ID: 27585
User updated by: arnaud dot bertrand at apvsys dot org
Reported By: arnaud dot bertrand at apvsys dot org
Status: Bogus
Bug Type: OpenSSL related
Operating System: win32 & Linux
PHP Version: 4.3.4
New Comment:

I tried it on Linux 2.4 with apache 2.0.48 php 5.0.0b4.
It fails with openssl 0.9.6l but works well with 0.9.7b.

Here's the script so you can try to reproduce it:

==bug.php===================================================
<?php
function processMail($filename)
{
    $ret = false;
    $tmp_cert = tempnam ("", "crt");
    $res = openssl_pkcs7_verify($filename, 0, $tmp_cert,
                                array(".", "thawte_freemail.cer"));
    if ($res === false)
        echo("Digital Signature BAD!<br>\n");
    else if ($res === -1)
        echo("Error while verifying digital signature ($res)!<br>\n");
    else {
        echo("Digital Signature OK!<br>\n");
        $cert_info = openssl_x509_parse("file://$tmp_cert");
        print_r($cert_info['subject']);
        $ret = true;
    }
    unlink($tmp_cert);
    return $ret;
}
?>
<HTML>
<HEAD>
<TITLE>Signed Mail check</TITLE>
</HEAD>
<BODY>
<pre>
<?php
processMail('mail_ok.txt');
processMail('mail_bad.txt');
processMail('mail_ok.txt');
?>
</pre>
</BODY>
</HTML>

==mail_ok.txt===============================================
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030312
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: [EMAIL PROTECTED]
Subject: DigiSign
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms020400030006030201090307"
Status: U

This is a cryptographically signed message in MIME format.

--------------ms020400030006030201090307
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

user=jfm
document=test2.txt
version=1.1
checksum=ASH454sdFDD5s4g54b56jhg156qzejh

--------------ms020400030006030201090307
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

--------------ms020400030006030201090307--

==mail_bad.txt==============================================
just take mail_ok.txt and change something in the message body

==thawte_freemail.cer=======================================

Previous Comments:
------------------------------------------------------------------------

[2004-03-15 07:43:57] [EMAIL PROTECTED]

Let your friend report it then.
(I can't reproduce this either on linux or windows)

------------------------------------------------------------------------

[2004-03-14 14:10:55] arnaud dot bertrand at apvsys dot org

Yes, I'm sure it happens under Linux (Suse8, Kernel 2.4).
The version I used was sapi php4apache.
After multiple tries, I found a version that works without the problem under Win32. This version has openssl 0.9.7.b. The previous one that failed was 0.9.6.k.
Under Linux, because it is a friend of mine who is testing it, I have to be sure of the exact versions.

------------------------------------------------------------------------

[2004-03-14 10:34:51] [EMAIL PROTECTED]

Also, tell us your openssl version and which sapi (cli, cgi, apache, isapi) you are using to reproduce this.
Does using one or all of the others (that you can try) also cause the problem?

------------------------------------------------------------------------

[2004-03-14 10:21:55] [EMAIL PROTECTED]

Are you sure this happens under linux too?
I'd almost expect it under win32 (which has funny locking semantics).

------------------------------------------------------------------------

[2004-03-13 07:04:30] arnaud dot bertrand at apvsys dot org

Description:
------------
The function openssl_pkcs7_verify has a strange behaviour just after a verification has reported a bad signature.
When the verification reports a good signature, no problem.
When it reports a bad signature, it works BUT the next time (if it is a short time) the function is called, the access to the CA certificate failed and it reports a bad signature even if it is a correct one.

Reproduce code:
---------------
Here is the function I use

///////////////// BEGIN
function CheckMailSignature($filename)
{
    global $CertificatDir;
    global $CertificatFile;

    echo("Processing file: $filename<br>\n");
    echo("Certificate: $CertificatDir<br>\n");
    chdir($CertificatDir);
    $tmp_cert = tempnam ("", "crt");
    $res = openssl_pkcs7_verify($filename, 0, $tmp_cert,
                                array($CertificatDir, "$CertificatDir/$CertificatFile"));
    if ($res === false)
        echo("Digital Signature BAD!<br>\n");
    else if ($res === -1)
        echo("Error while verifying digital signature ($res)!<br>\n");
    else {
        echo("Digital Signature OK!<br>\n");
        $cert_info = openssl_x509_parse("file://$tmp_cert");
        echo("Common name: '".$cert_info['subject']['CN']."'<br>\n");
        echo("E-mail: '".$cert_info['subject']['Email']."'<br>\n");
        unlink($tmp_cert);
        return true;
    }
    unlink($tmp_cert);
    return false;
}
//////////////// END

Expected result:
----------------
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: '[EMAIL PROTECTED]'

// now check a bad one
Processing file: c:/test/abe-0-bad.txt
Certificate: c:/metadoc-iba/cert
Digital Signature BAD!

// Now check the correct one again
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: '[EMAIL PROTECTED]'

Actual result:
--------------
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: '[EMAIL PROTECTED]'

// now check a bad one
Processing file: c:/test/abe-0-bad.txt
Certificate: c:/metadoc-iba/cert
Digital Signature BAD!

// Now check the correct one again
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Warning: openssl_pkcs7_verify() [function.openssl-pkcs7-verify]: error loading file c:/cert/thawte_freemail.cer in c:\cvswork\ntmetapro\mailsign.php on line 12
Digital Signature BAD!

// Waiting a few minutes or restarting apache:
Processing file: c:/test/abe-0.txt
Certificate: c:/certdir/cert
Digital Signature OK!
Common name: 'Thawte Freemail Member'
E-mail: '[EMAIL PROTECTED]'

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=27585&edit=1
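
Added example, not part of the bug report and not PHP's own code: a wrapper that keeps the outcomes of openssl_pkcs7_verify() apart and returns OpenSSL's queued error text with each result, so a CA file that could not be loaded (as in the "Actual result" above) is distinguishable from a tampered message. verifySignedMail() and drainOpensslErrors() are hypothetical names, the file names are those of the report, and PHP 7 or later is assumed.

```php
<?php
// Added example, not code from the bug report. Function names are hypothetical.
function drainOpensslErrors(): array
{
    $errors = [];
    while (($msg = openssl_error_string()) !== false) {
        $errors[] = $msg;
    }
    return $errors;
}

function verifySignedMail(string $mailFile, string $caFile): array
{
    // An unreadable input is an environment problem, not a bad signature.
    foreach ([$mailFile, $caFile] as $path) {
        if (!is_readable($path)) {
            return ['status' => 'error', 'detail' => ["cannot read $path"]];
        }
    }
    $signers = tempnam(sys_get_temp_dir(), 'crt');
    if ($signers === false) {
        return ['status' => 'error', 'detail' => ['cannot create temp file']];
    }
    drainOpensslErrors(); // discard entries left by earlier OpenSSL calls
    try {
        $res = openssl_pkcs7_verify($mailFile, 0, $signers, [$caFile]);
        $detail = drainOpensslErrors();
        if ($res === true) { // only strict true counts as verified
            $cert = openssl_x509_parse((string) file_get_contents($signers));
            return ['status' => 'ok', 'detail' => $detail,
                    'subject' => $cert['subject'] ?? []];
        }
        // false: verification failed; -1 or anything else: error
        return ['status' => $res === false ? 'bad' : 'error', 'detail' => $detail];
    } finally {
        if (is_file($signers)) {
            unlink($signers);
        }
    }
}

// The report's sequence: good mail, tampered mail, good mail again.
foreach (['mail_ok.txt', 'mail_bad.txt', 'mail_ok.txt'] as $file) {
    $r = verifySignedMail($file, 'thawte_freemail.cer');
    echo $file, ': ', $r['status'], "\n";
    foreach ($r['detail'] as $line) {
        echo "    openssl: $line\n";
    }
}
```

Logging the `detail` lines next to each status shows whether a rejected message failed on the signature itself or on loading the trust anchor.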