When checking with (a properly specified) $cainfo variable, does PHP's openssl_x509_checkpurpose() function take revocation into account when determining validity? The documentation for the API is somewhat lacking, leaving the verification process as something of a "black box" to a non-expert.
If it does, are the failed criteria considered errors that can be retrieved by calling openssl_error_string(), or do I have to do something else to find out why it's invalid?
If not, is there a function I'm missing that will let me pull the certificate in question from a "bundle" file, so that I can get the CRL from it and check manually?
(According to the accepted answer to another question, the check in C# does include revocation, but I've learned not to take anything for granted in PHP.)
UPDATE:
After some manual testing, it would appear that openssl_x509_checkpurpose() does not check for revocation. I suspect that part of this may be because I'm testing against a local demoCA, though, and the CA cert doesn't include any CRL info.
The test code:
$pemfile = "/home/dev/cert1.pem"; //"Good" certificate
$revfile = "/home/dev/cert2.pem"; //"Revoked" certificate
$cafile  = "/home/dev/local-ca.crt";

// openssl_error_string() returns one queued message per call (false when the
// queue is empty), so drain the whole queue after each check instead of reading
// a single entry.
function dump_ssl_errors($label) {
    while (($error = openssl_error_string()) !== false) {
        echo "SSL Error ($label): " . $error . "\n";
    }
}

$pemcert = openssl_x509_read(file_get_contents($pemfile));
$revcert = openssl_x509_read(file_get_contents($revfile));
if ($pemcert === false || $revcert === false) {
    dump_ssl_errors("x509_read");
    exit(1);
}

// openssl_x509_checkpurpose() returns true, false, or -1 on error
$pemcansign = openssl_x509_checkpurpose($pemcert, X509_PURPOSE_SMIME_SIGN, array($cafile));
dump_ssl_errors("good cert");
$revcansign = openssl_x509_checkpurpose($revcert, X509_PURPOSE_SMIME_SIGN, array($cafile));
dump_ssl_errors("revoked cert");

echo "PEM Key can " .
    ($pemcansign === true ? "" : "NOT ") .
    "be used for signing S/MIME (Result: $pemcansign)\n";
echo "Revoked PEM Key can " .
    ($revcansign === true ? "" : "NOT ") .
    "be used for signing S/MIME (Result: $revcansign)\n";
Still results in the output:
PEM Key can be used for signing S/MIME (Result: 1)
Revoked PEM Key can be used for signing S/MIME (Result: 1)
UPDATE 2:
After even more testing, it looks like even OpenSSL doesn't automatically check revocation lists.
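Added example (not part of the question above, and not code from the PHP project): a way to actually get a revocation answer from PHP. The openssl extension has no CRL API of its own, and OpenSSL's verifier never fetches a CRL by itself; revocation is only consulted when a CRL is supplied and CRL checking is switched on. The script below therefore (1) runs the same openssl_x509_checkpurpose() chain/purpose check as in the question, (2) reads the crlDistributionPoints extension via openssl_x509_parse() so you know where the issuer publishes its CRL (a demoCA certificate issued without that extension yields nothing here), and (3) delegates the real check to the openssl(1) CLI with -crl_check and -CRLfile. The file paths are assumptions, and the CRL is assumed to already be downloaded as a PEM file next to the CA certificate.

```php
<?php
// Added example: revocation check for a PEM certificate from PHP.
// Assumed paths (not from the question): adjust to your environment.
declare(strict_types=1);

$certFile = '/home/dev/cert2.pem';    // certificate under test
$caFile   = '/home/dev/local-ca.crt'; // CA certificate
$crlFile  = '/home/dev/local-ca.crl'; // PEM CRL issued by that CA (assumed present)

/** Drain the OpenSSL error queue; openssl_error_string() yields one entry per call. */
function opensslErrors(): array
{
    $errors = [];
    while (($e = openssl_error_string()) !== false) {
        $errors[] = $e;
    }
    return $errors;
}

/**
 * CRL distribution point URIs embedded in the certificate, if any.
 * openssl_x509_parse() renders the extension as OpenSSL's text output,
 * e.g. "\nFull Name:\n  URI:http://ca.example/ca.crl\n", so the URIs are extracted.
 */
function crlDistributionPoints(string $pem): array
{
    $parsed = openssl_x509_parse($pem);
    if ($parsed === false || empty($parsed['extensions']['crlDistributionPoints'])) {
        return [];
    }
    preg_match_all('/URI:(\S+)/', $parsed['extensions']['crlDistributionPoints'], $m);
    return $m[1];
}

/**
 * Chain + revocation check via openssl(1). Returns 'ok', 'revoked' or 'invalid'
 * plus the CLI output. -crl_check checks the leaf against the CRL;
 * -crl_check_all would additionally check every intermediate.
 */
function verifyWithCrl(string $certFile, string $caFile, string $crlFile): array
{
    $cmd = sprintf(
        'openssl verify -crl_check -CAfile %s -CRLfile %s %s 2>&1',
        escapeshellarg($caFile),
        escapeshellarg($crlFile),
        escapeshellarg($certFile)
    );
    exec($cmd, $lines, $status);
    $out = implode("\n", $lines);
    if ($status === 0 && preg_match('/: OK$/m', $out)) {
        return ['ok', $out];
    }
    // "error 23 at 0 depth lookup: certificate revoked" is what OpenSSL prints for a CRL hit.
    return [stripos($out, 'certificate revoked') !== false ? 'revoked' : 'invalid', $out];
}

$pem = file_get_contents($certFile);
if ($pem === false) {
    fwrite(STDERR, "cannot read $certFile\n");
    exit(1);
}

// Step 1: purpose/chain check only; this never consults a CRL.
$purposeOk = openssl_x509_checkpurpose($pem, X509_PURPOSE_SMIME_SIGN, [$caFile]);
printf("checkpurpose: %s\n", $purposeOk === true ? 'ok' : 'fail (' . var_export($purposeOk, true) . ')');
foreach (opensslErrors() as $e) {
    echo "  openssl error: $e\n";
}

// Step 2: where the issuer publishes its CRL (empty for a demoCA cert without the extension).
$dps = crlDistributionPoints($pem);
echo 'CRL distribution points: ' . ($dps ? implode(', ', $dps) : '(none in certificate)') . "\n";

// Step 3: the actual revocation check, against the local copy of the CRL.
[$verdict, $out] = verifyWithCrl($certFile, $caFile, $crlFile);
printf("verify -crl_check: %s\n%s\n", $verdict, $out);
```

Run it once against cert1.pem and once against cert2.pem: step 1 reports ok for both (matching the question's output), while step 3 reports revoked for the certificate listed in the CRL. If step 2 prints a URI, that is the CRL to download and pass as $crlFile; keep in mind a CRL has a nextUpdate field, so a stale local copy will silently miss recent revocations.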