php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #74022 PHP Fast CGI crashes when reading from a pfx file with valid password.
Submitted: 2017-01-31 13:13 UTC Modified: 2017-05-18 11:01 UTC
From: ckmailid at gmail dot com Assigned: ab (profile)
Status: Closed Package: OpenSSL related
PHP Version: 7.0.15 OS: Windows 10
Private report: No CVE-ID: None
View Developer Edit
 [2017-01-31 13:13 UTC] ckmailid at gmail dot com 
Description:
------------
PHP process crashes when i use a pfx file to read using function openssl_pkcs12_read with valid password.
But it gives error if password is wrong, that is working fine. 

That pfx file is working well with openssl command line utility

Environment :

PHP : 7 .0.9
OS: windows 10
Server: IIS, Using Fast CGI
certificate : It is specially exported certificate from windows. when a highly secure certificate is exported , it asks for login user password,  and after 4 attempt with wrong password it export the certificate even after wrong password.
You can do it by import a pfx file that with enabling strong private key encrypting checkbox on wizard and after finish set security level HIGH.

I tried it on linux with gdb, it shows Segmentation fault (core dumped).


Test script:
---------------
if (!$cert_store = file_get_contents("sample_export.pfx")) {
    echo "Error: Unable to read the cert file\n";
    exit;
}

if (openssl_pkcs12_read($cert_store, $cert_info, "csos")) {
    echo "Certificate Information\n";
    print_r($cert_info);
} else {
    echo "Error: Unable to read the cert store.\n";
    exit;
}


Expected result:
----------------
it will crash the PHP process.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-01-31 13:48 UTC] [email protected]
-Status: Open +Status: Feedback
 [2017-01-31 13:48 UTC] [email protected] 
Thanks for the report. Could you provide the backtrace? Also, were it possible to get some .pfx file for debugging? If not your exact file, then any that reproduces.

Thanks.
 [2017-02-01 06:50 UTC] ckmailid at gmail dot com
-Status: Feedback +Status: Open
 [2017-02-01 06:50 UTC] ckmailid at gmail dot com 
Hi, i generate a sample key and made a sample pfx file that can reproduce but i didn't find any option to attach a file. I am afraid but can you please guide me where to upload sample pfx file.
 [2017-02-01 12:55 UTC] [email protected] 
This tracker doesn't allow file uploads except patches, but that's not the case for the purpose. If there are text files only, please gist them somewhere and post a link. Otherwise, probably no way around than sharing them through dropbox or a similar service.

Thanks.
 [2017-02-01 13:01 UTC] ckmailid at gmail dot com 
Thanks for the suggestion,

please use the following link to get the file
 
https://drive.google.com/file/d/0Bzazdkn-4vEOTk5VYW8wUTM1LXM/view?usp=sharing

let me know in case of any difficulties.
 [2017-02-02 12:09 UTC] [email protected] 
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6fc0ae638acd2a66a4181078f4ac5d789762d9de
Log: Fixed #74022 PHP Fast CGI crashes when reading from a pfx file.
 [2017-02-02 12:09 UTC] [email protected]
-Status: Open +Status: Closed
 [2017-05-17 06:55 UTC] falundir at gmail dot com 
Probably this is the fix that broke openssl_pkcs12_read - starting from PHP 7.0.17 and 7.1.3 this function returns only one certificate in 'extracerts', even when there are more than one.

See here: https://3v4l.org/r3brq
 [2017-05-17 07:45 UTC] falundir at gmail dot com 
Looking at the diff, I think that sk_X509_num(ca) should be evaluated before the for-loop, because sk_X509_pop probably changes the sk_X509_num result.
 [2017-05-17 09:56 UTC] falundir at gmail dot com 
I've confirmed this suspicion. Following patch (against 7.1.5) fixes the problem:

@@ -2972,11 +2972,9 @@ PHP_FUNCTION(openssl_pkcs12_read)
 		}
 
 		if (ca && sk_X509_num(ca)) {
-			int num;
 			array_init(&zextracerts);
 
-			num = sk_X509_num(ca);
-			for (i = 0; i < num; i++) {
+			for (i = 0; i < sk_X509_num(ca); i++) {
 				zval zextracert;
 				X509* aCA = sk_X509_pop(ca);
 				if (!aCA) break;
 [2017-05-18 11:01 UTC] [email protected]
-Assigned To: +Assigned To: ab
 [2017-05-18 11:01 UTC] [email protected] 
Thanks for the ping. Fixed in 464c1639ae544e3952823caf169d2e4199a32fc3, please check the current 7.0+ snapshots.

Thanks.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sun Jun 08 21:01:27 2025 UTC