php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #55820 php openssl csr parser ignores SANs
Submitted: 2011-09-30 15:45 UTC Modified: 2011-09-30 15:57 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:0 (0.0%)
From: zedwoodnoreply at gmail dot com Assigned:
Status: Analyzed Package: OpenSSL related
PHP Version: 5.3.8 OS: Ubuntu Linux 10.04
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2011-09-30 15:45 UTC] zedwoodnoreply at gmail dot com
Description:
------------
The SANs (Subject Alternative Names) field of a CSR is totally ignored by the CSR parser openssl_csr_get_subject();

Test script:
---------------
<?php
print_r(openssl_csr_get_subject('-----BEGIN CERTIFICATE REQUEST-----
MIIC8jCCAdoCAQAwWzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFV0YWgxDzANBgNV
BAcTBkxpbmRvbjESMBAGA1UEChMJWiBXaWRnZXRzMRgwFgYDVQQDEw93d3cuZXhh
bXBsZS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDUXRBdEikS
M+tUevGctlIil04GNPkB9sff0BhTwn1ckXrMS4IBzO43M6eFR6Bfxr1tAi8WcdPs
QoxiF6FBz/A3O3zcJzkLd8WZcFxZx+qIKoi1HY052YKcq1KjhmnUMDfAgPV92Sp1
pHkdvuAjRavYdBir+7DU00X/OLXWFnGaHdyZpSEP2RKVxHC6QLSPpuZH3UtaJdLh
+OgoEyCEeqJcsQDDiJ3gOxrOiZLwYoC9tleX8Ih5F2MDwR2TPfy7f3QtrIG6KD2x
Sz4ce1JviZVTZvpDHETnNbipf0VkrUapMgSr27s5veGA4IlNMvJyLmWn9TY7rdSG
YkT8oRAGuuJ/AgMBAAGgUjBQBgkqhkiG9w0BCQ4xQzBBMD8GA1UdEQQ4MDaCEHRl
c3QuZXhhbXBsZS5jb22CEW90aGVyLmV4YW1wbGUuY29tgg93d3cuZXhhbXBsZS5u
ZXQwDQYJKoZIhvcNAQEFBQADggEBAM6cf7LD8KtnJPaC3YYhNMiGSedQ6l9tm2li
e7N/HX19SdYmNPG7EWIbL/3Gkib9OsVl2kVlXOaWJNvePVq7AfEhVnC2ytwNbWB9
spa2VCz2rdMfeIyMEWaj20DuxaTbdjABuX6XEJb5Pvp9l6XH0pmkFgn9TjZqE6HO
nBSjoCsrxcCptDz4usPWaxqjpJuiV4+Iq5sHBWBWWDfL53i/o6Uf2YGERnrhOONp
QNU9sHr3jPasDBTZUOJZx4W15MeP9jluyhqWHnXrtPUwcYKPS1Kt3InB26sDQ7Bz
v/kDaAV03I6GKff8W6+UogfFmgCus5pSwp8aiqCADtomP503Hd8=
-----END CERTIFICATE REQUEST-----'));

Expected result:
----------------
Array
(
    [C] => US
    [ST] => Utah
    [L] => Lindon
    [O] => Z Widgets
    [CN] => www.example.edu
    [SANS] => DNS:test.example.com, DNS:other.example.com, DNS:www.example.net
)


Actual result:
--------------
Array
(
    [C] => US
    [ST] => Utah
    [L] => Lindon
    [O] => Z Widgets
    [CN] => www.example.edu
)


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-09-30 15:46 UTC] zedwoodnoreply at gmail dot com
openssl req -in sans.csr -noout -text
#output is
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Utah, L=Lindon, O=Z Widgets, CN=www.example.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:d4:5d:10:5d:12:29:12:33:eb:54:7a:f1:9c:b6:
                    52:22:97:4e:06:34:f9:01:f6:c7:df:d0:18:53:c2:
                    7d:5c:91:7a:cc:4b:82:01:cc:ee:37:33:a7:85:47:
                    a0:5f:c6:bd:6d:02:2f:16:71:d3:ec:42:8c:62:17:
                    a1:41:cf:f0:37:3b:7c:dc:27:39:0b:77:c5:99:70:
                    5c:59:c7:ea:88:2a:88:b5:1d:8d:39:d9:82:9c:ab:
                    52:a3:86:69:d4:30:37:c0:80:f5:7d:d9:2a:75:a4:
                    79:1d:be:e0:23:45:ab:d8:74:18:ab:fb:b0:d4:d3:
                    45:ff:38:b5:d6:16:71:9a:1d:dc:99:a5:21:0f:d9:
                    12:95:c4:70:ba:40:b4:8f:a6:e6:47:dd:4b:5a:25:
                    d2:e1:f8:e8:28:13:20:84:7a:a2:5c:b1:00:c3:88:
                    9d:e0:3b:1a:ce:89:92:f0:62:80:bd:b6:57:97:f0:
                    88:79:17:63:03:c1:1d:93:3d:fc:bb:7f:74:2d:ac:
                    81:ba:28:3d:b1:4b:3e:1c:7b:52:6f:89:95:53:66:
                    fa:43:1c:44:e7:35:b8:a9:7f:45:64:ad:46:a9:32:
                    04:ab:db:bb:39:bd:e1:80:e0:89:4d:32:f2:72:2e:
                    65:a7:f5:36:3b:ad:d4:86:62:44:fc:a1:10:06:ba:
                    e2:7f
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:test.example.com, DNS:other.example.com, DNS:www.example.net
    Signature Algorithm: sha1WithRSAEncryption
        ce:9c:7f:b2:c3:f0:ab:67:24:f6:82:dd:86:21:34:c8:86:49:
        e7:50:ea:5f:6d:9b:69:62:7b:b3:7f:1d:7d:7d:49:d6:26:34:
        f1:bb:11:62:1b:2f:fd:c6:92:26:fd:3a:c5:65:da:45:65:5c:
        e6:96:24:db:de:3d:5a:bb:01:f1:21:56:70:b6:ca:dc:0d:6d:
        60:7d:b2:96:b6:54:2c:f6:ad:d3:1f:78:8c:8c:11:66:a3:db:
        40:ee:c5:a4:db:76:30:01:b9:7e:97:10:96:f9:3e:fa:7d:97:
        a5:c7:d2:99:a4:16:09:fd:4e:36:6a:13:a1:ce:9c:14:a3:a0:
        2b:2b:c5:c0:a9:b4:3c:f8:ba:c3:d6:6b:1a:a3:a4:9b:a2:57:
        8f:88:ab:9b:07:05:60:56:58:37:cb:e7:78:bf:a3:a5:1f:d9:
        81:84:46:7a:e1:38:e3:69:40:d5:3d:b0:7a:f7:8c:f6:ac:0c:
        14:d9:50:e2:59:c7:85:b5:e4:c7:8f:f6:39:6e:ca:1a:96:1e:
        75:eb:b4:f5:30:71:82:8f:4b:52:ad:dc:89:c1:db:ab:03:43:
        b0:73:bf:f9:03:68:05:74:dc:8e:86:29:f7:fc:5b:af:94:a2:
        07:c5:9a:00:ae:b3:9a:52:c2:9f:1a:8a:a0:80:0e:da:26:3f:
        9d:37:1d:df
 [2011-09-30 15:57 UTC] pajoye@php.net
-Status: Open +Status: Analyzed
 [2011-09-30 15:57 UTC] pajoye@php.net
hi,

NID_subject_alt_name is not part of the subject name, as returned by the 
X509_REQ_get_subject_name.

As you can see in your openssl command output, we do return the correct value:
Subject: C=US, ST=Utah, L=Lindon, O=Z Widgets, CN=www.example.edu

However I can see a need to fetch extensions (v3 or v2) and we may need to 
expose X509_get_ext_d2i (or equivalent.
 [2011-09-30 20:21 UTC] zedwoodnoreply at gmail dot com
Currently, openssl_x509_parse returns the x509v3 extensions, so it would be nice if there was some way to have an openssl_csr_parse that returns both the subject and the extensions and potentially other fields/extensions in the future.  Right now the only thing we can extract from a CSR with php is the public key and subject.  Thanks.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC