|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75494 php_openssl_setup_verify overzealously adds default files / dirs to trust store
Submitted: 2017-11-07 07:08 UTC Modified: -
From: luke at lerlacher dot de Assigned:
Status: Open Package: OpenSSL related
PHP Version: 7.2.0RC5 OS:
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2017-11-07 07:08 UTC] luke at lerlacher dot de
in interpreting $cainfo passed through the caller, php_openssl_setup_verify adds a default CA File to the store using

X509_LOOKUP_load_file(file_lookup, NULL, X509_FILETYPE_DEFAULT)

if no valid CA file was passed, and a default CA dir using 

X509_LOOKUP_add_dir(dir_lookup, NULL, X509_FILETYPE_DEFAULT)

if no valid CA dir was passed.

This means, if the user passes a single file location in $cainfo, indicating that they want only this file checked, the default ca dir will nevertheless be added to the store.

Test script:

  $ca = array(
      // a random ca-certificate that the signed mail was *not* signed with is required here

  // a pkcs7-signed email signed by a certificate in the default trust store is required
  $msg = 'signed_email.eml';

  $verify = openssl_pkcs7_verify($msg, 0, $msg . '.cert', $ca);



Expected result:
The expected output is:


This indicates that the mail was not signed by any of the certificates passed in $cainfo.

Actual result:
The actual output is:



Add a Patch

Pull Requests

Add a Pull Request

PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed Aug 04 19:01:26 2021 UTC