authorBen Scholzen (DASPRiD) <mail@dasprids.de>2018-10-20 02:19:09 +0200
committerPeter Kokot <peterkokot@gmail.com>2018-11-14 21:40:34 +0100
commitee939b70d316fba104a2d41b72b2c17ac711be6c (patch)
tree21eb23939f403175c9052d7ae73b7f1c9e6a3c4c
parent22889c94d1666646002ff67b5464fa276e1af7f4 (diff)
downloadphp-git-ee939b70d316fba104a2d41b72b2c17ac711be6c.tar.gz
Add openssl_x509_verify() function
This patch introduces a wrapper around OpenSSL's X509_verify() function.
-rw-r--r--ext/openssl/openssl.c46
-rw-r--r--ext/openssl/php_openssl.h1
-rw-r--r--ext/openssl/tests/openssl_x509_verify.phpt32
-rw-r--r--ext/openssl/tests/public_rsa_2048.key9
4 files changed, 88 insertions, 0 deletions
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 89c84b42e4..7fcab17ed6 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -153,6 +153,11 @@ ZEND_BEGIN_ARG_INFO(arginfo_openssl_x509_check_private_key, 0)
ZEND_ARG_INFO(0, key)
ZEND_END_ARG_INFO()
+ZEND_BEGIN_ARG_INFO(arginfo_openssl_x509_verify, 0)
+ ZEND_ARG_INFO(0, cert)
+ ZEND_ARG_INFO(0, key)
+ZEND_END_ARG_INFO()
+
ZEND_BEGIN_ARG_INFO_EX(arginfo_openssl_x509_parse, 0, 0, 1)
ZEND_ARG_INFO(0, x509)
ZEND_ARG_INFO(0, shortname)
@@ -492,6 +497,7 @@ static const zend_function_entry openssl_functions[] = {
PHP_FE(openssl_x509_parse, arginfo_openssl_x509_parse)
PHP_FE(openssl_x509_checkpurpose, arginfo_openssl_x509_checkpurpose)
PHP_FE(openssl_x509_check_private_key, arginfo_openssl_x509_check_private_key)
+ PHP_FE(openssl_x509_verify, arginfo_openssl_x509_verify)
PHP_FE(openssl_x509_export, arginfo_openssl_x509_export)
PHP_FE(openssl_x509_fingerprint, arginfo_openssl_x509_fingerprint)
PHP_FE(openssl_x509_export_to_file, arginfo_openssl_x509_export_to_file)
@@ -2224,6 +2230,46 @@ PHP_FUNCTION(openssl_x509_check_private_key)
}
/* }}} */
+/* {{{ proto int openssl_x509_verify(mixed cert, mixed key)
+ Verifies the signature of certificate cert using public key key */
+PHP_FUNCTION(openssl_x509_verify)
+{
+ zval * zcert, *zkey;
+ X509 * cert = NULL;
+ EVP_PKEY * key = NULL;
+ zend_resource *keyresource = NULL;
+ int err = -1;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "zz", &zcert, &zkey) == FAILURE) {
+ return;
+ }
+ cert = php_openssl_x509_from_zval(zcert, 0, NULL);
+ if (cert == NULL) {
+ RETURN_LONG(err);
+ }
+ key = php_openssl_evp_from_zval(zkey, 1, NULL, 0, 0, &keyresource);
+ if (key == NULL) {
+ X509_free(cert);
+ RETURN_LONG(err);
+ }
+
+ err = X509_verify(cert, key);
+
+ if (err < 0) {
+ php_openssl_store_errors();
+ }
+
+ if (keyresource == NULL && key) {
+ EVP_PKEY_free(key);
+ }
+ if (Z_TYPE_P(zcert) != IS_RESOURCE) {
+ X509_free(cert);
+ }
+
+ RETURN_LONG(err);
+}
+/* }}} */
+
/* Special handling of subjectAltName, see CVE-2013-4073
* Christian Heimes
*/
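Review bot: The key-load failure path calls `X509_free(cert);` unconditionally, while the normal exit a few lines below frees the certificate only when `Z_TYPE_P(zcert) != IS_RESOURCE`. If php_openssl_x509_from_zval returns the X509 owned by an existing resource (which is what the guarded free at the end implies), a call such as `openssl_x509_verify(openssl_x509_read($a), "")` would free that object while the resource still references it, leaving a dangling pointer and a double free when the resource is later destroyed. The failure path should use the same guard: `if (Z_TYPE_P(zcert) != IS_RESOURCE) { X509_free(cert); }`. The new test in ext/openssl/tests/openssl_x509_verify.phpt never combines a resource certificate with an unparsable key, so adding that case would exercise this path. Separately, `php_openssl_store_errors()` runs only for `err < 0`, yet X509_verify() may also queue OpenSSL errors when it returns 0 (signature mismatch); draining the queue for any `err != 1` would keep stale entries from surfacing in later calls, and the proto comment should state the contract explicitly, e.g. `Returns 1 on a valid signature, 0 on mismatch, -1 when cert or key cannot be loaded or verification errors out`.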
diff --git a/ext/openssl/php_openssl.h b/ext/openssl/php_openssl.h
index b9026a503d..abe358fe67 100644
--- a/ext/openssl/php_openssl.h
+++ b/ext/openssl/php_openssl.h
@@ -127,6 +127,7 @@ PHP_FUNCTION(openssl_x509_export);
PHP_FUNCTION(openssl_x509_fingerprint);
PHP_FUNCTION(openssl_x509_export_to_file);
PHP_FUNCTION(openssl_x509_check_private_key);
+PHP_FUNCTION(openssl_x509_verify);
PHP_FUNCTION(openssl_pkcs12_export);
PHP_FUNCTION(openssl_pkcs12_export_to_file);
diff --git a/ext/openssl/tests/openssl_x509_verify.phpt b/ext/openssl/tests/openssl_x509_verify.phpt
new file mode 100644
index 0000000000..293c004b90
--- /dev/null
+++ b/ext/openssl/tests/openssl_x509_verify.phpt
@@ -0,0 +1,32 @@
+--TEST--
+openssl_x509_verify() tests
+--SKIPIF--
+<?php if (!extension_loaded("openssl")) print "skip"; ?>
+--FILE--
+<?php
+$fp = fopen(dirname(__FILE__) . "/cert.crt","r");
+$a = fread($fp, 8192);
+fclose($fp);
+
+$fp = fopen(dirname(__FILE__) . "/public.key","r");
+$b = fread($fp, 8192);
+fclose($fp);
+
+$cert = "file://" . dirname(__FILE__) . "/cert.crt";
+$key = "file://" . dirname(__FILE__) . "/public.key";
+$wrongKey = "file://" . dirname(__FILE__) . "/public_rsa_2048.key";
+
+var_dump(openssl_x509_verify($cert, $key));
+var_dump(openssl_x509_verify("", $key));
+var_dump(openssl_x509_verify($cert, ""));
+var_dump(openssl_x509_verify("", ""));
+var_dump(openssl_x509_verify(openssl_x509_read($a), $b));
+var_dump(openssl_x509_verify($cert, $wrongKey));
+?>
+--EXPECT--
+int(1)
+int(-1)
+int(-1)
+int(-1)
+int(1)
+int(0)
diff --git a/ext/openssl/tests/public_rsa_2048.key b/ext/openssl/tests/public_rsa_2048.key
new file mode 100644
index 0000000000..de3bc9e701
--- /dev/null
+++ b/ext/openssl/tests/public_rsa_2048.key
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArbUmVW1Y+rJzZRC3DYB0
+kdIgvk7MAday78ybGPPDhVlbAb4CjWbaPs4nyUCTEt9KVG0H7pXHxDbWSsC2974z
+dvqlP0L2op1/M2SteTcGCBOdwGH2jORVAZL8/WbTOf9IpKAM77oN14scsyOlQBJq
+hh+xrLg8ksB2dOos54yDqo0Tq7R5tldV+alKZXWlJnqRCfFuxvqtfWI5nGTAedVZ
+hvjQfLQQgujfXHoFWoGbXn2buzfwKGJEeqWPbQOZF/FeOJPlgOBhhDb3BAFNVCtM
+3k71Rblj54pNd3yvq152xsgFd0o3s15fuSwZgerUjeEuw/wTK9k7vyp+MrIQHQmP
+dQIDAQAB
+-----END PUBLIC KEY-----