php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #77416 openssl_csr_new add fields to subject
Submitted: 2019-01-06 19:22 UTC Modified: 2019-12-01 19:39 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: joose dot vettenranta at kompassi dot fi Assigned: bukka (profile)
Status: Wont fix Package: OpenSSL related
PHP Version: 7.2.13 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: joose dot vettenranta at kompassi dot fi
New email:
PHP Version: OS:

 

 [2019-01-06 19:22 UTC] joose dot vettenranta at kompassi dot fi 
Description:
------------
When creating new CSR, it will add "ST=Some-State, O=Internet Widgits Pty Ltd" to the subject if not defined in openssl_csr_new -function call. This has been a bug in PHP for a long time.

Test script:
---------------
<?php
$config=array(
    "private_key_bits" => 2048,
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
);
$privkey = openssl_pkey_new($config);

$csr = openssl_csr_new(array("C"=>"FI"), $privkey);

openssl_csr_export($csr, $csrout);
echo($csrout);

/* using same system, but command line openssl command to generate csr works just fine. I have been using this code to do csr:
 $csr = shell_exec('openssl req -new -sha256 -key '.$tempDir.'/private.key -outform '.$format.' -subj "'.$subject.'"');
*/
?>
$ php test.php > /tmp/foo3 
$ openssl req -in /tmp/foo3 -noout -text


Expected result:
----------------
Certificate Request:
    Data:
    Version: 0 (0x0)
    Subject: C=FI

Actual result:
--------------
Certificate Request:
    Data:
    Version: 0 (0x0)
    Subject: C=FI, ST=Some-State, O=Internet Widgits Pty Ltd

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-01-06 19:27 UTC] requinix@php.net
-Status: Open +Status: Feedback
 [2019-01-06 19:27 UTC] requinix@php.net 
How does your openssl.cnf look?
 [2019-01-06 21:09 UTC] joose dot vettenranta at kompassi dot fi
-Status: Feedback +Status: Open
 [2019-01-06 21:09 UTC] joose dot vettenranta at kompassi dot fi 
I have not checked. But I have tried this with different distros, different php -versions and with different operating systems (macos and linux). Also have tried docker images. And as I notided in the test script, doing the same thing on the same computer using command line openssl command, it will work as expected.
 [2019-01-06 21:12 UTC] joose dot vettenranta at kompassi dot fi 
I need different kind of subjects when I am creating certificates for systems other than SSL. That is why to subject is completely different what is normally (SSL) used.
 [2019-01-06 21:30 UTC] joose dot vettenranta at kompassi dot fi 
If I create own openssl.cnf file containing: 
distinguished_name  = req_distinguished_name
[req_distinguished_name]
[v3_req]
[v3_ca]

it will work as expected
 [2019-12-01 19:39 UTC] bukka@php.net 
PHP is using default openssl config which is usually the system one but depends on the installation. This can be overwritten using OPENSSL_CONF environment variable. The default config is always loaded which is on purpose and it can't be changed due to BC.

So the only solution in here is to either change your default config or use specific config for openssl_csr_new.
 [2019-12-01 19:39 UTC] bukka@php.net
-Status: Open +Status: Wont fix -Assigned To: +Assigned To: bukka
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Apr 20 06:01:28 2024 UTC