_LARGEFILE) = 3 ^^^^^^^^^^^^^^^^^^^^ if it opened - all works fine. also tested with patches from related bugs, which forces loading openssl configuration (OPENSSL_config & etc...) : on some systems php throws "GOST engine already loaded" and 'open("/etc/ssl/openssl.cnf", O_RDONLY|O_LARGEFILE) = 3' appears twice. php curl extension. depending on the version of curl library it loads openssl configuration itself (7.5x - loads, 7.3x - not). "curl" initialized before "openssl" extension (alphabetically?) and all works fine. another workaround for this bug? upgrade curl to 7.5x and enable php curl extension?