Request #67403 Add signatureType to openssl_x509_parse
Submitted: 2014-06-09 17:46 UTC Modified: 2015-03-05 17:30 UTC
From: mark at zedwood dot com Assigned: rdlowrey
Status: Closed Package: OpenSSL related
PHP Version: 5.5.13 OS: Ubuntu 14.04
Private report: No CVE-ID:
 [2014-06-09 17:46 UTC] mark at zedwood dot com
Description:
------------
One of the main attributes of an x509 certificate that is not parsed or exposed in openssl_x509_parse is the signature type.  On a Linux command line, running "cat my.pem|openssl x509 -noout -text" does provide the signature type, but there should be a native way in PHP to parse this out of a certificate without having to fall back to the command line.

Reading the source code, it looks like someone else tried to add it, but left it commented out, see: ext/openssl/openssl.c around line 1540...
/*
	add_assoc_long(return_value, "signaturetypeLONG", X509_get_signature_type(cert));
	add_assoc_string(return_value, "signaturetype", OBJ_nid2sn(X509_get_signature_type(cert)), 1);
	add_assoc_string(return_value, "signaturetypeLN", OBJ_nid2ln(X509_get_signature_type(cert)), 1);
*/
It was commented out, because the code did not work.  Perhaps there is a way to provide this functionality.

Test script:
---------------
<?php
$cert=<<<EOF
-----BEGIN CERTIFICATE-----
MIIBBzCBrgIJANZXs2GIGRy3MAoGCCqGSM49BAMDMAwxCjAIBgNVBAMMAXgwHhcN
MTQwNjA5MTczMjQ1WhcNMjQwNjA2MTczMjQ1WjAMMQowCAYDVQQDDAF4MFkwEwYH
KoZIzj0CAQYIKoZIzj0DAQcDQgAEK8KP9tJ1bZxLGKqNP9JpOkaq9paKoMS4/0wm
6u62b0mArY7xmS5/Nlkyi/GK21QpjSk4vRwkN+tYPeAy/8Bd2TAKBggqhkjOPQQD
AwNIADBFAiAjVRQZKlKCBzJxJ7aw8qRrZUhBczX9psneshOhI7g4mQIhAPlTbP67
mq9Qf/YphH6gWZXX50TGC2OTOUXRm60Cajs3
-----END CERTIFICATE-----
EOF;
$r = openssl_x509_parse($cert);
echo $r['signatureType']."\n";


Expected result:
----------------
string(23) "sha256WithRSAEncryption"


Actual result:
--------------
NULL

 [2014-06-10 13:31 UTC] zelnaga at gmail dot com
FWIW you can get this info with phpseclib, a pure PHP X.509 decoder:

<?php
include('File/X509.php');

$x509 = new File_X509();
$cert = $x509->loadX509('-----BEGIN CERTIFICATE-----
MIIBBzCBrgIJANZXs2GIGRy3MAoGCCqGSM49BAMDMAwxCjAIBgNVBAMMAXgwHhcN
MTQwNjA5MTczMjQ1WhcNMjQwNjA2MTczMjQ1WjAMMQowCAYDVQQDDAF4MFkwEwYH
KoZIzj0CAQYIKoZIzj0DAQcDQgAEK8KP9tJ1bZxLGKqNP9JpOkaq9paKoMS4/0wm
6u62b0mArY7xmS5/Nlkyi/GK21QpjSk4vRwkN+tYPeAy/8Bd2TAKBggqhkjOPQQD
AwNIADBFAiAjVRQZKlKCBzJxJ7aw8qRrZUhBczX9psneshOhI7g4mQIhAPlTbP67
mq9Qf/YphH6gWZXX50TGC2OTOUXRm60Cajs3
-----END CERTIFICATE-----');

echo $cert['signatureAlgorithm']['algorithm'];
?>

That said, "sha256WithRSAEncryption" isn't your signature type. sha384ECDSA is. And the OID that corresponds to that signature type doesn't seem to be recognized by OpenSSL. At least not the version I'm using. When I try it with OpenSSL (or phpseclib) I just get the OID: 1.2.840.10045.4.3.3
 [2014-06-10 15:49 UTC] mark at zedwood dot com
The problem here isn't how to parse the signature in PHP... there are many ASN.1 decoders that allow this.  The issue is adding this functionality to php-openssl, as it probably should have been there already.
 [2015-03-04 21:23 UTC] rdlowrey@php.net
-Status: Open +Status: Analyzed -Assigned To: +Assigned To: rdlowrey
 [2015-03-05 17:27 UTC] rdlowrey@php.net
Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=94140afa69e334405688d3cb09a47c07aeaef825
Log: Fix bug #67403 (Add signatureType to openssl_x509_parse)
 [2015-03-05 17:27 UTC] rdlowrey@php.net
-Status: Analyzed +Status: Closed
 [2015-03-05 17:30 UTC] rdlowrey@php.net
5.5, 5.6 and master branches have been updated to add the following keys:

"signatureTypeSN" (short name)
"signatureTypeLN" (long name)
"signatureTypeNID" (nid)
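
A defender-side use of the three keys listed above, as an added example that is not part of this thread or of php-src: it classifies a certificate's signature algorithm and returns "unknown" when the keys are absent (a PHP build without this change) or OpenSSL does not recognise the OID. The helper names classifySignature() and auditPem() and the weak-digest list are assumptions; the PEM is the one from the report's test script, and the array passed in the second call is constructed.

```php
<?php
// Added example, not php-src code. classifySignature() and auditPem() are
// hypothetical helpers; only the signatureType* keys come from the report.
function classifySignature(array $parsed)
{
    // Keys missing: PHP build without this change. NID 0 is OpenSSL's
    // NID_undef, i.e. the OID was not recognised. Neither case may pass as "ok".
    if (!isset($parsed['signatureTypeLN'], $parsed['signatureTypeNID'])
        || $parsed['signatureTypeNID'] === 0) {
        return 'unknown';
    }
    // Most long names carry the digest ("sha1WithRSAEncryption",
    // "ecdsa-with-SHA384"). Names without one, such as RSASSA-PSS where the
    // digest sits in the algorithm parameters, also end up as "unknown".
    $digests = '/md2|md4|md5|sha1|sha224|sha256|sha384|sha512/i';
    if (!preg_match($digests, $parsed['signatureTypeLN'], $m)) {
        return 'unknown';
    }
    $weak = ['md2', 'md4', 'md5', 'sha1']; // assumed policy list
    return in_array(strtolower($m[0]), $weak, true) ? 'weak' : 'ok';
}

function auditPem($pem)
{
    $parsed = openssl_x509_parse($pem);
    return $parsed === false ? 'unparseable' : classifySignature($parsed);
}

// Certificate from the report's test script (ECDSA, OID 1.2.840.10045.4.3.3).
$reportCert = <<<'EOF'
-----BEGIN CERTIFICATE-----
MIIBBzCBrgIJANZXs2GIGRy3MAoGCCqGSM49BAMDMAwxCjAIBgNVBAMMAXgwHhcN
MTQwNjA5MTczMjQ1WhcNMjQwNjA2MTczMjQ1WjAMMQowCAYDVQQDDAF4MFkwEwYH
KoZIzj0CAQYIKoZIzj0DAQcDQgAEK8KP9tJ1bZxLGKqNP9JpOkaq9paKoMS4/0wm
6u62b0mArY7xmS5/Nlkyi/GK21QpjSk4vRwkN+tYPeAy/8Bd2TAKBggqhkjOPQQD
AwNIADBFAiAjVRQZKlKCBzJxJ7aw8qRrZUhBczX9psneshOhI7g4mQIhAPlTbP67
mq9Qf/YphH6gWZXX50TGC2OTOUXRm60Cajs3
-----END CERTIFICATE-----
EOF;
echo "report cert: ", auditPem($reportCert), "\n";

// Constructed array shaped like openssl_x509_parse() output for a SHA-1/RSA cert.
$sha1 = ['signatureTypeLN' => 'sha1WithRSAEncryption', 'signatureTypeNID' => 65];
echo "constructed SHA-1 cert: ", classifySignature($sha1), "\n";
// Constructed: output of a PHP build that lacks the signatureType* keys.
echo "keys missing: ", classifySignature([]), "\n";
```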
Last updated: Wed Aug 23 02:01:33 2017 UTC