Bug #52093 openssl_csr_sign truncates $serial
Submitted: 2010-06-16 11:34 UTC Modified: 2021-08-03 14:14 UTC
Votes: 3
Avg. Score: 3.3 ± 1.2
Reproduced: 3 of 3 (100.0%)
Same Version: 1 (33.3%)
Same OS: 1 (33.3%)
From: dreuzel at belgacom dot net Assigned: cmb (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.3.2 OS: win7
Private report: No CVE-ID: None
 [2010-06-16 11:34 UTC] dreuzel at belgacom dot net
Description:
------------
The certificate definition in OpenSSL allows for numerical serial numbers up to 20 positions or more.
In PHP there is a built-in integer restriction only allowing half the serial numbers; higher numbers have a cleared part.

The serial needs to be numerical, no problem, but it need not be an integer or limited by that (allow higher numbers).


History

 [2017-08-02 14:27 UTC] narf at devilix dot net
There's a worse problem with this ... It's not even supposed to be a decimal number.
 [2018-02-28 19:52 UTC] cmb@php.net
-Package: Unknown/Other Function +Package: OpenSSL related
 [2019-08-18 20:35 UTC] hunterr83 at hotmail dot com
Not sure if the same thing, but very related.

When I do print(PHP_INT_MAX), I get a value of 9223372036854775807. However, when I try to pass in that value to the serial number parameter, the certificate that is generated shows a serial value of ff, which is 255.

Similarly, if I go down one count in value and pass in 9223372036854775806, then I get a final serial number of fe, which is 254.

If I pass in 4294967290, then I get fa, which is 250.

Some rough testing shows that the maximum value the function is willing to accept is something a bit higher than 4,000,000,000. Once you go above whatever the actual cap is, you start to see some really strange serial numbers. I feel if it's too difficult to support the PHP_INT_MAX value, then we could at least throw an error if the integer being passed in is more than the function can support.
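The values reported in the comment above (PHP_INT_MAX giving `ff`, 4294967290 giving `fa`) are consistent with the 64-bit PHP integer being narrowed to a 32-bit C `long`, as on Windows, before ASN1_INTEGER_set() encodes it: the value wraps to a small negative number whose two's-complement DER encoding is a single octet. The C program below is an added example, not code from php-src or from this thread; it models that narrowing with a minimal DER INTEGER encoder, contrasts it with the full 64-bit encoding that ASN1_INTEGER_set_int64() provides, and shows the range check a caller could apply on the old path. The 32-bit `long` interpretation is an assumption drawn from the reported values, not something stated in the ticket.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hex of the DER INTEGER content octets of v (big-endian two's complement,
 * shortest form, as X.509 serials are encoded). out needs 17 bytes. */
static char *der_int_hex(int64_t v, char out[17])
{
    uint64_t u = (uint64_t)v;                 /* two's-complement bit pattern */
    uint8_t buf[8];
    for (int i = 7; i >= 0; i--) { buf[i] = (uint8_t)(u & 0xff); u >>= 8; }
    size_t start = 0;                         /* strip redundant 00/ff octets */
    while (start < 7 &&
           ((buf[start] == 0x00 && !(buf[start + 1] & 0x80)) ||
            (buf[start] == 0xff &&  (buf[start + 1] & 0x80))))
        start++;
    for (size_t i = start; i < 8; i++)
        sprintf(out + 2 * (i - start), "%02x", buf[i]);
    return out;
}

/* Old path, assuming a 32-bit C long (Windows): the 64-bit PHP integer is
 * narrowed before ASN1_INTEGER_set(), so only the low 32 bits survive and
 * any value with bit 31 set becomes a small negative number. */
static const char *serial_hex_old(int64_t serial)
{
    static char out[17];
    int32_t narrowed = (int32_t)(uint32_t)(uint64_t)serial;   /* modular wrap */
    return der_int_hex(narrowed, out);
}

static const char *serial_hex_new(int64_t serial)   /* fixed path: full int64 */
{
    static char out[17];
    return der_int_hex(serial, out);
}

/* Check a caller could apply before the fix: serials must be positive, and
 * anything above INT32_MAX would be silently mangled on the old path. */
static int serial_fits_old_path(int64_t serial)
{
    return serial >= 0 && serial <= INT32_MAX;
}

int main(void)
{
    int64_t s = 4294967290LL;                 /* reported to come out as 'fa' */
    printf("%lld -> old: %s, new: %s\n", (long long)s, serial_hex_old(s), serial_hex_new(s));
    return 0;
}
```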
 [2021-06-30 12:37 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2021-06-30 12:37 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #52093: openssl_csr_sign silently truncates $serial
On GitHub:  https://github.com/php/php-src/pull/7209
Patch:      https://github.com/php/php-src/pull/7209.patch
 [2021-06-30 13:51 UTC] cmb@php.net
-Summary: Openssl_csr_sign (serial) +Summary: openssl_csr_sign truncates $serial
 [2021-07-01 13:46 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/334387bb7097840789fbc95bd38c425645705d30
Log: Fix #52093: openssl_csr_sign truncates $serial
 [2021-07-01 13:46 UTC] git@php.net
-Status: Verified +Status: Closed
 [2021-08-03 13:47 UTC] izorkin at elven dot pw
After this patch, building PHP 7.4 and PHP 8.0 gives an error:
```
/build/php-src-7.4.22/ext/openssl/openssl.c: In function 'zif_openssl_csr_sign':
/build/php-src-7.4.22/ext/openssl/openssl.c:3528:2: warning: implicit declaration of function 'ASN1_INTEGER_set_int64'; did you mean 'ASN1_INTEGER_set'? [-Wimplicit-function-declaration]
 3528 |  ASN1_INTEGER_set_int64(X509_get_serialNumber(new_cert), serial);
      |  ^~~~~~~~~~~~~~~~~~~~~~
      |  ASN1_INTEGER_set
```

Using OpenSSL version 1.1.1k.
 [2021-08-03 14:14 UTC] cmb@php.net
@izorkin, I can't explain that build failure.  The function is
supposed to be available with OpenSSL >= 1.1.0.  Anyhow, please
open a new ticket, because the fix for this ticket has already
been released, so re-opening this ticket would be confusing at
best.