Bug #12327

closed

PHP Error using CRL with intermediate CA

Added by Asier Carreño over 2 years ago. Updated over 2 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: Certificates
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version:
Affected Architecture:

Description

Hi,

My CA is composed of an intermediate + RootCA. When I try to revoke a cert, it raises a PHP error like the following:

PHP Errors:
[01-Jun-2021 11:17:53 Etc/UTC] PHP Fatal error:  Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
Stack trace:
#0 /usr/local/share/openssl_x509_crl/X509_CRL.php(98): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('')
#1 /etc/inc/certs.inc(1044): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #33, false)
#2 /etc/inc/certs.inc(1074): crl_update(Array)
#3 /usr/local/www/system_crlmanager.php(153): cert_revoke(Array, Array, '-1')
#4 {main} thrown in /usr/local/share/openssl_x509_crl/X509_CERT.php on line 56

Apparently the problem is the pem2der function in /usr/local/share/openssl_x509_crl/X509_CRL.php.
This function doesn't expect a CA + intermediate PEM file. The regexp only matches if there is a single BEGIN/END block:

        /** 
         * Convert certificate data from PEM format to DER
         *
         * @param string $pem data in PEM format
         * @return false|string data in DER format
         */
        public static function pem2der($pem) {
            $matches = array();
            if (!preg_match('~^-----BEGIN ([A-Z0-9 ]+)-----\s*?([A-Za-z0-9+=/\r\n]+)\s*?-----END \1-----\s*$~D', $pem, $matches))
                return false;
            $pem_filtr = str_replace(array("\r", "\n"), array('', ''), $matches[2]);

            $derData = base64_decode($pem_filtr);
            return $derData;
        }

For the moment I have solved it by changing the regexp like this:
if (!preg_match('~^-----BEGIN ([A-Z0-9 ]+)-----\s*?([A-Za-z0-9+=/\r\n]+)\s*?-----END \1-----~D', $pem, $matches))

Let me know if you need more info.

Regards

#1

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Not a Bug

That isn't our code but a library we include (php74-openssl_x509_crl-1.3) -- you could report it upstream at https://github.com/ukrbublik/openssl_x509_crl

That said, you should not have two certificates in one entry like that. Each component should be imported separately (root first, then intermediate(s)).

Even so, I suspect you'll hit this bug in OpenSSL: https://redmine.pfsense.org/issues/9889
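The regex failure described in the report and the one-certificate-per-entry point in comment #1, shown as an added PHP example (not pfSense or openssl_x509_crl code): it runs the anchored regex quoted from the library against a constructed two-certificate bundle, then shows a bundle-aware splitter and a check that refuses bundles where a single CA certificate is expected. The function names pem2der_original, pem_bundle_to_der and single_certificate_der, the constant names and the sample certificates are assumptions made for this example; the PEM bodies are base64 of placeholder text, not real X.509 DER.

```php
<?php
// Added example, not code from pfSense or from the openssl_x509_crl library.
// Reproduces the reported pem2der() behaviour on a two-certificate bundle and
// shows a bundle-aware alternative. Sample certificates are constructed
// placeholders (valid base64, not real X.509 DER).

declare(strict_types=1);

// Regex as quoted in the report: anchored at both ends with the D modifier,
// so the whole input must be exactly one BEGIN/END block.
const PEM_SINGLE_BLOCK = '~^-----BEGIN ([A-Z0-9 ]+)-----\s*?([A-Za-z0-9+=/\r\n]+)\s*?-----END \1-----\s*$~D';

// Unanchored variant (hypothetical name) that finds every block in a bundle.
const PEM_ANY_BLOCK = '~-----BEGIN ([A-Z0-9 ]+)-----\s*?([A-Za-z0-9+=/\r\n]+)\s*?-----END \1-----~';

// Same logic as the library function quoted in the report: false on a bundle.
function pem2der_original(string $pem)
{
    if (!preg_match(PEM_SINGLE_BLOCK, $pem, $m)) {
        return false;
    }
    return base64_decode(str_replace(["\r", "\n"], '', $m[2]), true);
}

/**
 * Split a PEM bundle into its blocks. Returns a list of [label, der] pairs.
 * Strict base64 decoding rejects a corrupted body instead of returning garbage.
 */
function pem_bundle_to_der(string $pem): array
{
    $out = [];
    if (!preg_match_all(PEM_ANY_BLOCK, $pem, $all, PREG_SET_ORDER)) {
        return $out;
    }
    foreach ($all as $m) {
        $der = base64_decode(str_replace(["\r", "\n"], '', $m[2]), true);
        if ($der === false) {
            throw new InvalidArgumentException("Malformed base64 in {$m[1]} block");
        }
        $out[] = [$m[1], $der];
    }
    return $out;
}

// A CRL is issued against exactly one CA certificate, so refuse bundles here
// and point the caller at importing root and intermediate(s) separately.
function single_certificate_der(string $pem): string
{
    $certs = array_values(array_filter(
        pem_bundle_to_der($pem),
        fn(array $b): bool => $b[0] === 'CERTIFICATE'
    ));
    $n = count($certs);
    if ($n !== 1) {
        throw new InvalidArgumentException(
            "Expected one CERTIFICATE block, found $n; import root and intermediate(s) as separate entries"
        );
    }
    return $certs[0][1];
}

// Constructed sample data: one block each, then the concatenation the report describes.
function sample_pem(string $body): string
{
    return "-----BEGIN CERTIFICATE-----\n"
        . chunk_split(base64_encode($body), 64, "\n")
        . "-----END CERTIFICATE-----\n";
}

$root = sample_pem('root ca placeholder');
$intermediate = sample_pem('intermediate ca placeholder');
$bundle = $root . $intermediate;

// Self-checking demo: throws if the behaviour differs from what the report describes.
if (pem2der_original($root) === false) {
    throw new RuntimeException('single block should decode with the anchored regex');
}
if (pem2der_original($bundle) !== false) {
    throw new RuntimeException('anchored regex should reject a two-block bundle');
}
if (count(pem_bundle_to_der($bundle)) !== 2) {
    throw new RuntimeException('bundle-aware splitter should find both blocks');
}
try {
    single_certificate_der($bundle);
    throw new RuntimeException('bundle should have been refused');
} catch (InvalidArgumentException $e) {
    echo "Refused bundle as expected: {$e->getMessage()}\n";
}
echo "Single entry decodes to ", strlen(single_certificate_der($root)), " bytes of DER\n";
```

The unanchored pattern only removes the failure mode; it does not make a bundle a valid input for CRL generation, which is why single_certificate_der refuses anything other than exactly one CERTIFICATE block rather than silently taking the first match.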
