Bug #75494 php_openssl_setup_verify overzealously adds default files / dirs to trust store
Submitted: 2017-11-07 07:08 UTC Modified: 2021-08-13 11:37 UTC
From: luke at lerlacher dot de Assigned: cmb (profile)
Status: Duplicate Package: OpenSSL related
PHP Version: 7.2.0RC5 OS:
Private report: No CVE-ID: None
 [2017-11-07 07:08 UTC] luke at lerlacher dot de
Description:
------------
In interpreting $cainfo passed through the caller, php_openssl_setup_verify adds a default CA file to the store using

X509_LOOKUP_load_file(file_lookup, NULL, X509_FILETYPE_DEFAULT)

if no valid CA file was passed, and a default CA dir using 

X509_LOOKUP_add_dir(dir_lookup, NULL, X509_FILETYPE_DEFAULT)

if no valid CA dir was passed.

This means that if the user passes a single file location in $cainfo, indicating that they want only this file checked, the default CA dir will nevertheless be added to the store.

Test script:
---------------
<?php

// A CA certificate that the signed mail was *not* signed with is required here.
$ca = array(
    '/etc/ca-certificates/extracted/cadir/T__RKTRUST_Elektronik_Sertifika_Hizmet_Sa__lay__c__s___H5.pem',
);

// A PKCS#7-signed email, signed by a certificate in the default trust store, is required.
$msg = 'signed_email.eml';

// $ca is passed as $cainfo; the signer certificate(s) are written to $msg . '.cert'.
$verify = openssl_pkcs7_verify($msg, 0, $msg . '.cert', $ca);

var_dump($verify);

?>

Expected result:
----------------
The expected output is:

bool(false)

This indicates that the mail was not signed by any of the certificates passed in $cainfo.

Actual result:
--------------
The actual output is:

bool(true)
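The following script is an added example, not code from the bug report or from PHP itself. It builds a throwaway PKI in a temp directory (two unrelated CAs and one signer issued by CA "A"), signs a message as PKCS#7/S-MIME, and then verifies it through a wrapper that treats openssl_pkcs7_verify() as necessary but not sufficient: after the library call, every signer certificate it extracted must name the intended CA as issuer and carry a signature that checks out under that CA's public key. That extra pin makes the outcome independent of whatever php_openssl_setup_verify() pulled in from the default CA file and directory. The script cannot reproduce the report itself (that needs a signer chaining to the system store); it shows the application-side check that closes the gap. Assumptions: PHP 7.4 or later for openssl_x509_verify(), a stock openssl.cnf that defines the [v3_ca] and [usr_cert] extension sections, and the file names under the temp directory, which are constructed for the example.

```php
<?php
// Added example; not code from the bug report. Assumes PHP >= 7.4
// (openssl_x509_verify) and a stock openssl.cnf with [v3_ca] and [usr_cert].
declare(strict_types=1);

// Issue a key pair plus certificate for $cn; self-signed when $issuer is null.
function makeCert(string $cn, ?array $issuer, string $extSection, int $serial): array
{
    $opts = ['digest_alg' => 'sha256', 'x509_extensions' => $extSection];
    $key  = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    $csr  = openssl_csr_new(['commonName' => $cn], $key, $opts);
    $cert = $csr === false ? false
          : openssl_csr_sign($csr, $issuer['cert'] ?? null, $issuer['key'] ?? $key, 365, $opts, $serial);
    if ($cert === false) {
        throw new RuntimeException("could not issue a certificate for $cn");
    }
    return ['key' => $key, 'cert' => $cert];
}

// openssl_pkcs7_verify() alone answers "does the signer chain to *some* CA in the
// store", and that store silently contains the system defaults in addition to
// $caFile. This wrapper keeps that check but then requires every extracted signer
// certificate to be issued by, and correctly signed under, exactly $caFile.
function verifyAndPin(string $msgFile, string $caFile, string $signersOut): bool
{
    if (openssl_pkcs7_verify($msgFile, 0, $signersOut, [$caFile]) !== true) {
        return false;
    }
    $ca        = openssl_x509_read(file_get_contents($caFile));
    $caPubKey  = openssl_pkey_get_public($ca);
    $caSubject = openssl_x509_parse($ca)['subject'];

    // $signersOut holds the signer certificate(s) as concatenated PEM blocks.
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s',
                   file_get_contents($signersOut), $blocks);
    if ($blocks[0] === []) {
        return false;
    }
    foreach ($blocks[0] as $pem) {
        $signer = openssl_x509_read($pem);
        $issuer = openssl_x509_parse($signer)['issuer'];
        // The issuer name says which CA the signer claims; the signature check
        // proves that CA's key actually issued it. Both are required.
        if ($issuer !== $caSubject || openssl_x509_verify($signer, $caPubKey) !== 1) {
            return false;
        }
    }
    return true;
}

$tmp = sys_get_temp_dir() . '/pkcs7-pin-' . bin2hex(random_bytes(4));
mkdir($tmp, 0700);

// Constructed sample PKI: two unrelated CAs, one signer issued by CA "A".
$caA    = makeCert('Constructed CA A', null, 'v3_ca', 1);
$caB    = makeCert('Constructed CA B', null, 'v3_ca', 2);
$signer = makeCert('signer@example.invalid', $caA, 'usr_cert', 3);
openssl_x509_export_to_file($caA['cert'], "$tmp/ca-a.pem");
openssl_x509_export_to_file($caB['cert'], "$tmp/ca-b.pem");

// Constructed sample message, signed with the CA "A" signer (detached S/MIME).
file_put_contents("$tmp/msg.txt", "Constructed sample message\r\n");
openssl_pkcs7_sign("$tmp/msg.txt", "$tmp/msg.p7s", $signer['cert'], $signer['key'], []);

// Pinned to the issuing CA, then pinned to an unrelated CA.
var_dump(verifyAndPin("$tmp/msg.p7s", "$tmp/ca-a.pem", "$tmp/signer.pem"));
var_dump(verifyAndPin("$tmp/msg.p7s", "$tmp/ca-b.pem", "$tmp/signer.pem"));

array_map('unlink', glob("$tmp/*"));
rmdir($tmp);
```

The first call passes only when the signer is issued by CA "A"; the second is rejected at the pin step even if the library call had accepted the chain through the default store. Because the pin compares the issuer name and checks the signature with the CA's own public key, it does not depend on the contents of the X509_STORE that php_openssl_setup_verify builds.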

 [2021-08-13 11:37 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2021-08-13 11:37 UTC] cmb@php.net
This has already been reported as bug #65154.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 14:01:29 2024 UTC