Bug #77416 openssl_csr_new add fields to subject
Submitted: 2019-01-06 19:22 UTC Modified: 2019-12-01 19:39 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: joose dot vettenranta at kompassi dot fi Assigned: bukka (profile)
Status: Wont fix Package: OpenSSL related
PHP Version: 7.2.13 OS: Linux
Private report: No CVE-ID: None

 

 [2019-01-06 19:22 UTC] joose dot vettenranta at kompassi dot fi
Description:
------------
When creating a new CSR, it will add "ST=Some-State, O=Internet Widgits Pty Ltd" to the subject if not defined in the openssl_csr_new function call. This has been a bug in PHP for a long time.

Test script:
---------------
<?php
$config=array(
    "private_key_bits" => 2048,
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
);
$privkey = openssl_pkey_new($config);

$csr = openssl_csr_new(array("C"=>"FI"), $privkey);

openssl_csr_export($csr, $csrout);
echo($csrout);

/* using same system, but command line openssl command to generate csr works just fine. I have been using this code to do csr:
 $csr = shell_exec('openssl req -new -sha256 -key '.$tempDir.'/private.key -outform '.$format.' -subj "'.$subject.'"');
*/
?>
$ php test.php > /tmp/foo3 
$ openssl req -in /tmp/foo3 -noout -text


Expected result:
----------------
Certificate Request:
    Data:
    Version: 0 (0x0)
    Subject: C=FI

Actual result:
--------------
Certificate Request:
    Data:
    Version: 0 (0x0)
    Subject: C=FI, ST=Some-State, O=Internet Widgits Pty Ltd


 [2019-01-06 19:27 UTC] requinix@php.net
-Status: Open +Status: Feedback
 [2019-01-06 19:27 UTC] requinix@php.net
How does your openssl.cnf look?
 [2019-01-06 21:09 UTC] joose dot vettenranta at kompassi dot fi
-Status: Feedback +Status: Open
 [2019-01-06 21:09 UTC] joose dot vettenranta at kompassi dot fi
I have not checked. But I have tried this with different distros, different PHP versions and with different operating systems (macOS and Linux). I have also tried Docker images. And as I noted in the test script, doing the same thing on the same computer using the command-line openssl command works as expected.
 [2019-01-06 21:12 UTC] joose dot vettenranta at kompassi dot fi
I need different kinds of subjects when I am creating certificates for systems other than SSL. That is why the subject is completely different from what is normally (SSL) used.
 [2019-01-06 21:30 UTC] joose dot vettenranta at kompassi dot fi
If I create my own openssl.cnf file containing:
distinguished_name  = req_distinguished_name
[req_distinguished_name]
[v3_req]
[v3_ca]

it will work as expected
 [2019-12-01 19:39 UTC] bukka@php.net
PHP is using the default openssl config, which is usually the system one but depends on the installation. This can be overwritten using the OPENSSL_CONF environment variable. The default config is always loaded, which is on purpose, and it can't be changed due to BC.

So the only solution here is to either change your default config or use a specific config for openssl_csr_new.
 [2019-12-01 19:39 UTC] bukka@php.net
-Status: Open +Status: Wont fix -Assigned To: +Assigned To: bukka
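
The second option from the last comment (a specific config for openssl_csr_new) can be scripted as follows. This is an added example, not code from the report or from PHP itself: the function name `csr_with_exact_subject` and the temp-file prefix are hypothetical, and the config body is the minimal one the reporter posted. It also refuses to return a CSR whose subject contains any field that was not requested.

```php
<?php
// Added example (not from the bug report): build a CSR against a private,
// minimal OpenSSL config so that distinguished-name defaults from the system
// openssl.cnf (ST=Some-State, O=Internet Widgits Pty Ltd) cannot leak in.

// Config body exactly as posted by the reporter in the thread above.
$minimalConf = <<<CNF
distinguished_name  = req_distinguished_name
[req_distinguished_name]
[v3_req]
[v3_ca]
CNF;

// Hypothetical helper: returns [PEM-encoded CSR, parsed subject].
function csr_with_exact_subject(array $dn, string $confBody): array
{
    // tempnam() creates the file with owner-only permissions.
    $confPath = tempnam(sys_get_temp_dir(), 'csrconf_');
    if ($confPath === false || file_put_contents($confPath, $confBody . "\n") === false) {
        throw new RuntimeException('cannot write temporary OpenSSL config');
    }
    try {
        $options = [
            'config'           => $confPath,   // used instead of the default config's DN defaults
            'private_key_bits' => 2048,
            'private_key_type' => OPENSSL_KEYTYPE_RSA,
            'digest_alg'       => 'sha256',
        ];
        $key = openssl_pkey_new($options);
        if ($key === false) {
            throw new RuntimeException('key generation failed: ' . openssl_error_string());
        }
        $csr = openssl_csr_new($dn, $key, $options);
        if ($csr === false) {
            throw new RuntimeException('CSR creation failed: ' . openssl_error_string());
        }
        // Verify the subject before the CSR leaves this function.
        $subject = openssl_csr_get_subject($csr, true);
        $extra = array_diff_key($subject, $dn);
        if ($extra !== []) {
            throw new RuntimeException('unrequested subject fields: ' . implode(', ', array_keys($extra)));
        }
        openssl_csr_export($csr, $pem);
        return [$pem, $subject];
    } finally {
        unlink($confPath);
    }
}

[$pem, $subject] = csr_with_exact_subject(['C' => 'FI'], $minimalConf);
echo $pem;
```

The output can be inspected with the same `openssl req -in <file> -noout -text` command used in the report.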
 
Last updated: Sat Dec 07 06:01:24 2019 UTC