Bug #51647 Certificate file without private key (pk in another file) doesn't work
Submitted: 2010-04-23 15:38 UTC Modified: 2010-04-23 17:28 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: andrey@php.net Assigned: pajoye
Status: Assigned Package: OpenSSL related
PHP Version: 5.3SVN-2010-04-23 (SVN) OS: Linux
Private report: No CVE-ID:

 [2010-04-23 15:38 UTC] andrey@php.net
Description:
------------
If a user has a certificate file (PEM) with only the public key, and the private key in another file, he cannot use them by pushing them down to the stream by using a context. The user is forced to put the keys in the same file, which is not always possible.

Test script:
---------------
From the sources:
		if (VCWD_REALPATH(certfile, resolved_path_buff)) {
			/* a certificate to use for authentication */
			if (SSL_CTX_use_certificate_chain_file(ctx, resolved_path_buff) != 1) {
				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set local cert chain file `%s'; Check that your cafile/capath settings include details of your certificate and its issuer", certfile);
				return NULL;
			}

			if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff, SSL_FILETYPE_PEM) != 1) {
				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set private key file `%s'", resolved_path_buff);
				return NULL;
			}
History

 [2010-04-23 15:40 UTC] andrey@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: andrey
 [2010-04-23 15:54 UTC] andrey@php.net
Automatic comment from SVN on behalf of andrey
Revision: http://svn.php.net/viewvc/?view=revision&revision=298374
Log: Fix for bug #51647 Certificate file without private key (pk in another file) doesn't work
 [2010-04-23 15:56 UTC] andrey@php.net
-Status: Verified +Status: Closed
 [2010-04-23 15:56 UTC] andrey@php.net
Addressed in 5.3.3
 [2010-04-23 16:30 UTC] pajoye@php.net
-Status: Closed +Status: Assigned -Assigned To: andrey +Assigned To: pajoye
 [2010-04-23 16:30 UTC] pajoye@php.net
Opening a bug, committing the same wrong thing and closing the bug does not solve anything. I mailed you what I'm expecting.
 [2010-04-23 17:15 UTC] andrey@php.net
You need to start the MySQL server with the following options:
ssl-ca=/path/to/cacert.pem
ssl-cert=/path/to/server-cert.pem
ssl-key=/path/to/server-key.pem

You can find all the files here:
http://www.hristov.com/andrey/projects/php_stuff/certs/
 [2010-04-23 17:18 UTC] andrey@php.net
Pierre, I haven't committed the same wrong thing. I thought you can read emails/diffs, but somehow I lost this feeling.
 [2010-04-23 17:28 UTC] andrey@php.net
Here is the new patch, already committed, also to be found in the commit email.

Index: ext/openssl/openssl.c
===================================================================
--- ext/openssl/openssl.c	(revision 298371)
+++ ext/openssl/openssl.c	(working copy)
@@ -4445,6 +4445,7 @@
 		EVP_PKEY *key = NULL;
 		SSL *tmpssl;
 		char resolved_path_buff[MAXPATHLEN];
+		const char * private_key = NULL;
 
 		if (VCWD_REALPATH(certfile, resolved_path_buff)) {
 			/* a certificate to use for authentication */
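Review bot: the new declaration `+		const char * private_key = NULL;` puts a space on both sides of the star, while the neighbouring declarations in this hunk write it against the name (`EVP_PKEY *key`, `SSL *tmpssl`); write `const char *private_key = NULL;` to match the surrounding style.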
@@ -4452,10 +4453,21 @@
 				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set local cert chain file `%s'; Check that your cafile/capath settings include details of your certificate and its issuer", certfile);
 				return NULL;
 			}
+			GET_VER_OPT_STRING("local_pk", private_key);
 
-			if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff, SSL_FILETYPE_PEM) != 1) {
-				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set private key file `%s'", resolved_path_buff);
-				return NULL;
+			if (private_key) {
+				char resolved_path_buff_pk[MAXPATHLEN];
+				if (VCWD_REALPATH(private_key, resolved_path_buff_pk)) {
+					if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff_pk, SSL_FILETYPE_PEM) != 1) {
+						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set private key file `%s'", resolved_path_buff_pk);
+						return NULL;
+					}
+				}
+			} else {
+				if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff, SSL_FILETYPE_PEM) != 1) {
+					php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set private key file `%s'", resolved_path_buff);
+					return NULL;
+				}		
 			}
 
 			tmpssl = SSL_new(ctx);
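Review bot: the `local_pk` branch is missing an error path: when `VCWD_REALPATH(private_key, resolved_path_buff_pk)` fails (a mistyped or non-existent key path), the code falls through with no private key loaded and no diagnostic, whereas the certificate branch just above warns and returns NULL. Add an `else` on the `VCWD_REALPATH` test that emits a `php_error_docref(NULL TSRMLS_CC, E_WARNING, ...)` naming the unresolved `private_key` path and returns NULL, so a bad `local_pk` value fails at context setup rather than as an opaque handshake error later. The two `SSL_CTX_use_PrivateKey_file` calls could then collapse into one by first choosing the path (`resolved_path_buff_pk` when `private_key` is set, `resolved_path_buff` otherwise). Also, the closing brace `+				}		` carries trailing tabs.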
 [2014-01-30 17:46 UTC] daverandom@php.net
Pierre/Andrey

Are we happy that this bug is fixed? The context option that was added by the patch is not currently documented. I will be helping to update the documentation for the recent OpenSSL changes, can I include this in the docs as well?

Thanks, Chris
 [2014-03-04 18:55 UTC] rdlowrey@php.net
> The user is forced to put keys in the same file,
> which is not always possible.

I'm drawing a blank on when this would not be possible. The only thing that needs to happen in order for this to work is the concatenation of the private key and the public cert into the same file.

Are there scenarios where this isn't possible that I'm missing? Otherwise I wouldn't really consider this a bug.
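The two configurations the thread discusses, certificate and key in one concatenated file versus in separate files, differ on the PHP side only in whether `local_pk` is set. Below is an added example (not code from the bug report or from php-src) of a TLS client context that loads the certificate from one PEM file and the private key from another using the `local_pk` ssl context option introduced by the patch above. Because keeping the two in separate files makes a cert/key mix-up easier, the example first checks that they belong together with `openssl_x509_check_private_key()`, the same test OpenSSL's `SSL_CTX_check_private_key` performs. The self-signed certificate is generated on the fly so the script runs offline; the CA bundle path and the `host:port` argument are placeholders.

```php
<?php
// Added example: TLS client context with certificate and private key in
// separate files (local_cert + local_pk), preceded by a cert/key match check.
// Assumes PHP >= 5.3.3 with ext/openssl (local_pk was added in 5.3.3 by the
// patch in this report). Paths and the target host are placeholders.

function writeSeparateCertAndKey($dir)
{
    // Constructed sample material: a throwaway self-signed certificate so the
    // example runs without any pre-existing files.
    $key = openssl_pkey_new(array(
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ));
    $dn  = array('commonName' => 'example.invalid'); // placeholder subject
    $csr = openssl_csr_new($dn, $key, array('digest_alg' => 'sha256'));
    $crt = openssl_csr_sign($csr, null, $key, 1, array('digest_alg' => 'sha256'));

    openssl_x509_export($crt, $certPem);  // certificate only, no key inside
    openssl_pkey_export($key, $keyPem);   // private key goes to its own file

    $certFile = $dir . '/client-cert.pem';
    $keyFile  = $dir . '/client-key.pem';
    file_put_contents($certFile, $certPem);
    file_put_contents($keyFile, $keyPem);
    chmod($keyFile, 0600); // the key file must not be readable by other users

    return array($certFile, $keyFile);
}

function certMatchesKey($certFile, $keyFile)
{
    // Fails fast on a cert/key mismatch instead of surfacing it later as an
    // unhelpful handshake failure. Both arguments accept file:// paths.
    return openssl_x509_check_private_key('file://' . $certFile, 'file://' . $keyFile);
}

function buildClientContext($certFile, $keyFile, $caFile)
{
    return stream_context_create(array('ssl' => array(
        'local_cert'  => $certFile, // certificate (and chain) only
        'local_pk'    => $keyFile,  // private key in a separate file
        'verify_peer' => true,      // still authenticate the server
        'cafile'      => $caFile,
    )));
}

// --- usage ---
list($certFile, $keyFile) = writeSeparateCertAndKey(sys_get_temp_dir());

if (!certMatchesKey($certFile, $keyFile)) {
    fwrite(STDERR, "certificate and private key do not match\n");
    exit(1);
}

$ctx = buildClientContext($certFile, $keyFile, '/path/to/cacert.pem'); // placeholder CA bundle

// Only attempt a connection when a host:port is given on the command line.
if ($argc > 1) {
    $sock = @stream_socket_client('tls://' . $argv[1], $errno, $errstr, 10,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        fwrite(STDERR, "connect failed: [$errno] $errstr\n");
        exit(1);
    }
    fclose($sock);
}

// Show the resulting ssl options so the two-file setup is visible.
var_dump(stream_context_get_options($ctx)['ssl']);
```

Run it as `php client-ctx.php` to see the context, or `php client-ctx.php host:443` to open a TLS connection with it. With a concatenated PEM file, drop the `local_pk` entry and point `local_cert` at the combined file; the match check still applies by passing the same path for both arguments.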
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 21:01:55 2014 UTC