ID:               27585
User updated by:  arnaud dot bertrand at apvsys dot org
Reported By:      arnaud dot bertrand at apvsys dot org
-Status:          Feedback
+Status:          Open
Bug Type:         OpenSSL related
Operating System: win32 & Linux
PHP Version:      4.3.4
New Comment:

Yes, I'm sure it happens under Linux (Suse8, Kernel 2.4).
The version I used was sapi php4apache.

After multiple tries, I found a version that works without the problem under Win32. This version has openssl 0.9.7.b. The previous one that failed was 0.9.6.k.

Under Linux, because it is a friend of mine who is testing it, I have to be sure of the exact versions.


Previous Comments:
------------------------------------------------------------------------

[2004-03-14 10:34:51] [EMAIL PROTECTED]

Also, tell us your openssl version and which sapi (cli, cgi, apache, isapi) you are using to reproduce this.
Does using one or all of the others (that you can try) also cause the problem?

------------------------------------------------------------------------

[2004-03-14 10:21:55] [EMAIL PROTECTED]

Are you sure this happens under linux too?
I'd almost expect it under win32 (which has funny locking semantics).

------------------------------------------------------------------------

[2004-03-13 07:04:30] arnaud dot bertrand at apvsys dot org

Description:
------------
The function openssl_pkcs7_verify has a strange behaviour just after a verification has reported a bad signature.

When the verification reports a good signature, no problem.
When it reports a bad signature, it works BUT the next time (if it is a short time) the function is called, the access to the CA certificate fails and it reports a bad signature even if it is a correct one.

Reproduce code:
---------------
Here is the function I use

///////////////// BEGIN
function CheckMailSignature($filename)
{
    global $CertificatDir;
    global $CertificatFile;

    echo("Processing file: $filename<br>\n");
    echo("Certificate: $CertificatDir<br>\n");
    chdir($CertificatDir);

    // Temporary file that receives the signer's certificate on success
    $tmp_cert = tempnam("", "crt");

    // Returns true (verified), false (verification failed) or -1 (error)
    $res = openssl_pkcs7_verify($filename, 0, $tmp_cert,
        array($CertificatDir, "$CertificatDir/$CertificatFile"));

    if ($res === false)
        echo("Digital Signature BAD!<br>\n");
    else if ($res === -1)
        echo("Error while verifying digital signature ($res)!<br>\n");
    else {
        echo("Digital Signature OK!<br>\n");
        $cert_info = openssl_x509_parse("file://$tmp_cert");
        echo("Common name: '".$cert_info['subject']['CN']."'<br>\n");
        echo("E-mail: '".$cert_info['subject']['Email']."'<br>\n");
        unlink($tmp_cert);
        return true;
    }

    // Failure or error: clean up and report the signature as not verified
    unlink($tmp_cert);
    return false;
}
//////////////// END

Expected result:
----------------
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: '[EMAIL PROTECTED]'

// now check a bad one
Processing file: c:/test/abe-0-bad.txt
Certificate: c:/metadoc-iba/cert
Digital Signature BAD!

// Now check the correct one again
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: '[EMAIL PROTECTED]'

Actual result:
--------------
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: '[EMAIL PROTECTED]'

// now check a bad one
Processing file: c:/test/abe-0-bad.txt
Certificate: c:/metadoc-iba/cert
Digital Signature BAD!

// Now check the correct one again
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert

Warning: openssl_pkcs7_verify() [function.openssl-pkcs7-verify]: error loading file c:/cert/thawte_freemail.cer in c:\cvswork\ntmetapro\mailsign.php on line 12
Digital Signature BAD!

// Waiting a few minutes or restarting apache:
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: '[EMAIL PROTECTED]'

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=27585&edit=1