 ID:               36732
 Updated by:       [EMAIL PROTECTED]
 Reported By:      ben at psc dot edu
-Status:           Open
+Status:           Assigned
 Bug Type:         OpenSSL related
 Operating System: Linux 2.6 / FC4
 PHP Version:      5.1.2
-Assigned To:
+Assigned To:      wez
 New Comment:

Wez, patches are looking good, please check them (and apply?).


Previous Comments:
------------------------------------------------------------------------

[2006-03-14 05:48:34] ben at psc dot edu

typo in location of 4.4.1 and 4.4.2 patch. correct spelling is:

php-4.4.2-openssl-extensions-fix.patch

------------------------------------------------------------------------

[2006-03-14 05:30:12] ben at psc dot edu

Description:
------------
According to the PHP manual, configargs keys req_extensions and
x509_extensions can be used to select which extensions are used when
creating a CSR and x509 certificate, respectively.

There are [what appear to be] a few mistakes in ext/openssl/openssl.c
which result in neither of these two options working properly.

Bug #31638 appears to have reported this issue, but has not been
resolved.

The following patches resolve this issue, and are available at
http://www.psc.edu/~ben/patches/php/

php-4.4.2-openssl-extentions-fix.patch
  Tested with php-4.4.1 and php-4.4.2

php-5.1.2-openssl-extensions-fix.patch
  Tested with only php-5.1.2

Reproduce code:
---------------
$configargs = array(
    "req_extensions" => "v3_req",
    "x509_extensions" => "usr_cert"
);

$dn = array(
    "countryName" => "GB",
    "stateOrProvinceName" => "Berkshire",
    "localityName" => "Newbury",
    "organizationName" => "My Company Ltd",
    "commonName" => "Demo Cert"
);

$key = openssl_pkey_new();
$csr = openssl_csr_new($dn, $key, $configargs);
$crt = openssl_csr_sign($csr, NULL, $key, 365, $configargs);

openssl_csr_export($csr, $str, false);
print $str . "\n\n";

openssl_x509_export($crt, $str, false);
print $str;

Expected result:
----------------
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=Demo Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: md5WithRSAEncryption

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=Demo Cert
        Validity
            Not Before: Mar 14 04:02:52 2006 GMT
            Not After : Mar 14 04:02:52 2007 GMT
        Subject: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=Demo Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                30:7D:D0:40:08:90:42:B9:E6:0C:55:F0:2A:28:D6:85:78:9E:C1:AF
            X509v3 Authority Key Identifier:
                keyid:30:7D:D0:40:08:90:42:B9:E6:0C:55:F0:2A:28:D6:85:78:9E:C1:AF
                DirName:/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=Demo Cert
                serial:00
    Signature Algorithm: md5WithRSAEncryption

Actual result:
--------------
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=Demo Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=Demo Cert
        Validity
            Not Before: Mar 14 04:01:18 2006 GMT
            Not After : Mar 14 04:01:18 2007 GMT
        Subject: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd, CN=Demo Cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=36732&edit=1
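
Added example (not part of the bug report and not PHP's own code): a standard-library Python check that tells the two CSR outcomes in the report apart by walking the DER structure and looking for the PKCS#9 extensionRequest attribute (OID 1.2.840.113549.1.9.14) in the [0] attributes field; an empty field is the "a0:00" shown in the actual result. The function names and the two sample CSR skeletons are constructed for illustration, with placeholder key and signature fields.

```python
EXTENSION_REQUEST = bytes.fromhex("2a864886f70d01090e")  # OID 1.2.840.113549.1.9.14

def read_tlv(buf, pos=0):
    """Return (tag, content, end) of the DER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split a constructed element's content into (tag, content) pairs."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        items.append((tag, body))
    return items

def csr_requests_extensions(der):
    """True if CertificationRequestInfo.attributes [0] holds an extensionRequest."""
    tag, csr, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("CSR must start with a SEQUENCE")
    _, info = children(csr)[0]
    for field_tag, field in children(info):  # version, subject, key, [0] attributes
        if field_tag == 0xA0:  # empty content here is the "a0:00" case
            return any(children(attr)[:1] == [(0x06, EXTENSION_REQUEST)]
                       for _, attr in children(field))
    raise ValueError("attributes field not found")

def tlv(tag, *parts):
    """Encode one DER element with a short-form length (sample data only)."""
    content = b"".join(parts)
    return bytes([tag, len(content)]) + content

def sample_csr(attributes):
    """Constructed CSR skeleton: empty subject, placeholder key and signature."""
    info = tlv(0x30, tlv(0x02, b"\x00"), tlv(0x30), tlv(0x30), tlv(0xA0, attributes))
    return tlv(0x30, info, tlv(0x30), tlv(0x03, b"\x00"))

BASIC_CONSTRAINTS = tlv(0x30, tlv(0x06, b"\x55\x1d\x13"), tlv(0x04, tlv(0x30)))  # CA:FALSE
WITH_EXTENSIONS = sample_csr(tlv(0x30, tlv(0x06, EXTENSION_REQUEST),
                                 tlv(0x31, tlv(0x30, BASIC_CONSTRAINTS))))
WITHOUT_EXTENSIONS = sample_csr(b"")

if __name__ == "__main__":
    print(csr_requests_extensions(WITH_EXTENSIONS), csr_requests_extensions(WITHOUT_EXTENSIONS))
```

For a real CSR, pass the base64-decoded body found between the PEM markers to csr_requests_extensions().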