Newsgroups: php.internals
To: internals@lists.php.net
Message-ID: <8bb21db9-1f64-6520-68af-23840bba77ea@snowgarden.ch>
Date: Wed, 18 Jul 2018 01:14:12 +0200
Subject: Improvements to openssl_csr_new. Need advice
From: dol+php@snowgarden.ch (Dominic Luechinger)

I'd like to improve the openssl_csr_new function to add any X509 "Requested Extensions" [1] to a CSR. My motivation to improve this functionality is to avoid workarounds like altering an openssl.cnf file and passing some ENV variable to it [2].

I already implemented the following new functionality:

Old:

```
mixed openssl_csr_new ( array $dn , resource &$privkey [, array $configargs [, array $extraattribs ]] )
```

New (I can provide a patch, needs cleanup and testing):

```
mixed openssl_csr_new ( array $dn , resource &$privkey [, array $configargs [, array $extraattribs [, array $extraexts ]]] )
```

E.g.:

```
<?php
// Uses the proposed fifth argument $extraexts
$privkey = openssl_pkey_new();
$csr = openssl_csr_new([], $privkey, null, [], [
    'subjectAltName' => 'DNS:example.tld',
]);
```

While implementing the new functionality I realized that the 'Requested Extensions' are represented as a CSR attribute and it contains the ASN1 structure of multiple extensions and their definitions. With the following example the declaration of the extension should be possible without the new argument $extraexts in openssl_csr_new.

```
<?php
$privkey = openssl_pkey_new();
// Use OID of ExtensionRequest
$csr = openssl_csr_new([], $privkey, null, ['1.2.840.113549.1.9.14' => 0xDEADBEEF]);
```

This won't work because the argument $extraattribs only applies to subject attributes. The argument name is kind of misleading. See the following bug report [3] from 2008 that describes the issue in a good manner. IMHO this bug report is valid and the bug should be fixed in a way that the attributes are added to the certificationRequestInfo [4] instead of being merged into the subject. This might break some existing usage of this argument. With this bug fixed, 'Requested Extensions' can be added in a programmatic way. To generate the DER encoded content of 'Requested Extensions' an ASN1 library should be used.

Now comes the tricky part about supporting my initial goal to add additional 'Requested Extensions' to a CSR. Should I submit my patch with the extra argument as a PR or should I fix the bug 45076 or should I do both?

extraexts VS bug fix:

- No BC break VS BC break
- No need for an ASN1 library VS working with ASN1 DER encoded data
- Default extensions from openssl.cnf are preserved and can be overwritten VS definition of 'Requested Extensions' in DER overwrites default extensions from openssl.cnf

Looking at the pros and cons my gut tells me to do both. Patch and bug fix.

Any other suggestions/thoughts?

Kind regards
Dominic

PS: In addition to this patch I'm also working on an openssl_x509_parse equivalent for CSRs.

[1] http://www.alvestrand.no/objectid/1.2.840.113549.1.9.14.html
[2] https://gist.github.com/dol/e0b7f084e2e7158efc87
[3] https://bugs.php.net/bug.php?id=45076
[4] https://tools.ietf.org/html/rfc2986
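The post says the bug-fix route needs an ASN1 library to produce the DER value of the extensionRequest attribute. The following is an added example, not code from the post and not part of PHP's openssl extension: it hand-encodes that attribute for a subjectAltName with two dNSName entries, so the reader can see the exact nesting (Attribute -> SET -> Extensions -> Extension -> OCTET STRING -> GeneralNames) that a fixed $extraattribs would have to carry. The function names `der_len`, `der`, `der_oid`, `san_extension` and `extension_request_attribute` are mine, and the host names are constructed sample input.

```php
<?php
// Added example (not from the mailing-list post): minimal DER encoder for the
// PKCS#10 extensionRequest attribute (OID 1.2.840.113549.1.9.14) carrying a
// subjectAltName extension (OID 2.5.29.17). All helper names are invented here.

// DER length: short form for < 128, long form (0x80 | byte count, then bytes) otherwise.
function der_len(int $n): string {
    if ($n < 0x80) {
        return chr($n);
    }
    $bytes = ltrim(pack('N', $n), "\0");
    return chr(0x80 | strlen($bytes)) . $bytes;
}

// Generic TLV: tag byte, DER length, content.
function der(int $tag, string $content): string {
    return chr($tag) . der_len(strlen($content)) . $content;
}

// OBJECT IDENTIFIER: first two arcs packed as 40*a + b, remaining arcs base-128
// big-endian with the high bit set on every byte except the last.
function der_oid(string $dotted): string {
    $arcs = array_map('intval', explode('.', $dotted));
    $out = chr(40 * $arcs[0] + $arcs[1]);
    for ($i = 2; $i < count($arcs); $i++) {
        $v = $arcs[$i];
        $enc = chr($v & 0x7f);
        $v >>= 7;
        while ($v > 0) {
            $enc = chr(0x80 | ($v & 0x7f)) . $enc;
            $v >>= 7;
        }
        $out .= $enc;
    }
    return der(0x06, $out);
}

// Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
// For subjectAltName the OCTET STRING wraps GeneralNames ::= SEQUENCE OF GeneralName,
// and dNSName is the context-specific IMPLICIT tag [2] (tag byte 0x82) over an IA5String.
function san_extension(array $dnsNames, bool $critical = false): string {
    $names = '';
    foreach ($dnsNames as $name) {
        $names .= der(0x82, $name);
    }
    $generalNames = der(0x30, $names);
    $ext = der_oid('2.5.29.17');
    if ($critical) {
        $ext .= der(0x01, "\xff");    // BOOLEAN TRUE; omitted when FALSE per DER
    }
    $ext .= der(0x04, $generalNames); // extnValue OCTET STRING
    return der(0x30, $ext);
}

// Attribute ::= SEQUENCE { type OID, values SET OF ANY }
// For extensionRequest the single SET member is Extensions ::= SEQUENCE OF Extension.
function extension_request_attribute(array $extensions): string {
    $extensionsSeq = der(0x30, implode('', $extensions));
    return der(0x30, der_oid('1.2.840.113549.1.9.14') . der(0x31, $extensionsSeq));
}

// Constructed sample input: a SAN requesting two host names.
$attr = extension_request_attribute([
    san_extension(['example.tld', 'www.example.tld']),
]);

file_put_contents('extreq-attr.der', $attr);
echo bin2hex($attr), PHP_EOL;
```

The OID bytes are worth checking by eye when writing this kind of code: 1.2.840.113549.1.9.14 must come out as `2a 86 48 86 f7 0d 01 09 0e` and 2.5.29.17 as `55 1d 11`. To confirm the whole structure rather than trusting the encoder, feed the written file to the OpenSSL CLI with `openssl asn1parse -inform DER -i -in extreq-attr.der`; the indented dump should show the attribute SEQUENCE, the SET, the Extensions SEQUENCE and, inside the OCTET STRING, the two dNSName entries.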