ID: 42886
Updated by: [EMAIL PROTECTED]
Reported By: tokul at users dot sourceforge dot net
-Status: Assigned
+Status: Analyzed
Bug Type: OpenSSL related
Operating System: Linux Debian Etch
PHP Version: 5CVS-2008-11-01
Assigned To: pajoye

New Comment:
It seems to be a bug in OpenSSL directly. I have tried with many different certs and many failed (including the one available in OpenSSL's demo directory). I have to work on other things now; the fix may require duplicating the x509_verify_cert code (partially or completely).

Tested with 0.9.8g and 0.9.8i.

Previous Comments:
------------------------------------------------------------------------

[2008-11-01 21:13:07] tokul at users dot sourceforge dot net

php 5.2-200811011530

Test result is the same. It is impossible to verify the purpose of a certificate, because the function returns an integer value which is evaluated as false even when the certificate can be used for S/MIME signatures.

I don't know the options that Thawte used to generate the certificate. I've accepted the default options with 2048-bit encryption for Mozilla Firefox/Thunderbird.

Here is the already expired certificate used for the initial bug report.

-----BEGIN CERTIFICATE-----
MIIC8DCCAlmgAwIBAgIQS8GxvbV7pghz0FD/I7rVVjANBgkqhkiG9w0BAQUFADBi
MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg
THRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3Vpbmcg
Q0EwHhcNMDcwMjI0MDYyMzA0WhcNMDgwMjI0MDYyMzA0WjBNMR8wHQYDVQQDExZU
aGF3dGUgRnJlZW1haWwgTWVtYmVyMSowKAYJKoZIhvcNAQkBFht0b2t1bEB1c2Vy
cy5zb3VyY2Vmb3JnZS5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDQALcUK5moBKz5tHqYcquqb8seEKgzDbFJ3Nko8VEyVy1vnwKtHkNeXuMv1mbH
2dhkvI2JtWpNte36bzLErQHzZhnehAdRb3RIlLrASxkn4btidkWasYjqhtMI1sGL
D+7wFdC4rSfdYwRUto8zrB5FeoNakJre8gmljqwm18fh5ZMsiWboXdKVVCa8ALBk
P5dZ7gYElfNj3FJSjqo0Efs5yQn8EsY+uDNTH+y8HE5Sqq0mkuLw/7WIO5PCsQAF
xTsEo2dqnj3us9KGgNGkR4JRp17NPfNofLs26w7H2n3oAmjMaM51U5lpPOSh0Nm7
uwrpsWnE84Jm2I/9WhhuSOEJAgMBAAGjODA2MCYGA1UdEQQfMB2BG3Rva3VsQHVz
ZXJzLnNvdXJjZWZvcmdlLm5ldDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBQUA
A4GBAJlmrYGSeE00IK7WR+05BT0g6YigfIoKLbeTJu25oVHN8dBLU0Jjx5KZRfZQ
BCt/8CVBNxNwwKRQnQ36M4Hq0YLa+bBYq3pJPbL62Ffj7mLHhDkFvJw/sgQ1I7jH
URvzt58Hw3B34wEHzqnzcsFOPxNZN3aU4BTnbUBTUjkVVpuZ
-----END CERTIFICATE-----
------------------------------------------------------------------------

[2008-10-31 08:49:37] [EMAIL PROTECTED]

Please provide a sample certificate to reproduce this problem or the values you used to create a similar certificate.

------------------------------------------------------------------------

[2007-10-08 10:52:55] tokul at users dot sourceforge dot net

Description:
------------
According to the last chapter in the openssl_x509_checkpurpose() manual, the function should return true, false or int(-1). The synopsis line shows that the function returns an integer.

If I check the public certificate file with the OpenSSL binary (openssl x509 -purpose -in certfile.pem), it shows the purposes as
----
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
----

If I check it with PHP
----
var_dump(openssl_x509_checkpurpose(file_get_contents('./certfile.pem'),X509_PURPOSE_SMIME_SIGN));
----
it returns int(0). int(0) is evaluated as boolean false in PHP.

Tested PHP 5.2.0 and PHP 5.2-dev (200710080830). OpenSSL 0.9.8c (Debian 0.9.8c-4 package).

Used a Thawte free email certificate for testing. The certificate is valid from 2007.02.24 till 2008.02.24. The system clock is correct.

Reproduce code:
---------------
var_dump(openssl_x509_checkpurpose(file_get_contents('./certfile.pem'),X509_PURPOSE_SMIME_SIGN));

Expected result:
----------------
bool(true) or int(1)

Actual result:
--------------
int(0)

------------------------------------------------------------------------
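Added example, not part of the bug report and not PHP's or OpenSSL's own code. The CLI output quoted in the report comes from `openssl x509 -purpose`, which only evaluates the certificate's own extensions (X509_check_purpose on the single certificate). PHP's openssl_x509_checkpurpose() instead sets the purpose on a verification context and runs a full X509_verify_cert(), so the chain to a trusted CA (the optional third argument, $cainfo), the validity period and the purpose flags of every CA in the chain are all checked too; a missing issuer or an expired certificate (the one posted later in the thread had already expired) is enough by itself to get false. The script below builds a throwaway CA and an S/MIME leaf certificate (the OpenSSL config, the names and the extension values are constructed for this example), then calls openssl_x509_checkpurpose() with and without the CA so the documented return values true, false and -1 can be told apart with `===`.

```php
<?php
// Added example: contrast `openssl x509 -purpose` (extensions only) with
// openssl_x509_checkpurpose(), which verifies the whole chain with the purpose set
// and therefore needs the issuing CA passed as $cainfo.

// Minimal OpenSSL config, constructed for this example: a [req] section for
// openssl_csr_new(), plus two extension sections used when signing.
$config = <<<'CNF'
[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
CNF;

$cnfFile = tempnam(sys_get_temp_dir(), 'cnf');
file_put_contents($cnfFile, $config);

$keyOpts = ['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA, 'config' => $cnfFile];
$csrOpts = ['config' => $cnfFile, 'digest_alg' => 'sha256'];

// Throwaway self-signed CA and an S/MIME leaf issued by it (names are made up).
$caKey  = openssl_pkey_new($keyOpts);
$caCsr  = openssl_csr_new(['commonName' => 'Example Test CA'], $caKey, $csrOpts);
$caCert = openssl_csr_sign($caCsr, null, $caKey, 365, $csrOpts + ['x509_extensions' => 'v3_ca'], 1);

$leafKey  = openssl_pkey_new($keyOpts);
$leafDn   = ['commonName' => 'Example Freemail Member', 'emailAddress' => 'member@example.invalid'];
$leafCsr  = openssl_csr_new($leafDn, $leafKey, $csrOpts);
$leafCert = openssl_csr_sign($leafCsr, $caCert, $caKey, 365, $csrOpts + ['x509_extensions' => 'v3_leaf'], 2);

openssl_x509_export($caCert, $caPem);
openssl_x509_export($leafCert, $leafPem);

// $cainfo takes file or directory paths, so the CA goes into a temp file.
$caFile = tempnam(sys_get_temp_dir(), 'ca');
file_put_contents($caFile, $caPem);

// Documented return values are true, false or -1. Compare with === so that -1
// (an error during verification) is never mistaken for "usable".
function describe($ret): string
{
    if ($ret === true)  { return 'true  (chain verified and purpose allowed)'; }
    if ($ret === false) { return 'false (purpose not allowed, or chain/validity check failed)'; }
    return 'int(' . $ret . ') (verification error)';
}

// 1. No CA supplied: the issuer cannot be found, so the chain does not verify and
//    the call yields false although the leaf's EKU includes emailProtection.
//    This is the call shape used in the report.
echo 'no cainfo,   SMIME_SIGN: ', describe(openssl_x509_checkpurpose($leafPem, X509_PURPOSE_SMIME_SIGN)), "\n";

// 2. With the issuing CA: chain builds, every cert passes the purpose check.
echo 'with cainfo, SMIME_SIGN: ', describe(openssl_x509_checkpurpose($leafPem, X509_PURPOSE_SMIME_SIGN, [$caFile])), "\n";

// 3. With the CA but a purpose the EKU does not cover (no serverAuth): the
//    chain is fine, the purpose is not.
echo 'with cainfo, SSL_SERVER: ', describe(openssl_x509_checkpurpose($leafPem, X509_PURPOSE_SSL_SERVER, [$caFile])), "\n";

unlink($cnfFile);
unlink($caFile);
```

Run it with `php checkpurpose.php` (hypothetical file name). PHP does not expose the reason behind a false result, so to see why a real certificate fails use `openssl verify -purpose smimesign -CAfile ca.pem leaf.pem`, which performs the same chain-plus-purpose verification as PHP, rather than `openssl x509 -purpose`, which never builds a chain.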