Bug #60388 openssl_x509_parse extensions=>subjectAltName
Submitted: 2011-11-25 15:05 UTC Modified: -
Avg. Score:4.4 ± 1.2
Reproduced:8 of 9 (88.9%)
Same Version:5 (62.5%)
Same OS:7 (87.5%)
From: daniel at blacklotus dot no Assigned:
Status: Open Package: OpenSSL related
PHP Version: 5.3.8 OS:
Private report: No CVE-ID: None


 [2011-11-25 15:05 UTC] daniel at blacklotus dot no
$x509 = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
$subjectAltName = $x509['extensions']['subjectAltName'];

When parsing an x509 certificate and ['extensions']['subjectAltName'] contains a 
newline or space as shown below:


The value in this case "Princpal" will not be shown.
$subjectAltName as shown in the code will display "othername:", and only that.

Test script:
$x509 = openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']);
$subjectAltName = $x509['extensions']['subjectAltName'];

Expected result:
echo $subjectAltName;
// Should print "othername: Princpal"


 [2013-04-23 14:14 UTC] jingruhuang at yahoo dot com
Since there is no fix, I was tasked to get this to work. Here is the 
workaround I created, and the code has been in production for a year. I 
found it works well. Also, Microsoft utilizes subjectAltName as the 
UserPrincipalName value to integrate smart card authentication with Active 
Directory. Getting this to work is very important for web applications.

1) Create a directory USERCERT under your PHP script folder. Allow this folder 
to upload files via the web browser.
2) Copy and paste the following code into your PHP script which is used to read 
the certificate information.
        $yourcn = $_SERVER['SSL_CLIENT_S_DN_CN'];
        $filename=str_replace('(Affiliate)', '', str_replace(' ', '.', 
        $file1 = $_SERVER['SSL_CLIENT_CERT'];
        file_put_contents('USERCERT/'.$filename, $file1);
        $cmd1 = "openssl asn1parse  -in USERCERT/$filename | grep -A 1 'Subject Alternative Name' | cut -f1 -d':' | tail -1";
        $output1 = shell_exec($cmd1);
        $output3 = shell_exec("sh '$output1' '$filename'");
   So, the result of $output3 will be the subjectAltName. This value is the 
UserPrincipalName in Active Directory.

3) Create a shell script, name and place under the same directory as 
your PHP script from step 2. Please make this with 644 permission 
in Linux. Here is the content of
    openssl asn1parse -strparse $1 -in USERCERT/$2 | grep -A 2 "Microsoft Universal Principal Name" | cut -f4 -d":" | tail -1

Hope this works for you.
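
The same lookup done in-process, as an added example that is not part of the bug report or either commenter's code: it walks the certificate's DER to the subjectAltName extension and returns any otherName carrying the Microsoft UPN OID, so nothing is written to a web-writable directory and no certificate-derived string reaches shell_exec. The function names, the `user@example.test` value and the hand-built certificate skeleton are constructed for illustration; PHP 7.4 or later is assumed.

```php
<?php
const OID_SAN = "\x55\x1d\x11";                             // 2.5.29.17 subjectAltName
const OID_UPN = "\x2b\x06\x01\x04\x01\x82\x37\x14\x02\x03"; // 1.3.6.1.4.1.311.20.2.3 (Microsoft UPN)
// Read one DER TLV at offset $p: [tag, content, next offset], or null if malformed.
function der_read(string $d, int $p): ?array {
    if ($p + 2 > strlen($d)) return null;
    $tag = ord($d[$p]); $len = ord($d[$p + 1]); $p += 2;
    if ($len & 0x80) {                       // long form: low 7 bits count the length bytes
        if (($n = $len & 0x7f) < 1 || $n > 3 || $p + $n > strlen($d)) return null;
        $len = hexdec(bin2hex(substr($d, $p, $n))); $p += $n;
    }
    return $p + $len <= strlen($d) ? [$tag, substr($d, $p, $len), $p + $len] : null;
}
// Split a constructed element's content into child TLVs; [] on any parse error.
function der_children(string $c): array {
    for ($out = [], $p = 0; $p < strlen($c); $p = $tlv[2]) {
        if (($tlv = der_read($c, $p)) === null) return [];
        $out[] = $tlv;
    }
    return $out;
}
// Certificate -> tbsCertificate -> [3] extensions -> SAN -> otherName(UPN) -> UTF8String.
function cert_upns(string $pem): array {
    $der = base64_decode(preg_replace('/-----[A-Z ]+-----|\s+/', '', $pem), true);
    $tbs = der_children(der_read((string) $der, 0)[1] ?? '')[0] ?? [0, ''];
    $upns = [];
    foreach (der_children($tbs[1]) as $field) {
        if ($field[0] !== 0xA3) continue;                  // not the extensions field
        $exts = der_children($field[1])[0] ?? [0, ''];     // SEQUENCE OF Extension
        foreach (der_children($exts[1]) as $ext) {
            $kids = der_children($ext[1]);                 // extnID, [critical], extnValue
            if (count($kids) < 2 || $kids[0][1] !== OID_SAN) continue;
            $san = der_read(end($kids)[1], 0) ?? [0, ''];  // OCTET STRING wraps GeneralNames
            foreach (der_children($san[1]) as $name) {
                $on = $name[0] === 0xA0 ? der_children($name[1]) : [];   // otherName only
                if (count($on) !== 2 || $on[0][1] !== OID_UPN) continue;
                $str = der_read($on[1][1], 0);             // value inside [0] EXPLICIT
                if ($str && $str[0] === 0x0C && preg_match('//u', $str[1])) $upns[] = $str[1];
            }
        }
    }
    return $upns;
}
// Constructed skeleton (not a real certificate) holding one UPN otherName.
$t = fn(int $tag, string $c): string => chr($tag) . chr(strlen($c)) . $c;
$san = $t(0x30, $t(0xA0, $t(0x06, OID_UPN) . $t(0xA0, $t(0x0C, 'user@example.test'))));
$der = $t(0x30, $t(0x30, $t(0xA3, $t(0x30, $t(0x30, $t(0x06, OID_SAN) . $t(0x04, $san))))));
$pem = "-----BEGIN CERTIFICATE-----\n" . base64_encode($der) . "\n-----END CERTIFICATE-----\n";
print_r(cert_upns($pem));
```

In the setting above the input would be `$_SERVER['SSL_CLIENT_CERT']`; the code only reads the field and relies on the web server having already verified the client certificate chain.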
Last updated: Sat Mar 02 14:01:34 2024 UTC