Bug #62122 openssl_pkcs7_verify with PKCS7_BINARY flag does not work (patch included)
Submitted: 2012-05-23 13:06 UTC Modified: 2017-04-28 15:29 UTC
Votes:4
Avg. Score:4.8 ± 0.4
Reproduced:4 of 4 (100.0%)
Same Version:3 (75.0%)
Same OS:4 (100.0%)
From: f-roth at megaera dot de Assigned: bukka (profile)
Status: Not a bug Package: OpenSSL related
PHP Version: master-Git-2012-05-23 (Git) OS: Linux
Private report: No CVE-ID: None
 [2012-05-23 13:06 UTC] f-roth at megaera dot de
Description:
------------
I found the function openssl_pkcs7_verify not working correctly with the PKCS7_BINARY flag and an ASN1 encoded input file.

I traced the error message returned by openssl_error_string() and found the error hidden in ext/openssl/openssl.c.

When using libopenssl and ASN1 input you have to use the d2i_PKCS7_bio function instead of SMIME_read_PKCS7 because of a known bug in the latter one ("The parser assumes that the PKCS7 structure is always base64 encoded and will not handle the case where it is in binary format or uses quoted printable format." [from man 3 SMIME_read_PKCS7]).

I changed the code in ext/openssl/openssl.c similar to the one from openssl-1.0.0/apps/smime.c (the openssl command line tool).

I tested my patch successfully on 



Test script:
---------------
echo(openssl_pkcs7_verify("input", PKCS7_BINARY|PKCS7_NOVERIFY));
echo(openssl_error_string());

with ASN1 encoded "input" file.

Expected result:
----------------
output of: "1" and no error message

(this expected result actually occurs with my patch applied)

Actual result:
--------------
output of "-1error:0D0D40D1:asn1 encoding routines:SMIME_read_ASN1:no content type"

Patches

openssl_pkcs7_verify.patch (last revision 2012-05-23 13:06 UTC by f-roth at megaera dot de)

 [2012-05-23 13:09 UTC] f-roth at megaera dot de
I'm sorry, I did not finish the "I tested the patch on..." line.

It should have been:
"I tested the patch on CentOS release 6.2 (Final)"
 [2016-12-14 11:58 UTC] tony2001@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: bukka
 [2016-12-14 11:58 UTC] tony2001@php.net
Jakub, could you take a look at this?
The patch indeed fixes the problem, I can confirm it.
 [2016-12-14 19:02 UTC] bukka@php.net
Well this doesn't seem correct. The purpose of PKCS7_BINARY is more just for Windows to work with binary files. It means still using PEM but the file is a win binary (I'm not really a win user so not sure if it's useful but there might be some use cases if it's there). The option has no effect on Linux as there are no binary files. We can't just change this and accept DER as it would be a BC break of course.

So the better solution would be to introduce a new flag that would specify that the format is DER. It could also be useful for other PKCS7 functions. Surely this is more of a feature request...
 [2017-04-28 15:29 UTC] bukka@php.net
-Status: Assigned +Status: Not a bug
 [2017-04-28 15:29 UTC] bukka@php.net
I'm going to close this one as it is not a bug for the reason explained above. If you would like DER support, please open a feature request and if you write a patch, please open a PR.
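
A workaround that follows from the thread above, as an added example that is not part of the original report or of PHP's own code: wrap the DER bytes in the base64 S/MIME envelope that SMIME_read_PKCS7 parses, then call openssl_pkcs7_verify unchanged. The helper names and file paths are hypothetical, and passing null as the third argument assumes PHP 8.

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// der_to_smime() and verify_der_pkcs7() are hypothetical helper names.

/** Wrap a DER-encoded PKCS#7 blob in the S/MIME envelope SMIME_read_PKCS7 expects. */
function der_to_smime(string $der): string
{
    // A DER/BER SignedData structure always begins with a SEQUENCE tag (0x30).
    if ($der === '' || $der[0] !== "\x30") {
        throw new InvalidArgumentException('input does not look like DER-encoded PKCS#7');
    }
    return "MIME-Version: 1.0\n"
        . "Content-Disposition: attachment; filename=\"smime.p7m\"\n"
        . "Content-Type: application/x-pkcs7-mime; smime-type=signed-data; name=\"smime.p7m\"\n"
        . "Content-Transfer-Encoding: base64\n"
        . "\n"
        . chunk_split(base64_encode($der), 64, "\n");
}

/** Verify a DER PKCS#7 file against the trusted CA bundle in $caFile (PEM). */
function verify_der_pkcs7(string $derFile, string $caFile): bool
{
    $der = file_get_contents($derFile);
    if ($der === false) {
        throw new RuntimeException("cannot read $derFile");
    }
    $tmp = tempnam(sys_get_temp_dir(), 'p7m');
    try {
        file_put_contents($tmp, der_to_smime($der));
        // Flags are 0: PKCS7_BINARY would not help here, and PKCS7_NOVERIFY is
        // left out so the signer's certificate chain is checked against $caFile.
        // The null third argument (no signer-certificate output file) assumes PHP 8.
        $rc = openssl_pkcs7_verify($tmp, 0, null, [$caFile]);
    } finally {
        unlink($tmp);
    }
    if ($rc === -1) {
        throw new RuntimeException('PKCS#7 parse error: ' . openssl_error_string());
    }
    return $rc === true;
}

// CLI usage (file names are placeholders): php verify_der.php signed.der ca-bundle.pem
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    echo verify_der_pkcs7($argv[1], $argv[2]) ? "verified\n" : "NOT verified\n";
}
```

The test script in the report passes PKCS7_NOVERIFY, which skips validation of the signer's certificate; that is fine for reproducing the parse error, but a real verification path should supply trusted CAs as shown here.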
 
Last updated: Thu Mar 28 13:01:28 2024 UTC