Hi!
Dunno if this is the right place to ask, but I'll give it a try anyway. If
I'm misguided, please feel free to point me in the right direction!
Attached is a patch which adds a 6th option to openssl_pkcs7_verify,
which should be a string and point to a file where the contents of the
signed message should be saved.
[I believe this patch also fixes a minor safe-mode related bug]
I've tried this on FreeBSD 4.11 / php-5.0.4 / OpenSSL 0.9.7d, so the
patch is against openssl.c,v 1.89.2.6, but should apply against HEAD also.
This seems to work correctly with messages created with openssl and
CAPICOM (The M$ PKI library.)
Cheers,
m.
What's the difference between the data you save and the data that's
read in? In other words, how is this different from copying the file
from one place to another; why would you use it?
--Wez.
--- ext/openssl/openssl.c.orig Tue Mar 15 01:29:36 2005
+++ ext/openssl/openssl.c Thu Jun 16 14:01:07 2005
@@ -2152,7 +2152,7 @@/* {{{ PKCS7 S/MIME functions */
-/* {{{ proto bool openssl_pkcs7_verify(string filename, long flags [, string signerscerts [, array cainfo [, string extracerts]]])
+/* {{{ proto bool openssl_pkcs7_verify(string filename, long flags [, string signerscerts [, array cainfo [, string extracerts [, string content]]]])
Verifys that the data block is intact, the signer is who they say they are, and returns the CERTs of the signers */
PHP_FUNCTION(openssl_pkcs7_verify)
{
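Review bot: the proto line gains `[, string content]` but the description underneath it is unchanged and still says only that the function verifies the block and returns the signers' certs; add a sentence stating that when `content` is given the verified payload (the data without its signature) is written to that path, and what the caller should expect at that path when verification fails. While touching the comment, the unchanged `Verifys` could become `Verifies`.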
@@ -2161,17 +2161,18 @@
STACK_OF(X509) *signers= NULL;
STACK_OF(X509) *others = NULL;
PKCS7 * p7 = NULL;
BIO * in = NULL, * datain = NULL;
BIO * in = NULL, * datain = NULL, * dataout = NULL; long flags = 0; char * filename; int filename_len; char * extracerts = NULL; int extracerts_len; char * signersfilename = NULL; int signersfilename_len;
char * datafilename = NULL; int datafilename_len; RETVAL_LONG(-1);
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl|sas", &filename, &filename_len,
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl|sass", &filename, &filename_len, &flags, &signersfilename, &signersfilename_len, &cainfo,
&extracerts, &extracerts_len) == FAILURE) {
&extracerts, &extracerts_len, &datafilename, &datafilename_len) == FAILURE) { return; }
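Review bot: `"sl|sass"` accepts an empty string for the new argument, which leaves `datafilename` non-NULL pointing at `""`; `BIO_new_file("")` then fails and the function falls through to `clean_exit` with the `-1` set by `RETVAL_LONG(-1)`, so `openssl_pkcs7_verify($f, $flags, null, $ca, null, "")` reports an error rather than "no output requested". Either document that or treat `datafilename_len == 0` as not supplied. Separately, the path is parsed with `s` and passed on as a C string, so a value with an embedded NUL is silently truncated before both the safe-mode check and the open; a `strlen(datafilename) == datafilename_len` check would reject those.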
@@ -2204,18 +2205,30 @@
#endif
goto clean_exit;
}
if (datafilename) {
if (php_openssl_safe_mode_chk(datafilename TSRMLS_CC)) {
goto clean_exit;
}
dataout = BIO_new_file(datafilename, "w");
if (dataout == NULL) {
goto clean_exit;
}
}
#if DEBUG_SMIME
zend_printf("Calling PKCS7 verify\n");
#endif
if (PKCS7_verify(p7, others, store, datain, NULL, flags)) {
if (PKCS7_verify(p7, others, store, datain, dataout, flags)) { RETVAL_TRUE; if (signersfilename) { BIO *certout;
if (php_openssl_safe_mode_chk(filename TSRMLS_CC)) {
if (php_openssl_safe_mode_chk(signersfilename TSRMLS_CC)) { goto clean_exit; }
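Review bot: `dataout` is created with `BIO_new_file(datafilename, "w")` before `PKCS7_verify()` runs, and OpenSSL writes the content into the output BIO while it is still reading the message, before the signature check completes, so when verification fails the caller is left with a file at `datafilename` containing unverified data. Either collect the content in a memory BIO and write the file only on the `RETVAL_TRUE` path, or unlink `datafilename` on the failure path, and say in the documentation that the file must be ignored unless the function returned true. Two smaller points: `"w"` is text mode on platforms where fopen distinguishes it, which will corrupt the binary payloads (zips) this argument exists for, so `"wb"` is the safer mode; and the change from `filename` to `signersfilename` in the safe-mode check is right, since the file being written there is the signers file, not the input.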
@@ -2242,6 +2255,7 @@
X509_STORE_free(store);
BIO_free(datain);
BIO_free(in);
BIO_free(dataout); PKCS7_free(p7); sk_X509_free(others);
}
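Review bot: `BIO_free(dataout)` is placed correctly before `PKCS7_free(p7)` and is safe when `dataout` is still NULL, but `clean_exit` is also the path taken when `PKCS7_verify()` returns 0 or an earlier step fails, and by then `datafilename` may already exist on disk with partial content. Since every path passes through here, this is the natural place for a cleanup that unlinks `datafilename` unless the function is returning true.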
Wez Furlong wrote:
What's the difference between the data you save and the data that's
read in? In other words, how is this different from copying the file
from one place to another; why would you use it?
--Wez.
The data you read in is a signed message (which can be in several
formats), that is, some data plus a signature. The data saved is
only the raw data without the signature. The data itself can be any
random binary string when using the PKCS7_BINARY flag. We use it to transfer
zip files between an ASP script and PHP.
m.
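The following is an added example, not part of the patch, of the thread, or of php-src. It shows how a script should use the sixth `content` argument described above: the payload written there is only trustworthy when `openssl_pkcs7_verify()` returns exactly `true`, so the example writes to a temp file, renames it into place on success, and deletes it otherwise. It targets PHP 8 with the openssl extension and a usable openssl.cnf (needed by `openssl_csr_new()`); the signer certificate, key, payload and the "tampered" message are all constructed on the fly for the demonstration, and `extract_verified_payload()`, `make_signed_sample()` and `run_demo()` are names chosen here.

```php
<?php
declare(strict_types=1);

// Added example, not from the patch or from php-src. Uses the 6th argument of
// openssl_pkcs7_verify() as the patch defines it: a path that receives the
// verified payload (data without the signature). Assumes PHP 8 + ext/openssl
// with an openssl.cnf that openssl_csr_new() can find.

/**
 * Verify a PKCS#7/S-MIME signed file against the CA files in $caInfo and,
 * only on success, place the extracted payload at $outFile.
 *
 * The payload goes to a temp file first: OpenSSL streams the content out
 * while it is still checking the signatures, so a file is produced even when
 * verification fails. It is removed in that case and renamed into place only
 * when the return value is exactly true (false = bad signature or chain,
 * -1 = error reading the message).
 */
function extract_verified_payload(string $signedFile, array $caInfo, string $outFile): bool
{
    $tmp = tempnam(dirname($outFile), 'p7v');
    if ($tmp === false) {
        return false;
    }
    // PKCS7_BINARY: no line-ending canonicalisation, the payload is opaque bytes.
    // No PKCS7_NOVERIFY: the signer must chain to a certificate in $caInfo.
    $rc = openssl_pkcs7_verify($signedFile, PKCS7_BINARY, null, $caInfo, null, $tmp);
    if ($rc !== true || !rename($tmp, $outFile)) {
        @unlink($tmp);
        return false;
    }
    return true;
}

/** Build a throwaway self-signed signer and an embedded-signature message in $dir. */
function make_signed_sample(string $dir, string $payload): array
{
    $key  = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    $csr  = $key ? openssl_csr_new(['commonName' => 'constructed test signer'], $key) : false;
    $cert = $csr ? openssl_csr_sign($csr, null, $key, 1) : false;
    if ($cert === false) {
        throw new RuntimeException('key/cert generation failed: ' . openssl_error_string());
    }
    openssl_x509_export_to_file($cert, "$dir/signer.pem");
    file_put_contents("$dir/payload.bin", $payload);
    // Embedded (not detached) signature, binary content, signer cert included in the message.
    if (!openssl_pkcs7_sign("$dir/payload.bin", "$dir/signed.p7s", $cert, $key, [], PKCS7_BINARY)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return ["$dir/signed.p7s", "$dir/signer.pem"];
}

/** Returns ['genuine' => bool, 'tampered_rejected' => bool]; both should be true. */
function run_demo(string $dir): array
{
    $payload = "PK\x03\x04" . random_bytes(64);            // constructed zip-like binary payload
    [$signed, $ca] = make_signed_sample($dir, $payload);

    // 1. Genuine message: verification succeeds and the payload round-trips byte for byte.
    $genuine = extract_verified_payload($signed, [$ca], "$dir/out.bin")
        && file_get_contents("$dir/out.bin") === $payload;

    // 2. Tampered message: change one base64 character in the body. Verification
    //    must fail and no output file may be left behind at the target path.
    $s = file_get_contents($signed);
    $i = strlen($s) >> 1;                                   // well past the MIME headers
    while (!ctype_alnum($s[$i])) {
        $i++;
    }
    $s[$i] = ($s[$i] === 'A') ? 'B' : 'A';
    file_put_contents("$dir/tampered.p7s", $s);
    $rejected = extract_verified_payload("$dir/tampered.p7s", [$ca], "$dir/out2.bin") === false
        && !file_exists("$dir/out2.bin");

    return ['genuine' => $genuine, 'tampered_rejected' => $rejected];
}

$dir = sys_get_temp_dir() . '/p7demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
var_dump(run_demo($dir));
```

The point of the temp-file-plus-rename shape is that nothing ever appears at the final path unless the signature and chain checked out; a consumer that polls for the output file (as the ASP-to-PHP transfer described above might) therefore cannot pick up an unverified payload.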
OK; can you make sure that the patch applies to HEAD, and then attach
it as a text attachment in an email and/or upload it to a www server,
and I'll apply it.
Thanks,
--Wez.