Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:102920 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 77073 invoked from network); 19 Jul 2018 20:36:50 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 19 Jul 2018 20:36:50 -0000 Authentication-Results: pb1.pair.com header.from=me@kelunik.com; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=me@kelunik.com; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain kelunik.com from 85.215.255.25 cause and error) X-PHP-List-Original-Sender: me@kelunik.com X-Host-Fingerprint: 85.215.255.25 mo4-p00-ob.smtp.rzone.de Received: from [85.215.255.25] ([85.215.255.25:22943] helo=mo4-p00-ob.smtp.rzone.de) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 9A/80-06777-266F05B5 for ; Thu, 19 Jul 2018 16:36:50 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1532032607; s=strato-dkim-0002; d=kelunik.com; h=Cc:To:Subject:Message-ID:Date:From:In-Reply-To:References: X-RZG-CLASS-ID:X-RZG-AUTH:From:Subject:Sender; bh=2DTNqabcD1xD91mUVaxNi7n9VDrkzQbFnoZQZZ97JMM=; b=Qyq/Jdob5/MbShPdHHtmhGa23KJ4yQMphgo+huc8rZML0HMH/7lm4H4+zAdmfrAJWM 8UslZJk3eMlsA9aYDScSsyA/352EgaHW0GA8tbbGZMcewWZISdmHoNSbHEAeeP4N6GNi XwSI+LgWb5eCbuKjtbGtBvewNOOtbwa2MwCOvnDftRBvNq0zBWkrLF6BzaUXQsov6kl/ ET4p2wJ/ZHaLapHkikWGrYSZjypS2MznhmS5rnThXIIOIMY35oo8v4tlqsnG4mso1W7Z w1+2JRo00WZTmBMh3VHTW0DcDeHqB5223MkgrPSaAz1yce48/ifxl25Dc+3rBifGx5Eb /6ng== X-RZG-AUTH: ":IWkkfkWkbvHsXQGmRYmUo9mlsGbEv0XHBzMIJSS+jKTzde5mDb8Db2nURiuwcA==" X-RZG-CLASS-ID: mo00 Received: by mail-yw0-f177.google.com with SMTP id k18-v6so3574366ywm.11 for ; Thu, 19 Jul 2018 13:36:47 -0700 (PDT) X-Gm-Message-State: AOUpUlH2eu8+dnzA77xOmpgZ/cfaBhVsVCyMeyIQ6er+auyKE4662xtn qD/M+xBWLC7ECrHjNdNsblkAdjFCkqjoGxeTeCY= X-Google-Smtp-Source: AAOMgpf2hPA4IB9SnoZ1kiKp6AoYEml7xjOo16YoN0Iocj8bZaxwr8C/zSIq/BaJ9jEuTZOJKKvR/dg+Sn1R8IgeBMA= X-Received: by 2002:a81:94c5:: with SMTP id l188-v6mr5958936ywg.463.1532032607112; Thu, 19 Jul 2018 13:36:47 -0700 (PDT) MIME-Version: 1.0 References: <8bb21db9-1f64-6520-68af-23840bba77ea@snowgarden.ch> In-Reply-To: Date: Thu, 19 Jul 2018 22:36:35 +0200 X-Gmail-Original-Message-ID: Message-ID: To: Jakub Zelenka Cc: dol+php@snowgarden.ch, PHP Internals Content-Type: text/plain; charset="UTF-8" Subject: Re: [PHP-DEV] Improvements to openssl_crs_new. Need advice From: me@kelunik.com (Niklas Keller) Hey, I'd prefer a proper OO API in case we add new features in that area. Regards, Niklas Am Do., 19. Juli 2018 um 01:05 Uhr schrieb Jakub Zelenka : > > Hi, > > On Wed, 18 Jul 2018, 00:15 Dominic Luechinger, > wrote: > > > I'd like to improve the openssl_csr_new function to add any X509 > > "Requested Extensions" [1] to a CSR. > > My motivation to improve this functionality is to avoid workarounds like > > altering a openssl.cnf file and pass some ENV variable to it [2]. > > > > I already implemented the following new functionality: > > > > Old: > > mixed openssl_csr_new ( array $dn , resource &$privkey [, array > > $configargs [, array $extraattribs ]] ) > > > > New (I can provide a patch, needs cleanup and testing): > > mixed openssl_csr_new ( array $dn , resource &$privkey [, array > > $configargs [, array $extraattribs[, array $extraexts ]]] ) > > > > E.g: > > ``` > > $privkey = openssl_pkey_new(); > > $csr = openssl_csr_new([], $privkey, null, [], [ > > 'subjectAltName' => 'DNS:example.tld', > > ]); > > > > ``` > > > > While implementing the new functionality I realized that the 'Requested > > Extensions' are represented as a CSR attribute and it contains the ASN1 > > structure of multiple extensions and their definitions. With the > > following example the declaration of the extension should be possible > > without the new argument $extraexts in openssl_csr_new. > > > > ``` > > $privkey = openssl_pkey_new(); > > // Use OID of ExtensionRequest > > $csr = openssl_csr_new([], $privkey, null, ['1.2.840.113549.1.9.14' => > > 0xDEADBEEF]); > > ``` > > > > This won't work because the argument $extraattribs only applies to > > subject attributes. The argument name is kind of misleading. See the > > following bug report [3] from 2008 that describes the issue in a good > > manor. IMHO this bug report is valid and the bug should be fixed in a > > way that the attributes are added to the certificationRequestInfo [4] > > instead being merged into the subject. This might break some existing > > usage of this argument. With this bug fixed 'Requested Extensions' can > > be added in a programmatic way. To generate the DER encoded content of > > 'Requested Extensions' a ASN1 library should be used. > > > > > > Now comes to tricky part about supporting my initial goal to add > > additional'Requested Extensions' to an CSR. > > > > Should I summit my patch with the extra argument as a PR or should I fix > > the bug 45076 or should I do both? > > > > extraexts VS bug fix: > > - No BC break VS BC break > > - No need for a ASN1 library VS working with ASN1 DER encoded data > > - Default extensions from openssl.cnf are preserved and can be > > overwritten VS definition of 'Requested Extensions' in DER overwrites > > default extensions from openssl.cnf > > > > Looking at the pros and cons my guts tells my to do both. Patch and bug > > fix. > > Any other suggestions/thoughts? > > > > I haven't had time to properly look into it but from the quick read, I > would prefer not to break BC even though the behaviour seems incorrect. I > think that changing that can cause some issues potentially. But I might > need more time to think about. Anyway the proposed patch seems reasonable > so it would be great if you can create a PR that. > > Cheers > > Jakub > > >