Add PKCS7_NOOLDMIMETYPE and OPENSSL_CMS_OLDMIMETYPE

kesselb · bukka · commit fa10dfcc81bb · 2023-05-06T11:12:31.000+01:00
PKCS7_NOOLDMIMETYPE to use Content-Type application/pkcs7-mime OPENSSL_CMS_OLDMIMETYPE to use Content-Type application/x-pkcs7-mime SMIME_write_PKCS7 and SMIME_write_CMS are using SMIME_write_ASN1_ex. The Content-Type application/x-pkcs7-mime is generated with the flag SMIME_OLDMIME (0x400).[^1] SMIME_write_PKCS7 set SMIME_OLDMIME by default.[^2] SMIME_write_CMS does not.[^3] I picked OPENSSL_CMS_OLDMIMETYPE over OPENSSL_CMS_NOOLDMIMETYPE because that's what the flag actually does. [^1]: https://github.com/openssl/openssl/blob/9a2f78e14a67eeaadefc77d05f0778fc9684d26c/crypto/asn1/asn_mime.c#L248-L251 [^2]: https://github.com/openssl/openssl/blob/9a2f78e14a67eeaadefc77d05f0778fc9684d26c/crypto/pkcs7/pk7_mime.c#L41-L43 [^3]: https://github.com/openssl/openssl/blob/9a2f78e14a67eeaadefc77d05f0778fc9684d26c/crypto/cms/cms_io.c#L93 Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
diff --git a/NEWS b/NEWS
@@ -115,6 +115,10 @@ PHP                                                                        NEWS
   . Added memfd api usage, on Linux, for zend_shared_alloc_create_lock()
     to create an abstract anonymous file for the opcache's lock. (Max Kellermann)
 
+- OpenSSL:
+  . Added OPENSSL_CMS_OLDMIMETYPE and PKCS7_NOOLDMIMETYPE contants to switch
+    between mime content types. (Daniel Kesselberg)
+
 - PCNTL:
   . SA_ONSTACK is now set for pcntl_signal. (Kévin Dunglas)
   . Added SIGINFO constant. (David Carlier)
diff --git a/UPGRADING b/UPGRADING
@@ -214,6 +214,10 @@ PHP 8.3 UPGRADE NOTES
   . MIXED_NUMBERS (Spoofchecker).
   . HIDDEN_OVERLAY (Spoofchecker).
 
+- OpenSSL:
+  . OPENSSL_CMS_OLDMIMETYPE
+  . PKCS7_NOOLDMIMETYPE
+
 - PCNTL:
   . SIGINFO
 
diff --git a/ext/openssl/openssl.stub.php b/ext/openssl/openssl.stub.php
@@ -161,6 +161,11 @@
  * @cvalue PKCS7_NOSIGS
  */
 const PKCS7_NOSIGS = UNKNOWN;
+/**
+ * @var int
+ * @cvalue PKCS7_NOOLDMIMETYPE
+ */
+const PKCS7_NOOLDMIMETYPE = UNKNOWN;
 
 /**
  * @var int
@@ -202,6 +207,11 @@
  * @cvalue CMS_NOSIGS
  */
 const OPENSSL_CMS_NOSIGS = UNKNOWN;
+/**
+ * @var int
+ * @cvalue CMS_NOOLDMIMETYPE
+ */
+const OPENSSL_CMS_OLDMIMETYPE = UNKNOWN;
 
 /**
  * @var int
diff --git a/ext/openssl/openssl_arginfo.h b/ext/openssl/openssl_arginfo.h
diff --git a/ext/openssl/tests/openssl_cms_encrypt_basic.phpt b/ext/openssl/tests/openssl_cms_encrypt_basic.phpt
@@ -9,6 +9,9 @@ $outfile = tempnam(sys_get_temp_dir(), "cms_enc_basic");
 if ($outfile === false)
     die("failed to get a temporary filename!");
 $outfile2 = $outfile . ".out";
+$outfile3 = tempnam(sys_get_temp_dir(), "cms_enc_basic");
+if ($outfile3 === false)
+    die("failed to get a temporary filename!");
 $single_cert = "file://" . __DIR__ . "/cert.crt";
 $privkey = "file://" . __DIR__ . "/private_rsa_1024.key";
 $wrongkey = "file://" . __DIR__ . "/private_rsa_2048.key";
@@ -33,6 +36,7 @@ var_dump(openssl_cms_encrypt($infile, $outfile, $wrong, $headers, cipher_algo: $
 var_dump(openssl_cms_encrypt($infile, $outfile, $empty, $headers, cipher_algo: $cipher));
 var_dump(openssl_cms_encrypt($infile, $outfile, $multi_certs, $headers, cipher_algo: $cipher));
 var_dump(openssl_cms_encrypt($infile, $outfile, array_map('openssl_x509_read', $multi_certs), $headers, cipher_algo: $cipher));
+var_dump(openssl_cms_encrypt($infile, $outfile3, $single_cert, $headers, flags: OPENSSL_CMS_OLDMIMETYPE, cipher_algo: $cipher));
 
 if (file_exists($outfile)) {
     echo "true\n";
@@ -42,6 +46,15 @@ if (file_exists($outfile2)) {
     echo "true\n";
     unlink($outfile2);
 }
+
+if (file_exists($outfile3)) {
+    $content = file_get_contents($outfile3, false, null, 0, 256);
+    if (str_contains($content, 'Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"')) {
+        echo "true\n";
+    }
+    unset($content); 
+    unlink($outfile3);
+}
 ?>
 --EXPECT--
 bool(true)
@@ -57,5 +70,7 @@ bool(false)
 bool(false)
 bool(true)
 bool(true)
+bool(true)
+true
 true
 true
diff --git a/ext/openssl/tests/openssl_pkcs7_encrypt_basic.phpt b/ext/openssl/tests/openssl_pkcs7_encrypt_basic.phpt
@@ -11,6 +11,9 @@ if ($outfile === false)
 $outfile2 = tempnam(sys_get_temp_dir(), "ssl");
 if ($outfile2 === false)
     die("failed to get a temporary filename!");
+$outfile3 = tempnam(sys_get_temp_dir(), "ssl");
+if ($outfile3 === false)
+    die("failed to get a temporary filename!");
 
 $single_cert = "file://" . __DIR__ . "/cert.crt";
 $privkey = "file://" . __DIR__ . "/private_rsa_1024.key";
@@ -34,6 +37,7 @@ var_dump(openssl_pkcs7_encrypt($infile, $outfile, $wrong, $headers, 0, $cipher))
 var_dump(openssl_pkcs7_encrypt($infile, $outfile, $empty, $headers, 0, $cipher));
 var_dump(openssl_pkcs7_encrypt($infile, $outfile, $multi_certs, $headers, 0, $cipher));
 var_dump(openssl_pkcs7_encrypt($infile, $outfile, array_map('openssl_x509_read', $multi_certs), $headers, 0, $cipher));
+var_dump(openssl_pkcs7_encrypt($infile, $outfile3, $single_cert, $headers, PKCS7_NOOLDMIMETYPE, $cipher));
 
 if (file_exists($outfile)) {
     echo "true\n";
@@ -43,6 +47,15 @@ if (file_exists($outfile2)) {
     echo "true\n";
     unlink($outfile2);
 }
+
+if (file_exists($outfile3)) {
+    $content = file_get_contents($outfile3, false, null, 0, 256);
+    if (str_contains($content, 'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"')) {
+        echo "true\n";
+    }
+    unset($content); 
+    unlink($outfile3);
+}
 ?>
 --EXPECT--
 bool(true)
@@ -57,5 +70,7 @@ bool(false)
 bool(false)
 bool(true)
 bool(true)
+bool(true)
+true
 true
 true
