wez Sun Apr 30 23:43:40 2006 UTC Modified files: (Branch: PHP_5_1) /php-src/ext/openssl openssl.c xp_ssl.c Log: Add two new context options for ssl: "capture_peer_cert" and "capture_peer_cert_chain" If true, the peer certificate and peer certificate chain respectively will be captured and made available in the ssl context variables "peer_certificate" and "peer_certificate_chain" respectively. The certificates are exposed as x509 certificate resources and can be inspected using the existing openssl extension functions. This allows applications to perform extended validation. http://cvs.php.net/viewcvs.cgi/php-src/ext/openssl/openssl.c?r1=1.98.2.4&r2=1.98.2.5&diff_format=u
Index: php-src/ext/openssl/openssl.c
diff -u php-src/ext/openssl/openssl.c:1.98.2.4 php-src/ext/openssl/openssl.c:1.98.2.5
--- php-src/ext/openssl/openssl.c:1.98.2.4 Sun Jan 1 12:50:10 2006
+++ php-src/ext/openssl/openssl.c Sun Apr 30 23:43:40 2006
@@ -18,7 +18,7 @@
 +----------------------------------------------------------------------+
 */
-/* $Id: openssl.c,v 1.98.2.4 2006/01/01 12:50:10 sniper Exp $ */
+/* $Id: openssl.c,v 1.98.2.5 2006/04/30 23:43:40 wez Exp $ */
 #ifdef HAVE_CONFIG_H
 #include "config.h"
@@ -156,6 +156,11 @@
 static int le_csr;
 static int ssl_stream_data_index;
+int php_openssl_get_x509_list_id(void)
+{
+ return le_x509;
+}
+
 /* {{{ resource destructors */
 static void php_pkey_free(zend_rsrc_list_entry *rsrc TSRMLS_DC)
 {
http://cvs.php.net/viewcvs.cgi/php-src/ext/openssl/xp_ssl.c?r1=1.22.2.2&r2=1.22.2.3&diff_format=u
Index: php-src/ext/openssl/xp_ssl.c
diff -u php-src/ext/openssl/xp_ssl.c:1.22.2.2 php-src/ext/openssl/xp_ssl.c:1.22.2.3
--- php-src/ext/openssl/xp_ssl.c:1.22.2.2 Sun Jan 1 12:50:10 2006
+++ php-src/ext/openssl/xp_ssl.c Sun Apr 30 23:43:40 2006
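Review bot: `php_openssl_get_x509_list_id` is introduced as an undocumented external function with no declaration in a shared header; the xp_ssl.c hunk on this page redeclares its prototype by hand, which is exactly the kind of duplicate declaration that drifts silently when the signature changes. Declare it once in the extension's header that both files already include and give the definition a one-line comment such as `/* Resource list id for X509 handles; lets xp_ssl.c register captured peer certificates as x509 resources usable by the existing openssl extension functions. */`. Since it merely returns the file-static `le_x509`, readers also need to know that the value is only meaningful once that list id has been registered, which the function itself does not check.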
@@ -16,7 +16,7 @@
 +----------------------------------------------------------------------+
 */
-/* $Id: xp_ssl.c,v 1.22.2.2 2006/01/01 12:50:10 sniper Exp $ */
+/* $Id: xp_ssl.c,v 1.22.2.3 2006/04/30 23:43:40 wez Exp $ */
 #include "php.h"
 #include "ext/standard/file.h"
@@ -33,6 +33,7 @@
 int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream *stream TSRMLS_DC);
 SSL *php_SSL_new_from_context(SSL_CTX *ctx, php_stream *stream TSRMLS_DC);
+int php_openssl_get_x509_list_id(void);
 /* This implementation is very closely tied to the that of the native
 * sockets implemented in the core.
@@ -414,9 +415,63 @@
 SSL_shutdown(sslsock->ssl_handle);
 } else {
 sslsock->ssl_active = 1;
+
+ /* allow the script to capture the peer cert
+ * and/or the certificate chain */
+ if (stream->context) {
+ zval **val, *zcert;
+
+ if (SUCCESS == php_stream_context_get_option(
+ stream->context, "ssl",
+ "capture_peer_cert", &val) &&
+ zval_is_true(*val)) {
+ MAKE_STD_ZVAL(zcert);
+ ZVAL_RESOURCE(zcert, zend_list_insert(peer_cert,
+ php_openssl_get_x509_list_id()));
+ php_stream_context_set_option(stream->context,
+ "ssl", "peer_certificate",
+ zcert);
+ peer_cert = NULL;
+ }
+
+ if (SUCCESS == php_stream_context_get_option(
+ stream->context, "ssl",
+ "capture_peer_cert_chain", &val) &&
+ zval_is_true(*val)) {
+ zval *arr;
+ STACK_OF(X509) *chain;
+
+ MAKE_STD_ZVAL(arr);
+ chain = SSL_get_peer_cert_chain(
+ sslsock->ssl_handle);
+
+ if (chain) {
+ int i;
+ array_init(arr);
+
+ for (i = 0; i < sk_X509_num(chain); i++) {
+ X509 *mycert = X509_dup(
+ sk_X509_value(chain, i));
+ MAKE_STD_ZVAL(zcert);
+ ZVAL_RESOURCE(zcert,
+ zend_list_insert(mycert,
+ php_openssl_get_x509_list_id()));
+ add_next_index_zval(arr, zcert);
+ }
+ } else {
+ ZVAL_NULL(arr);
+ }
+
+ php_stream_context_set_option(stream->context,
+ "ssl", "peer_certificate_chain",
+ arr);
+ }
+ }
 }
- X509_free(peer_cert);
+ if (peer_cert) {
+ X509_free(peer_cert);
+ }
 } else {
 n = errno == EAGAIN ? 0 : -1;
 }
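Review bot: In the capture_peer_cert branch `peer_cert` is handed to `zend_list_insert` without a NULL check; whether it can be NULL here depends on the enclosing function, which starts outside the hunk, but SSL_get_peer_certificate returns NULL whenever the peer presented no certificate, and unless an earlier check excludes that path a script would receive an x509 resource wrapping a NULL pointer that the inspection functions then dereference. Guard the branch with `if (peer_cert && SUCCESS == php_stream_context_get_option(` and, in the chain loop, test the `X509_dup` result before registering it for the same reason. The zvals created with `MAKE_STD_ZVAL` (`zcert` and `arr`) are passed to `php_stream_context_set_option` and never released by this code; if that call copies its argument rather than taking ownership, every handshake leaks a zval and, through the extra resource reference, the certificate itself, so release the local after the call in whichever way matches the context API's ownership rule. The comment should also say what is being exposed, e.g. `/* Captured material is exactly what the peer sent; nothing here re-validates it, so a script inspecting these resources must apply its own checks. */`, since the presence of a captured chain says nothing about whether verification succeeded.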