Req #40046 [Com]: OpenSSL CRL generation support

2011-05-26 Thread rsmaia at gmail dot com
Edit report at http://bugs.php.net/bug.php?id=40046&edit=1

 ID:                 40046
 Comment by:         rsmaia at gmail dot com
 Reported by:        mbechler at eenterphace dot org
 Summary:            OpenSSL CRL generation support
 Status:             Assigned
 Type:               Feature/Change Request
 Package:            OpenSSL related
 PHP Version:        *
 Assigned To:        pajoye
 Block user comment: N
 Private report:     N

 New Comment:

I am waiting for this patch too. Would be great to see this patch
applied into PHP core.

+1 for this improvement!


Previous Comments:

[2010-04-12 17:50:29] pm at datasphere dot ch

I'm also very interested in having this feature supported in the PHP
standards. Can I expect to see it available soon?


[2010-02-15 09:07:32] cnyegle at gmail dot com

Will the patch be merged into PHP? It's two years after the last
modification of this issue.


[2007-09-23 19:51:19] paj...@php.net

From Moritz Bechler:

It took some time - but I now managed to put together some test cases
(which hopefully can also serve as examples). I noticed that the current
"openssl_x509_checkpurpose" function does not allow for passing
verification flags so I introduced a new function "openssl_x509_check"
(verify might be better but might cause confusion with openssl_verify)
which does pretty much the same thing but takes a flags parameter which
can be used to enable CRL checking and some other checking features
which I did not test yet. I chose to add a new function because a)
adding the argument to the end forces passing two (one unused in most
cases) optional arguments b) _checkpurpose is a bit too specific. I hope
that approach is okay.

The updated patch is at
http://mbechler.eenterphace.org/php6-openssl-crl.patch
and the phpt and required data (needs a small CA, included files are
valid for 5 years) at
http://mbechler.eenterphace.org/php6-openssl-crl-tests.tar.bz2

I noted my test fails (even for ascii filenames) when run in unicode
mode which is a result of this check in php_openssl_x509_from_zval:

    if (!(Z_TYPE_PP(val) == IS_STRING || Z_TYPE_PP(val) == IS_OBJECT)) {
       return NULL;
    }

maybe I'll find some time to have a look at proper filesystem encoding
conversions for ext/openssl.


[2007-08-03 11:37:24] paj...@php.net

Add the note here too :)

Please provide some test cases as well, including the required data (if
any).


[2007-01-07 02:47:19] mbechler at eenterphace dot org

Ok, finally found the bug - new patch is here:

http://mbechler.eenterphace.org/ext-openssl-crl.patch




The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

http://bugs.php.net/bug.php?id=40046




Req #40046 [Com]: OpenSSL CRL generation support

2010-04-12 Thread pm at datasphere dot ch

 ID:          40046
 Comment by:  pm at datasphere dot ch
 Reported by: mbechler at eenterphace dot org
 Summary:     OpenSSL CRL generation support
 Status:      Assigned
 Type:        Feature/Change Request
 Package:     Feature/Change Request
 PHP Version: 5.2.1RC2
 Assigned To: pajoye

 New Comment:

I'm also very interested in having this feature supported in the PHP
standards. Can I expect to see it available soon?


Previous Comments:

[2007-01-07 02:26:36] mbechler at eenterhace dot org

When trying to use the functionality in a real world scenario I noticed
problems with this patch. My FastCGI processes are throwing errors like
this *** corrupted double-linked list: 0x08a135f0 *** while it is
working nice when run from the command line. I could not get any helpful
information yet by debugging, but this one is definitely not ready for
inclusion. I'm trying to figure out what's wrong, but I am thankful for
any help provided.



