php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #40046 OpenSSL CRL generation support
Submitted: 2007-01-06 20:59 UTC Modified: 2020-03-10 10:44 UTC
Votes:77
Avg. Score:4.8 ± 0.6
Reproduced:62 of 62 (100.0%)
Same Version:22 (35.5%)
Same OS:19 (30.6%)
From: mbechler at eenterphace dot org Assigned:
Status: Suspended Package: OpenSSL related
PHP Version: * OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
21 - 9 = ?
Subscribe to this entry?

 
 [2007-01-06 20:59 UTC] mbechler at eenterphace dot org 
Description:
------------
Requesting inclusion of CRL generation support in the OpenSSL extension. Patch has been submitted to php.internals.

Having CRL support would be nice for creating CA applications in PHP. I've tried to do it in a standalone extension but that does not itegrate very well with ext/openssl's certificate functions.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-01-06 22:00 UTC] pajoye@php.net 
The patch you sent to the list:
http://pecl.php.net/~pierre/ext-openssl-crl.patch
 [2007-01-07 02:26 UTC] mbechler at eenterhace dot org 
When trying to use the functionality in a real world scenario I noticed problems with this patch. My FastCGI processes are throwing errors like this *** corrupted double-linked list: 0x08a135f0 *** while it is working nice when run from the command line. I could not get any helpful information yet by debugging, but this one is definitly not ready for inclusion. I'm trying to figure out what's wrong, but I am thankful for any help provided.
 [2007-01-07 02:47 UTC] mbechler at eenterphace dot org 
Ok, finally found the bug - new patch is here:
http://mbechler.eenterphace.org/ext-openssl-crl.patch
 [2007-08-03 11:37 UTC] pajoye@php.net 
Add the note here too :)

Please provide some test cases as well, including the required data (if any).
 [2007-09-23 19:51 UTC] pajoye@php.net 
From Moritz Bechler:

It took some time - but I now managed to put together some test cases
(which hopefully can also serve as examples). I noticed that the current
"openssl_x509_checkpurpose" function does not allow for passing
verification flags so I introduced a new function "openssl_x509_check"
(verify might be better but might cause confusion with openssl_verify)
which does pretty much the same thing but takes a flags parameter which
can be used to enable CRL checking and some other checking features
which I did not test yet. I chose to add a new function because a)
adding the argument to the end forces passing two (one unused in most
cases) optional arguments b) _checkpurpose is a bit too specific. I hope
that approach is okay.

The updated patch is at
http://mbechler.eenterphace.org/php6-openssl-crl.patch
and the phpt and required data (needs a small CA, included files are
valid for 5 years) at
http://mbechler.eenterphace.org/php6-openssl-crl-tests.tar.bz2


I noted my test fails (even for ascii filenames) when run in unicode
mode which is a result of
this check in php_openssl_x509_from_zval:

if (!(Z_TYPE_PP(val) == IS_STRING || Z_TYPE_PP(val) == IS_OBJECT)) {
   return NULL;
}

maybe I'll find some time to have a look at proper filesystem encoding
conversions for ext/openssl.
 [2010-02-15 09:07 UTC] cnyegle at gmail dot com 
Will the patch be merged into PHP?It's two years after the last modification of this issue.
 [2010-04-12 17:50 UTC] pm at datasphere dot ch 
I'm also very interested in having this feature supported in the PHP standards. Can I expect to see it soon available ?
 [2010-12-20 14:19 UTC] jani@php.net
-Package: Feature/Change Request +Package: OpenSSL related -PHP Version: 5.2.1RC2 +PHP Version: *
 [2011-05-27 00:51 UTC] rsmaia at gmail dot com 
I am waiting for this patch too. Would be great to see this patch applied into PHP core.
+1 for this improvement!
 [2015-09-19 22:19 UTC] ukrbublik at gmail dot com 
For those who are looking for pure PHP implementation of CRL generation, you can check mine, for example :)
https://github.com/ukrbublik/openssl_x509_gencrl
 [2016-12-12 17:58 UTC] yehuda at ymkatz dot net 
This has been sitting for a long time. Any chance of it making it in?
 [2017-01-26 13:42 UTC] info-bugs dot php at ch2o dot info 
why not include this fonnctionality ?
 [2017-10-24 07:33 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: pajoye +Assigned To:
 [2020-03-10 10:44 UTC] cmb@php.net
-Status: Open +Status: Suspended
 [2020-03-10 10:44 UTC] cmb@php.net 
This should be discussed on the internals mailing list[1], and
might require the RFC process[2].  Anybody who is interesting in
having it integrated to the OpenSSL extension, is welcome to start
this discussion.  For the time being, I'm suspending this ticket.

[1] <https://www.php.net/mailing-lists.php#internals>
[2] <https://wiki.php.net/rfc/howto>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Apr 23 08:01:30 2024 UTC