From:             arnaud dot bertrand at apvsys dot org
Operating system: win32 & Linux
PHP version:      4.3.4
PHP Bug Type:     OpenSSL related
Bug description:  when openssl_pkcs7_verify fails once, it fails next time even if it should not

Description:
------------
The function openssl_pkcs7_verify has a strange behaviour just after a verification has reported a bad signature.

When the verification reports a good signature, no problem.

When it reports a bad signature, it works, BUT the next time the function is called (if it is a short time later), the access to the CA certificate fails and it reports a bad signature even if it is a correct one.

Reproduce code:
---------------
Here is the function I use

///////////////// BEGIN
function CheckMailSignature($filename)
{
    global $CertificatDir;
    global $CertificatFile;

    echo("Processing file: $filename<br>\n");
    echo("Certificate: $CertificatDir<br>\n");
    chdir($CertificatDir);

    // Temporary file that receives the signer's certificate
    $tmp_cert = tempnam("", "crt");

    // Verify against the CA directory and the CA file
    $res = openssl_pkcs7_verify($filename, 0, $tmp_cert,
                                array($CertificatDir, "$CertificatDir/$CertificatFile"));

    if ($res === false)
        echo("Digital Signature BAD!<br>\n");
    else if ($res === -1)
        echo("Error while verifying digital signature ($res)!<br>\n");
    else {
        echo("Digital Signature OK!<br>\n");
        $cert_info = openssl_x509_parse("file://$tmp_cert");
        echo("Common name: '".$cert_info['subject']['CN']."'<br>\n");
        echo("E-mail: '".$cert_info['subject']['Email']."'<br>\n");
        unlink($tmp_cert);
        return true;
    }
    unlink($tmp_cert);
    return false;
}
//////////////// END

Expected result:
----------------
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: '[EMAIL PROTECTED]'

// now check a bad one
Processing file: c:/test/abe-0-bad.txt
Certificate: c:/metadoc-iba/cert
Digital Signature BAD!

// Now check the correct one again
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: '[EMAIL PROTECTED]'

Actual result:
--------------
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: '[EMAIL PROTECTED]'

// now check a bad one
Processing file: c:/test/abe-0-bad.txt
Certificate: c:/metadoc-iba/cert
Digital Signature BAD!

// Now check the correct one again
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Warning: openssl_pkcs7_verify() [function.openssl-pkcs7-verify]: error loading file c:/cert/thawte_freemail.cer in c:\cvswork\ntmetapro\mailsign.php on line 12
Digital Signature BAD!

// Waiting a few minutes or restarting apache:
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: '[EMAIL PROTECTED]'

--
Edit bug report at http://bugs.php.net/?id=27585&edit=1
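
A regression check for the sequence reported above (good, bad, good) run inside a single PHP process, added here as an example; it is not part of the original report or of the PHP source. The self-signed certificate, helper names, file names and message text are constructed, and it assumes PHP 7 or later with the openssl extension and a usable openssl.cnf.

```php
<?php
// Added example: constructed fixtures, hypothetical helper and file names.

// Create a throwaway self-signed signer plus one intact and one tampered message.
function build_fixtures(string $dir): array
{
    $cfg = ['digest_alg' => 'sha256', 'private_key_bits' => 2048];
    $key = openssl_pkey_new($cfg);
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    $csr  = openssl_csr_new(['commonName' => 'Constructed Test Signer'], $key, $cfg);
    $cert = openssl_csr_sign($csr, null, $key, 1, $cfg); // self-signed, valid 1 day
    openssl_x509_export_to_file($cert, "$dir/ca.pem");

    file_put_contents("$dir/body.txt", "constructed test message\n");
    if (!openssl_pkcs7_sign("$dir/body.txt", "$dir/good.eml", $cert, $key, [])) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    // Tamper with the clear-text part so the signed digest no longer matches.
    $signed = file_get_contents("$dir/good.eml");
    file_put_contents("$dir/bad.eml", str_replace('test message', 'TEST message', $signed));

    return ['good' => "$dir/good.eml", 'bad' => "$dir/bad.eml", 'ca' => "$dir/ca.pem"];
}

// One verification; maps the three documented return values (true, false, -1).
function verify_once(string $signed, string $caFile): string
{
    $signer = tempnam(sys_get_temp_dir(), 'crt');
    $res = openssl_pkcs7_verify($signed, 0, $signer, [$caFile]);
    unlink($signer);
    if ($res === true) {
        return 'OK';
    }
    return $res === -1 ? 'ERROR' : 'BAD';
}

$dir = sys_get_temp_dir() . '/pkcs7_seq_' . getmypid();
mkdir($dir);
$f = build_fixtures($dir);
$results = [];
foreach (['good', 'bad', 'good'] as $which) {
    $results[] = verify_once($f[$which], $f['ca']);
    echo "$which -> ", end($results), "\n";
}
$consistent = ($results === ['OK', 'BAD', 'OK']);
echo $consistent ? "sequence consistent\n" : "result of a failed call affected the next call\n";
array_map('unlink', glob("$dir/*"));
rmdir($dir);
exit($consistent ? 0 : 1);
```

Run it from the CLI and again under the web server SAPI, since the report says the failure clears after waiting or restarting Apache.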