Bug #36732 configargs req_extensions & x509_extensions broken
Submitted: 2006-03-14 05:30 UTC Modified: 2006-07-31 00:42 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: ben at psc dot edu Assigned: pajoye
Status: Closed Package: OpenSSL related
PHP Version: 5.1.2 OS: Linux 2.6 / FC4
Private report: No CVE-ID:
 [2006-03-14 05:30 UTC] ben at psc dot edu
Description:
------------
According to the PHP manual, configargs keys req_extensions and x509_extensions can be used to select which extensions are used when creating a CSR and x509 certificate, respectively.

There are [what appear to be] a few mistakes in ext/openssl/openssl.c which result in neither of these two options working properly.

Bug #31638 appears to have reported this issue, but has not been resolved.


The following patches resolve this issue, and are available at http://www.psc.edu/~ben/patches/php/

  php-4.4.2-openssl-extentions-fix.patch
    Tested with php-4.4.1 and php-4.4.2

  php-5.1.2-openssl-extensions-fix.patch
    Tested with only php-5.1.2

Reproduce code:
---------------
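<?php
// Extension sections to apply to the CSR and to the signed certificate
$configargs = array(
        "req_extensions" => "v3_req",
        "x509_extensions" => "usr_cert"
);

// Subject distinguished name
$dn = array(
        "countryName" => "GB",
        "stateOrProvinceName" => "Berkshire",
        "localityName" => "Newbury",
        "organizationName" => "My Company Ltd",
        "commonName" => "Demo Cert"
);

// Generate a key, build the CSR, then self-sign it (NULL CA) for 365 days
$key = openssl_pkey_new();
$csr = openssl_csr_new($dn, $key, $configargs);
$crt = openssl_csr_sign($csr, NULL, $key, 365, $configargs);

// Export both with the human-readable text dump included (notext = false)
openssl_csr_export($csr, $str, false);
print $str . "\n\n";
openssl_x509_export($crt, $str, false);
print $str;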

Expected result:
----------------
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=Demo Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: md5WithRSAEncryption


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=Demo Cert
        Validity
            Not Before: Mar 14 04:02:52 2006 GMT
            Not After : Mar 14 04:02:52 2007 GMT
        Subject: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=Demo Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                30:7D:D0:40:08:90:42:B9:E6:0C:55:F0:2A:28:D6:85:78:9E:C1:AF
            X509v3 Authority Key Identifier:
                keyid:30:7D:D0:40:08:90:42:B9:E6:0C:55:F0:2A:28:D6:85:78:9E:C1:AF
                DirName:/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=Demo Cert
                serial:00

    Signature Algorithm: md5WithRSAEncryption

Actual result:
--------------
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=Demo Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=Demo Cert
        Validity
            Not Before: Mar 14 04:01:18 2006 GMT
            Not After : Mar 14 04:01:18 2007 GMT
        Subject: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=Demo Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
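
A regression check for the behaviour this report describes, as an added example that is not part of the original report or of PHP's test suite: it builds a CSR and a self-signed certificate with req_extensions and x509_extensions set, then exits non-zero if either set of extensions was silently dropped. The inline config text, the temporary file passed through the `config` key, and the sha256 / 2048-bit settings are assumptions of the example.

```php
<?php
// Added example, not PHP's own test: exit non-zero when the requested
// extensions are missing. The config text below is constructed.
$conf = <<<'CNF'
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
CNF;
$cnf = tempnam(sys_get_temp_dir(), 'cnf');
file_put_contents($cnf, $conf . "\n");

$args = [
    'config'           => $cnf,        // file in which both sections are defined
    'req_extensions'   => 'v3_req',    // section applied to the CSR
    'x509_extensions'  => 'usr_cert',  // section applied to the certificate
    'digest_alg'       => 'sha256',
    'private_key_bits' => 2048,
];
$dn = ['countryName' => 'GB', 'organizationName' => 'My Company Ltd',
       'commonName' => 'Demo Cert'];

$key = openssl_pkey_new($args);
$csr = $key ? openssl_csr_new($dn, $key, $args) : false;
$crt = $csr ? openssl_csr_sign($csr, null, $key, 365, $args) : false;
unlink($cnf);
if (!$crt) {
    echo "generation failed: " . openssl_error_string() . "\n";
    exit(2);
}

// Inspect the CSR's text dump for the extension block; parse the certificate.
openssl_csr_export($csr, $csrText, false);
$ext = openssl_x509_parse($crt)['extensions'] ?? [];

$checks = [
    'CSR: req_extensions applied'        => strpos($csrText, 'Requested Extensions:') !== false,
    'cert: basicConstraints = CA:FALSE'  => trim($ext['basicConstraints'] ?? '') === 'CA:FALSE',
    'cert: subjectKeyIdentifier present' => isset($ext['subjectKeyIdentifier']),
];
$failed = array_keys($checks, false, true);   // names of the checks that did not hold
echo $failed ? "FAILED: " . implode('; ', $failed) . "\n" : "extensions present\n";
exit($failed ? 1 : 0);
```

On a build affected by this bug the "Actual result" above corresponds to all three checks failing, since the CSR carries an empty attribute set and the certificate has no X509v3 extensions block.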

 [2006-03-14 05:48 UTC] ben at psc dot edu
typo in location of 4.4.1 and 4.4.2 patch.

correct spelling is:
  php-4.4.2-openssl-extensions-fix.patch
 [2006-03-20 23:17 UTC] tony2001@php.net
Wez, patches are looking good, please check them (and apply?).
 [2006-07-31 00:42 UTC] pajoye@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2011-09-14 10:55 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=316731
Log: - ext/openssl/tests/bug36732.phpt more portable.
 
Last updated: Sun Apr 20 10:02:06 2014 UTC