Bug #75494 php_openssl_setup_verify overzealously adds default files / dirs to trust store
Submitted: 2017-11-07 07:08 UTC Modified: 2021-08-13 11:37 UTC
From: luke at lerlacher dot de Assigned: cmb (profile)
Status: Duplicate Package: OpenSSL related
PHP Version: 7.2.0RC5 OS:
Private report: No CVE-ID: None
 [2017-11-07 07:08 UTC] luke at lerlacher dot de
In interpreting $cainfo passed through the caller, php_openssl_setup_verify adds a default CA file to the store using

X509_LOOKUP_load_file(file_lookup, NULL, X509_FILETYPE_DEFAULT)

if no valid CA file was passed, and a default CA dir using

X509_LOOKUP_add_dir(dir_lookup, NULL, X509_FILETYPE_DEFAULT)

if no valid CA dir was passed.

This means that if the user passes a single file location in $cainfo, indicating that they want only this file checked, the default CA dir will nevertheless be added to the store.

Test script:

  <?php
  $ca = array(
      // a random CA certificate that the signed mail was *not* signed with is required here
      '/path/to/unrelated-ca.pem', // placeholder path
  );

  // a PKCS#7-signed email signed by a certificate in the default trust store is required
  $msg = 'signed_email.eml';

  // $ca is passed as $cainfo, so only that file should be trusted
  $verify = openssl_pkcs7_verify($msg, 0, $msg . '.cert', $ca);
  var_dump($verify);



Expected result:
The expected output is:


This indicates that the mail was not signed by any of the certificates passed in $cainfo.

Actual result:
The actual output is:



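As an added illustration (not from the bug report and not PHP's own code), a defensive check an application can apply while $cainfo does not exclude the default trust store: after openssl_pkcs7_verify() accepts the message, confirm independently that the signer certificate was issued by the intended CA. It assumes PHP 7.4 or later for openssl_x509_verify(), a signer certificate issued directly by the CA in $caFile (no intermediates), and placeholder file names.

```php
<?php
// Added example: strict verification that does not rely on $cainfo alone.
// Assumptions: PHP >= 7.4 (openssl_x509_verify), a single-level chain
// (signer issued directly by $caFile), and placeholder file names.

function verify_signed_mail_strict(string $msg, string $caFile): bool
{
    $signerOut = tempnam(sys_get_temp_dir(), 'signer');
    try {
        // Step 1: PKCS#7 verification as in the report; the signer
        // certificate(s) are written to $signerOut.
        if (openssl_pkcs7_verify($msg, 0, $signerOut, [$caFile]) !== true) {
            return false;
        }

        $signer = openssl_x509_read(file_get_contents($signerOut));
        $ca     = openssl_x509_read(file_get_contents($caFile));
        if ($signer === false || $ca === false) {
            return false;
        }

        // Step 2: the signer's issuer DN must equal the intended CA's subject DN.
        $signerInfo = openssl_x509_parse($signer);
        $caInfo     = openssl_x509_parse($ca);
        if ($signerInfo['issuer'] !== $caInfo['subject']) {
            return false;
        }

        // Step 3: the signer certificate's signature must verify under the
        // CA's public key (1 = valid, 0 = mismatch, -1 = error), which a
        // certificate from the default trust store cannot satisfy.
        $caKey = openssl_pkey_get_public($ca);
        return $caKey !== false && openssl_x509_verify($signer, $caKey) === 1;
    } finally {
        @unlink($signerOut);
    }
}

// Usage with placeholder file names:
var_dump(verify_signed_mail_strict('signed_email.eml', '/path/to/intended-ca.pem'));
```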
 [2021-08-13 11:37 UTC]
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2021-08-13 11:37 UTC]
This has already been reported as bug #65154.