Edit report at http://bugs.php.net/bug.php?id=48520&edit=1

 ID:               48520
 Comment by:       nirfri at hotmail dot com
 Reported by:      php at divinehawk dot com
 Summary:          openssl_csr_new does not allow multiple values/field
                   in dn
 Status:           Assigned
 Type:             Bug
 Package:          OpenSSL related
 Operating System: *
 PHP Version:      5.2.9
 Assigned To:      pajoye

 New Comment:

This patch doesn't work on multiple CNs.

"commonName" => array("test2", "test")

Is this fixed in 5.3.2?


Previous Comments:
------------------------------------------------------------------------
[2009-06-10 18:38:44] php at divinehawk dot com

Patch against 5.3:

--- openssl.c   20 Apr 2009 09:44:29 -0000      1.98.2.5.2.41.2.29

+++ openssl.c   10 Jun 2009 18:36:57 -0000

@@ -1998,7 +1998,9 @@

                CONF_VALUE * v;

                X509_NAME * subj;

                HashPosition hpos;

+               HashPosition subhpos;

                zval ** item;

+               zval ** subitem;

                

                subj = X509_REQ_get_subject_name(csr);

                /* apply values from the dn hash */

@@ -2010,6 +2012,29 @@

                        

                        zend_hash_get_current_key_ex(HASH_OF(dn), &strindex, 
&strindexlen,
&intindex, 0, &hpos);

 

+                       if(Z_TYPE_PP(item) == IS_ARRAY && strindex) {

+                               /* multi-value string */

+                               int nid;

+                               nid = OBJ_txt2nid(strindex);

+                                       

+                               if (nid != NID_undef) {

+                                       
zend_hash_internal_pointer_reset_ex(HASH_OF(*item), &subhpos);

+                                       
while(zend_hash_get_current_data_ex(HASH_OF(*item),
(void**)&subitem, &subhpos) == SUCCESS) {        

+                                               convert_to_string_ex(subitem);

+                                               if 
(!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_ASC, 

+                                                               (unsigned 
char*)Z_STRVAL_PP(subitem), -1, -1, 1)) {

+                                                       php_error_docref(NULL 
TSRMLS_CC, E_WARNING, "dn:
add_entry_by_NID %d -> %s (failed)", nid, Z_STRVAL_PP(subitem));

+                                                       return FAILURE;

+                                               }

+                                               
zend_hash_move_forward_ex(HASH_OF(dn), &subhpos);

+                                       }

+                               } else {

+                                       php_error_docref(NULL TSRMLS_CC, 
E_WARNING, "dn: %s is not a
recognized name", strindex);

+                               }

+                               zend_hash_move_forward_ex(HASH_OF(dn), &hpos);

+                               continue;

+                       }

+

                        convert_to_string_ex(item);

 

                        if (strindex) {
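Review bot: the inner loop steps its cursor with the wrong hash table: `zend_hash_move_forward_ex(HASH_OF(dn), &subhpos);` passes the outer `dn` array, while `subhpos` was reset on and is being read from `HASH_OF(*item)`; it should be `zend_hash_move_forward_ex(HASH_OF(*item), &subhpos);`. Even if the engine's forward step happens to follow the bucket list and work by accident, the table and the position must belong together. Second, the array branch advances `hpos` itself (`zend_hash_move_forward_ex(HASH_OF(dn), &hpos);`) and then `continue`s; the loop header is outside this hunk, but if it is a `for` whose third clause already advances `hpos`, every array-valued field makes the loop skip the DN entry that follows it, which would show up as a silently shorter subject. Either drop the explicit advance or move the increment into the loop body for both paths. Third, an empty array for a key adds no entry and raises no warning; a `zend_hash_num_elements` check with a warning would make that visible instead of producing a CSR with a missing field. The maintainer asked for test cases with the 5.3 patch; a .phpt that builds a CSR with a repeated OU and reads the subject back would cover all three points.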

------------------------------------------------------------------------
[2009-06-10 16:29:39] paj...@php.net



Thanks for your work :)

We need a patch against 5.3+ as well as test cases.

PHP 5.2 won't get new features (only bug fixes).


------------------------------------------------------------------------
[2009-06-10 16:25:12] php at divinehawk dot com

Patch:

--- php-5.2.9/ext/openssl/openssl.c.orig        2009-06-10 06:55:27.000000000
-0400

+++ php-5.2.9/ext/openssl/openssl.c     2009-06-10 06:56:56.000000000 -0400

@@ -1707,7 +1707,9 @@

                CONF_VALUE * v;

                X509_NAME * subj;

                HashPosition hpos;

+               HashPosition subhpos;

                zval ** item;

+               zval ** subitem;

                

                subj = X509_REQ_get_subject_name(csr);

                /* apply values from the dn hash */

@@ -1719,6 +1721,32 @@

                        

                        zend_hash_get_current_key_ex(HASH_OF(dn), &strindex, 
&strindexlen,
&intindex, 0, &hpos);

 

+                       if(Z_TYPE_PP(item) == IS_ARRAY && strindex)

+                       {

+                               /* multi-value string */

+                               int nid;

+                               nid = OBJ_txt2nid(strindex);

+                                       

+                               if (nid != NID_undef) {

+                                       
zend_hash_internal_pointer_reset_ex(HASH_OF(*item), &subhpos);

+                                       
while(zend_hash_get_current_data_ex(HASH_OF(*item),
(void**)&subitem, &subhpos) == SUCCESS)

+                                       {        

+                                               convert_to_string_ex(subitem);

+                                               if 
(!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_ASC, 

+                                                               (unsigned 
char*)Z_STRVAL_PP(subitem), -1, -1, 1))

+                                               {

+                                                       php_error_docref(NULL 
TSRMLS_CC, E_WARNING, "dn:
add_entry_by_NID %d -> %s (failed)", nid, Z_STRVAL_PP(subitem));

+                                                       return FAILURE;

+                                               }

+                                               
zend_hash_move_forward_ex(HASH_OF(dn), &subhpos);

+                                       }

+                               } else {

+                                       php_error_docref(NULL TSRMLS_CC, 
E_WARNING, "dn: %s is not a
recognized name", strindex);

+                               }

+                               zend_hash_move_forward_ex(HASH_OF(dn), &hpos);

+                               continue;

+                       }

+

                        convert_to_string_ex(item);

 

                        if (strindex) {
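Review bot: same defect as in the later 5.3 version of this change: `zend_hash_move_forward_ex(HASH_OF(dn), &subhpos);` inside the `while` passes the outer `dn` table, but `subhpos` is the cursor over `HASH_OF(*item)` that the preceding `zend_hash_internal_pointer_reset_ex` set up, so the call should name `HASH_OF(*item)`. The explicit `zend_hash_move_forward_ex(HASH_OF(dn), &hpos);` before `continue;` also needs checking against the loop header above the hunk: if that header already advances `hpos` per iteration, an array-valued field causes the next DN entry to be skipped. Both patches are otherwise the same change apart from brace placement, so fixing one and regenerating the other keeps them in sync; the 5.2 branch is bug-fix only per the maintainer, so the 5.3 version is the one that needs the test.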

------------------------------------------------------------------------
[2009-06-10 16:23:27] php at divinehawk dot com

Description:
------------
With the latest 5.2 (and trunk), you can't have multiple fields with the
same name in the DN.

E.g. it's impossible to produce CN=server, OU=Company, OU=Division,
OU=Sector, O=Organization

Reproduce code:
---------------
<?php
$dn = array(
    "commonName"             => "server",
    "organizationalUnitName" => array("Company", "Division", "Section"),
    "organizationName"       => "Organization",
);

$privkey = openssl_pkey_new();
$csr = openssl_csr_new($dn, $privkey);

openssl_csr_export($csr, $csrout);
file_put_contents("test.csr", $csrout);

Expected result:
----------------
openssl req -in test.csr -noout -subject

subject=/CN=server/OU=Company/OU=Division/OU=Section/O=Organization

Actual result:
--------------
PHP Notice:  Array to string conversion in /var/www/html/bug/cert.php on
line 9

Then:

openssl req -in test.csr -noout -subject

subject=/CN=server/OU=Array/O=Organization

------------------------------------------------------------------------
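A defensive check for the scenario in this report, added here as an example; it is not code from the report or from php-src. It builds the CSR from the same DN shape and then reads the subject back with openssl_csr_get_subject() before anything is written to disk, so a request whose multi-valued field was flattened to the literal string "Array", or that is missing any requested value, is refused instead of being submitted to a CA. The helper names are hypothetical.

```php
<?php
// Added example (not from the bug report or php-src): confirm that a CSR
// carries every DN value that was requested before it leaves the machine.

function expected_subject_entries(array $dn)
{
    // Flatten the DN into an ordered list of (field, value) pairs; a field
    // given as an array contributes one pair per element.
    $pairs = array();
    foreach ($dn as $field => $value) {
        foreach ((array) $value as $v) {
            $pairs[] = array($field, (string) $v);
        }
    }
    return $pairs;
}

function actual_subject_entries($csr)
{
    // With $use_shortnames = false the result is keyed by long name
    // ("commonName", "organizationalUnitName", ...). A field that occurs
    // more than once in the subject comes back as an array of values.
    $subject = openssl_csr_get_subject($csr, false);
    $pairs = array();
    foreach ($subject as $field => $value) {
        foreach ((array) $value as $v) {
            $pairs[] = array($field, (string) $v);
        }
    }
    return $pairs;
}

function check_csr_subject(array $dn, $csr, array &$problems)
{
    $problems = array();
    $expected = expected_subject_entries($dn);
    $actual   = actual_subject_entries($csr);

    // The symptom from this report: a multi-valued field stringified to "Array".
    foreach ($actual as $pair) {
        if ($pair[1] === 'Array') {
            $problems[] = "field {$pair[0]} was stringified to 'Array'";
        }
    }
    // Every requested (field, value) pair must be present in the CSR.
    foreach ($expected as $pair) {
        if (!in_array($pair, $actual, true)) {
            $problems[] = "missing {$pair[0]}={$pair[1]}";
        }
    }
    return count($problems) === 0;
}

// Same DN shape as the reproduce code above (constructed sample input).
$dn = array(
    "commonName"             => "server",
    "organizationalUnitName" => array("Company", "Division", "Section"),
    "organizationName"       => "Organization",
);

$privkey = openssl_pkey_new();
$csr = openssl_csr_new($dn, $privkey);
if ($csr === false) {
    fwrite(STDERR, "openssl_csr_new failed: " . openssl_error_string() . "\n");
    exit(1);
}

$problems = array();
if (!check_csr_subject($dn, $csr, $problems)) {
    fwrite(STDERR, "refusing to write CSR:\n  " . implode("\n  ", $problems) . "\n");
    exit(1);
}

openssl_csr_export($csr, $csrout);
file_put_contents("test.csr", $csrout);
```

On a build without the fix the script prints the "Array to string conversion" notice, reports "field organizationalUnitName was stringified to 'Array'" plus the three missing OU values, and exits non-zero without creating test.csr; on a fixed build it writes the file and the subject matches the expected `openssl req -subject` output.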


