Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Add openssl_pkcs7_read and extend openssl_pkcs7_verify
From: bukka@php.net (Jakub Zelenka)
To: Jelle van der Waa
Cc: php-internals
Date: Sun, 4 Jun 2017 19:00:42 +0100
In-Reply-To: <20170531101952.GB26690@gmail.com>

On Wed, May 31, 2017 at 11:19 AM, Jelle van der Waa wrote:

> I would like to propose the addition of openssl_pkcs7_read and extending
> openssl_pkcs7_verify to also return a PKCS7 structure. The reasoning for
> the addition of these functions is the requirement at work to obtain the
> CA certificates usually sent along with a signed email. The CA
> certificates are required for OCSP verification (which is currently done
> in pure PHP; I would also like to see this added in PHP in the future).
>
> It is currently impossible to acquire the CA certificates with the
> openssl functions which PHP provides; I've also found a bug report
> requesting the ability to read a PKCS7 blob. [1]
>
> To summarize, I would propose to add an optional parameter to
> openssl_pkcs7_verify which takes a string that defines the location
> where the PKCS7 blob should be stored.
>
>     $pkcs7 = "chain.pk7";
>     openssl_pkcs7_verify($file, PKCS7_NOVERIFY, $outfile, [], $outfile,
>         $content, $pkcs7);
>
> To be able to read the blob, I would propose a new function
> openssl_pkcs7_read which returns an array of strings containing the PEM
> certificates in the PKCS7 blob. I've based the naming and behaviour on
> openssl_pkcs12_read.
>
>     openssl_pkcs7_read($pkcs7, $data);
>     var_dump($data);
>
> I've implemented the above mentioned changes in my fork of PHP; mind
> that the code isn't ready for a PR yet since there are some styling
> issues, possible memory leaks and of course missing tests. The code
> however works as a proof of concept. [2]
>
> For further background information, obtaining the pk7 output can be done
> with the 'openssl' tool:
>
>     openssl smime -verify -pk7out -in signed_email.eml > foo.pkcs7
>     openssl pkcs7 -print_certs -in foo.pkcs7
>

It seems reasonable from the quick look. I don't think we need an RFC unless there are some objections. Once it's ready, a PR should be enough IMHO.

Cheers

Jakub
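The following is an added example written for this page; it is not code from the proposal, from Jelle's fork, or from PHP itself. It uses the function shapes described in the quoted message: openssl_pkcs7_verify() with a trailing output path for the PKCS7 blob, and openssl_pkcs7_read() filling an array with PEM certificate strings (following openssl_pkcs12_read, the blob contents rather than a file name are passed to it, which is an assumption about the proposed behaviour). The file names signed_email.eml, chain.pk7, signers.pem and ca-bundle.pem are placeholders. The point a practitioner should take from it is the trust boundary: the extraction step runs with PKCS7_NOVERIFY, so everything it returns, including any CA certificates the sender bundled, is untrusted sender-supplied data. Those certificates may serve as intermediates, but the chain must still be validated against a locally configured root store (the second openssl_pkcs7_verify() call, without PKCS7_NOVERIFY) before the extracted certificates are used for anything such as the OCSP check the proposal mentions.

```php
<?php
declare(strict_types=1);

// Added example (not the proposal's code). File names are assumed placeholders.
const SIGNED_MAIL = 'signed_email.eml';  // an S/MIME signed message
const CHAIN_OUT   = 'chain.pk7';         // where the PKCS7 blob is written
const SIGNERS_OUT = 'signers.pem';       // where the verified signer certs are written
const TRUSTED_CAS = 'ca-bundle.pem';     // locally trusted roots only; never sender-supplied

/**
 * Step 1: pull the PKCS7 structure out of the message and read its certificates.
 * PKCS7_NOVERIFY skips certificate-chain validation (the signature over the
 * content is still checked), so nothing returned here is trusted yet.
 */
function extractCertificates(string $eml, string $pkcs7Out): array
{
    $ok = openssl_pkcs7_verify($eml, PKCS7_NOVERIFY, null, [], null, null, $pkcs7Out);
    if ($ok !== true) {
        throw new RuntimeException('PKCS7 extraction failed: ' . openssl_error_string());
    }
    // Assumption: like openssl_pkcs12_read(), the function takes the blob contents.
    $certs = [];
    if (!openssl_pkcs7_read((string) file_get_contents($pkcs7Out), $certs)) {
        throw new RuntimeException('cannot read PKCS7 blob: ' . openssl_error_string());
    }
    return $certs; // PEM strings: the signer cert plus any CA certs the sender bundled
}

/**
 * Step 2: describe each extracted certificate so CA certs can be told apart
 * from the end-entity signer. basicConstraints CA:TRUE marks a CA cert.
 */
function describeCertificates(array $pems): array
{
    $out = [];
    foreach ($pems as $pem) {
        $info = openssl_x509_parse($pem);
        if ($info === false) {
            continue; // not a parsable X.509 certificate; skip rather than guess
        }
        $bc   = $info['extensions']['basicConstraints'] ?? '';
        $out[] = [
            'subject' => $info['name'],
            'issuer'  => $info['issuer']['CN'] ?? '(no CN)',
            'ca'      => strpos($bc, 'CA:TRUE') !== false,
            'expires' => date('c', $info['validTo_time_t']),
        ];
    }
    return $out;
}

/**
 * Step 3: the real verification. Without PKCS7_NOVERIFY the signer chain must
 * reach a root in $caBundle; certificates carried inside the message act only
 * as intermediates, never as trust anchors.
 */
function verifyAgainstLocalRoots(string $eml, string $caBundle, string $signersOut): bool
{
    return openssl_pkcs7_verify($eml, 0, $signersOut, [$caBundle]) === true;
}

$certs = extractCertificates(SIGNED_MAIL, CHAIN_OUT);
foreach (describeCertificates($certs) as $c) {
    printf("%-60s issuer=%s %s expires=%s\n",
        $c['subject'], $c['issuer'], $c['ca'] ? 'CA' : 'end-entity', $c['expires']);
}

if (verifyAgainstLocalRoots(SIGNED_MAIL, TRUSTED_CAS, SIGNERS_OUT)) {
    echo "signer chain validated against local roots; extracted certs may be used\n";
} else {
    echo "chain NOT trusted: " . openssl_error_string() . "\n";
}
```

Keeping the trusted root bundle separate from the message is the design choice that matters: the first call exists only to get at the material, the second decides whether any of it is believed. Feeding sender-supplied CA certificates into the `$ca_info` array of the verifying call would let the message vouch for itself.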