|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2008-05-23 06:39 UTC] imm at reasoningmind dot org
Description:
------------
I'm trying to add extra attributes to CSR and I expect them in Attributes section. This is req_attributes section of openssl config. But function allways puts them into the Subject.
IMHO, this is not right becausee subject defined in first argument and because there is no way to add extra attributes.
Reproduce code:
---------------
$csr = openssl_csr_new(
$this->dn,
$this->pkey_bin,
array(
"digest_alg" => "sha1",
"private_key_bits" => 2048,
"req_extensions" => "v3_req",
"x509_extensions" => "usr_cert",
);
array(
'challengePassword' => 'passwd',
'principalName' => 'DER:65726e6573744077696e2e6365726e2e6368',
)
);
Expected result:
----------------
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=Texas, L=Houston, O=Example Inc, OU=RMStuff, CN=Test User/emailAddress=foouser@example.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:cc:15:67:32:6a:2b:ad:5e:71:e6:48:22:f9:76:
<...skip...>
eb:5e:9e:e0:1b:13:b0:93:cf:d5:02:c2:6d:f2:1e:
e2:83
Exponent: 65537 (0x10001)
Attributes:
chalengePassword passwd
principalName :DER:65726e6573744077696e2e6365726e2e6368
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
clientAuthentication, smartCardLogon
Actual result:
--------------
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=Texas, L=Houston, O=Example Inc, OU=RMStuff, CN=Test User/emailAddress=foouser@example.org/challengePassword=passwd/principalName=DER:65726e6573744077696e2e6365726e2e6368
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:cc:15:67:32:6a:2b:ad:5e:71:e6:48:22:f9:76:
<...skip...>
eb:5e:9e:e0:1b:13:b0:93:cf:d5:02:c2:6d:f2:1e:
e2:83
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
clientAuthentication, smartCardLogon
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Fri Oct 31 03:00:01 2025 UTC |
This behavior seems like a legitimate bug and this issue was closed prematurely. The PHP source code in '/ext/openssl/openssl.c', php_openssl_make_REQ() has the following logic: attr_sect = CONF_get_string(req->req_config, req->section_name, "attributes"); if (attr_sect == NULL) { attr_sk = NULL; } else { attr_sk = CONF_get_section(req->req_config, attr_sect); if (attr_sk == NULL) { return FAILURE; } } subj = X509_REQ_get_subject_name(csr); ... if (attribs) { [Loop over hash] [convert value to string] [if key is a string] nid = OBJ_txt2nid(strindex); [if nid is not valid, display an error] X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_UTF8, (unsigned char*)Z_STRVAL_PP(item), -1, -1, 0) [if the previous call failed, display an error] [end of loop] [Loop over attr_sk ... we're still in the if (attribs) statement here] nid = OBJ_txt2nid(key); [if attribute already exists, continue to the next iteration] X509_REQ_add1_attr_by_txt(csr, key, MBSTRING_UTF8, (unsigned char*)value, -1) [if the previous call failed, display an error] [end of loop] } Parts of that mess was so convoluted that I converted it to pseudocode and picked out the OpenSSL library functions used. It looks like the above C code would be the source of the issue experienced by the original poster and looks like the only workaround is to use a configuration file with the desired attributes to get attributes into the right location. It's seriously inconsistent and looks like a copy-paste bug. However, fixing this bug would result in no easy way to add more options to the subject. (As it stands, the name $extraattribs is misleading and should be changed to $extrasubject unless this bug is fixed.) To fix the bug, a more correct function call might be to use X509_REQ_add1_attr_by_NID() in both loops to offer consistency with handling attributes. Interestingly, the latter loop retrieves the NID but then calls the ...by_txt() variant which will inevitably have to get the NID anyway. This part of the OpenSSL extension needs some work but what the actual fix should look like is debatable. My suggestion above is one possible solution. The bug has existed for a really long time and few people have encountered it and there is an "okay" workaround, so it is obviously a minor bug.