PHP :: Bug #77416 :: openssl_csr_new add fields to subject

Bug #77416

openssl_csr_new add fields to subject

Submitted:

2019-01-06 19:22 UTC

Modified:

2019-12-01 19:39 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

joose dot vettenranta at kompassi dot fi

Assigned:

bukka (profile)

Status:

Wont fix

Package:

OpenSSL related

PHP Version:

7.2.13

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	joose dot vettenranta at kompassi dot fi
New email:
PHP Version:		OS:

New Comment:

[2019-01-06 19:22 UTC] joose dot vettenranta at kompassi dot fi

Description:
------------
When creating new CSR, it will add "ST=Some-State, O=Internet Widgits Pty Ltd" to the subject if not defined in openssl_csr_new -function call. This has been a bug in PHP for a long time.

Test script:
---------------
<?php
$config=array(
    "private_key_bits" => 2048,
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
);
$privkey = openssl_pkey_new($config);

$csr = openssl_csr_new(array("C"=>"FI"), $privkey);

openssl_csr_export($csr, $csrout);
echo($csrout);

/* using same system, but command line openssl command to generate csr works just fine. I have been using this code to do csr:
 $csr = shell_exec('openssl req -new -sha256 -key '.$tempDir.'/private.key -outform '.$format.' -subj "'.$subject.'"');
*/
?>
$ php test.php > /tmp/foo3 
$ openssl req -in /tmp/foo3 -noout -text


Expected result:
----------------
Certificate Request:
    Data:
    Version: 0 (0x0)
    Subject: C=FI

Actual result:
--------------
Certificate Request:
    Data:
    Version: 0 (0x0)
    Subject: C=FI, ST=Some-State, O=Internet Widgits Pty Ltd

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-01-06 19:27 UTC] requinix@php.net

-Status: Open +Status: Feedback

[2019-01-06 19:27 UTC] requinix@php.net

How does your openssl.cnf look?

[2019-01-06 21:09 UTC] joose dot vettenranta at kompassi dot fi

-Status: Feedback +Status: Open

[2019-01-06 21:09 UTC] joose dot vettenranta at kompassi dot fi

I have not checked. But I have tried this with different distros, different php -versions and with different operating systems (macos and linux). Also have tried docker images. And as I notided in the test script, doing the same thing on the same computer using command line openssl command, it will work as expected.

[2019-01-06 21:12 UTC] joose dot vettenranta at kompassi dot fi

I need different kind of subjects when I am creating certificates for systems other than SSL. That is why to subject is completely different what is normally (SSL) used.

[2019-01-06 21:30 UTC] joose dot vettenranta at kompassi dot fi

If I create own openssl.cnf file containing: 
distinguished_name  = req_distinguished_name
[req_distinguished_name]
[v3_req]
[v3_ca]

it will work as expected

[2019-12-01 19:39 UTC] bukka@php.net

PHP is using default openssl config which is usually the system one but depends on the installation. This can be overwritten using OPENSSL_CONF environment variable. The default config is always loaded which is on purpose and it can't be changed due to BC.

So the only solution in here is to either change your default config or use specific config for openssl_csr_new.

[2019-12-01 19:39 UTC] bukka@php.net

-Status: Open +Status: Wont fix -Assigned To: +Assigned To: bukka

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Nov 01 00:00:01 2025 UTC