Newsgroups: php.internals
Date: Wed, 31 May 2017 12:19:54 +0200
To: php-internals
Message-ID: <20170531101952.GB26690@gmail.com>
Subject: [RFC] Add openssl_pkcs7_read and extend openssl_pkcs7_verify
From: jelle@vdwaa.nl (Jelle van der Waa)

I would like to propose the addition of openssl_pkcs7_read and extending
openssl_pkcs7_verify to also return a PKCS7 structure.

The reasoning for the addition of these functions is the requirement at work
to obtain the CA certificates usually sent along with a signed email. The CA
certificates are required for OCSP verification (which is currently done in
pure PHP; I would also like to see this added to PHP in the future). It is
currently impossible to acquire the CA certificates with the openssl functions
which PHP provides. I've also found a bug report requesting the ability to
read a PKCS7 blob. [1]

To summarize, I would propose to add an optional parameter to
openssl_pkcs7_verify which takes a string that defines the location where the
PKCS7 blob should be stored.

    // $file: the signed S/MIME message; $outfile: where the signer certificates
    // are written; $content: where the verified content is written
    $pkcs7 = "chain.pk7";
    openssl_pkcs7_verify($file, PKCS7_NOVERIFY, $outfile, [], $outfile, $content, $pkcs7);

To be able to read the blob, I would propose a new function openssl_pkcs7_read
which returns an array of strings containing the PEM certificates in the PKCS7
blob. I've based the naming and behaviour on openssl_pkcs12_read.

    // $data receives the PEM certificates found in the blob
    openssl_pkcs7_read($pkcs7, $data);
    var_dump($data);

I've implemented the above-mentioned changes in my fork of PHP; mind that the
code isn't ready for a PR yet since there are some styling issues, possible
memory leaks and of course missing tests. The code however works as a proof of
concept. [2]

For further background information, obtaining the pk7 output can be done with
the 'openssl' tool:

    openssl smime -verify -pk7out -in signed_email.eml > foo.pkcs7
    openssl pkcs7 -print_certs -in foo.pkcs7

[1] https://bugs.php.net/bug.php?id=72249
[2] https://github.com/jelly/php-src/commits/pkcs7

--
Jelle van der Waa
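Putting the two proposed calls together, as an added example that is not part of the RFC or of the fork: verify a signed message against a trusted CA bundle, pull the sender's chain out of the PKCS7 blob, and parse each certificate for the fields an OCSP check needs. It assumes the parameters as proposed above (openssl_pkcs7_read taking the PEM blob's contents as a string, which is how both functions later shipped in PHP 7.2) and hypothetical paths for the signed message and the CA bundle.

```php
<?php
// Added example (not from the RFC or the php-src fork). Assumed signatures,
// as proposed in the RFC above (and as they later shipped in PHP 7.2):
//   openssl_pkcs7_verify($file, $flags, $signers, $ca_info, $untrusted, $content, $pk7)
//   openssl_pkcs7_read(string $pkcs7_pem, array &$certs): bool
// $signedEmail and $caBundle are hypothetical paths supplied by the caller.
function extractChainFromSignedEmail(string $signedEmail, string $caBundle): array
{
    $signersFile = tempnam(sys_get_temp_dir(), 'signers');
    $contentFile = tempnam(sys_get_temp_dir(), 'content');
    $pk7File     = tempnam(sys_get_temp_dir(), 'pk7');
    try {
        // Verify against the trusted bundle first: the chain is only read back
        // after the signature checks out, so a forged message cannot feed
        // attacker-chosen certificates into the OCSP step.
        $ok = openssl_pkcs7_verify($signedEmail, 0, $signersFile, [$caBundle], null, $contentFile, $pk7File);
        if ($ok !== true) {
            throw new RuntimeException('signature verification failed: ' . openssl_error_string());
        }
        $certs = [];
        if (!openssl_pkcs7_read(file_get_contents($pk7File), $certs)) {
            throw new RuntimeException('cannot parse the PKCS7 blob');
        }
        return $certs; // PEM strings: the signer plus the CA certs it was sent with
    } finally {
        foreach ([$signersFile, $contentFile, $pk7File] as $f) { @unlink($f); }
    }
}

// For each certificate, collect subject, issuer and the OCSP responder URL from
// the Authority Information Access extension, i.e. what an OCSP request needs.
function describeChain(array $pemCerts): array
{
    $out = [];
    foreach ($pemCerts as $pem) {
        $info = openssl_x509_parse($pem);
        if ($info === false) continue; // skip anything OpenSSL cannot parse
        $aia = $info['extensions']['authorityInfoAccess'] ?? '';
        preg_match('/OCSP - URI:(\S+)/', $aia, $m);
        $out[] = [
            'subject' => $info['name'],
            'issuer'  => $info['issuer']['CN'] ?? '',
            'ocsp'    => $m[1] ?? null,
        ];
    }
    return $out;
}

// Usage (hypothetical paths):
// print_r(describeChain(extractChainFromSignedEmail('signed_email.eml', '/etc/ssl/certs/ca-certificates.crt')));
```

A certificate without an authorityInfoAccess extension yields 'ocsp' => null, which the caller should treat as "cannot check revocation" rather than as a pass.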