php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #66122 Certification cannot be used directly after openssl_csr_sign
Submitted: 2013-11-20 04:40 UTC Modified: 2023-11-23 13:02 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: phpbugs at lavoie dot sl Assigned: bukka (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.5.6 OS: Linux/Mac
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: phpbugs at lavoie dot sl
New email:
PHP Version: OS:

 

 [2013-11-20 04:40 UTC] phpbugs at lavoie dot sl
Description:
------------
When generating a CRT using KEY/CSR, the certificate resource is not "ready". To use it, you have to export and import it back.

The test was done using a CA or a selfsigned.


Tested on 3 systems:
  OSX 10.9
    PHP 5.5.6 (brew)
    OpenSSL 1.0.1e

  Ubuntu
    PHP 5.4.21-1+debphp.org~quantal+1
    OpenSSL 1.0.1c

    PHP 5.3.10-1ubuntu3.6
    OpenSSL 1.0.1 (Native)


If nobody can reproduce this, I can post the rest of the system configurations

Test script:
---------------
<?php
$key = openssl_pkey_new();
$csr = openssl_csr_new(array(), $key);
$crt = openssl_csr_sign($csr, null, $key, 365 * 100);

openssl_pkcs7_encrypt($plain1, $enc, $crt, array('foo' => 'bar'));
openssl_pkcs7_decrypt($enc, $plain2, $crt, $key); // error, empty
?>


Full example:
https://gist.github.com/lavoiesl/7557763/raw/openssl-test.php

Expected result:
----------------
string(0) "hello"
string(5) "hello"
string(0) "hello"
array(0) {
}

Actual result:
--------------
error:21070073:PKCS7 routines:PKCS7_dataDecode:no recipient matches certificatestring(0) ""
string(5) "hello"
error:21070073:PKCS7 routines:PKCS7_dataDecode:no recipient matches certificatestring(0) ""
array(0) {
}

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2023-11-23 13:02 UTC] bukka@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: bukka
 [2023-11-23 13:02 UTC] bukka@php.net
Apology for very late response. I have done a bit of testing and checking and this actually seems like an old issue in OpenSSL 1.0.2 and below. I was able to recreate only with 1.0.2 but didn't test older versions as we don't support them anymore. OpenSSL probably incorrectly set issuer or serial on cert because pkcs7 decrypt cannot find matching cert. I don't want to spend too much time digging to exactly identify what OpenSSL issue it was as it is fixed in 1.1.1+ (including 3.0+ ofc). So there's not much point to spend too much time on this. I just quickly checked if there's some potential fix in the extension code for 1.0.2 but don't think this can be easily done. So will just close this as OpenSSL issue that got fixed.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Mar 03 04:01:28 2024 UTC