Bug #50713 openssl_pkcs7_verify returns TRUE, but openssl_error_string() returns an error
Submitted: 2010-01-10 11:52 UTC Modified: -
Avg. Score:4.7 ± 0.5
Reproduced:2 of 3 (66.7%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: dark-tranquillity at yandex dot ru Assigned:
Status: Open Package: OpenSSL related
PHP Version: 5.3.1 OS: Win32
Private report: No CVE-ID: None

 [2010-01-10 11:52 UTC] dark-tranquillity at yandex dot ru
I have a private key & self-signed certificate.
1) create a signature (openssl_pkcs7_sign)

2) verify the signature: function openssl_pkcs7_verify returns TRUE (Verification successful),
   but openssl_error_string() - returns an error message (error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found)

3) on the command line there are no errors
   openssl smime -sign -nocerts -signer proc.crt -inkey proc.key -in in.txt -out signed.txt
   openssl smime -verify -noverify -nointern -nochain -in signed.txt -certfile proc.crt

Reproduce code:
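    file_put_contents("in.txt", "demo text");

    // Assumption: $certfname was not defined in the report; the certificate
    // from the command-line example above is used here.
    $certfname = './proc.crt';
    $crt       = file_get_contents($certfname);
    $priv_key  = file_get_contents('./proc.key');

    // Sign without embedding the signer certificate (PKCS7_NOCERTS)
    if (openssl_pkcs7_sign("in.txt", "signed.txt", $crt, $priv_key, array(), PKCS7_NOCERTS)) {
        // "1.tmp" is $outfilename, $certfname is passed as $extracerts
        $status = openssl_pkcs7_verify("signed.txt", PKCS7_NOVERIFY|PKCS7_NOINTERN|PKCS7_NOCHAIN, "1.tmp", array(), $certfname);
        // Print whatever is left in the OpenSSL error queue
        while ($msg = openssl_error_string()) echo "$msg\n";
        echo "status=$status\n";
    } else {
        die('failed openssl_pkcs7_sign');
    }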

Expected result:

Actual result:
error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found


 [2016-03-14 08:59 UTC] allesbesser at gmail dot com
The problem comes from the $outfilename argument which allows you to have PHP save the certificates used to sign the message.

The PHP source is here:

First, the function does what it should do and calls PKCS7_verify(). This function verifies the signature using the internal and $extracerts by calling:

signers = PKCS7_get0_signers(p7, others, (int)flags);

others are the $extracerts. Now, as you specified $extracerts, you also had to specify $outfilename. Hence, the PHP function makes another function call:

signers = PKCS7_get0_signers(p7, NULL, (int)flags);

this time without the extra certs. Now, as the internal certificates are empty, this function raises an error as there are no certificates.

There are several ways to fix this (apart from ignoring the error when $extracerts is not empty):
- Modify the OpenSSL code so that it does not raise the error when getting certificates
- Change the way PHP gets the certificates so that the error is not raised anymore
- Allow $outfilename to be NULL so that the function is not even called

Personally, I think passing NULL as $outfilename should be accepted in these OpenSSL functions.
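
A caller-side pattern for the behaviour discussed in this report, added here as an example (it is not code from the report, the comment, or PHP itself): clear the OpenSSL error queue before the call, decide on the strictly compared return value, and treat anything left in the queue as diagnostics only. The helper name `verify_detached_signer`, the temporary paths and the throwaway key and certificate are assumptions constructed for the example.

```php
<?php
// Added example, not from the report. The helper name, temp paths and the
// throwaway key/certificate are constructed for illustration.
function verify_detached_signer(string $signed, string $certFile, string $signersOut): array
{
    // Drain stale entries so anything read later belongs to this call only.
    while (openssl_error_string() !== false);

    $status = openssl_pkcs7_verify(
        $signed,
        PKCS7_NOVERIFY | PKCS7_NOINTERN | PKCS7_NOCHAIN,
        $signersOut,  // $outfilename: leads to the second PKCS7_get0_signers() call
        array(),
        $certFile     // $extracerts: signer certificate omitted by PKCS7_NOCERTS
    );

    // Collect the queue as diagnostics; it is not the verification result.
    $queue = array();
    while (($msg = openssl_error_string()) !== false) {
        $queue[] = $msg;
    }

    // true = verified, false = bad signature, -1 = error.
    // -1 is truthy in PHP, so only a strict === true counts as success.
    return array('verified' => $status === true, 'status' => $status, 'queue' => $queue);
}

// Constructed test material: self-signed certificate and a signed message.
$dir = sys_get_temp_dir() . '/pkcs7_demo_' . getmypid();
if (!is_dir($dir) && !mkdir($dir, 0700)) {
    die("cannot create $dir\n");
}
$key = openssl_pkey_new(array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA));
$csr = openssl_csr_new(array('commonName' => 'demo signer'), $key);
$crt = openssl_csr_sign($csr, null, $key, 1);
openssl_x509_export_to_file($crt, "$dir/proc.crt");
file_put_contents("$dir/in.txt", "demo text");

if (!openssl_pkcs7_sign("$dir/in.txt", "$dir/signed.txt", $crt, $key, array(), PKCS7_NOCERTS)) {
    die("failed openssl_pkcs7_sign\n");
}

$r = verify_detached_signer("$dir/signed.txt", "$dir/proc.crt", "$dir/signers.pem");
echo 'verified=', var_export($r['verified'], true), "\n";
foreach ($r['queue'] as $msg) {
    echo "queued (diagnostic only): $msg\n";
}
```

Code that tests the result with a plain `if (openssl_pkcs7_verify(...))` accepts the -1 error return as success, which is a more serious problem than the leftover queue entry.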
Last updated: Tue Mar 09 05:01:23 2021 UTC