Edit report at https://bugs.php.net/bug.php?id=38917&edit=1
ID: 38917
Comment by: jason dot gerfen at gmail dot com
Reported by: zeph at purotesto dot it
Summary: OpenSSL: signing function for spkac
Status: Feedback
Type: Feature/Change Request
Package: OpenSSL related
Operating System: Irrelevant
PHP Version: trunk
Block user comment: N
Private report: N
New Comment:
Please disregard my previous comment. I did a little more digging and am under the impression that adding the following to the php_openssl_make_REQ() function should allow me to create a self-signed certificate using the SPKAC NID, like so?
/* proposed addition to the DN attribute loop in php_openssl_make_REQ() */
if (strcmp(strindex, "SPKAC") == 0) {
    if (!X509_NAME_add_entry_by_txt(subj, strindex, MBSTRING_ASC,
                                    (unsigned char *)Z_STRVAL_PP(item), -1, -1, 0)) {
        php_error_docref(NULL TSRMLS_CC, E_WARNING, "dn: add_entry_by_txt %s -> %s (failed)",
                         strindex, Z_STRVAL_PP(item));
        return FAILURE;
    }
}
Would you recommend another method? Please advise.
Previous Comments:
------------------------------------------------------------------------
[2011-12-14 19:40:20] jason dot gerfen at gmail dot com
One other question about using SPKACs when creating an x509. It seems the current method, using openssl_csr_new() which in turn calls php_openssl_make_REQ() to assign the specified DN attributes, has no method of adding the SPKAC field.
After digging around it seems logical to use OBJ_create() and the OBJ_* family of functions to add the NID. Please forgive me if I am way off here, but is there any direction you could point me in, using the existing functions, to output and sign a certificate similar to the following command?
openssl ca -config /path/to/openssl.conf -days 180 -notext -batch \
-spkac /path/to/cert.pem -out /path/to/signed.pem -passin pass:'random'
My assumption is that I will need to create one specifically for this purpose
but would like your insight.
------------------------------------------------------------------------
[2011-12-14 13:51:42] jason dot gerfen at gmail dot com
This will test all five new functions unless you would like one test case per
function?
--TEST--
openssl_spki_new(), openssl_spki_verify(), openssl_spki_export(),
openssl_spki_export_challenge(), openssl_spki_details()
--SKIPIF--
<?php
if (!extension_loaded("openssl")) die("skip");
if (!@openssl_pkey_new()) die("skip cannot create private key");
?>
--FILE--
<?php
echo "Creating private key\n";
$key = openssl_pkey_new();
if ($key === false)
    die("failed to create private key\n");

echo "Creating new SPKAC\n";
if (!function_exists("openssl_spki_new"))
    die("openssl_spki_new() does not exist\n");
$spki = openssl_spki_new($key, "sample_challenge_string");
if ($spki === false)
    die("could not create spkac\n");

echo "Verifying SPKAC\n";
if (!function_exists("openssl_spki_verify"))
    die("openssl_spki_verify() does not exist\n");
$x = openssl_spki_verify(preg_replace("/SPKAC=/", "", $spki));
if ($x === false)
    die("could not verify spkac\n");

echo "Exporting challenge\n";
if (!function_exists("openssl_spki_export_challenge"))
    die("openssl_spki_export_challenge() does not exist\n");
$y = openssl_spki_export_challenge(preg_replace("/SPKAC=/", "", $spki));
if ($y !== "sample_challenge_string")
    die("could not verify challenge string from spkac\n");

echo "Exporting public key from SPKAC\n";
if (!function_exists("openssl_spki_export"))
    die("openssl_spki_export() does not exist\n");
$z = openssl_spki_export(preg_replace("/SPKAC=/", '', $spki));
if ($z === "")
    die("could not export public key from spkac\n");

echo "Generating details of SPKAC structure\n";
if (!function_exists("openssl_spki_details"))
    die("openssl_spki_details() does not exist\n");
$w = openssl_spki_details(preg_replace('/SPKAC=/', '', $spki));
if ($w === "")
    die("could not obtain details from spkac\n");

echo "OK!\n";
openssl_free_key($key);
?>
--EXPECT--
Creating private key
Creating new SPKAC
Verifying SPKAC
Exporting challenge
Exporting public key from SPKAC
Generating details of SPKAC structure
OK!
------------------------------------------------------------------------
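Added example, not code from this bug report or from PHP's ext/openssl: a pure-Python model of the server-side check that the test above (and the form script further down) rely on the proposed openssl_spki_verify() and openssl_spki_export_challenge() to perform. It is in Python rather than PHP so it runs without a patched interpreter. build_spkac() produces the DER SignedPublicKeyAndChallenge structure that <keygen> and `openssl spkac -key` emit, signed with a toy 512-bit RSA key generated inside the block (the key size, the seed and every function name here are this example's own choices, not anything from the report); verify_spkac() accepts either the bare base64 a <keygen> form posts or the "SPKAC=..." line, parses strictly, checks the self-signature over the whole PKCS#1 v1.5 encoding, and only then returns the challenge and key parameters, refusing a challenge that differs from the one issued for the request.

```python
"""Decode and verify a Netscape SPKAC (SignedPublicKeyAndChallenge) in pure Python.
Constructed example: a toy 512-bit RSA key (far too small for real use, chosen so this
runs in a fraction of a second with no third-party library) builds the structure that
<keygen> and `openssl spkac -key` emit; verify_spkac() then does the server-side check."""
import base64, hashlib, math, random

OID_RSA = bytes.fromhex("06092a864886f70d010101")         # rsaEncryption, as a DER TLV
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2

def tlv(tag, body):  # DER tag-length-value with short or long-form length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):  # the spare byte keeps the sign bit clear, as DER requires for non-negative INTEGERs
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the low bits give the number of length octets
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    if pos + ln > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + ln], pos + ln

def children(body):  # split a constructed value into (tag, value, raw_tlv) triples
    out, pos = [], 0
    while pos < len(body):
        tag, val, nxt = _read_tlv(body, pos)
        out.append((tag, val, body[pos:nxt]))
        pos = nxt
    return out

def pkcs1_v15_em(message, k):  # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256), k bytes
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def _probable_prime(n, rng, rounds=16):  # Miller-Rabin for odd n > 3
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # number of trailing zero bits of n-1
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_rsa_keypair(bits=512, seed=2011):  # deterministic toy key (n, e, d); size chosen for speed
    rng = random.Random(seed)
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        if p != q and math.gcd(65537, (p - 1) * (q - 1)) == 1:
            return p * q, 65537, pow(65537, -1, (p - 1) * (q - 1))

def build_spkac(n, e, d, challenge):  # returns the base64 text a <keygen> form posts
    rsa_pub = tlv(0x30, der_int(n) + der_int(e))
    spki = tlv(0x30, tlv(0x30, OID_RSA + b"\x05\x00") + tlv(0x03, b"\x00" + rsa_pub))
    pkac = tlv(0x30, spki + tlv(0x16, challenge.encode("ascii")))  # PublicKeyAndChallenge: the signed part
    k = (n.bit_length() + 7) // 8
    sig = pow(int.from_bytes(pkcs1_v15_em(pkac, k), "big"), d, n).to_bytes(k, "big")
    spkac = tlv(0x30, pkac + tlv(0x30, OID_SHA256_RSA + b"\x05\x00") + tlv(0x03, b"\x00" + sig))
    return base64.b64encode(spkac).decode("ascii")

def verify_spkac(spkac_b64, expected_challenge=None):
    """Verify the self-signature, then return challenge and key details; ValueError on any failure."""
    try:  # accepts the bare base64 a <keygen> form posts or the "SPKAC=..." line `openssl spkac` prints
        der = base64.b64decode("".join(spkac_b64.split()).removeprefix("SPKAC="), validate=True)
        tag, body, end = _read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            raise ValueError("not a single DER SEQUENCE")
        (_, pkac, pkac_raw), (_, sig_alg, _), (_, sig_bits, _) = children(body)
        spki, chal = children(pkac)
        key_alg, key_bits = children(spki[1])
        if chal[0] != 0x16 or children(sig_alg)[0][1] != OID_SHA256_RSA[2:]:
            raise ValueError("need an IA5String challenge signed with sha256WithRSAEncryption")
        if children(key_alg[1])[0][1] != OID_RSA[2:] or key_bits[1][:1] + sig_bits[:1] != b"\x00\x00":
            raise ValueError("only RSA keys with byte-aligned BIT STRINGs are handled here")
        n_tlv, e_tlv = children(children(key_bits[1][1:])[0][1])
    except (IndexError, ValueError) as exc:  # ValueError also covers bad base64 and wrong element counts
        raise ValueError(f"malformed SPKAC: {exc}") from None
    n, e = int.from_bytes(n_tlv[1], "big"), int.from_bytes(e_tlv[1], "big")
    k, sig = (n.bit_length() + 7) // 8, sig_bits[1:]
    # Compare the whole encoded message, not just the trailing digest: lenient padding
    # checks are what enabled the 2006 Bleichenbacher e=3 signature forgeries.
    if len(sig) != k or pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") != pkcs1_v15_em(pkac_raw, k):
        raise ValueError("signature does not verify")
    challenge = chal[1].decode("ascii")
    if expected_challenge is not None and challenge != expected_challenge:
        raise ValueError("challenge mismatch: not the value issued for this enrolment")
    return {"challenge": challenge, "modulus_bits": n.bit_length(), "exponent": e}
```

The order of the checks is the point: parse strictly, verify the signature, and only then trust the challenge and the key. The proposed PHP functions are separate calls, so a caller has to act on the result of openssl_spki_verify() before using what openssl_spki_export_challenge() or openssl_spki_export() return; the signature only proves possession of the private key, and the challenge comparison is what ties the SPKAC to this enrolment rather than a replayed one.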
[2011-12-14 12:02:35] [email protected]
Please see the phpt files in ext/openssl/tests/; this is how tests should be written.
Further explanations are available here: http://qa.php.net/
Thanks!
------------------------------------------------------------------------
[2011-12-14 11:40:42] jason dot gerfen at gmail dot com
<form id="spkac" name="spkac" method="post" action="openssl-spki.php">
    <keygen name="spki-key" keytype="rsa" challenge="testing"></keygen>
    <input type="submit">
</form>
<?php
if (!empty($_POST['spki-key'])) {
    echo '<pre>'; print_r($_POST['spki-key']); echo '</pre>';
}

if (empty($_POST['spki-key'])) {
    echo "Generating private key...";
    $key = openssl_pkey_new(array('digest_alg' => 'sha1',
                                  'private_key_type' => OPENSSL_KEYTYPE_RSA,
                                  'private_key_bits' => 2048));
    echo "done<br/>";
    echo "============================<br/>";
}

if (empty($_POST['spki-key'])) {
    echo "Creating SPKAC...<br/>";
    if (function_exists('openssl_spki_new')) {
        $spki = openssl_spki_new($key, 'wtfd00d');
        echo "<pre>".$spki."</pre>";
    }
    echo "<br/>done<br/>";
    echo "============================<br/>";
}

echo "Verifying SPKAC...<br/>";
if (function_exists('openssl_spki_verify')) {
    $y = (empty($_POST['spki-key'])) ?
        openssl_spki_verify(preg_replace('/SPKAC=/', '', $spki)) :
        openssl_spki_verify($_POST['spki-key']);
    var_dump($y);
}
echo "<br/>============================<br/>";

echo "Exporting challenge from SPKAC...<br/>";
if (function_exists('openssl_spki_export_challenge')) {
    $x = (empty($_POST['spki-key'])) ?
        openssl_spki_export_challenge(preg_replace('/SPKAC=/', '', $spki)) :
        openssl_spki_export_challenge($_POST['spki-key']);
    echo $x;
}
echo "<br/>done<br/>";
echo "============================<br/>";

echo "Exporting public key from SPKAC...<br/>";
if (function_exists('openssl_spki_export')) {
    $z = (empty($_POST['spki-key'])) ?
        openssl_spki_export(preg_replace('/SPKAC=/', '', $spki)) :
        openssl_spki_export($_POST['spki-key']);
    echo '<pre>'; print_r($z); echo '</pre>';
}
echo "<br/>============================<br/>";

echo "SPKAC details...<br/>";
if (function_exists('openssl_spki_details')) {
    $w = (empty($_POST['spki-key'])) ?
        openssl_spki_details(preg_replace('/SPKAC=/', '', $spki)) :
        openssl_spki_details($_POST['spki-key']);
    echo '<pre>'; print_r($w); echo '</pre>';
}
echo "done<br/>";
echo "============================<br/>";

if (empty($_POST['spki-key'])) {
    openssl_free_key($key);
}
?>
------------------------------------------------------------------------
[2011-12-13 17:04:07] [email protected]
Hi!
Thanks for the patch; please add some test cases as well (phpt format) so we can easily validate the new functions.
Also be sure that the patched ext/openssl can still be built against older OpenSSL versions, as we still support them (the 0.9.x series for trunk and 5.4).
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=38917