Patch spki.patch for OpenSSL related Bug #38917
Patch version 2011-12-19 14:36 UTC
Return to Bug #38917
| Download this patch
Patch Revisions:
2011-12-22 10:41 UTC | 2011-12-21 20:31 UTC | 2011-12-21 16:09 UTC | 2011-12-21 03:48 UTC | 2011-12-21 03:26 UTC | 2011-12-19 17:58 UTC | 2011-12-19 17:53 UTC | 2011-12-19 14:36 UTC | 2011-12-14 11:38 UTC | 2011-12-13 16:55 UTC | 2011-12-08 10:57 UTC | 2011-12-06 21:02 UTC | 2011-12-06 11:35 UTC | 2011-12-06 11:29 UTCDeveloper: jason.gerfen@gmail.com
--- php-5.3.8/ext/openssl/openssl.c
+++ php-5.3.8/ext/openssl/openssl.c
@@ -372,11 +372,35 @@
--- php-5.3.8/ext/openssl/openssl.c 2011-07-25 05:42:53.000000000 -0600
+++ php-5.3.8/ext/openssl/openssl.c 2011-12-17 20:02:34.740053638 -0700
@@ -372,11 +372,48 @@
ZEND_ARG_INFO(0, length)
ZEND_ARG_INFO(1, result_is_strong)
ZEND_END_ARG_INFO()
+
+ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_spki_new, 0, 0, 0)
+ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_spki_new, 0, 0, 2)
+ ZEND_ARG_INFO(0, privkey)
+ ZEND_ARG_INFO(0, password)
+ ZEND_ARG_INFO(0, spki_hash)
+ ZEND_ARG_INFO(0, challenge)
+ ZEND_ARG_INFO(0, algo)
+ZEND_END_ARG_INFO()
+
+ZEND_BEGIN_ARG_INFO(arginfo_openssl_spki_verify, 0)
+ ZEND_ARG_INFO(0, spki)
+ZEND_END_ARG_INFO()
+
+ZEND_BEGIN_ARG_INFO(arginfo_openssl_spki_export, 0)
+ ZEND_ARG_INFO(0, spki)
+ZEND_END_ARG_INFO()
+
+ZEND_BEGIN_ARG_INFO(arginfo_openssl_spki_export_challenge, 0)
+ ZEND_ARG_INFO(0, spki)
+ZEND_END_ARG_INFO()
+
+ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_spki_export_cert, 0, 0, 2)
+ ZEND_ARG_INFO(0, cert)
+ ZEND_ARG_INFO(0, spkistr)
+ ZEND_ARG_INFO(0, dn) /* array */
+ ZEND_ARG_INFO(0, configargs)
+ZEND_END_ARG_INFO()
+
+ZEND_BEGIN_ARG_INFO(arginfo_openssl_spki_details, 0)
+ ZEND_ARG_INFO(0, spki)
+/* spki functions */
+ PHP_FE(openssl_spki_new, arginfo_openssl_spki_new)
+ PHP_FE(openssl_spki_verify, arginfo_openssl_spki_verify)
+ PHP_FE(openssl_spki_export, arginfo_openssl_spki_export)
+ PHP_FE(openssl_spki_export_challenge, arginfo_openssl_spki_export_challenge)
+ PHP_FE(openssl_spki_export_cert, arginfo_openssl_spki_export_cert)
+ PHP_FE(openssl_spki_details, arginfo_openssl_spki_details)
+
/* public/private key functions */
PHP_FE(openssl_pkey_free, arginfo_openssl_pkey_free)
PHP_FE(openssl_pkey_new, arginfo_openssl_pkey_new)
@@ -1252,6 +1276,190 @@
@@ -1252,6 +1289,348 @@
}
/* }}} */
+/* {{{ proto string openssl_spki_new(mixed priv_key, string password)
+/* {{{ proto string openssl_spki_new(mixed zpkey, string challenge [, string algo='sha256'])
+ Creates new private key (or uses existing) and creates a new spki cert
+ outputting results to var */
+PHP_FUNCTION(openssl_spki_new)
+{
+ zval * zout, * zpkey = NULL;
+ zval * zpkey = NULL;
+ EVP_PKEY * pkey = NULL;
+ NETSCAPE_SPKI *spki=NULL;
+ char * password, * spkstr;
+ int challenge_len, algo_len;
+ char * challenge, * spkstr, *algo="sha256";
+ long keyresource = -1;
+ const char *spkac = "SPKAC=";
+
+ zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs|s", &zpkey, &password, &zout);
+
+ pkey = php_openssl_evp_from_zval(&zpkey, 0, password, 1, &keyresource TSRMLS_CC);
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs|s", &zpkey, &challenge, &challenge_len, &algo, &algo_len) == FAILURE) {
+ return;
+ }
+ RETVAL_FALSE;
+
+ pkey = php_openssl_evp_from_zval(&zpkey, 0, challenge, 1, &keyresource TSRMLS_CC);
+
+ if (pkey == NULL) {
+ goto cleanup;
+ }
+
+ goto cleanup;
+ }
+
+ if ((spki = NETSCAPE_SPKI_new()) == NULL) {
+ goto cleanup;
+ }
+
+ if (password) {
+ ASN1_STRING_set(spki->spkac->challenge, password, (int)strlen(password));
+ }
+
+ if (!NETSCAPE_SPKI_set_pubkey(spki, pkey)) {
+ goto cleanup;
+ }
+
+ if (!NETSCAPE_SPKI_sign(spki, pkey, EVP_md5())) {
+ goto cleanup;
+ }
+
+ spkstr = NETSCAPE_SPKI_b64_encode(spki);
+ if (challenge) {
+ ASN1_STRING_set(spki->spkac->challenge, challenge, (int)strlen(challenge));
+ }
+
+ if (!NETSCAPE_SPKI_set_pubkey(spki, pkey)) {
+ goto cleanup;
+ }
+
+ if (strcmp(algo, "md5")==0){
+ if (!NETSCAPE_SPKI_sign(spki, pkey, EVP_md5())) {
+ goto cleanup;
+ }
+ } else if(strcmp(algo, "sha1")==0){
+ if (!NETSCAPE_SPKI_sign(spki, pkey, EVP_sha1())) {
+ goto cleanup;
+ }
+ } else if(strcmp(algo, "sha256")==0){
+ if (!NETSCAPE_SPKI_sign(spki, pkey, EVP_sha256())) {
+ goto cleanup;
+ }
+ } else if (strcmp(algo, "sha512")==0){
+ if (!NETSCAPE_SPKI_sign(spki, pkey, EVP_sha512())) {
+ goto cleanup;
+ }
+ }
+
+ spkstr = NETSCAPE_SPKI_b64_encode(spki);
+ if (!spkstr){
+ goto cleanup;
+ }
+
+ char * s = malloc(snprintf(NULL, 0, "%s%s", spkac, spkstr));
+ sprintf(s, "%s%s", spkac, spkstr);
+
+ if (strlen(s)>0) {
+ RETVAL_STRINGL(s, strlen(s), 0);
+ } else {
+ RETURN_FALSE;
+ }
+
+
+ if (strlen(s)<=0) {
+ goto cleanup;
+ }
+ RETURN_STRING(s, 1);
+
+cleanup:
+ if (keyresource == -1 && pkey) {
+ if (keyresource == -1 && spki) {
+ NETSCAPE_SPKI_free(spki);
+ EVP_PKEY_free(pkey);
+ }
+ if (spkstr) {
+ OPENSSL_free(spkstr);
+ if (keyresource == -1 && pkey) {
+ EVP_PKEY_free(pkey);
+ }
+ if (keyresource == -1 && s) {
+ free(s);
+ }
+ RETURN_NULL();
+}
+/* }}} */
+
+/* {{{ proto bool openssl_spki_verify(string spki)
+PHP_FUNCTION(openssl_spki_verify)
+{
+ int spkstr_len, i, x=0;
+ char *spkstr = NULL;
+ EVP_PKEY *pkey = NULL;
+ NETSCAPE_SPKI *spki = NULL;
+
+ EVP_PKEY *pkey = NULL;
+ NETSCAPE_SPKI *spki = NULL;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &spkstr, &spkstr_len) == FAILURE) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "missing argument 1");
+ goto cleanup;
+ }
+
+ if (!spkstr) {
+ return;
+ }
+
+ if (!spkstr) {
+ goto cleanup;
+ }
+
+ spki = NETSCAPE_SPKI_b64_decode(spkstr, -1);
+ char * spkstr_cleaned = malloc(strlen(spkstr));
+ openssl_spki_cleanup(spkstr, spkstr_cleaned);
+
+ spki = NETSCAPE_SPKI_b64_decode(spkstr_cleaned, strlen(spkstr_cleaned));
+ if (!spki) {
+ goto cleanup;
+ }
+
+ pkey = NETSCAPE_SPKI_get_pubkey(spki);
+ goto cleanup;
+ }
+
+ pkey = X509_PUBKEY_get(spki->spkac->pubkey);
+ if (pkey == NULL) {
+ goto cleanup;
+ }
+ }
+
+ i = NETSCAPE_SPKI_verify(spki, pkey);
+
+ if (i > 0) {
+ x = 1;
+ }
+ goto cleanup;
+
+cleanup:
+ }
+ goto cleanup;
+
+cleanup:
+ if (spki) {
+ NETSCAPE_SPKI_free(spki);
+ }
+ if (pkey) {
+ EVP_PKEY_free(pkey);
+ }
+ }
+ RETURN_BOOL(x);
+}
+/* }}} */
+
+PHP_FUNCTION(openssl_spki_export)
+{
+ int spkstr_len;
+ EVP_PKEY *pkey = NULL;
+ NETSCAPE_SPKI *spki = NULL;
+ BIO *out = BIO_new_fp(stdout, BIO_CLOSE);
+ char *spkstr;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &spkstr, &spkstr_len) == FAILURE) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "missing argument 1");
+ goto cleanup;
+ }
+
+ if (!spkstr) {
+ goto cleanup;
+ }
+
+ spki = NETSCAPE_SPKI_b64_decode(spkstr, strlen(spkstr));
+ if (!spki) {
+ NETSCAPE_SPKI *spki = NULL;
+ BIO *out = BIO_new(BIO_s_mem());
+ BUF_MEM *bio_buf;
+ char *spkstr;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &spkstr, &spkstr_len) == FAILURE) {
+ goto cleanup;
+ }
+
+ if (!spkstr) {
+ goto cleanup;
+ }
+
+ pkey = NETSCAPE_SPKI_get_pubkey(spki);
+
+ char * spkstr_cleaned = malloc(strlen(spkstr));
+ openssl_spki_cleanup(spkstr, spkstr_cleaned);
+
+ spki = NETSCAPE_SPKI_b64_decode(spkstr_cleaned, strlen(spkstr_cleaned));
+ if (!spki) {
+ goto cleanup;
+ }
+
+ pkey = X509_PUBKEY_get(spki->spkac->pubkey);
+ if (!pkey) {
+ goto cleanup;
+ }
+
+ PEM_write_bio_PUBKEY(out, pkey);
+
+ PEM_write_bio_PUBKEY(out, pkey);
+ BIO_get_mem_ptr(out, &bio_buf);
+
+ if ((!bio_buf->data)&&(bio_buf->length<=0)) {
+ goto cleanup;
+ }
+
+ char * s = malloc(bio_buf->length);
+ BIO_read(out, s, bio_buf->length);
+ RETURN_STRING(s, 1);
+
+cleanup:
+ if (spki) {
+ NETSCAPE_SPKI_free(spki);
+ }
+ BIO_free_all(out);
+ }
+ if (pkey) {
+ EVP_PKEY_free(pkey);
+ }
+}
+ }
+}
+/* }}} */
+
+/* {{{ proto string openssl_spki_export_challenge(string spki)
+ Exports spkac challenge from existing spki to var */
+PHP_FUNCTION(openssl_spki_export_challenge)
+{
+ int spkstr_len;
+ NETSCAPE_SPKI *spki = NULL;
+ char *spkstr;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &spkstr, &spkstr_len) == FAILURE) {
+ goto cleanup;
+ }
+
+ if (!spkstr) {
+ goto cleanup;
+ }
+
+ char * spkstr_cleaned = malloc(strlen(spkstr));
+ openssl_spki_cleanup(spkstr, spkstr_cleaned);
+
+ spki = NETSCAPE_SPKI_b64_decode(spkstr_cleaned, strlen(spkstr_cleaned));
+ if (!spki) {
+ goto cleanup;
+ }
+
+ RETURN_STRING(ASN1_STRING_data(spki->spkac->challenge), 1);
+
+cleanup:
+ if (spki) {
+ NETSCAPE_SPKI_free(spki);
+ }
+}
+/* }}} */
+
+/* {{{ proto bool openssl_spki_export_cert(mixed zpkey, string spkac, array dn [, array configargs])
+ Generates a CSR from SPKAC */
+PHP_FUNCTION(openssl_spki_export_cert)
+{
+ int spkistr_len;
+ char *spkistr = NULL;
+ long keyresource = -1;
+ zval * zpkey = NULL;
+ zval * args = NULL, * dn, ** zcert;
+ ASN1_UTCTIME *tm,*tmptm;
+ ASN1_STRING *str,*str2;
+ ASN1_OBJECT *obj; X509 *ret=NULL;
+ X509_NAME *n;
+ X509_REQ * csr = NULL;
+ X509_CINF *ci;
+ X509_NAME_ENTRY *ne;
+ X509_NAME_ENTRY *tne,*push;
+ X509_NAME *name=NULL,*CAname=NULL,*subject=NULL, *dn_subject=NULL;
+ EVP_PKEY *pktmp, *pkey;
+ NETSCAPE_SPKI *spki = NULL;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rsa|a", &zpkey, &spkistr, &spkistr_len, &dn, &args) == FAILURE) {
+ return;
+ }
+ RETVAL_FALSE;
+
+ if (!spkistr) {
+ goto cleanup;
+ }
+
+ char * spkistr_cleaned = malloc(strlen(spkistr));
+ openssl_spki_cleanup(spkistr, spkistr_cleaned);
+
+ spki = NETSCAPE_SPKI_b64_decode(spkistr_cleaned, strlen(spkistr_cleaned));
+ if (!spki) {
+ goto cleanup;
+ }
+
+ pktmp = X509_PUBKEY_get(spki->spkac->pubkey);
+ if (!pktmp) {
+ goto cleanup;
+ }
+
+ pkey = php_openssl_evp_from_zval(&zpkey, 0, ASN1_STRING_data(spki->spkac->challenge), 1, &keyresource TSRMLS_CC);
+ if (pkey == NULL) {
+ goto cleanup;
+ }
+
+ tmptm=ASN1_UTCTIME_new();
+
+cleanup:
+ if (spki) {
+ NETSCAPE_SPKI_free(spki);
+ }
+}
+/* }}} */
+
+/* {{{ proto string openssl_spki_details(string spki)
+ Provides details from existing spki to var */
+PHP_FUNCTION(openssl_spki_details)
+{
+ BUF_MEM *buf;
+ int spkstr_len;
+ NETSCAPE_SPKI *spki = NULL;
+ BIO *out = BIO_new_fp(stdout, BIO_NOCLOSE);
+ BIO *out = BIO_new(BIO_s_mem());
+ BUF_MEM *bio_buf;
+ zval *zout;
+ char *spkstr;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &spkstr, &spkstr_len) == FAILURE) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "missing argument 1");
+ goto cleanup;
+ return;
+ }
+ RETVAL_FALSE;
+
+ if (!spkstr) {
+ goto cleanup;
+ }
+
+ spki = NETSCAPE_SPKI_b64_decode(spkstr, strlen(spkstr));
+ if (!spki) {
+ goto cleanup;
+ }
+
+ NETSCAPE_SPKI_print(out, spki);
+ char * spkstr_cleaned = malloc(strlen(spkstr));
+ openssl_spki_cleanup(spkstr, spkstr_cleaned);
+
+ spki = NETSCAPE_SPKI_b64_decode(spkstr_cleaned, strlen(spkstr_cleaned));
+ if (!spki) {
+ goto cleanup;
+ }
+
+ NETSCAPE_SPKI_print(out, spki);
+ BIO_get_mem_ptr(out, &bio_buf);
+
+ if ((!bio_buf->data)&&(bio_buf->length<=0)) {
+ goto cleanup;
+ }
+
+ char * s = malloc(bio_buf->length);
+ BIO_read(out, s, bio_buf->length);
+ RETURN_STRING(s, 1);
+
+cleanup:
+ if (spki) {
+ NETSCAPE_SPKI_free(spki);
+ }
+ if (out) {
+ BIO_free_all(out);
+ }
+ BIO_free_all(out);
+}
+/* }}} */
+
+/* {{{ proto int openssl_spki_cleanup(const char *src, char *results)
+ This will help remove new line chars in the SPKAC sent from the
+ browser */
+int openssl_spki_cleanup(const char *src, char *dest)
+{
+ int removed=0;
+
+ while (*src) {
+ if (*src!='\n'&&*src!='\r') {
+ *dest++=*src;
+ } else {
+ ++removed;
+ }
+ ++src;
+ }
+ *dest=0;
+ return removed;
+}
+/* }}} */
+
/* {{{ proto bool openssl_x509_export(mixed x509, string &out [, bool notext = true])
Exports a CERT to file or a var */
PHP_FUNCTION(openssl_x509_export)
--- php-5.3.8/ext/openssl/php_openssl.h
+++ php-5.3.8/ext/openssl/php_openssl.h
@@ -74,6 +74,11 @@
@@ -2056,6 +2435,13 @@
if (strindex) {
int nid;
+ if (strcmp(strindex, "SPKAC") == 0) {
+ if (!X509_NAME_add_entry_by_txt(subj, strindex, MBSTRING_ASC, (unsigned char*)Z_STRVAL_PP(item), -1, -1, 0)){
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "dn: add_entry_by_txt %s (failed)", strindex);
+ return FAILURE;
+ }
+ }
+
nid = OBJ_txt2nid(strindex);
if (nid != NID_undef) {
if (!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_ASC,
--- php-5.3.8/ext/openssl/php_openssl.h 2010-12-31 19:19:59.000000000 -0700
+++ php-5.3.8/ext/openssl/php_openssl.h 2011-12-15 18:08:39.482574322 -0700
@@ -74,6 +74,13 @@
PHP_FUNCTION(openssl_csr_sign);
PHP_FUNCTION(openssl_csr_get_subject);
PHP_FUNCTION(openssl_csr_get_public_key);
+
+PHP_FUNCTION(openssl_spki_new);
+PHP_FUNCTION(openssl_spki_verify);
+PHP_FUNCTION(openssl_spki_export);
+PHP_FUNCTION(openssl_spki_export_challenge);
+PHP_FUNCTION(openssl_spki_export_cert);
+PHP_FUNCTION(openssl_spki_details);
#else
#define phpext_openssl_ptr NULL
--- php-5.3.8/ext/openssl/tests/026.phpt 1969-12-31 17:00:00.000000000 -0700
+++ php-5.3.8/ext/openssl/tests/026.phpt 2011-12-14 15:04:17.290077417 -0700
@@ -0,0 +1,67 @@
+--TEST--
+openssl_spki_new(), openssl_spki_verify(), openssl_spki_export(), openssl_spki_export_challenge(), openssl_spki_details()
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip");
+if (!@openssl_pkey_new()) die("skip cannot create private key");
+?>
+--FILE--
+<?php
+
+echo "Creating private key\n";
+$key = openssl_pkey_new();
+if ($key === false)
+ die("failed to create private key\n");
+
+echo "Creating new SPKAC\n";
+if (!function_exists("openssl_spki_new"))
+ die("openssl_spki_new() does not exist\n");
+
+$spki = openssl_spki_new($key, "sample_challenge_string");
+if ($spki === false)
+ die("could not create spkac\n");
+
+echo "Verifying SPKAC\n";
+if (!function_exists("openssl_spki_verify"))
+ die("openssl_spki_verify() does not exist\n");
+
+$x = openssl_spki_verify(preg_replace("/SPKAC=/", "", $spki));
+if ($x === false)
+ die("could not verify spkac\n");
+
+echo "Exporting challenge\n";
+if (!function_exists("openssl_spki_export_challenge"))
+ die("openssl_spki_export_challenge() does not exist\n");
+
+$y = openssl_spki_export_challenge(preg_replace("/SPKAC=/", "", $spki));
+if ($y !== "sample_challenge_string")
+ die("could not verify challenge string from spkac\n");
+
+echo "Exporting public key from SPKAC\n";
+if (!function_exists("openssl_spki_export"))
+ die("openssl_spki_export() does not exist\n");
+
+$z = openssl_spki_export(preg_replace("/SPKAC=/", '', $spki));
+if ($z === "")
+ die("could not export public key from spkac\n");
+
+echo "Generating details of SPKAC structure\n";
+if (!function_exists("openssl_spki_details"))
+ die("openssl_spki_details() does not exist\n");
+
+$w = openssl_spki_details(preg_replace('/SPKAC=/', '', $spki));
+if ($w === "")
+ die("could not obtain details from spkac\n");
+
+echo "OK!\n";
+
+openssl_free_key($key);
+?>
+--EXPECT--
+Creating private key
+Creating new SPKAC
+Verifying SPKAC
+Exporting challenge
+Exporting public key from SPKAC
+Generating details of SPKAC structure
+OK!
|