php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #48520 openssl_csr_new should allow multiple values/fields in dn
Submitted: 2009-06-10 16:23 UTC Modified: 2023-12-21 19:14 UTC
Votes:13
Avg. Score:4.4 ± 1.4
Reproduced:10 of 11 (90.9%)
Same Version:1 (10.0%)
Same OS:4 (40.0%)
From: php at divinehawk dot com Assigned: bukka (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.2.9 OS: *
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: php at divinehawk dot com
New email:
PHP Version: OS:

 

 [2009-06-10 16:23 UTC] php at divinehawk dot com 
Description:
------------
With the latest 5.2 (and trunk), you can't have multiple fields with the same name in the DN.

E.g. it's impossible to produce CN=server, OU= Company, OU=Division, OU=Sector, O=Organization




Reproduce code:
---------------
$dn = array("commonName" => "server",
	   "organizationalUnitName" => array("Company", "Division", "Section"),
	   "organizationName" => "Organization", 
	);

$privkey = openssl_pkey_new();
$csr = openssl_csr_new($dn, $privkey);

openssl_csr_export($csr, $csrout);
file_put_contents("test.csr", $csrout);


Expected result:
----------------
openssl req -in test.csr -noout -subject

subject=/CN=server/OU=Company/OU=Division/OU=Section/O=Organization



Actual result:
--------------
PHP Notice:  Array to string conversion in /var/www/html/bug/cert.php on line 9

Then:

openssl req -in test.csr -noout -subject

subject=/CN=server/OU=Array/O=Organization

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-06-10 16:25 UTC] php at divinehawk dot com 
Patch:

--- php-5.2.9/ext/openssl/openssl.c.orig	2009-06-10 06:55:27.000000000 -0400
+++ php-5.2.9/ext/openssl/openssl.c	2009-06-10 06:56:56.000000000 -0400
@@ -1707,7 +1707,9 @@
 		CONF_VALUE * v;
 		X509_NAME * subj;
 		HashPosition hpos;
+		HashPosition subhpos;
 		zval ** item;
+		zval ** subitem;
 		
 		subj = X509_REQ_get_subject_name(csr);
 		/* apply values from the dn hash */
@@ -1719,6 +1721,32 @@
 			
 			zend_hash_get_current_key_ex(HASH_OF(dn), &strindex, &strindexlen, &intindex, 0, &hpos);
 
+			if(Z_TYPE_PP(item) == IS_ARRAY && strindex)
+			{
+				/* multi-value string */
+				int nid;
+				nid = OBJ_txt2nid(strindex);
+					
+				if (nid != NID_undef) {
+					zend_hash_internal_pointer_reset_ex(HASH_OF(*item), &subhpos);
+					while(zend_hash_get_current_data_ex(HASH_OF(*item), (void**)&subitem, &subhpos) == SUCCESS)
+					{	 
+						convert_to_string_ex(subitem);
+						if (!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_ASC, 
+								(unsigned char*)Z_STRVAL_PP(subitem), -1, -1, 1))
+						{
+							php_error_docref(NULL TSRMLS_CC, E_WARNING, "dn: add_entry_by_NID %d -> %s (failed)", nid, Z_STRVAL_PP(subitem));
+							return FAILURE;
+						}
+						zend_hash_move_forward_ex(HASH_OF(dn), &subhpos);
+					}
+				} else {
+					php_error_docref(NULL TSRMLS_CC, E_WARNING, "dn: %s is not a recognized name", strindex);
+				}
+				zend_hash_move_forward_ex(HASH_OF(dn), &hpos);
+				continue;
+			}
+
 			convert_to_string_ex(item);
 
 			if (strindex) {
 [2009-06-10 16:29 UTC] pajoye@php.net 
Thanks for your work :)

We need a patch against 5.3+ as well as test cases.

PHP 5.2 won't get new features (only bug fixes).
 [2009-06-10 18:38 UTC] php at divinehawk dot com 
Patch against 5.3

--- openssl.c	20 Apr 2009 09:44:29 -0000	1.98.2.5.2.41.2.29
+++ openssl.c	10 Jun 2009 18:36:57 -0000
@@ -1998,7 +1998,9 @@
 		CONF_VALUE * v;
 		X509_NAME * subj;
 		HashPosition hpos;
+		HashPosition subhpos;
 		zval ** item;
+		zval ** subitem;
 		
 		subj = X509_REQ_get_subject_name(csr);
 		/* apply values from the dn hash */
@@ -2010,6 +2012,29 @@
 			
 			zend_hash_get_current_key_ex(HASH_OF(dn), &strindex, &strindexlen, &intindex, 0, &hpos);
 
+			if(Z_TYPE_PP(item) == IS_ARRAY && strindex) {
+				/* multi-value string */
+				int nid;
+				nid = OBJ_txt2nid(strindex);
+					
+				if (nid != NID_undef) {
+					zend_hash_internal_pointer_reset_ex(HASH_OF(*item), &subhpos);
+					while(zend_hash_get_current_data_ex(HASH_OF(*item), (void**)&subitem, &subhpos) == SUCCESS) {	 
+						convert_to_string_ex(subitem);
+						if (!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_ASC, 
+								(unsigned char*)Z_STRVAL_PP(subitem), -1, -1, 1)) {
+							php_error_docref(NULL TSRMLS_CC, E_WARNING, "dn: add_entry_by_NID %d -> %s (failed)", nid, Z_STRVAL_PP(subitem));
+							return FAILURE;
+						}
+						zend_hash_move_forward_ex(HASH_OF(dn), &subhpos);
+					}
+				} else {
+					php_error_docref(NULL TSRMLS_CC, E_WARNING, "dn: %s is not a recognized name", strindex);
+				}
+				zend_hash_move_forward_ex(HASH_OF(dn), &hpos);
+				continue;
+			}
+
 			convert_to_string_ex(item);
 
 			if (strindex) {
 [2010-07-25 17:43 UTC] nirfri at hotmail dot com 
This patch doesn't work on multiple CNs.

"commonName" => array("test2", "test")

is this fixed at 5.3.2 ?
 [2017-10-24 07:30 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: pajoye +Assigned To:
 [2022-01-18 19:44 UTC] connum at gmail dot com 
13 years on, and it's still not possible to generate a CSR with multiple values for a designated name?

They can be decoded using openssl_csr_get_subject() perfectly, but using that same array as dn input to create a new CSR still results in "Array to string conversion" (at least in PHP 7.4.27 I'm using right now).
 [2023-12-20 16:08 UTC] bukka@php.net
-Summary: openssl_csr_new does not allow multiple values/field in dn +Summary: openssl_csr_new should allow multiple values/fields in dn -Type: Bug +Type: Feature/Change Request
 [2023-12-20 16:24 UTC] bukka@php.net 
The following pull request has been associated:

Patch Name: Implement request #48520: openssl_csr_new - allow multiple values in DN
On GitHub:  https://github.com/php/php-src/pull/12984
Patch:      https://github.com/php/php-src/pull/12984.patch
 [2023-12-21 19:14 UTC] bukka@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: bukka
 [2023-12-21 19:14 UTC] bukka@php.net 
PR merged: https://github.com/php/php-src/commit/48ebe588cd18867ead009576c0cdbaa29e953398
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Nov 01 23:00:01 2025 UTC