[2021-08-13 11:37 UTC] cmb@php.net
-Status: Open
+Status: Duplicate
-Assigned To:
+Assigned To: cmb
Description:
------------
In interpreting $cainfo passed through the caller, php_openssl_setup_verify adds a default CA file to the store using X509_LOOKUP_load_file(file_lookup, NULL, X509_FILETYPE_DEFAULT) if no valid CA file was passed, and a default CA dir using X509_LOOKUP_add_dir(dir_lookup, NULL, X509_FILETYPE_DEFAULT) if no valid CA dir was passed. This means that if the user passes a single file location in $cainfo, indicating that they want only this file checked, the default CA dir will nevertheless be added to the store.

Test script:
---------------
<?php
$ca = array(
    // a random CA certificate that the signed mail was *not* signed with is required here
    '/etc/ca-certificates/extracted/cadir/T__RKTRUST_Elektronik_Sertifika_Hizmet_Sa__lay__c__s___H5.pem'
);
// a PKCS#7-signed email signed by a certificate in the default trust store is required
$msg = 'signed_email.eml';
// the signer certificate(s) are written to signed_email.eml.cert
$verify = openssl_pkcs7_verify($msg, 0, $msg . '.cert', $ca);
var_dump($verify);
?>

Expected result:
----------------
The expected output is:
bool(false)
This indicates that the mail was not signed by any of the certificates passed in $cainfo.

Actual result:
--------------
The actual output is:
bool(true)
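Until the store setup is fixed, a caller who really wants "only this CA" has to enforce that restriction outside the store. The following is an added example, not code from the bug report or from PHP itself: it checks the PKCS#7 signature with PKCS7_NOVERIFY (so no chain lookup touches the default trust store), then validates the exported signer certificate against the intended CA by hand. It assumes PHP >= 7.4 (for openssl_x509_verify), that signed_email.eml and the CA file at the placeholder path exist, and that the signer is issued directly by that CA (no intermediates).

```php
<?php
// Added example (not from the bug report). Because $cainfo cannot stop
// openssl_pkcs7_verify() from also consulting the default CA file/dir,
// verify the signature only, then check the signer certificate against
// the intended CA ourselves. Assumes PHP >= 7.4 and a direct issuer.
function verifySignedMailAgainstCa(string $msgFile, string $caFile): bool
{
    $signersFile = $msgFile . '.signers.pem';   // written by openssl_pkcs7_verify()

    // Step 1: check the PKCS#7 signature itself; PKCS7_NOVERIFY skips the
    // chain check that would silently fall back to the default trust store.
    if (openssl_pkcs7_verify($msgFile, PKCS7_NOVERIFY, $signersFile) !== true) {
        return false;
    }

    $ca = openssl_x509_read(file_get_contents($caFile));
    if ($ca === false) {
        return false;
    }
    $caPub     = openssl_pkey_get_public($ca);
    $caSubject = openssl_x509_parse($ca)['subject'];

    // Step 2: every exported signer certificate must name $caFile as issuer,
    // carry a signature that verifies under the CA key, and be within its
    // validity period. Intermediates and revocation are not handled here.
    $pem = file_get_contents($signersFile);
    if (!preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $pem, $m)) {
        return false;
    }
    $now = time();
    foreach ($m[0] as $signerPem) {
        $signer = openssl_x509_read($signerPem);
        $info   = $signer !== false ? openssl_x509_parse($signer) : false;
        if ($info === false
            || $info['issuer'] !== $caSubject
            || openssl_x509_verify($signer, $caPub) !== 1
            || $now < $info['validFrom_time_t'] || $now > $info['validTo_time_t']) {
            return false;
        }
    }
    return true;
}

// '/path/to/intended-ca.pem' is a placeholder for the one CA you trust for this mail.
var_dump(verifySignedMailAgainstCa('signed_email.eml', '/path/to/intended-ca.pem'));
```

This returns false for the scenario in the report (mail signed by a default-store CA, a different CA passed in), because the manual issuer and signature checks never consult the default store.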