ID: 42886
Updated by: [EMAIL PROTECTED]
Reported By: tokul at users dot sourceforge dot net
-Status: Assigned
+Status: Analyzed
Bug Type: OpenSSL related
Operating System: Linux Debian Etch
PHP Version: 5CVS-2008-11-01
Assigned To: pajoye
New Comment:
It seems to be a bug in the openssl directly. I have tried with many
different certs and many failed (including the one available in the
openssl's demo directory).
I have to work on other things now, the fix may require to duplicate
the x509_verify_cert code (partially or completely).
tested with 0.98g and 0.9.8i
Previous Comments:
------------------------------------------------------------------------
[2008-11-01 21:13:07] tokul at users dot sourceforge dot net
php 5.2-200811011530
Test result is the same. It is impossible to verify purpose of
certificate, because function returns integer value which is evaluated
as false even when certificate can be used for SMIME signatures.
I don't know options that Thawte used to generate certificate. I've
accepted default options with 2048-bit encryption for Mozilla
Firefox/Thunderbird.
Here goes already expired certificate used for initial bug report.
-----BEGIN CERTIFICATE-----
MIIC8DCCAlmgAwIBAgIQS8GxvbV7pghz0FD/I7rVVjANBgkqhkiG9w0BAQUFADBi
MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg
THRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3Vpbmcg
Q0EwHhcNMDcwMjI0MDYyMzA0WhcNMDgwMjI0MDYyMzA0WjBNMR8wHQYDVQQDExZU
aGF3dGUgRnJlZW1haWwgTWVtYmVyMSowKAYJKoZIhvcNAQkBFht0b2t1bEB1c2Vy
cy5zb3VyY2Vmb3JnZS5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDQALcUK5moBKz5tHqYcquqb8seEKgzDbFJ3Nko8VEyVy1vnwKtHkNeXuMv1mbH
2dhkvI2JtWpNte36bzLErQHzZhnehAdRb3RIlLrASxkn4btidkWasYjqhtMI1sGL
D+7wFdC4rSfdYwRUto8zrB5FeoNakJre8gmljqwm18fh5ZMsiWboXdKVVCa8ALBk
P5dZ7gYElfNj3FJSjqo0Efs5yQn8EsY+uDNTH+y8HE5Sqq0mkuLw/7WIO5PCsQAF
xTsEo2dqnj3us9KGgNGkR4JRp17NPfNofLs26w7H2n3oAmjMaM51U5lpPOSh0Nm7
uwrpsWnE84Jm2I/9WhhuSOEJAgMBAAGjODA2MCYGA1UdEQQfMB2BG3Rva3VsQHVz
ZXJzLnNvdXJjZWZvcmdlLm5ldDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBQUA
A4GBAJlmrYGSeE00IK7WR+05BT0g6YigfIoKLbeTJu25oVHN8dBLU0Jjx5KZRfZQ
BCt/8CVBNxNwwKRQnQ36M4Hq0YLa+bBYq3pJPbL62Ffj7mLHhDkFvJw/sgQ1I7jH
URvzt58Hw3B34wEHzqnzcsFOPxNZN3aU4BTnbUBTUjkVVpuZ
-----END CERTIFICATE-----
------------------------------------------------------------------------
[2008-10-31 08:49:37] [EMAIL PROTECTED]
Please provide a sample certificate to reproduce this problem or the
values you used to create a similar certificate.
------------------------------------------------------------------------
[2007-10-08 10:52:55] tokul at users dot sourceforge dot net
Description:
------------
According to last chapter in openssl_x509_checkpurpose() manual
function should return true, false or int(-1). Synopsis line shows that
function returns integer.
If I check public certificate file with OpenSSL binary (openssl x509
-purpose -in certfile.pem), it shows purposes as
----
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
----
If I check it with PHP
----
var_dump(openssl_x509_checkpurpose(file_get_contents('./certfile.pem'),X509_PURPOSE_SMIME_SIGN));
---
it returns int(0). Int(0) is evaluated as boolean false in PHP.
Tested PHP 5.2.0 and PHP 5.2-dev (200710080830). OpenSSL 0.9.8c (Debian
0.9.8c-4 package). Used Thawte free email certificate for testing.
Certificate is valid from 2007.02.24 till 2008.02.24. System clock is
correct.
Reproduce code:
---------------
var_dump(openssl_x509_checkpurpose(file_get_contents('./certfile.pem'),X509_PURPOSE_SMIME_SIGN));
Expected result:
----------------
bool(true) or int(1)
Actual result:
--------------
int(0)
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=42886&edit=1
