authorNikita Popov <nikita.ppv@gmail.com>2020-06-19 09:43:56 +0200
committerNikita Popov <nikita.ppv@gmail.com>2020-06-19 09:43:56 +0200
commit21a2da23498509fa671a69ae42d4c2cd841ee94d (patch)
treec88226db4a6f4f46006961ebe514402778d21822
parentf3e6b123dc5da6a92960fbe21000b53a3450e64a (diff)
downloadphp-git-21a2da23498509fa671a69ae42d4c2cd841ee94d.tar.gz
Generate temporary config file when generating certificates
The putenv trick doesn't work on ZTS Windows, so generate a new openssl config every time.
-rw-r--r--ext/openssl/tests/CertificateGenerator.inc71
-rw-r--r--ext/openssl/tests/san.cnf13
2 files changed, 47 insertions, 37 deletions
diff --git a/ext/openssl/tests/CertificateGenerator.inc b/ext/openssl/tests/CertificateGenerator.inc
index 4cd8540cef..b409376058 100644
--- a/ext/openssl/tests/CertificateGenerator.inc
+++ b/ext/openssl/tests/CertificateGenerator.inc
@@ -3,7 +3,6 @@
class CertificateGenerator
{
const CONFIG = __DIR__. DIRECTORY_SEPARATOR . 'openssl.cnf';
- const SAN_CONFIG = __DIR__ . DIRECTORY_SEPARATOR . 'san.cnf';
/** @var resource */
private $ca;
@@ -96,32 +95,56 @@ class CertificateGenerator
$dn['commonName'] = $commonNameForCert;
}
- $config = [
- 'digest_alg' => 'sha256',
- 'req_extensions' => 'v3_req',
- 'x509_extensions' => 'usr_cert',
- ];
- if ($subjectAltName !== null) {
- putenv("PHP_SUBJECTALTNAME=$subjectAltName");
- $config['config'] = self::SAN_CONFIG;
- }
-
- $this->lastKey = self::generateKey($keyLength);
- $this->lastCert = openssl_csr_sign(
- openssl_csr_new($dn, $this->lastKey, $config),
- $this->ca,
- $this->caKey,
- /* days */ 2,
- $config,
- );
+ $subjectAltNameConfig =
+ $subjectAltName ? "subjectAltName = $subjectAltName" : "";
+ $configCode = <<<CONFIG
+[ req ]
+distinguished_name = req_distinguished_name
+default_md = sha256
+
+[ req_distinguished_name ]
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+$subjectAltNameConfig
+
+[ usr_cert ]
+basicConstraints = CA:FALSE
+$subjectAltNameConfig
+CONFIG;
+ $configFile = $file . '.cnf';
+ file_put_contents($configFile, $configCode);
+
+ try {
+ $config = [
+ 'config' => $configFile,
+ 'req_extensions' => 'v3_req',
+ 'x509_extensions' => 'usr_cert',
+ ];
+
+ $this->lastKey = self::generateKey($keyLength);
+ $this->lastCert = openssl_csr_sign(
+ openssl_csr_new($dn, $this->lastKey, $config),
+ $this->ca,
+ $this->caKey,
+ /* days */ 2,
+ $config,
+ );
+ if (!$this->lastCert) {
+ throw new Exception('Failed to create certificate');
+ }
- $certText = '';
- openssl_x509_export($this->lastCert, $certText);
+ $certText = '';
+ openssl_x509_export($this->lastCert, $certText);
- $keyText = '';
- openssl_pkey_export($this->lastKey, $keyText);
+ $keyText = '';
+ openssl_pkey_export($this->lastKey, $keyText);
- file_put_contents($file, $certText . PHP_EOL . $keyText);
+ file_put_contents($file, $certText . PHP_EOL . $keyText);
+ } finally {
+ unlink($configFile);
+ }
}
public function getCertDigest($algo)
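Review bot: The new heredoc writes `$subjectAltName` into the generated config verbatim (`subjectAltName = $subjectAltName`), and OpenSSL's config parser is line-oriented, so a value containing a CR/LF would inject further directives into the `v3_req`/`usr_cert` sections; the old `${ENV::...}` path had the same exposure, but now that the helper composes the file itself it is cheap to reject such input up front with `if ($subjectAltName !== null && preg_match('/[\r\n]/', $subjectAltName)) { throw new InvalidArgumentException('subjectAltName must be a single line'); }`. The guard also changed from `$subjectAltName !== null` to a truthiness test, which silently drops a SAN of `"0"`; restoring `$subjectAltName !== null ? ... : ""` keeps the previous contract. `file_put_contents($configFile, $configCode)` is unchecked, so a failed write falls through to `openssl_csr_new` with a missing file and then `unlink()` warns in the `finally`; checking for `=== false` and throwing before the `try` would make the failure explicit. The enclosing method (and the definition of `$file`) starts before this hunk, so the exact parameter types are not visible here.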
diff --git a/ext/openssl/tests/san.cnf b/ext/openssl/tests/san.cnf
deleted file mode 100644
index fd347331a9..0000000000
--- a/ext/openssl/tests/san.cnf
+++ /dev/null
@@ -1,13 +0,0 @@
-[ req ]
-distinguished_name = req_distinguished_name
-
-[ req_distinguished_name ]
-
-[ v3_req ]
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-subjectAltName = ${ENV::PHP_SUBJECTALTNAME}
-
-[ usr_cert ]
-basicConstraints = CA:FALSE
-subjectAltName = ${ENV::PHP_SUBJECTALTNAME}