Edit report at https://bugs.php.net/bug.php?id=38917&edit=1
ID: 38917
Comment by: jason dot gerfen at gmail dot com
Reported by: zeph at purotesto dot it
Summary: OpenSSL: signing function for spkac
Status: Feedback
Type: Feature/Change Request
Package: OpenSSL related
Operating System: Irrelevant
PHP Version: trunk
Block user comment: N
Private report: N

New Comment:

I have added the requested test case and it is included in the patch as 026.phpt. I have also performed the required testing against OpenSSL 0.9.8x and 1.0.0x. It is attached to the original bug report #38917.

In addition to attaching the proposed patch I have created a GitHub repo to make maintenance on the patch simple for myself. The URL is https://github.com/jas-/SPKAC-PHP-OpenSSL.

Previous Comments:
------------------------------------------------------------------------
[2011-12-21 10:49:08] jason dot gerfen at gmail dot com

Once again, please disregard the last message. After researching the documentation I found that the openssl_csr_sign() argument where I had been using NULL allows for a CA option as well as the SPKAC addition to the configargs optional array.

The patch was updated last night to include the 026.phpt test script, as well as the five new functions to work with the SPKI provided by keygen tags.

How do patch inclusions work besides posting them to the php internals list?

------------------------------------------------------------------------
[2011-12-14 22:10:52] jason dot gerfen at gmail dot com

Please disregard my previous comment. I did a little more digging and am under the impression that adding the following to the php_openssl_make_REQ() function should allow me to create a self-signed certificate using the SPKAC NID, like so?
    /* inside the loop over the DN entries in php_openssl_make_REQ() */
    if (strcmp(strindex, "SPKAC") == 0) {
        if (!X509_NAME_add_entry_by_txt(subj, strindex, MBSTRING_ASC,
                                        (unsigned char *)Z_STRVAL_PP(item), -1, -1, 0)) {
            php_error_docref(NULL TSRMLS_CC, E_WARNING,
                             "dn: add_entry_by_txt %s -> %s (failed)",
                             strindex, Z_STRVAL_PP(item));
            return FAILURE;
        }
    }

Would you recommend another method? Please advise.

------------------------------------------------------------------------
[2011-12-14 19:40:20] jason dot gerfen at gmail dot com

One other question about using SPKACs when creating an x509. It seems the current method, using openssl_csr_new(), which in turn calls php_openssl_make_REQ() to assign the specified DN attributes, has no method of adding the SPKAC field. After digging around it seems logical to use OBJ_create() and the OBJ_* family of functions to add the NID. Please forgive me if I am way off here, but is there any direction you could point me in, using the existing functions, to output and sign a certificate similar to the following command?

    openssl ca -config /path/to/openssl.conf -days 180 -notext -batch \
        -spkac /path/to/cert.pem -out /path/to/signed.pem -passin pass:'random'

My assumption is that I will need to create one specifically for this purpose but would like your insight.

------------------------------------------------------------------------
[2011-12-14 13:51:42] jason dot gerfen at gmail dot com

This will test all five new functions, unless you would like one test case per function?
--TEST--
openssl_spki_new(), openssl_spki_verify(), openssl_spki_export(), openssl_spki_export_challenge(), openssl_spki_details()
--SKIPIF--
<?php
if (!extension_loaded("openssl")) die("skip");
if (!@openssl_pkey_new()) die("skip cannot create private key");
?>
--FILE--
<?php
echo "Creating private key\n";
$key = openssl_pkey_new();
if ($key === false) die("failed to create private key\n");

echo "Creating new SPKAC\n";
if (!function_exists("openssl_spki_new")) die("openssl_spki_new() does not exist\n");
$spki = openssl_spki_new($key, "sample_challenge_string");
if ($spki === false) die("could not create spkac\n");

echo "Verifying SPKAC\n";
if (!function_exists("openssl_spki_verify")) die("openssl_spki_verify() does not exist\n");
/* The remaining functions take the bare structure, so the "SPKAC=" prefix is stripped first. */
$x = openssl_spki_verify(preg_replace("/SPKAC=/", "", $spki));
if ($x === false) die("could not verify spkac\n");

echo "Exporting challenge\n";
if (!function_exists("openssl_spki_export_challenge")) die("openssl_spki_export_challenge() does not exist\n");
$y = openssl_spki_export_challenge(preg_replace("/SPKAC=/", "", $spki));
if ($y !== "sample_challenge_string") die("could not verify challenge string from spkac\n");

echo "Exporting public key from SPKAC\n";
if (!function_exists("openssl_spki_export")) die("openssl_spki_export() does not exist\n");
$z = openssl_spki_export(preg_replace("/SPKAC=/", '', $spki));
if ($z === "") die("could not export public key from spkac\n");

echo "Generating details of SPKAC structure\n";
if (!function_exists("openssl_spki_details")) die("openssl_spki_details() does not exist\n");
$w = openssl_spki_details(preg_replace('/SPKAC=/', '', $spki));
if ($w === "") die("could not obtain details from spkac\n");

echo "OK!\n";
openssl_free_key($key);
?>
--EXPECT--
Creating private key
Creating new SPKAC
Verifying SPKAC
Exporting challenge
Exporting public key from SPKAC
Generating details of SPKAC structure
OK!
------------------------------------------------------------------------
[2011-12-14 12:02:35] paj...@php.net

Please see the phpt files in ext/openssl/tests/; this is how tests should be written. Further explanations are available here: http://qa.php.net/

Thanks!

------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=38917