Request #60388 openssl_x509_parse extra flag for raw extensions subjectAltName parsing
Submitted: 2011-11-25 15:05 UTC Modified: 2024-12-16 16:38 UTC
Votes:14
Avg. Score:4.4 ± 1.2
Reproduced:8 of 9 (88.9%)
Same Version:5 (62.5%)
Same OS:7 (87.5%)
From: daniel at blacklotus dot no Assigned: bukka (profile)
Status: Assigned Package: OpenSSL related
PHP Version: 5.3.8 OS:
Private report: No CVE-ID: None
 [2011-11-25 15:05 UTC] daniel at blacklotus dot no
Description:
------------
[code]
$x509 = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
$subjectAltName = $x509['extensions']['subjectAltName'];
[/code]

When parsing an x509 certificate where ['extensions']['subjectAltName'] contains a
newline or space, as shown below:

othername:
 Princpal name=test@test.com

the value, in this case "Princpal name=test@test.com", will not be shown.
$subjectAltName as shown in the code will display "othername:", and only that.

Test script:
---------------
$x509 = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
$subjectAltName = $x509['extensions']['subjectAltName'];

Expected result:
----------------
echo $subjectAltName;
// Should print "othername: Princpal name=test@test.com"

 [2013-04-23 14:14 UTC] jingruhuang at yahoo dot com
Since there is no fix, I was tasked to get this to work. Here is the
workaround I created; the code has been in production for a year, and I
found it works well. Also, Microsoft utilizes the subjectAltName as the
UserPrincipalName value to integrate smart card authentication with Active
Directory, so getting this to work is very important for web applications.

1) Create a directory USERCERT under your PHP script folder and allow this folder
to receive files uploaded via the web browser.
2) Copy and paste the following code into the PHP script that reads the
certificate information:
[code]
$yourcn = $_SERVER['SSL_CLIENT_S_DN_CN'];
// The CN comes from the client certificate, so it is untrusted text: keep only
// characters that are safe in a file name before it reaches the filesystem or a shell.
$yourcn = preg_replace('/[^A-Za-z0-9.@_-]/', '', str_replace('(Affiliate)', '', str_replace(' ', '.', $yourcn)));
$filename = $yourcn . rand() . ".cer";
$file1 = $_SERVER['SSL_CLIENT_CERT'];
file_put_contents('USERCERT/' . $filename, $file1);
// Find the DER offset of the Subject Alternative Name extension in the asn1parse dump.
$cmd1 = "openssl asn1parse -in " . escapeshellarg('USERCERT/' . $filename)
      . " | grep -A 1 'Subject Alternative Name' | cut -f1 -d':' | tail -1";
$output1 = trim(shell_exec($cmd1));
// Hand the offset and file name to testname.sh (step 3) as quoted shell arguments.
$output3 = shell_exec("sh testname.sh " . escapeshellarg($output1) . " " . escapeshellarg($filename));
[/code]

So the result in $output3 will be the subjectAltName. This value is the
UserPrincipalName in Active Directory.

----
3) Create a shell script named testname.sh and place it in the same directory as
your PHP script from step 2. Please give testname.sh 644 permission
in Linux. Here is the content of testname.sh:
[code]
# $1 = offset of the SAN extension from step 2, $2 = certificate file name under USERCERT/
openssl asn1parse -strparse "$1" -in "USERCERT/$2" | grep -A 2 "Microsoft Universal Principal Name" | cut -f4 -d":" | tail -1
[/code]


--------
Hope this works for you.
 [2024-12-16 16:36 UTC] bukka@php.net
-Assigned To: +Assigned To: bukka
 [2024-12-16 16:36 UTC] bukka@php.net
Apologies for the very late reply.

I have been looking into and debugging this: we are using the GENERAL_NAME API for printing the SAN, which has a specific format that some users likely depend on. It doesn't support printing a non-standard name like this one. We could, however, introduce a flag that would print the extension the way X509V3_extensions_print does (specifically by calling X509V3_EXT_print).

This is of course a feature, not a bug.

For the record my test setup with cert can be seen here: https://github.com/bukka/php-manual-tests/tree/affdd1e71f52261715116ea95e5fa52858a935ec/openssl/san_new_line
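What the asn1parse workaround above digs out by hand, and what a raw-extension flag would have to expose, is the otherName entry inside the SAN's GeneralNames SEQUENCE. The following standalone Python example (added here, not code from the bug thread or from PHP's openssl extension) walks that DER structure and returns the Microsoft UPN (OID 1.3.6.1.4.1.311.20.2.3) that openssl_x509_parse() currently drops after the "othername:" label; the sample SAN bytes are constructed in the block, not taken from a real certificate.

```python
UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3, Microsoft UPN

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def parse_san(der):
    """Return [(kind, value), ...] for each GeneralName in a SubjectAltName SEQUENCE."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x81:                     # [1] rfc822Name (IA5String)
            names.append(("email", val.decode("ascii")))
        elif tag == 0x82:                   # [2] dNSName (IA5String)
            names.append(("dns", val.decode("ascii")))
        elif tag == 0xA0:                   # [0] otherName: OID, then [0] EXPLICIT value
            oid_tag, oid, p = read_tlv(val, 0)
            _, wrapped, _ = read_tlv(val, p)    # the [0] EXPLICIT wrapper
            _, text, _ = read_tlv(wrapped, 0)   # the value itself (UTF8String for a UPN)
            if oid_tag == 0x06 and oid == UPN_OID:
                names.append(("upn", text.decode("utf-8")))
            else:                           # unknown otherName: keep OID and value as hex
                names.append(("othername", oid.hex() + ":" + text.hex()))
        else:                               # iPAddress, URI, ...: keep the raw bytes
            names.append(("other", val.hex()))
    return names

def upn_from_san(der):
    """The UPN string, or None when the SAN carries no Microsoft UPN otherName."""
    return next((v for k, v in parse_san(der) if k == "upn"), None)

def tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form DER length only (< 128 bytes)

# Constructed sample SAN (not from any real certificate): UPN otherName + email + DNS name
SAMPLE_SAN = tlv(0x30,
    tlv(0xA0, tlv(0x06, UPN_OID) + tlv(0xA0, tlv(0x0C, b"test@test.com")))
    + tlv(0x81, b"test@test.com")
    + tlv(0x82, b"example.com"))
```

On a real certificate the DER of the extension is what `openssl asn1parse -strparse <offset>` prints in the workaround above; pass those bytes to `upn_from_san()`.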
 [2024-12-16 16:37 UTC] bukka@php.net
-Type: Bug +Type: Feature/Change Request
 [2024-12-16 16:38 UTC] bukka@php.net
-Summary: openssl_x509_parse extensions=>subjectAltName +Summary: openssl_x509_parse extra flag for raw extensions subjectAltName parsing