ID: 34261
User updated by: arnaud dot bertrand at apvsys dot org
Reported By: arnaud dot bertrand at apvsys dot org
-Status: Feedback
+Status: Open
Bug Type: OpenSSL related
Operating System: *
PHP Version: 5CVS-2005-08-28

New Comment:
Hi, here is the full testcase: http://www.apvsys.org/testcase.tgz

Download this file and extract it in /. The 3 files will be extracted in /tmp:

  tmp/thawte_freemail.cer
  tmp/msg.txt
  tmp/testcase.php

Just execute testcase.php at the current time; you will get:

  Digital Signature BAD!

Now change the system date to 9/9/2004 and re-execute it. Now the message is valid and you should get:

  Digital Signature OK!
  array(11) {
    ["name"]=>
    string(65) "/CN=Thawte Freemail Member/[EMAIL PROTECTED]"
    (...)


Previous Comments:
------------------------------------------------------------------------

[2005-09-07 16:27:59] [EMAIL PROTECTED]

Can you please provide a full reproducing case with all the required files included?

------------------------------------------------------------------------

[2005-08-28 10:35:05] arnaud dot bertrand at apvsys dot org

Thanks for your fast answer. I've just tried with the latest win32 version (the beginning of the phpinfo() output follows). The result is unfortunately identical with the latest version; the bug is still in.
phpinfo()
PHP Version 5.1.0-dev

System                               Windows NT EULER 5.1 build 2600
Build Date                           Aug 28 2005 08:23:12
Configure Command                    cscript /nologo configure.js "--enable-snapshot-build" "--with-gd=shared"
Server API                           Apache 2.0 Handler
Virtual Directory Support            enabled
Configuration File (php.ini) Path    C:\php\php.ini
PHP API                              20041225
PHP Extension                        20050617
Zend Extension                       220050617
Debug Build                          no
Thread Safety                        enabled
Zend Memory Manager                  enabled
IPv6 Support                         enabled
Registered PHP Streams               php, file, http, ftp, compress.zlib, https, ftps
Registered Stream Socket Transports  tcp, udp, ssl, sslv3, sslv2, tls
Registered Stream Filters            convert.iconv.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, zlib.*

------------------------------------------------------------------------

[2005-08-26 16:34:56] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz

For Windows:

  http://snaps.php.net/win32/php5-win32-latest.zip

------------------------------------------------------------------------

[2005-08-25 22:17:51] arnaud dot bertrand at apvsys dot org

Description:
------------
Context: a message "msg.txt" was signed on 01-01-2005 with a certificate that expired on 03-03-2005. It is a valid signed message.

If the system date is 02-02-2005, the openssl_pkcs7_verify function applied to this "msg.txt" returns TRUE. It means it is a valid message.

If you change the system date to 04-04-2005 (a date after the expiration date of the certificate), the openssl_pkcs7_verify function applied to this "msg.txt" returns FALSE, without any other information. But this is not correct, because at the moment of the signature it was correct.
Reproduce code:
---------------
$filename = "/tmp/msg.txt";
// CA info: the ca_info parameter accepts both directories and certificate files.
$lCertT = array("/tmp/certifdir", "/tmp/certifdir/thawte_freemail.cer");
// The signer's certificate is written to this file on success.
$tmp_cert = tempnam("", "crt");
$res = openssl_pkcs7_verify($filename, 0, $tmp_cert, $lCertT);
if (!$res) {
    // false: signature (or certificate chain) verification failed
    echo("Digital Signature BAD!<br>\n");
} else if ($res === -1) {
    // -1: an error occurred while verifying
    echo("Error ...");
} else {
    echo("Digital Signature OK!<br>\n");
    $cert_info = openssl_x509_parse("file://$tmp_cert");
    var_dump($cert_info);
}

Expected result:
----------------
We expect to have a result independent of the current date, or at least to have the information that at signature time the message was correct but was signed with a certificate that has expired today. Another possibility could be to foresee an extra parameter to the function to pass the date of the validation.

If you check the same message with an e-mail client (e.g. Thunderbird), it will say that the message was correctly signed with a valid certificate, whatever the current date is.

Actual result:
--------------
The validation result depends on the system date.

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=34261&edit=1
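An added example (not code from the bug report or from PHP itself) showing how a caller can separate the three outcomes the report conflates: signature bad, valid now, and valid at signing time but certificate expired since. It assumes the message path, the CA list and a trusted reference time $refTime (for instance from a timestamp token) are supplied by the caller; PKCS7_NOVERIFY, openssl_x509_parse and its validFrom_time_t/validTo_time_t keys are the standard PHP OpenSSL API.

```php
<?php
// Added example, not code from the bug report. Distinguishes "signature bad",
// "valid now" and "valid at signing time, certificate expired since".
// $msgFile, $caInfo and $refTime (assumed trusted signing time) are assumptions.

function verify_signed_message(string $msgFile, array $caInfo, int $refTime): string
{
    $signerCert = tempnam(sys_get_temp_dir(), 'crt');

    // 1. Cryptographic check only: PKCS7_NOVERIFY skips chain validation, which
    //    is the step that compares notBefore/notAfter against the system clock.
    if (openssl_pkcs7_verify($msgFile, PKCS7_NOVERIFY, $signerCert) !== true) {
        @unlink($signerCert);
        return 'BAD: signature does not verify';
    }

    // 2. Read the signer certificate written out in step 1 and compare its
    //    validity window with the caller-supplied reference time, not time().
    $info = openssl_x509_parse('file://' . $signerCert);
    if ($info === false) {
        @unlink($signerCert);
        return 'BAD: signer certificate unreadable';
    }
    $inWindow = $refTime >= $info['validFrom_time_t'] && $refTime <= $info['validTo_time_t'];

    // 3. Full verification against the trust store (the call from the report).
    //    It still depends on the current date; it is kept to confirm that the
    //    signer chains to a CA in $caInfo.
    $chainOk = openssl_pkcs7_verify($msgFile, 0, $signerCert, $caInfo) === true;
    @unlink($signerCert);

    if ($chainOk) {
        return 'OK: signature valid and certificate currently valid';
    }
    if (!$inWindow) {
        return 'BAD: certificate was not valid at reference time ' . date('c', $refTime);
    }
    if ($info['validTo_time_t'] < time()) {
        // Chain check failed and the certificate has since expired: the case
        // the report describes. Issuer trust is NOT confirmed here, because PHP
        // offers no chain check that ignores time.
        return 'EXPIRED: signature valid at ' . date('c', $refTime)
             . ', certificate expired ' . date('c', $info['validTo_time_t'])
             . ' (issuer trust unconfirmed)';
    }
    return 'BAD: certificate chain does not verify against the supplied CA files';
}
```

The EXPIRED outcome is only as strong as the source of $refTime: a signing time taken from the message's own headers is attacker-controlled, so a trusted timestamp or an archival policy should back it.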