Bug #48520 openssl_csr_new does not allow multiple values/field in dn
Submitted: 2009-06-10 16:23 UTC Modified: 2009-06-12 11:56 UTC
Votes:9
Avg. Score:4.6 ± 1.3
Reproduced:6 of 7 (85.7%)
Same Version:0 (0.0%)
Same OS:2 (33.3%)
From: php at divinehawk dot com Assigned: pajoye
Status: Assigned Package: OpenSSL related
PHP Version: 5.2.9 OS: *
Private report: No CVE-ID:

 [2009-06-10 16:23 UTC] php at divinehawk dot com
Description:
------------
With the latest 5.2 (and trunk), you can't have multiple fields with the same name in the DN.

E.g. it's impossible to produce CN=server, OU=Company, OU=Division, OU=Sector, O=Organization




Reproduce code:
---------------
<?php

$dn = array("commonName"             => "server",
            "organizationalUnitName" => array("Company", "Division", "Section"),  // one key, three values
            "organizationName"       => "Organization",
        );

$privkey = openssl_pkey_new();
$csr = openssl_csr_new($dn, $privkey);   // line 9: the notice under "Actual result" is raised here

openssl_csr_export($csr, $csrout);
file_put_contents("test.csr", $csrout);


Expected result:
----------------
openssl req -in test.csr -noout -subject

subject=/CN=server/OU=Company/OU=Division/OU=Section/O=Organization



Actual result:
--------------
PHP Notice:  Array to string conversion in /var/www/html/bug/cert.php on line 9

Then:

openssl req -in test.csr -noout -subject

subject=/CN=server/OU=Array/O=Organization
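
The subject the report asks for, built and read back with the openssl command line instead of openssl_csr_new(). This is an added example, not code from the report or from PHP; it assumes an openssl binary on PATH and a usable default openssl.cnf, reuses the report's DN values as a constructed input, and passes -nameopt compat so the subject prints in the one-line slash form shown under "Expected result" (newer OpenSSL releases otherwise print "CN = server, OU = Company, ..."). The helper names make_multi_ou_csr, csr_subject, count_ou and subject_matches are this example's own.

```sh
#!/bin/sh
# Added example (not from the bug report): produce a CSR whose subject carries
# three separate OU RDNs, then inspect it the way the report does.
set -eu

# Constructed input: the report's DN in the slash form that openssl req -subj expects.
# Each "/OU=" opens a new RDN, so the subject ends up with three OU attributes.
SUBJECT='/CN=server/OU=Company/OU=Division/OU=Section/O=Organization'

# Generate a throwaway key and a CSR for $SUBJECT inside scratch directory $1.
# Prints the CSR path. stderr is silenced because key generation is chatty.
make_multi_ou_csr() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/key.pem" -out "$dir/test.csr" \
        -subj "$SUBJECT" 2>/dev/null
    printf '%s\n' "$dir/test.csr"
}

# Print the CSR subject in the old one-line format, e.g.
#   subject=/CN=server/OU=Company/OU=Division/OU=Section/O=Organization
# -nameopt compat keeps that layout on OpenSSL 1.1 and 3.x.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt compat
}

# Count the OU attributes actually present in the CSR subject.
count_ou() {
    csr_subject "$1" | grep -o 'OU=' | wc -l | tr -d ' '
}

# Succeed only if the subject read back is exactly the one requested.
subject_matches() {
    [ "$(csr_subject "$1")" = "subject=$SUBJECT" ]
}

# Stand-alone run: build the CSR, show its subject and the OU count, clean up.
WORK=$(mktemp -d)
CSR=$(make_multi_ou_csr "$WORK")
csr_subject "$CSR"
echo "OU count: $(count_ou "$CSR")"
rm -rf "$WORK"
```

The check in subject_matches is the one worth keeping around: it fails the moment a value is collapsed (the "OU=Array" of the actual result) or reordered, which a visual look at the -subject output can miss.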


History

 [2009-06-10 16:25 UTC] php at divinehawk dot com
Patch:

--- php-5.2.9/ext/openssl/openssl.c.orig	2009-06-10 06:55:27.000000000 -0400
+++ php-5.2.9/ext/openssl/openssl.c	2009-06-10 06:56:56.000000000 -0400
@@ -1707,7 +1707,9 @@
 		CONF_VALUE * v;
 		X509_NAME * subj;
 		HashPosition hpos;
+		HashPosition subhpos;
 		zval ** item;
+		zval ** subitem;
 		
 		subj = X509_REQ_get_subject_name(csr);
 		/* apply values from the dn hash */
@@ -1719,6 +1721,32 @@
 			
 			zend_hash_get_current_key_ex(HASH_OF(dn), &strindex, &strindexlen, &intindex, 0, &hpos);
 
+			if(Z_TYPE_PP(item) == IS_ARRAY && strindex)
+			{
+				/* multi-value string */
+				int nid;
+				nid = OBJ_txt2nid(strindex);
+					
+				if (nid != NID_undef) {
+					zend_hash_internal_pointer_reset_ex(HASH_OF(*item), &subhpos);
+					while(zend_hash_get_current_data_ex(HASH_OF(*item), (void**)&subitem, &subhpos) == SUCCESS)
+					{	 
+						convert_to_string_ex(subitem);
+						if (!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_ASC, 
+								(unsigned char*)Z_STRVAL_PP(subitem), -1, -1, 1))
+						{
+							php_error_docref(NULL TSRMLS_CC, E_WARNING, "dn: add_entry_by_NID %d -> %s (failed)", nid, Z_STRVAL_PP(subitem));
+							return FAILURE;
+						}
+						zend_hash_move_forward_ex(HASH_OF(dn), &subhpos);
+					}
+				} else {
+					php_error_docref(NULL TSRMLS_CC, E_WARNING, "dn: %s is not a recognized name", strindex);
+				}
+				zend_hash_move_forward_ex(HASH_OF(dn), &hpos);
+				continue;
+			}
+
 			convert_to_string_ex(item);
 
 			if (strindex) {
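Review bot: the inner loop advances the wrong hash table: `zend_hash_move_forward_ex(HASH_OF(dn), &subhpos);` moves `subhpos` against the outer `dn` table, while the loop reads with `zend_hash_get_current_data_ex(HASH_OF(*item), (void**)&subitem, &subhpos)`; it should be `zend_hash_move_forward_ex(HASH_OF(*item), &subhpos);`, and whether the current form happens to terminate depends on Zend internals rather than on the code being right. Two smaller points in the same block: a sub-value that is itself an array still goes through `convert_to_string_ex(subitem)` and becomes the string "Array", which is the very symptom of this report, so reject non-scalar sub-values with a warning instead; and the trailing `1` passed to `X509_NAME_add_entry_by_NID` is the `set` argument, which controls whether the entry joins a multi-valued RDN, so a comment stating the intended layout (the report's expected subject shows separate OU RDNs) would make the choice reviewable.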
 [2009-06-10 16:29 UTC] pajoye@php.net
Thanks for your work :)

We need a patch against 5.3+ as well as test cases.

PHP 5.2 won't get new features (only bug fixes).


 [2009-06-10 18:38 UTC] php at divinehawk dot com
Patch against 5.3

--- openssl.c	20 Apr 2009 09:44:29 -0000	1.98.2.5.2.41.2.29
+++ openssl.c	10 Jun 2009 18:36:57 -0000
@@ -1998,7 +1998,9 @@
 		CONF_VALUE * v;
 		X509_NAME * subj;
 		HashPosition hpos;
+		HashPosition subhpos;
 		zval ** item;
+		zval ** subitem;
 		
 		subj = X509_REQ_get_subject_name(csr);
 		/* apply values from the dn hash */
@@ -2010,6 +2012,29 @@
 			
 			zend_hash_get_current_key_ex(HASH_OF(dn), &strindex, &strindexlen, &intindex, 0, &hpos);
 
+			if(Z_TYPE_PP(item) == IS_ARRAY && strindex) {
+				/* multi-value string */
+				int nid;
+				nid = OBJ_txt2nid(strindex);
+					
+				if (nid != NID_undef) {
+					zend_hash_internal_pointer_reset_ex(HASH_OF(*item), &subhpos);
+					while(zend_hash_get_current_data_ex(HASH_OF(*item), (void**)&subitem, &subhpos) == SUCCESS) {	 
+						convert_to_string_ex(subitem);
+						if (!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_ASC, 
+								(unsigned char*)Z_STRVAL_PP(subitem), -1, -1, 1)) {
+							php_error_docref(NULL TSRMLS_CC, E_WARNING, "dn: add_entry_by_NID %d -> %s (failed)", nid, Z_STRVAL_PP(subitem));
+							return FAILURE;
+						}
+						zend_hash_move_forward_ex(HASH_OF(dn), &subhpos);
+					}
+				} else {
+					php_error_docref(NULL TSRMLS_CC, E_WARNING, "dn: %s is not a recognized name", strindex);
+				}
+				zend_hash_move_forward_ex(HASH_OF(dn), &hpos);
+				continue;
+			}
+
 			convert_to_string_ex(item);
 
 			if (strindex) {
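Review bot: same table mismatch as in the 5.2 patch: `zend_hash_move_forward_ex(HASH_OF(dn), &subhpos);` should advance `HASH_OF(*item)`, the table the loop reads from with `zend_hash_get_current_data_ex`. Since pajoye asked for test cases, this patch should also come with a .phpt under ext/openssl/tests that builds a CSR from a DN with an array-valued organizationalUnitName and checks the subject returned by openssl_csr_get_subject(), plus one that passes a non-string sub-value and asserts the warning path rather than an "Array" entry.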
 [2010-07-25 17:43 UTC] nirfri at hotmail dot com
This patch doesn't work on multiple CNs.

"commonName" => array("test2", "test")

Is this fixed in 5.3.2?
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC