Bug #55362 X509_PURPOSE_ANY is not recognized by openssl
Submitted: 2011-08-04 12:14 UTC
Modified: 2025-01-19 20:02 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: anders at ingemann dot de
Assigned: bukka
Status: Not a bug
Package: OpenSSL related
PHP Version: 5.3.6
OS: Windows 7
Private report: No
CVE-ID: None
 [2011-08-04 12:14 UTC] anders at ingemann dot de
Description:
------------
On http://www.php.net/manual/en/function.openssl-x509-checkpurpose.php the purpose 
check X509_PURPOSE_ANY is mentioned and the constant is defined as well.
openssl_x509_checkpurpose() however reports "error:0B086079:x509 certificate 
routines:X509_STORE_CTX_purpose_inherit:unknown purpose id".
Checking up in the documentation I can see that this purpose is not supported 
(http://www.openssl.org/docs/apps/verify.html#COMMAND_OPTIONS). This constant 
should be removed, and a note should be put in the documentation, specifying that 
this is not supported.

Test script:
---------------
$x509cert = file_get_contents('cert.pem'); // placeholder path: any valid PEM certificate
var_dump(openssl_x509_checkpurpose($x509cert, X509_PURPOSE_ANY));
while ($error = openssl_error_string()) echo $error . "\n";

Expected result:
----------------
With a valid certificate openssl_x509_checkpurpose($cert, X509_PURPOSE_ANY) 
returns true.

Actual result:
--------------
With a valid certificate openssl_x509_checkpurpose($cert, X509_PURPOSE_ANY) 
returns false.

 [2011-08-04 12:23 UTC] anders at ingemann dot de
-Summary: X509_PURPOSE_ANY is not supported
+Summary: X509_PURPOSE_ANY is not recognized by openssl
 [2011-08-04 12:23 UTC] anders at ingemann dot de
I just found out that the "any" purpose IS actually supported, but it is simply 
not documented. It seems the constant is somehow referring to a wrong value.
 [2011-08-04 12:40 UTC] pajoye@php.net
-Status: Open
+Status: Feedback
 [2011-08-04 12:40 UTC] pajoye@php.net
c:\test\php536nts>php -n -d extension_dir=ext -d extension=php_openssl.dll -r 
"print_r(get_defined_constants());" | FIND "X509"
    [X509_PURPOSE_SSL_CLIENT] => 1
    [X509_PURPOSE_SSL_SERVER] => 2
    [X509_PURPOSE_NS_SSL_SERVER] => 3
    [X509_PURPOSE_SMIME_SIGN] => 4
    [X509_PURPOSE_SMIME_ENCRYPT] => 5
    [X509_PURPOSE_CRL_SIGN] => 6
    [X509_PURPOSE_ANY] => 7


and from the x509v3.h:
#define X509_PURPOSE_ANY     7

What do you mean then?
 [2011-08-04 13:27 UTC] anders at ingemann dot de
-Status: Feedback
+Status: Open
 [2011-08-04 13:27 UTC] anders at ingemann dot de
The constant is not the problem.
Somehow int(7) causes an error with the openssl api. It says that this purpose id 
is not known.
 [2025-01-19 20:02 UTC] bukka@php.net
-Status: Open
+Status: Not a bug
-Assigned To:
+Assigned To: bukka
 [2025-01-19 20:02 UTC] bukka@php.net
I just checked this out and don't really see any issue. The X509_PURPOSE_ANY is defined. It might be a misunderstanding of its meaning, maybe. The best documentation is actually in the changelog for the 0.9.5a changes:

 * Add compatibility options to the purpose and trust code. The
   purpose X509_PURPOSE_ANY is "any purpose" which automatically
   accepts a certificate or CA, this was the previous behaviour,
   with all the associated security issues.

   X509_TRUST_COMPAT is the old trust behaviour: only and
   automatically trust self signed roots in certificate store. A
   new trust setting X509_TRUST_DEFAULT is used to specify that
   a purpose has no associated trust setting and it should instead
   use the value in the default purpose.

Anyway, the openssl ext just sets this flag to X509_STORE_CTX_set_purpose as it should, so there is no issue with that.

Closing as not a bug.
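
The per-purpose behaviour discussed in this thread can be observed directly. The script below is an added example, not code from the report or from PHP itself; it assumes a usable openssl.cnf, builds a constructed throwaway self-signed certificate, and empties the OpenSSL error queue before each call so that any message printed belongs to that call (the helper name check_purpose is hypothetical).

```php
<?php
// Added example: the certificate is constructed here, not taken from the bug report.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($key === false) {
    exit("openssl_pkey_new failed: " . openssl_error_string() . "\n");
}
$csr  = openssl_csr_new(['commonName' => 'purpose-demo.invalid'], $key, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => 'sha256']); // self-signed, 1 day
openssl_x509_export($cert, $pem);

// Use the certificate as its own trust anchor so chain building can succeed.
$caFile = tempnam(sys_get_temp_dir(), 'ca');
file_put_contents($caFile, $pem);

$purposes = [
    'X509_PURPOSE_SSL_CLIENT'    => X509_PURPOSE_SSL_CLIENT,
    'X509_PURPOSE_SSL_SERVER'    => X509_PURPOSE_SSL_SERVER,
    'X509_PURPOSE_NS_SSL_SERVER' => X509_PURPOSE_NS_SSL_SERVER,
    'X509_PURPOSE_SMIME_SIGN'    => X509_PURPOSE_SMIME_SIGN,
    'X509_PURPOSE_SMIME_ENCRYPT' => X509_PURPOSE_SMIME_ENCRYPT,
    'X509_PURPOSE_CRL_SIGN'      => X509_PURPOSE_CRL_SIGN,
    'X509_PURPOSE_ANY'           => X509_PURPOSE_ANY,
];

// Returns [result, errors]; result is true, false, or -1 as documented
// for openssl_x509_checkpurpose().
function check_purpose(string $pem, int $purpose, string $caFile): array
{
    // The error queue is shared by all OpenSSL calls: drop stale entries first.
    while (openssl_error_string() !== false) {
    }
    $result = openssl_x509_checkpurpose($pem, $purpose, [$caFile]);
    $errors = [];
    while (($e = openssl_error_string()) !== false) {
        $errors[] = $e;
    }
    return [$result, $errors];
}

foreach ($purposes as $name => $id) {
    [$result, $errors] = check_purpose($pem, $id, $caFile);
    printf("%-27s (%d) => %s\n", $name, $id, var_export($result, true));
    foreach ($errors as $e) {
        echo "    $e\n";
    }
}
unlink($caFile);
```

Since the changelog quoted above describes X509_PURPOSE_ANY as automatically accepting a certificate or CA, a result of true for that purpose says nothing about whether the certificate is suitable for a specific use; compare it with the result for the purpose the application actually needs.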
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 12:01:26 2025 UTC