diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index a48ab20d6a797..8e33bd87cac90 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -16,7 +16,7 @@ | Wez Furlong | | Sascha Kettler | | Pierre-Alain Joye | - | Marc Delling (PKCS12 functions) | + | Marc Delling (PKCS12 functions) | +----------------------------------------------------------------------+ */ @@ -375,11 +375,35 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_random_pseudo_bytes, 0, 0, 1) ZEND_ARG_INFO(0, length) ZEND_ARG_INFO(1, result_is_strong) ZEND_END_ARG_INFO() + +ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_spki_new, 0, 0, 2) + ZEND_ARG_INFO(0, privkey) + ZEND_ARG_INFO(0, challenge) + ZEND_ARG_INFO(0, algo) +ZEND_END_ARG_INFO() + +ZEND_BEGIN_ARG_INFO(arginfo_openssl_spki_verify, 0) + ZEND_ARG_INFO(0, spki) +ZEND_END_ARG_INFO() + +ZEND_BEGIN_ARG_INFO(arginfo_openssl_spki_export, 0) + ZEND_ARG_INFO(0, spki) +ZEND_END_ARG_INFO() + +ZEND_BEGIN_ARG_INFO(arginfo_openssl_spki_export_challenge, 0) + ZEND_ARG_INFO(0, spki) +ZEND_END_ARG_INFO() /* }}} */ /* {{{ openssl_functions[] */ const zend_function_entry openssl_functions[] = { +/* spki functions */ + PHP_FE(openssl_spki_new, arginfo_openssl_spki_new) + PHP_FE(openssl_spki_verify, arginfo_openssl_spki_verify) + PHP_FE(openssl_spki_export, arginfo_openssl_spki_export) + PHP_FE(openssl_spki_export_challenge, arginfo_openssl_spki_export_challenge) + /* public/private key functions */ PHP_FE(openssl_pkey_free, arginfo_openssl_pkey_free) PHP_FE(openssl_pkey_new, arginfo_openssl_pkey_new) @@ -506,7 +530,7 @@ inline static int php_openssl_open_base_dir_chk(char *filename TSRMLS_DC) if (php_check_open_basedir(filename TSRMLS_CC)) { return -1; } - + return 0; } /* }}} */ @@ -565,7 +589,7 @@ static void add_assoc_name_entry(zval * val, char * key, X509_NAME * name, int s } else { subitem = val; } - + for (i = 0; i < X509_NAME_entry_count(name); i++) { unsigned char *to_add; int to_add_len; @@ -608,7 +632,7 @@ static void add_assoc_name_entry(zval * val, char * key, X509_NAME * name, int s last = j; } i = last; - + if (obj_cnt > 1) { add_assoc_zval_ex(subitem, sname, strlen(sname) + 1, subentries); } else { @@ -708,7 +732,7 @@ static inline int php_openssl_config_check_syntax(const char * section_label, co #endif { X509V3_CTX ctx; - + X509V3_set_ctx_test(&ctx); X509V3_set_conf_lhash(&ctx, config); if (!X509V3_EXT_add_conf(config, &ctx, (char *)section, NULL)) { @@ -836,7 +860,7 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option } - + /* digest alg */ if (req->digest_name == NULL) { req->digest_name = CONF_get_string(req->req_config, req->section_name, "default_md"); @@ -858,7 +882,7 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option } PHP_SSL_CONFIG_SYNTAX_CHECK(request_extensions_section); - + return SUCCESS; } /* }}} */ @@ -1021,10 +1045,10 @@ PHP_MINIT_FUNCTION(openssl) /* register a resource id number with OpenSSL so that we can map SSL -> stream structures in * OpenSSL callbacks */ ssl_stream_data_index = SSL_get_ex_new_index(0, "PHP stream index", NULL, NULL, NULL); - + REGISTER_STRING_CONSTANT("OPENSSL_VERSION_TEXT", OPENSSL_VERSION_TEXT, CONST_CS|CONST_PERSISTENT); REGISTER_LONG_CONSTANT("OPENSSL_VERSION_NUMBER", OPENSSL_VERSION_NUMBER, CONST_CS|CONST_PERSISTENT); - + /* purposes for cert purpose checking */ REGISTER_LONG_CONSTANT("X509_PURPOSE_SSL_CLIENT", X509_PURPOSE_SSL_CLIENT, CONST_CS|CONST_PERSISTENT); REGISTER_LONG_CONSTANT("X509_PURPOSE_SSL_SERVER", X509_PURPOSE_SSL_SERVER, CONST_CS|CONST_PERSISTENT); @@ -1076,7 +1100,7 @@ PHP_MINIT_FUNCTION(openssl) REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_AES_192_CBC", PHP_OPENSSL_CIPHER_AES_192_CBC, CONST_CS|CONST_PERSISTENT); REGISTER_LONG_CONSTANT("OPENSSL_CIPHER_AES_256_CBC", PHP_OPENSSL_CIPHER_AES_256_CBC, CONST_CS|CONST_PERSISTENT); #endif - + /* Values for key types */ REGISTER_LONG_CONSTANT("OPENSSL_KEYTYPE_RSA", OPENSSL_KEYTYPE_RSA, CONST_CS|CONST_PERSISTENT); #ifndef NO_DSA @@ -1122,7 +1146,7 @@ PHP_MINIT_FUNCTION(openssl) php_register_url_stream_wrapper("https", &php_stream_http_wrapper TSRMLS_CC); php_register_url_stream_wrapper("ftps", &php_stream_ftp_wrapper TSRMLS_CC); - + return SUCCESS; } /* }}} */ @@ -1290,6 +1314,258 @@ PHP_FUNCTION(openssl_x509_export_to_file) } /* }}} */ +/* {{{ proto string openssl_spki_new(mixed zpkey, string challenge [, mixed method]) + Creates new private key (or uses existing) and creates a new spki cert + outputting results to var */ +PHP_FUNCTION(openssl_spki_new) +{ + int challenge_len, algo_len; + char * challenge, * spkstr, * s; + long keyresource = -1; + const char *spkac = "SPKAC="; + long algo = OPENSSL_ALGO_MD5; + + zval *method = NULL; + zval * zpkey = NULL; + EVP_PKEY * pkey = NULL; + NETSCAPE_SPKI *spki=NULL; + const EVP_MD *mdtype; + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs|z", &zpkey, &challenge, &challenge_len, &method) == FAILURE) { + return; + } + + pkey = php_openssl_evp_from_zval(&zpkey, 0, challenge, 1, &keyresource TSRMLS_CC); + + if (pkey == NULL) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to use supplied private key"); + RETURN_NULL(); + } + + if (Z_TYPE_P(method) == IS_LONG) { + if (method != NULL) { + algo = Z_LVAL_P(method); + } + mdtype = php_openssl_get_evp_md_from_algo(algo); + } + + if (!mdtype) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown signature algorithm."); + RETURN_NULL(); + } + + if ((spki = NETSCAPE_SPKI_new()) == NULL) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to create new SPKAC"); + RETURN_NULL(); + } + + if (challenge) { + ASN1_STRING_set(spki->spkac->challenge, challenge, (int)strlen(challenge)); + } + + if (!NETSCAPE_SPKI_set_pubkey(spki, pkey)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to embed public key"); + RETURN_NULL(); + } + + if (!NETSCAPE_SPKI_sign(spki, pkey, mdtype)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to sign with %l algorithm", method); + RETURN_NULL(); + } + + spkstr = NETSCAPE_SPKI_b64_encode(spki); + if (!spkstr){ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable encode SPKAC"); + RETURN_NULL(); + } + + s = emalloc(strlen(spkac) + strlen(spkstr) + 1); + sprintf(s, "%s%s", spkac, spkstr); + + if (sizeof(s)<=0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to allocate memory for SPKAC"); + RETURN_NULL(); + } + + if (keyresource == -1 && spki != NULL) { + NETSCAPE_SPKI_free(spki); + } + if (keyresource == -1 && pkey != NULL) { + EVP_PKEY_free(pkey); + } + + RETURN_STRINGL(s, strlen(s), 1); +} +/* }}} */ + +/* {{{ proto bool openssl_spki_verify(string spki) + Verifies spki returns boolean */ +PHP_FUNCTION(openssl_spki_verify) +{ + int spkstr_len, i; + char *spkstr = NULL, * spkstr_cleaned; + + EVP_PKEY *pkey = NULL; + NETSCAPE_SPKI *spki = NULL; + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &spkstr, &spkstr_len) == FAILURE) { + return; + } + + if (spkstr == NULL) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to use supplied SPKAC"); + RETURN_FALSE; + } + + spkstr_cleaned = emalloc(spkstr_len + 1); + openssl_spki_cleanup(spkstr, spkstr_cleaned); + + if (strlen(spkstr_cleaned)<=0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to allocate memory for SPKAC"); + RETURN_FALSE; + } + + spki = NETSCAPE_SPKI_b64_decode(spkstr_cleaned, strlen(spkstr_cleaned)); + if (spki == NULL) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to decode supplied SPKAC"); + RETURN_FALSE; + } + + pkey = X509_PUBKEY_get(spki->spkac->pubkey); + if (pkey == NULL) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to aquire signed public key"); + RETURN_FALSE; + } + + i = NETSCAPE_SPKI_verify(spki, pkey); + + if (spki != NULL) { + NETSCAPE_SPKI_free(spki); + } + if (pkey != NULL) { + EVP_PKEY_free(pkey); + } + + if (i > 0) { + RETURN_TRUE; + } else { + RETURN_FALSE; + } +} +/* }}} */ + +/* {{{ proto string openssl_spki_export(string spki) + Exports public key from existing spki to var */ +PHP_FUNCTION(openssl_spki_export) +{ + int spkstr_len; + char *spkstr, * spkstr_cleaned, * s; + + EVP_PKEY *pkey = NULL; + NETSCAPE_SPKI *spki = NULL; + BIO *out = BIO_new(BIO_s_mem()); + BUF_MEM *bio_buf; + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &spkstr, &spkstr_len) == FAILURE) { + return; + } + + if (spkstr == NULL) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to use supplied SPKAC"); + RETURN_NULL(); + } + + spkstr_cleaned = emalloc(spkstr_len + 1); + openssl_spki_cleanup(spkstr, spkstr_cleaned); + + spki = NETSCAPE_SPKI_b64_decode(spkstr_cleaned, strlen(spkstr_cleaned)); + if (spki == NULL) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to decode supplied SPKAC"); + RETURN_NULL(); + } + + pkey = X509_PUBKEY_get(spki->spkac->pubkey); + if (pkey == NULL) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to aquire signed public key"); + RETURN_NULL(); + } + + PEM_write_bio_PUBKEY(out, pkey); + BIO_get_mem_ptr(out, &bio_buf); + + if ((!bio_buf->data)&&(bio_buf->length<=0)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to allocate memory for public key"); + RETURN_NULL(); + } + + s = emalloc(bio_buf->length); + BIO_read(out, s, bio_buf->length); + + if (spki != NULL) { + NETSCAPE_SPKI_free(spki); + } + if (out != NULL) { + BIO_free_all(out); + } + if (pkey != NULL) { + EVP_PKEY_free(pkey); + } + + RETURN_STRINGL(s, strlen(s), 1); +} +/* }}} */ + +/* {{{ proto string openssl_spki_export_challenge(string spki) + Exports spkac challenge from existing spki to var */ +PHP_FUNCTION(openssl_spki_export_challenge) +{ + int spkstr_len; + char *spkstr, * spkstr_cleaned; + + NETSCAPE_SPKI *spki = NULL; + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &spkstr, &spkstr_len) == FAILURE) { + return; + } + + if (spkstr == NULL) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to use supplied SPKAC"); + RETURN_NULL(); + } + + spkstr_cleaned = emalloc(spkstr_len + 1); + openssl_spki_cleanup(spkstr, spkstr_cleaned); + + spki = NETSCAPE_SPKI_b64_decode(spkstr_cleaned, strlen(spkstr_cleaned)); + if (spki == NULL) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to allocate memory for public key"); + RETURN_NULL(); + } + + RETURN_STRINGL(ASN1_STRING_data(spki->spkac->challenge), strlen(ASN1_STRING_data(spki->spkac->challenge)), 1); +} +/* }}} */ + +/* {{{ proto int openssl_spki_cleanup(const char *src, char *results) + This will help remove new line chars in the SPKAC sent from the + browser */ +int openssl_spki_cleanup(const char *src, char *dest) +{ + int removed=0; + + while (*src) { + if (*src!='\n'&&*src!='\r') { + *dest++=*src; + } else { + ++removed; + } + ++src; + } + *dest=0; + return removed; +} +/* }}} */ + /* {{{ proto bool openssl_x509_export(mixed x509, string &out [, bool notext = true]) Exports a CERT to file or a var */ PHP_FUNCTION(openssl_x509_export) @@ -1342,14 +1618,14 @@ PHP_FUNCTION(openssl_x509_check_private_key) long certresource = -1, keyresource = -1; RETVAL_FALSE; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ZZ", &zcert, &zkey) == FAILURE) { return; } cert = php_openssl_x509_from_zval(zcert, 0, &certresource TSRMLS_CC); if (cert == NULL) { RETURN_FALSE; - } + } key = php_openssl_evp_from_zval(zkey, 0, "", 1, &keyresource TSRMLS_CC); if (key) { RETVAL_BOOL(X509_check_private_key(cert, key)); @@ -1402,11 +1678,11 @@ PHP_FUNCTION(openssl_x509_parse) snprintf(buf, sizeof(buf), "%08lx", X509_subject_name_hash(cert)); add_assoc_string(return_value, "hash", buf, 1); } - + add_assoc_name_entry(return_value, "issuer", X509_get_issuer_name(cert), useshortnames TSRMLS_CC); add_assoc_long(return_value, "version", X509_get_version(cert)); - add_assoc_string(return_value, "serialNumber", i2s_ASN1_INTEGER(NULL, X509_get_serialNumber(cert)), 1); + add_assoc_string(return_value, "serialNumber", i2s_ASN1_INTEGER(NULL, X509_get_serialNumber(cert)), 1); add_assoc_asn1_string(return_value, "validFrom", X509_get_notBefore(cert)); add_assoc_asn1_string(return_value, "validTo", X509_get_notAfter(cert)); @@ -1608,8 +1884,8 @@ PHP_FUNCTION(openssl_x509_checkpurpose) if (certresource == 1 && cert) { X509_free(cert); } - if (cainfo) { - X509_STORE_free(cainfo); + if (cainfo) { + X509_STORE_free(cainfo); } if (untrustedchain) { sk_X509_pop_free(untrustedchain, X509_free); @@ -1662,7 +1938,7 @@ static X509_STORE * setup_verify(zval * calist TSRMLS_DC) dir_lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir()); if (dir_lookup == NULL || !X509_LOOKUP_add_dir(dir_lookup, Z_STRVAL_PP(item), X509_FILETYPE_PEM)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "error loading directory %s", Z_STRVAL_PP(item)); - } else { + } else { ndirs++; } dir_lookup = NULL; @@ -1756,11 +2032,11 @@ static STACK_OF(X509) * php_array_to_X509_sk(zval ** zcerts TSRMLS_DC) /* {{{ */ if (certresource != -1) { cert = X509_dup(cert); - + if (cert == NULL) { goto clean_exit; } - + } sk_X509_push(sk, cert); @@ -1769,7 +2045,7 @@ static STACK_OF(X509) * php_array_to_X509_sk(zval ** zcerts TSRMLS_DC) /* {{{ */ } else { /* a single certificate */ cert = php_openssl_x509_from_zval(zcerts, 0, &certresource TSRMLS_CC); - + if (cert == NULL) { goto clean_exit; } @@ -1810,7 +2086,7 @@ PHP_FUNCTION(openssl_pkcs12_export_to_file) return; RETVAL_FALSE; - + cert = php_openssl_x509_from_zval(zcert, 0, &certresource TSRMLS_CC); if (cert == NULL) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "cannot get cert from parameter 1"); @@ -1846,9 +2122,9 @@ PHP_FUNCTION(openssl_pkcs12_export_to_file) p12 = PKCS12_create(pass, friendly_name, priv_key, cert, ca, 0, 0, 0, 0, 0); - bio_out = BIO_new_file(filename, "w"); + bio_out = BIO_new_file(filename, "w"); if (bio_out) { - + i2d_PKCS12_bio(bio_out, p12); RETVAL_TRUE; @@ -1859,13 +2135,13 @@ PHP_FUNCTION(openssl_pkcs12_export_to_file) BIO_free(bio_out); PKCS12_free(p12); php_sk_X509_free(ca); - + cleanup: if (keyresource == -1 && priv_key) { EVP_PKEY_free(priv_key); } - if (certresource == -1 && cert) { + if (certresource == -1 && cert) { X509_free(cert); } } @@ -1891,7 +2167,7 @@ PHP_FUNCTION(openssl_pkcs12_export) return; RETVAL_FALSE; - + cert = php_openssl_x509_from_zval(&zcert, 0, &certresource TSRMLS_CC); if (cert == NULL) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "cannot get cert from parameter 1"); @@ -1914,7 +2190,7 @@ PHP_FUNCTION(openssl_pkcs12_export) if (args && zend_hash_find(Z_ARRVAL_P(args), "extracerts", sizeof("extracerts"), (void**)&item) == SUCCESS) ca = php_array_to_X509_sk(item TSRMLS_CC); /* end parse extra config */ - + p12 = PKCS12_create(pass, friendly_name, priv_key, cert, ca, 0, 0, 0, 0, 0); bio_out = BIO_new(BIO_s_mem()); @@ -1931,13 +2207,13 @@ PHP_FUNCTION(openssl_pkcs12_export) BIO_free(bio_out); PKCS12_free(p12); php_sk_X509_free(ca); - + cleanup: if (keyresource == -1 && priv_key) { EVP_PKEY_free(priv_key); } - if (certresource == -1 && cert) { + if (certresource == -1 && cert) { X509_free(cert); } } @@ -1961,12 +2237,12 @@ PHP_FUNCTION(openssl_pkcs12_read) return; RETVAL_FALSE; - + bio_in = BIO_new(BIO_s_mem()); - + if(!BIO_write(bio_in, zp12, zp12_len)) goto cleanup; - + if(d2i_PKCS12_bio(bio_in, &p12)) { if(PKCS12_parse(p12, pass, &pkey, &cert, &ca)) { BIO * bio_out; @@ -1996,12 +2272,12 @@ PHP_FUNCTION(openssl_pkcs12_read) MAKE_STD_ZVAL(zextracerts); array_init(zextracerts); - + for (i=0;;i++) { zval * zextracert; X509* aCA = sk_X509_pop(ca); if (!aCA) break; - + bio_out = BIO_new(BIO_s_mem()); if (PEM_write_bio_X509(bio_out, aCA)) { BUF_MEM *bio_buf; @@ -2009,7 +2285,7 @@ PHP_FUNCTION(openssl_pkcs12_read) MAKE_STD_ZVAL(zextracert); ZVAL_STRINGL(zextracert, bio_buf->data, bio_buf->length, 1); add_index_zval(zextracerts, i, zextracert); - + } BIO_free(bio_out); @@ -2021,13 +2297,13 @@ PHP_FUNCTION(openssl_pkcs12_read) } else { zval_dtor(zextracerts); } - + RETVAL_TRUE; - + PKCS12_free(p12); } } - + cleanup: if (bio_in) { BIO_free(bio_in); @@ -2035,7 +2311,7 @@ PHP_FUNCTION(openssl_pkcs12_read) if (pkey) { EVP_PKEY_free(pkey); } - if (cert) { + if (cert) { X509_free(cert); } } @@ -2054,7 +2330,7 @@ static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, z return FAILURE; } dn_sk = CONF_get_section(req->req_config, dn_sect); - if (dn_sk == NULL) { + if (dn_sk == NULL) { return FAILURE; } attr_sect = CONF_get_string(req->req_config, req->section_name, "attributes"); @@ -2074,15 +2350,15 @@ static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, z X509_NAME * subj; HashPosition hpos; zval ** item; - + subj = X509_REQ_get_subject_name(csr); /* apply values from the dn hash */ zend_hash_internal_pointer_reset_ex(HASH_OF(dn), &hpos); while(zend_hash_get_current_data_ex(HASH_OF(dn), (void**)&item, &hpos) == SUCCESS) { - char * strindex = NULL; + char * strindex = NULL; uint strindexlen = 0; ulong intindex; - + zend_hash_get_current_key_ex(HASH_OF(dn), &strindex, &strindexlen, &intindex, 0, &hpos); convert_to_string_ex(item); @@ -2092,7 +2368,7 @@ static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, z nid = OBJ_txt2nid(strindex); if (nid != NID_undef) { - if (!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_UTF8, + if (!X509_NAME_add_entry_by_NID(subj, nid, MBSTRING_UTF8, (unsigned char*)Z_STRVAL_PP(item), -1, -1, 0)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, @@ -2113,10 +2389,10 @@ static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, z for(i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) { int len; char buffer[200 + 1]; /*200 + \0 !*/ - + v = sk_CONF_VALUE_value(dn_sk, i); type = v->name; - + len = strlen(type); if (len < sizeof("_default")) { continue; @@ -2131,7 +2407,7 @@ static int php_openssl_make_REQ(struct php_x509_request * req, X509_REQ * csr, z memcpy(buffer, type, len); buffer[len] = '\0'; type = buffer; - + /* Skip past any leading X. X: X, etc to allow for multiple * instances */ for (str = type; *str; str++) { @@ -2212,7 +2488,7 @@ static X509_REQ * php_openssl_csr_from_zval(zval ** val, int makeresource, long X509_REQ * csr = NULL; char * filename = NULL; BIO * in; - + if (resourceval) { *resourceval = -1; } @@ -2353,13 +2629,13 @@ PHP_FUNCTION(openssl_csr_sign) long csr_resource, certresource = 0, keyresource = -1; int i; struct php_x509_request req; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ZZ!Zl|a!l", &zcsr, &zcert, &zpkey, &num_days, &args, &serial) == FAILURE) return; RETVAL_FALSE; PHP_SSL_REQ_INIT(&req); - + csr = php_openssl_csr_from_zval(zcsr, 0, &csr_resource TSRMLS_CC); if (csr == NULL) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "cannot get CSR from parameter 1"); @@ -2381,7 +2657,7 @@ PHP_FUNCTION(openssl_csr_sign) php_error_docref(NULL TSRMLS_CC, E_WARNING, "private key does not correspond to signing cert"); goto cleanup; } - + if (PHP_SSL_REQ_PARSE(&req, args) == FAILURE) { goto cleanup; } @@ -2401,9 +2677,9 @@ PHP_FUNCTION(openssl_csr_sign) php_error_docref(NULL TSRMLS_CC, E_WARNING, "Signature did not match the certificate request"); goto cleanup; } - + /* Now we can get on with it */ - + new_cert = X509_new(); if (new_cert == NULL) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "No memory"); @@ -2414,7 +2690,7 @@ PHP_FUNCTION(openssl_csr_sign) goto cleanup; ASN1_INTEGER_set(X509_get_serialNumber(new_cert), serial); - + X509_set_subject_name(new_cert, X509_REQ_get_subject_name(csr)); if (cert == NULL) { @@ -2431,7 +2707,7 @@ PHP_FUNCTION(openssl_csr_sign) } if (req.extensions_section) { X509V3_CTX ctx; - + X509V3_set_ctx(&ctx, cert, new_cert, csr, NULL, 0); X509V3_set_conf_lhash(&ctx, req.req_config); if (!X509V3_EXT_add_conf(req.req_config, &ctx, req.extensions_section, new_cert)) { @@ -2444,11 +2720,11 @@ PHP_FUNCTION(openssl_csr_sign) php_error_docref(NULL TSRMLS_CC, E_WARNING, "failed to sign it"); goto cleanup; } - + /* Succeeded; lets return the cert */ RETVAL_RESOURCE(zend_list_insert(new_cert, le_x509 TSRMLS_CC)); new_cert = NULL; - + cleanup: if (cert == new_cert) { @@ -2465,7 +2741,7 @@ PHP_FUNCTION(openssl_csr_sign) if (csr_resource == -1 && csr) { X509_REQ_free(csr); } - if (certresource == -1 && cert) { + if (certresource == -1 && cert) { X509_free(cert); } if (new_cert) { @@ -2484,12 +2760,12 @@ PHP_FUNCTION(openssl_csr_new) X509_REQ * csr = NULL; int we_made_the_key = 1; long key_resource; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "az|a!a!", &dn, &out_pkey, &args, &attribs) == FAILURE) { return; } RETVAL_FALSE; - + PHP_SSL_REQ_INIT(&req); if (PHP_SSL_REQ_PARSE(&req, args) == SUCCESS) { @@ -2521,10 +2797,10 @@ PHP_FUNCTION(openssl_csr_new) php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error loading extension section %s", req.request_extensions_section); } else { RETVAL_TRUE; - + if (X509_REQ_sign(csr, req.priv_key, req.digest)) { RETVAL_RESOURCE(zend_list_insert(csr, le_csr TSRMLS_CC)); - csr = NULL; + csr = NULL; } else { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error signing request"); } @@ -2649,14 +2925,14 @@ static EVP_PKEY * php_openssl_evp_from_zval(zval ** val, int public_key, char * } if (Z_TYPE_PP(val) == IS_ARRAY) { zval ** zphrase; - + /* get passphrase */ if (zend_hash_index_find(HASH_OF(*val), 1, (void **)&zphrase) == FAILURE) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "key array must be of the form array(0 => key, 1 => phrase)"); return NULL; } - + if (Z_TYPE_PP(zphrase) == IS_STRING) { passphrase = Z_STRVAL_PP(zphrase); } else { @@ -2681,7 +2957,7 @@ static EVP_PKEY * php_openssl_evp_from_zval(zval ** val, int public_key, char * if (!what) { TMP_CLEAN; } - if (resourceval) { + if (resourceval) { *resourceval = Z_LVAL_PP(val); } if (type == le_x509) { @@ -2715,8 +2991,8 @@ static EVP_PKEY * php_openssl_evp_from_zval(zval ** val, int public_key, char * } } else { /* force it to be a string and check if it refers to a file */ - /* passing non string values leaks, object uses toString, it returns NULL - * See bug38255.phpt + /* passing non string values leaks, object uses toString, it returns NULL + * See bug38255.phpt */ if (!(Z_TYPE_PP(val) == IS_STRING || Z_TYPE_PP(val) == IS_OBJECT)) { TMP_CLEAN; @@ -2790,7 +3066,7 @@ static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req char * randfile = NULL; int egdsocket, seeded; EVP_PKEY * return_val = NULL; - + if (req->priv_key_bits < MIN_KEY_LENGTH) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "private key length is too short; it needs to be at least %d bits, not %d", MIN_KEY_LENGTH, req->priv_key_bits); @@ -2799,7 +3075,7 @@ static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req randfile = CONF_get_string(req->req_config, req->section_name, "RANDFILE"); php_openssl_load_rand_file(randfile, &egdsocket, &seeded TSRMLS_CC); - + if ((req->priv_key = EVP_PKEY_new()) != NULL) { switch(req->priv_key_type) { case OPENSSL_KEYTYPE_RSA: @@ -2849,13 +3125,13 @@ static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req } php_openssl_write_rand_file(randfile, egdsocket, seeded); - + if (return_val == NULL) { EVP_PKEY_free(req->priv_key); req->priv_key = NULL; return NULL; } - + return return_val; } /* }}} */ @@ -2884,7 +3160,7 @@ static int php_openssl_is_private_key(EVP_PKEY* pkey TSRMLS_DC) case EVP_PKEY_DSA4: assert(pkey->pkey.dsa != NULL); - if (NULL == pkey->pkey.dsa->p || NULL == pkey->pkey.dsa->q || NULL == pkey->pkey.dsa->priv_key){ + if (NULL == pkey->pkey.dsa->p || NULL == pkey->pkey.dsa->q || NULL == pkey->pkey.dsa->priv_key){ return 0; } break; @@ -3015,7 +3291,7 @@ PHP_FUNCTION(openssl_pkey_new) } RETURN_FALSE; } - } + } PHP_SSL_REQ_INIT(&req); @@ -3044,7 +3320,7 @@ PHP_FUNCTION(openssl_pkey_export_to_file) EVP_PKEY * key; BIO * bio_out = NULL; const EVP_CIPHER * cipher; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zp|s!a!", &zpkey, &filename, &filename_len, &passphrase, &passphrase_len, &args) == FAILURE) { return; } @@ -3056,11 +3332,11 @@ PHP_FUNCTION(openssl_pkey_export_to_file) php_error_docref(NULL TSRMLS_CC, E_WARNING, "cannot get key from parameter 1"); RETURN_FALSE; } - + if (php_openssl_open_base_dir_chk(filename TSRMLS_CC)) { RETURN_FALSE; } - + PHP_SSL_REQ_INIT(&req); if (PHP_SSL_REQ_PARSE(&req, args) == SUCCESS) { @@ -3103,7 +3379,7 @@ PHP_FUNCTION(openssl_pkey_export) EVP_PKEY * key; BIO * bio_out = NULL; const EVP_CIPHER * cipher; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zz|s!a!", &zpkey, &out, &passphrase, &passphrase_len, &args) == FAILURE) { return; } @@ -3115,7 +3391,7 @@ PHP_FUNCTION(openssl_pkey_export) php_error_docref(NULL TSRMLS_CC, E_WARNING, "cannot get key from parameter 1"); RETURN_FALSE; } - + PHP_SSL_REQ_INIT(&req); if (PHP_SSL_REQ_PARSE(&req, args) == SUCCESS) { @@ -3235,7 +3511,7 @@ PHP_FUNCTION(openssl_pkey_get_details) array_init(return_value); add_assoc_long(return_value, "bits", EVP_PKEY_bits(pkey)); add_assoc_stringl(return_value, "key", pbio, pbio_len, 1); - /*TODO: Use the real values once the openssl constants are used + /*TODO: Use the real values once the openssl constants are used * See the enum at the top of this file */ switch (EVP_PKEY_type(pkey->type)) { @@ -3259,7 +3535,7 @@ PHP_FUNCTION(openssl_pkey_get_details) add_assoc_zval(return_value, "rsa", rsa); } - break; + break; case EVP_PKEY_DSA: case EVP_PKEY_DSA2: case EVP_PKEY_DSA3: @@ -3280,7 +3556,7 @@ PHP_FUNCTION(openssl_pkey_get_details) } break; case EVP_PKEY_DH: - + ktype = OPENSSL_KEYTYPE_DH; if (pkey->pkey.dh != NULL) { @@ -3296,7 +3572,7 @@ PHP_FUNCTION(openssl_pkey_get_details) } break; -#ifdef EVP_PKEY_EC +#ifdef EVP_PKEY_EC case EVP_PKEY_EC: ktype = OPENSSL_KEYTYPE_EC; break; @@ -3330,7 +3606,7 @@ PHP_FUNCTION(openssl_pkcs7_verify) char * extracerts = NULL; int extracerts_len = 0; char * signersfilename = NULL; int signersfilename_len = 0; char * datafilename = NULL; int datafilename_len = 0; - + RETVAL_LONG(-1); if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pl|papp", &filename, &filename_len, @@ -3338,7 +3614,7 @@ PHP_FUNCTION(openssl_pkcs7_verify) &extracerts, &extracerts_len, &datafilename, &datafilename_len) == FAILURE) { return; } - + if (extracerts) { others = load_all_certs_from_file(extracerts); if (others == NULL) { @@ -3390,11 +3666,11 @@ PHP_FUNCTION(openssl_pkcs7_verify) if (signersfilename) { BIO *certout; - + if (php_openssl_open_base_dir_chk(signersfilename TSRMLS_CC)) { goto clean_exit; } - + certout = BIO_new_file(signersfilename, "w"); if (certout) { int i; @@ -3443,14 +3719,14 @@ PHP_FUNCTION(openssl_pkcs7_encrypt) char * strindex; char * infilename = NULL; int infilename_len; char * outfilename = NULL; int outfilename_len; - + RETVAL_FALSE; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ppZa!|ll", &infilename, &infilename_len, &outfilename, &outfilename_len, &zrecipcerts, &zheaders, &flags, &cipherid) == FAILURE) return; - + if (php_openssl_open_base_dir_chk(infilename TSRMLS_CC) || php_openssl_open_base_dir_chk(outfilename TSRMLS_CC)) { return; } @@ -3461,7 +3737,7 @@ PHP_FUNCTION(openssl_pkcs7_encrypt) } outfile = BIO_new_file(outfilename, "w"); - if (outfile == NULL) { + if (outfile == NULL) { goto clean_exit; } @@ -3588,12 +3864,12 @@ PHP_FUNCTION(openssl_pkcs7_sign) &extracertsfilename_len) == FAILURE) { return; } - + RETVAL_FALSE; if (extracertsfilename) { others = load_all_certs_from_file(extracertsfilename); - if (others == NULL) { + if (others == NULL) { goto clean_exit; } } @@ -3704,7 +3980,7 @@ PHP_FUNCTION(openssl_pkcs7_decrypt) php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to get private key"); goto clean_exit; } - + if (php_openssl_open_base_dir_chk(infilename TSRMLS_CC) || php_openssl_open_base_dir_chk(outfilename TSRMLS_CC)) { goto clean_exit; } @@ -3723,7 +3999,7 @@ PHP_FUNCTION(openssl_pkcs7_decrypt) if (p7 == NULL) { goto clean_exit; } - if (PKCS7_decrypt(p7, key, cert, out, PKCS7_DETACHED)) { + if (PKCS7_decrypt(p7, key, cert, out, PKCS7_DETACHED)) { RETVAL_TRUE; } clean_exit: @@ -3756,7 +4032,7 @@ PHP_FUNCTION(openssl_private_encrypt) int data_len; long padding = RSA_PKCS1_PADDING; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "szZ|l", &data, &data_len, &crypted, &key, &padding) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "szZ|l", &data, &data_len, &crypted, &key, &padding) == FAILURE) { return; } RETVAL_FALSE; @@ -3774,10 +4050,10 @@ PHP_FUNCTION(openssl_private_encrypt) switch (pkey->type) { case EVP_PKEY_RSA: case EVP_PKEY_RSA2: - successful = (RSA_private_encrypt(data_len, - (unsigned char *)data, - cryptedbuf, - pkey->pkey.rsa, + successful = (RSA_private_encrypt(data_len, + (unsigned char *)data, + cryptedbuf, + pkey->pkey.rsa, padding) == cryptedlen); break; default: @@ -3794,7 +4070,7 @@ PHP_FUNCTION(openssl_private_encrypt) if (cryptedbuf) { efree(cryptedbuf); } - if (keyresource == -1) { + if (keyresource == -1) { EVP_PKEY_free(pkey); } } @@ -3832,10 +4108,10 @@ PHP_FUNCTION(openssl_private_decrypt) switch (pkey->type) { case EVP_PKEY_RSA: case EVP_PKEY_RSA2: - cryptedlen = RSA_private_decrypt(data_len, - (unsigned char *)data, - crypttemp, - pkey->pkey.rsa, + cryptedlen = RSA_private_decrypt(data_len, + (unsigned char *)data, + crypttemp, + pkey->pkey.rsa, padding); if (cryptedlen != -1) { cryptedbuf = emalloc(cryptedlen + 1); @@ -3860,7 +4136,7 @@ PHP_FUNCTION(openssl_private_decrypt) if (keyresource == -1) { EVP_PKEY_free(pkey); } - if (cryptedbuf) { + if (cryptedbuf) { efree(cryptedbuf); } } @@ -3884,7 +4160,7 @@ PHP_FUNCTION(openssl_public_encrypt) return; RETVAL_FALSE; - + pkey = php_openssl_evp_from_zval(key, 1, NULL, 0, &keyresource TSRMLS_CC); if (pkey == NULL) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "key parameter is not a valid public key"); @@ -3897,10 +4173,10 @@ PHP_FUNCTION(openssl_public_encrypt) switch (pkey->type) { case EVP_PKEY_RSA: case EVP_PKEY_RSA2: - successful = (RSA_public_encrypt(data_len, - (unsigned char *)data, - cryptedbuf, - pkey->pkey.rsa, + successful = (RSA_public_encrypt(data_len, + (unsigned char *)data, + cryptedbuf, + pkey->pkey.rsa, padding) == cryptedlen); break; default: @@ -3943,7 +4219,7 @@ PHP_FUNCTION(openssl_public_decrypt) return; } RETVAL_FALSE; - + pkey = php_openssl_evp_from_zval(key, 1, NULL, 0, &keyresource TSRMLS_CC); if (pkey == NULL) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "key parameter is not a valid public key"); @@ -3956,10 +4232,10 @@ PHP_FUNCTION(openssl_public_decrypt) switch (pkey->type) { case EVP_PKEY_RSA: case EVP_PKEY_RSA2: - cryptedlen = RSA_public_decrypt(data_len, - (unsigned char *)data, - crypttemp, - pkey->pkey.rsa, + cryptedlen = RSA_public_decrypt(data_len, + (unsigned char *)data, + crypttemp, + pkey->pkey.rsa, padding); if (cryptedlen != -1) { cryptedbuf = emalloc(cryptedlen + 1); @@ -3967,10 +4243,10 @@ PHP_FUNCTION(openssl_public_decrypt) successful = 1; } break; - + default: php_error_docref(NULL TSRMLS_CC, E_WARNING, "key type not supported in this PHP build!"); - + } efree(crypttemp); @@ -4088,7 +4364,7 @@ PHP_FUNCTION(openssl_verify) char * signature; int signature_len; zval *method = NULL; long signature_algo = OPENSSL_ALGO_SHA1; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ssZ|z", &data, &data_len, &signature, &signature_len, &key, &method) == FAILURE) { return; } @@ -4147,7 +4423,7 @@ PHP_FUNCTION(openssl_seal) if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "szza/|s", &data, &data_len, &sealdata, &ekeys, &pubkeys, &method, &method_len) == FAILURE) { return; } - + pubkeysht = HASH_OF(pubkeys); nkeys = pubkeysht ? zend_hash_num_elements(pubkeysht) : 0; if (!nkeys) { @@ -4242,7 +4518,7 @@ PHP_FUNCTION(openssl_seal) if (key_resources[i] == -1) { EVP_PKEY_free(pkeys[i]); } - if (eks[i]) { + if (eks[i]) { efree(eks[i]); } } @@ -4288,13 +4564,13 @@ PHP_FUNCTION(openssl_open) } else { cipher = EVP_rc4(); } - + buf = emalloc(data_len + 1); if (EVP_OpenInit(&ctx, cipher, (unsigned char *)ekey, ekey_len, NULL, pkey) && EVP_OpenUpdate(&ctx, buf, &len1, (unsigned char *)data, data_len)) { if (!EVP_OpenFinal(&ctx, buf + len1, &len2) || (len1 + len2 == 0)) { efree(buf); - if (keyresource == -1) { + if (keyresource == -1) { EVP_PKEY_free(pkey); } RETURN_FALSE; @@ -4531,7 +4807,7 @@ SSL *php_SSL_new_from_context(SSL_CTX *ctx, php_stream *stream TSRMLS_DC) /* {{{ if (SSL_CTX_use_PrivateKey_file(ctx, resolved_path_buff, SSL_FILETYPE_PEM) != 1) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to set private key file `%s'", resolved_path_buff); return NULL; - } + } } tmpssl = SSL_new(ctx); @@ -4588,7 +4864,7 @@ PHP_FUNCTION(openssl_get_md_methods) } array_init(return_value); OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_MD_METH, - aliases ? openssl_add_method_or_alias: openssl_add_method, + aliases ? openssl_add_method_or_alias: openssl_add_method, return_value); } /* }}} */ @@ -4604,7 +4880,7 @@ PHP_FUNCTION(openssl_get_cipher_methods) } array_init(return_value); OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, - aliases ? openssl_add_method_or_alias: openssl_add_method, + aliases ? openssl_add_method_or_alias: openssl_add_method, return_value); } /* }}} */ diff --git a/ext/openssl/php_openssl.h b/ext/openssl/php_openssl.h index fc118dba1ebb8..59b53a1b178dd 100644 --- a/ext/openssl/php_openssl.h +++ b/ext/openssl/php_openssl.h @@ -77,6 +77,12 @@ PHP_FUNCTION(openssl_csr_export_to_file); PHP_FUNCTION(openssl_csr_sign); PHP_FUNCTION(openssl_csr_get_subject); PHP_FUNCTION(openssl_csr_get_public_key); + +PHP_FUNCTION(openssl_spki_new); +PHP_FUNCTION(openssl_spki_verify); +PHP_FUNCTION(openssl_spki_export); +PHP_FUNCTION(openssl_spki_export_challenge); +PHP_FUNCTION(openssl_spki_details); #else #define phpext_openssl_ptr NULL diff --git a/ext/openssl/tests/026.phpt b/ext/openssl/tests/026.phpt new file mode 100644 index 0000000000000..026330ad8c32a --- /dev/null +++ b/ext/openssl/tests/026.phpt @@ -0,0 +1,208 @@ +--TEST-- +openssl_spki_new(), openssl_spki_verify(), openssl_spki_export(), openssl_spki_export_challenge(), openssl_spki_details() +--SKIPIF-- + +--FILE-- + +--EXPECT-- +Creating private key +Creating new SPKAC with defaults +Verifying SPKAC using defaults +Exporting challenge using defaults +Exporting public key from SPKAC using defaults +Generating details of SPKAC structure using defaults +Creating new SPKAC using md5 signature +Verifying SPKAC using md5 signature +Exporting challenge using md5 signature +Exporting public key from SPKAC using md5 signature +Generating details of SPKAC structure using md5 signature +Creating new SPKAC using sha1 signature +Verifying SPKAC using sha1 signature +Exporting challenge using sha1 signature +Exporting public key from SPKAC using sha1 signature +Generating details of SPKAC structure using sha1 signature +Creating new SPKAC using sha512 signature +Verifying SPKAC using sha512 signature +Exporting challenge using sha512 signature +Exporting public key from SPKAC using sha512 signature +Generating details of SPKAC structure using sha512 signature +OK!