php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #34261 openssl_pkcs7_verify returns FALSE for msg that is correct
Submitted: 2005-08-25 22:17 UTC Modified: 2006-08-15 20:06 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: arnaud dot bertrand at apvsys dot org Assigned: wez (profile)
Status: Not a bug Package: OpenSSL related
PHP Version: 5CVS-2005-08-28 OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: arnaud dot bertrand at apvsys dot org
New email:
PHP Version: OS:

 

 [2005-08-25 22:17 UTC] arnaud dot bertrand at apvsys dot org
Description:
------------
Context:
A message "msg.txt" was signed the 01-01-2005 with a certificate expired the 03-03-2005. It is a valid signed message.

If the system date is 02-02-2005,the openssl_pkcs7_verify function applied to this "msg.txt" returns TRUE. It means it is a valid message

If you change the system date to 04-04-2005 (date after the expiration date of the certificate), the openssl_pkcs7_verify function applied to this "msg.txt" returns FALSE! Without any other information. 

But it is not correct because at the moment of the signature, it was correct.




Reproduce code:
---------------
$filename="/tmp/msg.txt";
$lCertT=array("/tmp/certifdir","/tmp/certifdir/thawte_freemail.cer");
$tmp_cert = tempnam ("", "crt");
$res = openssl_pkcs7_verify($filename, 0, $tmp_cert, $lCertT);
if (!$res) {
    echo("Digital Signature BAD!<br>\n");
}
else if ($res === -1) {
    echo("Error ...");
}
else {
    echo("Digital Signature OK!<br>\n");
    $cert_info = openssl_x509_parse("file://$tmp_cert");
    var_dump($cert_info);
}

		
		

Expected result:
----------------
We expect to have result independent of the current date.. or at least, to have information that at the signature time, the message was correct but was signed with a certificate that is expired today.

Another possibility could be: to foressen an extra parameter to the function to pass the date of the validation.

If you check the same message with an e-mail client (e.g. thunderbird), it will say that the message was correctly signed with a valid certificate... whatever the current date is.



Actual result:
--------------
Validation result depends of the system date

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-08-26 16:34 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip


 [2005-08-28 10:35 UTC] arnaud dot bertrand at apvsys dot org
Thank for your fast answer,

I've just tried with the latest win32 version (begin of the phpinfo() follows). 

Result is unfortunately identical with the latest version.
The bug is still in.

phpinfo()
PHP Version 5.1.0-dev 

System  Windows NT EULER 5.1 build 2600  
Build Date  Aug 28 2005 08:23:12  
Configure Command  cscript /nologo configure.js "--enable-snapshot-build" "--with-gd=shared"  
Server API  Apache 2.0 Handler  
Virtual Directory Support  enabled  
Configuration File (php.ini) Path  C:\php\php.ini  
PHP API  20041225  
PHP Extension  20050617  
Zend Extension  220050617  
Debug Build  no  
Thread Safety  enabled  
Zend Memory Manager  enabled  
IPv6 Support  enabled  
Registered PHP Streams  php, file, http, ftp, compress.zlib, https, ftps  
Registered Stream Socket Transports  tcp, udp, ssl, sslv3, sslv2, tls  
Registered Stream Filters  convert.iconv.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, zlib.*
 [2005-09-07 16:27 UTC] sniper@php.net
Can you please provide a full reproducing case with all the required files included?

 [2005-09-10 01:21 UTC] arnaud dot bertrand at apvsys dot org
Hi,

here is the full testcase:

http://www.apvsys.org/testcase.tgz

Download this file and extract it in /
The 3 files will be extracted in /tmp

tmp/thawte_freemail.cer
tmp/msg.txt
tmp/testcase.php

just execute testcase.php at the current time:
you will get:
Digital Signature BAD!

Now, change the system date to 9/9/2004
rexecute it...
Now the message is valid and you should get:
Digital Signature OK!
array(11) { ["name"]=> string(65) "/CN=Thawte Freemail Member/emailAddress=arnaud.bertrand@n-tech.be" (...)
 [2005-09-21 12:07 UTC] sniper@php.net
Assigned to the maintainer.

 [2006-08-15 20:06 UTC] pajoye@php.net
Cannot reproduce with 5.2-cvs or 5.1 (windows, linux and bsd, openssl 0.9.8a).
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon Dec 06 10:03:36 2021 UTC