php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #45076 openssl_csr_new() puts extraattribs in wrong place of CSR
Submitted: 2008-05-23 06:39 UTC Modified: 2008-11-29 01:00 UTC
Votes:3
Avg. Score:3.7 ± 1.2
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: imm at reasoningmind dot org Assigned:
Status: No Feedback Package: OpenSSL related
PHP Version: 5.2.6 OS: Linux
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2008-05-23 06:39 UTC] imm at reasoningmind dot org
Description:
------------
I'm trying to add extra attributes to CSR and I expect them in Attributes section. This is req_attributes section of openssl config. But function allways puts them into the Subject.
IMHO, this is not right becausee subject defined in first argument and because there is no way to add extra attributes.


Reproduce code:
---------------
$csr = openssl_csr_new(
    $this->dn,
    $this->pkey_bin,
    array(
        "digest_alg" => "sha1",
        "private_key_bits" => 2048,
        "req_extensions" => "v3_req",
        "x509_extensions" => "usr_cert",
    );
    array(
        'challengePassword' => 'passwd',
        'principalName' => 'DER:65726e6573744077696e2e6365726e2e6368',
    )
);


Expected result:
----------------
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Texas, L=Houston, O=Example Inc, OU=RMStuff, CN=Test User/emailAddress=foouser@example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:cc:15:67:32:6a:2b:ad:5e:71:e6:48:22:f9:76:
                    <...skip...>
                    eb:5e:9e:e0:1b:13:b0:93:cf:d5:02:c2:6d:f2:1e:
                    e2:83
                Exponent: 65537 (0x10001)
        Attributes:
            chalengePassword  passwd
            principalName :DER:65726e6573744077696e2e6365726e2e6368
        Requested Extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                clientAuthentication, smartCardLogon


Actual result:
--------------
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Texas, L=Houston, O=Example Inc, OU=RMStuff, CN=Test User/emailAddress=foouser@example.org/challengePassword=passwd/principalName=DER:65726e6573744077696e2e6365726e2e6368
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:cc:15:67:32:6a:2b:ad:5e:71:e6:48:22:f9:76:
                    <...skip...>
                    eb:5e:9e:e0:1b:13:b0:93:cf:d5:02:c2:6d:f2:1e:
                    e2:83
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                clientAuthentication, smartCardLogon


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-11-21 16:32 UTC] jani@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2008-11-29 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2015-06-15 20:04 UTC] justleavingthishere at mailismagic dot com
This behavior seems like a legitimate bug and this issue was closed prematurely.  The PHP source code in '/ext/openssl/openssl.c', php_openssl_make_REQ() has the following logic:

	attr_sect = CONF_get_string(req->req_config, req->section_name, "attributes");
	if (attr_sect == NULL) {
		attr_sk = NULL;
	} else {
		attr_sk = CONF_get_section(req->req_config, attr_sect);
		if (attr_sk == NULL) {
			return FAILURE;
		}
	}

		subj = X509_REQ_get_subject_name(csr);
...

		if (attribs) {
[Loop over hash]
  [convert value to string]
  [if key is a string]
    nid = OBJ_txt2nid(strindex);
    [if nid is not valid, display an error]
    X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_UTF8, (unsigned char*)Z_STRVAL_PP(item), -1, -1, 0)
    [if the previous call failed, display an error]
[end of loop]

[Loop over attr_sk ... we're still in the if (attribs) statement here]
    nid = OBJ_txt2nid(key);
    [if attribute already exists, continue to the next iteration]
    X509_REQ_add1_attr_by_txt(csr, key, MBSTRING_UTF8, (unsigned char*)value, -1)
    [if the previous call failed, display an error]
[end of loop]
            }

Parts of that mess was so convoluted that I converted it to pseudocode and picked out the OpenSSL library functions used.  It looks like the above C code would be the source of the issue experienced by the original poster and looks like the only workaround is to use a configuration file with the desired attributes to get attributes into the right location.  It's seriously inconsistent and looks like a copy-paste bug.  However, fixing this bug would result in no easy way to add more options to the subject.  (As it stands, the name $extraattribs is misleading and should be changed to $extrasubject unless this bug is fixed.)

To fix the bug, a more correct function call might be to use X509_REQ_add1_attr_by_NID() in both loops to offer consistency with handling attributes.  Interestingly, the latter loop retrieves the NID but then calls the ...by_txt() variant which will inevitably have to get the NID anyway.

This part of the OpenSSL extension needs some work but what the actual fix should look like is debatable.  My suggestion above is one possible solution.  The bug has existed for a really long time and few people have encountered it and there is an "okay" workaround, so it is obviously a minor bug.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon May 17 14:01:24 2021 UTC