ID: 42886 User updated by: tokul at users dot sourceforge dot net Reported By: tokul at users dot sourceforge dot net Status: Bogus Bug Type: OpenSSL related Operating System: Linux Debian Etch PHP Version: 5CVS-2008-11-01 Assigned To: pajoye New Comment:
I don't agree that bug is bogus. 1. /usr/bin/openssl works without any chain certificate arguments. 2. how am I supposed to know all chained certificates and why do I have to go through all the trouble of getting them in order to check certificates. function should use trusted system certificates like /usr/bin/openssl does (if /usr/bin/openssl does it). 3. Bug report also states that function returns integer value when one part of documentation states that it should return boolean or different integer value. Even if bug report is bogus, documentation is still broken. Previous Comments: ------------------------------------------------------------------------ [2009-09-04 06:40:23] [email protected] @ryan+phpbugs at sleevi dot com Thanks for the detailed explanation. And you are right about the conclusions. That's also not something we should try to change from PHP (if there was a bug), that's openssl's job. ------------------------------------------------------------------------ [2009-09-04 05:06:16] ryan+phpbugs at sleevi dot com The problem is not resolved in PHP 5.2.6, provided you call it correctly. openssl_x509_checkpurpose expects to be able to build a full chain of certificates to verify its purpose. Furthermore, it expects there to be a trusted certificate as part of the chain. When invoked as var_dump(openssl_x509_checkpurpose(file_get_contents('./certfile.pem'). X509_PURPOSE_SMIME_SIGN)); this fails, because a chain cannot properly be built to a trusted root. My test case involved: - Obtaining Using the Thawte intermediate and root certificates, obtained via http://www.thawte.com/repository/index.html - Copying the contents of the Thawte Personal Freemail Issuing CA and Thawte Personal Freemail CA PEM files from that list into a new file, called 'chain.pem'. The certs were simply appended one after the other - Setting the system time to be during the validity period of the certificate (2007-10-10 00:00:00 GMT) - executing as var_dump(openssl_x509_checkpurpose(file_get_contents('./certfile.pem'). X509_PURPOSE_SMIME_SIGN, array('./chain.pem')); - I received int(1) as the result I do not believe the reporter's initial case should be supported. Purpose checking requires checking each of the CAs that issued the certificate to make sure there are no purpose constraints. The absence of the CA certificates makes this impossible, hence the failure. If one wishes to obtain any X509 certificate extensions for a single certificate, openssl_x509_parse is able to provide this information. However, it should not be treated as authoritative, as it does not reflect the full chain policy being enforced for that certificate. My OpenSSL version was 0.9.8f, running Linux kernel 2.6.14.6 and PHP 5.2.6. While these versions do differ from the original submission, with the above explanation, it should provide enough information to see if this does resolve the situation with purpose verification. ------------------------------------------------------------------------ [2008-11-18 10:09:50] [email protected] It seems to be a bug in the openssl directly. I have tried with many different certs and many failed (including the one available in the openssl's demo directory). I have to work on other things now, the fix may require to duplicate the x509_verify_cert code (partially or completely). tested with 0.98g and 0.9.8i ------------------------------------------------------------------------ [2008-11-01 21:13:07] tokul at users dot sourceforge dot net php 5.2-200811011530 Test result is the same. It is impossible to verify purpose of certificate, because function returns integer value which is evaluated as false even when certificate can be used for SMIME signatures. I don't know options that Thawte used to generate certificate. I've accepted default options with 2048-bit encryption for Mozilla Firefox/Thunderbird. Here goes already expired certificate used for initial bug report. -----BEGIN CERTIFICATE----- MIIC8DCCAlmgAwIBAgIQS8GxvbV7pghz0FD/I7rVVjANBgkqhkiG9w0BAQUFADBi MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg THRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3Vpbmcg Q0EwHhcNMDcwMjI0MDYyMzA0WhcNMDgwMjI0MDYyMzA0WjBNMR8wHQYDVQQDExZU aGF3dGUgRnJlZW1haWwgTWVtYmVyMSowKAYJKoZIhvcNAQkBFht0b2t1bEB1c2Vy cy5zb3VyY2Vmb3JnZS5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDQALcUK5moBKz5tHqYcquqb8seEKgzDbFJ3Nko8VEyVy1vnwKtHkNeXuMv1mbH 2dhkvI2JtWpNte36bzLErQHzZhnehAdRb3RIlLrASxkn4btidkWasYjqhtMI1sGL D+7wFdC4rSfdYwRUto8zrB5FeoNakJre8gmljqwm18fh5ZMsiWboXdKVVCa8ALBk P5dZ7gYElfNj3FJSjqo0Efs5yQn8EsY+uDNTH+y8HE5Sqq0mkuLw/7WIO5PCsQAF xTsEo2dqnj3us9KGgNGkR4JRp17NPfNofLs26w7H2n3oAmjMaM51U5lpPOSh0Nm7 uwrpsWnE84Jm2I/9WhhuSOEJAgMBAAGjODA2MCYGA1UdEQQfMB2BG3Rva3VsQHVz ZXJzLnNvdXJjZWZvcmdlLm5ldDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBQUA A4GBAJlmrYGSeE00IK7WR+05BT0g6YigfIoKLbeTJu25oVHN8dBLU0Jjx5KZRfZQ BCt/8CVBNxNwwKRQnQ36M4Hq0YLa+bBYq3pJPbL62Ffj7mLHhDkFvJw/sgQ1I7jH URvzt58Hw3B34wEHzqnzcsFOPxNZN3aU4BTnbUBTUjkVVpuZ -----END CERTIFICATE----- ------------------------------------------------------------------------ [2008-10-31 08:49:37] [email protected] Please provide a sample certificate to reproduce this problem or the values you used to create a similar certificate. ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/42886 -- Edit this bug report at http://bugs.php.net/?id=42886&edit=1
