Bug #75494 php_openssl_setup_verify overzealously adds default files / dirs to trust store
Submitted: 2017-11-07 07:08 UTC Modified: -
From: luke at lerlacher dot de Assigned:
Status: Open Package: OpenSSL related
PHP Version: 7.2.0RC5 OS:
Private report: No CVE-ID: None

 [2017-11-07 07:08 UTC] luke at lerlacher dot de
Description:
------------
In interpreting $cainfo passed through the caller, php_openssl_setup_verify adds a default CA file to the store using

X509_LOOKUP_load_file(file_lookup, NULL, X509_FILETYPE_DEFAULT)

if no valid CA file was passed, and a default CA dir using 

X509_LOOKUP_add_dir(dir_lookup, NULL, X509_FILETYPE_DEFAULT)

if no valid CA dir was passed.

This means that if the user passes a single file location in $cainfo, indicating that they want only this file checked, the default CA dir will nevertheless be added to the store.

Test script:
---------------
<?php

$ca = array(
    // a random ca-certificate that the signed mail was *not* signed with is required here
    '/etc/ca-certificates/extracted/cadir/T__RKTRUST_Elektronik_Sertifika_Hizmet_Sa__lay__c__s___H5.pem'
);

// a pkcs7-signed email signed by a certificate in the default trust store is required
$msg = 'signed_email.eml';

$verify = openssl_pkcs7_verify($msg, 0, $msg . '.cert', $ca);

var_dump($verify);

?>

Expected result:
----------------
The expected output is:

bool(false)

This indicates that the mail was not signed by any of the certificates passed in $cainfo.

Actual result:
--------------
The actual output is:

bool(true)
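
A caller-side check that does not depend on how php_openssl_setup_verify assembles the store, as an added example that is not part of the bug report or PHP's own code: it verifies the signature with PKCS7_NOVERIFY and then requires each signer certificate to be issued directly by a pinned CA. It assumes PHP 7.4 or later (for openssl_x509_verify) and no intermediate certificates; pkcs7_verify_pinned is a hypothetical helper name, the paths are placeholders, and revocation and key usage are not checked.

```php
<?php
// Added example, not PHP's own code. Needs PHP >= 7.4 (openssl_x509_verify).
// pkcs7_verify_pinned() is a hypothetical helper name.
function pkcs7_verify_pinned(string $msgFile, array $pinnedCaFiles): bool
{
    $signersFile = tempnam(sys_get_temp_dir(), 'signers');
    try {
        // PKCS7_NOVERIFY checks the message signature but skips chain
        // verification, so the result does not depend on the trust store.
        if (openssl_pkcs7_verify($msgFile, PKCS7_NOVERIFY, $signersFile) !== true) {
            return false; // false = bad signature, -1 = error
        }
        $pem = (string) file_get_contents($signersFile);
    } finally {
        @unlink($signersFile);
    }

    // The signers file holds one PEM certificate per signer.
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    if (count($m[0]) === 0) {
        return false;
    }

    $now = time();
    foreach ($m[0] as $signerPem) {
        $info = openssl_x509_parse($signerPem);
        if ($info === false || $now < $info['validFrom_time_t'] || $now > $info['validTo_time_t']) {
            return false; // unparsable, not yet valid, or expired
        }
        $pinned = false;
        foreach ($pinnedCaFiles as $caFile) {
            // A PEM certificate is accepted as the source of the public key.
            $caKey = openssl_pkey_get_public((string) file_get_contents($caFile));
            if ($caKey !== false && openssl_x509_verify($signerPem, $caKey) === 1) {
                $pinned = true;
                break;
            }
        }
        if (!$pinned) {
            return false; // signer was not issued by any pinned CA
        }
    }
    return true;
}

// Placeholder paths: same message file as the test script, one pinned CA.
var_dump(pkcs7_verify_pinned('signed_email.eml', ['/path/to/pinned-ca.pem']));
```

With the inputs the test script describes (a mail signed under a default-store CA and an unrelated pinned CA), this check rejects the message because no pinned key verifies the signer certificate.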

Last updated: Tue Jul 16 02:01:26 2019 UTC