wez             Sun Apr 30 23:43:40 2006 UTC

  Modified files:              (Branch: PHP_5_1)
    /php-src/ext/openssl        openssl.c xp_ssl.c 
  Log:
  Add two new context options for ssl:
  
  "capture_peer_cert" and "capture_peer_cert_chain"
  
  If true, the peer certificate and peer certificate chain will be captured and
  made available in the ssl context variables "peer_certificate" and
  "peer_certificate_chain" respectively.  The certificates are exposed as x509
  certificate resources and can be inspected using the existing openssl
  extension functions.
  
  This allows applications to perform extended validation.
  
  
  
http://cvs.php.net/viewcvs.cgi/php-src/ext/openssl/openssl.c?r1=1.98.2.4&r2=1.98.2.5&diff_format=u
Index: php-src/ext/openssl/openssl.c
diff -u php-src/ext/openssl/openssl.c:1.98.2.4 
php-src/ext/openssl/openssl.c:1.98.2.5
--- php-src/ext/openssl/openssl.c:1.98.2.4      Sun Jan  1 12:50:10 2006
+++ php-src/ext/openssl/openssl.c       Sun Apr 30 23:43:40 2006
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: openssl.c,v 1.98.2.4 2006/01/01 12:50:10 sniper Exp $ */
+/* $Id: openssl.c,v 1.98.2.5 2006/04/30 23:43:40 wez Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include "config.h"
@@ -156,6 +156,11 @@
 static int le_csr;
 static int ssl_stream_data_index;
 
+int php_openssl_get_x509_list_id(void)
+{
+       return le_x509;
+}
+
 /* {{{ resource destructors */
 static void php_pkey_free(zend_rsrc_list_entry *rsrc TSRMLS_DC)
 {
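Review bot: php_openssl_get_x509_list_id is given external linkage so another translation unit can register x509 resources, but it carries no comment saying so, and the static `le_x509` it returns is otherwise private to this file. A one-line header comment such as `/* Resource-list id for x509 certificate resources; lets xp_ssl.c register captured peer certificates under the same type. */` would tell a later reader why the accessor exists instead of a direct extern.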
http://cvs.php.net/viewcvs.cgi/php-src/ext/openssl/xp_ssl.c?r1=1.22.2.2&r2=1.22.2.3&diff_format=u
Index: php-src/ext/openssl/xp_ssl.c
diff -u php-src/ext/openssl/xp_ssl.c:1.22.2.2 
php-src/ext/openssl/xp_ssl.c:1.22.2.3
--- php-src/ext/openssl/xp_ssl.c:1.22.2.2       Sun Jan  1 12:50:10 2006
+++ php-src/ext/openssl/xp_ssl.c        Sun Apr 30 23:43:40 2006
@@ -16,7 +16,7 @@
   +----------------------------------------------------------------------+
 */
 
-/* $Id: xp_ssl.c,v 1.22.2.2 2006/01/01 12:50:10 sniper Exp $ */
+/* $Id: xp_ssl.c,v 1.22.2.3 2006/04/30 23:43:40 wez Exp $ */
 
 #include "php.h"
 #include "ext/standard/file.h"
@@ -33,6 +33,7 @@
 
 int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream 
*stream TSRMLS_DC);
 SSL *php_SSL_new_from_context(SSL_CTX *ctx, php_stream *stream TSRMLS_DC);
+int php_openssl_get_x509_list_id(void);
 
 /* This implementation is very closely tied to the that of the native
  * sockets implemented in the core.
@@ -414,9 +415,63 @@
                                SSL_shutdown(sslsock->ssl_handle);
                        } else {        
                                sslsock->ssl_active = 1;
+
+                               /* allow the script to capture the peer cert
+                                * and/or the certificate chain */
+                               if (stream->context) {
+                                       zval **val, *zcert;
+
+                                       if (SUCCESS == 
php_stream_context_get_option(
+                                                               
stream->context, "ssl",
+                                                               
"capture_peer_cert", &val) &&
+                                                       zval_is_true(*val)) {
+                                               MAKE_STD_ZVAL(zcert);
+                                               ZVAL_RESOURCE(zcert, 
zend_list_insert(peer_cert, 
+                                                                       
php_openssl_get_x509_list_id()));
+                                               
php_stream_context_set_option(stream->context,
+                                                               "ssl", 
"peer_certificate",
+                                                               zcert);
+                                               peer_cert = NULL;
+                                       }
+
+                                       if (SUCCESS == 
php_stream_context_get_option(
+                                                               
stream->context, "ssl",
+                                                               
"capture_peer_cert_chain", &val) &&
+                                                       zval_is_true(*val)) {
+                                               zval *arr;
+                                               STACK_OF(X509) *chain;
+
+                                               MAKE_STD_ZVAL(arr);
+                                               chain = SSL_get_peer_cert_chain(
+                                                                       
sslsock->ssl_handle);
+
+                                               if (chain) {
+                                                       int i;
+                                                       array_init(arr);
+
+                                                       for (i = 0; i < 
sk_X509_num(chain); i++) {
+                                                               X509 *mycert = 
X509_dup(
+                                                                               
sk_X509_value(chain, i));
+                                                               
MAKE_STD_ZVAL(zcert);
+                                                               
ZVAL_RESOURCE(zcert,
+                                                                               
zend_list_insert(mycert,
+                                                                               
        php_openssl_get_x509_list_id()));
+                                                               
add_next_index_zval(arr, zcert);
+                                                       }
+                                               } else {
+                                                       ZVAL_NULL(arr);
+                                               }
+
+                                               
php_stream_context_set_option(stream->context,
+                                                               "ssl", 
"peer_certificate_chain",
+                                                               arr);
+                                       }
+                               }
                        }
 
-                       X509_free(peer_cert);
+                       if (peer_cert) {
+                               X509_free(peer_cert);
+                       }
                } else  {
                        n = errno == EAGAIN ? 0 : -1;
                }
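Review bot: The zvals created with MAKE_STD_ZVAL for `zcert` and `arr` are passed to php_stream_context_set_option and then dropped without a release; if that function stores its own copy or reference of the option value (its implementation is not in this diff), the wrapper zval, and for the chain the array it heads, leaks on every handshake where capture is enabled. Releasing them after the set_option calls (`FREE_ZVAL(zcert);` for the single certificate, `zval_ptr_dtor(&arr);` for the chain array) would close that, assuming those copy semantics hold. Separately, the X509_dup result is handed to zend_list_insert without a NULL check, so an allocation failure registers a NULL x509 resource in the chain array; `if (!mycert) { continue; }` (or abandoning the capture) keeps the exposed chain well-formed. It is also worth a comment at the SSL_get_peer_cert_chain call that it returns the chain as presented by the peer, not a verified path, so scripts doing extended validation should treat it as untrusted input to inspect rather than as an already-validated result. The enclosing function starts and ends outside this hunk.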
