php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #40046 OpenSSL CRL generation support
Submitted: 2007-01-06 20:59 UTC Modified: 2010-12-20 14:19 UTC
Votes:70
Avg. Score:4.7 ± 0.6
Reproduced:53 of 53 (100.0%)
Same Version:18 (34.0%)
Same OS:15 (28.3%)
From: mbechler at eenterphace dot org Assigned: pajoye
Status: Assigned Package: OpenSSL related
PHP Version: * OS:
Private report: No CVE-ID:
Have you experienced this issue?
Rate the importance of this bug to you:

 [2007-01-06 20:59 UTC] mbechler at eenterphace dot org
Description:
------------
Requesting inclusion of CRL generation support in the OpenSSL extension. Patch has been submitted to php.internals.

Having CRL support would be nice for creating CA applications in PHP. I've tried to do it in a standalone extension but that does not itegrate very well with ext/openssl's certificate functions.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-01-06 22:00 UTC] pajoye@php.net
The patch you sent to the list:
http://pecl.php.net/~pierre/ext-openssl-crl.patch
 [2007-01-07 02:26 UTC] mbechler at eenterhace dot org
When trying to use the functionality in a real world scenario I noticed problems with this patch. My FastCGI processes are throwing errors like this *** corrupted double-linked list: 0x08a135f0 *** while it is working nice when run from the command line. I could not get any helpful information yet by debugging, but this one is definitly not ready for inclusion. I'm trying to figure out what's wrong, but I am thankful for any help provided.
 [2007-01-07 02:47 UTC] mbechler at eenterphace dot org
Ok, finally found the bug - new patch is here:
http://mbechler.eenterphace.org/ext-openssl-crl.patch
 [2007-08-03 11:37 UTC] pajoye@php.net
Add the note here too :)

Please provide some test cases as well, including the required data (if any).
 [2007-09-23 19:51 UTC] pajoye@php.net
From Moritz Bechler:

It took some time - but I now managed to put together some test cases
(which hopefully can also serve as examples). I noticed that the current
"openssl_x509_checkpurpose" function does not allow for passing
verification flags so I introduced a new function "openssl_x509_check"
(verify might be better but might cause confusion with openssl_verify)
which does pretty much the same thing but takes a flags parameter which
can be used to enable CRL checking and some other checking features
which I did not test yet. I chose to add a new function because a)
adding the argument to the end forces passing two (one unused in most
cases) optional arguments b) _checkpurpose is a bit too specific. I hope
that approach is okay.

The updated patch is at
http://mbechler.eenterphace.org/php6-openssl-crl.patch
and the phpt and required data (needs a small CA, included files are
valid for 5 years) at
http://mbechler.eenterphace.org/php6-openssl-crl-tests.tar.bz2


I noted my test fails (even for ascii filenames) when run in unicode
mode which is a result of
this check in php_openssl_x509_from_zval:

if (!(Z_TYPE_PP(val) == IS_STRING || Z_TYPE_PP(val) == IS_OBJECT)) {
   return NULL;
}

maybe I'll find some time to have a look at proper filesystem encoding
conversions for ext/openssl.
 [2010-02-15 09:07 UTC] cnyegle at gmail dot com
Will the patch be merged into PHP?It's two years after the last modification of this issue.
 [2010-04-12 17:50 UTC] pm at datasphere dot ch
I'm also very interested in having this feature supported in the PHP standards. Can I expect to see it soon available ?
 [2010-12-20 14:19 UTC] jani@php.net
-Package: Feature/Change Request +Package: OpenSSL related -PHP Version: 5.2.1RC2 +PHP Version: *
 [2011-05-27 00:51 UTC] rsmaia at gmail dot com
I am waiting for this patch too. Would be great to see this patch applied into PHP core.
+1 for this improvement!
 [2015-09-19 22:19 UTC] ukrbublik at gmail dot com
For those who are looking for pure PHP implementation of CRL generation, you can check mine, for example :)
https://github.com/ukrbublik/openssl_x509_gencrl
 [2016-12-12 17:58 UTC] yehuda at ymkatz dot net
This has been sitting for a long time. Any chance of it making it in?
 [2017-01-26 13:42 UTC] info-bugs dot php at ch2o dot info
why not include this fonnctionality ?
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC