php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #51647 Certificate file without private key (pk in another file) doesn't work
Submitted: 2010-04-23 15:38 UTC Modified: 2020-04-09 09:47 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: andrey@php.net Assigned: cmb (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.3SVN-2010-04-23 (SVN) OS: Linux
Private report: No CVE-ID: None
View Developer Edit
 [2010-04-23 15:38 UTC] andrey@php.net 
Description:
------------
If a user has a certificate file (pem) with only the public key, and the private key in another file he cannot use them by pushing down to the stream by using a context. The user is forced to put keys in the same file, which is not always possible.

Test script:
---------------
From the sources:
		if (VCWD_REALPATH(certfile, resolved_path_buff)) {
			/* a certificate to use for authentication */
			if (SSL_CTX_use_certificate_chain_file(ctx, resolved_path_buff) != 1) {
				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set local cert chain file `%s'; Check that your cafile/capath settings include details of your certificate and its issuer", certfile);
				return NULL;
			}

			if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff, SSL_FILETYPE_PEM) != 1) {
				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set private key file `%s'", resolved_path_buff);
				return NULL;
			}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-04-23 15:40 UTC] andrey@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: andrey
 [2010-04-23 15:54 UTC] andrey@php.net 
Automatic comment from SVN on behalf of andrey
Revision: http://svn.php.net/viewvc/?view=revision&revision=298374
Log: Fix for bug #51647 Certificate file without private key (pk in another file) doesn't work
 [2010-04-23 15:56 UTC] andrey@php.net
-Status: Verified +Status: Closed
 [2010-04-23 15:56 UTC] andrey@php.net 
Addressed in 5.3.3
 [2010-04-23 16:30 UTC] pajoye@php.net
-Status: Closed +Status: Assigned -Assigned To: andrey +Assigned To: pajoye
 [2010-04-23 16:30 UTC] pajoye@php.net 
To open a bug, commit the same wrong thing and close the bug does not solve anything. I mailed you what I'm expecting.
 [2010-04-23 17:15 UTC] andrey@php.net 
You need to start the MySQL server with the following options :
ssl-ca=/path/to/cacert.pem
ssl-cert=/path/to/server-cert.pem
ssl-key=/path/to/server-key.pem

All files you can find here:
http://www.hristov.com/andrey/projects/php_stuff/certs/
 [2010-04-23 17:18 UTC] andrey@php.net 
Pierre, I haven't committed the same wrong thing. I thought you can read emails/diffs, but somehow I lost this feeling.
 [2010-04-23 17:28 UTC] andrey@php.net 
Here is the new patch, already committed, also to be found in the commit email.

Index: ext/openssl/openssl.c
===================================================================
--- ext/openssl/openssl.c	(revision 298371)
+++ ext/openssl/openssl.c	(working copy)
@@ -4445,6 +4445,7 @@
 		EVP_PKEY *key = NULL;
 		SSL *tmpssl;
 		char resolved_path_buff[MAXPATHLEN];
+		const char * private_key = NULL;
 
 		if (VCWD_REALPATH(certfile, resolved_path_buff)) {
 			/* a certificate to use for authentication */
@@ -4452,10 +4453,21 @@
 				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set local cert chain file `%s'; Check that your cafile/capath settings include details of your certificate and its issuer", certfile);
 				return NULL;
 			}
+			GET_VER_OPT_STRING("local_pk", private_key);
 
-			if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff, SSL_FILETYPE_PEM) != 1) {
-				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set private key file `%s'", resolved_path_buff);
-				return NULL;
+			if (private_key) {
+				char resolved_path_buff_pk[MAXPATHLEN];
+				if (VCWD_REALPATH(private_key, resolved_path_buff_pk)) {
+					if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff_pk, SSL_FILETYPE_PEM) != 1) {
+						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set private key file `%s'", resolved_path_buff_pk);
+						return NULL;
+					}
+				}
+			} else {
+				if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff, SSL_FILETYPE_PEM) != 1) {
+					php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set private key file `%s'", resolved_path_buff);
+					return NULL;
+				}		
 			}
 
 			tmpssl = SSL_new(ctx);
 [2014-01-30 17:46 UTC] daverandom@php.net 
Pierre/Andrey

Are we happy that this bug is fixed? The context option that was added by the patch is not currently documented. I will be helping to update the documentation for the recent OpenSSL changes, can I include this in the docs as well?

Thanks, Chris
 [2014-03-04 18:55 UTC] rdlowrey@php.net 
> The user is forced to put keys in the same file,
> which is not always possible.

I'm drawing a blank on when this would not be possible. The only thing that needs to happen in order for this to work is the concatenation of the private key and the public cert into the same file.

Are there scenarios where this isn't possible that I'm missing? Otherwise I wouldn't really consider this a bug.
 [2015-07-10 11:33 UTC] spam2 at rhsoft dot net 
Related To: Bug #70039
 [2015-07-10 13:21 UTC] spam2 at rhsoft dot net 
Related To: Bug #70039
 [2017-10-24 07:30 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: pajoye +Assigned To:
 [2020-04-09 09:47 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2020-04-09 09:47 UTC] cmb@php.net 
Closing, since this is fixed as of PHP 5.3.3 (IOW, the commit never had been reverted).
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 12:01:29 2024 UTC