The php Function OpenSSL_X509_Parse

The php function openssl_x509_parse is used for parsing the certificate data from x509certdata. A small helper function is also provided for converting the time stamps from the x509certdata to integer timestamp values.

A memory corruption flaw was discovered in the way the openssl_x509_parse() function of the PHP OpenSSL extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious or self-signed certificate to a PHP application that calls openssl_x509_parse() and cause it to crash or execute arbitrary code with the privileges of the user running the web server.

This issue was caused by the fact that the parser within this helper function uses asn1_time_to_time_t() to convert timestamps from ASN1 string format into integer timestamp values - this function is not binary safe and can be tricked to write up to five NUL bytes outside of an allocated buffer - depending on how openssl_x509_parse() is used inside a web application this may result in a crash or arbitrary code execution. The flaw has been fixed in PHP 5.4.23 and later, but it can be triggered by a malicious certificate signed by a compromised/malicious CA or can be carried out with a self-signed certificate.

openssl_x509_parse() returns information about the supplied x509cert - fields such as subject name, issuer name, purposes, valid from and valid to dates etc are indexed here. The option shortnames controls how the fields are indexed - if this is TRUE then the fields will be indexed in their short form, otherwise the long name (e.g. CN) will be used - the structure of this returned data is (deliberately) not yet documented, as it is still subject to change.

Andreas Behr - CTO of DesertCoderz
You are a developer and looking for Shopware projects?
Apply Now!

openssl_x509_parse example


    public static function verify_ssl_certificate( $stream$host ) {
        $context_options = stream_context_get_options( $stream );

        if ( empty( $context_options['ssl']['peer_certificate'] ) ) {
            return false;
        }

        $cert = openssl_x509_parse( $context_options['ssl']['peer_certificate'] );
        if ( ! $cert ) {
            return false;
        }

        /* * If the request is being made to an IP address, we'll validate against IP fields * in the cert (if they exist) */
        $host_type = ( WP_Http::is_ip_address( $host ) ? 'ip' : 'dns' );

        $certificate_hostnames = array();
        

    public function verify_certificate_from_context($host$context) {
        $meta = stream_context_get_options($context);

        // If we don't have SSL options, then we couldn't make the connection at         // all         if (empty($meta) || empty($meta['ssl']) || empty($meta['ssl']['peer_certificate'])) {
            throw new Exception(rtrim($this->connect_error), 'ssl.connect_error');
        }

        $cert = openssl_x509_parse($meta['ssl']['peer_certificate']);

        return Ssl::verify_certificate($host$cert);
    }

    /** * Self-test whether the transport can be used. * * The available capabilities to test for can be found in {@see \WpOrg\Requests\Capability}. * * @codeCoverageIgnore * @param array<string, bool> $capabilities Optional. Associative array of capabilities to test against, i.e. `['<capability>' => true]`. * @return bool Whether the transport can be used. */
$a['trueColor'] = imageistruecolor($gd);

        return $a;
    }

    /** * @return array */
    public static function castOpensslX509($h, array $a, Stub $stub, bool $isNested)
    {
        $stub->cut = -1;
        $info = openssl_x509_parse($h, false);

        $pin = openssl_pkey_get_public($h);
        $pin = openssl_pkey_get_details($pin)['key'];
        $pin = \array_slice(explode("\n", $pin), 1, -2);
        $pin = base64_decode(implode('', $pin));
        $pin = base64_encode(hash('sha256', $pin, true));

        $a += [
            'subject' => new EnumStub(array_intersect_key($info['subject']['organizationName' => true, 'commonName' => true])),
            'issuer' => new EnumStub(array_intersect_key($info['issuer']['organizationName' => true, 'commonName' => true])),
            'expiry' => new ConstStub(date(\DateTimeInterface::ISO8601, $info['validTo_time_t'])$info['validTo_time_t']),
            
$a['trueColor'] = imageistruecolor($gd);

        return $a;
    }

    /** * @return array */
    public static function castOpensslX509($h, array $a, Stub $stub, bool $isNested)
    {
        $stub->cut = -1;
        $info = openssl_x509_parse($h, false);

        $pin = openssl_pkey_get_public($h);
        $pin = openssl_pkey_get_details($pin)['key'];
        $pin = \array_slice(explode("\n", $pin), 1, -2);
        $pin = base64_decode(implode('', $pin));
        $pin = base64_encode(hash('sha256', $pin, true));

        $a += [
            'subject' => new EnumStub(array_intersect_key($info['subject']['organizationName' => true, 'commonName' => true])),
            'issuer' => new EnumStub(array_intersect_key($info['issuer']['organizationName' => true, 'commonName' => true])),
            'expiry' => new ConstStub(date(\DateTimeInterface::ISO8601, $info['validTo_time_t'])$info['validTo_time_t']),
            
Home | Imprint | This part of the site doesn't use cookies.