ID:               27585
 User updated by:  arnaud dot bertrand at apvsys dot org
 Reported By:      arnaud dot bertrand at apvsys dot org
 Status:           Bogus
 Bug Type:         OpenSSL related
 Operating System: win32 & Linux
 PHP Version:      4.3.4
 New Comment:

I tried it on Linux 2.4 with Apache 2.0.48 and PHP 5.0.0b4.

It fails with openssl 0.9.6l but works well with 0.9.7b.

Here's the script so you can try to reproduce it:

==bug.php===================================================

<?php
function processMail($filename)
{
        $ret = false;
        $tmp_cert = tempnam ("", "crt");

        $res = openssl_pkcs7_verify($filename, 0, $tmp_cert, array(".", "thawte_freemail.cer"));
        if ($res === false)
                echo("Digital Signature BAD!<br>\n");
        else if ($res === -1)
                echo("Error while verifying digital signature ($res)!<br>\n");
        else {
                echo("Digital Signature OK!<br>\n");
                $cert_info = openssl_x509_parse("file://$tmp_cert");
                print_r($cert_info['subject']);

                $ret = true;
        }
        unlink($tmp_cert);
        return $ret;
}

?>
<HTML>
<HEAD>
<TITLE>Signed Mail check</TITLE>
</HEAD>
<BODY>
<pre>
<?php
processMail('mail_ok.txt');
processMail('mail_bad.txt');
processMail('mail_ok.txt');
?>
</pre>
</BODY>
</HTML>

==mail_ok.txt===============================================

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3)
Gecko/20030312
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: [EMAIL PROTECTED]
Subject: DigiSign
Content-Type: multipart/signed;
protocol="application/x-pkcs7-signature"; micalg=sha1;
boundary="------------ms020400030006030201090307"
Status: U

This is a cryptographically signed message in MIME format.

--------------ms020400030006030201090307
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

user=jfm
document=test2.txt
version=1.1
checksum=ASH454sdFDD5s4g54b56jhg156qzejh

--------------ms020400030006030201090307
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature


--------------ms020400030006030201090307--

==mail_bad.txt==============================================

just take mail_ok.txt and change something in the message body

==thawte_freemail.cer=======================================



Previous Comments:
------------------------------------------------------------------------

[2004-03-15 07:43:57] [EMAIL PROTECTED]

Let your friend report it then. (I can't reproduce this either on linux
or windows)



------------------------------------------------------------------------

[2004-03-14 14:10:55] arnaud dot bertrand at apvsys dot org

Yes, I'm sure it happens under Linux (Suse8, Kernel 2.4)

The version I used was sapi php4apache.

After multiple tries, I found a version that works without the problem
under Win32. This version has openssl 0.9.7.b.

The previous one that failed was 0.9.6.k.

Under Linux, because it is a friend of mine who is testing it, I have to be
sure of the exact versions.

------------------------------------------------------------------------

[2004-03-14 10:34:51] [EMAIL PROTECTED]

Also, tell us your openssl version and which sapi (cli, cgi, apache,
isapi) you are using to reproduce this.

Does using one or all of the others (that you can try) also cause the
problem?

------------------------------------------------------------------------

[2004-03-14 10:21:55] [EMAIL PROTECTED]

Are you sure this happens under linux too?
I'd almost expect it under win32 (which has funny
locking semantics).

------------------------------------------------------------------------

[2004-03-13 07:04:30] arnaud dot bertrand at apvsys dot org

Description:
------------
The function openssl_pkcs7_verify has a strange behaviour just after
a verification has reported a bad signature.

When the verification reports a good signature, no problem.

When it reports a bad signature, it works BUT the next time (if it is a
short time) the function is called, the access to the CA certificate
fails and it reports a bad signature even if it is a correct one.

Reproduce code:
---------------
Here is the function I use

///////////////// BEGIN

function CheckMailSignature($filename)
{
        global $CertificatDir;
        global $CertificatFile;
        echo("Processing file: $filename<br>\n");
        echo("Certificate: $CertificatDir<br>\n");
        chdir($CertificatDir);
        $tmp_cert = tempnam ("", "crt");
        $res = openssl_pkcs7_verify($filename, 0, $tmp_cert, array($CertificatDir, "$CertificatDir/$CertificatFile"));
        if ($res === false)
                echo("Digital Signature BAD!<br>\n");
        else if ($res === -1)
                echo("Error while verifying digital signature ($res)!<br>\n");
        else {
                echo("Digital Signature OK!<br>\n");

                $cert_info = openssl_x509_parse("file://$tmp_cert");
                echo("Common name: '".$cert_info['subject']['CN']."'<br>\n");
                echo("E-mail: '".$cert_info['subject']['Email']."'<br>\n");

                unlink($tmp_cert);
                return true;
        }
        unlink($tmp_cert);
        return false;
}

////////////////  END





Expected result:
----------------
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: '[EMAIL PROTECTED]'

// now check a bad one

Processing file: c:/test/abe-0-bad.txt
Certificate: c:/metadoc-iba/cert
Digital Signature BAD!

// Now check the correct one again

Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: '[EMAIL PROTECTED]'

Actual result:
--------------
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: '[EMAIL PROTECTED]'

// now check a bad one

Processing file: c:/test/abe-0-bad.txt
Certificate: c:/metadoc-iba/cert
Digital Signature BAD!

// Now check the correct one again

Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert

Warning: openssl_pkcs7_verify() [function.openssl-pkcs7-verify]: error
loading file c:/cert/thawte_freemail.cer in
c:\cvswork\ntmetapro\mailsign.php on line 12
Digital Signature BAD!

// Waiting a few minutes or restarting apache:

Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: '[EMAIL PROTECTED]'
------------------------------------------------------------------------
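
Added example, not code from the bug report or from PHP itself: a wrapper for the good / bad / good sequence described in the report that tells a rejected signature apart from a call that could not run, and empties OpenSSL's error queue before and after the call so the diagnostics belong to that call only. The helper names, the throwaway self-signed certificate and the signed mail are constructed for the example, and PHP 7 or later with a working openssl.cnf is assumed.

```php
<?php
// Added example; helper names are hypothetical, key and mail are constructed.

function drainOpenSslErrors(): array
{
    $errors = [];
    while (($msg = openssl_error_string()) !== false) {
        $errors[] = $msg;
    }
    return $errors;
}

function verifySignedMail(string $mailFile, string $caFile): array
{
    if (!is_readable($caFile)) {
        return ['status' => 'error', 'detail' => ["CA file not readable: $caFile"]];
    }
    drainOpenSslErrors();                 // discard entries left by earlier calls
    $signerFile = tempnam(sys_get_temp_dir(), 'crt');
    $res = openssl_pkcs7_verify($mailFile, 0, $signerFile, [$caFile]);
    $detail = drainOpenSslErrors();       // diagnostics for this call only
    @unlink($signerFile);
    // true: verified; false: signature rejected; -1: the call itself failed
    $status = $res === true ? 'ok' : ($res === false ? 'bad_signature' : 'error');
    return ['status' => $status, 'detail' => $detail];
}

// Constructed test data: a throwaway self-signed certificate acts as signer and CA.
$dir  = sys_get_temp_dir();
$key  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr  = openssl_csr_new(['commonName' => 'Constructed Test Signer'], $key, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => 'sha256']);
openssl_x509_export_to_file($cert, "$dir/test_ca.pem");

file_put_contents("$dir/body.txt", "user=jfm\r\ndocument=test2.txt\r\n");
openssl_pkcs7_sign("$dir/body.txt", "$dir/mail_ok.txt", $cert, $key, []);
// Tampered copy: one field of the signed body is changed after signing.
file_put_contents("$dir/mail_bad.txt",
    str_replace('user=jfm', 'user=eve', file_get_contents("$dir/mail_ok.txt")));

foreach (['mail_ok.txt', 'mail_bad.txt', 'mail_ok.txt'] as $name) {
    $r = verifySignedMail("$dir/$name", "$dir/test_ca.pem");
    echo "$name: {$r['status']} ", implode(' | ', $r['detail']), "\n";
}
```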

