[2004-03-13 07:04 UTC] arnaud dot bertrand at apvsys dot org
Description:
------------
The function openssl_pkcs7_verify has a strange behaviour just after a verification has reported a bad signature.
When the verification reports a good signature, there is no problem.
When it reports a bad signature, it works, BUT the next time the function is called (if it is within a short time), the access to the CA certificate fails and it reports a bad signature even if it is a correct one.
Reproduce code:
---------------
Here is the function I use
///////////////// BEGIN
function CheckMailSignature($filename)
{
    global $CertificatDir;
    global $CertificatFile;
    echo("Processing file: $filename<br>\n");
    echo("Certificate: $CertificatDir<br>\n");
    chdir($CertificatDir);
    // temporary file that receives the signer's certificate when verification succeeds
    $tmp_cert = tempnam("", "crt");
    // cainfo: the certificate directory plus the CA file inside it
    $res = openssl_pkcs7_verify($filename, 0, $tmp_cert, array($CertificatDir, "$CertificatDir/$CertificatFile"));
    if ($res === false)
        echo("Digital Signature BAD!<br>\n");
    else if ($res === -1)
        echo("Error while verifying digital signature ($res)!<br>\n");
    else {
        echo("Digital Signature OK!<br>\n");
        // read the extracted signer certificate back and print its subject
        $cert_info = openssl_x509_parse("file://$tmp_cert");
        echo("Common name: '".$cert_info['subject']['CN']."'<br>\n");
        echo("E-mail: '".$cert_info['subject']['Email']."'<br>\n");
        unlink($tmp_cert);
        return true;
    }
    unlink($tmp_cert);
    return false;
}
//////////////// END
Expected result:
----------------
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: 'arnaud.bertrand@apvsys.org'
// now check a bad one
Processing file: c:/test/abe-0-bad.txt
Certificate: c:/metadoc-iba/cert
Digital Signature BAD!
// Now check the correct one again
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: 'arnaud.bertrand@apvsys.org'
Actual result:
--------------
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: 'arnaud.bertrand@apvsys.org'
// now check a bad one
Processing file: c:/test/abe-0-bad.txt
Certificate: c:/metadoc-iba/cert
Digital Signature BAD!
// Now check the correct one again
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Warning: openssl_pkcs7_verify() [function.openssl-pkcs7-verify]: error loading file c:/cert/thawte_freemail.cer in c:\cvswork\ntmetapro\mailsign.php on line 12
Digital Signature BAD!
// Waiting a few minutes or restarting apache:
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: 'arnaud.bertrand@apvsys.org'
I tried it on Linux 2.4 with apache 2.0.48 and php 5.0.0b4. It fails with openssl 0.9.6l but works well with 0.9.7b. Here's the script so you can try to reproduce it:
==bug.php===================================================
<?php
function processMail($filename)
{
    $ret = false;
    $tmp_cert = tempnam("", "crt");
    $res = openssl_pkcs7_verify($filename, 0, $tmp_cert, array(".", "thawte_freemail.cer"));
    if ($res === false)
        echo("Digital Signature BAD!<br>\n");
    else if ($res === -1)
        echo("Error while verifying digital signature ($res)!<br>\n");
    else {
        echo("Digital Signature OK!<br>\n");
        $cert_info = openssl_x509_parse("file://$tmp_cert");
        print_r($cert_info['subject']);
        $ret = true;
    }
    unlink($tmp_cert);
    return $ret;
}
?>
<HTML>
<HEAD>
<TITLE>Signed Mail check</TITLE>
</HEAD>
<BODY>
<pre>
<?php
processMail('mail_ok.txt');
processMail('mail_bad.txt');
processMail('mail_ok.txt');
?>
</pre>
</BODY>
</HTML>
==mail_ok.txt===============================================
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030312
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: xyz@notmyrealaddress.com
Subject: DigiSign
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms020400030006030201090307"
Status: U

This is a cryptographically signed message in MIME format.
--------------ms020400030006030201090307
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

user=jfm
document=test2.txt
version=1.1
checksum=ASH454sdFDD5s4g54b56jhg156qzejh
--------------ms020400030006030201090307
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

[base64 smime.p7s body omitted]
--------------ms020400030006030201090307--
==mail_bad.txt==============================================
just take mail_ok.txt and change something in the message body
==thawte_freemail.cer=======================================
[PEM certificate body omitted]
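A diagnostic harness for the OK / BAD / OK sequence from the report, using the fixture names from the follow-up comment; it is added here and is not code from either poster. It assumes PHP 7.0 or later with the three files and thawte_freemail.cer in the working directory, and it drains OpenSSL's error queue after each call so the "error loading file" condition is reported next to the call that actually produced it.

```php
<?php
// Added diagnostic harness, not code from the bug report or its follow-up:
// verifies the files in the order OK / BAD / OK and drains the OpenSSL
// error queue after every call, so an error left behind by a failed
// verification is reported where it arose instead of surfacing on the
// next, unrelated call. File names and the CA path are assumptions.
function verifySignedMail(string $file, array $cainfo): array
{
    $tmpCert = tempnam(sys_get_temp_dir(), 'crt');
    if ($tmpCert === false) {
        return ['status' => 'error', 'signer' => null, 'errors' => ['tempnam() failed']];
    }
    // true = signature verified, false = bad signature, -1 = could not verify
    $res = openssl_pkcs7_verify($file, 0, $tmpCert, $cainfo);
    $status = ($res === true) ? 'ok' : (($res === false) ? 'bad' : 'error');

    // Pull every pending entry off OpenSSL's error queue; each call removes one.
    $errors = [];
    while (($e = openssl_error_string()) !== false) {
        $errors[] = $e;
    }

    $signer = null;
    if ($status === 'ok') {
        // On success the signer's certificate was written to $tmpCert.
        $info = openssl_x509_parse('file://' . $tmpCert);
        if (is_array($info)) {
            $subj = $info['subject'];
            $signer = [
                'cn'    => $subj['CN'] ?? null,
                // older builds expose the address as 'Email', newer as 'emailAddress'
                'email' => $subj['emailAddress'] ?? $subj['Email'] ?? null,
            ];
        }
    }
    unlink($tmpCert);
    return ['status' => $status, 'signer' => $signer, 'errors' => $errors];
}
$cainfo   = ['thawte_freemail.cer'];                    // assumed CA file in cwd
$sequence = ['mail_ok.txt', 'mail_bad.txt', 'mail_ok.txt'];
$results  = [];
foreach ($sequence as $f) {
    $r = verifySignedMail($f, $cainfo);
    $results[] = $r;
    printf("%-13s %-5s %s\n", $f, $r['status'], implode(' | ', $r['errors']));
}
// The reported bug is exactly this: the same good file accepted first, then rejected.
if ($results[0]['status'] === 'ok' && $results[2]['status'] !== 'ok') {
    echo "REGRESSION: good signature rejected right after a bad one\n";
}
```

A build that shows the regression prints a non-empty error column on the second or third row; one that does not shows `ok`, `bad`, `ok` with no queued errors.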