Newsgroups: php.internals
Xref: news.php.net php.internals:99352
Date: Sun, 4 Jun 2017 20:22:20 +0200
From: jelle@vdwaa.nl (Jelle van der Waa)
To: Jakub Zelenka
Cc: php-internals
Message-ID: <20170604182219.GA6723@gmail.com>
References: <20170531101952.GB26690@gmail.com>
Subject: Re: [PHP-DEV] [RFC] Add openssl_pkcs7_read and extend openssl_pkcs7_verify

On 06/04/17 at 07:00pm, Jakub Zelenka wrote:
> On Wed, May 31, 2017 at 11:19 AM, Jelle van der Waa wrote:
>
> > I would like to propose the addition of openssl_pkcs7_read and extending
> > openssl_pkcs7_verify to also return a PKCS7 structure. The reasoning for
> > the addition of these functions is the requirement at work to obtain the
> > CA certificates usually sent along with a signed email. The CA
> > certificates are required for OCSP verification (which is currently done
> > in pure PHP; I also would like to see this added in PHP in the future).
> >
> > It is currently impossible to acquire the CA certificates with the
> > openssl functions which PHP provides; I've also found a bug report
> > requesting the ability to read a PKCS7 blob. [1]
> >
> > To summarize, I would propose to add an optional parameter to
> > openssl_pkcs7_verify which takes a string that defines the location
> > where the PKCS7 blob should be stored.
> >
> >     $pkcs7 = "chain.pk7";
> >     openssl_pkcs7_verify($file, PKCS7_NOVERIFY, $outfile, [], $outfile,
> >                          $content, $pkcs7);
> >
> > To be able to read the blob, I would propose a new function
> > openssl_pkcs7_read which returns an array of strings containing the PEM
> > certificates in the PKCS7 blob. I've based the naming and behaviour on
> > openssl_pkcs12_read.
> >
> >     openssl_pkcs7_read($pkcs7, $data);
> >     var_dump($data);
> >
> > I've implemented the above-mentioned changes in my fork of PHP; mind
> > that the code isn't ready for a PR yet since there are some styling
> > issues, possible memory leaks and of course missing tests. The code
> > however works as a proof of concept. [2]
> >
> > For further background information, obtaining the pk7 output can be done
> > with the 'openssl' tool:
> >
> >     openssl smime -verify -pk7out -in signed_email.eml > foo.pkcs7
> >     openssl pkcs7 -print_certs -in foo.pkcs7
> >
>
> It seems reasonable from the quick look.
>
> I don't think we need an RFC unless there are some objections. Once it's
> ready, a PR should be enough IMHO.

Thanks, this is my first time contributing a feature to PHP, and from reading
the wiki an RFC was the method to introduce new features.

Off-topic, I also want to later add string-based instead of file-based
openssl_pkcs7_* functions. Do I need to create an RFC for it?

-- 
Jelle van der Waa
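An added example (not code from the thread or from php-src) showing how the two proposed additions fit together to recover the certificate chain needed for the OCSP check the proposal motivates. It assumes the parameter order quoted above, nullable optional parameters as in current PHP, and placeholder file names.

```php
<?php
// Added example, not from the RFC thread or php-src. Uses the proposed 7th
// parameter of openssl_pkcs7_verify() (where the PKCS7 blob is written) and
// the proposed openssl_pkcs7_read() (PEM certificates in that blob).
// Assumes nullable optional parameters; file names are placeholders.

// Returns the certificates shipped with a signed S/MIME message, keyed by
// subject, with the issuer CN and the OCSP responder URI for each.
function extractSmimeChain(string $signedEmail, string $pkcs7Out): array
{
    // PKCS7_NOVERIFY (as in the thread) skips chain validation: the blob is
    // extracted from any well-formed signature, so the certificates below
    // are untrusted input until the chain and OCSP status are checked.
    $ok = openssl_pkcs7_verify(
        $signedEmail, PKCS7_NOVERIFY,
        null,        // no signer-certificate output file needed
        [],          // no CA bundle: we only want the embedded chain
        null, null,
        $pkcs7Out    // proposed parameter: where the PKCS7 blob is written
    );
    if ($ok !== true) {   // false = bad signature, -1 = error
        throw new RuntimeException('PKCS7 extraction failed: ' . openssl_error_string());
    }

    $certs = [];
    if (!openssl_pkcs7_read($pkcs7Out, $certs)) {
        throw new RuntimeException('Cannot parse PKCS7 blob: ' . openssl_error_string());
    }

    $chain = [];
    foreach ($certs as $pem) {
        $info = openssl_x509_parse($pem);
        if ($info === false) {
            continue;
        }
        // Authority Information Access lists the OCSP responder; a self-signed
        // root carries none, so the value may stay null.
        $aia  = $info['extensions']['authorityInfoAccess'] ?? '';
        $ocsp = preg_match('/OCSP - URI:(\S+)/', $aia, $m) ? $m[1] : null;
        $chain[$info['name']] = [
            'pem'      => $pem,
            'issuerCN' => $info['issuer']['CN'] ?? '',
            'ocsp'     => $ocsp,
        ];
    }
    return $chain;
}

foreach (extractSmimeChain('signed_email.eml', 'chain.pk7') as $subject => $c) {
    printf("%s\n  issuer CN: %s\n  OCSP: %s\n", $subject, $c['issuerCN'], $c['ocsp'] ?? 'none');
}
```

The returned PEM strings are what a PHP-side OCSP request needs (issuer certificate plus responder URI); nothing here asserts trust in them.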