Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:99424
Return-Path: <jelle@vdwaa.nl>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 3898 invoked from network); 7 Jun 2017 12:54:57 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 7 Jun 2017 12:54:57 -0000
Authentication-Results: pb1.pair.com smtp.mail=jelle@vdwaa.nl; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=jelle@vdwaa.nl; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain vdwaa.nl from 74.125.82.52 cause and error)
X-PHP-List-Original-Sender: jelle@vdwaa.nl
X-Host-Fingerprint: 74.125.82.52 mail-wm0-f52.google.com  
Received: from [74.125.82.52] ([74.125.82.52:38379] helo=mail-wm0-f52.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 05/3A-27119-0A7F7395 for <internals@lists.php.net>; Wed, 07 Jun 2017 08:54:57 -0400
Received: by mail-wm0-f52.google.com with SMTP id n195so10561819wmg.1
        for <internals@lists.php.net>; Wed, 07 Jun 2017 05:54:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=vdwaa-nl.20150623.gappssmtp.com; s=20150623;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=iP5TggptAYhAKNAasgawWeGHrHygk1+BId+Y8DpmKn8=;
        b=s7lw19RSA7Q7LTbClBm9VSmJD+ZdhOVZcDwB8XmvBeO5v89EnW1zFoZqHJ1PRnlWz+
         Kx7a+eP/E7rWMHgD4sCnpMM2k31knVwqPtvJ7zB59P2a2ncuhKTlkddgLHPmXz51H5I5
         fltYL+RIVNiVk3oNZfyAXb0oTtTpoAK02DTNFwWWrSzCqLTbgYCjxmYu4/Hdxhj5TAXm
         wHK0r9Nz3Q9QMJKQ9g+lMHqZ4B2DCrJUAB/cef0Jt+EtmxmvvqqD4sLj0KMzdNjyjpOw
         tbmXMxZEV3RmAsS92WB3AKHZ7ORNXhauiExhxo5bNiEdgeEVtIAn6V48KFSA+VSTxAq3
         MqnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=iP5TggptAYhAKNAasgawWeGHrHygk1+BId+Y8DpmKn8=;
        b=EM4V6gCx2p9nWGdB+vSUNL0aAv17AY7YMxBfbU4QIVDdY95cQPfiUy8gDdK2bU0wCM
         FZXFUH/cnrTNJQdEDGGnNfPqZZC5PsaSVB8JViWRkLIQ3dpo2uG1phdCpVbxbCBF+ZCp
         oawrP4zx5Gw2Knvn/QACqcu5/ubYgvFbeHjfXPCzfnXX6w01l57kCFc+UgP1lv5Oc1Ga
         5ymzND3EeQqthiArHDlnlQtgArwAnSEKPW40uH6htJx+modma647xAIJY4pAav33BZIZ
         YbvJV2+qLR1KTaEeD9T/3XTHpVHbC/u5x2Dx3TVtwwiyOTq+wd0DOoVdIaev2EgPVEn3
         S7Uw==
X-Gm-Message-State: AODbwcBIzfcIlWkIgRgotTSicedQk84BL6PgJznPxYUtVSK3wt+qzm34
	SX7Z3exJLewMPSm1i7Bcvw==
X-Received: by 10.80.139.249 with SMTP id n54mr20455842edn.71.1496840093055;
        Wed, 07 Jun 2017 05:54:53 -0700 (PDT)
Received: from gmail.com (D57D69B2.static.ziggozakelijk.nl. [213.125.105.178])
        by smtp.gmail.com with ESMTPSA id s40sm899414edd.21.2017.06.07.05.54.51
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Wed, 07 Jun 2017 05:54:51 -0700 (PDT)
Date: Wed, 7 Jun 2017 14:54:51 +0200
To: Jakub Zelenka <bukka@php.net>
Cc: php-internals <internals@lists.php.net>
Message-ID: <20170607125449.GA9868@gmail.com>
References: <20170531101952.GB26690@gmail.com>
 <CAEKnhAF-NnxvwmgVzZuKitKZJu1cUTK+9dKzuido22s373m73w@mail.gmail.com>
 <20170604182219.GA6723@gmail.com>
 <CAEKnhAG=i0DKfa8E9cfFqE2DoO8p08WcYkm00+Z=ib5fEfGsig@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAEKnhAG=i0DKfa8E9cfFqE2DoO8p08WcYkm00+Z=ib5fEfGsig@mail.gmail.com>
User-Agent: Mutt/1.8.3 (2017-05-23)
Subject: Re: [PHP-DEV] [RFC] Add openssl_pkcs7_read and extend
 openssl_pkcs7_verify
From: jelle@vdwaa.nl (Jelle van der Waa)

On 06/04/17 at 08:02pm, Jakub Zelenka wrote:
> On Sun, Jun 4, 2017 at 7:22 PM, Jelle van der Waa <jelle@vdwaa.nl> wrote:
> 
> > On 06/04/17 at 07:00pm, Jakub Zelenka wrote:
> > > On Wed, May 31, 2017 at 11:19 AM, Jelle van der Waa <jelle@vdwaa.nl>
> > wrote:
> > >
> > > > I would like to propose the addition of openssl_pkcs7_read and
> > extending
> > > > openssl_pkcs7_verify to also return a PKCS7 structure. The reasoning
> > for
> > > > the addition of these functions is the requirement at work to obtain
> > the
> > > > CA certificates usually send along with a signed email. The CA
> > > > certificates are required for OCSP verification (which is currently
> > done
> > > > in pure PHP, I also would like to see this added in PHP in the future).
> > > >
> > > > It is currently impossible to acquire the CA certificates with the
> > > > openssl functions which PHP provides, I've also found a bug report
> > > > requesting the ability to read a PKCS7 blob. [1]
> > > >
> > > > To summarize, I would propose to add an optional parameter to
> > > > openssl_pkcs7_verify which takes a string that defines the location
> > > > where the PKCS7 blob should be stored.
> > > >
> > > > $pkcs7 = "chain.pk7";
> > > > openssl_pkcs7_verify($file, PKCS7_NOVERIFY, $outfile, [], $outfile,
> > > > $content, $pkcs7);
> > > >
> > > > To be able to read the blob, I would propose a new function
> > > > openssl_pkcs7_read which returns an array of strings containing the PEM
> > > > certificates in the PKCS7 blob. I've based the naming and behaviour on
> > > > openssl_pkcs12_read.
> > > >
> > > > openssl_pkcs7_read($pkcs7, $data);
> > > > var_dump($data);
> > > >
> > > > I've implemented the above mentioned changes in my fork of PHP, mind
> > > > that the code isn't ready for a PR yet since there are some styling
> > > > issues, possible memory leaks and of course missing tests. The code
> > > > however works as a proof of concept. [2]
> > > >
> > > > For further background information, obtaining the pk7 output can be
> > done
> > > > with the 'openssl' tool:
> > > >
> > > > openssl smime -verify -pk7out  -in signed_email.eml  > foo.pkcs7
> > > > openssl pkcs7 -print_certs -in foo.pkcs7
> > > >
> > > >
> > > It seems reasonable from the quick look.
> > >
> > > I don't think we need RFC unless there are some objections. Once it's
> > > ready, PR should be enough IMHO.
> >
> > Thanks, this is my first contributing a feature to PHP and from reading
> > the wiki an RFC was the method to introduce new features.
> >
> > Offtopic, I also want to later add string based instead of file based
> > openssl_pkcs7_* functions. Do I need to create an RFC for it?
> >
> >
> First of all, it's really great that you contribute to this so thanks!

No problem, we've so far build our application with S/MIME support on
PHP and it worked so far :-)

> I think that for changes like this, it's best to first open PR. When the PR
> is ready and all issues resolved, then it should be announced on this
> mailing list and then see if there are no objections. If there are not, it
> should be fine to merge it IMHO. Otherwise if there is no agreement, it
> probably needs RFC. :) I think that RFC makes sense either when the feature
> is complex or when people are not in agreement about it.

Ok, I'm open to feedback! I've opened the PR https://github.com/php/php-src/pull/2563

Another thing I would want to work on is making the openssl_pkcs7_*
functions in memory instead of file based. This would increase the
security concerns since that means it won't save plaintext temporarily to
file. 

An attempt for that has been made in a PR, but was closed. Is the PR on
the right 'track' or can the current functions change to accept either a
string or a filename? (I'm not 100% if PHP internals allow that) or if
it's really wanted. [1]

[1] https://github.com/php/php-src/pull/560

-- 
Jelle van der Waa