Bug #64802 openssl_x509_parse fails to parse subject properly in some cases
Submitted: 2013-05-09 16:49 UTC
Modified: 2013-10-28 16:37 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: mark at zedwood dot com
Assigned:
Status: Assigned
Package: OpenSSL related
PHP Version: 5.4.15
OS: Ubuntu Linux
Private report: No
CVE-ID:

 [2013-05-09 16:49 UTC] mark at zedwood dot com
Description:
------------
When the subject of the certificate has multiple CN (common name) values in the subject, openssl_x509_parse seems to work, but in this case it fails to parse the rest of the subject as well as additional CN values.

Here is the subject of the cert triggering the failure
cat cert.pem |openssl x509 -noout -text |grep Subject:
Subject: CN=www.rd.io, CN=rdio.com, CN=rd.io, CN=api.rdio.com, CN=api.rd.io/serialNumber=4586007/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization, C=US/postalCode=94103, ST=CA, L=San Francisco/street=1550 Bryant st, O=Rdio, Inc., OU=COMODO EV Multi-Domain SSL, CN=www.rdio.com

The cert.pem I used can be found in the embedded php script: http://pastebin.com/dppuUWVq

Test script:
---------------
http://pastebin.com/dppuUWVq

Expected result:
----------------
Array
(
    [CN] => Array(
        [0] => www.rdio.com
        [1] => api.rd.io
        [2] => api.rdio.com
        [3] => rd.io
        [4] => rdio.com
        [5] => www.rd.io
    )
    [OU] => COMODO EV Multi-Domain SSL
    [O] => Rdio, Inc
    [street] => 1550 Bryant st
    [L] => San Francisco
    [ST] => CA
    [postalCode] => 94103
    [C] => US
    [businessCategory] => Private Organization
    [1.3.6.1.4.1.311.60.2.1.2] => Delaware
    [1.3.6.1.4.1.311.60.2.1.3] => US
    [serialNumber] => 4586007
)

Actual result:
--------------
Array
(
    [CN] => Array
        (
            [0] => www.rd.io
            [1] => rdio.com
            [2] => rd.io
            [3] => api.rdio.com
            [4] => api.rd.io
            [5] => www.rdio.com
        )
)
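
A cross-check for the failure described in this report, as an added example that is not part of the original report or of PHP itself: it parses the Subject line as printed by the openssl CLI into the string-or-array shape the report expects and lists the attribute types missing from a parsed result. The function names are hypothetical, $actual is a constructed copy of the report's actual result, and the code assumes PHP 7.1+ and that no attribute value itself contains a separator followed by "name=".

```php
<?php
// Added example, not part of the bug report. Helper names are hypothetical.

/**
 * Parse the "Subject:" line printed by `openssl x509 -noout -text` (RDNs
 * separated by ", " or "/") into the shape the report expects: a string for
 * a single value, a list when the attribute type repeats.
 * Assumption: no value contains ", name=" or "/name=" itself.
 */
function parse_subject_line(string $line): array
{
    $line = preg_replace('/^\s*Subject:\s*/', '', trim($line));
    // Split only where a separator is followed by "type=" (short name or dotted OID),
    // so the comma inside "Rdio, Inc." does not start a new attribute.
    $rdns = preg_split('~(?:, |/)(?=[A-Za-z][A-Za-z0-9]*=|\d+(?:\.\d+)+=)~', $line);
    $subject = [];
    foreach ($rdns as $rdn) {
        [$type, $value] = explode('=', $rdn, 2);
        if (!array_key_exists($type, $subject)) {
            $subject[$type] = $value;                     // first occurrence: scalar
        } elseif (is_array($subject[$type])) {
            $subject[$type][] = $value;                   // third and later occurrences
        } else {
            $subject[$type] = [$subject[$type], $value];  // second occurrence: promote to list
        }
    }
    return $subject;
}

/** Attribute types present in the reference subject but absent from $parsed. */
function missing_attributes(array $reference, array $parsed): array
{
    return array_values(array_diff(array_keys($reference), array_keys($parsed)));
}

// Subject line copied from the report.
$line = 'Subject: CN=www.rd.io, CN=rdio.com, CN=rd.io, CN=api.rdio.com, CN=api.rd.io/serialNumber=4586007/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization, C=US/postalCode=94103, ST=CA, L=San Francisco/street=1550 Bryant st, O=Rdio, Inc., OU=COMODO EV Multi-Domain SSL, CN=www.rdio.com';
$reference = parse_subject_line($line);

// Constructed stand-in for the report's "Actual result"; on a real system use
// openssl_x509_parse(file_get_contents('cert.pem'))['subject'] instead.
$actual = ['CN' => ['www.rd.io', 'rdio.com', 'rd.io', 'api.rdio.com', 'api.rd.io', 'www.rdio.com']];

print_r($reference);                               // CN is a list, every other type a string
print_r(missing_attributes($reference, $actual));  // the types the parsed result lacks
```

An empty list from missing_attributes() means the parsed subject carries every attribute type the CLI output shows; the comparison is by attribute type only and ignores value order.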


Patches

openssl_x509_parse_bug_fix (last revision 2013-08-09 16:25 UTC by mark at zedwood dot com)
openssl_parse_patch (last revision 2013-08-06 23:16 UTC by mark at zedwood dot com)

History

 [2013-05-15 15:45 UTC] zelnaga at gmail dot com
As a workaround until PHP fixes this issue you can use phpseclib, a pure PHP
X.509 implementation, e.g.:

<?php
include('File/X509.php');

$x509 = new File_X509();
$cert = $x509->loadX509('...'); // see google.crt

print_r($cert);
print_r($x509->getSubjectDN());
?>

getSubjectDN takes an optional $format parameter that can be one of the 
following:

FILE_X509_DN_ARRAY (this is the default value)
FILE_X509_DN_STRING
FILE_X509_DN_ASN1
FILE_X509_DN_OPENSSL
FILE_X509_DN_CANON
FILE_X509_DN_HASH
 [2013-08-09 16:26 UTC] mark at zedwood dot com
There was a bug in the last patch I submitted. I replaced it with a new patch; everything should be good now. It was a patch to PHP 5.5.1.
 [2013-10-28 16:37 UTC] mark at zedwood dot com
-Status: Open +Status: Assigned
 [2013-10-28 16:37 UTC] mark at zedwood dot com
Closing: the bugfix/patch was accepted into PHP 5.5.4 and PHP 5.4.20,
both released on 19-Sep-2013.
See: http://php.net/ChangeLog-5.php
 
Last updated: Sat Apr 19 22:02:16 2014 UTC