Problem

When checking with (a properly specified) $cainfo variable, does PHP's openssl_check_purpose() function take revocation into account when determining validity? The documentation for the API is somewhat lacking, leaving the verification process as something of a "black box" to a non-expert.

If it does, are the failed criteria considered errors that can be retrieved by calling openssl_error_string, or do I have to do something else to find out why it's invalid?

If not, is there a function I'm missing that will let me pull the certificate in question from a "bundle" file, so that I can get the CRL from it and check manually?

(According to the accepted answer to another question, the check in C# does include revocation, but I've learned not to take anything for granted in PHP.)

UPDATE:

After some manual testing, it would appear that openssl_check_purpose() does not check for revocation. I suspect that part of this may be because I'm testing against a local demoCA, though, and the ca cert doesn't include any CRL info.

The test code:

$pemfile = "/home/dev/cert1.pem"; // "Good" certificate
$revfile = "/home/dev/cert2.pem"; // "Revoked" certificate
$cafile  = "/home/dev/local-ca.crt"; // CA that issued both certificates
$error = null;

// Check the good certificate against the CA; returns true, false, or -1 on error
$pemcansign = openssl_x509_checkpurpose(
    openssl_x509_read(file_get_contents($pemfile)),
    X509_PURPOSE_SMIME_SIGN, array($cafile));
if ($error = openssl_error_string()) {
    echo "SSL Error checking good cert: " . $error . "\n";
}

// Same check against the certificate that was revoked on the demoCA
$revcansign = openssl_x509_checkpurpose(
    openssl_x509_read(file_get_contents($revfile)),
    X509_PURPOSE_SMIME_SIGN, array($cafile));
if ($error = openssl_error_string()) {
    echo "SSL Error checking revoked cert: " . $error . "\n";
}

echo "PEM Key can " .
    ($pemcansign === true ? "" : "NOT ") .
    "be used for signing S/MIME (Result: $pemcansign)\n";
echo "Revoked PEM Key can " .
    ($revcansign === true ? "" : "NOT ") .
    "be used for signing S/MIME (Result: $revcansign)\n";

Still results in the output:

PEM Key can be used for signing S/MIME (Result: 1)
Revoked PEM Key can be used for signing S/MIME (Result: 1)

UPDATE 2:

After even more testing, it looks like even OpenSSL doesn't automatically check revocation lists.

Solution

So all evidence points to "no", and there doesn't seem to be a standalone function in the openssl_* API to handle it. As long as exec() isn't disabled, it appears you can usually get the URI to the CRL from the client cert (FSVO "usually" empirically limited to certs from GoDaddy and StartSSL. YMMV), then call the openssl CLI and scrape the results.

Hardly ideal, but poking at it for a week hasn't come up with another way other than writing a new PHP extension.
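The approach the answer describes, written out as an added example (this is not code from the original question or answer): read the CRL distribution point URI out of the certificate with openssl_x509_parse(), download the CRL, and hand the revocation check to the openssl CLI with -crl_check. It assumes the openssl binary is in PATH, exec() is not disabled, the CRL URI is reachable, and the file paths (reused from the question) are placeholders.

```php
<?php
// Added illustration, not code from the original post. Assumptions: openssl CLI in
// PATH, exec() enabled, CRL URI reachable, and the /home/dev/* paths are placeholders.

/** Return the CRL distribution point URIs listed in a PEM certificate. */
function crlUrisFromCert(string $certPem): array
{
    $parsed = openssl_x509_parse($certPem);
    if ($parsed === false) {
        throw new RuntimeException('Cannot parse certificate: ' . openssl_error_string());
    }
    // openssl_x509_parse() returns the extension as printable text, e.g.
    // "\nFull Name:\n  URI:http://crl.example.com/ca.crl\n"
    $ext = $parsed['extensions']['crlDistributionPoints'] ?? '';
    preg_match_all('~URI:(\S+)~', $ext, $m);
    return $m[1];
}

/** Download a CRL and store it as PEM (DER CRLs are converted with the openssl CLI). */
function fetchCrlAsPem(string $uri, string $destFile): void
{
    $data = file_get_contents($uri);
    if ($data === false || $data === '') {
        throw new RuntimeException("Could not download CRL from $uri");
    }
    if (strpos($data, '-----BEGIN X509 CRL-----') === false) {
        // DER-encoded: write it out and convert so that openssl verify can read it
        $derFile = $destFile . '.der';
        file_put_contents($derFile, $data);
        exec(sprintf('openssl crl -inform DER -in %s -outform PEM -out %s 2>&1',
            escapeshellarg($derFile), escapeshellarg($destFile)), $out, $status);
        unlink($derFile);
        if ($status !== 0) {
            throw new RuntimeException('CRL conversion failed: ' . implode("\n", $out));
        }
    } else {
        file_put_contents($destFile, $data);
    }
}

/**
 * Verify a certificate against the CA *and* the CRL. Without -crl_check, openssl
 * verify accepts a revoked certificate, which is the behaviour seen in the question.
 */
function verifyWithCrl(string $certFile, string $caFile, string $crlFile): array
{
    $cmd = sprintf('openssl verify -crl_check -CAfile %s -CRLfile %s %s 2>&1',
        escapeshellarg($caFile), escapeshellarg($crlFile), escapeshellarg($certFile));
    exec($cmd, $out, $status);
    $text = implode("\n", $out);
    return [
        'valid'   => $status === 0,
        // openssl reports "error 23 ... certificate revoked" for a revoked certificate
        'revoked' => stripos($text, 'certificate revoked') !== false,
        'output'  => $text,
    ];
}

// Usage with the same placeholder paths as the question's test code
$certFile = '/home/dev/cert2.pem';
$caFile   = '/home/dev/local-ca.crt';
$crlFile  = '/tmp/issuer.crl.pem';

$uris = crlUrisFromCert(file_get_contents($certFile));
if ($uris === []) {
    // A certificate with no distribution point (like the demoCA certs in the question)
    // cannot be checked this way; treat that as a policy decision, not as "valid".
    fwrite(STDERR, "No CRL distribution point in certificate\n");
    exit(1);
}
fetchCrlAsPem($uris[0], $crlFile);
$result = verifyWithCrl($certFile, $caFile, $crlFile);
echo $result['revoked'] ? "REVOKED\n"
    : ($result['valid'] ? "OK\n" : "INVALID: {$result['output']}\n");
```

Delegating to `openssl verify -crl_check` rather than parsing the CRL by hand has a practical advantage: the CLI also validates the CRL's signature against the issuer and rejects a CRL whose nextUpdate has passed, so a stale or tampered list is reported as an error instead of being silently trusted. The exit status and output string are the only things scraped, which is why the command is built with escapeshellarg() and stderr is merged into the captured output.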

License: CC-BY-SA with attribution