Bug #66122 Certification cannot be used directly after openssl_csr_sign
Submitted: 2013-11-20 04:40 UTC Modified: 2023-11-23 13:02 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: phpbugs at lavoie dot sl Assigned: bukka (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.5.6 OS: Linux/Mac
Private report: No CVE-ID: None
 [2013-11-20 04:40 UTC] phpbugs at lavoie dot sl
Description:
------------
When generating a CRT using KEY/CSR, the certificate resource is not "ready". To use it, you have to export and import it back.

The test was done using a CA or a self-signed certificate.


Tested on 3 systems:
  OSX 10.9
    PHP 5.5.6 (brew)
    OpenSSL 1.0.1e

  Ubuntu
    PHP 5.4.21-1+debphp.org~quantal+1
    OpenSSL 1.0.1c

    PHP 5.3.10-1ubuntu3.6
    OpenSSL 1.0.1 (Native)


If nobody can reproduce this, I can post the rest of the system configurations.

Test script:
---------------
<?php
$key = openssl_pkey_new();
$csr = openssl_csr_new(array(), $key);
// Self-signed: no CA certificate, so the CSR is signed with its own key.
$crt = openssl_csr_sign($csr, null, $key, 365 * 100);

// openssl_pkcs7_encrypt/decrypt operate on files, not strings.
$plain1 = tempnam(sys_get_temp_dir(), 'plain');
$enc    = tempnam(sys_get_temp_dir(), 'enc');
$plain2 = tempnam(sys_get_temp_dir(), 'dec');
file_put_contents($plain1, 'hello');

openssl_pkcs7_encrypt($plain1, $enc, $crt, array('foo' => 'bar'));
openssl_pkcs7_decrypt($enc, $plain2, $crt, $key); // error, empty
var_dump(file_get_contents($plain2));
?>


Full example:
https://gist.github.com/lavoiesl/7557763/raw/openssl-test.php

Expected result:
----------------
string(0) "hello"
string(5) "hello"
string(0) "hello"
array(0) {
}

Actual result:
--------------
error:21070073:PKCS7 routines:PKCS7_dataDecode:no recipient matches certificatestring(0) ""
string(5) "hello"
error:21070073:PKCS7 routines:PKCS7_dataDecode:no recipient matches certificatestring(0) ""
array(0) {
}

History

 [2023-11-23 13:02 UTC] bukka@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: bukka
 [2023-11-23 13:02 UTC] bukka@php.net
Apologies for the very late response. I have done a bit of testing and checking, and this actually seems like an old issue in OpenSSL 1.0.2 and below. I was able to recreate it only with 1.0.2 but didn't test older versions as we don't support them anymore. OpenSSL probably incorrectly set the issuer or serial on the cert, because pkcs7 decrypt cannot find a matching cert. I don't want to spend too much time digging to identify exactly what OpenSSL issue it was, as it is fixed in 1.1.1+ (including 3.0+ ofc). So there's not much point in spending too much time on this. I just quickly checked if there's some potential fix in the extension code for 1.0.2 but don't think this can be easily done. So I will just close this as an OpenSSL issue that got fixed.
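The export/re-import workaround from the report, together with a check of the issuer and serial fields bukka suspected, as an added example that is neither the reporter's gist nor php-src code. It assumes PHP 7.x/8.x with the openssl extension; the subject name and temp-file names are constructed for the example.

```php
<?php
// Added example: compare a certificate resource returned directly by
// openssl_csr_sign() with the same certificate after a PEM export/re-import,
// and run a PKCS#7 encrypt/decrypt round trip against each.

function pkcs7_roundtrip($crt, $key, $message) {
    // PKCS#7 helpers in ext/openssl work on files, so stage the data on disk.
    $plain = tempnam(sys_get_temp_dir(), 'p7_plain');
    $enc   = tempnam(sys_get_temp_dir(), 'p7_enc');
    $dec   = tempnam(sys_get_temp_dir(), 'p7_dec');
    file_put_contents($plain, $message);
    // AES-128-CBC is passed explicitly; the RC2-40 default is absent on
    // OpenSSL 3 builds without the legacy provider.
    $ok = openssl_pkcs7_encrypt($plain, $enc, $crt, array(), 0, OPENSSL_CIPHER_AES_128_CBC)
       && openssl_pkcs7_decrypt($enc, $dec, $crt, $key);
    $out = $ok ? file_get_contents($dec) : '';
    foreach (array($plain, $enc, $dec) as $f) { @unlink($f); }
    // Drain the OpenSSL error queue so the reason for a failure is visible.
    while (($e = openssl_error_string()) !== false) { fwrite(STDERR, "$e\n"); }
    return $out === $message;
}

$key = openssl_pkey_new(array('private_key_bits' => 2048));
$dn  = array('commonName' => 'bug66122.example');   // constructed subject
$csr = openssl_csr_new($dn, $key);
$direct = openssl_csr_sign($csr, null, $key, 365);  // self-signed, as in the report

// Workaround from the report: export to PEM, then parse it back.
openssl_x509_export($direct, $pem);
$reloaded = openssl_x509_read($pem);

// Recipient matching in PKCS7_dataDecode is by issuer and serial, so dump
// both for each resource; a mismatch here explains a failed decrypt.
foreach (array('direct' => $direct, 'reloaded' => $reloaded) as $label => $c) {
    $info = openssl_x509_parse($c);
    printf("%-8s serial=%s issuer=%s\n", $label,
           $info['serialNumber'], json_encode($info['issuer']));
}

// The direct resource is the case the report shows failing on OpenSSL 1.0.x;
// the reloaded one is the workaround the reporter describes.
var_dump(pkcs7_roundtrip($direct,   $key, 'hello'));
var_dump(pkcs7_roundtrip($reloaded, $key, 'hello'));
```

On OpenSSL 1.1.1+ both round trips are expected to succeed, which is consistent with the bug being closed as fixed upstream.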
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu May 30 17:01:32 2024 UTC