php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #55820 php openssl csr parser ignores SANs
Submitted: 2011-09-30 15:45 UTC Modified: 2021-12-18 21:19 UTC
Votes:5
Avg. Score:4.4 ± 0.8
Reproduced:4 of 4 (100.0%)
Same Version:2 (50.0%)
Same OS:1 (25.0%)
From: zedwoodnoreply at gmail dot com Assigned:
Status: Analyzed Package: OpenSSL related
PHP Version: 5.3.8 OS: Ubuntu Linux 10.04
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: zedwoodnoreply at gmail dot com
New email:
PHP Version: OS:

 

 [2011-09-30 15:45 UTC] zedwoodnoreply at gmail dot com 
Description:
------------
The SANs (Subject Alternative Names) field of a CSR is totally ignored by the CSR parser openssl_csr_get_subject();

Test script:
---------------
<?php
print_r(openssl_csr_get_subject('-----BEGIN CERTIFICATE REQUEST-----
MIIC8jCCAdoCAQAwWzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFV0YWgxDzANBgNV
BAcTBkxpbmRvbjESMBAGA1UEChMJWiBXaWRnZXRzMRgwFgYDVQQDEw93d3cuZXhh
bXBsZS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDUXRBdEikS
M+tUevGctlIil04GNPkB9sff0BhTwn1ckXrMS4IBzO43M6eFR6Bfxr1tAi8WcdPs
QoxiF6FBz/A3O3zcJzkLd8WZcFxZx+qIKoi1HY052YKcq1KjhmnUMDfAgPV92Sp1
pHkdvuAjRavYdBir+7DU00X/OLXWFnGaHdyZpSEP2RKVxHC6QLSPpuZH3UtaJdLh
+OgoEyCEeqJcsQDDiJ3gOxrOiZLwYoC9tleX8Ih5F2MDwR2TPfy7f3QtrIG6KD2x
Sz4ce1JviZVTZvpDHETnNbipf0VkrUapMgSr27s5veGA4IlNMvJyLmWn9TY7rdSG
YkT8oRAGuuJ/AgMBAAGgUjBQBgkqhkiG9w0BCQ4xQzBBMD8GA1UdEQQ4MDaCEHRl
c3QuZXhhbXBsZS5jb22CEW90aGVyLmV4YW1wbGUuY29tgg93d3cuZXhhbXBsZS5u
ZXQwDQYJKoZIhvcNAQEFBQADggEBAM6cf7LD8KtnJPaC3YYhNMiGSedQ6l9tm2li
e7N/HX19SdYmNPG7EWIbL/3Gkib9OsVl2kVlXOaWJNvePVq7AfEhVnC2ytwNbWB9
spa2VCz2rdMfeIyMEWaj20DuxaTbdjABuX6XEJb5Pvp9l6XH0pmkFgn9TjZqE6HO
nBSjoCsrxcCptDz4usPWaxqjpJuiV4+Iq5sHBWBWWDfL53i/o6Uf2YGERnrhOONp
QNU9sHr3jPasDBTZUOJZx4W15MeP9jluyhqWHnXrtPUwcYKPS1Kt3InB26sDQ7Bz
v/kDaAV03I6GKff8W6+UogfFmgCus5pSwp8aiqCADtomP503Hd8=
-----END CERTIFICATE REQUEST-----'));

Expected result:
----------------
Array
(
    [C] => US
    [ST] => Utah
    [L] => Lindon
    [O] => Z Widgets
    [CN] => www.example.edu
    [SANS] => DNS:test.example.com, DNS:other.example.com, DNS:www.example.net
)


Actual result:
--------------
Array
(
    [C] => US
    [ST] => Utah
    [L] => Lindon
    [O] => Z Widgets
    [CN] => www.example.edu
)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-09-30 15:46 UTC] zedwoodnoreply at gmail dot com 
openssl req -in sans.csr -noout -text
#output is
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Utah, L=Lindon, O=Z Widgets, CN=www.example.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:d4:5d:10:5d:12:29:12:33:eb:54:7a:f1:9c:b6:
                    52:22:97:4e:06:34:f9:01:f6:c7:df:d0:18:53:c2:
                    7d:5c:91:7a:cc:4b:82:01:cc:ee:37:33:a7:85:47:
                    a0:5f:c6:bd:6d:02:2f:16:71:d3:ec:42:8c:62:17:
                    a1:41:cf:f0:37:3b:7c:dc:27:39:0b:77:c5:99:70:
                    5c:59:c7:ea:88:2a:88:b5:1d:8d:39:d9:82:9c:ab:
                    52:a3:86:69:d4:30:37:c0:80:f5:7d:d9:2a:75:a4:
                    79:1d:be:e0:23:45:ab:d8:74:18:ab:fb:b0:d4:d3:
                    45:ff:38:b5:d6:16:71:9a:1d:dc:99:a5:21:0f:d9:
                    12:95:c4:70:ba:40:b4:8f:a6:e6:47:dd:4b:5a:25:
                    d2:e1:f8:e8:28:13:20:84:7a:a2:5c:b1:00:c3:88:
                    9d:e0:3b:1a:ce:89:92:f0:62:80:bd:b6:57:97:f0:
                    88:79:17:63:03:c1:1d:93:3d:fc:bb:7f:74:2d:ac:
                    81:ba:28:3d:b1:4b:3e:1c:7b:52:6f:89:95:53:66:
                    fa:43:1c:44:e7:35:b8:a9:7f:45:64:ad:46:a9:32:
                    04:ab:db:bb:39:bd:e1:80:e0:89:4d:32:f2:72:2e:
                    65:a7:f5:36:3b:ad:d4:86:62:44:fc:a1:10:06:ba:
                    e2:7f
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:test.example.com, DNS:other.example.com, DNS:www.example.net
    Signature Algorithm: sha1WithRSAEncryption
        ce:9c:7f:b2:c3:f0:ab:67:24:f6:82:dd:86:21:34:c8:86:49:
        e7:50:ea:5f:6d:9b:69:62:7b:b3:7f:1d:7d:7d:49:d6:26:34:
        f1:bb:11:62:1b:2f:fd:c6:92:26:fd:3a:c5:65:da:45:65:5c:
        e6:96:24:db:de:3d:5a:bb:01:f1:21:56:70:b6:ca:dc:0d:6d:
        60:7d:b2:96:b6:54:2c:f6:ad:d3:1f:78:8c:8c:11:66:a3:db:
        40:ee:c5:a4:db:76:30:01:b9:7e:97:10:96:f9:3e:fa:7d:97:
        a5:c7:d2:99:a4:16:09:fd:4e:36:6a:13:a1:ce:9c:14:a3:a0:
        2b:2b:c5:c0:a9:b4:3c:f8:ba:c3:d6:6b:1a:a3:a4:9b:a2:57:
        8f:88:ab:9b:07:05:60:56:58:37:cb:e7:78:bf:a3:a5:1f:d9:
        81:84:46:7a:e1:38:e3:69:40:d5:3d:b0:7a:f7:8c:f6:ac:0c:
        14:d9:50:e2:59:c7:85:b5:e4:c7:8f:f6:39:6e:ca:1a:96:1e:
        75:eb:b4:f5:30:71:82:8f:4b:52:ad:dc:89:c1:db:ab:03:43:
        b0:73:bf:f9:03:68:05:74:dc:8e:86:29:f7:fc:5b:af:94:a2:
        07:c5:9a:00:ae:b3:9a:52:c2:9f:1a:8a:a0:80:0e:da:26:3f:
        9d:37:1d:df
 [2011-09-30 15:57 UTC] pajoye@php.net
-Status: Open +Status: Analyzed
 [2011-09-30 15:57 UTC] pajoye@php.net 
hi,

NID_subject_alt_name is not part of the subject name, as returned by the 
X509_REQ_get_subject_name.

As you can see in your openssl command output, we do return the correct value:
Subject: C=US, ST=Utah, L=Lindon, O=Z Widgets, CN=www.example.edu

However I can see a need to fetch extensions (v3 or v2) and we may need to 
expose X509_get_ext_d2i (or equivalent.
 [2011-09-30 20:21 UTC] zedwoodnoreply at gmail dot com 
Currently, openssl_x509_parse returns the x509v3 extensions, so it would be nice if there was some way to have an openssl_csr_parse that returns both the subject and the extensions and potentially other fields/extensions in the future.  Right now the only thing we can extract from a CSR with php is the public key and subject.  Thanks.
 [2021-09-29 15:43 UTC] cmb@php.net 
> However I can see a need to fetch extensions (v3 or v2) and we
> may need to expose X509_get_ext_d2i (or equivalent.

Changing to feature request.
 [2021-12-18 21:19 UTC] bukka@php.net
-Type: Bug +Type: Feature/Change Request
 [2024-04-22 06:05 UTC] szasz dot attila at microsec dot hu 
Still waiting for this feature?
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sun Oct 27 16:01:27 2024 UTC