php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #52093 Openssl_csr_sign (serial)
Submitted: 2010-06-16 11:34 UTC Modified: 2018-02-28 19:52 UTC
Votes:3
Avg. Score:3.3 ± 1.2
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:1 (33.3%)
From: dreuzel at belgacom dot net Assigned:
Status: Open Package: OpenSSL related
PHP Version: 5.3.2 OS: win7
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: dreuzel at belgacom dot net
New email:
PHP Version: OS:

 

 [2010-06-16 11:34 UTC] dreuzel at belgacom dot net
Description:
------------
The  Certificat  defintion OpenSSL   allows for  numerical serial numbers up to 
20 positions or more..    
In PHP  there is  build  in integer   rerstriction only allowing  half the serial
numbers .....   higher  numbers  have a cleared  part......


The serial needs to be  numerical no problem  but it need not be an integer
or limited by that  (allow  higher numbers)


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-08-02 14:27 UTC] narf at devilix dot net
There's a worse problem with this ... It's not even supposed to be a decimal number.
 [2018-02-28 19:52 UTC] cmb@php.net
-Package: Unknown/Other Function +Package: OpenSSL related
 [2019-08-18 20:35 UTC] hunterr83 at hotmail dot com
Not sure if the same thing, but very related.

When I do print(PHP_INT_MAX), I get a value of 9223372036854775807. However, when I try to pass in that value to the serial number parameter, the certificate that is generated shows a serial value of ff, which is 255.

Similarly, if I go down one count in value and pass in 9223372036854775806, then I get a final serial number of fe, which is 254.

If I pass in 4294967290, then I get fa, which is 250.

Some rough testing shows that the maximum value the function is willing to accept is something a bit higher than 4,000,000,000. Once you go above whatever the actual cap is, you start to see some really strange serial numbers. I feel if it's too difficult to support the PHP_INT_MAX value, then we could at least throw an error if the integer being passed in is more than the function can support.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Fri Dec 13 23:01:23 2019 UTC