Bug #36732 configargs req_extensions & x509_extensions broken
Submitted: 2006-03-14 05:30 UTC
Modified: 2006-07-31 00:42 UTC
From: ben at psc dot edu
Assigned: pajoye
Status: Closed
Package: OpenSSL related
PHP Version: 5.1.2
OS: Linux 2.6 / FC4
Private report: No
CVE-ID: None
 [2006-03-14 05:30 UTC] ben at psc dot edu
Description:
------------
According to the PHP manual, configargs keys req_extensions and x509_extensions can be used to select which extensions are used when creating a CSR and x509 certificate, respectively.

There are [what appear to be] a few mistakes in ext/openssl/openssl.c which result in neither of these two options working properly.

Bug #31638 appears to have reported this issue, but has not been resolved.


The following patches resolve this issue, and are available at http://www.psc.edu/~ben/patches/php/

  php-4.4.2-openssl-extentions-fix.patch
    Tested with php-4.4.1 and php-4.4.2

  php-5.1.2-openssl-extensions-fix.patch
    Tested with only php-5.1.2

Reproduce code:
---------------
$configargs = array(
        "req_extensions" => "v3_req",
        "x509_extensions" => "usr_cert"
);

$dn = array(
        "countryName" => "GB",
        "stateOrProvinceName" => "Berkshire",
        "localityName" => "Newbury",
        "organizationName" => "My Company Ltd",
        "commonName" => "Demo Cert"
);

$key = openssl_pkey_new();
$csr = openssl_csr_new($dn, $key, $configargs);
$crt = openssl_csr_sign($csr, NULL, $key, 365, $configargs);

openssl_csr_export($csr, $str, false);
print $str . "\n\n";
openssl_x509_export($crt, $str, false);
print $str;

Expected result:
----------------
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=Demo Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:e7:16:aa:4c:d2:b9:53:5b:50:74:ef:b8:7b:e3:
                    5f:1c:a3:12:f0:12:7f:9b:94:2b:1c:d7:c6:6e:99:
                    2a:4f:7a:59:b2:99:6f:43:a2:e3:85:93:09:d7:ff:
                    f0:d4:ff:05:de:e9:79:17:67:1e:23:f5:e9:41:41:
                    18:f3:31:80:16:9a:dd:56:f3:22:fb:44:7d:ca:40:
                    2b:fa:e1:6b:28:54:99:d5:34:69:18:dd:16:47:84:
                    54:fc:a0:0d:8f:9e:db:08:44:51:fe:5a:48:c7:61:
                    3c:34:6b:dc:af:b3:dc:37:7c:52:34:f8:0e:38:be:
                    25:45:96:ca:2f:b6:5e:eb:f5
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: md5WithRSAEncryption
        67:0f:ab:26:a5:9e:6e:00:4d:71:39:a2:cc:c9:f6:67:32:e2:
        5c:bd:21:4d:b9:e0:bb:8f:e8:d5:d6:42:3c:20:71:fc:08:7a:
        00:b2:97:7d:b1:47:48:f4:a7:86:f5:7f:86:d7:9c:ca:ae:0e:
        03:db:c5:df:c6:4b:ea:31:37:75:4f:1e:72:3d:d5:e3:89:9f:
        82:ef:3d:88:d2:fe:fd:25:5d:d0:da:0e:a9:19:2c:e5:14:ee:
        3c:90:0e:ed:f3:25:6f:36:29:39:a3:23:8b:b6:62:1a:fb:b3:
        c7:ff:c6:73:cc:66:50:b4:1e:72:79:f6:8b:8c:67:99:f7:8b:
        81:ea


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=Demo Cert
        Validity
            Not Before: Mar 14 04:02:52 2006 GMT
            Not After : Mar 14 04:02:52 2007 GMT
        Subject: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=Demo Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:e7:16:aa:4c:d2:b9:53:5b:50:74:ef:b8:7b:e3:
                    5f:1c:a3:12:f0:12:7f:9b:94:2b:1c:d7:c6:6e:99:
                    2a:4f:7a:59:b2:99:6f:43:a2:e3:85:93:09:d7:ff:
                    f0:d4:ff:05:de:e9:79:17:67:1e:23:f5:e9:41:41:
                    18:f3:31:80:16:9a:dd:56:f3:22:fb:44:7d:ca:40:
                    2b:fa:e1:6b:28:54:99:d5:34:69:18:dd:16:47:84:
                    54:fc:a0:0d:8f:9e:db:08:44:51:fe:5a:48:c7:61:
                    3c:34:6b:dc:af:b3:dc:37:7c:52:34:f8:0e:38:be:
                    25:45:96:ca:2f:b6:5e:eb:f5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                30:7D:D0:40:08:90:42:B9:E6:0C:55:F0:2A:28:D6:85:78:9E:C1:AF
            X509v3 Authority Key Identifier:
                keyid:30:7D:D0:40:08:90:42:B9:E6:0C:55:F0:2A:28:D6:85:78:9E:C1:AF
                DirName:/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=Demo Cert
                serial:00

    Signature Algorithm: md5WithRSAEncryption
        7f:58:74:93:91:a1:a5:0f:0a:78:90:11:77:f7:05:29:03:42:
        fa:2f:ae:43:a6:75:e9:49:73:0f:25:3a:6b:15:53:d1:07:7d:
        e6:2c:5b:25:01:e5:f4:ff:bc:60:e6:09:91:62:80:cd:d1:6a:
        47:86:37:58:24:92:55:81:b8:f4:d7:a7:5c:8a:9e:9a:1f:23:
        27:1a:bc:4a:08:92:e2:fa:7f:53:96:93:7a:0f:53:cc:d9:55:
        bd:ad:ff:5b:21:19:29:77:e8:ce:5f:32:5c:62:7c:16:8c:a2:
        e3:48:9f:58:be:2f:f4:2d:55:bf:c3:36:a2:75:46:aa:bd:fb:
        0a:0f

Actual result:
--------------
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=Demo Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ca:ae:6a:a3:ee:6b:78:17:a7:1c:56:5b:cb:dc:
                    e8:67:bc:7f:d6:89:66:f2:09:eb:2b:02:c4:99:2f:
                    14:c3:68:95:f8:e9:1c:b4:a2:c4:26:cf:2a:ab:19:
                    63:8d:81:f9:10:7e:c7:10:4c:9f:51:f3:78:cf:d5:
                    58:a5:d3:e4:36:d9:ba:d0:48:91:1c:f9:d3:a0:08:
                    07:69:4d:15:96:0c:0a:21:68:68:a0:39:17:ce:57:
                    ac:11:b2:fc:3e:d5:85:30:a4:c0:01:b7:e7:45:c8:
                    e8:c4:e6:7b:8a:f4:bf:90:84:02:03:34:8c:c7:05:
                    fa:fd:84:e1:3b:73:2d:da:95
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        af:ba:0e:d1:69:71:d5:8a:42:54:8e:c6:af:44:db:8d:a6:8b:
        66:22:21:7b:34:db:eb:ff:d4:5b:e6:ac:9d:48:08:f5:a1:34:
        88:b3:c1:dd:19:ef:34:8e:3a:65:e2:46:5e:6f:8b:88:dc:dc:
        b8:cb:44:b3:5f:7a:fc:08:91:a8:44:23:37:f3:38:39:e6:4f:
        03:e1:40:c8:3a:be:bb:62:9b:92:68:ca:08:df:c0:cd:60:df:
        78:49:cc:73:29:10:68:fe:03:53:57:69:48:d8:73:92:7d:63:
        1f:38:1e:dd:63:d7:1a:75:9b:20:0c:bd:02:1b:b8:c3:d5:f8:
        fe:63


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=Demo Cert
        Validity
            Not Before: Mar 14 04:01:18 2006 GMT
            Not After : Mar 14 04:01:18 2007 GMT
        Subject: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=Demo Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ca:ae:6a:a3:ee:6b:78:17:a7:1c:56:5b:cb:dc:
                    e8:67:bc:7f:d6:89:66:f2:09:eb:2b:02:c4:99:2f:
                    14:c3:68:95:f8:e9:1c:b4:a2:c4:26:cf:2a:ab:19:
                    63:8d:81:f9:10:7e:c7:10:4c:9f:51:f3:78:cf:d5:
                    58:a5:d3:e4:36:d9:ba:d0:48:91:1c:f9:d3:a0:08:
                    07:69:4d:15:96:0c:0a:21:68:68:a0:39:17:ce:57:
                    ac:11:b2:fc:3e:d5:85:30:a4:c0:01:b7:e7:45:c8:
                    e8:c4:e6:7b:8a:f4:bf:90:84:02:03:34:8c:c7:05:
                    fa:fd:84:e1:3b:73:2d:da:95
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        7e:a5:c6:7c:bf:cf:0a:81:ee:1d:fb:05:4e:52:03:fe:c8:c5:
        d3:09:fc:a6:0f:ec:d9:9c:ed:00:0a:5a:db:b6:5e:d0:85:b9:
        45:74:ea:10:7f:7e:78:df:9f:23:8d:a0:7e:28:96:74:2c:1f:
        79:ce:45:65:50:9d:4b:4d:69:41:0e:d0:dd:54:a1:f4:b7:a2:
        b3:48:19:4e:2c:68:fa:78:8d:ab:9f:e7:18:7b:e1:c4:65:cf:
        04:00:5c:ca:61:1e:cc:86:72:29:ec:29:d6:19:43:c3:3f:87:
        8d:a9:5a:a5:34:a0:ee:44:5d:42:af:44:75:8d:10:17:73:82:
        93:0c
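
A post-issuance check for the failure this report describes, where req_extensions and x509_extensions are silently ignored (added example, not code from the report or from PHP itself). The temporary config file, the missing_extensions() helper and the list of required extensions are assumptions made for illustration.

```php
<?php
// Added example: helper name and temp config are illustrative assumptions.
function missing_extensions(array $parsed, array $required): array
{
    $present = $parsed['extensions'] ?? [];  // key is absent when none were added
    $missing = [];
    foreach ($required as $name => $needle) {
        if (!isset($present[$name]) || strpos($present[$name], $needle) === false) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// Constructed minimal config so both section names are known to exist.
$ini = <<<CNF
[ req ]
default_bits = 2048
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
CNF;
$cnf = tempnam(sys_get_temp_dir(), 'cnf');
file_put_contents($cnf, $ini);
$opts = ['config' => $cnf, 'private_key_bits' => 2048, 'digest_alg' => 'sha256',
         'req_extensions' => 'v3_req', 'x509_extensions' => 'usr_cert'];
$dn  = ['countryName' => 'GB', 'commonName' => 'Demo Cert'];
$key = openssl_pkey_new($opts);
$csr = openssl_csr_new($dn, $key, $opts);
$crt = openssl_csr_sign($csr, null, $key, 365, $opts);
unlink($cnf);
$missing = missing_extensions(openssl_x509_parse($crt),
    ['basicConstraints' => 'CA:FALSE', 'keyUsage' => 'Digital Signature']);
// openssl_x509_parse() does not take a CSR, so check its text dump as the report does.
openssl_csr_export($csr, $csrText, false);
if (strpos($csrText, 'Requested Extensions:') === false) {
    $missing[] = 'CSR requested extensions';
}
if ($missing) {
    fwrite(STDERR, 'refusing to use output, missing: ' . implode(', ', $missing) . "\n");
    exit(1);
}
echo "CSR and certificate carry the requested extensions\n";
```

On a build affected by this bug the script exits non-zero, because the certificate has no extensions block and the CSR dump shows an empty Attributes field instead of "Requested Extensions:".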

 [2006-03-14 05:48 UTC] ben at psc dot edu
typo in location of 4.4.1 and 4.4.2 patch.

correct spelling is:
  php-4.4.2-openssl-extensions-fix.patch
 [2006-03-20 23:17 UTC] tony2001@php.net
Wez, patches are looking good, please check them (and apply?).
 [2006-07-31 00:42 UTC] pajoye@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2011-09-14 10:55 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=316731
Log: - ext/openssl/tests/bug36732.phpt more portable.
 
Last updated: Thu Nov 21 15:01:30 2024 UTC